The Cybersecurity Article that Every Executive Should Read Immediately

I love this article, titled Why America’s Current Approach to Cybersecurity Is So Dangerous. It should be required reading for all executives at companies at risk of a cyber attack — in other words, all companies. While the whole article is great, its core message can be reduced to a single sentence: People, not technology, are the key to reducing the risk of cyberattacks. I could not agree more, as I’ve written about before. Every company needs to ask: what can we do to create a culture of protection?

The article starts by identifying the problem:

We should be concerned that, as a society, our minds go mushy when it comes to “digital literacy,” “information security,” “online safety,” or whichever name we choose. In fact, that mushiness is a major reason why America’s current approach to cybersecurity is so dangerous. We’re ignoring the behaviors of the overwhelming majority of actual users, and therefore leaving the largest attack surface undefended. . . . To the extent we are all part of the contest in cyberspace, we’re essentially deploying our troops without armor, our submarines without sonar.

And as a result, “cybersecurity has transformed what is actually a ‘people problem with a technology component’ into its exact opposite.” Yes! Technology is not a panacea for preventing cyber attacks. Technology can’t protect your company’s biggest vulnerability: the people working there. “Until we embrace a vision of public cybersecurity that sees all people, at all ranges of skill, as essential to our collective security, there will be no widespread cybersecurity.” The same goes with your company. You can spend millions or more on tech-based protections, but if you ignore the human risk, your security is virtually certain to fail. And of course, if you are at risk of a cyberattack, you are at risk of trade-secret theft.

The article finishes with a great analogy between cybersecurity and public health:

We need to get better to increase our herd immunity against botnets. We need to see that cybersecurity—like all aspects of safety, security, and resilience—is a shared responsibility. Better devices and apps won’t save us, since there are myriad other ways that individuals—even highly trained ones—become the weak link allowing bad guys to access personal, corporate, and government information assets. And almost all efforts at online safety, while well-meaning, are so poorly designed as to preclude knowing whether they work. It’s not magic: As with health or safety education, we need to start with basic steps and repeatable behaviors—like hand-washing or looking both ways before crossing.

This is the key. In a mature organization that has fully embraced and achieved a culture of protection, the employees will treat cybersecurity as second nature. Good habits will have become routine. Unfortunately, I have yet to encounter a company that has reached this point. For a variety of reasons—dependence on technology first among them—just about all employees have a host of bad habits that put the company at risk.

Creating this culture is not easy. To the contrary, it will require repeated, sustained effort, initiated and supported from the very top of the organization down, over a long period of time. Nor will it guarantee that all cyberattacks will be thwarted. But I see no viable alternative. Any company that has not made employee-level protection a top priority is virtually certain to suffer repeated cyberattacks.

“Just Doin Blow and Erasing Evidence”

As the Defend Trade Secrets Act—which would create a federal cause of action for trade-secrets theft—makes its way through Congress, critics have focused on the proposed statute’s ex parte seizure provision. In a nutshell, the statute would allow for the entry of ex parte orders to seize specifically identified repositories of evidence that are at risk of destruction.

I’ve responded to these criticisms multiple times before (see here, here, and here). The statutory protections (e.g., the party subject to the order is entitled to a hearing within 7 days) combined with federal judges’ reluctance to issue ex parte orders are, in my view, sufficient to prevent abuse.

Meanwhile, the threat of evidence destruction is real. A recent case shows how far defendants can go to allegedly destroy evidence of trade-secrets theft.

As described in Law360, a radio-controlled-vehicle company sued several former employees for violating restrictive covenants and misappropriating trade secrets, among other claims. The plaintiff filed a motion seeking sanctions against the defendants for destroying evidence.

According to the plaintiff, the defendants destroyed “scores of emails, texts, and documents that described their scheme to start at least one rival toy car and boat business.”

One of the defendants—who sounds like a real winner—apparently sent a text message talking about how he expected to get served with the complaint, saying “That’s what I’m trying to deal with now so I can’t go out, just doin blow and erasing evidence.”

In misappropriation cases, the evidence is almost always in electronic form. And it’s way too easy for defendants to destroy this evidence. While a plaintiff could seek sanctions (as the plaintiff here is seeking against the guy “doin blow”), a plaintiff would almost always rather have the actual smoking gun proving misappropriation.

The ex parte seizure provision is a powerful tool that may allow companies to preserve critical evidence.

The DOJ Announced Another Trade-Secrets Prosecution. What Does That Mean For Your Company?

There has been a lot of news coverage of the DOJ’s charges against Chinese professors for trade-secrets theft and violations of the Economic Espionage Act. Stories like this have become more common, as the DOJ has increased its focus on prosecuting trade-secrets theft. Often, these cases involve defendants with connections to foreign governments, and China in particular. As these cases have become more prevalent, the federal government has dedicated more resources to combating them.

Unfortunately, this will have little effect on most companies that fall victim to trade-secrets theft. The DOJ appears to have little interest in prosecuting run-of-the-mill trade-secrets theft, even though there may have been violations of a federal statute like the Economic Espionage Act. The DOJ simply does not have the resources to deal with the huge number of these cases. Thus, the vast majority of trade-secret misappropriation cases will be handled through civil lawsuits.

So what should you do if you believe your company has been the victim of trade-secrets theft? The answer is simple: you need to consult with an attorney specializing in this area of the law as soon as possible. Time is of the essence, and even a delay of a day or two could cause serious problems. Your attorney can advise you of your options. If your case is a good candidate for federal prosecution, your attorney should let you know. More likely, your options will involve civil remedies. Either way, you will need to make important decisions very quickly.

Professors Invent Threat of “Trade Secret Trolls”

I’ve written several times in the past about the proposed legislation to create a federal cause of action for trade-secrets misappropriation (see here, here, and here). I also wrote a response to a letter signed by a number of professors who opposed this legislation. Now, Professors David S. Levine and Sharon K. Sandeen have written a law review article titled “Here Come the Trade Secret Trolls.” This article misses the mark by a mile.

Here is the article’s core argument:

The [proposed federal] Acts are most likely to spawn a new intellectual property predator: the heretofore unknown “trade secret troll,” an alleged trade secret owning entity that uses broad trade secret law to exact rents via dubious threats of litigation directed at unsuspecting defendants.

The use of the term “troll” is meant to evoke patent trolls, who have been the subject of much scorn. But the so-called “trade secret troll” is far different from a patent troll. The latter actually own patent rights, which they wield to seek licensing fees. The article’s mythical trade-secret troll is simply someone willing to bring a frivolous lawsuit to extort an undeserved settlement. I suspect the authors chose this term to piggyback on the negative attention heaped on patent trolls, thereby arming the legislation’s opponents with a pejorative term that may scare legislators or their constituents.

Putting titles aside, the article can’t reconcile its core argument with the fact that, as the authors acknowledge, “trade secrecy has been generally free of similar trolling behavior.” In other words, there is no epidemic of frivolous trade-secret lawsuits under the current state-law framework. (Certainly, there are weak misappropriation cases, just like with any cause of action. But I haven’t seen any evidence to suggest that such cases are disproportionately filed.)

The authors try to make the point that the proposed federal acts would transform trade-secrets law such that threatening and filing frivolous lawsuits would become commonplace. Yet the article does not really explain why this is so. It gets closest when discussing the proposed ex parte seizure provisions. But as I mentioned in my response to the professors’ letter, this risk is highly overblown. Convincing a federal judge to enter ex parte relief is no simple matter. And the defendant will have the right to challenge any seizure order very soon after its entry. Federal judges will not be amused if they have been manipulated into entering unnecessary ex parte orders.

The article fears that “trolls” will be able to threaten an ex parte seizure, which will be sufficient to scare a defendant into paying up before the suit is filed. Yet any innocent defendant will know that the likelihood of such an order being entered is slim. Further, simply sending the letter would undermine an attempt to get an ex parte seizure order. If the plaintiff was able to send a demand letter, thereby putting the defendant on notice of the possible claim, then a judge would be highly skeptical of a claimed need for an ex parte order.

The article also argues that unsettled interpretative questions relating to the acts will fuel frivolous lawsuits. But the article forgets that creating a federal cause of action will quickly lead to a much more robust body of published caselaw interpreting the statute. While there are very few published trial-court-level decisions in state courts, U.S. district court orders are widely available.

Frankly, state courts are much more susceptible to frivolous trade-secrets suits than federal courts. Take Florida, for example. Here, state court judges have to deal with remarkably bloated dockets. In fact, I’ve had multiple cases where it took months to get an emergency injunction hearing. State-court judges generally don’t have law clerks. And in Florida, judges often rotate between civil, criminal, family, and dependency divisions. This latter point is critical: judges often don’t spend enough time in the civil division to develop a familiarity with trade-secrets law. All of these issues lead to uncertainty, which would seemingly aid the unscrupulous litigant looking to extort a settlement. Yet, as the authors themselves acknowledge, we simply have not seen this so-called trolling.

There’s no question that frivolous lawsuits would be filed under the proposed federal legislation, just like under every other cause of action. But there is absolutely no credible reason to believe that such suits can’t be remedied with the typical mechanisms designed to ferret out meritless claims, like Rule 11 motions.

As I’ve argued in the past, the proposed legislation has tangible benefits that aid trade-secrets owners in protecting their critical proprietary information. The arguments lobbed up in opposition—including the manufactured risk of “trolling”—don’t hold up to careful scrutiny.

2-Minute Jimmy Kimmel Clip Shows Our Cybersecurity Culture Crisis

This video speaks volumes about our country’s attitudes towards cybersecurity:

Last week, I wrote about the importance of creating a culture that makes protection of trade secrets a top-line priority. This video shows why this culture is so important. Your employees need to be constantly aware of surreptitious attempts to get passwords. Spear phishing attacks are becoming more and more sophisticated; your employees need to be immediately suspicious of any attempt to get personal information, particularly passwords.

In the real world, bad actors are far more subtle than a Jimmy Kimmel reporter with a microphone and a video camera. The fact that people are willing to turn over their passwords on TV shows—particularly now, when cybersecurity issues have never been more visible—is depressing. Make sure your employees know better.

Data Breaches Increase Seven-Fold In One Year

According to a report by California’s attorney general, 18.5 million Californians were victims of cyber intrusions or data breaches in 2013. Remarkably, this was up from 2.5 million in 2012, a seven-fold increase. (Note that two major data breaches at Target and LivingSocial account for much of the increase.) A copy of the report is linked below, and this article summarizes the report.

The study breaks down the cause of the various breaches, with 53% caused by cyber incursions (e.g., hacking and malware), 26% arising from physical loss or theft, and the remainder coming from unintentional errors or deliberate misuse.

This report is yet another sign that the threat of data loss continues to increase dramatically. While the report focuses on breaches affecting consumer information, it has broader application to companies seeking to protect their proprietary information. Measures necessary to enhance data security and protect trade secrets overlap. Network security is at the heart of these efforts, and companies need to be willing to invest significant resources to keep their networks safe.

But network security is not the only area of concern. This report shows that the loss or theft of computers and other storage media presents another significant risk. For companies seeking to protect their trade secrets, this problem presents on various fronts. For example, companies need to make sure that company-issued computers, smartphones, and media have sufficient protections in case they are lost or stolen. Also, and more problematic, companies need to understand how their employees are using company documents and information on their personal devices. Similarly, companies need to keep tabs on how third parties, like vendors and consultants, are protecting shared proprietary documents.

I have frequently written about the need for companies to implement a trade-secrets policy. This policy would address these issues. For example, it could require that all proprietary documents are encrypted. And it could make sure that these documents are disseminated narrowly, to those employees who need them to do their jobs. For those companies that fail to implement and enforce necessary restrictions, the loss of proprietary information may be inevitable.

2014 California Data Breach Report

Recycled Passwords Can Trash Your Trade Secrets

Recently, a hacker posted a number of usernames and passwords for Dropbox. Considering how many companies are now using Dropbox and other cloud-based providers to share documents, this is obviously a problem. But it does not appear that Dropbox itself was hacked. Instead, as noted by this Slate article, the hacker likely targeted smaller sites with weaker security:

The most likely source of the information is a third-party site that had poor security. Hackers know that most internet users re-use their passwords, so they often target smaller apps made by amateur developers. These easy targets have poor security — so usernames, passwords or files may be stored in a way that’s easy for hackers to steal them.

In other words, most people use the same passwords across multiple sites. Including your employees. This is a BIG problem. Forgive the cliché, but password protection is only as good as the weakest link in the chain. You can spend millions of dollars protecting your network and proprietary information. But if another site where your employees have accounts is hacked, and your employees use the exact same passwords there as they use for your network, your network and information are at risk.

I cannot overstate the importance of making sure that your employees don’t use the same password for your system that they use for other sites. You need to make employees aware of this rule, and strictly enforce it. One option is to create passwords for your employees instead of allowing them to create their own. And change the passwords routinely. Also, as biometric technology develops and becomes more affordable, it presents another option.

There’s a reason we all use the same passwords across multiple sites: it makes life easier. But you need to ensure that your employees don’t allow their convenience to threaten your company.
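The post describes the risk in words; a concrete way an IT department can enforce the rule is to screen every new password at the moment it is set, both against a corpus of credentials known to have leaked from other sites and against the employee’s own previous passwords. The following is an added example, not code from the original post or from any vendor, and the breach corpus it checks against is a constructed three-entry sample standing in for a real leaked-credential dataset. It uses the hash-prefix range lookup pattern (only the first five characters of the SHA-1 hash are sent to the lookup, so the password itself never leaves the client) and stores password history as salted PBKDF2 hashes so the history check cannot itself become a leak.

```python
import hashlib
import hmac
import os

# Constructed sample of passwords that (hypothetically) appeared in a third-party
# site's breach dump. A real deployment would load millions of these from a
# breach-corpus provider; the corpus is stored as uppercase SHA-1 hex digests.
_CONSTRUCTED_LEAK = ["password123", "letmein", "correcthorsebattery"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in _CONSTRUCTED_LEAK}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the SHA-1 digest into the 5-char prefix that is looked up and the
    35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_query(prefix: str) -> set:
    """Stand-in for a k-anonymity range lookup against the breach corpus: the
    caller reveals only the prefix and receives every suffix sharing it."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def appears_in_breach_corpus(password: str) -> bool:
    """True if the candidate password is in the (constructed) leaked set."""
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in range_query(prefix)


def hash_for_history(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 hash suitable for storing password history.
    A fresh random salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, derived


def matches_history(password: str, history: list) -> bool:
    """True if the candidate equals any previously used password for this
    account; comparison is constant-time to avoid leaking partial matches."""
    for salt, stored in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, stored):
            return True
    return False


def evaluate_new_password(password: str, history: list, min_length: int = 12) -> list:
    """Return the list of reasons a proposed password should be rejected.
    An empty list means the password passes all checks."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if appears_in_breach_corpus(password):
        reasons.append("appears in a known third-party breach corpus")
    if matches_history(password, history):
        reasons.append("reuses a previous password for this account")
    return reasons


if __name__ == "__main__":
    # Constructed account history: one prior password, stored salted and hashed.
    prior = [hash_for_history("Gr8tTradeSecr3t!!")]
    for candidate in ["correcthorsebattery", "Gr8tTradeSecr3t!!", "fresh-passphrase-for-work-42"]:
        print(candidate, "->", evaluate_new_password(candidate, prior) or "accepted")
```

The breach-corpus check is what actually addresses the scenario in the post: an employee's password exposed by a weaker third-party site is caught when they try to use it on the company system, regardless of how strong it looks. The history check covers the separate habit of cycling back to an old password after a mandatory change.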

Are Your Smartphone Apps Leaking Your Trade Secrets?

As the online world shifts increasingly to mobile devices, new and unexpected threats to your company’s proprietary information emerge. Many apps on your smartphone contain in-app internet browsers. For example, when you open the Twitter app, you can click on links within tweets, which you will then view in Twitter’s in-app browser.

This blog post by web developer Craig Hockenberry shows that in-app browsers on iPhones and iPads have a serious security flaw: the app can record your keystrokes. Thus, any sensitive information entered in the in-app browser can be recorded by the app. So, for example, if one of your employees uses an in-app browser to send an email containing your proprietary information, that information could be at risk.

Hockenberry has a simple recommendation for avoiding this problem:

You should never enter any private information while you’re using an app that’s not Safari. An in-app browser is a great tool for quickly viewing web content, especially for things like links in Twitterrific’s timeline. But you should always open a link in Safari if you have any concern that your information might be collected. Safari is the only app on iOS that comes with Apple’s guarantee of security.

Problems like this are hard to predict, since technology is changing so rapidly. The best way to avoid unexpected security risks is to implement a trade-secrets policy that restricts the manner in which your proprietary information can be circulated.

Will the “Internet of Things” Be A Nightmare for Trade Secrets?

I’ve been on a bit of a hiatus from posting over the past couple of weeks, during which I had a bench trial on a trade-secrets injunction. Since that case is still pending, I’m not going to write about it just yet.

Today, let’s look at the so-called “internet of things” — the increasing number of household, business, and other objects that are now internet-enabled. I love being able to access things like my home alarm and thermostat remotely via my iPhone. And there’s no question that the “internet of things” will be growing exponentially in the near future. But does this present a threat to trade secrets and proprietary information?

A recent blog post by Michael Jordon shows the risks. He exposed security weaknesses in internet-enabled printers by getting a Canon Pixma wireless printer to run the classic video game “Doom.”

The post contains a lot of technical details. But most importantly, his exercise shows that internet-enabled printers lag far behind traditional network devices when it comes to security. This is critical: if someone can hack into your company’s printers, they could have access to all of the documents that were printed.

Jordon’s organization recommends avoiding the internet of things entirely:

Context recommends that you do not put your wireless printers on the Internet, or any other ‘Internet of Things’ device. To defend against the CSRF [cross-site request forgery] attack, well, don’t follow any dodgy links is the best advice I can come up with. Context is not aware of anyone in the wild actively using this type of attack, but hopefully we can increase the security of these types of devices before the bad guys start to. Finally, make sure that you always apply the latest available firmware to your devices. This is often not an automatic process and may require checking on the manufacturer’s website for updates.

As time goes on, it will be very difficult, if not impossible, to avoid using the “internet of things” in a business context. When you do connect devices to the internet, assume that they have security vulnerabilities. Thus, before connecting the device to the internet, you need to work with your IT department/consultants to make sure that it has adequate security features.


Congressmen Explain Why You Need to Be Proactive About Trade-Secret Theft

In today’s partisan political climate, it’s rare to see an issue that unites members of both parties. But trade-secrets theft has become such a significant threat to our economy that there is now a bipartisan effort to pass federal trade-secret legislation.

Last week, Congressmen Hakeem Jeffries (D-NY), Howard Coble (R-NC), John Conyers Jr. (D-MI), Steve Chabot (R-OH), Jerrold Nadler (D-NY), and George Holding (R-NC), all members of the House Judiciary Committee, published an article explaining why they introduced the “Trade Secrets Protection Act of 2014.”

The Congressmen’s article does a great job detailing the threat that companies face.

They start off with a sobering statistic: “The devastating reality is that theft of trade secrets costs the American economy billions of dollars per year.” They cite to a 2013 study by the Executive Office of the President that found that “the pace of economic espionage and trade secret theft against U.S. corporations is accelerating.” That study gave examples of large-scale trade-secret theft, including stolen trade secrets from Dupont and Goldman Sachs valued at $400 million and $500 million, respectively.

They close by making the point that the current scheme, under which each state has its own trade-secret-misappropriation laws, is inadequate to confront the threat:

The current patchwork is simply not enough to combat organized trade secret theft. All other forms of intellectual property – patents, copyrights, and trademarks – are afforded a civil cause of action in federal law. It is time we confer trade secrets with a similar level of protection to substantially mitigate the billions of dollars lost annually through theft of our intellectual property.

Hopefully, either this or the similar Defend Trade Secrets Act (discussed here and here) will pass. But regardless, companies must be proactive about protecting their trade secrets. State and federal laws creating causes of action for trade-secret theft are great, but litigation is never ideal. You should consult with an attorney with expertise in this area to make sure you are taking all reasonable steps to protect your proprietary information. Doing so will help you avoid the need for expensive and time-consuming litigation.
