Computer Fraud and Abuse Act

shutterstock_214450246An ex-employee’s former employer sued him for alleged violations of the Kansas Uniform Trade Secrets Act (KUTSA) and the federal Computer Fraud and Abuse Act (CFAA).  The first claim was based on the company’s hunch that he had misappropriated trade secrets and thereby breached his non-disclosure agreement.  Two forensic experts were paid $38,000 to examine the computers and flash drives he had used, looking for evidence that he had used or disclosed confidential information.  The second claim centered on his admission that, shortly before resigning from the company, he had read a top-secret file which was, but should not have been, accessible to employees.  He moved for summary judgment on both claims.  The court granted the motion, holding that (a) payments to the experts did not satisfy the KUTSA requirement of showing an “actual loss caused by misappropriation” (K.S.A. 60-3322(a)), and (b) he was authorized to access the company’s shared files and, therefore, he did not violate the CFAA. Tank Connection, LLC v. Haight, No. 6:13-cv-01392-JTM (D. Kan., Feb. 5, 2016) (Marten, C.J.).

Summary of the case.  Haight was International Sales Manager of Tank Connection, a  manufacturer of large storage tanks.  He signed a confidentiality agreement (but not a non-compete).   With the company’s consent, he downloaded confidential information onto the laptop and flash drives provided to him by the company.  However, he also downloaded company data onto his own flash drives.  Further, he reviewed — but did not copy — the company’s president’s confidential computer file.  Following his resignation, he returned the company’s laptop and what he asserted were all of its flash drives.  Further, he insisted that he had neither disclosed the company’s secrets to his new employer nor used the information, and that he had deleted all of Tank Connection’s data from his personal flash drives.  Concluding that Tank Connection had produced no evidence contrary to his disavowal of trade secret misappropriation, and that reading the shared file was not a violation of the CFAA, the court entered judgment for Haight.

Why the claim of trade secret misappropriation failed.

Tank Connection’s expert witnesses determined that, shortly before Haight’s resignation, he accessed the company’s server and transferred to the company’s laptop and flash drives, and to his own flash drives, a lot of confidential information.  The company contended that “harvesting” of that data circumstantially supported the claim that he had used proprietary information improperly and/or had disclosed it to his new employer.  However, Chief Judge Marten ruled that without any hard evidence of wrongdoing, and in the face of Haight’s unqualified denial of culpability, Tank Connection’s speculation of improper conduct was insufficient to create KUTSA liability.

Tank Connection alleged that its damages from Haight’s “misappropriation” aggregated $1,238,000: $1.2 million that the company had expended for creating, developing and updating the computer programs, plus $38,000 it had paid to the experts.  Chief Judge Marten rejected the $1.2 million claim because the company did not show any loss of data, damage to its computers or programs, unfair competition, or unjust enrichment.  Further, the statutory alternative of assessing “a reasonable royalty” was inapplicable due to the absence of proof that Haight disclosed or used confidential information.

Finally, the court held that payments to computer forensic experts retained by Tank Connection to investigate an alleged but unproved theft of trade secrets were not an “actual loss caused by misappropriation.”  The judge said that the question has not been decided by Kansas judges, and that Connecticut Appellate and Virginia Supreme Court rulings are in diametric opposition to each other.  Concluding that the payments were “not within the traditional realm of tort damages,” and that they were incurred merely in an attempt to ascertain if there had been a theft, the court held that they were not compensable losses under KUTSA.

Why the claim of a CFAA violation failed. 

A few days before Haight resigned, a co-worker brought to his attention a computerized folder containing highly sensitive information intended solely for the eyes of the company president and one administrator.  The company was unaware that incorrect security settings for the folder enabled employees such as Haight to access it.  He admitted that he had looked at it, which constituted a CFAA violation according to Tank Connection, but he insisted that he and other employees regularly viewed shared files in the course of their work and that he did not copy, disclose or use the folder’s contents.

Chief Judge Marten observed that the president’s folder was in a shared file, and there was no evidence that Tank Connection told its employees not to open the folder.  He said that, therefore, Haight clearly did not violate the statutory prohibition against accessing a computer “without authorization.”  The difficult question under the CFAA was whether Haight exceeded his authorized computer access.  The judge found persuasive U.S. v. Valle, 807 F.3d 508 (2nd Cir. 2015), which held that an employee’s authority to access a computer file is dispositive in determining that the CFAA has not been violated, regardless of the use to or purpose for which the file is accessed.  Thus, summary judgment was granted on the CFAA claim as well.

Takeaways.  Haight prevailed on the trade secrets misappropriation claim largely because he was authorized to use Tank Connection’s confidential data in the course of his employment, and the company had no evidence that he disclosed or used the data other than for company business.  In the absence of a smoking gun or an eye witness to wrongdoing (Tank Connection had neither), employers often have difficulty disproving an ex-employee’s denial of culpability.  Perhaps Tank Connection might have strengthened its case if it had examined Haight’s personal flash drives before he deleted all of the information on them.

The ruling declining reimbursement of Tank Connection’s expenses for computer forensic experts seems to have been driven by the company’s inability to prove that any misappropriation occurred.  A number of courts have held that amounts paid to such experts, for tasks associated with a pretrial investigation launched because of suspected trade secret theft, are recoverable damages.  However, in those cases typically, the experts concluded that the company’s suspicion was well-founded.  Tank Connection is unusual because reimbursement was sought in the face of a failure to prove any impropriety.  Under these circumstances, the expenses did not qualify as an “actual loss caused by misappropriation.”

Chief Judge Marten’s ruling regarding the scope of the CFAA is another in the litany of disputes pitting a narrow statutory interpretation against a broader one.  Compare such decisions as Valle cited by the court (holding that the Act only prohibits computer hacking by an outsider), with, e.g., Epic Systems Corp. v. Tata Consultancy Services Ltd., No. 14-cv-748 (W.D. Wis., Nov. 18, 2015) (opining that the CFAA also criminalizes “insider hacking,” that is, unauthorized use of data by someone authorized to access the computer).  The conflict in these decisions probably can only be resolved by Congress or the U.S. Supreme Court.

shutterstock_261389492Ever since Iqbal and Twombly, it has become imperative that a complaint filed in federal court contains “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’”  Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 570 (2007)).  The Eastern District of Michigan recently reiterated this point in the context of an alleged violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.  As detailed below, failure to include the requisite factual allegations can and will result in the dismissal of potential CFAA claims.

SUMMARY

In Fabreeka International Holdings, Inc. v. Robert Haley and Armadillo Noise & Vibration LLC, 2015 U.S. Dist. LEXIS 154869 (E.D. MI, Nov. 17, 2015), Fabreeka Intl. Holdings filed suit against its former employee, Robert Haley, and his new employer, alleging that Haley unlawfully accessed its computers to obtain confidential information in violation of the CFAA.  Specifically, Fabreeka alleged that: (1) during the period of his employment, Haley accessed confidential business information stored on Fabreeka’s servers; (2) Haley did not return all of Fabreeka’s confidential information at the time of his resignation; and (3) Haley authored or assisted in authoring proposals for his new employer using Fabreeka’s confidential information for the purpose of undercutting Fabreeka’s prices.

Fabreeka contended that its allegations establish violations under three sections of the CFAA: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), 1030(a)(5)(B) and (C).

  • Subsection (a)(2) prohibits (1) intentionally accessing a computer (2) without authorization or exceeding authorized access and (3) thereby obtaining information (4) from any protected computer (if the conduct involved an interstate or foreign communication) where (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • Subsection (a)(4) prohibits (1) accessing a “protected computer” (2) without authorization or exceeding such authorization that was granted, (3) “knowingly” and with “intent to defraud,” and thereby (4) furthering the intended fraud and obtaining anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • Subsection (a)(5)(B) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, recklessly causes damage. 18 U.S.C. § 1030(a)(5)(B).
  • Subsection (a)(5)(C) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, causing damage and loss. 18 U.S.C. § 1030(a)(5)(C).

The District Court dismissed each of these CFAA claims for the following reasons:

  1. There was no dispute that Haley was authorized to access information on the Fabreeka’s servers, including sales and manufacturing data, during his employment at Fabreeka. Since the facts pled established Haley had authorization, the Court held that Fabreeka’s claims subsections (a)(5)(B) and (a)(5)(C), requiring the access be “without authorization,” should be dismissed. This left Fabreeka’s remaining CFAA claims, which the Court said could proceed so long as Fabreeka pled facts that establish Haley exceeded his authorized access.
  2. Fabreeka’s Complaint asserted that Haley misappropriated confidential information based solely on the similarity of proposals submitted by Fabreeka and his new employer. Based off those proposals, Fabreeka offered unsupported conclusions that Haley stole confidential files and assisted in authoring the competitor’s proposal. The Court held that because “[a] pleading must include factual allegations that exceed mere speculation, see Twombly, 550 U.S. at 555, and Fabreeka’s CFAA allegations fail to meet this standard.”

In addition, the Court noted that a complaint must state sufficient facts to “raise a reasonable expectation that discovery will reveal evidence” of a claim’s required elements.  Although Fabreeka’s Complaint alleged that Haley and his new employer’s owner communicated on Fabreeka’s computer during Haley’s employment, the Court found that the mere fact that the two discussed Haley joining Armadillo does not support a plausible inference that the two colluded to misappropriate confidential information. Thus, the Court held that it did “ not feel” that Fabreeka’s Complaint “pled sufficient facts to raise a reasonable expectation that further evidence of a CFAA violation will be revealed in discovery.”

  1. Fabreeka’s Complaint implied that the company considers all non-public information confidential. Defendants, on the other hand, claimed that Fabreeka’s proposals cannot be considered confidential because they are transmitted to third parties without any steps to protect the proposals or the information they contain.  The Court noted that the Sixth Circuit previously stated, in the context of trade secrets, that if a company did not take reasonable steps to maintain the confidentiality of alleged trade secrets, a misappropriation claim properly fails. See BDT Products, Inc. v. Lexmark Int’l, Inc., 124 F. App’x 329, 333 (6th Cir. 2005).  Accordingly, the Court held that insofar as Fabreeka’s allegations address confidential material taken, the company’s proposals submitted to customers may not be properly considered secret or confidential.
  2. Finally, the Court held that Fabreeka’s Complaint did not allege that the “damage and loss” allegedly suffered arose from the cost of responding to or from investigation into Haley’s alleged violation. Instead, the Complaint merely recited the elements of the CFAA and asserted there had been “damage and loss.”  The Court held this was insufficient.

TAKE-AWAY

When asserting claims under the CFAA, it is critical to not only review and pled the necessary elements that form the claims, but to also include the sufficient factual allegations to support those claims.  The Fabreeka decision highlights how more and more courts are cracking down on insufficient pleading, particularly in the context of CFAA suits.  As a plaintiff, do not fall victim to poor or lazy drafting and, as a defendant, carefully review a complaint’s factual allegations with an eye towards a possible motion to dismiss.

shutterstock_131284286In a recent Computer Fraud and Abuse Act case, the Seventh Circuit Court of Appeals affirmed the district court’s conclusion that the plaintiff had produced no evidence refuting the defendant’s contention that it honestly believed it was engaging in lawful business practices rather than intentionally deceiving or defrauding the plaintiff.  Accordingly, entry of judgment for the defendant was appropriate.  Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., Case No. 4:13-CV-4021 (7th Cir., Jan. 21, 2016).

Summary of the case.  Fidlar licenses technology to county governments enabling them quickly to scan and digitize real estate transaction documents.  The county-licensees pay Fidlar a fee for using its technology.  In turn, county-licensees making the digitized documents available on line charge an access fee.  Persons who access the digitized documents and print copies must remit copying fees to Fidlar.

LPS gathers, analyzes and sells data concerning real estate transactions.  It developed software that permits the company, in exchange for a monthly payment to the county-licensees, to harvest and download en masse documents digitized by the counties using Fidlar’s technology.  The software enables LPS to analyze the digitized data without printing the documents and, thereby, to avoid paying copying fees which otherwise would have been owed to Fidlar.  When Fidlar learned what LPS was doing, Fidlar accused LPS of computer fraud in violation of the CFAA.  LPS denied wrongdoing and prevailed in court on summary judgment.

The parties’ contentions.  According to Fidlar, LPS defrauded Fidlar because LPS knew about the copying fee and had to know that its system for harvesting the information contained in the digitized real estate transaction documents allowed it to benefit from Fidlar’s technology without paying anything to that company.  LPS responded that, far from intending to deceive or defraud, its business practices were driven by its need to access and analyze data quickly and efficiently, and that printing copies of the documents was unnecessary.

Did LPS intend to defraud Fidlar?  Counties pay a fee to Fidlar for using its technology in order to digitize the contents of documents.  LPS pays a fee to counties for enabling its computers to access the digitized data.  LPS avoided remunerating Fidlar by not printing copies of the information.  And, significantly, there was neither disruption nor destruction of Fidlar’s computer system or intellectual property.  Fidlar apparently failed to anticipate, and therefore did not forbid, LPS’ access to and use of the data in this manner.

The CFAA criminalizes fraudulently accessing a computer or computer system with the intent of deceiving or cheating.  In opposition to LPS’s summary judgment motion, Fidlar maintained that whether LPS intended to defraud Fidlar is a question of fact requiring a trial.  However, both the lower and appellate tribunals said that the entry of summary judgment was appropriate because Fidlar was required, but failed, to demonstrate that there was evidence in the record supporting Fidlar’s claim that LPS had a fraudulent intent.

Takeaways.  Proving a CFAA violation requires evidence of an intentional fraud.  Even though Fidlar’s technology did not expressly permit third parties to access the digitized records and use the information without printing copies, thereby avoiding payment of fees to Fidlar, such access and use were not prohibited.  Fidlar lost the case because it failed to design its software to require payments to the company by third parties who figured out how to make use of the data without printing it.

shutterstock_208633174Background

Imagine if you could manage all of your social media platforms on one app.  Believe it or not, there was an app for that (or, at least a website), created by a company named Power Ventures (“Power”).  Back in 2008, Power instituted its “Power 100” campaign, which offered its users the chance to win $100 if they invited 100 friends to join.  After asking its users’ permission, Power would access its users’ Facebook accounts to send messages to friends of its users to encourage them to join Power.  These messages were sent to friends of Power users from email addresses containing Facebook in the source name (e.g., amy@facebookmail.com), thus giving the impression that the messages came from Facebook personnel, not from Power.

Lo and behold, the “real” Facebook became aware of Power’s plan and tried to stop it through the use of an IP block, which Power was able to overcome.  Facebook continued combatting Power’s activity by sending cease and desist letters, reiterating how Power’s activities went beyond the scope of its authorized use, but Power failed to act in compliance with these requests.  Thereafter, Facebook slapped Power with a lawsuit, alleging (among other things) a violation of the Computer Fraud and Abuse Act (“CFAA”), primarily based on Power’s unauthorized use of Facebook data and systems.  Four years later in 2012, the U.S. District Court for the Northern District of California found that Power indeed violated Section (a)(2)(C) of the CFAA.  The following year, the district court issued an order granting not only a permanent injunction against Power, but also prescribed damages in excess of $3 million to be paid to Facebook.

Status of the Case

As perhaps any party would do following such a dismal outcome at district court, Power decided to appeal to the Court of Appeals for the Ninth Circuit.  Oral arguments were heard in December, and a Ninth Circuit court opinion is expected to come down in the coming months.

Ninth Circuit Oral Argument

At oral argument, counsel for Power argued that Power could not have violated the CFAA because it never owned the data at issue in the case.  As such, it was beyond Facebook’s power to grant or deny authorization to user accounts to third-parties.  Counsel pressed that acting with authorization means one has authorization from the owner of the data; Facebook, according to Power’s counsel, explicitly disclaimed ownership of such data.  In other words, because individual Facebook users granted Power access to their accounts, Power was acting within the scope of authorization, and is therefore not liable to Facebook under the CFAA.

From another standpoint came Power’s former CEO, Steve Vachani, who made a statement that Facebook, now a social media giant, is acting anti-competitively by still litigating this case after seven years.  Counsel for Facebook disagreed, saying that his client was not being anti-competitive, but rather acting in compliance with its legal obligations.

Third-Party Perspectives

This is not the only CFAA-related case the Ninth Circuit has faced as of late.  Some time ago, the court heard oral arguments for the U.S. v. Nosal case, blogged here.  Given the recent interest in this CFAA line of cases, commentators have piped up and expressed their thoughts on the CFAA and its application to password sharing scenarios.

For instance, the Electronic Frontier Foundation (“EFF”) wrote as amici in support of Power’s position, noting that Facebook’s use of the CFAA is “dangerous to follow-on innovators and consumers and would criminalize widely accepted Internet behavior.”

Additionally, Professor Orin Kerr appears to support curbing the interpretation and application of the CFAA to password sharing scenarios and believes any user of a personal account may authorize a third-party agent to access the account, but such would not be the case if the individual were acting within the scope of employment.  In other words, if the individual gave her employer’s account credentials to a third-party agent for the third-party’s own purposes, that would not constitute authorization because it would be beyond the employer’s grant of authorization to its employee.

Takeaways

Given the compensatory and equitable damages awarded to Facebook at the district court level, it will be especially interesting to see if the Ninth Circuit upholds the district court findings and damages, especially against a now defunct company.  Upholding the district court’s damages award will certainly call practitioners and their clients to attention.

It will also be interesting to see if the Ninth Circuit somehow consolidates its rationale in Nosal into this case, and finally carves a distinction between password sharing in the workplace and personal password sharing scenarios.

shutterstock_334793126Continuing our tradition of presenting annually our thoughts concerning the top 10 developments/headlines this past year in trade secret, computer fraud, and non-compete law, here—in no particular order—is our listing for 2015 and a few predictions for 2016.  Please join us for our first webinar of the New Year on January 29, 2016 discussing these developments/headlines.

1) Enactment of federal trade secret legislation moves closer, while federal non-compete bill gains no traction.  In last year’s Top 10 listing, and in several blog posts from 2015, we described the ongoing effort of a large bipartisan group of U.S. Senators and Representatives to create a federal civil cause of action for trade secret misappropriation (according to govtrack.us, as of January 11, 2016 there were 23 cosponsors of such legislation in the Senate and 107 in the House).  The proposed bill is entitled “The Defend Trade Secrets Act of 2015” (“DTSA”).  On December 2, 2015, the Senate Judiciary Committee held a hearing on the DTSA and it received a positive reaction from the Committee. We expect that the DTSA will be voted on by Congress in the spring of 2016.

Many industry representatives who have written or spoken on the subject support the DTSA.  They cite such reasons as: (a) it will provide uniform statutory provisions in contrast to the “Uniform Trade Secrets Act” (“UTSA”)—adopted by every state except New York and Massachusetts—but which contains some significant state variations; (b) rather than litigate in state courts, some attorneys and companies prefer federal courts, particularly because of federal bench experience with patent, trademark, and copyright cases; (c) personal jurisdiction over defendants may be easier to obtain in a federal court than in a state court with respect to individuals or businesses charged with claims involving overseas trade secret misappropriation or computer fraud and discovery of parties and non-parties may be easier to conduct in federal court; and (d) the statute of limitations in the proposed DTSA is longer, and the maximum amount that can be awarded as punitive damages is higher than the amount available under the UTSA.

A number of academics oppose adoption of the DTSA.  They suggest that the expense of litigating in federal court often exceeds the cost of handling a case in a state court.  Some also take issue with, among other sections, the ex parte seizure provisions in the DTSA (although proponents cite those provisions as advantages).  Opponents of the DTSA mention that the UTSA has had years of judicial interpretation that provides some measure of predictability.  Opponents have also voiced concern with respect to some potentially ambiguous terms in the proposed DTSA.

We also reported on proposed federal legislation to ban enforcement of non-competes against low wage employees and to require employers to disclose in advance that employees must sign non-competes.  The Senate bill is called “Mobility and Opportunity for Vulnerable Employees” (“MOVE”).  At present, MOVE has few sponsors and does not appear to be gaining any traction.

Please see our dedicated page for the latest updates on the proposed federal trade secret legislation. As discussed below, we expect regulators and employees to continue to challenge the necessity and breadth and scope of non-compete agreements in certain industries.

2) Watch for challenges to (a) confidentiality covenants interpreted as discouraging cooperation with government agency investigations or chilling Section 7 rights and (b) “do-not-hire” agreements.  In 2015, federal government agencies such as the SEC took aim at confidentiality clauses seemingly intended to dissuade employees from whistleblowing with respect to alleged employer misconduct.  Additionally, the NLRB continued its crusade of striking employer confidentiality agreements/policies that may chill employees from exercising their rights under the National Labor Relations Act. Accordingly, we expect that non-disclosure provisions that interfere with government investigations or chill Section 7 rights will continue to be scrutinized in 2016.  Further, the government previously challenged agreements among competitors that prohibited them from hiring their competitors’ employees.  Plaintiffs’ attorneys have attempted to capitalize on such efforts by bringing class actions for alleged unlawful “do-not-hire” arrangements between competitors and some cases have resulted in large settlements. We expect to see more such cases in 2016.

3) The Ninth Circuit’s narrow interpretation of the Computer Fraud and Abuse Act (“CFAA”) was supported by some courts in other circuits, but rejected by others, and other computer hacking issues continue to percolate.  The CFAA states that one who “intentionally accesses a computer without authorization or exceeds authorized access” commits a crime.  18 U.S.C. § 1030.  In 2012, in U.S. v. Nosal, the Ninth Circuit Court of Appeals (in a divided en banc decision) adopted the narrow interpretation that the only intended targets of the law were hackers who “break into” a computer and that the statute does not criminalize the unauthorized use of computerized data by misguided employees.  676 F.2d 854.  The same court reiterated that view in U.S. v. Christensen, Nos. 08-50531, et al. (Aug. 28, 2015).  The court added, however, that California Penal Code § 502, which prohibits taking or using information on a computer without permission, does not require unauthorized access and, therefore, is markedly unlike 18 U.S.C. § 1030.

In decisions announced before 2015, the Fourth Circuit concurred with Nosal, but the First, Fifth, Seventh, and Eleventh disagreed.  Judicial decisions in 2015 supported each position and, therefore, further muddied the waters.

In U.S. v. Valle, Nos. 14-2710-cr and 14-4396-cr (2d Cir., Dec. 3, 2015) (2-1 decision), the majority concluded that there is equal merit to the narrow statutory interpretation announced in Nosal, and the diametrically opposed, broader interpretation set forth by courts disagreeing with Nosal.  Based solely on the doctrine of lenity, the Second Circuit adopted the narrow view.

Judges have reached opposite conclusions regarding Nosal (compare, for example, Experian Marketing Solutions, Inc. v. Lehman, No. 15-cv-476 (W.D. Mich., Sept. 25, 2015) and Allied Portables v. Youmans, 2015 WL 6813669 (June 15, 2015) (following Nosal), with Epic Systems Corp. v. Tata Consultancy Services Ltd., No. 14-cv-748 (W.D. Wis., Nov. 18, 2015) (rejecting Nosal)).  A judge in the Eastern District of Michigan wrote a lengthy criticism of Nosal, and a prediction that the Sixth Circuit would not follow the Ninth, but the judge ultimately decided that the complaint before him stated a cause of action regardless of which statutory interpretation was intended.  American Furukawa, Inc. v. Hossain, No. 14-cv-13633 (May 6, 2015).  These widely disparate rulings will leave many employers without a clear path to follow.

Moreover, one Assistant U.S. Attorney told Congress in 2015 that the CFAA should be amended to clarify which of the two conflicting views Congress intended.  We predict that, unless the statute is amended, the U.S. Supreme Court will have to resolve the circuit court split.

Additionally, we expect that the Ninth Circuit will issue another decision in the U.S. v. Nosal case this year to address whether password sharing to obtain access to a protected computer is actionable under the CFAA. Additionally, we expect to see more Penal Code section 502 claims in California based upon the alleged misuse of company information “without permission.”

4) Security breaches continue to plague owners of confidential data.  Hackers, nation states, competitors, and disgruntled employees are among those responsible for the breach and dissemination of confidential data.  Following the Ashley Madison incident and some other highly publicized incidents, we expect to see more data breaches and resulting litigation in 2016, particularly in those jurisdictions where courts have been willing to soften the standing requirements for maintaining such suits. To guard against this risk, it is essential that companies have comprehensive information security policies and solid data breach response plans in place.

Sometimes the breach benefits only a single individual or entity, such as when an employee transfers employers and provides proprietary information belonging to the former employer to the new employer.  However, the more serious consequences occur when, without the owner’s authorization, such data is published on-line for all the world to see.  To make matters worse, social media privacy legislation and other privacy laws can often frustrate efforts to identify the thief and to abort the publication.

In connection with a recent New York Supreme Court—New York’s trial court—injunction hearing, a party accidentally filed its trade secrets on the New York State Courts Electronic Filing system.  The adversary insisted, over the vehement objection of the party that made the inadvertent filing, that this act constituted a posting on the Internet that rendered the information publicly available.  The court has delayed making a definitive ruling. On the other coast, the Northern District of California recognized that the issue occurring in New York could arise in California.  The court, proactively, promulgated guidelines on its website for the prompt and effective removal of erroneous e-filings.

5) Employers’ attempts to enforce non-compete and non-solicitation covenants against lower level employees troubles courts and legislators.  At one time, courts normally appeared sympathetic to the principle espoused by employers that parties’ non-competition and non-solicitation covenants were contracts that should be enforced.  In 2015, although some courts enforced restrictive covenants, a number of judges refused to grant preliminary injunctions sought by former employers against ex-employees.  See, e.g., Great Lakes Home Health Services Inc. v. Crissman, No. 15-cv-11053 (E.D. Mich., Nov. 2, 2015); Evans v. Generic Solutions Engineering, No. 5D15-578 (Fla. App., Oct. 30, 2015); Burleigh v. Center Point Contractors, 2015 Ark. App. 615 (Oct. 28, 2015).  Each of these courts concluded that the employers had not demonstrated the requisite extreme need for injunctive relief and protection.  We expect courts to continue to make it difficult on employers to obtain injunctive relief in 2016, particularly where the employee is lower level and there is no clear evidence of imminent harm. We also saw some efforts (though not successful) in Michigan, Washington, Iowa, and Massachusetts to ban or otherwise limit non-competes.

6) Enforcement of restrictive covenants against franchisees gains traction.  The NLRB signaled in 2015 its view that a franchisor’s control over the business practices of franchisees may lead to treating the franchisor as a joint employer of the franchisees’ employees.  Additionally, some courts held in 2015 that restrictive covenants in a franchise agreement could be enforced by the franchisor against both the franchisees and persons who benefit from but are not signatories to the franchise agreement.

Some franchisors have sued to enforce covenants in contracts with franchisees.  An Ohio federal judge in 2015 ordered an ex-franchisee that had signed a confidentiality agreement to return to the franchisor its operations manual, brochures, contracts, correspondence, client files, computer database, and other records relating to the franchise agreement.  H.H. Franchising Sys., Inc. v. Aronson, No. ­12-cv-708 (Jan. 28, 2015).  Additionally, a Wisconsin judge held that an individual who was not a signatory to a franchise agreement that included a confidentiality clause, but who had benefitted from the franchise, was prohibited from using the franchisor’s trade secrets.  Everett v. Paul Davis Restoration, Inc., No. 10-C-634 (E.D. Wis., Apr. 20, 2015). We expect to see more litigation involving franchisees and related parties in 2016.

7) Courts struggle with issues relating to the adequacy of consideration for restrictive covenants.  The controversial Fifield decision by the Illinois Appellate Court several years ago continued to make waves in 2015.  The court in Fifield held that a restrictive covenant executed by an at-will employee is unenforceable, for lack of adequate consideration, unless the employment relationship lasts at least two years beyond the date of execution.  Fifield v. Premier Dealer Service, 993 N.E.2d 938 (Il. App (1st) 2013).  The Illinois Supreme Court has not yet opined on that holding.  This past year, several Chicago federal trial judges, adjudicating cases in which they decided it was necessary to predict whether the Illinois Supreme Court would agree with Fifield, reached opposing conclusions.  Moreover, in McInnis v. OAG Motorcycle Ventures, Inc., 35 N.E.3d 1076 (Il. App. (1st) 2015), a panel of the Illinois Appellate Court split 2-1 on the question of whether Fifield should be followed.

Another wrinkle involving consideration arose in Pennsylvania, which adopted the so-called “Uniform Written Obligations Act” (“UWOA”) (solely in force in Pennsylvania).  Under the UWOA, if a written contract contains a commitment to which the parties “intend to be legally bound,” then the parties may not question the adequacy of consideration for the agreement.  On the other hand, the state has a long history of disfavoring restrictive covenants in employment agreements.  This past year, the Pennsylvania Supreme Court ruled unenforceable for lack of consideration a covenant entered into after the commencement of employment, but for which no benefit or favorable change in employment status was given to the employee.  Socko v. Mid-Atlantic Systems of CPA, Inc., Case No. 3-40-2015 (Nov. 18, 2015).  This ruling came down notwithstanding the UWOA, even though the agreement expressly quoted the “legally bound” language of that law.  See id.  This decision does not alter the doctrine that covenants signed by employees upon hire are supported by adequate consideration. We expect to see more challenges to the adequacy of consideration by employees in 2016.

8) New state legislation concerning restrictive covenants.  State legislatures have enacted, and probably will continue to enact, new laws bearing on restrictive covenants.

  1. New Hawaii statute. Passed in 2015, it provides that a non-compete or non-solicit clause in an employment contract for an employee of a technology business is void.
  2. New Connecticut, Montana, and Virginia statutes. In 2015, these three states joined more than a dozen others by enacting laws that restrict employer access to personal social media accounts of employees and job applicants.  We predict that these laws will adversely impact employers’ efforts to uncover trade secret theft.
  3. New Mexico health care practitioner statute. A law passed in 2015 provides that an employer of a health care practitioner may not enforce a non-compete covenant restricting the practitioner from providing post-termination clinical health care services.
  4. Alabama and Oregon statutes. Alabama revised its non-compete statute (effective January 1, 2016). The revised statute will make it easier for employers to enforce non-competes against Alabama employees. Additionally, Oregon limited the duration of non-competes with employees to 18 months. The new law is also effective January 1, 2016.

9) Rulings regarding validity of forum selection provisions in restrictive covenant agreements.  Some multi-state employers use one-size-fits-all covenants, and that practice—coupled with a litigant’s forum shopping—sometimes leads to unexpected inconsistencies.  California’s policy, articulated in Business and Professions Code Section 16600 (which provides that employee non-compete  clauses are typically void), has figured in a number of these cases and likely will continue to do so.  California courts continue to dismiss or transfer such cases to other states in accordance with contracting parties’ forum choice notwithstanding employees’ arguments that the forum state might enforce covenants which seemingly are void in California. We did see some reluctance by courts in Delaware and New York to impose broad restrictive covenants on employees in 2015, particularly where the designated choice of law may unfairly impact the employee.

10) Proposed EU Directive to protect trade secrets makes progress; vote nears on U.S. involvement in Trans Pacific Partnership. The European Union and other foreign countries have varying rules with regard to the protection of trade secrets.  In some instances, there are no rules regarding trade secret protection or the laws are not enforced.  A U.S. company doing business abroad may encounter a wide variety of practices applicable to trade secrets. There has been an effort to harmonize trade secrets law abroad to provide minimum standards as exemplified by the proposed EU Directive.

As we reported, the proposed EU Directive crossed yet one more procedural hurdle with a provisional agreement on the Directive reached by the European Council (represented by the Luxembourg presidency) and representatives of the European Parliament. Now that the provisional agreement has been reached, the Parliament and Council will conduct a legal-linguistic review of the text.  Once that process has been completed, the proposed Directive will then be submitted to the full Parliament for approval.  Currently, the Parliament is expected to vote on the Directive around March 2016, but the precise date for a first reading has yet to be determined.

Additionally, as we reported, a proposed trade agreement, the Trans Pacific Partnership, was reached in October 2015 among a dozen Pacific Rim countries and the U.S.  While the implementing legislation still needs to be passed by the signatory countries, the agreement will require signatory nations,  such as Australia, Canada, Singapore, and Malaysia, to implement criminal procedures and penalties for the unauthorized misappropriation of trade secrets.  The agreement signifies the Obama Administration’s continued effort to enhance trade secret protections at home and abroad for the benefit of U.S. companies.

shutterstock_276783140We are pleased to announce the webinar “Social Media Privacy Legislation Update” is now available as a podcast and webinar recording.

In Seyfarth’s eighth installment in its series of Trade Secrets Webinars, Seyfarth social media attorneys discussed their recently released Social Media Privacy Legislation Desktop Reference and addressed the relationship between trade secrets, social media, and privacy legislation.

As a conclusion to this well-received webinar, we compiled a list of  brief summaries of the more significant cases that were discussed during the  webinar:

  • In KNF&T Staffing Inc. v. Muller, Case No. 13-3676 (Mass. Super. Oct. 24, 2013) a Massachusetts court held that updating a LinkedIn account to identify one’s new employer and listing generic skills does not constitute solicitation. The court did not address whether a LinkedIn post could ever violate a restrictive covenant.
  • Outside of the employment context, the Indiana Court of Appeals in Enhanced Network Solutions Group Inc. v. Hypersonic Technologies Corp., 951 N.E.2d 265 (Ind. Ct. App. 2011) held that a nonsolicitation agreement between a company and its vendor was not violated when the vendor posted a job on LinkedIn and an employee of the company applied and was hired for the position, because the employee initiated all major steps that led to the employment.
  • In the context of Facebook, a Massachusetts court ruled in Invidia LLC v. DiFonzo, 2012 WL 5576406 (Mass. Super. Oct. 22, 2012) that a hairstylist did not violate her nonsolicitation provision by “friending” her former employer’s customers on Facebook because “one can be Facebook friends with others without soliciting those friends to change hair salons, and [plaintiff] has presented no evidence of any communications, through Facebook or otherwise, in which [defendant] has suggested to these Facebook friends that they should take their business to her chair.”
  • Similarly, in Pre-Paid Legal Services, Inc. v. Cahill, Case No. CIV-12-346-JHP, 2013 U.S. Dist. LEXIS 19323 (E.D. Okla., Jan. 22, 2013) a former employee posted information about his new employer on his Facebook page “touting both the benefits of [its] products and his professional satisfaction with [it]” and sent general requests to his former co-employees to join Twitter. A federal court in Oklahoma denied his former employer’s request for a preliminary injunction, holding that communications were neither solicitations nor impermissible conduct under the terms of his restrictive covenants
  • The Virginia Supreme Court in Allied Concrete Co. v. Lester, 285 Va. 295 (2013) upheld a decision sanctioning a plaintiff and his attorney a combined $722,000 for deleting a Facebook account and associated photographs that undermined the plaintiff’s claim for damages stemming from the wrongful death of his wife in an car accident. The deleted photographs showed plaintiff holding a beer while wearing a T-shirt with the message, “I Love hot moms.” Subsequent testimony revealed that the plaintiff’s attorney had instructed his paralegal to tell the plaintiff to “clean up” his Facebook entries because “we do not want blowups of this stuff at trial.”
  • PhoneDog v. Noah Kravitz, No. C11-03474 MEJ, 2011 U.S. Dist. LEXIS 129229 (N.D. Cal., 2012) involved a dispute over whether a Twitter account’s followers constitute trade secrets even when they are publically visible. The court denied the defendant’s motion to dismiss and ruled that PhoneDog, an interactive mobile news and reviews web resource, could proceed with its lawsuit against Noah Kravitz, a former employee, who PhoneDog claimed unlawfully continued using the company’s Twitter account after he quit.  The court held that PhoneDog had described the subject matter of the trade secret with “sufficient particularity” and satisfied its pleading burden as to Kravitz’s alleged misappropriation by alleging that it had demanded that Kravitz relinquish use of the password and Twitter account, but that he has refused to do so.  With respect to Kravitz’s challenge to PhoneDog’s assertion that the password and the Account followers do, in fact, constitute trade secrets — and whether Kravitz’s conduct constitutes misappropriation, the court ruled that the such determinations require the consideration of evidence outside the scope of the pleading and should, therefore, be raised at summary judgment, rather than on a motion to dismiss.  The parties ultimately resolved the dispute.
  • The Second Circuit Court of Appeals in Triple Play v. National Labor Relations Board, No. 14-3284 (2d. Cir. Oct. 21, 2015) affirmed an NLRB decision that a Facebook discussion regarding an employer’s tax withholding calculations and an employee’s “like” of the discussion constituted concerted activities protected by Section 7 of the National Labor Relations Act. The Facebook activity at issued involved a former employee posting to Facebook, “[m]aybe someone should do the owners of Triple Play a favor and buy it from them. They can’t even do the tax paperwork correctly!!! Now I OWE money . . . Wtf!!!!” A current employee “liked” the post and another current employee posted, “I owe too. Such an asshole.” The employer terminated the two employees for their Facebook activity. The 2nd Circuit affirmed the NLRB’s decision that the employer’s termination of the two employees for their aforementioned Facebook activity was unlawful.

The following is a collection of social media policies that have been implemented by various companies:  http://socialmediagovernance.com/policies/. While these policies can serve as a helpful guide, companies should tailor their own social media policies and consult with counsel.

For more information, please contact your Seyfarth Shaw LLP attorney, Robert B. Milligan at rmilligan@seyfarth.com, Daniel P. Hart at dhart@seyfarth.com or Joshua Salinas at jsalinas@seyfarth.com.

shutterstock_299582249On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA).   In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.

The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA.  Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.

Nosal’s Points

Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I).  Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets.  As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.”  In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.

This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime.  Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement).   Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.

U.S. Government’s Arguments

On the other side of the spectrum lie the government’s arguments.  Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA.  Such a broad interpretation was met with raised brows from the members of the judicial panel.

Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brecka case.  Per Brecka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway.  In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing.  After receiving some push-back from the panel after making such an argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.

With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time.  Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value for not being generally known by the general public.

Possible Outcomes for Nosal and Beyond

Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic.  In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case.  In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use.  At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.

Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument.  As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit.  The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.

shutterstock_242602567While employee Lehman was employed by Experian and allegedly subject to various employment covenants, he incorporated Thorium, a competitor.  After Experian laid him off, he operated Thorium.  Experian sued Lehman and Thorium in a Michigan federal court, accusing them of wrongdoing including violations of the federal Computer Fraud and Abuse Act.  Holding that the CFAA is intended to criminalize hacking and that Experian’s allegations of hacking were oblique at best, the court dismissed most of Experian’s claims under that statute.

Status of the case.  Because some of Experian’s common law causes of action and one of its CFAA contentions were not dismissed, discovery is proceeding. Experian Marketing Solutions, Inc. v. Lehman, Case No. 15:cv-476 (W.D. Mich., Sept. 29, 2015).

Background.  Experian is part of a world-wide marketing services conglomerate that collects and analyzes business data.  At the time he was laid off, Lehman was Experian’s executive vice president.  He was based in Grand Rapids, Michigan, and was authorized to access the company’s computer files.  As a condition of his initial hire, and again later in connection with settlement of a claim he brought against the company while still its employee, he executed non-compete, non-solicitation, and confidentiality agreements.  He allegedly violated those agreements and the CFAA by creating and operating Thorium and by downloading Experian’s confidential information (both while he was an Experian employee and after he was laid off) to a hard drive that company had provided to him.  He also was accused of violations by purportedly instructing three Experian employees, whom Thorium later hired, to provide him with data from Experian’s computers, and by erasing all information on Experian’s hard drive before returning it.

Broad and narrow interpretations of the CFAA.  Federal courts are divided on the meaning of the phrases “[access] without authorization” and “exceeds authorized access” as used in the CFAA with respect to computers.  Four courts of appeal have interpreted the statute broadly, ruling that the purpose for accessing a computer is relevant in determining whether access was authorized.  Two federal appellate courts disagree.

The Sixth Circuit Court of Appeals.  The Sixth Circuit has not ruled definitively as to the meaning of those statutory phrases.  However, that court seemed to signal that it favored the majority position when it wrote, in a 2011 decision (quoting from a 2009 Ninth Circuit opinion), that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations . . . has exceed[ed] authorized access.”  Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Amer., 648 F.3d 295, 304.

The ruling in Experian.  Concluding that the Sixth Circuit has not weighed in definitively on the meaning of “authorized” as used in the CFAA, and that the quote from Pulte Homes is mere dicta, the district court found the minority interpretation to be the most satisfying.  Since Lehman was “authorized” to access Experian’s computers when he downloaded its confidential data before he was laid off, the court held that the CFAA was not violated regardless of what he did with the data.  Similarly, the court ruled that the defendants did not violate the statute by obtaining, from three Experian employees who had “authorization” to access its computers, the company’s proprietary secrets after Lehman was terminated.  Although his continued use of an Experian computer after he was terminated clearly was not “authorized,” such use was held to be not actionable under the CFAA because Experian failed to allege that he or Thorium thereby obtained anything of value.

One of Experian’s CFAA claims was not dismissed.  The allegation that Lehman caused “impairment to the integrity or availability of data” by wiping the hard drive clean before returning it was held to state a statutory violation.

Takeaways.  A CFAA claim for unauthorized use of a computer not based on hacking is likely to be dismissed in the Fourth and Ninth circuits.  Four other Courts of Appeal — the First, Fifth, Seventh and Eleventh — disagree, holding that the CFAA also prohibits accessing a computer for an unauthorized purpose even though the user has authority to use the computer.  Individual district court judges in the circuits that have not ruled have reached varying decisions on this issue.  Eventually, either Congress must amend the statute to resolve this inconsistencies or the U.S. Supreme Court may be asked to do so.  In the meantime, litigants and their counsel can only guess how those circuit courts which have yet to decide, and the district courts in those circuits, will rule.

shutterstock_152933135In today’s post, we have answered some of the most frequent and significant questions that we are asked about trade secret disputes and employment risks.

  1.  Could you provide a brief snapshot of current trends in trade secret disputes? Do companies need to be more aware of the potential risks in this area?

Milligan: Data theft of valuable company trade secrets through the use of portable electronic storage devices is occurring more and more, as is theft through cloud storage. We are also seeing an increase in more sophisticated hacking of company networks to obtain proprietary data by organized crime and foreign companies or states. Technological tools and employee use of personal mobile devices such as smartphones and tablets have given rise to a parallel trend of employers allowing — or requiring — their employees to use their own personal mobile devices at work. This “Bring Your Own Device” (BYOD) movement can provide benefits to employees and employers, such as convenience, greater flexibility and productivity, as well as cost savings. However, BYOD programs can also create risks for employers. Companies need to be aware of potential data security issues, BYOD policies in a unionized workforce, employee privacy concerns and intellectual property issues. Moreover, the recovery of stolen information and workplace investigations can be hampered by employee-owned devices, not to mention challenges in litigation when trying to gain access to such devices where privacy considerations are often leveraged. Additionally, attacks on reasonable secrecy measures — part of the definition of a trade secret — is also on the rise: One court recently ruled that password protection alone was not enough to demonstrate reasonable secrecy measures.

Wexler: Further, like the EU, the United States is considering enhancing trade secret protections through additions to its laws. There are two bills pending in the United States Congress to create a civil cause of action for trade secret misappropriation in federal court. If passed, the legislation would provide companies with an additional forum and remedy to combat trade secret theft. With the increasing accessibility of data from a variety of electronic devices and threats by insiders and outsiders, companies also need to be more aware of potential risks to their data and ensure that they have appropriate policies and agreements in place with employees, vendors, and business partners, as well as top of the class data security protections.

  1. How severe is the threat of losing trade secrets to a departing employee or departing executive? What are some of the common scenarios in which trade secrets can be compromised in this manner? Does the threat level change depending on the size of the company – small cap, mid cap, Fortune 50?

Wexler: The threat of losing trade secrets to a departing employee is real and not a matter of if, but when. Prudent companies will make sure that they have appropriate processes in place to address the threat when it occurs. As today’s businesses meet the challenges of intensifying global competition, a more volatile workforce and information being transmitted at an unprecedented speed, they also face a greater risk of losing their valuable proprietary information to theft, inadvertent disclosure, or coordinated employee departures. At a minimum, failure to take both proactive and immediate reactive measures could result in significant loss of profitability and erosion of an established employee and customer base. The threat of losing trade secrets to a departing employee or executive is enhanced if you don’t have appropriate policies and agreements in place to prevent such theft or hold employees accountable for their unlawful conduct. And it can happen so easily and rapidly: One thumb drive can carry millions of pages of proprietary information and company information transferred to a personal email account or in a personal cloud all pose means for theft.

Milligan: Just look at recent headlines involving some of the world’s largest companies who have seen their proprietary information compromised by insiders and outsiders. The crown jewels of many companies are at risk, and millions of dollars are in play. Lack of market secrecy measures, sloppy practices including poor supply side protections, lack of employee education and stale agreements and policies, poor security and different standards for executives who say one thing and do another are all common scenarios that put a company at risk. Common scenarios in which trade secrets can be compromised include letting an employee take company data when he or she leaves. Another red flag scenario is not utilizing non-compete or non-disclosure agreements. There can also be scenarios where the particular industry is highly competitive and competitors are willing to take the enhanced risks to acquire the business or technology. In such scenarios, companies need to make sure they have in place appropriate onboarding and off-boarding practices and procedures, and use the appropriate agreements so they are not exposed. In our experience, the threat level does not necessarily change depending on the size of the company, but the magnitude of harm may increase. The larger the company, the more information to protect and employees/third parties to regulate and police. But small and mid-cap companies have similar concerns because they oftentimes have innovative technology that competitors or other third parties want, so these companies can also be vulnerable.

  1. What steps can companies take during the hiring process to reduce the threat that it may later be sued for trade secret misappropriation – particularly executives or those employees with higher level access to sensitive IP assets?

Milligan: Companies need to have a thoughtful, pro-active process in place when hiring employees from competitors that is calculated to ensure that new employees do not violate their lawful agreements with their former employees, including using or disclosing their former employers’ trade secrets, and retaining any of their former employers’ property. It’s important to regulate who interviews the job candidate and evaluate the candidate’s non-compete or confidentiality agreement. Advise company personnel who are interviewing the candidate not to ask about a competitor’s confidential information during the hiring process. Focus the interview on the recruit’s general skills and experience in the industry. It’s also important not to disclose company trade secrets to the candidate — be careful of the access permitted to the candidate. Candidates for employment should sign certifications that they will not disclose any trade secrets of their current employer. Additionally, make sure you analyze a recruit’s agreements in advance of an offer being made. Should the candidate accept an offer, provide clear instructions to the employee that you don’t want the former employer’s trade secrets or property and use agreements with the employee documenting the same. There are unique issues surrounding the retention and departure of high-level executives, particularly related to non-compete and trade secret issues. Since businesses can become targets of trade secret-related lawsuits if they hire executives and senior management who have worked at a competitor and misappropriate trade secrets or otherwise violate their restrictive covenants, it’s important for companies to conduct due diligence on prospective employees and make sure that they have thoughtful plan in place before bringing on any high risk hires.

Wexler: Simple steps such as retaining hard drives when an employee leaves and inspecting computers, devices, cloud storage, and email accounts can alert an employer to theft of information. More sophisticated methods such a forensic exam and monitoring software can also detect theft. Most of all, create a culture in which recruits and new employees are told “we do not want anything from your prior employer.” Some additional best practice considerations follow below. Do not allow a recruit to do any work for your company until he or she has left his or her prior employer. Assist the employee in announcing the change in employment upon commencement of employment as appropriate. Focus on making the transition as smooth as possible for the current employer and encourage the departing employee to give proper notice and work out a mutually agreeable transition schedule with his or her current employer. With respect to the employee’s new position, don’t put the employee in a position in the company where he or she will necessarily need to reveal trade secrets. Finally, HR personnel needs to follow up with the employee to make sure that she is following her agreements and not pushing the envelope, and also follow up with managers to make sure the employee is doing the same.

  1. In what ways is the technology now available to employees changing the playing field in terms of loss or theft of trade secrets?

Milligan: The constant evolution of technology, particularly in mobile devices, data storage and security, and social media, has created legal challenges for companies and the playing field has changed tremendously. Portable electronic storage devices, online data storage, and personal email are available to employees for nominal to no expense and can provide the means to trade secret theft. Additionally, business leaders often want data and information immediately and often want to make it accessible to various constituents, but companies don’t necessarily keep up with the latest in security in protecting such data. Companies need to stay on top of technology, including the latest in data storage and security and storage devices. Hacking of computers and mobile devices is more of a concern these days, and more mobility for employees also means more potential security issues for companies. Companies also need to stay on top of social media. Given its rapid and somewhat haphazard growth, social media carries with it a set of issues that traditional avenues of trade secret disclosure do not. For instance, unlike the departing employee who knowingly takes with him a box of documents, the relaxed and non-professional environment of social media sites could lead to employees disclosing confidential information without even realizing they are doing so. Exposure of confidential company information and employee privacy rights are all issues that companies are now struggling with.

Wexler: Social media privacy legislation has become increasingly common in the United States and often impacts trade secret investigations. Issues related to social media privacy in the workplace are not going away and we expect to see more disputes to define acceptable practices in this area. In light of this uncertainty, employers should determine whether their company has employees in any of the states that have adopted or are planning to adopt social media privacy laws in order to ensure compliance with such laws. Employers should also be aware that state laws may restrict requests for information about such activity. Counsel should review the applicable state social media access law before asking an employee for any account-related information. Additionally, employers should not overlook social media evidence in conducting employee investigations, and trade secrets and restrictive covenant lawsuits, but make sure that your company’s review and access of such information does not violate applicable law.

  1. How can companies avoid trade secret misappropriation and what should they do if they suspect misappropriation has occurred? What forensic investigation options might be available?

Wexler: Apart from civil liability, the Economic Espionage Act makes it a federal crime to steal trade secrets, and companies can be liable if they hire employees who misappropriate trade secrets for their new employers’ benefit. Make sure your executives know the importance of playing by the rules. Employers can best avoid trade secret misappropriation with solid hiring practices and strong off-boarding procedures which are calculated to protect trade secrets and honor lawful agreements, coupled with effective ongoing employee training on trade secret protection and fair competition. Protecting your company information is critical to avoid trade secret misappropriation, and companies should work with their outside counsel to create solid policies and agreements, and solutions for onboarding to avoid exposure on restrictive covenants and trade secrets. It’s also crucial to know your business partners, and have them vetted, so that they don’t expose your valuable trade secrets. Critical to any trade secret matter is the thorough investigation of what, if any, wrongdoing occurred. Companies should work with legal counsel who is experienced in conducting such investigations. Comprehensive interviews and a review of relevant files, emails and workspaces are often the starting points of a competent investigation.

Milligan: We also regularly collaborate with forensic experts and computer specialists to find out how secrets were taken, and by whom, and to preserve any evidence necessary to future litigation. It’s important to preserve data, review emails, and talk to relevant witnesses to interpret the forensic data. A digital forensics examination often includes collecting and analyzing artifacts from the operating system, internet history, and unallocated space. Routine eDiscovery does not typically delve into questions about the source computer or storage device and ESI, although eDiscovery may uncover the need to ask questions related to internet history, webmail, cloud storage, mobile devices and phone back-ups, and removable devices.

  1. How should companies interact with criminal prosecutors and federal/state law enforcement to complement civil claims for trade secret misappropriation?

Milligan: Private companies can investigate misappropriation claims and provide information to authorities for purposes of prosecuting Economic Espionage Act and/or Computer Fraud & Abuse Act claims as well as similar state criminal laws, but businesses need to be aware of two important points: 1) allowing law enforcement access to the business can be a double edged sword creating interference with operations and disclosure of more information than the business may want, and 2) when conducting an investigation be certain to follow accepted forensic practices and chains of custody in collecting information. In sum, ensure that you have your house in order so you don’t become the target of an investigation. When considering criminal prosecutions, always be cognizant of the ethical rule required of attorneys that generally prohibits threatening or initiating criminal proceedings to gain an advantage in a civil proceeding. Consultation with criminal authorities should be done in secrecy and ideally by non-attorneys so as not to run afoul of ethical rules. However, note an attorney can have contact with authorities, it is not prohibited in and of itself.

Wexler: It should also be noted that criminal prosecutors may make a request regarding the secrecy of the investigation or to hold off taking certain actions in the civil matter (or pursing the case altogether while the criminal case is ongoing) as they are focused on the criminal matter whereas a company and its counsel may be focused on the civil matter and damages. These differing interests can collide at times, so coordination is key. No private right of action exists yet under the Economic Espionage Act. The U.S. Senate and House are currently considering legislation on this issue.

  1. What kinds of challenges do US companies face in pursuing trade secrets and non-compete claims against foreign companies, particularly from China?

Milligan: U.S. companies may face the challenge of not being able to enforce injunctive relief orders and judgments, as well as jurisdictional challenges posed by foreign companies. Additionally, in some cases, Chinese companies doing business in the U.S. have quite limited assets in the U.S. and individual defendants may be judgment proof. Even if a U.S. company obtains a favorable judgment from the U.S. court, the judgment may not be recognized or enforceable in China, and thus, the company may not obtain sufficient monetary or equitable remedy. Therefore, the U.S. company must carefully select its business partners and the jurisdiction in a confidentiality or non-compete agreement to attempt to enhance its ability to obtain an injunction and judgment. If forced to sue abroad, remember the court systems are different and there are different views on IP. Your company may not be able to get complete relief in a foreign jurisdiction. The EU Commission has proposed a directive to harmonize trade secrets law in Europe that may assist in this regard in the future if approved.

  1. What are some practical considerations for US companies or multinational companies doing business in Asia and Europe to protect their trade secrets and confidential information?

Wexler: Know your business partners. Have them fully vetted so they don’t steal your IP. Try to protect your supply side with appropriate agreements. You should also be careful about what you share with your business partners. If it is bet-the-company information, consider keeping that internal. In addition to getting employees and business partners to execute well-prepared agreements, training — both on-board and on-the-job — can be a powerful measure. Employers should make sure that access to trade secrets and confidential information is granted only to those with necessity to know and make sure your local workforce abroad is trained on company policies and signs appropriate agreements to protect IP. Realize that you are not in the U.S., and the legal systems and respect for IP may be different. For example, in China, different locales may have different views on trade secret protections and non-compete agreements. For instance, the statutory minimum non-compete compensation in Shenzhen is higher than the one in Shanghai. U.S. companies or multinational companies doing business in China should be aware of such local variations and may need to take different measures in different places to ensure protection.

Milligan: Within a foreign forum the selection of the right venue, meaning a locale where the court is more willing to implement the rule of law is essential. In China, for example, the enforcement varies by locale. For instance, recent decisions indicate that Shanghai courts are more willing to give protection to the employer in trade secret and non-compete cases, including issuing injunctive relief. Try to use contractual choice of law, consent to jurisdiction, and forum clauses for the most favorable forum for you. Also consider international arbitration. Assess your security vulnerabilities, particularly in light of the foreign locale, and put in place appropriate safeguards. Carefully access your IT security in foreign countries and be alert for unauthorized monitoring and surveillance. Provide training to executives on traveling abroad and conducting business abroad to ensure that trade secrets are not carelessly compromised.

  1. In your experience, what should a company do if a trade secret dispute arises between it and a former employee?

Milligan: If a company suspects that valuable information has been improperly taken or compromised, you need to first assess the potential competitive threat to the company. It’s important to take fast, effective action and consider whether to pursue civil remedies or criminal intervention against the former employee. If litigation is anticipated with the departure of an employee, you should take precautionary steps immediately:

  • Secure and establish a chain of custody for all items returned by the departing employee, including laptop computer, desktop computer, USB devices, tablets, and physical property.
  • Secure and maintain a chain of custody of the employee’s office and the items in that office until it is searched.
  • Retain outside counsel to investigate the departure and have outside counsel secure the services of a digital forensic investigation firm with a good reputation.
  • If the employee is computer savvy, do an immediate search of the internet for relevant materials posted to social media sites, including LinkedIn, Facebook, and Twitter.

Wexler: When our clients are faced with possible trade secret misappropriation by former employees, we immediately investigate and develop the facts through interviews, document review, and collaborate with a qualified digital forensic expert. Forensic investigation of computing devices to identify the possible theft of confidential information is a must. We assess the company’s business objectives as well as the chance of success, and assuming that there is sufficient evidence to pursue, we demand compliance and appropriate remedies via cease and desist demands prior to the initiation of litigation. Should written requests for compliance not be successful, we seek injunctive relief and damages to protect company assets and further our client’s objectives.

  1. In the battle against trade secret theft and related disputes, do companies place enough importance on the language and provisions contained in employment contracts? How can employment contracts be strengthened to either reduce trade secret theft or improve the company’s chances of reaching a successful outcome in a trade secret dispute?

Wexler: In our experience, companies should place more importance on their agreements with employees, vendors, and business partners to protect trade secrets. Companies need to strengthen the language and provisions contained in such agreements, including clearer definitions of protectable trade secrets, return of company property provisions, appropriate restrictive covenants, and appropriate forum and choice of law provisions. Well-drafted agreements can reduce the risk of information being misappropriated. Such agreements should be updated annually, as needed, based on changes in the law, and companies should routinely audit their practices to make sure each employee has an appropriate agreement. Companies should also make it an agreed requirement for employees to sit for an exit interview and return any company confidential information stored on any personal devices. Finally, agreements should include an attorneys’ fee provision for breach.

Milligan: Additionally, a thorough exit interview should be conducted at the time any employee separates, and as part of that exit interview process, each exiting employee should be given a written reminder of their ongoing trade secret, confidentiality and social networking obligations, and should be asked to sign the reminder acknowledging receipt and their agreement to comply with such obligations. The exit interview is also the time to get company property returned by the departing employee and make any arrangements for the return and remediation of company property on any personal devices.

California -- brick wallIn United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), the court held that the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, prohibits unlawful access to a computer but not unauthorized use of computerized information.  Although that holding represents a minority position, two recent opinions — one in a Ninth Circuit criminal case and one by a California district court in a civil proceeding — indicate that the ruling in Nosal still is the law out west.

Recent Ninth Circuit and California district court CFAA cases. 

Christensen.  The 100+ page opinion in U.S. v. Christensen, Nos. 08-50531, et al. (9th Cir., Aug. 25, 2015), details what the court described as “a widespread criminal enterprise offering illegal private investigation services in Southern California.”  Six individuals were accused and convicted in the District Court for the Central District of California pre-Nosal of computer fraud, bribery, racketeering, wiretapping, identity theft, and more.  On appeal, several convictions were affirmed, and some others were remanded but just for resentencing.  Of particular interest to readers of this blog, however, all three convictions for violating the CFAA were vacated on the ground that Nosal rendered the jury instructions clearly erroneous and prejudicial.  A retrial may be possible.

Loop AI Labs.  In Loop AI Labs Inc. v. Gatti, No. 15-cv-00798 (N.D. Cal., Sept. 2, 2015), the defendants’ motion to dismiss certain counts of the amended complaint was granted in part and denied in part.  The defendant was Loop AI Labs’ former CEO.  Although she had left the company and worked for a competitor, she continued to log in to Loop AI Labs’ computers.  The court ruled that until Loop AI Labs formally revoked her authorization to access the company’s computers, she did not violate the CFAA by logging in, regardless of her motive.

Faulty jury instructions in Christensen.  One of the defendants was a Los Angeles police officer.  He was charged with violating the CFAA, among other statutes, by (a) logging in to confidential state and federal law enforcement databases — which he had the right to access — and (b) in exchange for a bribe, providing to two other defendants information they requested from those databases but to which they were not entitled.  The prosecutor simply assumed, and did not attempt to prove, that the officer thereby committed a CFAA violation.  According to the Ninth Circuit, that assumption was unwarranted after Nosal was decided.

By the same token, at trial the three defendants accused of CFAA violations did not object when the court instructed the jurors — before Nosal — that they should find a CFAA violation if they determined that a computer had been knowingly accessed with the intent to use the information to commit a fraud.  In Christensen, the appellate court held that those jury instructions were plainly erroneous in light of Nosal and clearly were prejudicial.  For these reasons, the CFAA convictions were vacated.

Takeaways.  Approximately one-half of the circuit courts of appeal have ruled on the meaning of the phrase “exceeds authorized access” as used in the CFAA.  In the circuits where there has not yet been a ruling, obviously, there is uncertainty as to which position the court will adopt.

The majority — so-called liberal — view is exemplified by holdings in cases such as International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (CFAA violated by accessing a computer for an unauthorized purpose).  Nosal, and now Christensen, represent the minority (or narrow) position that an individual with authorization to access a computer does not commit a CFAA violation regardless of what the individual does with the information so obtained.

Adding to the confusion, courts are not in agreement over the meaning of Nosal.  For example, in the recent case of U.S. v. Shen, Case No. 4:14-CR-122 (W.D. Mo. Apr. 21, 2015), the facts were somewhat similar to those in Loop AI Labs.  Citing Nosal, the court in Shen stated: “There is some disagreement as to whether an employee who properly accesses a computer and then misuses the information can be convicted” of violating the CFAA.  The Missouri court added: “However, courts are clear that employees who gain access to a computer through their employment lose authorization once they have resigned or been terminated.  Moreover, persons of common intelligence would understand as much.”  Id. at p.4 (citations omitted).  As is apparent, the judge who decided Loop AI Labs does not concur. Further, there are also federal courts in California who have concurred with the Shen reasoning.

Similarly, one cannot be sure that all courts agreeing with the “narrow view” set forth in Nosal also would accept the holding implicit in Christensen that a corrupt police officer does not exceed his “authorized access” to confidential government data bases when he logs in solely for the purpose of providing other persons, in exchange for a bribe, information to which they have no right. With all this uncertainty, the one thing that is certain is that the Ninth Circuit continues to embrace a very narrow and restrictive view of CFAA liability, in contrast to most of the other circuits in the nation.