2011 Trade Secrets Webinar Series - Year in Review

Posted on December 20, 2011 by Robert Milligan

Throughout 2011, Seyfarth Shaw LLP’s dedicated Trade Secrets, Computer Fraud & Non-Competes practice group hosted a series of CLE webinars that addressed significant issues facing clients today in this important and ever changing area of law. The series consisted of six webinars: Trade Secrets in the Financial Services Industry, The Anatomy of a Trade Secret Audit, Georgia’s New Non-Compete Statute, Managing and Protecting Trade Secrets in the Brave New World of Cloud Computing and Social Media, Choosing the Right IP Protection: Patent, Trade Secret or Both?, and Key Considerations Concerning Trade Secrets and Non-Competes in Business Transactions. As a conclusion to this well-received 2011 webinar series, we have compiled a list of key takeaway points for each of the webinars, which are listed below. For those clients who missed any of the programs in this year’s webinar series, the webinars are available on compact disc upon request and CLE credit is available as discussed below. We are also pleased to announce that Seyfarth Shaw LLP will continue its trade secrets webinar programming in 2012 and has several exciting topics lined up.

Trade Secrets in the Financial Services Industry

The first webinar of the year, Trade Secrets in the Financial Services Industry, was led by Seyfarth attorneys Scott Humphrey and Scott Schaefers.   The financial services industry has unique concerns with respect to trade secret protection. This webinar had a particular focus on a financial institution’s relationship with its FINRA members and also covered practical steps that can be implemented to protect trade secrets and what to do if trade secrets are disclosed.

  • Enforcement of restrictive covenants and confidentiality obligations for FINRA and non-FINRA members are different. Although FINRA allows a former employer to initially file an injunction action before both the Court and FINRA, FINRA, not the Court, will ultimately decide whether to enter a permanent injunction and/or whether the former employer is entitled to damages as a result of the former employee’s illegal conduct.
     
  • Address restrictive covenant enforcement and trade secret protection before a crisis situation arises. An early understanding of the viability of your restrictive covenants and the steps that you have taken to ensure that your confidential information remains confidential will allow you to successfully and swiftly evaluate your legal options when an emergency arises.
     
  • Understand the Protocol for Broker Recruiting’s impact on your restrictive covenant and confidentially requirements. The Protocol significantly limits the use of restrictive covenants and allows departing brokers to take client and account information with them to their new firm.

The Anatomy of a Trade Secret Audit

The second webinar was led by Robert Milligan, Bob Niemann and David Monachino. This webinar dissected what is involved in an audit of your company’s trade secret protections, including, identifying trade secrets and secrecy protections and implementing effective secrecy protections and hiring and termination protocols. The webinar also discussed employing a comprehensive trade secret protection plan, as well as managing and working to protect computer-stored data, including responding to emergency issues related to computer fraud and security breaches.

  • The issues relating to all the aspects of trade secrets can be overwhelming to those that deal with it on rare occasions or in emergencies. Having effective checklists are helpful to marshal evidence, evaluate your claims, and be pro-active to pursue litigation and defend against claims.  Ask your Seyfarth Shaw attorney for sample checklists.
     
  • Use a forensic computer investigator to assess former employees’ computer activities, including use of email and USB devices to unlawfully transmit company data.  Ensure that you have strong computer usage restrictions that prohibit unauthorized and unpermitted computer activities on your computer network.
     
  • Mark your confidential documents confidential and treat them as such, including having company policies requiring that they not be removed from the workplace and that they be returned at time of termination. Also establish clear employee entrance and exit policies to ensure that trade secret information is adequately protected throughout the hiring and termination process.

Georgia’s New Non-Compete Statute

The third webinar of the year, led by Bob Stevens and Erika Birg with guest panelist Kevin Levitas, former member of the Georgia House of Representatives, focused on Georgia’s Revised Restrictive Covenant Act. The webinar addressed the fundamental paradigm shift toward enforcing restrictive covenant agreements in Georgia and addressed the underlying legislation, legislative history that led to the 180 degree change for enforcement of such agreements in Georgia and detailed the significant changes to the law.  

  • There has been a fundamental change in Georgia public policy toward enforcement of restrictive covenant agreements, including non-competes and non-solicits.
     
  • The Georgia Revised Restrictive Covenant Act addressing restrictive covenants permits courts for the first time to blue pencil or modify agreements entered into after May 10, 2011 to make overbroad agreements enforceable. The old Georgia law still applies to agreements entered into prior to January 1, 2011. Due to arguments over the constitutionality over Georgia’s Restrictive Covenant Act passed in late 2010, the law regarding agreements entered into between January 1, 2011 and May 10, 2011 is still uncertain.
     
  • Employers operating in Georgia should have their non-compete agreements evaluated by competent counsel to ensure that they comply with the new Act and provide employers with the greatest protections under Georgia law.  

Managing and Protecting Trade Secrets in the Brave New World of Cloud Computing and Social Media

2011’s fourth trade secrets webinar focused on cloud computing and social media and their impact on trade secret  status and protection efforts. Robert Milligan, Jason Stiehl and Jason Priebe led this highly attended webinar. This webinar discussed a technological overview of cloud computing and social media, “both sides of the coin” look at cloud computing adoption as a business decision, trade secrets and reasonable secrecy measures, key considerations in selecting a cloud provider from a security and trade secrets perspective, effective vendor and employment agreements and policies to protect trade secrets in the cloud, and effective social media policies to protect trade secrets.

  • When utilizing cloud computing, generally follow a three-step process: (1) ensure you understand and define your trade secrets internally through a trade secret audit before consider placing such information in the cloud; (2) create necessary barrier/security protocol to protect those secrets; and (3) develop comprehensive and cohesive social media and restrictive covenants/confidentiality policies to avoid disclosure.
     
  • Identifying and collecting information to fulfill an organization’s duty to preserve and/or discovery obligations can be tricky in cloud environments. While the information may belong to your company or organization, the underlying software structure belongs to a service provider, and the data may be scattered over multiple locations. It is a good idea to consider potential issues of data control, ownership, and jurisdiction when evaluating a software as a service (SAAS) cloud-based platform solution.
     
  • Carefully review the proposed service agreement with the cloud provider and ensure that provider agrees to keep data confidential and has reasonable security measures in place to protect your information; also consider avoiding contractual limitations on provider liability depending upon bargaining power.  If the secrets involved are “bet the company” type information, the cloud may not be the place to store it.

Choosing the Right IP Protection: Patent, Trade Secret or Both?

The fifth webinar, led by Brian Michaelis, Dan Schwartz and Jim McNairy, focused on choosing the best legal tool to protect particular types of intellectual property. The topics discussed in this webinar included a definition of a patent and what information is patentable, defining a trade secret and what information qualifies for trade secret protection, the pros and cons of patent vs. trade secret protection, which types of information/technology may be best protected through both trade secret and patent protection, the impact the new America Invent Act (Patent Reform Legislation) has on the decision to seek patent or trade secret protection.

  • There may be “tension” between patent protection and trade secrets; for instance, patents require public disclosure in return for a government granted monopoly whereas trade secret require that the information remain secret throughout its life. Once information is no longer secret or otherwise becomes available, trade secret protection will be lost.
     
  • The remedies available under patent laws and trade secret law differ significantly. A patent owner is always entitled to at least a “reasonable royalty” for any infringement. There is no statutory floor of damages such as a “reasonable royalty” for trade secret owners.
     
  • Recent changes to the patent laws provide trade secret owners with additional defenses to allegations of patent infringement where the trade secret owner has maintained as a trade secret a later patented method or system.

Key Considerations Concerning Trade Secrets and Non-Competes in Business Transactions

The final webinar of 2011 was led by Todd Hunt, Erik Weibust and Jim McNairy. This webinar included a discussion of which relationships other than employer/employee relationships require trade secret protections, the most significant risks to the trade secret status of your valuable confidential information under the Uniform Trade Secrets Act and best practices for protecting trade secrets in business transactions.

  • Broader non-competes are better tolerated in the sale of a business context, but care should be taken to carefully assess your specific facts and applicable law to help ensure that time, place, and subject matter restrictions, if any, are consistent with law in the jurisdiction(s) at issue. Pay special consideration to choice of law and choice of forum issues as they impact enforceability.
     
  • Adequately protecting trade secrets and goodwill in business presentations and transactions requires careful planning and forethought. The often large and frequent exchange of information in these contexts requires use of Non-Disclosure/Confidentiality Agreements.
     
  • All business relationships are potential threats to trade secret status and opportunities for misappropriation. Given this, it is imperative to identify any trade secrets at issue and proactively assess any aspects of the business relationship or transaction that may present risks of unintended or unauthorized disclosure or use of trade secrets, as well opportunities for bad actors to improperly acquire your trade secret information.

2012 Trade Secrets Webinar Series

Beginning in January 2012, we will begin another series of Trade Secret webinars. The first webinar of 2012, Latest Developments in the Computer Fraud and Abuse Act, Social Media and Privacy, will be held on January 26. To receive an invitation to this webinar or any of our future webinars, please sign up for our Trade Secrets, Computer Fraud & Non-Competes mailing list by clicking here.

For client attorneys licensed in Illinois, New York or California, who are interested in receiving CLE credit for viewing recorded versions of the 2011 webinars, please e-mail CLE@seyfarth.com to request a username and password.

If you have any questions, please contact the Seyfarth Shaw attorney with whom you work or any Trade Secrets, Computer Fraud & Non-Compete attorney on our website (www.seyfarth.com/tradesecrets). 

Tags: , , , , , , , , , , ,

Department of Justice Takes Pro-Employer Stance On Amendments To Computer Fraud And Abuse Act: Employers Should Continue To Be Able To Hold Employees Liable For Violations Of Computer Usage Policies Under The Act

Posted on November 22, 2011 by Robert Milligan

By Robert Milligan and Joshua Salinas

In connection with proposed Congressional amendments to the federal Computer Fraud and Abuse Act (CFAA), on November 15, 2011, Department of Justice Deputy Chief Richard W. Downing (Computer Crime and Intellectual Property Section) emphasized the importance of an expansive CFAA before the House Committee on the Judiciary and came out against attempts by critics of the CFAA to restrict employers' ability to use the CFAA against employees who steal company data in violation of company computer usage policies. The Department of Justice prepared a statement in advance of Mr. Downing's live testimony.

Mr. Downing addressed concerns that an expansive reading of “exceeds authorized access” under the CFAA might subject computer users to prosecution for merely violating a website’s terms of use. We have blogged about recent cases in which courts have applied an expansive view of the CFAA. In U.S. v. Nosal, the Ninth Circuit Court of Appeal held that an employee’s violations of an  employer’s computer use policies constituted “exceeding authorized access.” A California district court in Facebook v. MaxBounty applied Nosal’s holding and found that Facebook could sufficiently state a claim under the CFAA because the defendant advertising company had violated Facebook’s terms of service policies. Note, the Ninth Circuit Court of Appeal recently ordered that Nosal be heard before an en banc panel. 

Mr. Downing stressed that a restrictive reading of the CFAA would make it difficult or impossible to deter and address serious insider threats, including threats by rogue employees working for competitors to steal their employers' data. Technology has become so pervasive that nearly every employee is required to access database with large amounts of information. Mr. Downing highlighted the importance of protecting the nation’s economic security and not just national security. Indeed, businesses should have confidence that their confidential, proprietary, and/or trade secret information is protected.

Mr. Downing provided several examples in which a restrictive reading of “exceeds authorized access” would allow violators to escape any liability for their wrongdoings. For example, in 2006 a contract systems administrator for a medical services provider used his authorized computer access to download thousands of employee names and social security numbers. See United States v. Salum, 578 F. 3d 682 (7th Cir. 2009).   In 2008, nine employees of Vangent, Inc. used their authorized computer access to obtain and disclose loan records and confidential information regarding President Obama and other well known political figures, celebrities, and sports figures. A restrictive reading of the CFAA would not only hurt employers, but would also hurt the public and customers whose information is often the subject of data theft.

Mr. Downing highlighted that the use of employer agreements and internal computer usage policies are routinely used for prosecuting offenders in such cases. Mr. Downing reiterated the Department of Justice's growing concern that advancements in computer technology have increased the vulnerability of businesses which rely on trade secret, confidential, and/or proprietary information. In the age of Wikileaks, Facebook, Twitter, and rapidly evolving social media, employees are able to leak company information to the entire world in only a matter of minutes. Mr. Downing and the Department of Justice support the ability of companies to be proactive and clearly communicate the restrictions on computer usage to employees and hold them accountable in civil and criminal court for violations of such policies. Restricting the CFAA to only hackers (rather than insiders) through proposed amendments to the CFAA would provide employees a license to steal company data and weaken a company's defenses in protecting its data.

 

Tags: , , , ,

EX-EMPLOYEE VIOLATED DUTY OF LOYALTY, BREACHED NON-COMPETE, AND COMMITTED COMPUTER FRAUD ACT VIOLATION, BUT NEW EMPLOYER NOT LIABLE FOR MISAPPROPRIATION OF NON-TRADE SECRET "CONFIDENTIAL INFORMATION"

Posted on September 11, 2011 by Paul Freehling

A dental products supply company, DHPI, won partial summary judgment from a Wisconsin federal court against its ex-employee, Ringo, for competing with DHPI both while still an employee and soon after resigning. The most interesting issues in the opinion, however, concern application of the Computer Fraud and Abuse Act to Ringo’s copying of DHPI’s computer hard drive, and DHPI’s unsuccessful claim against Ringo’s new employer for “misappropriation of confidential information.” Additionally, Ringo’s Illinois Wage Payment Act counterclaim failed because DHPI is a Wisconsin corporation with its principal place of business in that state. Dental Health Products, Inc. v. Ringo, Case No. 08-C-1039 (E.D.Wis., Aug. 24, 2011).

Ringo began working for DHPI in 2002 as a salesman and became Illinois branch manager in 2005. He was subject to a confidentiality and 90-day post-employment non-compete agreement. In 2007, while still employed by DHPI, Ringo began making sales through his own dental equipment sales company. He resigned from DHPI the following year and immediately went to work for his wife’s competing company. Not surprisingly, the court held that Ringo breached his duty of loyalty to DHPI and his non-compete agreement.

Before leaving DHPI, Ringo made a copy of his employer’s computer’s hard drive. In response to DHPI’s Computer Fraud and Abuse Act claim, he protested that he had permission to access the computer at the time he copied the hard drive. Further, he emphasized that he had not damaged the computer system, that he knew most of the information or could have developed it with little difficulty, and that he never viewed the copy. The court held that Ringo’s authorization to access DHPI’s computer ended when he decided to copy the hard drive and quit. 

The CFAA has a $5,000 minimum damages provision. DHPI claimed as damages the $16,000 it paid to a computer forensic expert to determine the extent of Ringo’s unauthorized conduct. The court concluded that DHPI’s expenditure “was a reasonable reaction to the knowledge that one of its key salesmen had left the company in order to compete with it and had made a copy of a company hard drive before doing so.”

Ringo counterclaimed under the Illinois Wage Payment and Collection Act for wrongful withholding of earned commissions, failure to compensate him for unused vacation time, and refusal to reimburse him for health insurance premiums he paid while a DHPI manager. The court held, quoting a 1996 Northern District of Illinois decision, that the Act only applies “to a group of employers and employees, all of whom are in Illinois.” Since DHPI was a Wisconsin corporation with its headquarters there, it was not liable.

Lastly, the court rejected DHPI’s misappropriation claim. The company conceded that its customer lists and basic financial information did not constitute trade secrets but insisted that the information was confidential and deserving of protection. The court held that there is no statutory or common law basis for a misappropriation claim other than for trade secrets.

This case teaches that the CFAA prohibits an employee’s illicit access to a company computer and permits reimbursement of expenditures incurred by the employer to determine the extent of its injury. Further, “misappropriation of confidential information” which is not a trade secret is not actionable. The DHPI decision adds to the body of authority limiting the geographic scope of the Illinois Wage Act. Finally, the opinion reminds us that blatant violations of the duty of loyalty and of a reasonable non-compete provision may be summarily punished. 

Tags: , , , ,

Private Information Stored On Electronic Devices Subject To Search By Law Enforcement If Arrested In California

Posted on March 16, 2011 by Robert Milligan

By Robert Milligan and Joshua Salinas

Police officers are free to review private and confidential information stored on your cell phone if the search is incident to an arrest in California. The Supreme Court of California recently upheld the warrantless search of a cell phone text message folder in People v. Diaz, 51 Cal. 4th 84 (2011). The decision places no restraints on the type or amount of data police officers may access when searching an arrestee’s cell phone.

Defendant Gregory Diaz allegedly purchased Ecstasy from a police informant. Police officers arrested Diaz, seized his cell phone from his pocket, and transported him to the sheriff’s station. Ninety minutes later, a police officer searched Diaz’s cell phone text message folder and found an incriminating message. The officer showed Diaz the message and Diaz admitted to the alleged sale of Ecstasy. Diaz later argued that the search of his phone’s text messages folder constituted an unlawful warrantless search.

The Supreme Court of California found the cell phone search a valid search incident to lawful custodial arrest. The court compared the search to previous U.S. Supreme Court cases that allowed the search of a cigarette box (United States v. Robinson, 414 US 218 (1973) and clothing (United States v. Edwards, 415 US 800 (1974) found on the arrestee’s person. The court rejected the argument that a warrantless search of property turns on the character of the property. The court found that the seizure and search was valid because of the reduced expectation of privacy resulting from the arrest. The court rejected the argument that cell phones’ ability to store vast amounts of personal information warrants heightened privacy interests. The court also found that there was no legal basis for distinguishing the contents of an item found on the person from the item itself.

In the dissenting opinion, Justice Moreno criticized the majority’s decision stating it “goes much further, apparently allowing police carte blanche, with no showing of exigency, to rummage at leisure through the wealth of personal and business information that can be carried on a mobile phone or handheld computer merely because the device was taken from an arrestee’s person. The majority thus sanctions a highly intrusive and unjustified type of search, one meeting neither the warrant requirement nor the reasonableness requirement of the Fourth Amendment to the United States Constitution.”

What does this case mean for those who carry smart phones or other electronic devices that store confidential or private information?

1. Confidential and private information contained on electronic devices can be seized by law enforcement if you are arrested. Technological advancements have shrunk the size of storage devices and simultaneously increased their accessibility and storage capacity. iPhones, Blackberries, and other smart phones have become intertwined with business and personal information, including social networking. Diaz’s phone search involved text messages. However, this case arguably permits police officers to access confidential emails, documents, and voicemail messages that may contain private business or client information and personal information. Additionally, the character of the property seized is irrelevant. Thus, flash drives, digital cameras, and laptops found on the person may also be searched. 

2. Password protecting a device may not be enough. If a device requires a password for access, an arrestee may decide to refuse to provide police officers with his or her password. However, nothing prevents officers from seizing the device and using forensic software to copy and analyze the data and circumvent any password protection.

3. Diaz may be headed to the U.S. Supreme Court. Unlike Diaz, a 2009 Ohio Supreme Court case found a warrantless search of an arrestee’s cell phone unlawful. (State v. Smith, 920 N.E. 2d 949 (2009)). While the Court denied Smith cert., it may take up Diaz in light of the current state split and the scarce case law on cell phone searches.

4. Employers need to be cautious in determining what access to confidential and business information that they permit their employees to have in general, and specifically, through electronic storage devices, such as cell phones, laptops, thumb drives, etc., as sensitive data stored on such devices may be subject to search if the employee is later arrested.

Tags: , , , , , , ,

District Court Holds That Computer Forensic Investigation Costs Satisfy "Loss" Requirement of Computer Fraud and Abuse Act

Posted on February 9, 2011 by Robert Milligan

By Robert Milligan and Joshua Salinas

A Colorado federal district court recently held that the computer forensic investigator costs of investigating Computer Fraud and Abuse Act (CFAA) violations constitute “loss” under the statute. (AssociationVoice, Inc. v. AtHomeNet,Inc.,No. 10-cv-00109-CMA-MEH, 2011 WL 63508 (D.Colo 2011)). The court echoed the growing trend in circuit and district courts, which permit civil claims under the CFAA absent any damage or interruption of service. Consequently, this decision underscores the viability of asserting CFAA claims in cases involving data theft and the importance of utilizing qualified computer forensic investigators in such cases.  

The plaintiff and defendants in AssociationVoice offered competing web-based software applications for homeowners associations (HOA). The defendants allegedly acted as fictitious HOA customers in order to purchase the plaintiff’s software and access the plaintiff’s password-protected “site admin” areas. In order to access the web site, the defendants also allegedly entered into a Services Agreement, which prohibited the defendants from reverse engineering and copying the plaintiff’s source code or using the plaintiff’s confidential and proprietary information. 

The defendants allegedly copied, reverse engineered, and misappropriated information from the plaintiff’s password-protected site and allegedly added at least forty-four new features to the defendants’ own applications.

The plaintiff filed suit against the defendants, alleging, inter alia, violations of the CFAA, copyright infringement, trade secret misappropriation, and breach of the Services Agreement.

The plaintiff moved for two preliminary injunctions. The plaintiff sought to enjoin the defendants, per the Services Agreement, from providing the defendants’ customers with the allegedly copied, reverse engineered, and misappropriated features. Additionally, the plaintiff sought to enjoin the defendants, pursuant to the CFAA, from further accessing the password-protected “site admin” areas.

The court denied the Services Agreement injunction because the plaintiff did not make a “strong showing” of the four injunction factors to justify altering the status quo. However, the court granted the CFAA injunction.

The noteworthy aspect of this case is the court's analysis of the “likelihood of success” factor in granting the plaintiff’s CFAA injunction. 

In order to bring a civil claim under the CFAA, the plaintiff was required to prove that the violations resulted in the loss of at least $5,000 within a one-year period. (18 U.S.C. § 1030(g) and (c)(4)(A)(i)). The parties disputed whether the plaintiff’s hiring of a third-party computer forensic investigator to assist with its investigations constituted a “loss.” Additionally, the defendants argued that the plaintiff could not bring a claim because it suffered no interruption of service. 

The court recognized that the majority of courts find the costs of investigations and responses to security breaches constitute “loss,” regardless of whether service is interrupted. (See, e.g.,A.V. v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009);EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584 (1st Cir. 2001);SuccessFactors, Inc. v. Softscape, Inc., 544 F.Supp.2d 975, 980-81 (N.D.Cal. 2008); Res. Ctr. for Indep. Living v. Ability Res., Inc., 534 F.Supp.2d 1204, 2111 (D.Kan. 2008);Patrick Patterson Custom Homes, Inc. v. Bach, 586 F.Supp.2d 1026, 1036 (N.D.Ill 2008); NCMIC Fin. Corp. v. Artino, 638 F.Supp.2d 1042, 1064 (S.D. Iowa 2009)).

The court reasoned that the plain language of “loss” defined in § 1030(e)(11) distinguishes between the costs of responding to CFAA violations and the consequential damages from interruptions of service. In fact, the legislative history of the CFAA indicates that it the statute was designed to address situations in which damage never occurred. The court found this case almost identical to the California district court decision in SuccessFactors. In SuccessFactors, the court held that  when confidential information is obtained, it is necessary for the violated party to discover who has the confidential information, how they accessed it, and what the violators were doing with it. Thus, the defendants’ alleged access of the plaintiff’s protectable confidential information naturally incurred the costs of an investigation. Specifically, the court stated "[i]t, therefore, is not surprising that Plaintiff also had to go to great lengths to uncover Defendants’ identity, as well as to uncover the extent of their unauthorized access and the methods they used. Accordingly, Defendants should not be allowed to complain about the costs Plaintiff incurred in doing so."

While the court in AssociationVoice followed the growing majority, the Second Circuit and district courts in Florida, Virginia, Connecticut, and Louisiana still require an interruption of service in order to bring a claim under the CFAA. (See, e.g., Nexans Wires S.S. v. Sark-USA, Inc., 166 Fed.Appx. 559, 563 (2d Cir. 2006)).

What does this mean? The CFAA remains a viable option to combat data theft. Although some courts have narrowed the applicability of the CFAA, many courts, like the AssociationVoice court, recognize CFAA claims even where the defendants' actions do not result in any interruptions of service. Some courts have even extended the “costs to respond” to include investigations into ways to improve security. (See, e. g., JedsonEng’g, Inc., v Spirit Construction Services, Inc., (S.D. Ohio 2010). Accordingly, in order to satisfy the "loss" requirement under the CFAA, make sure that  qualified computer forensic investigators are utilized (in coordination with legal counsel) to respond to and assess the computer breach as soon as your company learns of the data theft.  

 

Tags: , , , ,

Recent Headlines Underscore Need for Protective Measures

Posted on July 10, 2008 by Kurt Kappes

A company's trade secrets may be some of its most important assets.  Recent headlines underscore their importance, and vulnerability:

  1. Recently, an employee was arrested at the airport and over 1,000 company proprietary documents containing trade secrets were seized that the employee was attempting to transport with her to her new job.
  2.  A national retailer recently was hit with a $21.5 million verdict after a jury found the retailer liable for stealing the design of a popular home improvement tool. 
  3. A former employee recently pleaded guilty in a U.S. District Court in California to stealing proprietary technologies from his former employer and selling or offering them for sale to foreign governments and military contractors.

A survey of companies estimated that in just one year, companies likely were to have lost as much as $53 to $59 billion dollars in proprietary information and intellectual property through theft and misappropriation.  Seeking trade secret counseling and an audit can assist clients to determine best practices to help protect their most important assets.

Tags: , , , , , , , ,

Missouri Woman Pleads Not Guilty to MySpace Harassment Charges

Posted on June 24, 2008 by Dawn Mertineit

A 49-year-old Missouri woman is being tried in Federal Court in Los Angeles for posing as a young boy and taunting a 13-year-old girl on the social networking site MySpace, leading the girl to hang herself. The woman was charged with conspiracy and violations of the Computer Fraud and Abuse Act (CFAA). This case is the first time the CFAA is being used in a social networking case.

Prosecutors say Lori Drew created a fake MySpace under the name of “Josh Evans” and initiated a fake friendship with Megan Meier. Drew later used the account to send cruel messages to Meier, culminating in an October 2006 message stating “the world would be a better place without you.” After receiving the message, Meier hanged herself and died the following day.

MySpace prohibits the use of fraudulent registration information, the use of accounts to obtain personal information about juvenile users, the use of the site to harass, abuse, or harm other users, and the promotion of false or misleading information.

Drew pleaded not guilty at trial. If found guilty, she could serve up to 5 years for the conspiracy count and up to five years for each of the three CFAA charges. Since the news of Drew’s alleged actions became public, she has been the victim of cyberbullying.

Tags:

He Said He Said, Not Enough to Prove Computer Fraud and Trade Secret Misappropriation

Posted on June 3, 2008 by LexBlog

By Scott Krol, New York

The United States Court of Appeals for the Fourth Circuit recently upheld summary judgment holding that a former employee did not violate the Virginia Computer Crimes Act (“VCCA”) when the former company could not prove that they were unaware of employees’ use of company funds. Further, the employee did not violate the Virginia Uniform Trade Secrets Act (“VUTSA”) when the company could not show any evidence that the employee in fact used any of the otherwise protected trade secrets for his benefit.

The parties to this case are closely linked. Jerry Nims is an entrepreneur who obtained patents on many technologies used in making identification cards more difficult to temper with or counterfeit. Nims started Orasee which owned many of these patents.

In 2003, Nims formed EC4 Technologies Limited (“EC4 UK”), a wholly owned subsidiary of Orasee, to license the technologies.

In 2005, Nims set up Othentec Ltd. (“Othentec UK”) as a subsidiary of EC4 UK.

Nims’s son-in-law, Jeffrey Phelan, was appointed Managing Director of both EC4 UK and Othentec UK, and later was put in charge of better distributing the company’s product in the United States.

On March 17, 2005, Phelan formed EC4 Technologies, Incorporated (“EC4 USA”) and became that company’s CEO. He began to market and distribute Orasee technologies in the U.S. pursuant to a sublicense agreement between the EC4 UK and EC4 USA. In November 2005, another executive formed Othentec Limited (“Othentec USA”) for the same purpose as EC4 USA, this time as wholly owned by Othentec UK.

By early 2006, after a considerable amount of friction developed between the parties, Phelan was discharged from his positions at the UK companies, but continued to do business as EC4 USA. This gave rise to the case at hand, essentially Nims’ companies claimed that Phelan abused his position of power and trust to form EC 4 USA fraudulently and proceeded to use Othentec UK’s money and trade secrets to run the U.S. business successfully. Phelan moved for and won summary judgment against Othentec UK on all issues except whether Phelan breached his fiduciary duty to Othentec UK.

The district court explained that there are three elements of committing a violation of the VCCA: “(1) using a computer or computer network (2) without authority (3) intending to obtain, embezzle, or convert the property of another.” Va. Code Ann, §18.2-152.3.

The Court found that Phelan clearly was authorized to access Othentec UK bank account, Othentec UK was aware of the withdrawals, and Phelan did not directly withdraw the money using a computer. Instead, Phelan merely sent an email to the accountant asking for the withdrawal. Hence, there was no evidence of the unauthorized use of a computer to commit a crime. Othentec UK “produced no evidence outside of self-serving speculations that Phelan committed a violation. of the VCCA.”

The VUTSA makes it illegal for a person to misappropriate trade secrets from another. Othentec UK argued that Phelan, as Managing Director, was intimately familiar with the technology, “unless someone is foolish enough to believe that all that (EC4 USA’s technology) was developed in a clean-room environment without reference to, use of, or attempting to work around” Othentec UK’s proprietary and highly confidential software and manufacturing process, than Othentec UK had no basis for its argument. The Court agreed with the last part, ruling that these “allegations, speculations, and inference are not enough to survive summary judgment.See Othentec Ltd. v. Phelan, --- F.3d ----, Case No. 06-2297, 2008 WL 2009740 (4th Cir. May 12, 2008) (emphasis added).

Tags: , , ,

Arizona District Court Issues Decision Limiting Applicability Of Computer Fraud And Abuse Act Claims

Posted on April 9, 2008 by Robert Milligan

A district court in Arizona recently issued a published decision limiting the use of the Computer Fraud and Abuse Act (“CFAA”) by employers who have been the victim of electronic data theft by their former employees. In Shamrock Foods v. Gast, --- F.Supp.2d ----, 2008 WL 450556 (D.Ariz.), the district court held that a departing employee’s transmittal of confidential information to his personal e-mail account prior to his resignation did not give rise to a cause of action under CFAA.

According to the employer’s complaint, the employee, who had executed a confidentiality agreement with the employer, allegedly e-mailed numerous company confidential and proprietary files to his personal e-mail account shortly after the employee had begun employment negotiations with a competitor. The day after he sent the company material to his personal e-mail account he allegedly told his manager that he was considering leaving the company and shortly thereafter informed the company that he was joining a direct competitor.

In its complaint, the company alleged that the employee was acting as an agent of the competitor when he assessed and e-mailed the confidential information. The company further alleged that he provided the information to the competitor and that the competitor was using the information to the company’s detriment.

The company brought suit in federal court asserting CFAA claims under 18 U.S.C. § 1030(a)(2), (4), and (5)(iii), as well as state law misappropriation claims. The employee and the competitor moved to dismiss the CFAA claims for failure to state a claim.

The district court granted the motion to dismiss concluding that 1) a violation for accessing a protected computer “without authorization” occurs only when the initial access is not permitted; and 2) an “exceeds authorized access” violation occurs only when initial access to a protected computer is permitted but the access of certain information is not permitted.

The court analyzed the CFAA statute in some depth and the specific CFAA claims that the employer brought. The court stated that it is a violation of section 1030(a)(2) when a person “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer if the conduct involved an interstate or foreign communication.” Next, the court stated that section 1030(a)(4) is violated when a person “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value....” Finally, the court declared that section (a)(5)(A)(iii) is violated when a person “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage. . . .”

In sum, the court reasoned that to state a claim under (a)(2) and (a)(4), the employer must allege conduct showing that the employee accessed a protected computer without authorization or exceeded authorized access and under section (a)(5)(A)(iii), the employer must allege conduct showing that the employee accessed a protected computer without authorization.

The competitor and the employee argued the CFAA claims were not actionable because the employee was authorized to access the computer and information at issue. The employer argued that the employee was no longer authorized to access its confidential information once he acquired the improper purpose to use this information to benefit himself and the competitor.

The district court acknowledged that there were two lines of cases interpreting the meaning of “authorization” under the CFAA. According to the court, some courts have applied principles of agency law to the CFAA and have held that an employee accesses a computer “without authorization” whenever the employee, without knowledge of the employer, acquires an adverse interest or is guilty of a serious breach of loyalty. The court cited the following the cases in support of that proposition: Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-421 (7th Cir.2006); ViChip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D.Cal.2006); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1125 (W.D.Wash.2000).

The court also stated that other courts “have opted for a less expansive view, holding that the phrase ‘without authorization’ generally only reaches conduct by outsiders who do not have permission to access the plaintiff's computer in the first place.” The court cited the following cases in support of this contrasting position: Diamond Power Intern., Inc. v. Davidson, Nos. 1:04-CV-0091-RWS-CCH and 1:04-CV-1708-RWS-CCH, 2007 WL 2904119, at *13 (N.D.Ga. Oct.1, 2007); Brett Senior & Assocs., P.C. v. Fitzgerald, No. 06-1412, 2007 WL 2043377, at *2-4 (E.D.Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2006 WL 2683058, at *5 (M.D.Fla. Aug.1, 2006); Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 495 (D.Md.2005).

Continue Reading...
Tags: , ,

Coldwell Banker Sues Former Executives Who Form Competing Brokerage, Take Staff, Clients, and Trade Secrets

Posted on January 29, 2008 by Sara LeClerc

Coldwell Banker Residential Brokerage v. D’Ambrosia, No. 08-CV-00166, Complaint (D. Md. Jan. 18, 2008)

On January 18, 2008, Coldwell Banker Residential Brokerage filed a federal lawsuit in Maryland against three former key employees and newly-formed competitor Car-Tay, Inc., an affiliate of GMAC Real Estate. The complaint alleges that the former employees, two of whom had been high-level executives, conspired to form the competing brokerage in violation of their employment agreements, the federal Computer Fraud and Abuse Act, and state law.

Coldwell Banker claims that the former employees began actively, but covertly, planning, staffing, and building the competing venture more than one year before their departure. Key evidence cited in the complaint includes an extensive trail of emails purportedly sent and received by the defendants while still employed by Coldwell Banker. In the emails, the defendants openly discuss solicitation of Coldwell Banker salespersons, tips for persuading Coldwell Banker clients to move their listings to GMAC, how to access Coldwell Banker’s highly-guarded commercial document database, and how to copy data from Coldwell Banker computers. This “scheme,” the complaint says, was a targeted effort “to eviscerate [Coldwell Banker’s] ability to compete with GMAC.”

Indeed, Coldwell Banker points out that the very day following defendant Ann D’Ambrosia’s resignation, the defendants’ GMAC office opened its doors for business. Within one month, two dozen Coldwell Banker salespersons joined the defendants at GMAC. In six weeks time, Coldwell Banker had received requests from approximately ten clients to cancel and void their listing agreements; all of these clients re-listed with GMAC after securing the releases. Each of these results, Coldwell Banker contends, arose directly from the defendants’ pre-resignation solicitation efforts.

In its fourteen-count complaint, Coldwell Banker claims the defendants violated the federal Computer Fraud and Abuse Act by improperly accessing protected computers and removing confidential and proprietary Coldwell Banker information, including client files, listing agreements, contracts, and property records; breached their employment contracts and duty of loyalty owed to Coldwell Banker; tortiously interfered with contractual and prospective economic relations; and misappropriated trade secrets in violation of the Maryland Trade Secrets Act. Coldwell Banker seeks monetary damages in the amount of $2 million – $1 million as compensatory damages and $1 million as punitive damages – as well as injunctive relief enjoining the defendants from soliciting Coldwell Banker’s clients and employees for one year, and from using Coldwell Banker’s confidential and trade secret information.

Tags: , , , ,

Seventh Circuit Rules that Injunction is Insufficiently Specific in not Defining the "Trade Secrets and Confidential Information Covered

Posted on January 17, 2008 by Michael Elkon

In Patriot Homes, Inc. v. Forest River Housing, Inc., No. 06-3012, 2008 WL 90081 (7th Cir. Jan. 10, 2008), the U.S. Court of Appeals for the Seventh Circuit vacated an injunction entered by the U.S. District Court for the Northern District of Indiana, ruling that it was insufficiently specific and therefore was not in compliance with Rule 65(d) of the Federal Rules of Civil Procedure.

The facts of the matter as set forth in Patriot Homes are as follows: Forest River hired four employees of Patriot Homes after merger talks between the two companies fell through. Forest River formed a new company named Sterling with the new employees. Patriot Homes, Forest River, and Sterling are all in the modular homes industry. The four employees copied information from Patriot Homes’s computer system before resigning and utilized that information for Sterling. Sterling did not deny that its employees had done so, but it argued that the information taken from Patriot Homes was not a trade secret because it was filed by Patriot Homes with various state governments and could be procured through Freedom of Information Act requests. Discovery revealed that most, but not all, of the information taken from Patriot Homes and used by the four employees could indeed be procured from state governments.

The District Court entered a preliminary injunction forbidding Sterling from “[u]sing, copying, disclosing, converting, appropriating, retaining, selling, transferring, or otherwise exploiting Patriot's copyrights, confidential information, trade secrets, or computer files.” The preliminary injunction also required Sterling to: “[c]ertify that copied data and materials of Patriot's property, confidential information and trade secrets on computer files and removable media (CDs, DVDs, tapes, etc.) have been deleted or rendered unusable.”

The Court of Appeals found that the injunction was not specific enough to put Sterling on notice as to what acts on its part would constitute contempt of court: “The preliminary injunction entered by the district court uses a collection of verbs to prohibit Sterling from engaging in certain conduct, but ultimately it fails to detail what the conduct is, i.e., the substance of the “trade secret” or “confidential information” to which the verbs refer.” The Court of Appeals based its decision on Sterling’s uncertainty as to what information was truly a trade secret or confidential information and what was not entitled to such protection by virtue of being publicly available. The case stands as a reminder that injunctions compelling parties to simply “follow the law” without more instruction do not comply with Rule 65(d).

Tags: , , ,

Georgia Court of Appeals Affirms Criminal Conviction for Trade Secrets Theft For Taking and Using a Client List

Posted on November 30, 2007 by Seyfarth Shaw LLP

The taking and using of customer lists is no longer just a matter for civil proceedings and injunctive relief. On Monday, November 26, 2007, the Georgia Court of Appeals affirmed a jury’s criminal conviction of an individual who took and used her former employer’s master client list to solicit customers, who used company computers to plan her new business venture, and otherwise misappropriated client files.

Defendant Shan DuCom was tried and convicted after it was discovered that she had attempted to wipe out her former employer (C&D)’s property management business completely by converting the property management function to her own, newly created entity. Indeed, DuCom conspired with other employees to start a new firm, used C&D’s computers to create new “letterhead and logos, press releases, solicitation postcards, and various ‘to-do’ lists,” as well as to engage in “massive” copying of information maintained on C&D’s computer hard drives to discs. Her actions were apparently so wanton that the day after she left, the former employers’ team came to work and found the office had “been left barren, ‘cleaned out.’ The computer server was turned off, the hard copies of client files were missing, the fax and credit card phone lines had been sabotaged, and office supplies and equipment were missing.” Once the computer service was restored, C&D found that entire databases were missing and that the C&D website had been transferred to DuCom’s new firm. Three of DuCom’s co-workers resigned and joined her new firm as well. Georgia’s Uniform Trade Secrets Act specifically protects client and customer lists as trade secrets, provided they

(A) Derives economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and

(B) Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

O.C.G.A. § 16-8-13(a)-(b). The appellate court remarked, in particular, that as a new business, DuCom’s new firm “would have opened its doors with little or no property to manage, and with no property to manage, it would have very little income,” reflecting that her head-start approach runs afoul of the law. Noting the damage that she caused by her acts in stealing the client list, the court affirmed the lower court’s award of restitution based on valuation of C&D’s “book of business.”

DuCom also was convicted of “computer theft” under O.C.G.A. § 16-9-93(a) for using C&D’s computers without authorization. The appeals court reflected that she had downloaded data she was not permitted to use and that the jury could have found “beyond a reasonable doubt that DuCom used a computer, owned by her employer, with knowledge that such use was without authority and with the intention of removing programs or data from that computer and appropriating them for her own use.” Under Georgia law, unauthorized use includes “the use of a computer or computer network in a manner that exceeds any right or permission granted by the owner of the computer or computer network” O.C.G.A. 16-9-92(18). With a broad definition and unassailable facts, the appellate court did not waste much time in discussing its reasoning to affirm.

Although it is not unusual to hear tales of such wanton conduct in preparing to compete in a new business, it is not very often that we hear of criminal prosecutions of such matters at the state level in Georgia. We’ll be keeping our eyes and ears open for any further such cases.

Tags: , , , ,