ABA Ethics Opinion: Trade-Secrets Lawyers Need to Encrypt Emails

By definition, lawyers working on trade-secrets issues, whether in litigation or otherwise, have access to their clients’ most confidential information. And, of course, these lawyers routinely communicate with clients via email, including about the trade secrets. Sometimes, even the trade secrets themselves are exchanged via email.

This raises ethical issues. Recently, the ABA Committee on Ethics and Professional Responsibility issued a formal opinion addressing lawyers’ ethical obligations when transmitting confidential client information. The opinion can be downloaded here.

All lawyers who deal with trade-secrets issues should read the opinion. But here are some highlights:

The opinion recognizes that law firms are hacking targets because:

(1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.

It then discusses applicable ethical rules, concluding that “lawyers must exercise reasonable efforts when using technology in communicating about client matters.” So what are reasonable efforts?

What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.

The opinion specifically mentions lawyers who deal with trade secrets, since those matters “may present a higher risk of data theft.” The fact-based analysis is often relatively simple in trade secrets cases: if you are transmitting your client’s trade secrets or related information, you may need to use “particularly strong protective measures”:

A fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances. Model Rule 1.4 may require a lawyer to discuss security safeguards with clients. Under certain circumstances, the lawyer may need to obtain informed consent from the client regarding whether to use enhanced security measures, the costs involved, and the impact of those costs on the expense of the representation where nonstandard and not easily available or affordable security methods may be required or requested by the client. Reasonable efforts, as it pertains to certain highly sensitive information, might require avoiding the use of electronic methods or any technology to communicate with the client altogether, just as it warranted avoiding the use of the telephone, fax and mail in Formal Opinion 99-413.

There is a simple takeaway for all trade-secrets lawyers: think very carefully about how you are transmitting confidential client info. This requires an open dialogue with the client. You need to figure out how you will be protecting this data while in transit (and at rest, but that’s a separate issue). At my firm, we have the capacity to encrypt individual emails on-demand, which can allow for secure transmission of sensitive data.

But this sensitive data isn’t only shared with clients. Often, it will need to be produced in litigation. Lawyers spend a lot of time negotiating protective/confidentiality orders with attorney’s eyes only (AEO) protections. But don’t forget to securely transmit AEO documents to the other side. For example, my firm uses a secure/encrypted document sharing platform.

Trade-secrets cases often move fast. But this ABA opinion shows that regardless of how intense the litigation becomes, lawyers must be cognizant of their obligations to protect clients’ confidential information.

Alley-Oops: The Orlando Magic Tweeted a Picture Showing Team Trade Secrets

Sometimes companies forget about even the most obvious protections for their trade secrets. For example, “don’t tweet out a picture of your secret business strategies.” The Orlando Magic recently did just that.

Earlier this month, a player’s agent tweeted a picture of the player signing a new contract with the Magic. But the picture also showed a dry-erase board listing the Magic’s off-season free-agent targets and trade possibilities. Now there are reports that the Magic’s general manager, who has since been fired, took the picture.

It goes without saying that the Magic don’t want the rest of the league knowing about their off-season personnel plans, which are arguably trade secrets if appropriately protected. But for some reason, they left those plans on a dry-erase board and then let an agent—who could potentially benefit from knowing that information—into the room. And then they allowed the contents of the board to be shared with the rest of the world. Not particularly savvy.

The lesson here is simple, and seemingly obvious: trade secrets need to be secret. They shouldn’t be left up on a dry-erase board. Or in papers on someone’s desk. This episode shows that even intelligent people can have a lapse of judgment. If you implement and enforce a trade-secrets policy that only allows storage of trade secrets in secure media, and limits disclosure of trade secrets to those who need them to do their jobs, you can minimize the “human error” element that led to this embarrassing gaffe.

The Cybersecurity Article that Every Executive Should Read Immediately

I love this article, titled Why America’s Current Approach to Cybersecurity Is So Dangerous. It should be required reading for all executives at companies at risk of a cyber attack — in other words, all companies. While the whole article is great, its core message can be reduced to a single sentence: People, not technology, are the key to reducing the risk of cyberattacks. I could not agree more, as I’ve written about before. Every company needs to ask: what can we do to create a culture of protection?

The article starts by identifying the problem:

We should be concerned that, as a society, our minds go mushy when it comes to “digital literacy,” “information security,” “online safety,” or whichever name we choose. In fact, that mushiness is a major reason why America’s current approach to cybersecurity is so dangerous. We’re ignoring the behaviors of the overwhelming majority of actual users, and therefore leaving the largest attack surface undefended. . . . To the extent we are all part of the contest in cyberspace, we’re essentially deploying our troops without armor, our submarines without sonar.

And as a result, “cybersecurity has transformed what is actually a ‘people problem with a technology component’ into its exact opposite.” Yes! Technology is not a panacea for preventing cyber attacks. Technology can’t protect your company’s biggest vulnerability: the people working there. “Until we embrace a vision of public cybersecurity that sees all people, at all ranges of skill, as essential to our collective security, there will be no widespread cybersecurity.” The same goes with your company. You can spend millions or more on tech-based protections, but if you ignore the human risk, your security is virtually certain to fail. And of course, if you are at risk of a cyberattack, you are at risk of trade-secret theft.

The article finishes with a great analogy between cybersecurity and public health:

We need to get better to increase our herd immunity against botnets. We need to see that cybersecurity—like all aspects of safety, security, and resilience—is a shared responsibility. Better devices and apps won’t save us, since there are myriad other ways that individuals—even highly trained ones—become the weak link allowing bad guys to access personal, corporate, and government information assets. And almost all efforts at online safety, while well-meaning, are so poorly designed as to preclude knowing whether they work. It’s not magic: As with health or safety education, we need to start with basic steps and repeatable behaviors—like hand-washing or looking both ways before crossing.

This is the key. In a mature organization that has fully embraced and achieved a culture of protection, the employees will treat cybersecurity as second nature. Good habits will have become routine. Unfortunately, I have yet to encounter a company that has reached this point. For a variety of reasons—dependence on technology first among them—just about all employees have a host of bad habits that put the company at risk.

Creating this culture is not easy. To the contrary, it will require repeated, sustained effort, initiated and supported from the very top of the organization down, over a long period of time. Nor will it guarantee that all cyberattacks will be thwarted. But I see no viable alternative. Any company that has not made employee-level protection a top priority is virtually certain to suffer repeated cyberattacks.

“Just Doin Blow and Erasing Evidence”

As the Defend Trade Secrets Act—which would create a federal cause of action for trade-secrets theft—makes its way through Congress, critics have focused on the proposed statute’s ex parte seizure provision. In a nutshell, the statute would allow for the entry of ex parte orders to seize specifically identified repositories of evidence that are at risk of destruction.

I’ve responded to these criticisms multiple times before (see here, here, and here). The statutory protections (e.g., the party subject to the order is entitled to a hearing within 7 days) combined with federal judges’ reluctance to issue ex parte orders are, in my view, sufficient to prevent abuse.

Meanwhile, the threat of evidence destruction is real. A recent case shows how far defendants can go to allegedly destroy evidence of trade-secrets theft.

As described in Law360, a radio-controlled-vehicle company sued several former employees for violating restrictive covenants and misappropriating trade secrets, among other claims. The plaintiff filed a motion seeking sanctions against the defendants for destroying evidence.

According to the plaintiff, the defendants destroyed “scores of emails, texts, and documents that described their scheme to start at least one rival toy car and boat business.”

One of the defendants—who sounds like a real winner—apparently sent a text message talking about how he expected to get served with the complaint, saying “That’s what I’m trying to deal with now so I can’t go out, just doin blow and erasing evidence.”

In misappropriation cases, the evidence is almost always in electronic form. And it’s way too easy for defendants to destroy this evidence. While a plaintiff could seek sanctions (as the plaintiff here is seeking against the guy “doin blow”), a plaintiff would almost always rather have the actual smoking gun proving misappropriation.

The ex parte seizure provision is a powerful tool that may allow companies to preserve critical evidence.

Can Periscope Broadcast Your Trade Secrets to the World?

Periscope is an app that allows users to broadcast live video using their smart phone. This technology has the power to transform the delivery of media and information. Essentially, every person can now effortlessly create live video content, whether it’s sharing a family event with those who can’t attend or witnessing a newsworthy event.

I keep hearing more and more about Periscope. For example, I’ve seen media members use it to share press conferences or behind-the-scenes info. At first blush, this may seem irrelevant to your company’s trade secrets. But that may not be the case.

Right now, through Periscope and similar apps, every one of your employees can instantaneously broadcast live video to the world. It’s much easier to share exactly what’s going on, in real time, at your company.

This raises multiple levels of concern. To start, employees may inadvertently transmit proprietary information. For example, an employee could be sharing a broadcast from work intended for his friends and family, while other employees discuss proprietary information within earshot. Even though there was no intent, this information was still shared outside the company.

Even worse, Periscope is a powerful tool in the hands of someone with malicious intent. There has long been a risk that malicious actors can easily capture video. But now, that video can be shared live. For example, an employee could surreptitiously broadcast a company meeting. Or live video of a proprietary process or system.

Periscope is another example of how rapidly evolving technology is constantly creating new risks to your trade secrets. Your trade-secrets policy needs periodic review to make sure it addresses new technology. Depending on the nature of your business, it may make sense to ban live broadcasts completely. Most importantly, you should discuss these issues with an attorney who can help you decide what protections are appropriate for your business.

The DOJ Announced Another Trade-Secrets Prosecution. What Does That Mean For Your Company?

There has been a lot of news coverage of the DOJ’s charges against Chinese professors for trade-secrets theft and violations of the Economic Espionage Act. Stories like this have become more common, as the DOJ has increased its focus on prosecuting trade-secrets theft. Often, these cases involve defendants with connections to foreign governments, and China in particular. As these cases have become more prevalent, the federal government has dedicated more resources to combating them.

Unfortunately, this will have little effect on most companies that fall victim to trade-secrets theft. The DOJ appears to have little interest in prosecuting run-of-the-mill trade-secrets theft, even though there may have been violations of a federal statute like the Economic Espionage Act. The DOJ simply does not have the resources to deal with the huge number of these cases. Thus, the vast majority of trade-secret misappropriation cases will be handled through civil lawsuits.

So what should you do if you believe your company has been the victim of trade-secrets theft? The answer is simple: you need to consult with an attorney specializing in this area of the law as soon as possible. Time is of the essence, and even a delay of a day or two could cause serious problems. Your attorney can advise you of your options. If your case is a good candidate for federal prosecution, your attorney should let you know. More likely, your options will involve civil remedies. Either way, you will need to make important decisions very quickly.

2-Minute Jimmy Kimmel Clip Shows Our Cybersecurity Culture Crisis

This video speaks volumes about our country’s attitudes towards cybersecurity:

Last week, I wrote about the importance of creating a culture that makes protection of trade secrets a top-line priority. This video shows why this culture is so important. Your employees need to be constantly aware of surreptitious attempts to get passwords. Spear phishing attacks are becoming more and more sophisticated; your employees need to be immediately suspicious of any attempt to get personal information, particularly passwords.

In the real world, bad actors are far more subtle than a Jimmy Kimmel reporter with a microphone and a video camera. The fact that people are willing to turn over their passwords on TV shows—particularly now, when cybersecurity issues have never been more visible—is depressing. Make sure your employees know better.

Trade Secrets Best Practices: Exit Interviews

This is the next in a series of posts addressing best practices for protecting trade secrets and proprietary information. Today’s topic: exit interviews, which can be a powerful tool to avoid, or at least anticipate, unwanted disclosure.

An exit interview is exactly what it sounds like. When an employee is leaving your company, you have someone meet with him to discuss various aspects of his departure. There are several goals: remind the employee of his legal obligations; make sure he has returned all company information, documents, and devices; and gather intelligence about his next job to determine the risk of unwanted disclosure.

The key is to have a set process that is automatically followed each time an employee leaves. Depending on the size and structure of your company, a single person or department should be responsible for conducting the interviews. That person should work from a checklist that includes all topics that must be discussed. To develop this process, consult with an attorney who specializes in trade-secrets issues who can help customize it to fit your company’s needs.

The checklist should include, at a minimum, the following:

Review of restrictive covenants and related agreements: Give the employee copies of any agreements he signed and remind him of specific noncompete, nonsolicitation, nondisclosure, and related obligations.

Review of non-contractual legal obligations: Remind the employee of his ongoing legal obligations to, for example, keep certain information confidential. The applicable laws vary state-by-state, so make sure to consult with an attorney familiar with your state’s laws.

Review inventory of all company devices: Hopefully, you are keeping an inventory of all company devices issued to the employee. Go through this inventory and make sure he has returned all of these devices.

Company information and documents: Ask whether the employee has any hard-copy documents or electronically stored information on his personal computer, devices, and storage media. If he does, give a set date for him to return or destroy the documents/information.

Sign acknowledgment: Have the employee sign an acknowledgment form that confirms he is aware of his legal obligations, has returned all company devices, and returned or destroyed all company documents/information.

Gather information: Ask the employee where he will be working next, and in what capacity. Also make sure you have the employee’s updated contact information.

Additionally, prior to the interview, you should work with your IT department to see if the departing employee recently accessed or used trade-secret information, particularly in an out-of-the-ordinary manner. If so, consult with an attorney, since it may be advisable to address this issue with the employee during the exit interview.

Often, this process will allow you to handicap the risk that the departing employee will illegally use your trade secrets and proprietary information. For example, be wary of an employee who refuses to tell you where he will be working next. Or an employee who refuses to attend the exit interview. In cases where you suspect something is amiss, consult with an attorney right away, since time is of the essence in these cases.

Again, there is no one-size-fits-all approach to exit interviews. Speak with an attorney to develop the process that best fits your company’s needs.

Data Breaches Increase Seven-Fold In One Year

According to a report by California’s attorney general, 18.5 million Californians were victims of cyber intrusions or data breaches in 2013. Remarkably, this was up from 2.5 million in 2012, a seven-fold increase. (Note that two major data breaches at Target and LivingSocial account for much of the increase.) A copy of the report is linked below, and this article summarizes the report.

The study breaks down the cause of the various breaches, with 53% caused by cyber incursions (e.g., hacking and malware), 26% arising from physical loss or theft, and the remainder coming from unintentional errors or deliberate misuse.

This report is yet another sign that the threat of data loss continues to increase dramatically. While the report focuses on breaches affecting consumer information, it has broader application to companies seeking to protect their proprietary information. Measures necessary to enhance data security and protect trade secrets overlap. Network security is at the heart of these efforts, and companies need to be willing to invest significant resources to keep their networks safe.

But network security is not the only area of concern. This report shows that the loss or theft of computers and other storage media presents another significant risk. For companies seeking to protect their trade secrets, this problem presents on various fronts. For example, companies need to make sure that company-issued computers, smartphones, and media have sufficient protections in case they are lost or stolen. Also, and more problematic, companies need to understand how their employees are using company documents and information on their personal devices. Similarly, companies need to keep tabs on how third parties, like vendors and consultants, are protecting shared proprietary documents.

I have frequently written about the need for companies to implement a trade-secrets policy. This policy would address these issues. For example, it could require that all proprietary documents are encrypted. And it could make sure that these documents are disseminated narrowly, to those employees who need them to do their jobs. For those companies that fail to implement and enforce necessary restrictions, the loss of proprietary information may be inevitable.

2014 California Data Breach Report

Recycled Passwords Can Trash Your Trade Secrets

Recently, a hacker posted a number of usernames and passwords for Dropbox. Considering how many companies are now using Dropbox and other cloud-based providers to share documents, this is obviously a problem. But it does not appear that Dropbox itself was hacked. Instead, as noted by this Slate article, the hacker likely targeted smaller sites with weaker security:

The most likely source of the information is a third-party site that had poor security. Hackers know that most internet users re-use their passwords, so they often target smaller apps made by amateur developers. These easy targets have poor security — so usernames, passwords or files may be stored in a way that’s easy for hackers to steal them.

In other words, most people use the same passwords across multiple sites. Including your employees. This is a BIG problem. Forgive the cliché, but password protection is only as good as the weakest link in the chain. You can spend millions of dollars protecting your network and proprietary information. But if another site where your employees have accounts is hacked, and your employees use the exact same passwords there as they use for your network, your network and information are at risk.

I cannot overstate the importance of making sure that your employees don’t use the same password for your system that they use for other sites. You need to make employees aware of this rule, and strictly enforce it. One option is to create passwords for your employees instead of allowing them to create their own. And change the passwords routinely. Also, as biometric technology develops and becomes more affordable, it presents another option.

There’s a reason we all use the same passwords across multiple sites: it makes life easier. But you need to ensure that your employees don’t allow their convenience to threaten your company.
