Are Your Smartphone Apps Leaking Your Trade Secrets?

As the online world shifts increasingly to mobile devices, new and unexpected threats to your company’s proprietary information emerge. Many apps on your smartphone contain in-app internet browsers. For example, when you open the Twitter app, you can click on links within tweets, which you will then view in Twitter’s in-app browser.

This blog post by web developer Craig Hockenberry shows that in-app browsers on iPhones and iPads have a serious security flaw: the app can record your keystrokes. Thus, any sensitive information entered in the in-app browser can be recorded by the app. So, for example, if one of your employees uses an in-app browser to send an email containing your proprietary information, that information could be at risk.

Hockenberry has a simple recommendation for avoiding this problem:

You should never enter any private information while you’re using an app that’s not Safari. An in-app browser is a great tool for quickly viewing web content, especially for things like links in Twitterrific’s timeline. But you should always open a link in Safari if you have any concern that your information might be collected. Safari is the only app on iOS that comes with Apple’s guarantee of security.

Problems like this are hard to predict, since technology is changing so rapidly. The best way to avoid unexpected security risks is to implement a trade-secrets policy that restricts the manner in which your proprietary information can be circulated.

Will the “Internet of Things” Be A Nightmare for Trade Secrets?

I’ve been on a bit of a hiatus from posting over the past couple of weeks, during which I had a bench trial on a trade-secrets injunction. Since that case is still pending, I’m not going to write about it just yet.

Today, let’s look at the so-called “internet of things” — the increasing number of household, business, and other objects that are now internet enabled. I love being able to access things like my home alarm and thermostat remotely via my iPhone. And there’s no question that the “internet of things” will be growing exponentially in the near future. But does this present a threat to trade secrets and proprietary information?

A recent blog post by Michael Jordon shows the risks. He exposed security weaknesses in internet-enabled printers by getting a Canon Pixma wireless printer to run the classic video game “Doom.”

The post contains a lot of technical details. But most importantly, his exercise shows that internet-enabled printers lag far behind traditional network devices when it comes to security. This is critical: if someone can hack into your company’s printers, they could have access to all of the documents that were printed.

Jordon’s organization recommends avoiding the internet of things entirely:

Context recommends that you do not put your wireless printers on the Internet, or any other ‘Internet of Things’ device. To defend against the CSRF [cross-site request forgery] attack, well don’t follow any dodgy links is the best advice I can come up with. Context is not aware of anyone in the wild actively using this type of attack, but hopefully we can increase the security of these types of devices before the bad guys start to. Finally, make sure that you always apply the latest available firmware to your devices. This is often not an automatic process and may require checking on the manufacturer’s website for updates.

As time goes on, it will be very difficult, if not impossible, to avoid using the “internet of things” in a business context. When you do connect devices to the internet, assume that they have security vulnerabilities. Thus, before connecting the device to the internet, you need to work with your IT department/consultants to make sure that it has adequate security features.

 

Can Mark Cuban’s Cyber Dust Help Protect Proprietary Information?

Cyber Dust is an app that lets users send text messages without leaving a digital fingerprint. All texts “self destruct” within 30 seconds, after which they are not stored anywhere — including on Cyber Dust’s servers. Also, Cyber Dust notifies you if someone takes a screenshot of one of your Cyber Dust texts.

Mark Cuban is behind Cyber Dust. In a recent Forbes article, he explained that the idea came from his own experience of having the SEC use his text messages in its insider-trading action against him: “That the phone companies and your text recipients own your texts and even the most innocent text can take on a whole new context. I wanted to have a means of communication that is analogous to face to face – where you can speak openly and honestly. That is why we created Cyber Dust.”

Similar technology is being developed for emails. For example, The Atlantic recently wrote about Pluto Mail, which includes features that allow the sender to set an email to expire after a set time. After that, the recipient can no longer view the email.

As Cuban notes, emails and texts create a digital record that can last forever. When your employees (or others, like consultants or vendors) send emails and text messages that contain your proprietary information, there is a risk of disclosure. As more companies use bring-your-own-device policies, those companies lose even more control of information sent via text and email.

I’ve been thinking of how to use this technology to minimize unwanted disclosure. For example, a company could require that all work-related text messages be sent via Cyber Dust. Emails are a bit more complicated, since there is often a need to preserve emails for later use. But a company could require that all emails containing proprietary information, or attaching certain proprietary documents, be sent with a scheduled expiration date.

In the end, these policies would only be effective if there’s a way to monitor compliance. Otherwise, it’s not worth the effort. Also, these policies likely would not deter someone who is sending the information with malicious intent, such as an employee who knows he will be leaving to work for a competitor. UPDATE: In fact, such a person could use this technology to cover his tracks.

But it’s worth exploring how to use new technology like Cyber Dust to help bolster efforts to protect proprietary information.

Is Facebook Buying a Massive Trade-Secrets-Theft Liability?

Big trade-secret news last week. Oculus VR, Inc., the virtual-reality company Facebook is acquiring for $2 billion, was sued by Zenimax Media Inc. for trade-secrets misappropriation. Zenimax owns popular video-game titles such as Doom and Wolfenstein. A copy of the complaint is linked below.

Facebook’s acquisition of Oculus received widespread media coverage. This lawsuit, which will likely seek billions in damages, should draw extensive media interest.

According to the complaint, when Oculus’s founder (Palmer Luckey, named as a defendant) was developing Oculus’s VR headset called “Rift,” Zenimax provided Luckey with Zenimax’s proprietary information. This information allowed Oculus to transform Rift from a primitive, non-functional prototype into a viable platform justifying Facebook’s billions. After that, the Zenimax employees involved left to work for Oculus.

There are always two sides to every story, and so far we’ve only heard from Zenimax. But the complaint paints a pretty egregious picture of trade-secret theft. One example: After leaving Zenimax, where he had signed an agreement providing that any intellectual property he created for Zenimax belonged to Zenimax, to join Oculus, John Carmack tweeted: “When you are in a hurry, and you know you wrote the exact needed code (well!) at a previous job, reimplementation grates.”

While Zenimax appears to have a strong case, I see some potential issues. Most importantly, Zenimax did not have Oculus sign a nondisclosure agreement until after Zenimax had provided Oculus with at least some of its proprietary information. Oculus will likely argue that Zenimax did not reasonably protect this information, since it shared it with a third-party without requiring a confidentiality agreement.

This leads to the biggest takeaway thus far for companies looking to protect their proprietary information: Never share this information with anyone, for any purpose, unless that person/entity executes a nondisclosure agreement.

It’s also interesting that a company as sophisticated as Zenimax would allow its employees to provide significant proprietary information to a third party without first working out, and documenting, how it would be compensated. Later on, the two companies tried to negotiate a compensation agreement, to no avail.

Finally, any company that doubts the risks employees present to its proprietary information should look at the responses to the Carmack tweet I discussed above, which has 95 “favorites.” Sample response: “that’s what USB sticks are for…”

I will monitor this case and write about its developments.

Zenimax Complaint

 

In Defense of the Defend Trade Secrets Act

In my last post, I discussed the recently proposed, bipartisan Defend Trade Secrets Act that would create a federal cause of action for trade-secret misappropriation. I wrote favorably about the statute’s mechanism allowing a judge to enter an ex parte order to preserve evidence. Since then, I’ve discussed this provision with several people who have concerns about it. This post responds to these criticisms.

To start, I want to explain why this provision is so important. Trade-secret theft is overwhelmingly accomplished by electronic means, such as through email, downloading to portable media, or via remote access to IT systems. Companies suspecting trade-secret theft can often determine where and how the information was stolen. For example, forensic techniques can identify that certain documents were saved to a flash drive on a specific date.

The Defend Trade Secrets Act permits the company, armed with this information, to seek an order requiring seizure or preservation of the media/computer/etc to which the information was downloaded. As a result, critical evidence that could otherwise easily be destroyed would be preserved. Without a statutory provision specifically authorizing this remedy, most litigants find it very difficult to convince a judge to enter this type of order.

I’ve heard concerns about the risk that judges will improvidently grant ex parte seizure orders brought in bad faith by unscrupulous litigants, potentially causing significant unjustified damage to defendants. This risk, while real, is present any time a judge hears an ex parte motion for temporary restraining order. The overwhelming majority of judges are reluctant to enter an ex parte injunction unless absolutely necessary. And this statute contains requirements that make it materially more difficult to get a seizure order as compared to a TRO.

In particular, the Defend Trade Secrets Act borrows from the Trademark Act’s procedure for seizing goods containing counterfeit trademarks. These requirements go beyond the typical TRO prerequisites. For example, the movant must show evidence that the item to be seized will be in a certain location. The court must also take measures to protect the defendant from publicity regarding the seizure. Further, the order directing seizure remains sealed until the defendant has an opportunity to contest it at a hearing that must occur within 15 days of entering the ex parte order. And as a final example, the statute provides for damages, including punitive damages, if the defendant is damaged by the wrongful entry of a seizure order.

These protections go a long way to minimize the likelihood that orders are improperly entered. In the end, the benefit of avoiding destruction of evidence—which happens all too frequently—outweighs the risk of unwarranted orders, particularly given the statute’s protections.

Novel Legal Strategy Deflates Employer’s Trade-Secrets Case

Recently, in Putters v. Rmax Operating, LLC, 2014 WL 1466902 (N.D. Ga. April 15, 2014) (opinion linked below), the court dismissed a counterclaim for trade-secrets misappropriation, brought in response to a declaratory judgment action filed by the defendant’s former employee. When I first read this opinion, I thought that the defendant did not move fast enough, thereby allowing the plaintiff to select the forum. When I dug further, however, I found out I was wrong.

In this case, the defendant is a Texas company that manufactures insulation materials. The plaintiff worked for the defendant for 26 years in Georgia as a sales manager, and had access to the defendant’s confidential information. After the plaintiff left the defendant to work for a competitor, the defendant discovered that the plaintiff “had downloaded documents containing proprietary and confidential information to an external hard drive.”

While not clear from this opinion, the complaint gives the back story. A copy is linked below. The defendant originally filed suit in Texas state court and obtained an ex parte temporary restraining order prohibiting the plaintiff from working for his new employer.

After that, the plaintiff made an interesting legal maneuver. He filed this lawsuit in Georgia state court, seeking a declaration that he is permitted to continue working for his new employer, and an injunction prohibiting the defendant from prosecuting the Texas action, since Texas courts did not have personal jurisdiction over him.

This maneuver worked. The case (after being removed to federal court) is proceeding in Georgia federal court, where the court dismissed the defendant’s counterclaim and denied the defendant’s request for a TRO.

Normally, when a defendant believes that there is no personal jurisdiction over him, he will simply litigate that issue in front of the court where the plaintiff filed the lawsuit. Here, the employee took an entirely different course and successfully redirected the litigation to a different forum. And he was able to get the case in front of a judge with much more favorable views of his case.

Takeaway: Companies should be wary of personal-jurisdiction issues when filing trade-secrets lawsuits. The last thing you want is to be bogged down in a personal jurisdiction fight before the court will even hear a temporary injunction motion. Or, even worse, you could end up like the employer in this case, who spent time and money getting a TRO, only to be whisked away to a Georgia court with a very different view of the employer’s arguments.

Also, had this company simply had its employees sign restrictive covenants (including a venue and jurisdiction clause), they would be in a far better legal position.

Order

Complaint

Trade-Secrets Interview: Pamela Passman of CREATe.org

Protecting Trade Secrets is launching a new regular feature, where we will interview people of interest in the trade-secrets world. We start with Pamela Passman, President and CEO of CREATe.org. “The Center for Responsible Enterprise And Trade (CREATe.org) is a non-profit organization dedicated to helping companies and their suppliers and business partners reduce corruption and IP theft in the forms of counterfeiting, piracy and trade secret theft.”

Recently, I published a blog post discussing a new trade-secrets report published by CREATe.org. I asked Ms. Passman questions about CREATe.org and the report. I’ll be running the interview in two parts. Check back later this week for part 2.

Protecting Trade Secrets: Let’s start with some background on CREATe.org. When was it created? By whom? Why? What are its primary activities?

Pamela Passman: While at Microsoft, as Corporate Vice President and Deputy General Counsel for Global Corporate and Regulatory Affairs, I led regulatory compliance work on a range of issues in more than 100 countries. For nearly six years I also headed Legal and Corporate Affairs in Asia, based in Tokyo, with a focus on Japan, Korea and the People’s Republic of China.

My collective experience—in compliance, corporate leadership, public policy and emerging markets—led me to consider a new approach to two critical issues for companies around the world: intellectual property (IP) protection and anti-corruption.

The genesis for the idea of CREATe.org was based in recognizing that companies such as Microsoft, GE, P&G and many others have spent years developing robust management systems and best practices to appropriately manage and use IP and to prevent corruption. Equally important was a belief that the private sector can play a powerful role in driving responsible business practices and bridging regulatory gaps where adequate laws do not exist or enforcement is weak.

From these perspectives, CREATe.org was founded in October 2011. As a non-profit organization, CREATe.org works across industries and geographies with a mission to bring leading practices in IP protection and anti-corruption to all companies. The organization works to provide cost-effective and practical assessments, benchmarking, tools and step-by-step guidance for companies, particularly those that lack a track record of developing and implementing compliance programs.

PTS: Does CREATe.org have any policy objectives (e.g., lobbying for legislation, regulations)?

PP: CREATe.org is focused on ways the private sector can more effectively address the issues of IP protection and anti-corruption. We do this by helping companies around the world improve practices and put systems in place to mitigate the risks of IP theft and corruption. CREATe.org is not a lobbying organization.

PTS: What precipitated the “Economic Impact of Trade Secret Theft” report?

PP: In the organization’s first two years, our team gathered insights from companies around the world, gave countless presentations and partnered with think tanks, academics and experts on IP protection and anti-corruption. The challenge of trade-secret theft was a topic that surfaced throughout these exchanges. Companies are finding it increasingly difficult to protect trade secrets, both within companies and among third-parties.

PTS: Let’s turn to some of the details of the report. Your framework to safeguard trade secrets involves bringing key stakeholders into the process. Often, senior executives can be reluctant to participate in such a process. Any suggestions for building enthusiasm among senior executives?

PP: Most senior executives appreciate that trade secrets are key to the company’s value, ability to innovate and compete. For many, the question is where to start? Our intent was to break down a comprehensive approach into steps and provide tools for making the process practical. Providing a clear path and the benefits of safeguarding trade secrets can be helpful for building support internally.

PTS: Similarly, your report acknowledges that protecting trade secrets can require actions that may cut against other company priorities, such as maximizing productivity. For example, increased security measures may result in it taking longer for employees to access documents they need to perform their jobs. Any suggestions for building a corporate culture that values protecting trade secrets on par with other financial priorities?

PP: Each company must determine the correct level of actions appropriate for their corporate culture and then invest in training and awareness campaigns to help educate employees on the importance of protecting company trade secrets. In our work in Asia, for example, we see companies with increasing focus on building awareness within their employee base and key third parties – including IP protection campaigns that use a variety of media to promote good practices, from posters in the company cafeteria to e-learning and screen savers for desktop computers.

_______________________________

Later this week, Ms. Passman responds to my two critiques of the report and discusses CREATe.org’s next steps.

CREATe.org/PwC Report Makes the Case for Investing in Trade-Secret Protections

“Historically, . . . [trade secret protections] have been viewed as a cost, not an investment.” CREATe.org and PwC recently released a report titled “Economic Impact of Trade Secret Theft: A framework for companies to safeguard trade secrets and mitigate potential threats.” If you read this blog, you should read the report.

Next week, I will be interviewing for this blog one of CREATe.org’s principals responsible for the report. (CREATe.org is a non-profit “dedicated to helping companies and their suppliers and business partners reduce counterfeiting, piracy, trade secret theft and corruption.”)

The report seeks to change the mentality described in the above quote. It starts by estimating the cost of trade-secret theft, and concludes (based on a review of various proxies for trade-secret theft) that economic losses based on trade-secret theft amount to between 1 and 3 percent of GDP. Hopefully, numbers like this draw greater attention to the real risks companies face.

It next outlines categories of “threat actors” — those who seek to steal trade secrets. These include nation states, malicious insiders (including current and former employees, third-party consultants, and suppliers), competitors, transnational organized crime, and hacktivists (who try to use corporate information for political or social purposes).

Regarding employees, the report notes that “cultural and technological factors may heighten the insider threat in coming years . . . The nature of U.S. employees’ loyalties to their employers is changing because of the much higher rate of lifetime job changes.” The report also identifies “bring your own device” policies as an increased risk.

The report presents a framework for companies to identify and evaluate their trade secrets, audit their current protections, and make value-based improvements to these protections based on measuring ROI. This approach involves key stakeholders, educates them about the risks of trade-secret theft, and helps make the business case for protections.

While I have some issues with the framework (which, if handled improperly, could create documents that may undermine litigation efforts, and would likely need to be altered for many small and mid-sized businesses), it provides a comprehensive, incredibly useful starting point and roadmap.

Next week, I’ll examine the report in greater depth when I interview CREATe.org.

Small Business Data Theft: Risks and Solutions

Data theft is a hot topic now, with the recent high-profile thefts at Target and others. This issue has consequences for companies trying to protect trade secrets. For example, if a company is not taking measures to protect against data theft, a court could easily conclude that the company has not reasonably protected its proprietary information, and thus is not entitled to trade-secret protection under the Uniform Trade Secret Act.

Two recent articles in Entrepreneur address this problem head on. In “Why Your Small Business Is At Risk of a Hack Attack,” Heesun Wee explains the risks facing small businesses:

Last year, 31 percent of all attacks were aimed at companies with less than 250 employees, according to Symantec’s 2013 Internet Security Threat Report.

But many small businesses do not appreciate this risk:

Smaller ventures are particularly vulnerable because cybercriminals know they likely spend less to protect their digital information and infrastructure. Cheaper security measures also tend to be static, meaning those systems don’t evolve to keep up with criminals’ newest tricks. . . . Roughly 77 percent of small firms believe their company is safe from a cyberattack–even though 83 percent of those firms do not have a written security policy in place, according to the National Cyber Security Alliance and Symantec.

Small businesses need to do more to protect their sensitive data and proprietary information. In “Preventing Another Target Attack,” Eric Basu offers some suggestions for retailers that apply with equal force to many small businesses.

First, you should use network-monitoring software:

There are next generation software solutions that effectively visualize network traffic, break down machine-to-machine connections by service protocols and allow filtering by machine, service or even internet destination. For example, a North American-based retailer using a payment processing partner from the same continent should not see outbound connections from a POS terminal to places like Russia, China or Brazil. If they do, the connection should be dropped and the security administrator should be notified of the machine initiating the connection.

Second, improve application-level security:

Keeping [software applications] up to date with the latest versions and patches as well as performing penetration tests on both internal- and external-facing interfaces would have gone a long way to preventing the lateral movements the Target attackers were able to pull off in a short amount of time. Companies that develop in-house applications should also ensure they are designed securely from the get go, performing both static and active secure code reviews at every minor release. Furthermore, only authorized white-listed applications should be allowed to run and properly identified.
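The network-monitoring recommendation quoted above amounts to an egress allow-list check on traffic leaving POS terminals. The following is an added example, not code from either article: the POS subnet, the processor address range (a documentation range), the allowed ports and the sample flow records are all assumptions constructed for illustration, and an allow-list of known destination networks stands in for the country lookup the quote describes.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed addressing (hypothetical): POS terminals sit in their own subnet.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Assumed allow-list: (destination network, permitted destination ports).
ALLOWLIST = [
    (ipaddress.ip_network("203.0.113.0/24"), {443}),    # payment processor
    (ipaddress.ip_network("10.20.0.1/32"), {53, 123}),  # store gateway DNS/NTP
]

# Constructed sample flow records; the last row is deliberately malformed.
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,protocol
2014-02-01T09:00:01Z,10.20.0.11,203.0.113.10,443,tcp
2014-02-01T09:00:02Z,10.20.0.11,10.20.0.1,53,udp
2014-02-01T09:00:05Z,10.20.0.12,198.51.100.77,443,tcp
2014-02-01T09:00:09Z,10.20.0.12,198.51.100.77,21,tcp
2014-02-01T09:00:11Z,10.30.0.5,198.51.100.77,443,tcp
2014-02-01T09:00:15Z,10.20.0.13,203.0.113.10,8080,tcp
2014-02-01T09:00:20Z,10.20.0.14,not-an-ip,443,tcp
"""


def parse_flows(text):
    """Parse CSV flow records; return (flows, rejected_rows).

    Rows that fail to parse are kept separately so they can be reviewed
    instead of silently disappearing from the monitoring data.
    """
    flows, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            flows.append({
                "timestamp": row["timestamp"],
                "src": ipaddress.ip_address(row["src_ip"]),
                "dst": ipaddress.ip_address(row["dst_ip"]),
                "port": int(row["dst_port"]),
            })
        except (ValueError, TypeError, KeyError):
            rejected.append(row)
    return flows, rejected


def is_allowed(flow):
    """True if the destination and port match an allow-list entry."""
    return any(flow["dst"] in net and flow["port"] in ports
               for net, ports in ALLOWLIST)


def find_violations(flows):
    """Return POS-originated flows that match no allow-list entry."""
    return [f for f in flows
            if f["src"] in POS_SUBNET and not is_allowed(f)]


def alerts_by_terminal(violations):
    """Count violations per POS terminal for the administrator's report."""
    counts = defaultdict(int)
    for flow in violations:
        counts[str(flow["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed, bad_rows = parse_flows(SAMPLE_FLOWS)
    for v in find_violations(parsed):
        print(f"DROP+NOTIFY {v['timestamp']} {v['src']} -> "
              f"{v['dst']}:{v['port']}")
    print(f"{len(bad_rows)} record(s) could not be parsed")
```

A connection to the processor's network on an unexpected port is flagged as well, since the allow-list pairs each destination with the ports it is expected to use.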

Many small businesses do not have the know-how or resources to deal with this issue in-house. In that case, perhaps the most important step you can take is to speak with an IT expert to obtain customized recommendations for protecting your business’ sensitive information. Combining up-to-date IT solutions with proactive legal protections gives you the best chance of avoiding a problem in the first place. And it gives you the best chance to mitigate the damage if a breach occurs.