Header graphic for print
Trading Secrets A Law Blog on Trade Secrets, Non-Competes, and Computer Fraud

Employee Data Theft and Corporate Hacking Studies Point to Need for Additional Federal Trade Secrets Legislation

Posted in Computer Fraud and Abuse Act, Data Theft, Espionage, Legislation, Trade Secrets

By Robert Milligan and Jessica Mendelson

Today is the deadline for public comments requested by the Obama Adminstration on any proposed changes to federal law to combat trade secret theft. 

Some legal commentators have proposed several suggested changes to improve America’s trade secrets laws, including creating a federal civil cause of action for trade secrets misappropriation and clarifying that the Economic Espionage Act applies to defendants who provide trade secrets to a foreign corporation or entity. In addition, others are considering proposing clarifying that the Computer Fraud and Abuse Act applies to employee data theft, enhancing the penalties for violations of the Economic Espionage Act, and providing U.S. Customs with greater clarity concerning its ability to seize products containing misappropriated trade secrets. 

In addition, the American Bar Association Intellectual Property Section supported a resolution creating a federal civil action for trade secret misappropriation laying out five guiding principles that any future legislation should observe. Others believe that additional legislation may stifle innovation, privacy, and individual rights, or that the existing legal framework is sufficient or further legislation unnecessary.

I have included my personal submission to the Obama Adminstration on proposed trade secret legislation.    

Two recent studies concerning employee data theft and corporate hacking highlight the growing problem and potential need for further legislation to protect valuable proprietary assets from theft and cyber attack. 

Symantec recently released a rather depressing survey on employee attitudes toward confidential information, finding that half of employees surveyed who had left jobs within the past year retained confidential information from their former employers.  The survey, conducted by the Ponemon Institute, was designed to look at intellectual property theft in the workplace.  The survey participants numbered over 3,000, and included individuals from the United States, France, Brazil, Korea, China, and Great Britain.  More than half of these employees admit to emailing business documents from workplace to personal emails, and 41% of respondents admitted to doing it on a weekly basis.  Furthermore, more than a third of these employees use file sharing applications without their employer’s permission, and generally fail to delete the documents included in the files after their use.

While many security initiatives focus on threats by cyber criminals and hackers, often trusted employees can be a significant threat to a company’s intellectual property.  “Companies cannot just focus on external attackers and malicious insiders stealing data for financial gain,” said Lawrence Bruhmuller, Vice-President of Engineering and Product Management at Symantec. As Robert Hamilton, Director of Product Marketing at Symantec, puts it, “employees are the less obvious player, but they can be frenemy #1.”  According to the results of the survey, over half of the surveyed employees who had left jobs in the past year retained confidential information and 40% planned to us this confidential information in their new jobs.  Perhaps more disturbing, 62% believed there was nothing wrong with transferring corporate data to their personal devices or cloud file-sharing applications, and 42% thought that there was nothing wrong with reusing another company’s source code for another company.  Furthermore, a third of employees believe that there is nothing wrong with retaining confidential information, so long as the employee doesn’t profit economically.  The majority of these employees rationalized their actions by saying that retaining this confidential information was not harmful to the company.

The survey results suggest “employees are not aware that they are putting themselves and their employers at risk” by sharing confidential information.  Furthermore, the study suggests employees don’t believe using confidential information from a previous employer to be a crime, and instead, consider the owner of the intellectual property to be the person who created the IP.

The results of this study highlight the importance for employers of having coherent policies in place to protect company intellectual property.  “The time to protect your IP is before it walks out the door,” Bruhmuller said.  Bruhmuller encouraged employers to educate their employees to ensure employee awareness of IP theft, and to establish clear policies regarding confidential information and intellectual property.  Employers should also use caution in conducting screening interviews to ensure new employees are not bringing intellectual property from a former employer to their new company.  68% of employees surveyed said that their companies were not taking steps to ensure employees were not using confidential information from competitors, a figure that needs to change if employers wish to prevent costly lawsuits.

Next, a second study by Symantec revealed a 42% surge during 2012 in targeted hacking attacks compared to the prior year. According to the report, targeted cyberespionage attacks, designed to steal intellectual property,  are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31% of these attacks. 

“This year’s ISTR shows that cybercriminals aren’t slowing down, and they continue to devise new ways to steal information from organizations of all sizes,” said Stephen Trilling, Chief Technology Officer of Symantec. “The sophistication of attacks coupled with today’s IT complexities, such as virtualization, mobility and cloud, require organizations to remain proactive and use ‘defense in depth’ security measures to stay ahead of attacks.”

According to the study, small businesses are now the target of 31% of all attacks, a threefold increase from 2011. Cybercriminals are reportedly enticed by these organizations’ bank account information, customer data and intellectual property.

The study also revealed that manufacturing has moved to the top of the list of industries targeted for attacks in 2012. The study attributes the increase in attacks to cybercriminals targeting the supply chain  and contractors and subcontractors who are susceptible to attack and often in possession of valuable intellectual property. According to the study, the most commonly targeted victims of these types of attacks across all industries were knowledge workers (27%) with access to intellectual property as well as those in sales (24%).

Additionally, the Obama Administration’s Strategy on Mitigating the Theft of U.S. Trade Secrets stated:  

Emerging trends indicate that the pace of economic espionage and trade secret theft against U.S. corporations is accelerating. There appears to be multiple vectors of attack for persons and governments seeking to steal trade secrets. Foreign competitors of U.S. corporations, some with ties to foreign governments, have increased their efforts to steal trade secret information through the recruitment of current or former employees. Additionally, there are indications that U.S. companies, law firms, academia, and financial institutions are experiencing cyber intrusion activity against electronic repositories containing trade secret information. Trade secret theft threatens American businesses, undermines national security, and places the security of the U.S. economy in jeopardy. These acts also diminish U.S. export prospects around the globe and put American jobs at risk.

Whether additional federal trade secrets legislation is passed to protect U.S. companies from attack and enhance national security, companies can protect themselves from trade secret theft by employing effective trade secret protections now. Employers should ensure that company information is properly classified and protected and that non-disclosure agreements are specific about what can and cannot be disclosed, as well providing clear employee responsibilities for safeguarding confidential information.  Employers should also foster a culture of confidentiality so that employees genuinely understand the importance and their self-interest in maintaining the confidentiality of company information. Exit interviews should include a mention of the continued duty to protect confidential information and return company property or devices.  Furthermore, employers should consider implementing or updating their data protection policies and computer access policies to ensure intellectual property is not being taken or used inappropriately and employers must enforce their policies. Lastly, companies should employ respected cybersecurity specialists to protect their systems from attack.