“Just Doin Blow and Erasing Evidence”

As the Defend Trade Secrets Act—which would create a federal cause of action for trade-secrets theft—makes its way through Congress, critics have focused on the proposed statute’s ex parte seizure provision. In a nutshell, the statute would allow for the entry of ex parte orders to seize specifically identified repositories of evidence that are at risk of destruction.

I’ve responded to these criticisms multiple times before (see here, here, and here). The statutory protections (e.g., the party subject to the order is entitled to a hearing within 7 days) combined with federal judges’ reluctance to issue ex parte orders are, in my view, sufficient to prevent abuse.

Meanwhile, the threat of evidence destruction is real. A recent case shows how far defendants can go to allegedly destroy evidence of trade-secrets theft.

As described in Law360, a radio-controlled-vehicle company sued several former employees for violating restrictive covenants and misappropriating trade secrets, among other claims. The plaintiff filed a motion seeking sanctions against the defendants for destroying evidence.

According to the plaintiff, the defendants destroyed “scores of emails, texts, and documents that described their scheme to start at least one rival toy car and boat business.”

One of the defendants—who sounds like a real winner—apparently sent a text message talking about how he expected to get served with the complaint, saying “That’s what I’m trying to deal with now so I can’t go out, just doin blow and erasing evidence.”

In misappropriation cases, the evidence is almost always in electronic form. And it’s way too easy for defendants to destroy this evidence. While a plaintiff could seek sanctions (as the plaintiff here is seeking against the guy “doin blow”), a plaintiff would almost always rather have the actual smoking gun proving misappropriation.

The ex parte seizure provision is a powerful tool that may allow companies to preserve critical evidence.

What’s Worse Than Having Trade Secrets Stolen? Waiting Too Long to Do Something About It.

If you discover that your trade secrets have been stolen, you must act immediately. That’s the lesson from a recent case in the Middle District of Florida, Dyncorp International LLC v. AAR Airlift Group, Inc. A copy of the order can be downloaded below.

The Plaintiff, Dyncorp, has been providing aviation services to the State Department under a contract going back more than 20 years. Apparently, the State Department is now re-bidding that contract. The Defendant, AAR, is one of the bidders. Dyncorp alleges that AAR hired former Dyncorp employees and “coerced” those employees into disclosing Dyncorp’s trade secrets, which AAR used in its bid.

Dyncorp filed suit for, among other things, violating the Florida Uniform Trade Secrets Act. About three weeks later, Dyncorp filed a motion for preliminary injunction that sought to enjoin AAR from using Dyncorp’s trade secrets.

The district court denied the motion, finding that Dyncorp did not satisfy any of the injunction prerequisites. Of particular note, the court found that Dyncorp’s delay in filing suit showed that it had not suffered irreparable injury:

Dyncorp admits that it was notified of AAR’s alleged misappropriation of trade secrets in April 2015 but let more than four months pass without filing suit. Dyncorp attempts to explain the delay away by arguing that it complained to the State Department and AAR and conducted its own investigation during this time, but offers no explanation as to why those undertakings and this suit could not proceed simultaneously – particularly if, as Dyncorp asserts, it was facing the prospect of irreparable injury.

This case shows that once you discover—or even suspect—that your trade secrets are being improperly used, you must act fast. Any delay can be cited by a defendant as a reason for denying injunctive relief, just as AAR did here. While not every case will demand the immediate filing of a lawsuit, you need to at least consult with an attorney right away. Then, your attorney can advise you of your various legal options, and the risks and benefits of each.

Dyncorp v. AAR — Order Denying Preliminary Injunction

Can Periscope Broadcast Your Trade Secrets to the World?

Periscope is an app that allows users to broadcast live video using their smart phone. This technology has the power to transform the delivery of media and information. Essentially, every person can now effortlessly create live video content, whether it’s sharing a family event with those who can’t attend or witnessing a newsworthy event.

I keep hearing more and more about Periscope. For example, I’ve seen media members use it to share press conferences or behind-the-scenes info. At first blush, this may seem irrelevant to your company’s trade secrets. But that may not be the case.

Right now, through Periscope and similar apps, every one of your employees can instantaneously broadcast live video to the world. It’s much easier to share exactly what’s going on, in real time, at your company.

This raises multiple levels of concern. To start, employees may inadvertently transmit proprietary information. For example, an employee could be sharing a broadcast from work intended for his friends and family, while other employees discuss proprietary information within earshot. Even though there was no intent, this information was still shared outside the company.

Even worse, Periscope is a powerful tool in the hands of someone with malicious intent. There has long been a risk that malicious actors can easily capture video. But now, that video can be shared live. For example, an employee could surreptitiously broadcast a company meeting. Or live video of a proprietary process or system.

Periscope is another example of how rapidly evolving technology is constantly creating new risks to your trade secrets. Your trade-secrets policy needs periodic review to make sure it addresses new technology. Depending on the nature of your business, it may make sense to ban live broadcasts completely. Most importantly, you should discuss these issues with an attorney who can help you decide what protections are appropriate for your business.

 

 

The DOJ Announced Another Trade-Secrets Prosecution. What Does That Mean For Your Company?

There has been a lot of news coverage of the DOJ’s charges against Chinese professors for trade-secrets theft and violations of the Economic Espionage Act. Stories like this have become more common, as the DOJ has increased its focus on prosecuting trade-secrets theft. Often, these cases involve defendants with connections to foreign governments, and China in particular. As these cases have become more prevalent, the federal government has dedicated more resources to combating them.

Unfortunately, this will have little effect on most companies that fall victim to trade-secrets theft. The DOJ appears to have little interest in prosecuting run-of-the-mill trade-secrets theft, even though there may have been violations of a federal statute like the Economic Espionage Act. The DOJ simply does not have the resources to deal with the huge number of these cases. Thus, the vast majority of trade-secret misappropriation cases will be handled through civil lawsuits.

So what should you do if you believe your company has been the victim of trade-secrets theft? The answer is simple: you need to consult with an attorney specializing in this area of the law as soon as possible. Time is of the essence, and even a delay of a day or two could cause serious problems. Your attorney can advise you of your options. If your case is a good candidate for federal prosecution, your attorney should let you know. More likely, your options will involve civil remedies. Either way, you will need to make important decisions very quickly.

2-Minute Jimmy Kimmel Clip Shows Our Cybersecurity Culture Crisis

This video speaks volumes about our country’s attitudes towards cybersecurity:

Last week, I wrote about the importance of creating a culture that makes protection of trade secrets a top-line priority. This video shows why this culture is so important. Your employees need to be constantly aware of surreptitious attempts to get passwords. Spear phishing attacks are becoming more and more sophisticated; your employees need to be immediately suspicious of any attempt to get personal information, particularly passwords.

In the real world, bad actors are far more subtle than a Jimmy Kimmel reporter with a microphone and a video camera. The fact that people are willing to turn over their passwords on TV shows—particularly now, when cybersecurity issues have never been more visible—is depressing. Make sure your employees know better.

Trade Secrets Best Practices: Exit Interviews

This is the next in a series of posts addressing best practices for protecting trade secrets and proprietary information. Today’s topic: exit interviews, which can be a powerful tool to avoid, or at least anticipate, unwanted disclosure.

An exit interview is exactly what it sounds like. When an employee is leaving your company, you have someone meet with him to discuss various aspects of his departure. There are several goals: remind the employee of his legal obligations; make sure he has returned all company information, documents, and devices; and gather intelligence about his next job to determine the risk of unwanted disclosure.

The key is to have a set process that is automatically followed each time an employee leaves. Depending on the size and structure of your company, a single person or department should be responsible for conducting the interviews. That person should work from a checklist that includes all topics that must be discussed. To develop this process, consult with an attorney who specializes in trade-secrets issues who can help customize it to fit your company’s needs.

The checklist should include, at a minimum, the following:

Review of restrictive covenants and related agreements: Give the employee copies of any agreements he signed and remind him of specific noncompete, nonsolicitation, nondisclosure, and related obligations.

Review of non-contractual legal obligations: Remind the employee of his ongoing legal obligations to, for example, keep certain information confidential. The applicable laws vary state-by-state, so make sure to consult with an attorney familiar with your state’s laws.

Review inventory of all company devices: Hopefully, you are keeping an inventory of all company devices issued to the employee. Go through this inventory and make sure he has returned all of these devices.

Company information and documents: Ask whether the employee has any hard-copy documents or electronically stored information on his personal computer, devices, and storage medium. If he does, give a set date for him to return or destroy the documents/information.

Sign acknowledgment: Have the employee sign an acknowledgment form that confirms he is aware of his legal obligations, has returned all company devices, and returned or destroyed all company documents/information.

Gather information: Ask the employee where he will be working next, and in what capacity. Also make sure you have the employee’s updated contact information.

Additionally, prior to the interview, you should work with your IT department to see if the departing employee recently accessed or used trade-secret information, particularly in an out-of-the-ordinary manner. If so, consult with an attorney, since it may be advisable to address this issue with the employee during the exit interview.

Often, this process will allow you to handicap the risk that the departing employee will illegally use your trade secrets and proprietary information. For example, be wary of an employee who refuses to tell you where he will be working next. Or an employee who refuses to attend the exit interview. In cases where you suspect something is amiss, consult with an attorney right away, since time is of the essence in these cases.

Again, there is no one-size-fits-all approach to exit interviews. Speak with with an attorney to develop the process that best fits your company’s needs.

Data Breaches Increase Seven-Fold In One Year

According to a report by California’s attorney general, 18.5 million Californians were victims of cyber intrusions or data breaches in 2013. Remarkably, this was up from 2.5 million in 2012, a seven-fold increase. (Note that two major data breaches at Target and LivingSocial account for much of the increase.) A copy of the report is linked below, and this article summarizes the report.

The study breaks down the cause of the various breaches, with 53% caused by cyber incursions (e.g., hacking and malware), 26% arising from physical loss or theft, and the remainder coming from unintentional errors or deliberate misuse.

This report is yet another sign that the threat of data loss continues to increase dramatically. While the report focuses on breaches affecting consumer information, it has broader application to companies seeking to protect their proprietary information. Measures necessary to enhance data security and protect trade secrets overlap. Network security is at the heart of these efforts, and companies need to be willing to invest significant resources to keep their networks safe.

But network security is not the only area of concern. This report shows that the loss or theft of computers and other storage media presents another significant risk. For companies seeking to protect their trade secrets, this problem presents on various fronts. For example, companies need to make sure that company-issued computers, smartphones, and media have sufficient protections in case they are lost or stolen. Also, and more problematic, companies need to understand how their employees are using company documents and information on their personal devices. Similarly, companies need to keep tabs on how third parties, like vendors and consultants, are protecting shared proprietary documents.

I have frequently written about the need for companies to implement a trade-secrets policy. This policy would address these issues. For example, it could require that all proprietary documents are encrypted. And it could make sure that these documents are disseminated narrowly, to those employees who need them to do their jobs. For those companies that fail to implement and enforce necessary restrictions, the loss of proprietary information may be inevitable.

2014 California Data Breach Report

Recycled Passwords Can Trash Your Trade Secrets

Recently, a hacker posted a number of usernames and passwords for Dropbox. Considering how many companies are now using Dropbox and other cloud-based providers to share documents, this is obviously a problem. But it does not appear that Dropbox itself was hacked. Instead, as noted by this Slate article, the hacker likely targeted smaller sites with weaker security:

The most likely source of the information is a third-party site that had poor security. Hackers know that most internet users re-use their passwords, so they often target smaller apps made by amateur developers. These easy targets have poor security — so usernames, passwords or files may be stored in a way that’s easy for hackers to steal them.

In other words, most people use the same passwords across multiple sites. Including your employees. This is a BIG problem. Forgive the cliché, but password protection is only as good as the weakest link in the chain. You can spend millions of dollars protecting your network and proprietary information. But if another site where your employees have accounts is hacked, and your employees use the exact same passwords there as they use for your network, your network and information is at risk.

I cannot overstate the importance of making sure that your employees don’t use the same password for your system that they use for other sites. You need to make employees aware of this rule, and strictly enforce it. One option is to create passwords for your employees instead of allowing them to create their own. And change the passwords routinely. Also, as biometric technology develops and becomes more affordable, it presents another option.

There’s a reason we all use the same passwords across multiple sites: it makes life easier. But you need to ensure that your employees don’t allow their convenience to threaten your company.

Are Your Smartphone Apps Leaking Your Trade Secrets?

As the online world shifts increasingly to mobile devices, new and unexpected threats to your company’s proprietary information emerge. Many apps on your smartphone contain in-app internet browsers. For example, when you open the twitter app, you can click on links within tweets, which you will then view in twitter’s in-app browser.

This blog post by web developer Craig Hockenberry shows that in-app browsers on iPhones and iPads have a serious security flaw: the app can record your keystrokes. Thus, any sensitive information entered in the in-app browser can be recorded by the app. So, for example, if one of your employees uses an in-app browser to send an email containing your proprietary information, that information could be at risk.

Hockenberry has a simple recommendation for avoiding this problem:

You should never enter any private information while you’re using an app that’s not Safari. An in-app browser is a great tool for quickly viewing web content, especially for things like links in Twitterrific’s timeline. But if you should always open a link in Safari if you have any concern that your information might be collected. Safari is the only app on iOS that comes with Apple’s guarantee of security.

Problems like this are hard to predict, since technology is changing so rapidly. The best way to avoid unexpected security risks is to implement a trade-secrets policy that restricts the manner in which your proprietary information can be circulated.

Will the “Internet of Things” Be A Nightmare for Trade Secrets?

I’ve been on a bit of a hiatus from posting over the past couple of weeks, during which I had a bench trial on a trade-secrets injunction. Since that case is still pending, I’m not going to write about it just yet.

Today, let’s look at the so-called “internet of things” — the increasing number of household, business, and other objects that are now internet enabled. I love being able to access things like my home alarm and thermostat remotely via my iPhone. And there’s no question that the “internet of things” will be growing exponentially in the near future. But does this present a threat to trade secrets and proprietary information?

A recent blog post by Michael Jordon shows the risks. He exposed security weaknesses in internet-enabled printers by getting a Cannon Pixma wireless printer to run the classic video game “Doom.”

The post contains a lot of technical details. But most importantly, his exercise shows that internet-enabled printers lag far behind traditional network devices when it comes to security. This is critical: if someone can hack into your company’s printers, they could have access to all of the documents that were printed.

Jordon’s organization recommends avoiding the internet of things entirely:

Context recommends that you do not put your wireless printers on the Internet, or any other ‘Internet of Things’ device.  To defend against the CRSF [cross-site request forgery] attack, well don’t follow any dodgy links is the best advice I can come up with.  Context is not aware of anyone in the wild actively using this type of attack, but hopefully we can increase the security of these types of devices before the bad guys start to. Finally, make sure that you always apply the latest available firmware to your devices. This is often not an automatic process and may require checking on the manufacturer’s website for updates.

As time goes on, it will be very difficult, if not impossible, to avoid using the “internet of things” in a business context. When you do connect devices to the internet, assume that they have security vulnerabilities. Thus, before connecting the device to the internet, you need to work with your IT department/consultants to make sure that it has adequate security features.

 

%d