Tag Archives: cybertheft

Can Mark Cuban’s Cyber Dust Help Protect Proprietary Information?

July 24, 2014 By in Advice, General, Trade secrets, Trade Secrets In the News Tags: , , , , , , , Leave a comment

Cyber Dust is an app that lets users send text messages without leaving a digital fingerprint. All texts “self destruct” within 30 seconds, after which they are not stored anywhere — including on Cyber Dust’s servers. Also, Cyber Dust notifies you if someone takes a screenshot of one of your Cyber Dust texts.

Mark Cuban is behind Cyber Dust. In a recent Forbes article, he explained that the idea came from his own experience of having the SEC use his text messages in its insider-trading action against him: “That the phone companies and your text recipients own your texts and even the most innocent text can take on a whole new context. I wanted to have a means of communication that is analogous to face to face – where you can speak openly and honestly. That is why we created Cyber Dust.”

Similar technology is being developed for emails. For example, The Atlantic recently wrote about Pluto Mail, which includes features that allow the sender to set an email to expire after a set time. After that, the recipient can no longer view the email.

As Cuban notes, emails and texts create a digital record that can last forever. When your employees (or others, like consultants or vendors) send emails and text messages that contain your proprietary information, there is a risk of disclosure. As more companies use bring-your-own-device policies, those companies lose even more control of information sent via text and email.

I’ve been thinking of how to use this technology to minimize unwanted disclosure. For example, a company could require that all work-related text messages be sent via Cyber Dust. Emails are a bit more complicated, since there is often a need to preserve emails for later use. But a company could require that all emails containing proprietary information, or attaching certain proprietary documents, be sent with a scheduled expiration date.

In the end,  these policies would only be effective if there’s a way to monitor compliance. Otherwise, it’s not worth the effort. Also, these policies likely would not deter someone who is sending the information with malicious intent, such as an employee who knows he will be leaving to work for a competitor. UPDATE: In fact, such a person could use this technology to cover his tracks.

But it’s worth exploring how to use new technology like Cyber Dust to help bolster efforts to protect proprietary information.

In Defense of the Defend Trade Secrets Act

May 21, 2014 By in General, Trade secrets, Trade Secrets In the News Tags: , , , , , , , , , , , 6 Comments

In my last post, I discussed the recently proposed, bipartisan Defend Trade Secrets Act that would create a federal cause of action for trade-secret misappropriation. I wrote favorably about the statute’s mechanism allowing a judge to enter an ex parte order to preserve evidence. Since then, I’ve discussed this provision with several people who have concerns about it. This post responds to these criticisms.

To start, I want to explain why this provision is so important. Trade-secret theft is overwhelmingly accomplished by electronic means, such as through email, downloading to portable media, or via remote access to IT systems. Companies suspecting trade-secret theft can often determine where and how the information was stolen. For example, forensic techniques can identify that certain documents were saved to a flash drive on a specific date.

The Defend Trade Secrets Act permits the company, armed with this information, to seek an order requiring seizure or preservation of the media/computer/etc to which the information was downloaded. As a result, critical evidence that could otherwise easily be destroyed would be preserved. Without a statutory provision specifically authorizing this remedy, most litigants find it very difficult to convince a judge to enter this type of order.

I’ve heard concerns about the risk that judges will improvidently grant ex parte seizure orders brought in bad faith by unscrupulous litigants, potentially causing significant unjustified damage to defendants. This risk, while real, is present any time a judge hears an ex parte motion for temporary restraining order. The overwhelming majority of judges are reluctant to enter an ex parte injunction unless absolutely necessary. And this statute contains requirements that make it materially more difficult to get a seizure order as compared to a TRO.

In particular, the Defend Trade Secrets Act borrows from the Trademark Act’s procedure for seizing goods containing counterfeit trademarks. These requirements go beyond the typical TRO prerequisites. For example, the movant must show evidence that the item to be seized will be in a certain location. The court must also take measures to protect the defendant from publicity regarding the seizure. Further, the order directing seizure remains sealed until the defendant has an opportunity to contest it at a hearing that must occur within 15 days of entering the ex parte order. And as a final example, the statute provides for damages, including punitive damages, if the defendant is damaged by the wrongful entry of a seizure order.

These protections go a long way to minimize the likelihood that orders are improperly entered. In the end, the benefit of avoiding destruction of evidence—which happens all too frequently—outweighs the risk of unwarranted orders, particularly given the statute’s protections.

Thoughts About the Defend Trade Secrets Act

May 8, 2014 By in Trade secrets Tags: , , , , , , 3 Comments

Last week, Senators Hatch and Coons introduced bipartisan legislation, called the Defend Trade Secrets Act, that would create a federal private right of action for trade-secrets theft. This act adds to the Economic Espionage Act, which was passed in 1996 and made trade-secret theft a crime. Copies of the Defend Trade Secrets Act and the Economic Espionage Act are linked below.

While I’m still thinking through some of these issues, my first reaction to this law is a strongly positive one. Companies would benefit from having a national standard for trade-secret misappropriation. Today, while most states have adopted the Uniform Trade Secret Act (UTSA), there are state-by-state variations in the statutory text and interpretation. Also, this law would allow companies to litigate in federal court, where cases often proceed more quickly than in state court.

The act also acknowledges the e-discovery issues that frequently arise in trade-secret litigation by allowing for the ex parte entry of an order to preserve evidence, specifically allowing an order compelling “a copy of an electronic storage medium that contains the trade secret.” Today, it can be difficult to obtain such an order, with plaintiffs forced to resort to conventional injunction proceedings in front of state-court judges, who may not be as familiar with e-discovery issues.

The Defend Trade Secrets Act has a five-year statute of limitations, as opposed to the three years in the UTSA. Given that misappropriation is commonly done through surreptitious means, five years is more reasonable.

This proposed law is not perfect—for example, I would like to see a broader definition of “improper means” instead of just adopting the UTSA’s definition—but overall, this law would be a step forward for companies trying to protect their trade secrets. Hopefully, this bipartisan effort will have more success than other recent attempts to create a federal civil action for trade-secrets misappropriation.

Economic Espionage Act

Defend Trade Secrets Act

Trade-Secrets Interview: Pamela Passman of CREATe.org (Part 2)

March 19, 2014 By in Trade secrets Tags: , , , , , , Leave a comment

Last week, I published part 1 of my interview with Pamela Passman, CEO of CREATE.org regarding its recent trade-secrets report. Here’s part 2:

PamelaPassman CREATe org sm (3)Protecting Trade Secrets: You have done an excellent job setting forth a framework for companies to protect their trade secrets. But I have two issues with your approach. First, I am concerned that this process will result in the creation of documents that, if produced in litigation, will undermine misappropriation claims. This concern can be mitigated if an attorney is involved in creating and maintaining these documents, keeping them as attorney work product.

Pamela Passman: For most companies, lawyers will be involved in implementing the framework we propose and actively engaged in developing the documentation.  However, for many companies in emerging markets, there are small legal teams inside companies and outside lawyers are not generally engaged other than for disputes.  That should not limit a company’s focus on prioritizing, documenting and securing trade secrets, as in most cases, the ability to demonstrate that you have secured your trade secrets is critical to seeking redress if they are misappropriated.

PTS: Second, your approach may be difficult for small and midsize businesses, who have limited resources and in-house capabilities, to implement. 

PP: For many small and mid-size companies, trade secrets are at the core of their value and ability to compete and innovate. While many can’t implement a full comprehensive program, they should consider scaling the recommended steps in a way that is appropriate to the company.  For example, at CREATe.org, we are working with private equity firms that want to ensure that their portfolio companies are aware of leading practices and have the ability to implement business processes to protect IP and prevent corruption. Although the firms are small in size, they scale accordingly by prioritizing areas for improvement.

PTS: Turning to the report’s views of the future, you talk about “the emergence of walled gardens or the creation of IT networks that are separated from the wider Internet.” Can you elaborate more on what the “walled gardens” will look like? How would this differ from company intranets and smartphone apps that exist today?

PP: The walled garden scenarios stemmed out of recent moves that could point towards countries (or sectors or groups of entities) segmenting internet traffic. For example:

  • German telecom giant Deutsche Telekom, in which the government still owns a minority share, has publicly discussed the potential for German companies to place some information and activities on a separate, national internet system. Deutsche Telekom’s proposal is unlikely to be adopted at this point and would require major regulatory, technical and policy changes in Germany and the European Union. However, its announcement confirms that some of the world’s most advanced countries and companies are thinking about walled gardens as an option going forward.
  • Brazil’s government is also considering how it might segment or wall off parts of its internet traffic and emails. Sao Paolo is reacting to the recent US Government contractor who claims that US intelligence agencies were snooping on a large target set.

PTS: Finally, what are your next steps now that the report has been issued?

PP: There is tremendous interest in the topic of trade secret protection. As you know, several months ago the European Commission published draft rules to thwart the theft of trade secrets. This initiative, along with companies facing increased threats, have prompted invitations for CREATe.org to present our report findings to business organizations around the world.  We will be in France,  Germany and China in March, and Mexico in April meeting with companies and business organizations interested in comprehensive ways to advance IP protection, and in particular, mitigating trade secret theft. We are also presenting at conferences and via webinars in the U.S. and elsewhere.

Additionally, CREATe.org continues to work with companies around the world to help them put systems in place to better protect IP, and to work with their supply chain and other business partners. We do this with our three-step service, CREATe Leading Practices for IP Protection, which offers an assessment, benchmarking and tools and resources designed to improve systems for IP protection. It is currently available in English, Brazilian Portuguese, Chinese and Spanish.

Protecting Trade Secrets Blog Quoted in the New York Times

March 18, 2014 By in Trade secrets, Trade Secrets In the News Tags: , , , , , , Leave a comment

The New York Times has been covering the dispute between David Einhorn’s Greenlight Capital and an anonymous blogger who published Greenlight’s confidential investment strategy. I wrote about the case here. The New York Times published an article about the case that includes a quote from my blog post:

“Laws prohibiting trade-secret misappropriation by definition restrict speech,” Eric W. Ostroff, a commercial litigation and trade secret lawyer with Meland Russin & Budwick, wrote on his blog. “Allowing someone to hide behind an online pseudonym could render these laws ineffective.”

As the article notes, this is a very interesting case that highlights the competing interests between the First Amendment and trade-secret misappropriation laws. In a world where everyone has access to social media and blogging resources that allow for the free, easy, and widespread dissemination of information, trade-secret-misappropriation laws need to restrict people from anonymously disclosing trade secrets.

Trade-Secrets Interview: Pamela Passman of CREATe.org

March 10, 2014 By in Trade secrets, Trade Secrets In the News, Trade-Secrets Interview Tags: , , , , , , , , , , , 1 Comment

Protecting Trade Secrets is launching a new regular feature, where we will interview people of interest in the trade-secrets world. Starting with Pamela Passman, President and CEO of CREATe.org. “The Center for Responsible Enterprise And Trade (CREATe.org) is a non-profit organization dedicated to helping companies and their suppliers and business partners reduce corruption and IP theft in the forms of counterfeiting, piracy and trade secret theft.”

Recently, I published a blog post discussing a new trade-secrets report published by CREATe.org. I asked Ms. Passman questions about CREATe.org and the report. I’ll be running the interview in two parts. Check back later this week for part 2.

PamelaPassman CREATe org sm (3)Protecting Trade Secrets: Let’s start with some background on CREATe.org. When was it created? By whom? Why? What are its primary activities?

Pamela Passman: While at Microsoft, as Corporate Vice President and Deputy General Counsel for Global Corporate and Regulatory Affairs, I led  regulatory compliance work on a range of issues in more than 100 countries. For nearly six years I also headed Legal and Corporate Affairs in Asia, based in Tokyo, with a focus on Japan, Korea and the People’s Republic of China.

My collective experience—in compliance, corporate leadership, public policy and emerging markets—led me to consider a new approach to two critical issues for companies around the world: intellectual property (IP) protection and anti-corruption.

The genesis for the idea of CREATe.org was based in recognizing that companies such as Microsoft, GE, P&G and many others have spent years developing robust management systems and best practices to appropriately manage and use IP and to prevent corruption. Equally important, was a belief that the private sector can play a powerful role in driving responsible business practices and bridging regulatory gaps where adequate laws do not exist or enforcement is weak.

From these perspectives, CREATe.org was founded in October 2011. As a non-profit organization, CREATe.org works across industries and geographies with a mission to bring leading practices in IP protection and anti-corruption to all companies. The organization works to provide cost-effective and practical assessments, benchmarking, tools and step-by-step guidance for companies, particularly those that lack a track record of developing and implementing compliance programs.

PTS: Does CREATe.org have any policy objectives (e.g., lobbying for legislation, regulations)?

PP: CREATe.org is focused on ways the private sector can more effectively address the issues of IP protection and anti-corruption. We do this by helping companies around the world improve practices and put systems in place to mitigate the risks of IP theft and corruption. CREATe.org is not a lobbying organization.

PTS: What precipitated the “Economic Impact of Trade Secret Theft” report?

PP: In the organization’s first two years, our team gathered insights from companies around the world, gave countless presentations and partnered with think tanks, academics and experts on IP protection and anti-corruption. The challenge of trade-secret theft was a topic that surfaced throughout these exchanges. Companies are finding it increasingly difficult to protect trade secrets, both within companies and among third-parties.

PTS: Let’s turn to some of the details of the report. Your framework to safeguard trade secrets involves bringing key stakeholders into the process. Often, senior executives can be reluctant to participate in such a process. Any suggestions for building enthusiasm among senior executives?

PP: Most senior executives appreciate that trade secrets are key to the company’s value, ability to innovate and compete. For many, the question is where to start? Our intent was to break down a comprehensive approach into steps and provide tools for making the process practical. Providing a clear path and the benefits of safeguarding trade secrets can be helpful for building support internally.

PTS: Similarly, your report acknowledges that protecting trade secrets can require actions that may cut against other company priorities, such as maximizing productivity. For example, increased security measures may result in it taking longer for employees to access documents they need to perform their jobs. Any suggestions for building a corporate culture that values protecting trade secrets on par with other financial priorities?

PP: Each company must determine the correct level of actions appropriate for their corporate culture and then invest in training and awareness campaigns to help educate employees on the importance of protecting company trade secrets. In our work in Asia, for example, we see companies with increasing focus on building awareness within their employee base and key third parties – including  IP protection campaigns that use a variety of media to promote good practices, from posters in the company cafeteria to e-learning and screen savers for desktop computers.

_______________________________

Later this week, Ms. Passman responds to my two critiques of the report and discusses CREATe.org’s next steps.

CREATe.org/PwC Report Makes the Case for Investing in Trade-Secret Protections

February 27, 2014 By in Noncompete, Trade secrets, Trade Secrets In the News Tags: , , , , , , , , , , 2 Comments

“Historically, . . . [trade secret protections] have been viewed as a cost, not an investment.” CREATe.org and PwC recently released a report titled “Economic Impact of Trade Secret Theft: A framework for companies to safeguard trade secrets and mitigate potential threats.” If you read this blog, you should read the report.

Next week, I will be interviewing for this blog one of CREATe.org’s principals responsible for the report. (CREATe.org is a non-profit “dedicated to helping companies and their suppliers and business partners reduce counterfeiting, piracy, trade secret theft and corruption.”)

The report seeks to change the mentality described in the above quote. It starts by estimating the cost of trade-secret theft, and concludes (based on a review of various proxies for trade-secret theft) that economic losses based on trade-secret theft amount to between 1 and 3 percent of GDP. Hopefully, numbers like this draw greater attention to the real risks companies face.

It next outlines of categories of “threat actors” — those who seek to steal trade secrets. These include nation states, malicious insiders (including current and former employees, third-party consultants, and suppliers), competitors, transnational organized crime, and hacktivists (who try to use corporate information for political or social purposes).

Regarding employees, the report notes that “cultural and technological factors may heighten the insider threat in coming years . . . The nature of U.S. employees’ loyalties to their employers is changing because of the much higher rate of lifetime job changes.” The report also identifies “bring your own device” policies as an increased risk.

The report presents a framework for companies to identify and evaluate their trade secrets, audit their current protections, and make value-based improvements to these protections based on measuring ROI. This approach involves key stakeholders, educates them about the risks of trade-secret theft, and helps make the business case for protections.

While I have some issues with the framework (which, if handled improperly, could create documents that may undermine litigation efforts, and would likely need to be altered for many small mid-sized businesses), it provides a comprehensive, incredibly useful starting point and roadmap.

Next week, I’ll examine the report in greater depth when I interview CREATe.org.

Small Business Data Theft: Risks and Solutions

February 13, 2014 By in Advice, Trade secrets, Trade Secrets In the News Tags: , , , , , , , 2 Comments

Data theft is a hot topic now, with the recent high-profile thefts at Target and others. This issue has consequences for companies trying to protect trade secrets. For example, if a company is not taking measures to protect against data theft, a court could easily conclude that the company has not reasonably protected its proprietary information, and thus is not entitled to trade-secret protection under the Uniform Trade Secret Act.

Two recent articles in Entepreneur address this problem head on. In “Why Your Small Business Is At Risk of a Hack Attack,” Heesun Wee explains the risks facing small businesses:

Last year, 31 percent of all attacks were aimed at companies with less than 250 employees, according to Symantec’s 2013 Internet Security Threat Report.

But many small businesses do not appreciate this risk:

Smaller ventures are particularly vulnerable because cybercriminals know they likely spend less to protect their digital information and infrastructure. Cheaper security measures also tend to be static, meaning those systems don’t evolve to keep up with criminals’ newest tricks. . . . Roughly 77 percent of small firms believe their company is safe from a cyberattack–even though 83 percent of those firms do not have a written security policy in place, according to the National Cyber Security Alliance and Symantec.

Small businesses need to do more to protect their sensitive data and proprietary information. In “Preventing Another Target Attack,” Eric Basu offers some suggestions for retailers that apply with equal force to many small businesses.

First, you should use network-monitoring software:

There are next generation software solutions that effectively visualize network traffic, break down machine-to-machine connections by service protocols and allow filtering by machine, service or even internet destination. For example, a North American-based retailer using a payment processing partner from the same continent should not see outbound connections from a POS terminal to places like Russia, China or Brazil.  If they do, the connection should be dropped and the security administrator should be notified of the machine initiating the connection.

Second, improve application-level security:

Keeping [software applications] up to date with the latest versions and patches as well as performing penetration tests on both internal- and external-facing interfaces would have gone a long way to preventing the lateral movements the Target attackers were able to pull off in a short amount of time. Companies that develop in-house applications should also ensure they are designed securely from the get go, performing both static and active secure code reviews at every minor release. Furthermore, only authorized white-listed applications should be allowed to run and properly identified.

Many small business do not have the know-how or resources to deal with this issue in-house. In that case, perhaps the most important step you can take is to speak with an IT expert to obtain customized recommendations for protecting your business’ sensitive information. Combining up-to-date IT solutions with proactive legal protections gives you the best chance of avoiding a problem in the first place. And it gives you the best chance to mitigate the damage if a breach occurs.

%d bloggers like this: