Data Breaches Increase Seven-Fold In One Year

According to a report by California’s attorney general, 18.5 million Californians were victims of cyber intrusions or data breaches in 2013. Remarkably, this was up from 2.5 million in 2012, a seven-fold increase. (Note that two major data breaches at Target and LivingSocial account for much of the increase.) A copy of the report is linked below, and this article summarizes the report.

The study breaks down the cause of the various breaches, with 53% caused by cyber incursions (e.g., hacking and malware), 26% arising from physical loss or theft, and the remainder coming from unintentional errors or deliberate misuse.

This report is yet another sign that the threat of data loss continues to increase dramatically. While the report focuses on breaches affecting consumer information, it has broader application to companies seeking to protect their proprietary information. Measures necessary to enhance data security and protect trade secrets overlap. Network security is at the heart of these efforts, and companies need to be willing to invest significant resources to keep their networks safe.

But network security is not the only area of concern. This report shows that the loss or theft of computers and other storage media presents another significant risk. For companies seeking to protect their trade secrets, this problem presents itself on various fronts. For example, companies need to make sure that company-issued computers, smartphones, and media have sufficient protections in case they are lost or stolen. Also, and more problematic, companies need to understand how their employees are using company documents and information on their personal devices. Similarly, companies need to keep tabs on how third parties, like vendors and consultants, are protecting shared proprietary documents.

I have frequently written about the need for companies to implement a trade-secrets policy. This policy would address these issues. For example, it could require that all proprietary documents are encrypted. And it could make sure that these documents are disseminated narrowly, to those employees who need them to do their jobs. For those companies that fail to implement and enforce necessary restrictions, the loss of proprietary information may be inevitable.

2014 California Data Breach Report

Recycled Passwords Can Trash Your Trade Secrets

Recently, a hacker posted a number of usernames and passwords for Dropbox. Considering how many companies are now using Dropbox and other cloud-based providers to share documents, this is obviously a problem. But it does not appear that Dropbox itself was hacked. Instead, as noted by this Slate article, the hacker likely targeted smaller sites with weaker security:

The most likely source of the information is a third-party site that had poor security. Hackers know that most internet users re-use their passwords, so they often target smaller apps made by amateur developers. These easy targets have poor security — so usernames, passwords or files may be stored in a way that’s easy for hackers to steal them.

In other words, most people use the same passwords across multiple sites. Including your employees. This is a BIG problem. Forgive the cliché, but password protection is only as good as the weakest link in the chain. You can spend millions of dollars protecting your network and proprietary information. But if another site where your employees have accounts is hacked, and your employees use the exact same passwords there as they use for your network, your network and information are at risk.

I cannot overstate the importance of making sure that your employees don’t use the same password for your system that they use for other sites. You need to make employees aware of this rule, and strictly enforce it. One option is to create passwords for your employees instead of allowing them to create their own. And change the passwords routinely. Also, as biometric technology develops and becomes more affordable, it presents another option.

There’s a reason we all use the same passwords across multiple sites: it makes life easier. But you need to ensure that your employees don’t allow their convenience to threaten your company.

Will the “Internet of Things” Be A Nightmare for Trade Secrets?

I’ve been on a bit of a hiatus from posting over the past couple of weeks, during which I had a bench trial on a trade-secrets injunction. Since that case is still pending, I’m not going to write about it just yet.

Today, let’s look at the so-called “internet of things” — the increasing number of household, business, and other objects that are now internet enabled. I love being able to access things like my home alarm and thermostat remotely via my iPhone. And there’s no question that the “internet of things” will be growing exponentially in the near future. But does this present a threat to trade secrets and proprietary information?

A recent blog post by Michael Jordon shows the risks. He exposed security weaknesses in internet-enabled printers by getting a Canon Pixma wireless printer to run the classic video game “Doom.”

The post contains a lot of technical details. But most importantly, his exercise shows that internet-enabled printers lag far behind traditional network devices when it comes to security. This is critical: if someone can hack into your company’s printers, they could have access to all of the documents that were printed.

Jordon’s organization recommends avoiding the internet of things entirely:

Context recommends that you do not put your wireless printers on the Internet, or any other ‘Internet of Things’ device.  To defend against the CRSF [cross-site request forgery] attack, well don’t follow any dodgy links is the best advice I can come up with.  Context is not aware of anyone in the wild actively using this type of attack, but hopefully we can increase the security of these types of devices before the bad guys start to. Finally, make sure that you always apply the latest available firmware to your devices. This is often not an automatic process and may require checking on the manufacturer’s website for updates.

As time goes on, it will be very difficult, if not impossible, to avoid using the “internet of things” in a business context. When you do connect devices to the internet, assume that they have security vulnerabilities. Thus, before connecting the device to the internet, you need to work with your IT department/consultants to make sure that it has adequate security features.

Law Professors Oppose Federal Trade Secrets Acts, Ignore Their Benefits

I’ve written about the Defend Trade Secrets Act and the Trade Secrets Protection Act previously. I’ve expressed enthusiastic support for these laws, which have bipartisan and widespread corporate backing. Today, 31 law professors issued a letter opposing these proposed statutes. Their harsh critique ignores clear benefits and overstates the statutes’ risks.

These professors’ thesis is explained at the end of the letter: “[T]he Acts are dangerous because the many downsides explained above have no—not one—corresponding upside.”

This statement and attitude ruin the letter’s credibility. These statutes have real, concrete benefits. They provide for federal jurisdiction, allowing for federal magistrates—experts in e-discovery—to oversee the complicated e-discovery issues often attendant to trade-secrets-misappropriation cases. They would allow for a uniform national trade-secret-misappropriation standard, thereby providing companies with greater certainty regarding enforcement. And the provision creating the most controversy, the ex parte seizure provision, will reduce the real risk of deliberate evidence destruction.

If these professors are not able to acknowledge that these proposed statutes offer benefits to companies facing the threat of misappropriation, I find it hard to take their critique seriously. But let’s look at their five reasons to reject these statutes:

1. Effective and uniform state law already exists. True, most states have adopted the Uniform Trade Secrets Act, with slight variations. But the state-by-state patchwork of statutory interpretation is not uniform. For example, different states apply different standards to determine whether a customer list is a trade secret. And state courts are often overburdened. I have personally experienced difficulty getting expedited hearing dates for emergency temporary injunction motions in state courts. Federal courts are better equipped to hear these types of motions expeditiously.

2. The Acts will damage trade secret law and jurisprudence by weakening uniformity while simultaneously creating parallel, redundant and/or damaging law. Despite this heading, the professors do not explain how applying a uniform federal standard will weaken uniformity. Instead, the professors argue that the Acts do not preempt state law, but only apply to trade secrets used in interstate or foreign commerce. Apparently, they believe that giving companies a choice between filing a misappropriation action in federal or state court is a bad thing. If companies want to litigate in state court, based on state law, these Acts permit them to do so. But these statutes would provide a second option. Given the tremendous corporate support for these statutes, companies themselves seem to want this new option.

The professors also criticize the interstate commerce provision, calling it “unclear and unsettled.” But like all statutes, this provision will become settled once tested in the courts. And the concept of interstate commerce is certainly not a new one, since federal courts routinely apply this standard to many federal statutes.

The professors also criticize the ex parte seizure provisions. Of all their critiques, this one has the most merit. I responded to this issue here. Keep in mind that evidence destruction is a real threat. I believe that it occurs routinely, particularly in misappropriation cases. In the end, I have faith that the federal judiciary will limit these orders to those cases where they are justified.

3. The Acts are imbalanced and could be used for anti-competitive purposes. The professors next argue that the Acts do not explicitly limit the length of injunctive relief. But the proper length of an injunction can vary widely based on the circumstances of a case. The judge hearing the supporting evidence is in a much better position than Congress to determine its length.

The professors are also concerned that parties will misuse the ex parte seizure provisions for anticompetitive purposes. This ignores the fact that (1) the moving party will have to convince a federal judge that the ex parte seizure order is necessary, and (2) the defendant will have the opportunity to challenge the order very soon after its entry. Again, I believe that the benefits of this provision outweigh its risks, given the built-in protections.

4. The Acts increase the risk of accidental disclosure of trade secrets.  Here, the professors argue that because of possible jurisdictional challenges based on the interstate commerce provision, plaintiffs will face motions to dismiss for lack of subject-matter jurisdiction that will “require the plaintiff to identify and disclose its trade secrets early in the litigation.” It’s hard to reconcile the professors’ concern for anticompetitive uses of the Act (number 3 above) with their concern that plaintiffs will have to identify the trade secrets at issue. Regardless, in reality, defendants already seek more detailed information about the trade secrets at issue at the case’s outset as a matter of routine, either through a motion to dismiss/for more definite statement, or through discovery requests. This new statute will have a marginal effect, if any at all, on the timing for identifying the trade secrets at issue.

5. The Acts have potential ancillary negative impacts on access to information, collaboration among businesses and mobility of labor. The letter discusses how companies are able to label information as a trade secret to prevent public and regulatory access to important information. (Again, this is inconsistent with point 4, where the professors wanted to enable companies to delay disclosure of the trade secrets at issue.) But the professors don’t explain how the Acts would increase this practice, other than to mention the ex parte seizure provision. Yet any company (and its attorneys) that obtains an ex parte seizure order in bad faith will have to face the ire of a federal judge who they manipulated into entering the order. I think the risk is overblown.

Look, neither of the Acts is perfect. But the threat of misappropriation is real. Companies need stronger weapons in their arsenal to protect their proprietary information. These Acts accomplish that, with limited real—as opposed to academic—downside.

Congressmen Explain Why You Need to Be Proactive About Trade-Secret Theft

In today’s partisan political climate, it’s rare to see an issue that unites members of both parties. But trade-secrets theft has become such a significant threat to our economy that there is now a bipartisan effort to pass federal trade-secret legislation.

Last week, Congressmen Hakeem Jeffries (D-NY), Howard Coble (R-NC), John Conyers Jr. (D-MI), Steve Chabot (R-OH), Jerrold Nadler (D-NY), and George Holding (R-NC), all members of the House Judiciary Committee, published an article explaining why they introduced the “Trade Secrets Protection Act of 2014.”

The Congressmen’s article does a great job detailing the threat that companies face.

They start off with a sobering statistic: “The devastating reality is that theft of trade secrets costs the American economy billions of dollars per year.” They cite to a 2013 study by the Executive Office of the President that found that “the pace of economic espionage and trade secret theft against U.S. corporations is accelerating.” That study gave examples of large-scale trade-secret theft, including stolen trade secrets from DuPont and Goldman Sachs valued at $400 million and $500 million, respectively.

They close by making the point that the current scheme, under which each state has its own trade-secret-misappropriation laws, is inadequate to confront the threat:

The current patchwork is simply not enough to combat organized trade secret theft. All other forms of intellectual property – patents, copyrights, and trademarks – are afforded a civil cause of action in federal law. It is time we confer trade secrets with a similar level of protection to substantially mitigate the billions of dollars lost annually through theft of our intellectual property.

Hopefully, either this or the similar Defend Trade Secrets Act (discussed here and here) will pass. But regardless, companies must be proactive about protecting their trade secrets. State and federal laws creating causes of action for trade-secret theft are great, but litigation is never ideal. You should consult with an attorney with expertise in this area to make sure you are taking all reasonable steps to protect your proprietary information. Doing so will help you avoid the need for expensive and time-consuming litigation.

The “George Costanza Defense” to Trade-Secrets Theft

Seinfeld fans will remember the episode where George Costanza’s boss caught him sleeping with a cleaning lady on his desk, leading to this memorable exchange:

Mr. Lippman: It’s come to my attention that you and the cleaning woman have engaged in sexual intercourse on the desk in your office. Is that correct?

George Costanza: Who said that?

Mr. Lippman: She did.

George Costanza: [pause] Was that wrong? Should I not have done that? I tell you, I gotta plead ignorance on this thing, because if anyone had said anything to me at all when I first started here that that sort of thing is frowned upon… you know, cause I’ve worked in a lot of offices, and I tell you, people do that all the time.

Mr. Lippman: You’re fired!

Funny stuff. Now, a former Ford employee is using a similar excuse to explain alleged trade-secrets theft.

According to this Detroit News article, the FBI is investigating a former Ford engineer who admitted planting listening devices in Ford’s meeting rooms. These devices recorded meetings, including ones not involving the engineer.

The engineer’s lawyer is quoted in the article. He essentially gives the Costanza defense, saying that his client used the devices to help her take notes. He’s pleading ignorance on his client’s behalf. She apparently did not know that it was improper to plant hidden recording devices in meeting rooms and leave them there to record meetings she did not attend.

We have no idea whether she is telling the truth. But just like George’s boss, the FBI seems skeptical.

There’s a lesson here. You need to let new employees know their obligations when it comes to protecting your confidential information. A written trade-secrets policy, as either a supplement to or part of an employee handbook, is a great start. The policy should prohibit recording meetings or other conversations without management’s approval.

Can Mark Cuban’s Cyber Dust Help Protect Proprietary Information?

Cyber Dust is an app that lets users send text messages without leaving a digital fingerprint. All texts “self destruct” within 30 seconds, after which they are not stored anywhere — including on Cyber Dust’s servers. Also, Cyber Dust notifies you if someone takes a screenshot of one of your Cyber Dust texts.

Mark Cuban is behind Cyber Dust. In a recent Forbes article, he explained that the idea came from his own experience of having the SEC use his text messages in its insider-trading action against him: “That the phone companies and your text recipients own your texts and even the most innocent text can take on a whole new context. I wanted to have a means of communication that is analogous to face to face – where you can speak openly and honestly. That is why we created Cyber Dust.”

Similar technology is being developed for emails. For example, The Atlantic recently wrote about Pluto Mail, which includes features that allow the sender to set an email to expire after a set time. After that, the recipient can no longer view the email.

As Cuban notes, emails and texts create a digital record that can last forever. When your employees (or others, like consultants or vendors) send emails and text messages that contain your proprietary information, there is a risk of disclosure. As more companies use bring-your-own-device policies, those companies lose even more control of information sent via text and email.

I’ve been thinking of how to use this technology to minimize unwanted disclosure. For example, a company could require that all work-related text messages be sent via Cyber Dust. Emails are a bit more complicated, since there is often a need to preserve emails for later use. But a company could require that all emails containing proprietary information, or attaching certain proprietary documents, be sent with a scheduled expiration date.

In the end, these policies would only be effective if there’s a way to monitor compliance. Otherwise, it’s not worth the effort. Also, these policies likely would not deter someone who is sending the information with malicious intent, such as an employee who knows he will be leaving to work for a competitor. UPDATE: In fact, such a person could use this technology to cover his tracks.

But it’s worth exploring how to use new technology like Cyber Dust to help bolster efforts to protect proprietary information.

Trade Secrets and Public Records

Companies performing municipal or government work face unique challenges when they need to share their confidential or proprietary information with public agencies. These companies must be wary of state public records laws and the Freedom of Information Act. A recent case, All Aboard Florida — Operations, LLC v. State of Florida, et al., filed in Leon County, Florida, illustrates this.

All Aboard Florida is attempting to develop passenger rail service between Miami and Orlando. It is doing so in partnership with various governmental entities. Recently, Orlando developer Matthew Falconer served various Florida agencies with requests under Florida’s Public Records Act for various documents relating to All Aboard Florida’s efforts.

According to the complaint, these agencies told All Aboard Florida that they intended to provide Falconer with All Aboard Florida’s Florida Ridership and Revenue Study. In response, All Aboard Florida filed this complaint for declaratory and injunctive relief, seeking protection under Florida’s Trade Secrets Act. According to All Aboard Florida, this study is a trade secret:

The Ridership Study analyzes expected market share for AAF’s service, including the effects of various pricing and travel time scenarios on AAF ridership. As such, the Ridership Study is an extremely sensitive and commercially valuable document, the disclosure of which to the public could place AAF at an unfair competitive disadvantage vis-à-vis airlines and other transportation alternatives.

Under Florida’s Public Records Act, trade secrets are exempt from disclosure.

When All Aboard Florida provided this study to the government, it marked each page as proprietary and confidential. For companies facing this situation who have no choice but to provide proprietary information to a government agency, I would recommend going one step further: Label each page of any proprietary document as “Trade Secret Information Protected From Disclosure By Section 815.045, Florida Statutes” (or the relevant statute in the state at issue).

The goal is to make it as simple as possible for the government employees responding to a public-records request to recognize that the document at issue should not be disclosed.

Do Noncompetes Stifle or Encourage Innovation? Should you care?

The New York Times published an article yesterday discussing the increased use of noncompete agreements in nontraditional industries. The article starts by talking about a 19-year-old college student who had a job offer to work as a summer-camp counselor withdrawn as a result of a noncompete agreement she signed at another camp:

Colette Buser couldn’t understand why a summer camp withdrew its offer for her to work there this year.

After all, the 19-year-old college student had worked as a counselor the three previous summers at a nearby Linx-branded camp in Wellesley, Mass. But the company balked at hiring her because it feared that Linx would sue to enforce a noncompete clause tucked into Ms. Buser’s 2013 summer employment contract.

The article also talks about a lawn-maintenance person, an entry-level social-media marketer, and a hairdresser, all of whom had to sign restrictive covenants.

As more and more employers require restrictive covenants, there has been increased push-back. Against the backdrop of Massachusetts’ proposed ban on noncompetes, the article goes on to discuss arguments for and against employee restrictive covenants. Some argue that noncompetes stifle innovation:

“Noncompetes are a dampener on innovation and economic development,” said Paul Maeder, co-founder and general partner of Highland Capital Partners, a venture capital firm with offices in both Boston and Silicon Valley. “They result in a lot of stillbirths of entrepreneurship — someone who wants to start a company, but can’t because of a noncompete.”

Employers argue that the opposite is true:

“Noncompetes reduce the potential for poaching,” said Mr. Hazen, whose company makes scratch lottery tickets and special packaging. “We consider them an important way to protect our business. As an entrepreneur who invests a lot of money in equipment, in intellectual property and in people, I’m worried about losing these people we’ve invested in.”

There has always been a dispute about restrictive covenants’ effect on macro-level economic health. From my perspective, I am more concerned about using restrictive covenants to my clients’ benefit, as opposed to resolving this dispute; the policy implications of restrictive-covenant law are irrelevant to companies trying to protect their proprietary information. But the article leaves out a real-world benefit: increased certainty for employers and employees.

When permitted to use restrictive covenants, employers and employees have a better understanding of what will happen when the employer/employee relationship terminates. Employers can more comfortably share proprietary information with their employees, knowing that the restrictive covenants protect the employers’ interests. And employees know the precise limitations on their future employment, which can better inform their employment-related decisions.

Regardless, as I’ve discussed over and over, companies seeking to protect their proprietary information need to consider whether to require restrictive covenants. As long as the applicable jurisdiction permits them, restrictive covenants are often a company’s most powerful weapon to prevent unwanted disclosure.

Is Facebook Buying a Massive Trade-Secrets-Theft Liability?

Big trade-secret news last week. Oculus VR, Inc., the virtual-reality company Facebook is acquiring for $2 billion, was sued by Zenimax Media Inc. for trade-secrets misappropriation. Zenimax owns popular video-game titles such as Doom and Wolfenstein. A copy of the complaint is linked below.

Facebook’s acquisition of Oculus received widespread media coverage. This lawsuit, which will likely seek billions in damages, should draw extensive media interest.

According to the complaint, when Oculus’s founder (Palmer Luckey, named as a defendant) was developing Oculus’s VR headset called “Rift,” Zenimax provided Luckey with Zenimax’s proprietary information. This information allowed Oculus to transform Rift from a primitive, non-functional prototype into a viable platform justifying Facebook’s billions. After that, the Zenimax employees involved left to work for Oculus.

There are always two sides to every story, and so far we’ve only heard from Zenimax. But the complaint paints a pretty egregious picture of trade-secret theft. One example: After leaving Zenimax, where he had signed an agreement providing that any intellectual property he created for Zenimax belonged to Zenimax, to join Oculus, John Carmack tweeted: “When you are in a hurry, and you know you wrote the exact needed code (well!) at a previous job, reimplementation grates.”

While Zenimax appears to have a strong case, I see some potential issues. Most importantly, Zenimax did not have Oculus sign a nondisclosure agreement until after Zenimax had provided Oculus with at least some of its proprietary information. Oculus will likely argue that Zenimax did not reasonably protect this information, since it shared it with a third party without requiring a confidentiality agreement.

This leads to the biggest takeaway thus far for companies looking to protect their proprietary information: Never share this information with anyone, for any purpose, unless that person/entity executes a nondisclosure agreement.

It’s also interesting that a company as sophisticated as Zenimax would allow its employees to provide significant proprietary information to a third party without first working out, and documenting, how it would be compensated. Later on, the two companies tried to negotiate a compensation agreement, to no avail.

Finally, any company that doubts the risks employees present to its proprietary information should look at the responses to the Carmack tweet I discussed above, which has 95 “favorites.” Sample response: “that’s what USB sticks are for…”

I will monitor this case and write about its developments.

Zenimax Complaint
