Should You Abandon Email to Protect Trade Secrets?

In the wake of the hacking of the Democratic National Committee’s email server, it may be time to explore whether transmitting trade secrets via email—even internally—has become too risky.

Email hacks have become commonplace. It is a virtual certainty that your company has at least been targeted by some sort of hacking attempt. For every high-profile hack, like Sony, Ashley Madison, or the DNC, there are thousands of less-visible companies who also suffered data breaches, often involving emails.

The sad truth is that regardless of protection efforts, no company can keep its emails and centrally stored electronic documents 100% safe. Thus, you need to ask: is it time for my company to ban transmittal of trade-secrets via email?

A wholesale ban on email transmission is not always going to be feasible. But for certain types of trade secrets—particularly ones used only by a small number of employees—this could be workable. For example, I wrote recently about trade-secrets relating to design schematics used in 3D printing. Those types of schematics could potentially be stored offline.

These issues are highly unique to each company. You should speak with an attorney who specializes in trade-secret issues to figure out whether your company could benefit from taking trade-secrets offline.

 

Find a Pokemon, Lose Your Trade Secrets?

Well, that escalated quickly. In what seems like an instant, Pokemon went from a faded memory to an all-encompassing craze unlike anything we’ve seen before from an app. Nintendo, the company behind Pokemon Go, had its market cap increase by $7 billion since it was released last week. I haven’t played the game, but I can’t stop hearing and reading about it. Pretty remarkable.

Pokemon Go’s success has far-reaching implications for how we use technology, and in particular augmented reality. I loved this article about how companies can use Pokemon Go to drive foot traffic for about $1/hour. But for our purposes, Pokemon Go may present some unexpected risks to information security.

This article from Inc. discusses two of these risks. First, Pokemon Go users must log in using their Google accounts. But Pokemon Go is then automatically granted full access to the user’s Google account. Thus, Pokemon Go “can see and modify nearly all information in your Google Account.” So, as noted in this blog post, users playing Pokemon Go have granted the app permission to read their emails, send emails, access and delete all Google Drive documents, and more. Not good. Particularly if your employees have emailed themselves proprietary information.

The developer of Pokemon Go has since issued a statement that this was a mistake, which will soon be fixed. Regardless, this shows how important it is to keep your employees from sending themselves proprietary information, which should be your company’s policy. In addition, various IT solutions can protect against this practice.

Also, Pokemon Go has only been officially released in several countries. Per the Inc. article, people living elsewhere have turned to file-sharing services to download the app:

Because the game is popular, people in other countries are obtaining the Android version through unofficial channels – and hackers have already successfully posted malware-infected versions of the app in some file sharing services. One variant of such a malevolent version of the app was discovered by the security firm Proofpoint and is quite serious: it infects Android devices and allows hackers to access the infected devices via a backdoor.

File-sharing services are notoriously dangerous. You should be blocking access to all such services on all company devices.

Issues like these are well-suited for employee training. Employees need to know that seemingly innocent conduct can expose the company to serious risks.
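A defender-side check for the account-access problem described in this post, added here as an example and not taken from the original article or any vendor: it flags third-party app grants whose OAuth scopes allow mail or Drive access. The record format, app names and accounts are constructed for illustration; the scope strings are standard Google OAuth scopes.

```python
"""Flag third-party OAuth grants whose scopes allow mail or Drive access."""

# Standard Google OAuth scopes mapped to the capability the post worries about.
RISKY = {
    "https://mail.google.com": "read, send and delete all mail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/drive": "read, change and delete all Drive files",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
}

# Scopes that only identify the user, as expected for a plain sign-in.
LOGIN_ONLY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample records; the field names are an assumption, not an export format.
SAMPLE_GRANTS = [
    {"user": "alice@corp.example", "app": "Example AR Game",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive", "email"]},
    {"user": "bob@corp.example", "app": "Example Calendar Widget",
     "scopes": ["openid", "email", "profile"]},
    {"user": "carol@corp.example", "app": "Example PDF Signer",
     "scopes": ["https://www.googleapis.com/auth/drive.file", "email"]},
    {"user": "dave@corp.example", "app": "Example Newsletter Tool",
     "scopes": [" https://www.googleapis.com/auth/gmail.send", "profile"]},
]


def normalize(scope):
    """Trim whitespace and a trailing slash so equivalent spellings compare equal."""
    return scope.strip().rstrip("/")


def review_grant(grant):
    """Classify one grant: revoke-or-justify, review (unrecognized scope), or ok."""
    scopes = {normalize(s) for s in grant["scopes"]}
    risky = sorted(scopes & set(RISKY))
    unknown = sorted(scopes - set(RISKY) - LOGIN_ONLY)
    if risky:
        verdict = "revoke-or-justify"
    elif unknown:
        verdict = "review"  # not sign-in only, so a person should look at it
    else:
        verdict = "ok"
    return {"user": grant["user"], "app": grant["app"], "verdict": verdict,
            "capabilities": [RISKY[s] for s in risky], "unknown": unknown}


def audit(grants):
    """Return every grant that is not sign-in only, most serious first."""
    order = {"revoke-or-justify": 0, "review": 1}
    findings = [r for r in map(review_grant, grants) if r["verdict"] != "ok"]
    return sorted(findings, key=lambda r: (order[r["verdict"]], r["user"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        detail = "; ".join(f["capabilities"]) or "unrecognized: " + ", ".join(f["unknown"])
        print(f'{f["verdict"]:18} {f["user"]:20} {f["app"]:24} {detail}')
```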

A Landmark Day for Protecting Trade Secrets

Today, President Obama signed into law the Defend Trade Secrets Act. This means that companies whose trade secrets are misappropriated can now sue in federal court. This will likely usher in a new paradigm in the world of trade-secrets litigation. It will be very interesting to see how plaintiffs react and the statute develops in the next few years. In the meantime, take a look at my previous post for an urgent recommendation for all companies now that the DTSA has become effective.

Do This NOW to Prepare for the New Federal Trade Secrets Law

The Defend Trade Secrets Act (DTSA), which creates a federal cause of action for trade-secrets misappropriation, will be signed into law by President Obama in the coming days. This new law will have a substantial effect on where, and how, trade-secrets cases are litigated. Now is the time to figure out if your company is ready for the new law.

Since the DTSA’s definitions of trade secrets and misappropriation are largely similar to those in the Uniform Trade Secrets Act adopted by most states, I’m most concerned about making sure companies are minimizing the risk that they will unexpectedly be hit with a seizure order.

As has been widely discussed and debated, the DTSA contains an ex-parte seizure provision that authorizes judges to order the seizure of property containing the plaintiff’s trade secrets. While there are substantial protections to prevent abuse of this remedy, companies need to make sure they are not at risk of having their property seized.

This brings us to the critical step that all companies need to take now: Look carefully at your employee hiring/onboarding process. Far too many new employees bring proprietary documents from their prior employer; sometimes maliciously, sometimes innocently. Once the DTSA becomes law, if a new employee saves these types of documents on your server, you will be at risk of having law enforcement seize whatever is storing the documents.

Use this opportunity to conduct a comprehensive audit of your onboarding process. Make sure that your restrictive covenants and NDAs require new employees to represent that they are not bringing any proprietary information from a prior employer. Train the employees who conduct the onboarding process to discuss this issue with new employees before they are given access to your server. New employees must understand that they are prohibited from saving any documents from a prior employer on any company property, including servers, employee-issued devices, and media. Finally, work with IT to see if it makes sense to install protections that can alert to any external documents saved on your system by a new employee.

As always, each company needs customized solutions to best address the unique issues affecting your company and industry. Consult with an attorney specializing in trade-secret law who can advise what steps your company should take.

 

House Passes Defend Trade Secrets Act

Over the past few years, there has been much discussion and debate over the Defend Trade Secrets Act (DTSA), which amends the Economic Espionage Act to create a federal civil cause of action for trade-secrets misappropriation. Well, we’re on the verge of the DTSA becoming the law of the land. Several weeks ago, the Senate passed the DTSA by a vote of 87-0. Today, the House of Representatives passed the bill by a vote of 410-2. Now, it goes to the President for signature.

Since President Obama supports the bill, we are just days away from one of the most significant events in the history of trade-secrets law, the creation of a right to sue in federal court to remedy misappropriation. I’ve strongly supported this law, so I’m very pleased with this development. I look forward to litigating trade-secrets actions in federal court.

Would Your Employees Sell Their Network Password?

Sailpoint recently released its 2016 Market Pulse Survey, which examined employees’ roles in IT security. The results should terrify employers. The report can be downloaded here.

This report echoes a theme I’ve been repeating here often: employees can be the biggest threat to your trade secrets. Consider the following findings:

  • 65% of respondents admitted using a single password across applications
  • One in three shared passwords with co-workers
  • More than 40% still had access to corporate network accounts from their prior job

And most disturbing:

  • 20% worldwide, and 27% in the U.S., would sell their corporate password to an outsider, often for less than $1,000
  • 26% admitted uploading sensitive information to the cloud with the intent to share outside the company

Some of these issues can be addressed through proper training regarding password hygiene and protection of proprietary information. But it’s more difficult to address malicious insiders who want to sell access to your system or disclose your trade secrets.

The malicious-insider problem requires proactive thinking. Consult with your IT team or an outside expert to implement solutions that monitor system usage and alert to irregular activity. Work with HR and management to identify employees who are dissatisfied with their jobs, or otherwise showing signs of higher risk. And make sure that each employee only has access to the proprietary information necessary for that employee’s job.

Also, restrictive covenants and non-disclosure agreements can both deter this type of wrongdoing and allow for more effective enforcement if misappropriation occurs. Consult with an attorney who specializes in trade-secrets law to determine what types of contracts and other legal protections are best suited to protect your company.

Beware Google Dorking

What is Google dorking? Simply put, it’s using Google’s advanced search-engine features to find detailed information about websites and computer networks. Because Google’s algorithm indexes huge amounts of information, Google dorking can be a very effective method for learning about a company’s computer network, including the type of information that could allow a hacker easy access to your trade secrets.

Recently, the DOJ brought charges against hackers who were allegedly working with the Iranian government to carry out cyber attacks on various U.S. companies. One of the hackers is charged with accessing the computer network that controls a dam in New York. According to a Wall Street Journal article, the hacker was able to use Google dorking to discover a vulnerable computer, which he hacked into to gain access to the dam’s control systems. Apparently, he had been using Google for months to find vulnerable industrial-control systems.

The WSJ article observes that many companies are unknowingly subjecting themselves to these types of hacking risks, including by connecting outdated infrastructure systems to the internet:

Companies, often against the advice of hacking experts, increasingly have brought such systems online as a way to add “smarts” to U.S. infrastructure. But older systems can have weaknesses that can readily be found through Google dorking, and then exploited, experts said.

It is a very bad idea to connect anything to your company’s network without knowing the implications for network security. The dam-hacking episode shows how easily a bad actor can take advantage.

Google dorking can also help companies identify hacking risks. A company can, and should, “dork” itself, to look for inadvertent or unknown security lapses. Be sure to work with your IT team to make sure that your company is not susceptible to a dork’s hack.

Florida Amends Trade-Secrets Laws to Protect Financial Information

This week, Governor Rick Scott signed into law S.B. 180 and 182, broadening the definition of Florida’s criminal trade-secrets-theft statute to include financial information, and applying that definition to the trade-secrets exception to public-records laws.

Section 812.081, Florida Statutes, criminalizes trade-secrets theft. Previously, the definition of “Trade Secret” did not explicitly reference financial information. As of this week, the definition has been amended as follows, with the new language underlined:

“Trade secret” means the whole or any portion or phase of any formula, pattern, device, combination of devices, or compilation of information which is for use, or is used, in the operation of a business and which provides the business an advantage, or an opportunity to obtain an advantage, over those who do not know or use it. The term includes any scientific, technical, or commercial information, including financial information, and includes any design, process, procedure, list of suppliers, list of customers, business code, or improvement thereof. Irrespective of novelty, invention, patentability, the state of the prior art, and the level of skill in the business, art, or field to which the subject matter pertains, a trade secret is considered to be:

1. Secret;
2. Of value;
3. For use or in use by the business; and
4. Of advantage to the business, or providing an opportunity to obtain an advantage, over those who do not know or use it

when the owner thereof takes measures to prevent it from becoming available to persons other than those selected by the owner to have access thereto for limited purposes.

While this is a criminal statute, it could affect civil actions as well. First, Section 812.035(6) allows an “aggrieved person” to sue for an injunction that remedies a violation of the statute. Notably, under the civil-remedy provision, the plaintiff does not need to show special or irreparable damage. This is another tool for companies harmed by trade-secret misappropriation.

Second, even though there was no corresponding change to Florida’s Uniform Trade Secret Act, Sec. 688.001, Fla. Stat., the broadened criminal definition could affect actions under the UTSA where financial information is at issue. The fact that the legislature has criminalized theft of financial information bolsters a claim that an injunction is necessary to remedy that type of misappropriation.

Finally, a number of other Florida Statutes were also amended to make clear that trade secrets, as defined in the newly amended Sec. 812.081, are exempted from disclosure under Florida’s public-records laws. Companies involved in “P3s”—public/private partnerships—lobbied heavily for the passage of this bill. The amended statute affects just about all companies that do government contracting. Those companies now have statutory protection against having their financial information disclosed when bidding for or performing government contracts.

“You’re going to accept this offer or we’re going to … take your company … and do it ourselves.”

Guest post by Solomon B. Genet.

It is worth reading Bailey v. St. Louis, if for no other reason than it is a good story where the good guys seem to have won, and the bad guys got smacked – and when I say “smacked,” I mean hit with an award of punitive damages.

All of the details (as found by the court) won’t fit in this post, but in summary, a private equity (“PE”) firm met with a profitable medical center (plaintiff), to consider giving the plaintiff a loan. The plaintiff provided the PE firm with confidential materials, including a copy of the business plan and financial information, to perform due diligence.

The PE firm did not offer a loan, but instead offered to purchase a controlling interest in the plaintiff, and accompanied that offer with the following threat: “you’re going to accept this offer or we’re going to take your doctors and we’re going to take your company. And we’re going to go up the street, and we’re going to do it ourselves.”

And to the PE firm’s credit (maybe the only thing to its credit), the PE firm did as it promised. The PE firm created dissent among the plaintiff’s employees, using the confidential documents it had received to mislead certain employees as to the plaintiff’s integrity. It hired away two of the plaintiff’s doctors and established a competing facility. It used the plaintiff’s business plan, in a “cut and paste job,” to create its own business plan. A doctor who left the plaintiff to join the PE firm’s competing facility said that one of the plaintiff’s principals had many aliases, was a wanted felon, and had “possible” sexual offenses, all of which were false. The PE firm even paid certain of the plaintiff’s employees to quit working for the plaintiff. And the plaintiff’s list of patients and leads and accounts payable information were also misappropriated.

The appellate court directed the trial court to award punitive damages, finding that it met the standard of “wanton intentionality, exaggerated recklessness, or such an extreme degree of negligence as to parallel an intentional and reprehensible act.”

For purposes of this post and the focus of this blog, it’s most relevant that the Court’s conclusion flows from the fact that the plaintiff provided the PE firm with a copy of its business plan and certain financial information upon the condition that they would be kept confidential, and that the PE firm disregarded and abused this agreement. The takeaway is simple and straightforward: if you are contemplating a business relationship of any sort and intend to share confidential information, take the relatively minor step of seeing a lawyer to draft a non-disclosure/limited-use agreement that protects your information. You could be thanking yourself later.

Bailey v. St. Louis

When Noncompetes Attack

Noncompete agreements aren’t always appropriate. This is a pretty simple concept that sophisticated companies don’t always grasp. I’ve written often about how noncompete agreements can be a company’s most powerful tool to protect its trade secrets and proprietary information. But only if the employee has access to trade secrets and proprietary information. When a big company takes a blunderbuss approach and makes all of its low-level employees sign noncompete agreements, it can backfire.

In the past few months, companies like Jimmy John’s and Amazon have faced backlash after the media learned that they were forcing sandwich makers and warehouse employees to sign noncompetes. This week, the Wall Street Journal ran a story about Stephanie Russell-Kraft, a former reporter—apparently entry level—at Law360. When Ms. Russell-Kraft left to work at Reuters, Law360 informed Reuters that she had signed a noncompete agreement while at Law360. Reuters fired her for not disclosing the noncompete when she applied.

Now, Law360 is facing bad PR (as reflected in these articles in Slate and Above the Law). Far worse, the New York Attorney General is now investigating Law360 to see if it violated New York labor laws.

I’m not going to claim to be an expert in the legal news-wire business. But it’s hard to see how an entry-level reporter would have access to proprietary information justifying a noncompete. In almost all circumstances, companies should limit noncompetes to senior executives and employees with access to proprietary information and trade secrets.

That’s not to say that companies shouldn’t take steps to protect against lower-level employees misusing or disclosing confidential information. Many times, this can be accomplished by less restrictive agreements such as nonsolicitation or nondisclosure agreements. I’ve found that courts are much more willing to enforce these types of agreements.

This brings us back to one of the key themes that you will find throughout my blog posts: each company needs a personalized strategy for protecting its trade secrets and proprietary information. This strategy should implement appropriate protections, which will often include targeted noncompete agreements. But too many companies force all employees to sign noncompetes. As we’ve seen recently, the company can come off as a bully. Or worse.

UPDATE: Here’s an interesting interview with Russell-Kraft.