Hacked? Compromised Employee Data May Trigger Duty for Employer to Notify Affected Employees

Hackers are getting creative. As they gather information about potential targets for identify theft and other cybercrimes, they increasingly target companies’ human resources departments. Employee records often contain troves of sensitive personal information sought by such criminals – from original employee applications with social security numbers and driver’s license numbers, bank draft forms with bank account information, W2 forms and other tax documents, and even health insurance and medical information. And when employee data is compromised, employers may be responsible for notifying them.

Duty to Notify. Louisiana law generally requires notification to Louisiana residents when their computerized personal information is acquired and accessed without authorization. Yet notification is not required if it is determined that, “after a reasonable investigation,” there “is no reasonable likelihood of harm” to Louisiana residents. If notification is required, the “owner” or “licensee” of the compromised data – such as an employer with hacked HR records – must notify affected Louisiana residents – including affected employees- “in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach.” (If the breach is discovered by a third party – such as outsourced service provider, cloud vendor, or other data processor – it must notify the data owner, which in turn must notify affected individuals.) Within 10 days of notifying Louisiana residents, the law also requires separate notice to the Louisiana Attorney General; failure to timely notify the Attorney General may result in fines of up to $5,000 per day.

Securing Personal Information. Louisiana law also generally requires businesses to protect Louisiana residents’ digital personal information. Businesses must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And when disposing of computerized data that includes Louisiana residents’ personal information, businesses must “take all reasonable steps to destroy or arrange for the destruction of the records … by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” Failure to implement, maintain, and follow such requirements is deemed an unfair act or practice.

The Take Away. Thorough preparation is the best way to quickly contain a data breach. Employees with access to records containing personal information should participate in a semi-annual review of the company’s incident response plan. And because HR records often contain digital personal information of employees, employers should ensure that their HR professionals are familiar with the company’s security procedures and practices, too. Employers should also take care that they are properly disposing of digital HR records in accordance with their document destruction policies and the law.

For more on Louisiana’s Breach Notification Law, see Micah Fincher and Jessica Engler, One Year Later: Louisiana’s Database Security Breach Notification Law 2.0, Louisiana Bar Journal, Vol. 67, No. 2 (August/ September 2019).

Louisiana Supreme Court Allows Employer-Friendly Decision in Non-Compete Case to Stand

Drafting an enforceable (and meaningful) non-compete provision in an employment agreement can be difficult. Many states, like Louisiana, recognize that non-compete provisions in employment agreements raise a serious public policy concern. In Louisiana, this public policy is set forth in La. Rev. Stat. 23:921. It requires non-compete provisions to set forth specific parishes or municipalities in which competition is restricted and limits their duration to two years.

Generally, courts strictly construe non-compete provisions and will often strike provisions that may otherwise comply with the statute. But the Louisiana Supreme Court recently allowed a decision to stand from the Louisiana Fourth Circuit Court of Appeal that took a more flexible approach. In Causin, L.L.C. v. Pace Safety Consultants, LLC, 2018-0706 (La. App. 4 Cir. 01/30/18), the employee tried to invalidate his non-compete obligation by arguing that the following language related to the non-compete’s geographic scope was overbroad:

“Employee recognizes that from time to time, the Company’s business may expand to other parishes within Louisiana and/or other counties or municipalities in other states and Employee agrees that Company may amend Exhibit ‘A’ and append it to this agreement with the same force and effect as the original Exhibit ‘A.’ Company will provide Employee with any and all amendments. Employee and the Employer acknowledge and agree that the Company does business in all of the parishes contained in Exhibit ‘A.’ Employee agrees that if the Company provides him with an amendment to Exhibit ‘A’ that it will represent as fact that the Company does business in all of the geographical areas identified in such an exhibit unless the Employee provides the Company with written notice disputing that fact within seven days of his receipt of the amendment.”

The court could have reasoned that restricting an employee’s right to work in yet-to-be identified parishes violates that plain language of La. Rev. Stat. 23:921. But the court ultimately held that the naming of the parishes and counties where the employer does business, together with an avenue for the employee to contest any expansion, operated to satisfy the statutory requirements.

This employer-friendly decision gives employers guidance, and some leeway, when drafting non-competes that seek to provide protections as the company grows.

AT&T Sues Consulting Firm for Trade Secret Theft and Breach of Contract

AT&T Services, Inc. and its subsidiary, DirectTV, LLC (collectively, “AT&T”) sued Max Retrans, LLC (“Max Retrans”), a consulting company that works with local broadcasting companies to sell their content to Pay-TV service providers for re-broadcast.

Background. Local broadcasting companies—like the local affiliates of ABC, FOX, CBS, and NBC—are licensed by the FCC to broadcast their television signals over the air for free. In order for Pay-TV service providers—like AT&T, Cox, Comcast, etc.—to re-broadcast the signals of local broadcasting companies as part of their package, they need express consent in the form of a retransmission consent agreement (“RCA”).

Recently, there has been an increase in the amount of Pay-TV service providers, which local broadcasting companies have used to leverage higher prices for their RCAs. The increased competition has also created a cottage industry for consultants to negotiate higher RCA fees for several local broadcasting companies at the same time. As a result, AT&T requires all third-party consultants involved in negotiations to enter into Non-Disclosure Agreements (“NDAs”) that prohibit the consultants from sharing confidential rates and other RCA terms with their other clients.

The Lawsuit. The heavily-redacted Complaint filed in Missouri federal court last week alleges that the Max Retrans executed an NDA with AT&T as a consultant for a local broadcasting company negotiating a new RCA. Under the NDA, AT&T alleges Max Retrans was given restricted access to AT&T’s confidential pricing information and trade secrets. AT&T claims that Max Retrans misappropriated its trade secrets when consulting past clients and that Max Retrans has used and will continue to use these trade secrets when consulting other clients negotiating with AT&T.

What to Watch For. AT&T Services, Inc. et al. v. Max Retrans LLC, No. 4:19-cv-01925, in the U.S. District Court for the Eastern District of Missouri, presents some interesting trade secret issues that are worth monitoring. We will track the progress of this case and keep you informed.

Supreme Court Expands Confidentiality Protections for Private Companies

In Food Marketing Institute v. Argus Leader Media, the U.S. Supreme Court held that government agencies can withhold a private company’s records from public disclosure under Exemption 4 of the Freedom of Information Act (“FOIA”) if the company has treated the information as confidential and also received promises from the government agency to maintain the information’s confidentiality.

The Dispute. The case began with a simple FOIA request sent by a local newspaper in South Dakota to the United States Department of Agriculture (“USDA”). The newspaper wanted to know the names, addresses, and annual sales data for every retail store participating in the Supplemental Nutrition Assistance Program. The USDA released the names and addresses of all participating stores but withheld the annual sales data under FOIA’s Exemption 4, which protects  from disclosure “trade secrets and commercial or financial information obtained from a person and privileged or confidential.” The South Dakota newspaper was not satisfied with the USDA’s FOIA response and filed suit to compel disclosure of each participating store’s annual sales data.

The Decision. Previously, lower federal courts had created a hurdle for FOIA’s Exemption to apply. A private company would need to show that disclosure of information through a FOIA request would cause “substantial competitive harm.” Both the trial and appellate courts followed this line of cases. They ruled that the USDA must disclose the annual sales data for participating stores. The Supreme Court, however, refused to impose the additional judge-made burden of proving “substantial competitive harm.” Instead, it relied solely on the words of the statute. It found that Exemption 4 protects confidential, commercial, or financial information, and that the ordinary meaning of “confidential” is anything kept private or secret. The Supreme Court concluded that a private company’s information will remain “confidential” and protected from disclosure under Exemption 4, so long as the private company customarily and actually treats the information as private and has received assurance from the government that it will maintain the information’s confidentiality.

The Take Away. The Supreme Court’s ruling adds significant protections for private companies. Companies must be sure to clearly designate information as confidential as well as receive assurances from the government before disclosing it. If the private company does these two simple things, its confidential information is not at risk of being disclosed through a FOIA request.

Patent Application Not Fatal To Trade Secret Claims, Federal Court Rules

A federal court in New Orleans recently allowed a trade secret claim to proceed to trial, even though the alleged trade secrets were later disclosed in a patent application. Cajun Servs. Unlimited, LLC v. Benton Energy Serv. Co., No. 17-0491 (R. Doc. 241).

The Dispute.  The lawsuit concerns Cajun’s patented elevator roller insert system (ERIS), which is a technology used in drilling for oil. Before filing its patent application, Cajun agreed to rent ERIS to Benton Energy. During the course of their relationship, and without Cajun knowing, Benton Energy hired a third party to reverse engineer ERIS, using Cajun’s drawings and prototypes. Sometime later, Cajun filed its patent application for ERIS and then filed the lawsuit once it learned what Benton Energy was up to. Initially, Cajun brought claims for trade secret theft and unfair trade practices, but later added a patent infringement claim once the ERIS patent was granted while the lawsuit was pending.

The Decision. Benton Energy filed a summary judgment motion on Cajun’s trade secret claims. Among other points, Benton Energy argued that trade secret claims failed as a matter of law because Cajun publicly disclosed the ERIS technology through its patent application. That is, the information could not be a trade secret because it was no longer a “secret.” But the court disagreed. It noted that “publication of the ‘862 Patent application does not deprive Plaintiffs of a cause of action for misappropriation of trade secrets before the patent application was published.” In other words, the subsequent patent application did not absolve Benton Energy from liability for any misappropriation that occurred before the patent application.

The Take Away. Timing is key in a trade secret dispute. It’s a general rule of thumb that a company loses its trade secret protection by filing a patent application that publicly discloses the “secret.” But, according to this opinion, a company does not forfeit trade secret claims that predate the patent application.

Do You Need Hard Proof of Data Theft To Bring Trade Secret Claims? Maybe Not

The large majority of employment based trade secret claims start with an employer uncovering evidence that its employee or former employee improperly downloaded confidential business information. But a recent case in Boston illustrates that such evidence may not be necessary to bring a trade secret or unfair competition claim.

The Dispute. In Amgen USA Inc. v. Karyopharm Therapeutics Inc., Karyopharm hired away several of its competitor’s, Amgen, sales managers in 2018.  Presumably this would have been ok, but Amgen claimed that those sales managers then used confidential information to later hire away 14 of Amgen’s top sales reps, who all resigned on the same day. Amgen filed suit against Karyopharm alleging misappropriation of trade secrets, but there was no allegation that any of the departing employees stole proprietary documents before leaving Amgen.

Karyopharm filed a motion to dismiss the lawsuit arguing that none of the Amgen former employees had non-compete agreements and were free to work for Karyopharm.  At the hearing the Judge pressed both sides on their arguments. He asked Amgen’s lawyer, “Don’t you wish you had a covenant not to compete?” But he also noted that, without discovery, it would be hard for Amgen to know whether its former sales managers used confidential information to target its most successful sales reps.

Take Away. Ultimately, the court didn’t decide the motion at the hearing, but the relevant facts, arguments made, and the court’s response to those arguments do provide some important take-a-ways:

1.  You should always consider protecting your company’s most important assets (its employees) with enforceable non-compete agreements.

2.  You may still have a trade secret claim or unfair competition claim even if you don’t have evidence of physical documents or data being stolen.

3.  If a competitor files a trade secret claim without hard evidence of theft, it is worth filing an early motion to dismiss because, at the very least, you will educate the court on the weaknesses of the claim, which could be helpful in limiting discovery.

Fifth Circuit Rules Louisiana Trade Secret Claim Does Not Preempt Claim For Conversion Of Confidential Info

The Louisiana Supreme Court has not addressed whether a claim under the Louisiana Uniform Trade Secrets Act (LUTSA) precludes a claim for conversion of confidential information. But the U.S. Fifth Circuit recently did in  Brad Services, LLC v. Irex Corporation, No. 17-30660 (October 17, 2018), finding that these conversion claims are not preempted.

Factual Background. Brad Services is an industrial scaffolding company who sued its director competitor Irex after it hired one of Brand Services’ former employees. Brand Services alleged that prior to leaving, its former employee misappropriated Brand Services’ trade secrets and confidential information and transferred that information to Irex. Brand Services asserted that Irex violated LUTSA by knowingly accepting its trade secrets and was also liable under the tort theory of conversion.

Trial Court Decision. Irex filed a motion for summary judgment, arguing that the LUTSA preempted Brand Services’ claim for conversion of confidential information.  The trial court agreed. It ruled that LUTSA preempts claims for conversion of trade secrets as well as claims confidential information.

On Appeal. The Fifth Circuit first recognized that the Louisiana Supreme Court had not addressed this issue and that it, therefore, must determine how Louisiana’s high court would rule if the issue was before that court. The court then turned to the relevant language of LUTSA, which provides that it “displaces conflicting tort, restitutionary, and other laws of [Louisiana] pertaining to civil liability for misappropriation of a trade secret.” The court noted that LUTSA does not affect “civil liability or relief that is not based upon the misappropriation of a trade secret.” Based on the statute’s plain language, the acknowledged that LUTSA preempts claims for conversion of “trade secrets,” but ruled the statute has no effect on a claim for conversion of confidential information. The court reasoned that trade secrets and confidential information are separate and distinct concepts, with LUTSA only protecting the former, more valuable trade secrets, and thus reversed the trial court and reinstated Brand Services’ claim for conversion of confidential information.

The Take Away. Unless the Louisiana Supreme Court rules otherwise, federal courts within the Fifth Circuit will allow claims for conversion of confidential information to proceed along with LUTSA claims. The ruling gives companies seeking to protect trade secrets and confidential information backup recovery to protect stolen confidential information that may not rise to the level of a trade secret. Moving forward, companies should bring both claims when appropriate.

US Fifth Circuit Affirms Judgment on CFAA Violation

The U.S. Fifth Circuit recently affirmed a trial court’s verdict that a former bank officer violated the Computer Fraud and Abuse Act (CFAA) when he mass deleted thousand of files from his work computer shortly before departing. IberiaBank v. Broussard, Case No. 17-30662 (5th Cir. 10/25/2018).

Background.  In early 2013, IberiaBank announced a merger with a smaller regional bank, Teche Federal Bank of New Iberia. Several months later, after the merger was complete, IberiaBank discovered that a former senior Teche bank officer deleted thousands of computer files in the lead-up to the merger. At the time, the bank officer was pursuing employment with an IberiaBank competitor for himself and several other bankers whom he supervised, a scheme that IberiaBank later pieced together with the help of forensics on the bankers’ computers.

Trial Court Decision. IberiaBank brought suit against the bank officer, claiming that he violated the CFAA by unlawfully deleting data from Teche and IberiaBank servers and bringing state law claims based on fiduciary duty breaches and trade secret theft. On the CFAA claim, the trial court found that the bank officer violated the CFAA because he lacked authority to delete files from the bank’s network drives and caused damages that exceeded the CFAA-threshold of $5,000.

Fifth Circuit Decision. The Fifth Circuit affirmed the trial court’s decision, applying Section 1030(a)(5)(A) of CFAA that, according to the Fifth Circuit,  “prohibits intentionally damaging a computer system when there was no permission to engage in that particular act of damage.” The Fifth Circuit held that a mass deletion of data can legally qualify as “damaging a computer system” and emphasized that the question of authorization is a factual one, best left for the trial court to decide. Because there was sufficient evidence to support the trial court’s decision and the law was correctly applied, the Fifth Circuit left the trial court’s decision intact.

Jones Walker, LLP represented IberiaBank at trial and on appeal. 

Federal Courts in Louisiana Recognize Trend in Trade Secret Cases

Lawsuits alleging trade secret theft raise challenging discovery concerns, as they almost always arise in the context of an employee leaving to work for a direct competitor. Courts have struggled to balance a trade secret plaintiff’s right to obtain discovery with a competitor’s interest in protecting its own confidential business information.

This balancing is particularly difficult when trade secret plaintiffs allege that broad, non-descriptive categories of information — sometimes seemingly every piece of information a former employee was provided — have been taken. It becomes even more problematic when trade secret plaintiffs do not allege specific acts of misappropriation, but instead rely on the mere fact that a former employee left to compete and therefore will inevitably disclose information.

Two recent decisions from federal courts in Louisiana—Kalencom Corp. v. Shulman, No. 17-5453 (E.D. La. Apr. 17, 2018)  and J.J. Plank Co., LLC v. Bowman, No. 18-00789 (W.D. La. July 23, 2018)—recognized and followed an emerging discovery trend in these types of trade secret cases.

Kalencom v. Shulman. The Eastern District of Louisiana recognized a trend in federal jurisprudence requiring trade secret plaintiffs to identify “with reasonably particularity” the information that forms the basis of a misappropriation claim before allowing discovery into a competitor’s business dealings. The plaintiff, for instance, was ordered to produce “a list identifying the allegedly misappropriated confidential and proprietary information and trade secrets with reasonable particularity and for each item of allegedly misappropriated confidential and proprietary information, describing the basis for its expectation of confidentiality as to that specific piece of information.” That is, meaningful discovery could not proceed until the plaintiff undertook this step.

J.J. Plank Co. v. Bowman. The Western District of Louisiana cited the decision in Kalencom and likewise looked favorably on the trend requiring “pre-discovery identification” of trade secrets. But it cautioned that a fact-intensive inquiry must be undertaken: “[t]he balance of authorities seem to favor the former set of policy considerations [favoring pre-discovery identification of trade secrets]. Thus, requiring pre-discovery identification seems to be the predominate trend. But while a strong consensus may be growing, a mandate has not arisen. This area of litigation is complex, contentious, and fact-intensive. Therefore, a mandate may long elude us. And perhaps it should.”

Take Away. Compelling pre-discovery identification of trade secrets with reasonable particularity is an important step for trade secret defendants to take early in litigation. As this discovery trend continues, trade secret defendants should also consider seeking dismissal of lawsuits that vaguely allege the existence of trade secrets and acts of actual misappropriation. Though courts have yet to squarely adopt a heightened pleading standard for trade secret claims, an argument can be made that trade secret plaintiffs cannot plausibly allege the existence of a trade secret without reasonably identifying it, and there is no reason to delay such identification if discovery cannot proceed without doing so.

LexBlog