A supervisor discovers that an employee has recently downloaded thousands of pages of confidential Company billing and financial information, and e-mailed it to her personal e-mail address. Upon further investigation, the supervisor discovers that the employee has asked other employees to also send Company documents to her personal e-mail address. This hypothethical is a scenario faced by employers more often than they would like. The recent NSA leaks involving contractor Edward Snowden underscore the importance of making sure that your company has an effective action plan in place to protect valuable company data from wannabe whistleblowers.

What Should the Company do?

In coordination with legal counsel, the Company will need to undertake an immediate internal investigation of the employee’s activities. The Company should review the information that was taken and determine whether the information was already publically available or whether it contains Company confidential or trade secret information. Additionally, the Company should determine whether multiple copies of the stolen documents exist and whether they have been designated or labeled as confidential or trade secret. The Company should evaluate its internal policies and procedures as well as its agreements with the employee to determine the scope of the employee’s violations as well as determine whether the employee has a history of similar violations or conduct. If so, hopefully those prior violations are documented.

The Company should involve its internal IT Security department or an outside IT security/forensic specialist to assess and remedy the data breach, and ensure that the Company has a full understanding of what data and/or documents were accessed and transferred, as well as to preserve the electronic evidence of the incident. Interviews of employees, including those employees from which the employee at issue attempted to solicit further documents, should be conducted to determine whether Company documents were actually provided to the employee, as well as to attempt to uncover the motivations for the employee’s actions. If other employees transferred documents to the employee, an investigation of their activities will be necessary. Additionally, depending upon the nature of the information taken by the employee(s) and any contractual obligations implicated, the Company may have an obligation to report a data breach, particularly if the employee has shared the purloined data with unauthorized third parties.

The Company should contact the employee and conduct an immediate in-person interview. During the interview, the employee should be confronted regarding the data transfers. The Company should determine whether there is an innocent explanation for the activity, as well as staying mindful of and adhering to its own whistleblower protection policies. The Company should probe the extent of the personal transfers, transfers from others, and whether the employee has disclosed the documents to third parties. The Company should also question the employee concerning the employee’s motivations as well as the employee’s awareness of Company policies and agreements prohibiting such activities. The Company should attempt to obtain concessions that the employee’s actions violate the Company’s policies/agreements. The Company should ask for the employee’s immediate cooperation in returning the data and request access to the employee’s personal email account as well as any other electronic devices or accounts that contain Company information to accomplish the same. It is important that the Company obtain the return of the data, particularly if the information is confidential or trade secret, so that the Company can attempt to preserve its confidential nature.

Assuming that there is no legitimate reason for the employee’s actions, the Company will need to consider appropriate discipline for the situation, including considering suspension or termination of the employee. The Company should have written documentation clearly demonstrating the reason for such discipline was for violation(s) of particular policies or agreements, not in retaliation for any purported whistleblowing. Civil legal theories against the employee may include, among other claims, breach of contract, breach of loyalty, conversion, trade secret misappropriation, and/or a violation of the Computer Fraud and Abuse Act (depending upon the jurisdiction) or similar state computer data protection or access laws. Depending upon the gravity of the situation, the Company may also want to consider approaching law enforcement to consider pressing charges against the employee. If the employee refuses to return the documents and make the employee’s accounts and other electronic devices/accounts containing Company data available for inspection to obtain the return of the purloined data, the Company may need to consider seeking immediate injunctive relief in court.

Before taking any adverse actions against the employee, however, the Company needs to evaluate the employee’s potential claims against the Company and any whistleblower protections for self-help discovery in the particular jurisdiction. For instance, in the SOX whistleblower case Vannoy v. Celanese Corp., No. 09-1118, 2011 DOLSOX LEXIS 68 (ARB Sept. 28, 2011), the Department of Labor’s Administrative Review Board recognized the tension between legitimate employer confidential policies and employee whistleblower bounty programs, like the provisions in Dodd-Frank that preclude companies from enforcing or threatening to enforce confidentiality agreements to prevent whistleblowers from cooperating with the SEC. The ARB, relying on Internal Revenue Service and SEC whistleblower bounty programs, reversed an ALJ’s finding in favor of the employer and remanded the matter for evidentiary hearing to determine whether the employee’s taking of company documents by sending them to his personal email account was protected lawful conduct within the scope of SOX.

Similarly in, Quinlan v. Curtiss-Wright Corp., 204 N.J. 239 (N.J. Dec. 2, 2010), the New Jersey Supreme Court, employed a seven factor test to determine the propriety of an employee’s taking of company documents to support her legal claims. “The ultimate question under the balancing test is whether the employee’s dissemination of confidential documents was reasonable under the circumstances. This type of test is consistent with the general notion that oppositional activity must be reasonable in order to receive protection under Title VII and other similar statutes.” In upholding a ten million dollar verdict against the employer, the court found that employer could have terminated plaintiff for taking the documents but not for her counsel’s use of the performance review in deposition. The court further found that the plaintiff’s attorney’s use of the comparator’s performance review at deposition was the actual reason for her discharge, and thus plaintiff was indeed discharged for engaging in protected activity. In reaching its decision, the court found the factors supporting plaintiff’s position were that plaintiff gave the performance review only to her attorneys, it was directly relevant to her claim, she had a colorable basis to believe that the performance review would not have been disclosed during discovery, and the disclosure of the document was not disruptive because its disclosure did not threaten the operation of the company in any way.

In contrast, in O’Day v. McDonnell Douglas Helicopter Co., 79 F.3d 756 (9th Cir. 1996), the Ninth Circuit rejected the plaintiff’s age discrimination claim based upon plaintiff’s theft of documents he found by rummaging through files in his supervisor’s office on the night he was denied the promotion. “In balancing an employer’s interest in maintaining a ‘harmonious and efficient’ workplace with the protections of the anti-discrimination laws, we are loathe to provide employees an incentive to rifle through confidential files looking for evidence that might come in handy in later litigation. The opposition clause protects reasonable attempts to contest an employer’s discriminatory practices; it is not an insurance policy, a license to flaunt company rules or an invitation to dishonest behavior.” The Sixth Circuit reached a similar result in Niswander v. Cincinnati Ins. Co., 529 F.3d 714, 718 (6th Cir. 2008).

In sum, courts addressing employee self-help discovery in whistleblower cases have reached differing results across the country. This reality provides Companies with a cautionary message: don’t accept the theft of Company documents in violation of Company policies and agreements but tailor your approach to fit the employee’s specific claims and your jurisdiction’s discovery self-help laws. Courts in whistleblower cases have generally analyzed six factors to determine whether the self-help taking of Company confidential documents is reasonable: (1) how the documents were obtained; (2) to whom the documents were given; (3) the content of the documents; (4) whether the documents were produced in response to a discovery request; (5) the scope of the employer’s confidentiality policies/agreements; and (6) the necessity to preserve the evidence by the employee. As evidenced by Vannoy, special attention should be given to the employee’s specific potential whistleblower claims as certain claims such as SOX claims may provide protection to take Company documents (or at a minimum divulge Company information), particularly if such information is shared with the SEC. Companies should have broad and comprehensive confidentiality policies, which are widely communicated and uniformly enforced and specific care should be given to mark documents as confidential and limit confidential documents on a need to know basis. Careful screening of job candidates and the consistent use of effective entrance and exit interviews are essential. Companies should also consider using data protection software which provide alerts regarding large data transfers by employees, limits the size of data transfers, and blocks specified computer activities, including access to select websites, including file-sharing sites, and/or placing limits or restricting use of USB devices. Also depending upon the jurisdiction, employers may consider computer monitoring and extra technical safeguards to protect mission critical data.

For more information on this important topic, please see our previously recorded webinar entitled Employee Theft of Trade Secrets or Confidential Information in Name of Protected Whistleblowing. Also, see the Fairly Competing Podcast on the topic as well.

Today’s blog post is part of Seyfarth’s Workplace Whistleblower Microblog Series. You can sign up for the entire series here.

Overview.  Non-compete and non-solicitation covenants in an employment agreement are not enforceable unless the restrictions are supported by adequate consideration.  Illinois courts have held that there “must be at least two years or more of continued employment to constitute adequate consideration in support of a restrictive covenant.”  No reported decisions from other states are in accord.

The covenants and the lawsuit.  Premier acquired Fifield’s prior employer and insisted that he sign an employment agreement.  He did so on October 30, 2010 and went to work for Premier two days later.  Its standard agreement contained nationwide two-year non-compete and non-solicitation covenants with respect to anyone with whom Premier had a business relationship during the 12 months immediately prior to termination.  Before signing, however, Fifield negotiated an amendment to the effect that the covenants would not apply if he was terminated without cause in his first year of employment.  Four months after he began working for Premier, he resigned and joined a competitor.  He and his new employer filed a complaint in the Circuit Court of Cook County, Illinois, seeking a declaratory judgment that the covenants were unenforceable for lack of consideration.  In a counterclaim, Premier asked for an injunction enforcing the covenants. 

Trial court grants requested declaratory relief.  Premier maintained that, since the agreement was signed before Fifield came to work, the consideration was employment itself.  Further, Premier argued that Illinois court decisions invalidating restrictive covenants in the absence of employment for a substantial period of time were intended to protect employees against deprivation of their livelihood if they are hired and then precipitously fired, but this couldn’t happen to Fifield because he was protected if he was discharged without cause within one year.  Rejecting Premier’s contentions, the trial court granted the declaratory judgment sought by Fifield and his new employer.

The Appellate Court’s analysis.  The court of appeals affirmed.  It held that in Illinois, “[P]ost-employment restrictive covenants are carefully scrutinized . . . because they operate as partial” restraints on trade.  Absent other consideration, there must be continuous employment for at least two years.  The court deemed irrelevant the facts that (a) Fifield’s employment started after he signed the employment agreement, (b) he resigned rather than being discharged, and (c) he was protected for one year which is only one-half of the requisite two-year mandatory protection.

What Fifield teaches.  The traditional rule in a breach of contract case is that the law does not inquire into the adequacy of consideration, only its existence.  In the context of postemployment restrictive covenants, however, Illinois appellate courts hold that less than two years of employment is insufficient consideration; the Illinois Supreme Court has not yet opined.  Under Fifield, assuming no consideration — other than employment — for such restrictions, employers who want to enforce the covenants may have to retain employees for at least two years.  Indeed, an employee apparently could nullify the restrictions unilaterally simply by resigning earlier than the second anniversary of the agreement.  To avoid these results, employers should consider whether the unique facts of this case requires the tender of something else of value besides just the offer of new or continued employment as consideration for the covenants.  Please also see Ken Vanko’s amusing “dissenting” opinion on the Fifield decision.

We previously reported on H.B. 6658, which was introduced earlier this year in the Connecticut House of Representatives.  The Connecticut Legislature passed the legislation on the last day of the legislative session.  The final text of the Act, which was enacted as Public Act No. 13-309 and will go into effect on October 1, 2013 assuming the Act is signed by the governor, can be found here.

The Act provides that, in certain circumstances specified in the Act, a “noncompete agreement” (which is not defined in the Act) entered into, renewed, or extended on or after October 1, 2013 between an employer and employee is void, unless, “before entering into the agreement, the employer provides the employee with a written copy of the agreement and a reasonable period of time, of not less than seven calendar days, to consider the merits of entering into the agreement.”  Employees can waive the right provided under the Act if the waiver is reduced to a separate writing, sets forth the right being waived and is signed by the employee prior to entering into the agreement.

Because the Act represents the first time that Connecticut has enacted a non-compete statute of general applicability to all employees in the state (existing statutes apply only to security guards and broadcasters), the Act represents a significant development in Connecticut noncompete law.  Nevertheless, the Act contains a significant limitation: unlike earlier drafts of the legislation, the Act only applies when:

(1)        “an employer is acquired by, or merged with, another employer,” and

(2)        “as a result of such merger or acquisition an employee of the employer is presented with a noncompete agreement as a condition of continued employment with the employer.”

The final version of the Act also contains three other noteworthy departures from the draft bill.

First, a prior draft of the bill would have provided employees with a statutory basis for filing suit against employers who act in violation of the law (including recovery of damages and attorney’s fees).  The Act lacks this provision.

Second, a prior draft of the bill would have required employers to provide employees with “at least 10 days, and more if reasonable, to consider the merits of entering into the agreement.”  The final bill dropped the number from 10 to 7 days and omitted the vague “more if reasonable” language.

Third, a prior draft of the bill provided that the bill applies to “an agreement or covenant which protects an employer’s reasonable competitive business interests and expressly prohibits an employee from engaging in employment or a line or business after termination of employment.”  In contrast, the final version of the Act refers only to “a noncompete agreement” without further definition.  It is unclear whether the legislature intended the language in the final version to be shorthand for true noncompete agreements (i.e., agreements that “expressly prohibits an employee from engaging in employment or a line or business after termination of employment”) or whether they intended the term “noncompete agreement” to include other post-termination restrictive covenants, such as covenants not to solicit customers and employees.  However, given that the final version of the Act limited the scope of the original bill in most respects, it seems unlikely that the legislature intended to expand the scope of the Act to include restrictive covenants other than true noncompete covenants.

We will continue to monitor developments on this new law. In the meantime, any employers with operations in Connecticut should include compliance with this statute in any due diligence checklist for mergers or other acquisitions. For more information on this legislation or other non-compete or trade secret legislation, please see our recent webinar and podcast regarding the topic.

Nevada and Colorado recently passed employee social networking privacy laws. Both laws prohibit employers from requiring disclosure of employees’ or applicants’ personal social-networking account login information, and from retaliating against them for refusing to provide that information.  But one or both of these statutes are somewhat different from other states’ social networking laws in that:

  1. The Colorado law does not allow employees or applicants to sue employer for violations.  The law only permits employees to file complaints with the Department of Labor and Employment, which after investigation may fine or sue employers on employees’ behalves.  It does not appear that other parts of the Colorado labor / employment code authorize employee lawsuits.
  2. Similarly, it is unclear what remedies Nevada employees and applicants have under that state’s new law.  The social media statute itself says nothing about remedies, even though its companion law passed at the same time – which prohibits mandatory employee credit information disclosure – does contain specific administrative remedies for employer violations.  Perhaps employees will be able to file complaints with the Nevada Equal Rights Commission under NRS 233, but that is unclear, and if that were the case, their remedies seem to be limited to cease-and-desist orders, reinstatement, and back pay and benefits.  Perhaps the law will be amended prior to its 10/1/13 effective date to clarify its remedies.
  3.  The Nevada law has no exceptions for employer investigations.  It only says that it does not prohibit mandatory disclosure of non-personal-social-media account or device passwords in order to access employer-owned devices and networks.  The Colorado law, on the other hand, contains the carve-outs and exceptions we see in other states’ social media laws regarding employer investigations into alleged employee misconduct, proprietary- or financial-information theft, violations of other law, for compliance purposes, and lawful personnel-policy enforcement.

In addition, both of these laws have the same problems as most other social-media laws in effect:  though they both prohibit mandatory disclosure of ‘personal’ SM account logins and information, neither defines ‘personal account.’  We’ve blogged a number of times on these definition gaps in the other SM privacy laws, as well as on the cases which say that the employer ‘owns’ its employee’s SM account content, at least where the employer required SM account usage and assisted in the account’s development, maintenance, and monitoring.  An employer may be able to circumvent the law by requiring new or existing SM account usage and maintenance as a condition of employment, even though employees may use such accounts for personal reasons as well.  Legislatures would do well to clarify the difference between ‘personal’ and ‘employment-related’ accounts.

The Obama Administration recently issued its 2013 Joint Strategic Plan on Intellectual Property Enforcement, building on the Joint Strategic Plan issued three years ago. In its 88 pages, the 2013 Plan outlines steps for federal agencies to take over the next three years to combat “[IP] infringement that has a significant impact on the economy, the global economic competitiveness of the United States, the security of our Nation, and the health and safety of the American public.”

U.S. Intellectual Property Enforcement Coordinator, Victoria Espinel, lauds “a number of accomplishments” achieved since the first Plan (pp. 1-3): increased law enforcement activity against infringers in terms of investigations and seizures; enactment of legislation heightening the penalties for trade secret theft and counterfeit drug trafficking; private sector companies’ adoption of “best practices” for curbing online piracy and the sale of counterfeit goods; and negotiations of agreements with trading partners for greater protection and enforcement abroad.  She notes that “the Administration will continue to improve upon these efforts” to protect an industry that in 2010 reportedly accounted for more than one-third of the U.S. gross domestic product, 60 percent of all U.S. experts, and more than 27 million jobs. She then focuses on three specific issues for ongoing discussion (pp. 5-7): “troubling patent litigation tactics that present a significant and growing challenge to innovation”; “efforts by foreign governments to condition market access or the ability to do business on the transfer of trade secrets or proprietary transfer” (“forced technology transfer”); and the challenges and opportunities presented by “trends and innovations” such as “cloud computing, mobile computing… and 3D printing.”

The heart of the 2013 Plan includes 26 specific action items, divided into six goal-oriented categories, to guide the agencies through 2016 and beyond. These items and goals include:

  •          Leading by Example (pp. 13-15): secure the U.S. Government supply chain against counterfeits; and ensure the Government’s software use complies with its license agreements.
  •          Improving Transparency and Public Outreach (pp. 15-19): increase openness in enforcement policy-making and international negotiations; maintain communications between federal law enforcement and IP stakeholders; organize an interagency group to evaluate issuance of exclusion orders by the International Trade Commission; educate authors about the fair use doctrine; and raise public awareness both here and abroad of the dangers of counterfeiting and piracy.
  •          Ensuring Efficiency and Coordination (pp. 19-25): increase cooperation of federal, state, and local law enforcement; organize an interagency group to identify new technology for use in border enforcement and other areas; continue the work of key U.S. Embassy IP Working Groups and diplomatic officials abroad; coordinate agencies in the delivery of IP-related training and capacity-building programs to foreign judges and other authorities; and consider the institution of copyright and patent small claims court proceedings.
  •          Enforcing Our Rights Abroad (pp. 25-34): expand partnerships between federal law enforcement and international counterparts; strengthen enforcement through international programs such as the World Customs Organization’s Cargo Target System; leverage trade policy tools such as Special 301 reviews of the IP protection schemes of trading partners; combat infringing foreign-based and foreign-controlled websites; ensure the continued protection of IP at ICANN as new generic top-level domains are implemented; educate and support small and medium-size enterprises in foreign markets; and study the nexus between counterfeiting activities and unacceptable labor conditions.
  •          Securing the Supply Chain (pp. 34-39): support efforts to expand the information-sharing authority of the Department of Homeland Security and Customs and Border Patrol; work with international postal operators and private sector-based express carriers to better identify shipments of counterfeit goods; encourage voluntary initiatives in the private sector to curb online IP infringement and illegal internet pharmacies; and combat counterfeit pharmaceuticals and medical devices through track-and-trace systems and destruction of counterfeits.
  •          Creating a Data-Driven Government (pp. 40-41): coordinate an interagency review of existing legislation, to be completed within 120 days of submission of the 2013 Plan; issue annual reports on the number of jobs and percentage of GDP attributable to IP, with the next such report due in December 2013; and issue annual reports on the agencies’ expenditure of resources for IP enforcement.

One blogger at BNA Bloomberg has generated a comparison of these action items with those listed in the 2010 Plan. There are seven new proposals in the 2013 Plan, including the one for consideration of small claims proceedings in patent and copyright matters and the one for examination of labor conditions associated with infringing goods.

The remainder of the 2013 Plan focuses on the recent major enforcement activities of the individual agencies (pp. 43-86), including the U.S. Patent and Trademark Office, U.S. Copyright Office, International Trade Administration, Commercial Law Development Program, Department of Homeland Security, Department of Health and Human Services, Department of Justice, and U.S. Trade Representative.

The 2013 Plan was issued on the heels of another report late last month by the Commission on the Theft of American Intellectual Property, an advisory group formed to provide recommendations to the U.S. Congress. The 89-page report outlines the staggering blow that IP theft deals to the American economy, roughly $300 billion worth of damage per year, with 50 to 80 percent of the blame attributed to theft originating in China. The report also outlines various measures that the U.S. Government may take to remedy the situation, and while some bloggers (see her­­e and here) cheered these recommendations, the report was largely criticized by others (see here, here, and here) who could not get past two paragraphs in the report (p. 81); the Commission recommended the potent­­­ial use of certain files — dubbed “ransomware” by the latter group — to “recover or render inoperable intellectual property stolen through cyber means.” Notably, the Commission recommends the creation of a private civil cause action for trade secret theft under the Economic Espionage Act.

The 2013 Plan does not address trade secrets in any great detail which is a bit of a surprise as IPEC published a Notice in the Federal Register soliciting public comments for a legislative review related to economic espionage and trade secret theft earlier this year as part of the “five point plan” intended to combat the theft of U.S. trade secrets. One explanation may be that the two plans have different focuses. The ABA IP Section and AIPLA, as well some legal commentators (e.g. John Marsh, Peter Toren, Ken Vanko and Seyfarth’s Robert Milligan), have come out in support of creating a civil claim in federal court for trade secret theft in some form. Hopefully, we will see more from the Administration on the trade secrets front later this summer to address trade secret theft, particularly by foreign governments, companies, or individuals or for their benefit.

We will continue to monitor developments the Administration and others take in the war against IP theft worldwide with a focus on trade secret protection.

By Robert Milligan and Joshua Salinas

Representative Zoe Lofgren (D- CA) has been very active in the technology and innovation legislation space of late. Last week, Representative Lofgren and Senator Ron Wyden (D-OR) formally introduced companion bills, nicknamed “Aaron’s Law,” in the House and Senate seeking to amend the Computer Fraud and Abuse Act. Almost unnoticed was the fact that Representative Lofgren also introduced last week a potentially significant bill that would provide a private civil claim for trade secrets theft under the Economic Espionage Act (“EEA”).

Specifically, Representative Lofgren introduced H.R. 2466, which is titled “Private Right of Action Against Theft of Trade Secrets Act of 2013” (“PRATSA”). Similar to the PATSIA legislation that was proposed last year, PRATSA provides a private civil action for trade secrets theft by amending the EEA.

PRATSA is much for simpler than PATSIA, however, and adds only the following two subsections to 18 U.S.C. Section 1832:

‘(c) Any person who suffers injury by reason of a violation of this section may maintain a civil action against the violator to obtain appropriate compensatory damages and injunctive relief or other equitable relief. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.

‘(d) For purposes of this section, the term ‘without authorization’ shall not mean independent derivation or working backwards from a lawfully obtained known product or service to divine the process which aided its development or manufacture.’

Section 1832 presently provides:

(a) Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly–

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;

(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;

(4) attempts to commit any offense described in paragraphs (1) through (3); or

(5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy, shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.

(b) Any organization that commits any offense described in subsection (a) shall be fined not more than $5,000,000.

PRATSA has some key distinctions from PATSIA:

(1) it does not require a complaint describing in specificity reasonable secrecy measures or a declaration regarding the substantial need for nationwide service of process or misappropriation of trade secrets from the United States to another country;

(2) it does not provide for civil ex parte seizure orders;

(3) the statute of limitations is two years, not three;

(4) it provides for a more narrow civil claim by just providing a claim for a violation of Section 1832 rather than a violation of Section 1831 or a stand-alone misappropriation claim (e.g. a misappropriation of a trade secret that is related to or included in a product that is produced for or placed in interstate or foreign commerce); and

(5) it does not provide for a comprehensive list of remedies such as exemplary damages or attorneys’ fees.  

These deviations may help PRATSA where PATSIA struggled as some members of the legal community contested some of PATSIA’s provisions, including the definition of nationwide service of process and the scope and procedures regarding ex parte seizure orders.

It is important to recognize that by amending the EEA, PRATSA may inherently lead to conflicts with state trade secret laws. In particular, Section 1838 provides that the EEA “shall not be construed to preempt or displace any other remedies, whether civil or criminal, provided by United States Federal, State, commonwealth, possession, or territory law for the misappropriation of a trade secret….” Thus, a trade secret holder could potential bring claims under both their state’s respective trade secret laws and the EEA.

One benefit of PRATSA is that it attempts to resolve a deficiency under the current EEA. Specifically, PRATSA expressly exempts “reverse engineering” from violation of Section 1832. While the legislative history of the EEA suggests that traditional defenses available in a civil action for theft of trade secrets are equally applicable to a criminal violation, the EEA’s lack of specific language providing for a reverse engineering defense has troubled some commentators because the statute arguably implicates certain reverse engineering activities previously thought to be lawful. Regardless of its amendment for a private civil claim, PRATSA’s reverse engineering exemption will provide clarity to the existing statute.

Finally, one important implication of providing a private civil claim under the EEA is the extraterritoriality provision in Section 1837, which provides that the EEA also applies to conduct occurring outside the United States if the offender is a (a) citizen or permanent resident alien of U.S., or (b) organization organized under U.S. law. This may strengthen companies’ abilities to protect against trade secrets theft to or for foreign individuals, companies or governments provided either of these above requirements are satisified. In the criminal context, however, prosecutors have recently struggled in effectuating service of process over foreign companies under the Federal Criminal Rules of Procedure. Accordingly, additional modifications may be needed to this proposed legislation to ensure that it adequately addresses the threat posed to U.S. companies by foreign trade secret theft.

After a first reading of the proposed bill and recognizing it is likely a work in progress, we like PRATSA, particularly if it is modified to include Section 1831 claims in addition to Section 1832 claims (as well as possibly a stand-alone misappropriation claim), appropriate remedies (e.g. exemplary damages and attorneys’ fees), and it more adequately addresses trade secret theft by foreign actors. Its simple approach may contribute to its success. It left alone a lot of the hotly debated provisions from PATSIA upon which many legal commentators were unable to reach an agreement. Yet, PRATSA’s true value lies in its potential to provide a private civil claim for trade secret theft in federal court which may have certain advantages over state court, such as the ability to obtain discovery through the federal subpoena power and the potential to more adequately address trade secret theft by foreign individuals, companies, or governments.

By Robert Milligan and Grace Chuchla

Earlier this year, we blogged on federal legislative efforts to amend the Computer Fraud and Abuse Act (“CFAA”) following the death of computer activist Aaron Swartz.  These efforts were spearheaded by Representative Zoe Lofgren (D-CA), who released her discussion draft of proposed amendments to the CFAA on January 15, 2013 on Reddit.  Lofgren’s January draft sought to modify the definition of “exceeds authorized access” so that those who only violate, for example, a computer use policy or internet terms of service cannot be held liable under the CFAA.

On Thursday, June 20, Representative Lofgren and Senator Ron Wyden (D-OR) formally introduced companion bills in both the House and Senate seeking to amend the CFAA.  According to Senator Wyden’s website, these amendments seek to eliminate “vagueness” and “redundant provisions” from the CFAA and “establish that a mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA.”  Additionally, with the nickname “Aaron’s Law,” they also seek to limit what some see as the CFAA’s tendency to allow for overzealous prosecution that they claim characterized Aaron Swartz’s case.

As before, both bills seek to clarify the meaning of  “exceeds authorized access” by striking it and replacing it with the phrase “access without authorization,” which is defined to mean

a) “to obtain information on a protected computer”;

b) “that the accesser lacks authorization to obtain”; and

c) “by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” 

Both bills also propose amendments to the definition of punishable offenses under the CFAA by inserting a requirement that offenses committed for commercial advantage or private financial gain must also involve information that has a market value over $5,000.  

Lofgren and Wyden said in their opinion piece for Wired that, “Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks.”

Opinions are split on how successful these proposed amendments will be.  On the one hand, previous efforts to amend the CFAA in April 2013 failed after  there was significant opposition from both the left and the right.  Those proposed amendments to the CFAA, however, are not similar to what is currently in front of Congress.  The Justice Department has previously been against amendments to the CFAA that would significantly narrow the Act’s scope. It recently obtained the conviction of David Nosal under the CFAA in San Francisco, California (the conviction has been appealed to the Ninth Circuit). Additionally, Richard Downing, Deputy Section Chief for Computer Crime and Intellectual Property, told the House in 2011 that removing key parts of the CFAA “could make it difficult or impossible to deter and punish serious threats from malicious insiders.”

BSA Software Alliance has come out against the proposed legislation, arguing that it would force companies to build additional security mechanisms into their networks and systems to adequately protect them from unauthorized parties. “Everyone agrees that lying about your age on Facebook shouldn’t be a felony, but Aaron’s Law is a flawed solution to that problem,” Tim Molino, BSA’s director of government relations, reportedly said in a statement. “Tying liability to theft that involves ‘knowingly circumventing technological or physical measures’ is out of step with the technology innovations driving today’s economy. It would compel many companies to erect new technical protection measures throughout their networks and support systems, reversing a trend that has contributed the growth of cloud computing, software as a service, and on-demand support.” 

Additionally, with the highly publicized omnipresent cybersecurity threat and recent high profile employee data theft cases, there may not be significant momentum to drastically change the CFAA, particularly with the Obama Adminstration focused on addressing the cybersecurity threat. Echoing those sentiments, Molino reportedly said the bill is “especially troubling at a time when hacking and intellectual property theft are rampant — weakening cybercrime laws would be like handing out keys to the castle.”

On the other hand, however, advocacy groups have come out in vocal support of Lofgren’s and Wyden’s bills.  The Center for Democracy and Technology and Demand Progress have both issues recent statements applauding Aaron’s Law for “prevent[ing] the government from using the Computer Fraud and Abuse Act (CFAA) to prosecute mere terms-of-service violations as computer crimes, and prevent prosecutors from bringing multiple redundant charges based on a single crime.” Further, the Electronic Frontier Foundation has also been a vocal supporter of the proposed amendments, stating that, “(t)he CFAA was originally intended to cover the hacking of defense department and bank computers, but it’s been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. We’ve written extensively about the need for CFAA reform and Aaron’s Law is a great first step.” Additionally, with the recent NSA and Snowden kerfuffle, there may be public support for limitations on the CFAA, including limiting its use for pure hacking scenarios.

How this will play out is anyone’s guess.  What started with a circuit split after the Ninth Circuit’s decision in U.S. v. Nosal has grown into a hot-button topic for everyone from civil rights activists to technology lobbying organizations to employers looking to protect their data.  Stay tuned for updates as the saga unfolds. 

By Erik Weibust and Ryan Malloy

You may recall that we previously reported on Advanced Micro Devices, Inc. v. Feldstein, et al., C.A. No. 13-40007, in which Judge Timothy S. Hillman of the U.S. District Court of Massachusetts granted a preliminary injunction against three former employees of Advanced Micro Devices (AMD) who allegedly stole trade secrets from the plaintiff, without requiring a showing that the defendants actually used that information for the benefit of a competitor.

In the same case, Judge Hillman has now ruled that AMD company cannot sue former employees under the Computer Fraud and Abuse Act (CFAA) for downloading proprietary information onto personal devices before they left to work for a competitor without establishing that the employees had fraudulently or unlawfully accessed the information. 

As noted in the previous blog entry, AMD is a designer and manufacturer of microprocessors and other computer parts.  Defendants are former AMD employees who left AMD and were hired by AMD’s competitor, Nvidia Corp.  According to AMD, three of the defendants copied proprietary data from AMD-owned storage devices onto their own thumb drives and external hard drives while still employed by AMD, and retained the information after they left.  Last January, AMD sued the defendants in U.S. District Court and asserted a claim for violation of the CFAA against the three defendants who allegedly copied proprietary data. 

Although Judge Hillman declined to dismiss AMD’s CFAA claim with prejudice, citing an “incomplete” evidentiary record, he nevertheless adopted a narrow definition of the term “authorized access” under the CFAA by requiring a showing that defendants acted with fraud or deception.  Specifically, Judge Hillman found that AMD’s allegations were insufficient to sustain a CFAA claim under a narrow interpretation of the statute, but permitted AMD to re-plead specific details indicating that some or all of the defendants used fraudulent or deceptive means to obtain confidential AMD information, and/or that they intentionally defeated or circumvented technologically implemented restrictions to obtain confidential AMD information.

In contrast, the broad definition of “authorized access” that has been adopted in other jurisdictions defines access in terms of use.  Under this approach, any time an employee breaches a contractual obligation or a fiduciary duty to its employer, then the employee’s authorization to access information on the employer’s system terminates and all subsequent access is considered unauthorized.  Noting that courts have taken conflicting approaches to the definition, Hillman warned:

[I]f this court were to adopt a broad interpretation of the term of art ‘access that exceeds the scope of authorization’ then arguably any violation of a contractual obligation regarding computer use [such as idle Internet browsing] becomes a federal tort … As between a broad definition that pulls trivial contractual violations into the realm of federal … penalties, and a narrow one that forces the victims of misappropriation and/or breach of contract to seek justice under state, rather than federal law, the prudent choice is clearly the narrower definition.

Defendants’ motion to dismiss was also denied as to all other claims, except for AMD’s claim for unfair competition under Mass. Gen. Laws ch. 93A, section 11, on the ground that defendants correctly asserted the “inter-enterprise” exception to the statute

The U.S. Attorney’s Office in New Jersey recently charged a former employee with stealing trade secrets from a New Jersey medical technology company. 

The former employee, an Indian national, worked in a group at his former employer responsible for the manufacture of pen injectors and pre-fillable syringes.  He resigned from the company last month, and in the weeks leading up to his resignation, “allegedly downloaded 8,000 files containing step-by-step assembly instructions and invoices for equipment to create self-administered disposable pens.”  According to the company’s own internal probe, he also “forwarded about 60 documents containing trade secrets from his work email account to one of his personal email accounts.”  He also allegedly called in sick the day before he resigned, but he was “busily downloading” company files using his work laptop, the complaint says.

Company representatives noticed the suspicious downloads and the authorities were alerted. The FBI then executed a search warrant for his hotel room, where he was staying prior to returning to India. The FBI seized hard drives, computer storage devices, and computers. The employee also informed agents of his plans to return to India in the next couple days. The agents also discovered evidence that he may have intended to use the trade secrets in future employment, including “a résumé and an ‘entrepreneurial finance book.’” According to FBI Agent Laurie A. Allen, “The numerous documents containing BD trade-secret information downloaded by defendant Maniar collectively constitute a veritable tool-kit for mass producing the disposable pen,” Allen said.  This stolen information could be used to set up a competing business.

The U.S. Attorney’s Office has charged the former employee with theft of trade secrets for his own economic benefit, and if convicted, he could face up to 10 years in prison and a $250,000 fine.  The employee has also been sued by his former employer in civil court for trade secret misappropriation in violation of New Jersey’s Trade Secrets Act.  The criminal case against the employee was temporarily placed on hold by Magistrate Judge Steven Mannion on Thursday June 12, as plea negotiations are currently in progress. 

The case highlights the growing use of criminal prosecution as a tool to dissuade theft of trade secrets. The case also highlights the importance of monitoring employee access to secure company databases and limiting access to important data to a need know basis. Furthermore, companies should consider using additional preventive means to prohibit employees from stealing trade secrets, such as configuring computers to restrict access to external devices, blocking a user from uploading information to a web-based site, and/or utilizing software that blocks employees from sending emails to certain domain names and either highlights or restricts the amount of data that can be sent out by a user. In an era in which data is becoming increasingly portable, companies must increase their vigilance in monitoring the use and export of their data and trade secrets.

We will continue to keep you posted as this case progresses.

While most NBA fans have been focused on the recently-concluded championship series between the Miami Heat and the San Antonio Spurs, those of us in Boston have been keeping a close eye a different NBA story (to the extent we’re not focused entirely on the Bruins’ Stanley Cup run):  What will become the fate of beloved coach Doc Rivers, who helped bring a 17th championship to Boston after 22 long years? A press conference with Rivers and president of basketball relations Danny Ainge scheduled for this afternoon was abruptly cancelled and postponed until Monday.

Rivers has indicated his desire to leave the team, and the Celtics seem willing to oblige.  There is one major issue getting in the way, however, and that is the fact that Rivers’ contract with the Celtics (which has three years and $21 million remaining) contains a non-compete clause that prohibits him from coaching for another team without the Celtics’ consent.  This is different, and far more restrictive, than most NBA coaches’ contracts, which permit teams to negotiate compensation for coaches to switch teams before their contracts expire.  The non-compete clause in Rivers’ contract also gives the Celtics far more leverage, and the ability to demand substantial compensation from any team who wishes to employ Rivers.  Hence the on-again-off-again talks between the Celtics and the Clippers, in which the Celtics have allegedly demanded star players and the Clippers don’t seem inclined to part with any decent players or draft picks (although recent reports indicate that the talks are, perhaps, on again). 

Of course, no team wants a disgruntled coach on its sideline, so there is little doubt that a deal will get done.  Celtics fans can only hope that, unlike former Red Sox general manager Theo Epstein (who the team allowed to leave for the Chicago Cubs in exchange for an injured relief pitcher and the promise of a “player to be named later”), the Celtics hold out for real compensation so that they can begin the process of rebuilding.

We could go into how this relates to your business, but Ken Vanko and Eric Ostroff have already done that in two very informative blog posts of their own.  We’ll just stick to sports for this one.