shutterstock_617698010As a special feature of our blog—special guest postings by experts, clients, and other professionals—please enjoy this blog entry from Charlie Platt, a director at iDiscovery Solutions and a Certified Ethical Hacker. He advises clients on data analytics, digital forensics, and cybersecurity.

At the airport recently, waiting for boarding, flipping through an issue of United States Cybersecurity Magazine, an article about detecting insider threats caught my eye. It was loosely based on a list of behaviors it claimed were ideal indicators for detecting insider threats. I thought, “Wow, this is great! I know plenty of clients who could benefit from this information.” Insider threats are difficult to detect, and I was excited by the opportunity to get new insight, but I became more and more distraught as I read on. The longer I read, the more I saw myself, and many of my cyber-colleagues, being described by the author’s so-called threat indicators. How could we, the good guys, be mistaken for threats?

I read through the list again, and for each point, I asked, “Is this a reliable indicator of a real threat, or a false positive?” I’ve provided the entire list below with my thoughts on each item. Continue Reading Great Employee or Insider Threat?

We are pleased to announce the webinar “2016
National Year In Review:webinar What You Need to Know About the Recent Cases/Developments in Trade Secrets, Non-Compete, and Computer Fraud Law” is now available as a webinar recording.

In Seyfarth’s first installment of its 2017 Trade Secrets Webinar series, Seyfarth attorneys reviewed noteworthy cases and other legal developments from across the nation over the last year in the areas of trade secrets and data theft, non-competes and other restrictive covenants, and computer fraud. Plus, they provided their predictions for what to watch for in 2017.

As a conclusion to this well-received webinar, we compiled a summary of three takeaways that were discussed during the webinar:

  • The DTSA can be a powerful tool to protect intellectual capital. However, in order to take full advantage of the DTSA, businesses should carefully check their agreements with employees, handbooks and equity awards to make sure they contain language mandated by the Defend Trade Secrets Act.
  • 2016 was a record year for data and information security breaches. Organizations should alert and train employees on following company policies, spotting potential social engineering attacks, and having a clear method to escalate potential security risks. Employee awareness, coupled with technological changes towards better security will reduce risk and exposure to liability.
  • Several states enacted laws to limit the scope and duration of non-competes in 2016. There were also some significant decisions limiting their scope and enforceability in 2016 as well. Companies should have their non-disclosure and non-compete agreements reviewed to ensure that they comply with the latest state and federal laws, including the new Defend Trade Secrets Act.

shutterstock_144630422Although stealing bases, and even signs, in baseball may be part of the game, stealing another team’s trade secrets can land you in federal prison, as one executive recently learned the hard way.

As we previously reported, the FBI has been investigating the St. Louis Cardinals for hacking into the Houston Astros’ internal computer network and stealing proprietary information, including internal discussions about trades, proprietary statistics, and scouting reports. The investigation has now concluded, the Cardinals’ former director of baseball development, Chris Correa, pleaded guilty to five counts of unauthorized access of a protected computer in January, and he has now been sentenced to 46 months in federal prison. He also must pay $279,038 in restitution. According to NPR, “U.S. District Judge Lynn Hughes, as she sentenced Correa, noted that the crime has resulted in stricter security at other baseball teams, according to a press release from the Justice Department. When Correa apologized and called his actions ‘reckless,’ [Judge] Hughes replied, ‘No, you intentionally and knowingly did these acts.’”

As the Department of Justice reported at the time of Correa’s plea:

The plea agreement details a selection of instances in which Correa unlawfully accessed the Astros’ computers. For example, during 2013, he was able to access scout rankings of every player eligible for the draft. He also viewed, among other things, an Astros weekly digest page which described the performance and injuries of prospects who the Astros were considering, and a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered. He also viewed the team’s scouting crosscheck page, which listed prospects seen by higher level scouts. During the June 2013 amateur draft, he intruded into that account again and viewed information on players who had not yet been drafted as well as several players drafted by the Astros and other teams.

Correa later intruded into that account during the July 31, 2013, trade deadline and viewed notes of Astros’ trade discussions with other teams.

Another set of intrusions occurred in March 2014. The Astros reacted by implementing security precautions to include the actual Ground Control website address (URL) and required all users to change their passwords to more complex passwords. The team also reset all Ground Control passwords to a more complex default password and quickly e mailed the new default password and the new URL to all Ground Control users.

Shortly thereafter, Correa illegally accessed the aforementioned person’s e mail account and found the e mails that contained Ground Control’s new URL and the newly-reset password for all users. A few minutes later, Correa used this information to access another person’s Ground Control account without authorization. There, he viewed a total of 118 webpages including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros’ analytics department as top performers.

On two more occasions, he again illicitly accessed that account and viewed confidential information such as projects the analytics department was researching, notes of Astros’ trade discussions with other Major League Baseball teams and reports of players in the Astros’ system and their development.

The parties agreed that Correa masked his identity, his location and the type of device that he used, and that the total intended loss for all of the intrusions is approximately $1.7 million.

Michael McCann provides a good analysis of the sentence for Sports Illustrated and describes potential penalties Major League Baseball may pursue against the Cardinals.

shutterstock_149599301We are pleased to announce the webinar “Data Security & Trade Secret Protection for Lawyers” is now available as a podcast and webinar recording.

In the second installment, Seyfarth attorneys, Richard D. Lutkus and James S. Yu, was joined by Joseph Martinez, Chief Technology Officer and Vice President of Forensics at Innovative Discovery. This program covered considerations that attorneys should take into account when in possession of any client data. Coverage included both technical considerations, best practices and policies, as well as practical advice to steer clear of ethical violations.

As a conclusion to this well-received webinar, we compiled a list of  brief summaries of the more significant cases that were discussed during the webinar:

  • Whether corporate or outside counsel, there are basic steps that can dramatically increase the security of your or your client’s data. Management of data will continue to be a necessity for any entity. Proper policies, protocols, and training should be developed and put into place to protect data in transit and at rest. Use of encryption and access control are both key to proper protection of data.
  • Social engineering is the number one cause of data breaches, leaks, and information theft. Organizations should alert and train employees on following policy, spotting potential social engineering attacks, and having a clear method to escalate potential security risks. Employee awareness, coupled with technological changes towards better security will reduce risk and exposure to liability.
  • Lawyers have an ethical duty to ensure that reasonable steps are taken to protect their client’s and employer’s data. Significant statistics have shown that many law firms and practitioners are behind the curve in terms of information security preparedness. Hackers have recently focused their targets on the lax security practices of law firms to obtain client data or inside information.

Join us Tuesday, March 29 at 12:00 p.m. Central. for our next webinar, “New Year, New Progress: 2016 Update on Defend Trade Secrets Act & EU Directive.” To register, click here.

shutterstock_261389492Ever since Iqbal and Twombly, it has become imperative that a complaint filed in federal court contains “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’”  Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 570 (2007)).  The Eastern District of Michigan recently reiterated this point in the context of an alleged violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.  As detailed below, failure to include the requisite factual allegations can and will result in the dismissal of potential CFAA claims.

SUMMARY

In Fabreeka International Holdings, Inc. v. Robert Haley and Armadillo Noise & Vibration LLC, 2015 U.S. Dist. LEXIS 154869 (E.D. MI, Nov. 17, 2015), Fabreeka Intl. Holdings filed suit against its former employee, Robert Haley, and his new employer, alleging that Haley unlawfully accessed its computers to obtain confidential information in violation of the CFAA.  Specifically, Fabreeka alleged that: (1) during the period of his employment, Haley accessed confidential business information stored on Fabreeka’s servers; (2) Haley did not return all of Fabreeka’s confidential information at the time of his resignation; and (3) Haley authored or assisted in authoring proposals for his new employer using Fabreeka’s confidential information for the purpose of undercutting Fabreeka’s prices.

Fabreeka contended that its allegations establish violations under three sections of the CFAA: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), 1030(a)(5)(B) and (C).

  • Subsection (a)(2) prohibits (1) intentionally accessing a computer (2) without authorization or exceeding authorized access and (3) thereby obtaining information (4) from any protected computer (if the conduct involved an interstate or foreign communication) where (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • Subsection (a)(4) prohibits (1) accessing a “protected computer” (2) without authorization or exceeding such authorization that was granted, (3) “knowingly” and with “intent to defraud,” and thereby (4) furthering the intended fraud and obtaining anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • Subsection (a)(5)(B) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, recklessly causes damage. 18 U.S.C. § 1030(a)(5)(B).
  • Subsection (a)(5)(C) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, causing damage and loss. 18 U.S.C. § 1030(a)(5)(C).

The District Court dismissed each of these CFAA claims for the following reasons:

  1. There was no dispute that Haley was authorized to access information on the Fabreeka’s servers, including sales and manufacturing data, during his employment at Fabreeka. Since the facts pled established Haley had authorization, the Court held that Fabreeka’s claims subsections (a)(5)(B) and (a)(5)(C), requiring the access be “without authorization,” should be dismissed. This left Fabreeka’s remaining CFAA claims, which the Court said could proceed so long as Fabreeka pled facts that establish Haley exceeded his authorized access.
  2. Fabreeka’s Complaint asserted that Haley misappropriated confidential information based solely on the similarity of proposals submitted by Fabreeka and his new employer. Based off those proposals, Fabreeka offered unsupported conclusions that Haley stole confidential files and assisted in authoring the competitor’s proposal. The Court held that because “[a] pleading must include factual allegations that exceed mere speculation, see Twombly, 550 U.S. at 555, and Fabreeka’s CFAA allegations fail to meet this standard.”

In addition, the Court noted that a complaint must state sufficient facts to “raise a reasonable expectation that discovery will reveal evidence” of a claim’s required elements.  Although Fabreeka’s Complaint alleged that Haley and his new employer’s owner communicated on Fabreeka’s computer during Haley’s employment, the Court found that the mere fact that the two discussed Haley joining Armadillo does not support a plausible inference that the two colluded to misappropriate confidential information. Thus, the Court held that it did “ not feel” that Fabreeka’s Complaint “pled sufficient facts to raise a reasonable expectation that further evidence of a CFAA violation will be revealed in discovery.”

  1. Fabreeka’s Complaint implied that the company considers all non-public information confidential. Defendants, on the other hand, claimed that Fabreeka’s proposals cannot be considered confidential because they are transmitted to third parties without any steps to protect the proposals or the information they contain.  The Court noted that the Sixth Circuit previously stated, in the context of trade secrets, that if a company did not take reasonable steps to maintain the confidentiality of alleged trade secrets, a misappropriation claim properly fails. See BDT Products, Inc. v. Lexmark Int’l, Inc., 124 F. App’x 329, 333 (6th Cir. 2005).  Accordingly, the Court held that insofar as Fabreeka’s allegations address confidential material taken, the company’s proposals submitted to customers may not be properly considered secret or confidential.
  2. Finally, the Court held that Fabreeka’s Complaint did not allege that the “damage and loss” allegedly suffered arose from the cost of responding to or from investigation into Haley’s alleged violation. Instead, the Complaint merely recited the elements of the CFAA and asserted there had been “damage and loss.”  The Court held this was insufficient.

TAKE-AWAY

When asserting claims under the CFAA, it is critical to not only review and pled the necessary elements that form the claims, but to also include the sufficient factual allegations to support those claims.  The Fabreeka decision highlights how more and more courts are cracking down on insufficient pleading, particularly in the context of CFAA suits.  As a plaintiff, do not fall victim to poor or lazy drafting and, as a defendant, carefully review a complaint’s factual allegations with an eye towards a possible motion to dismiss.

WebinarOn Thursday, February 25, 2016 at 12:00 p.m. Central, Seyfarth attorneys, Richard D. Lutkus and James S. Yu, will be joined by Joseph Martinez, Chief Technology Officer and Vice President of Forensics at Innovative Discovery to present the second installment of the 2016 Trade Secrets Webinar series. This program will cover considerations that attorneys should take into account when in possession of any client data. Coverage will include both technical considerations, best practices and policies, as well as practical advice to steer clear of ethical violations.

The panel will specifically address the following topics that often arise in trade secret investigations and litigation:

  • Information Storage, Retention, and Remediation
  • Device Management
  • Phishing and Social Engineering
  • Security Considerations
  • Cloud Storage and Ethical Considerations

There is no cost to attend this program, however, registration is required.

If you have any questions, please contact events@seyfarth.com.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.

register

shutterstock_337013828The Trans Pacific Partnership Agreement (“TPP) between twelve Pacific Rim counties, including Australia and the United States, was finally made public on 5 November.

The text of the Agreement will now be reviewed by various parliamentary committees before Parliament votes on legislation to implement the Agreement in Australia, likely to be in February or March next year. If the implementing legislation is passed in Australia and the other signatory countries, the Agreement will be ratified and come into force. It is expected that it could take up to two years before the Agreement comes into force in all 12 signatory countries.

The intellectual property provisions of the TPP Agreement are contained in Chapter 18. Chapter 18 includes a number of measures designed to protect intellectual property rights, many of which reflect Australia’s current intellectual property laws. However, a number of concerns have been raised including by the Australian Competition and Consumer Commission (ACCC), Australia’s competition regulator, in its submissions to the Productivity Commission. The ACCC is concerned that some of the provisions in Chapter 18 may “tilt the balance in favour of IP rights holders to the detriment of competition and consumers”. In addition, the ACCC has warned that the investor-state dispute settlement provisions (which give foreign companies the right to sue the Australia government for introducing laws which harm their interests) “risk impeding domestic reforms in the public interest”.

The biggest change to intellectual property law in Australia which will result if the Agreement is implemented in its current form is Australia would be required to implement criminal procedures and penalties for acts including the unauthorised misappropriation of trade secrets. Currently in Australia the only action which can be taken against a person or company who misappropriates trade secrets is a civil claim for breach of confidence. The Agreement also does not make clear what defences will be available to those alleged to have misappropriated trade secrets which is concerning for journalists and whistleblowers.

At this stage, it is still a case of wait and see. Various bodies are expected to conduct further analysis on the provisions of the Agreement to determine the likely impact on Australia. Also, depending on Parliament’s assessment of the implementation legislation, the Agreement may need to be renegotiated or side letters entered into to address any issues.

shutterstock_147820271In recent years, the prevalence of data and information security breaches at major corporations have become increasingly more commonplace.  While general awareness may be increasing, many companies are still neglecting to address serious information security issues.

Breached data can include proprietary or confidential information, trade secrets, personally identifiable information, health-related data, privileged communications, and regulatory data.  Such data is often subject to preservation due to pending or reasonably anticipated litigation, government investigation, due diligence, or other applicable legal matter, meaning the data is routinely transferred and shared with outside counsel for analysis and support of clients’ claims and defenses.

Many law firms provide guidance regarding information governance to clients, however more times than not, firms fail to realize that they too are also responsible for following similar guidelines. Appropriate precautions must be in place throughout a firm to protect the integrity and sanctity of client data, prevent unauthorized access, and to ensure timely remediation.  However, firms must also have this data available for litigation response, analysis, and review. Therefore, keeping data entirely offline is rarely an option.

There are several pillars of governance that law firms should consider when examining the handling of both their own data as well as that of clients.  As a fiduciary of their clients’ data, firms that fail to address these issues will eventually find themselves in an ethical nightmare, that when applied to a partnership creates a considerable problem.

Continue Reading Untrusted Advisor: How Your Law Firm May Fail to Protect Your Data

shutterstock_299582249On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA).   In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.

The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA.  Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.

Nosal’s Points

Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I).  Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets.  As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.”  In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.

This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime.  Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement).   Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.

U.S. Government’s Arguments

On the other side of the spectrum lie the government’s arguments.  Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA.  Such a broad interpretation was met with raised brows from the members of the judicial panel.

Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brecka case.  Per Brecka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway.  In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing.  After receiving some push-back from the panel after making such an argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.

With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time.  Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value for not being generally known by the general public.

Possible Outcomes for Nosal and Beyond

Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic.  In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case.  In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use.  At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.

Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument.  As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit.  The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.

shutterstock_242602567While employee Lehman was employed by Experian and allegedly subject to various employment covenants, he incorporated Thorium, a competitor.  After Experian laid him off, he operated Thorium.  Experian sued Lehman and Thorium in a Michigan federal court, accusing them of wrongdoing including violations of the federal Computer Fraud and Abuse Act.  Holding that the CFAA is intended to criminalize hacking and that Experian’s allegations of hacking were oblique at best, the court dismissed most of Experian’s claims under that statute.

Status of the case.  Because some of Experian’s common law causes of action and one of its CFAA contentions were not dismissed, discovery is proceeding. Experian Marketing Solutions, Inc. v. Lehman, Case No. 15:cv-476 (W.D. Mich., Sept. 29, 2015).

Background.  Experian is part of a world-wide marketing services conglomerate that collects and analyzes business data.  At the time he was laid off, Lehman was Experian’s executive vice president.  He was based in Grand Rapids, Michigan, and was authorized to access the company’s computer files.  As a condition of his initial hire, and again later in connection with settlement of a claim he brought against the company while still its employee, he executed non-compete, non-solicitation, and confidentiality agreements.  He allegedly violated those agreements and the CFAA by creating and operating Thorium and by downloading Experian’s confidential information (both while he was an Experian employee and after he was laid off) to a hard drive that company had provided to him.  He also was accused of violations by purportedly instructing three Experian employees, whom Thorium later hired, to provide him with data from Experian’s computers, and by erasing all information on Experian’s hard drive before returning it.

Broad and narrow interpretations of the CFAA.  Federal courts are divided on the meaning of the phrases “[access] without authorization” and “exceeds authorized access” as used in the CFAA with respect to computers.  Four courts of appeal have interpreted the statute broadly, ruling that the purpose for accessing a computer is relevant in determining whether access was authorized.  Two federal appellate courts disagree.

The Sixth Circuit Court of Appeals.  The Sixth Circuit has not ruled definitively as to the meaning of those statutory phrases.  However, that court seemed to signal that it favored the majority position when it wrote, in a 2011 decision (quoting from a 2009 Ninth Circuit opinion), that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations . . . has exceed[ed] authorized access.”  Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Amer., 648 F.3d 295, 304.

The ruling in Experian.  Concluding that the Sixth Circuit has not weighed in definitively on the meaning of “authorized” as used in the CFAA, and that the quote from Pulte Homes is mere dicta, the district court found the minority interpretation to be the most satisfying.  Since Lehman was “authorized” to access Experian’s computers when he downloaded its confidential data before he was laid off, the court held that the CFAA was not violated regardless of what he did with the data.  Similarly, the court ruled that the defendants did not violate the statute by obtaining, from three Experian employees who had “authorization” to access its computers, the company’s proprietary secrets after Lehman was terminated.  Although his continued use of an Experian computer after he was terminated clearly was not “authorized,” such use was held to be not actionable under the CFAA because Experian failed to allege that he or Thorium thereby obtained anything of value.

One of Experian’s CFAA claims was not dismissed.  The allegation that Lehman caused “impairment to the integrity or availability of data” by wiping the hard drive clean before returning it was held to state a statutory violation.

Takeaways.  A CFAA claim for unauthorized use of a computer not based on hacking is likely to be dismissed in the Fourth and Ninth circuits.  Four other Courts of Appeal — the First, Fifth, Seventh and Eleventh — disagree, holding that the CFAA also prohibits accessing a computer for an unauthorized purpose even though the user has authority to use the computer.  Individual district court judges in the circuits that have not ruled have reached varying decisions on this issue.  Eventually, either Congress must amend the statute to resolve this inconsistencies or the U.S. Supreme Court may be asked to do so.  In the meantime, litigants and their counsel can only guess how those circuit courts which have yet to decide, and the district courts in those circuits, will rule.