Trade Secret Theft Accounts For 1-3% of US GDP—Trade Secret Audits A Must

By PJ Kee on Posted in Data Protection, Trade Secret, Trade Secret Audit

PricewaterhouseCoopers LLP (PwC) andCapture the Center for Responsible Enterprise and Trade (CREATe.org) collaborated to access the economic impact of trade secret theft. Their recently published Report estimates that trade secret theft accounts for nearly 1-3% of the US GDP. This impact highlights that companies should focus on tightening internal safeguards to protect trade secrets information. The Report offers a helpful framework for doing so, as well as highlights the significant value that trade secret audits can offer.

The first steps in a trade secret audit will assist with identifying what are the company’s trade secrets and  where those secrets are vulnerable. These are the fundamental questions—and ones that the Report underscore.

A company strategy to mitigate losses from trade secret theft, the Report advises, must first identify and inventory the company’s trade secrets:

Our collective experiences indicate that many companies fail to effectively manage their trade secret portfolios for multiple reasons, including a lack of consensus on what assets actually constitute the portfolio. … To best protect those trade secrets whose theft would cause the most harm, companies should first document, locate and inventory their trade secrets. This first step gathers key stakeholders—senior executives, business unit leaders, corporate functional leaders—to inventory the trade secrets maintained by the company.

Next, companies must locate the risks and vulnerability, both within and outside the company. The first step is to determine who are the “threat actors”:

Operating in today’s global marketplace exposes companies to unique and varied threat actors. As such, management must understand the scope of the company’s operating environment (e.g., office locations, sales/marketplace footprint, supply chain, product/ service mix, key personnel, and growth strategies) in context of the potential threat actors seeking to engage in illicit activity to adversely impact the company. Assessing the risk posed by individual threat actors within this construct, the probability that they will attempt to steal a company’s trade secrets, and the severity of such an event, is critical to determining which trade secrets merit the highest level of protection and enables management to implement more effective protective measures.

The second step is to access how these threat actors can potentially compromise trade secrets:

[C]ompanies must proactively identify potential internal vulnerabilities in their policies, procedures and controls, as well as their reliance on suppliers and other business partners, and take steps to mitigate any exposure resulting from these weaknesses. These vulnerabilities can range from a lack of training on information security to employees using software without routinely checking for updates, to a highly valuable trade secret stored on an unsecured server with broad access within the company, to a lack of awareness among employees of where trade secrets are kept.

A trade secret audit with experienced counsel will help companies navigate through this process. It will also help them determine the best individualized way to respond to the vulnerabilities they face. As the Report insists, developing a trade secret strategy and ensuring that those secrets are protected should be viewed as an up-front investment, rather than a cost. Especially given the increasing and costly rise of trade secret theft.

Texas Court Dissolves Injunction Vaguely Defining “Confidential Information”

By PJ Kee on Posted in Confidential Information, Data Protection, Injunction

gavelAn employer in Texas did nearly everything right to protect its stolen trade secrets—except adequately specify what the injunction restrained the employee from doing.  The opinion in Lasser v. Amistco Separation Products Inc., No. 01-13-00690 (Tex. App.—Houston Feb. 6, 2014), highlights the need for clearly defining restraints in any injunctive relief sought.

Amistco Separation Products, Inc., entered into an asset purchase agreement with Robert Lasser’s former employer ACS Industries, LP.  One asset was Lasser’s non-compete agreement. Within a year-and-a-half, Lasser resigned from Amistco to work for a “sideline” competitor. Amistco conducted a forensic examination of Lasser’s company laptop shortly after he resigned and discovered that Lasser had downloaded Amistco’s confidential information. Amistco also discovered that Lasser’s new employer was opening a new division that would compete directly with Amistco’s products.  Amistco filed suit in the Texas District Court for Harris County, requesting an injunction to order the return of its trade secrets and confidential information and to restrain Lasser from disclosing/using its information and from soliciting Amistco’s customers.  The district court granted Amistco’s request, and the restraints read, in pertinent part:

  • Lasser is ordered to return to Amistco, and to cease and desist from using, any of Amistco’s confidential information and trade secrets; and
  • Lasser is restrained from directly or indirectly disclosing, copying or otherwise reproducing, or giving access to any of Amistco’s confidential information and trade secrets.

On appeal, Lasser complained that it’s impossible “to determine from the injunction what documents or information constitutes [Amistco’s] confidential information and has instead been forced to guess what items if any the Court is seeking to be returned and not disclosed.”  The Court of Appeal agreed. It reasoned that, “[b]y failing to identify, define, explain or otherwise describe what constitute [Amistco’s] confidential information and trade secrets, the order compels Lasser to ‘make inferences or conclusions about which person might well differ’ regarding what particular information or item in his possession constituted ‘confidential information’ subject to the injunction.” The Court of Appeal ultimately held that those provisions were void and dissolved the injunction.

This opinion hits an important point that can sometimes get lost in a fast-paced trade-secret/non-compete litigation. After undertaking the laborious work of investigating and then prosecuting employee theft/non-compete claims, employers and their counsel must ensure that any proposed injunction signed by the judge sufficiently defines the sought-after restraints. Doing so not only protects against appellate attacks but also—and just as an importantly—will form the basis for any contempt-of-court finding if the employee violates the injunction’s restraints. You don’t want to give a “free pass” to an employee who violates what appears to be a valid injunction.

FDA Spy Games: Employee Monitoring Requires Legal Advice

By PJ Kee on Posted in Confidential Information, Employee Monitoring, Trade Secret

FDAThe Office of Inspector General and a joint staff for two ranking Republican lawmakers recently issued critical reports on the FDA’s 2010-2011 employee monitoring for trade-secret leaks (see OIG and Joint Staff). They criticize the FDA for essentially “spying” on its employees without first assessing whether the computer monitoring may violate federal wiretapping laws and whistleblower protections. Coming at a time when the FDA is embroiled in litigation concerning this surveillance, these reports highlight how employers can avoid liability when trying to uncover suspected trade-secret or confidential-data theft.

The FDA’s employee monitoring was a response to several news articles that referenced specific confidential data when reporting on disputes between FDA scientists and managers about medical-device approvals (e.g., NYT 1/12/09 and NYT 3/28/10). After receiving complaints from companies whose secrets and data may have been disclosed, the FDA began real-time monitoring of employees’ computer activities to determine the potential leak. The FDA used two forensic monitoring tools. “EnCase” captured retrospective images of the employees’ computer hard-drives and attached external drives, while “SpectorSoft” captured real-time screenshots—every few seconds—of the employees’ computers and keystrokes. Immediately before and during the monitoring, the FDA also used a notice banner that appeared when an employee logged onto a network computer. It prompted the employee to click “OK” to continue, and read, in part:

 USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING, OR CAPTURING AND DISCLOSURE. THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM.

The FDA’s monitoring captured nearly everything these employees had done and were doing on and through their FDA computers: including images of non-FDA thumb-drives plugged into the computers; passwords to personal email accounts; attorney-client communications; and communications with Congress. The FDA ultimately relied on what the monitoring uncovered to take employment actions against several employees suspected of leaking the confidential data. Continue Reading

LexBlog