On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA).  In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.

The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA.  Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.

Nosal’s Points

Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I).  Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets.  As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.”  In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.

This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime.  Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement).   Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.

U.S. Government’s Arguments

On the other side of the spectrum lie the government’s arguments.  Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA.  Such a broad interpretation was met with raised brows from the members of the judicial panel.

Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brekka case.  Per Brekka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway.  In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing.  After receiving some push-back from the panel after making such an argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.

With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time.  Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value from not being generally known by the general public.

Possible Outcomes for Nosal and Beyond

Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic.  In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case.  In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use.  At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.

Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument.  As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit.  The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.

As the 2016 presidential race moves into the debate phase, one issue sure to get more and more attention is the proposed Trans Pacific Partnership (“TPP”).  In simplest terms, the TPP is a proposed trade agreement between twelve Pacific Rim countries, including the United States, concerning a wide variety of matters of economic policy.  Together, the countries account for 40 percent of world economic output.  After years of negotiations, an agreement was recently reached on October 5, 2015 after marathon talks in Atlanta, Georgia.

Before negotiations ever began, each of the TPP countries signed confidentiality agreements promising to maintain the secrecy of the negotiations, including the specific terms and provisions being debated.  As a result, even though a “deal” has been reached, the exact terms of that deal remain a mystery.  That said, before the TPP can become official, the text of the agreement has to be signed and ratified in accordance with the procedures of each of the twelve countries involved.  In the United States, that means Congress must accept or reject the TPP within 90 legislative days once the deal is formally submitted for review.  According to Politico, many expect Congress to vote on the bill either during the Summer of 2016 or in the lame-duck session after the 2016 elections.

The final terms of the TPP will obviously need to be provided to Congress before any vote can be taken.  In the meantime, however, WikiLeaks has been publishing purported “drafts” of the TPP on a regular basis since 2013.  According to these leaked materials, the TPP will include a chapter on intellectual property covering copyright, trademarks, and patents, as well as trade secrets.  These disclosures are consistent with a public statement from the Office of the United States Trade Representative, indicating that each of the TPP countries has agreed that they will “provide strong enforcement systems, including, for example, civil procedures, provisional measures, border measures, and criminal procedures and penalties for commercial-scale trademark counterfeiting and copyright or related rights piracy. In particular, TPP Parties will provide the legal means to prevent the misappropriation of trade secrets, and establish criminal procedures and penalties for trade secret theft, including by means of cyber-theft […].”

One recently leaked “draft” of the TPP includes language requiring TPP signatories to follow the trade secret language found in the Agreement on Trade Related Aspects of Intellectual-Property Rights (commonly referred to as “TRIPS”), which is essentially the same as the trade secret language in the Uniform Trade Secret Act.  The leaked documents also indicate that the TPP will move many aspects of trade secrecy into the realm of criminal law, which would obviously be a fairly fundamental change to the focus of current trade secret law, where it is generally treated as a purely civil matter.  That said, only when the “official” TPP is finally revealed will we be able to analyze its actual terms.  Based on the leaked versions, though, several groups have already begun publishing highly critical commentaries on the TPP’s various proposals for handling intellectual property rights.

It will also be extremely interesting to see how the TPP’s provisions regarding trade secrets interact with the proposed Federal Trade Secret Legislation recently introduced in the United States’ House and Senate.  For more on that, please follow this link to Seyfarth’s ongoing updates.  Suffice it to say, 2016 is already shaping up to possibly be a watershed year for trade secret legislation on multiple fronts.

The Utah Supreme Court recently issued a significant decision laying out a presumption of harm evidentiary standard in trade secret cases, which will be very useful for plaintiffs seeking injunctive relief in cases involving trade secret and breach of non-disclosure claims. InnoSys v. Mercer, 2015 UT 80 (August 28, 2015).

The trade secret battle involved a defense industry-focused technology company, InnoSys, Inc., and its former engineer, Amanda Mercer.

InnoSys alleged that Mercer violated a non-disclosure agreement she signed at the time of hire, which memorialized her promise not to copy or transmit any company-protected information.  InnoSys further alleged that Mercer engaged in misappropriation of trade secrets when she sent company information and a confidential company business plan to her personal email account and downloaded it onto a personal thumb drive and used the information in an administrative unemployment hearing following her dismissal from InnoSys.

In district court, Mercer prevailed on her motion for summary judgment based on the determination that InnoSys had not met its burden of showing that Mercer’s acts amounted to actual, irreparable harm.  As a result, InnoSys was slapped with sanctions under Federal Rule 11 and Mercer recovered her attorney’s fees under Utah state law.

The Utah Supreme Court reversed the district court in a 3-2 decision, asserting that “Mercer’s disclosures [of InnoSys’ confidential information] at least arguably sustain[ed] a presumption of harm to InnoSys.”

First, the Court reasoned that InnoSys “at least arguably” asserted a prima facie case of misappropriation of trade secrets under the Utah Uniform Trade Secret Act (UTSA).  Under the UTSA, a prima facie case of misappropriation is established on the basis of two elements: 1) existence of a protectable trade secret by a plaintiff; and 2) demonstration of misappropriation by a defendant. Utah Code § 13-24-2.  The Court found that the business plan and other confidential information indisputably were trade secrets because they derived independent economic value from not being generally known by others.  In determining whether Mercer was entitled to judgment as a matter of law on this issue, the Court reasoned that InnoSys arguably made a prima facie showing of infringement under the UTSA and under its claim of breach of the non-disclosure agreement, which showing sustained a presumption of irreparable harm.

Second, the Court noted undisputed evidence of misappropriation on the summary judgment record, which included proof of unlawful disclosure and unlawful acquisition.  Only a showing of one is necessary under the UTSA.  Id. § 13-24-2(2)(a), (b).  Mercer’s transmission of company information from the company system to a personal email account and thumb drive coupled with her subsequent use of that information in an administrative proceeding “at least arguably amount[ed] to misappropriation” under the UTSA, the Court concluded.  Moreover, the UTSA provides no basis for a defense to the unauthorized disclosure of a trade secret, no matter the circumstances.  Therefore, Mercer had no reasonable basis grounded in the UTSA to disclose company information in the way she did to the administrative body during her proceeding; such a lack of a defense further supported InnoSys’ prima facie showing.

The Court reasoned that InnoSys was able to withstand Mercer’s motion for summary judgment because its prima facie showing gave rise to a rebuttable presumption of irreparable harm, to which Mercer provided no rebuttal.  The court further discussed the presumption of irreparable harm upon the showing of misappropriation, noting that trade secrets, as property rights, are protected by such a legal presumption.  Any trespass on such a right is subject to injunctive relief to “vindicate that right and prevent future harm.”  The Court emphasized that such a presumption is “rarely questioned,” and exists as strong precedent in trade secret law.

The Court later analyzed how Mercer failed to rebut the presumption of irreparable harm.  The Court considered the possibility, given expert testimony supporting such a hypothesis, that Mercer kept other copies of the confidential information elsewhere, despite deleting some documents in the presence of her sister and attorney.  If she did not harbor such information, the issuance of an injunction would harm her little; if she did harbor the information with the intention to further harm InnoSys, then the injunction would be priceless for InnoSys.  In other words, issuing an injunction in favor of InnoSys at the very least would protect it from any fathomable future disclosure by Mercer, with little harm to her.

Even without the presumption, the Court stated that InnoSys provided actual evidence of threatened harm, which would allow its claim to survive summary judgment.  This actual evidence included a showing of Mercer’s use of a web-based personal email account to access InnoSys’ trade secrets.  Transmission of protected company information to an email server not bound to any confidentiality agreement nor capable of ever actually deleting a message, InnoSys argued, amounted to an ongoing threat of harmful disclosure.  Further, the Court noted that Mercer could go and re-access her administrative hearing file, which contained the trade secret information at issue.  Moreover, Mercer’s recurring inconsistent statements made throughout the history of the case undermined her credibility and introduced a “core genuine issue as to her supposed intent to reform and never again harm InnoSys.”

Regarding the breach of the non-disclosure agreement claim, the presumption of irreparable harm in and of itself, the Court noted, was enough to sustain InnoSys’ prima facie case.  The court reversed the summary judgment on the breach of fiduciary duty claim and attorney’s fees as well for the reasons outlined above, and others.  In sum, the Court held that because Mercer made no attempt to rebut the presumption of irreparable harm to InnoSys, the district court’s grant of summary judgment, Rule 11 sanctions, and attorney’s fees was improper.

The majority opinion, authored by Associate Chief Justice Lee (“ACJ Lee”), acknowledged the dissent’s arguments several times throughout the opinion.  Perhaps most interestingly, the dissent asserted that Mercer was entitled to summary judgment because InnoSys failed to show an actual threat of future harm by Mercer.  ACJ Lee directly addressed this argument, noting that it fell short on two grounds: 1) the issue it raised was not preserved; and 2) Mercer’s deletion of emails failed to rebut the presumption of irreparable harm.  Regarding the former, ACJ Lee noted that Mercer’s entire argument was that InnoSys never produced evidence of actual or threatened harm; meaning, InnoSys never showed the economic impact following Mercer’s disclosures.  Such failure to produce was not enough to affirm a summary judgment ruling, in the majority’s opinion.  As to the latter issue, the ACJ recalled that a defendant claiming that her voluntary compliance moots a case bears “a formidable burden of showing that it is absolutely clear the allegedly wrongful behavior could not be reasonably expected to occur.”  The dissent argued that the fact that Mercer deleted all of the confidential information from her email was undisputed and that InnoSys failed to produce evidence that she would be a future threat of harm, but the majority disagreed because it assumed facts not made of record and gave the benefit of the doubt to the wrong party, the movant.  The majority continued that Mercer failed to meet the aforementioned formidable burden because her acts of deletion could be construed as self-serving and not enough to defeat summary judgment.

Takeaways

This case provides a significant evidentiary tool to plaintiffs who have evidence of illicit data transfer despite claims by the defendant that the data has subsequently been deleted and/or that there has been no harm to the plaintiff. Additionally, the case underscores the importance for trade secret victims to conduct thorough computer forensic investigations to uncover evidence of data misuse to support their claims.

For Dumpling Daughter and its newly opened rival Dumpling Girl, things are heating up in the kitchen and the courtroom, as reported by the Boston Globe, after the former filed a lawsuit in federal court in Boston asserting a host of claims against Dumpling Girl and its three owners, including misappropriation of trade secrets, unfair competition, trademark infringement, conversion, and unjust enrichment.

Dumpling Daughter claims that the individual defendants, two of whom are former Dumpling Daughter employees, opened a virtually identical restaurant using Dumpling Daughter’s confidential and proprietary recipes, a nearly indistinguishable menu, and “ordering, check-out, food preparation, and food delivery operations” that are likewise identical to Dumpling Daughter’s.  The complaint alleges that Dumpling Girl’s actions have already confused several Dumpling Daughter clients, who have asked the latter’s owner if she is opening a new restaurant where Dumpling Girl is currently located (and in fact, the complaint attaches documentary evidence of such queries from customers).

The verified complaint also attaches the aforementioned menus, which bear more than a mere resemblance: in fact, Dumpling Girl’s menu is a near duplicate of Dumpling Daughter’s menu.  By way of example, the descriptions for the restaurants’ respective pork ramen dishes are nearly verbatim.  Dumpling Daughter’s description reads:

NOT the instant kind!!!!!!!!  Classic pork broth, fresh ramen noodles, pork belly, soft egg, bamboo red pickled ginger, kombu seaweed, scallions.

In contrast, Dumpling Girl’s pork ramen dish is described as follows:

NOT the instant kind!!!!!!!!  Classic pork broth, fresh ramen noodles, pork belly, soft egg, bamboo red pickled ginger kombu seaweed, scallions.

The only changes in Dumpling Girl’s description are one fewer exclamation point and a missing comma.  Nearly every other menu item is similarly alike.  With these striking similarities (which, when taken cumulatively, no reasonable person could claim are mere coincidences), it seems like Dumpling Girl will have an uphill battle proving to the court that its restaurant is not merely a carbon copy of Dumpling Daughter.  Further compounding Dumpling Girl’s plight are alleged admissions by its employees that the purpose of the restaurant is to copy Dumpling Daughter’s concept, and their alleged attempts to hire Dumpling Daughter’s vendor to manufacture dumplings and buns using Dumpling Daughter’s exact recipes.

Of course, to prevail on its misappropriation claim, Dumpling Daughter will have to prove to the court that its recipes are trade secrets; while we frequently see client lists and highly technical inventions as the alleged trade secrets in misappropriation cases, there’s no reason why recipes can’t be trade secrets under the right circumstances.  In fact, an oft-cited Massachusetts case, Peggy Lawton Kitchens, Inc. v. Hogan, 18 Mass. App. Ct. 937 (1984), held that a chocolate chip cookie recipe constituted a trade secret.  Accordingly, Magistrate Judge Donald Cabell will likely consider the following six-factor test utilized by Massachusetts courts in determining whether Dumpling Daughter’s recipes are trade secrets:

  1. The extent to which the information is known outside of the business;
  2. The extent to which the information is known by employees and others involved in the business;
  3. The extent of Dumpling Daughter’s measures to guard the information’s secrecy;
  4. The information’s value to Dumpling Daughter and its competitors;
  5. The amount of effort or money Dumpling Daughter spent to develop the information; and
  6. The ease or difficulty for others to properly acquire or duplicate the information.

Given the complaint’s many allegations regarding the secrecy with which Dumpling Daughter protected the restaurant’s recipes and the time and expense its owner devoted to their development, the court very well may determine that the recipes are indeed trade secrets, assuming discovery supports these allegations.

Thus far, Dumpling Girl has not responded to the suit, and it remains to be seen whether it will get its just desserts.  Stay tuned for the outcome of this delicious dispute.

Social media and related issues in the workplace can be a headache for employers. There is no denying that social media has transformed the way that companies conduct business. In light of the rapid evolution of social media, companies today face significant legal challenges on a variety of issues ranging from employee privacy and protected activity to data practices, identity theft, cybersecurity, and protection of intellectual property.

On Tuesday, October 27, 2015 at 10:00 a.m. Central, Robert B. Milligan, Daniel P. Hart and Joshua Salinas will present the eighth installment in its series of Trade Secrets Webinars. They will discuss their recently released Social Media Privacy Legislation Desktop Reference and address the relationship between trade secrets, social media, and privacy legislation.

The Seyfarth panel will specifically address the following topics:

  • Discussing recent and proposed employee privacy legislation, and how it may impact policies dictating mandatory turnover of social networking passwords and employee privacy concerns.
  • Discussing the National Labor Relations Board’s (NLRB) treatment of employer social media policies, whether it applies to you, and what steps should be taken to avoid potential penalties for violating NLRB rulings.
  • Discussing the interplay between social media privacy laws and workplace investigations, and how developing internal company policy and/or contracts can protect companies’ assets.
  • Defining, understanding, and protecting trade secrets in social media.
  • How courts are interpreting ownership of social media accounts and whether social media sites constitute property and preventing trade secret misappropriation or distribution through social media channels.
  • Discussing the interplay between protection of company information and ownership of company accounts in the social media age.

There is no cost to attend this program; however, registration is required.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.

If you have any questions, please contact events@seyfarth.com.

While employee Lehman was employed by Experian and allegedly subject to various employment covenants, he incorporated Thorium, a competitor.  After Experian laid him off, he operated Thorium.  Experian sued Lehman and Thorium in a Michigan federal court, accusing them of wrongdoing including violations of the federal Computer Fraud and Abuse Act.  Holding that the CFAA is intended to criminalize hacking and that Experian’s allegations of hacking were oblique at best, the court dismissed most of Experian’s claims under that statute.

Status of the case.  Because some of Experian’s common law causes of action and one of its CFAA contentions were not dismissed, discovery is proceeding. Experian Marketing Solutions, Inc. v. Lehman, Case No. 15:cv-476 (W.D. Mich., Sept. 29, 2015).

Background.  Experian is part of a world-wide marketing services conglomerate that collects and analyzes business data.  At the time he was laid off, Lehman was Experian’s executive vice president.  He was based in Grand Rapids, Michigan, and was authorized to access the company’s computer files.  As a condition of his initial hire, and again later in connection with settlement of a claim he brought against the company while still its employee, he executed non-compete, non-solicitation, and confidentiality agreements.  He allegedly violated those agreements and the CFAA by creating and operating Thorium and by downloading Experian’s confidential information (both while he was an Experian employee and after he was laid off) to a hard drive that the company had provided to him.  He also was accused of violations by purportedly instructing three Experian employees, whom Thorium later hired, to provide him with data from Experian’s computers, and by erasing all information on Experian’s hard drive before returning it.

Broad and narrow interpretations of the CFAA.  Federal courts are divided on the meaning of the phrases “[access] without authorization” and “exceeds authorized access” as used in the CFAA with respect to computers.  Four courts of appeal have interpreted the statute broadly, ruling that the purpose for accessing a computer is relevant in determining whether access was authorized.  Two federal appellate courts disagree.

The Sixth Circuit Court of Appeals.  The Sixth Circuit has not ruled definitively as to the meaning of those statutory phrases.  However, that court seemed to signal that it favored the majority position when it wrote, in a 2011 decision (quoting from a 2009 Ninth Circuit opinion), that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations . . . has exceed[ed] authorized access.”  Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Amer., 648 F.3d 295, 304.

The ruling in Experian.  Concluding that the Sixth Circuit has not weighed in definitively on the meaning of “authorized” as used in the CFAA, and that the quote from Pulte Homes is mere dicta, the district court found the minority interpretation to be the most satisfying.  Since Lehman was “authorized” to access Experian’s computers when he downloaded its confidential data before he was laid off, the court held that the CFAA was not violated regardless of what he did with the data.  Similarly, the court ruled that the defendants did not violate the statute by obtaining, from three Experian employees who had “authorization” to access its computers, the company’s proprietary secrets after Lehman was terminated.  Although his continued use of an Experian computer after he was terminated clearly was not “authorized,” such use was held to be not actionable under the CFAA because Experian failed to allege that he or Thorium thereby obtained anything of value.

One of Experian’s CFAA claims was not dismissed.  The allegation that Lehman caused “impairment to the integrity or availability of data” by wiping the hard drive clean before returning it was held to state a statutory violation.

Takeaways.  A CFAA claim for unauthorized use of a computer not based on hacking is likely to be dismissed in the Fourth and Ninth circuits.  Four other Courts of Appeal (the First, Fifth, Seventh and Eleventh) disagree, holding that the CFAA also prohibits accessing a computer for an unauthorized purpose even though the user has authority to use the computer.  Individual district court judges in the circuits that have not ruled have reached varying decisions on this issue.  Eventually, either Congress must amend the statute to resolve these inconsistencies or the U.S. Supreme Court may be asked to do so.  In the meantime, litigants and their counsel can only guess how those circuit courts which have yet to decide, and the district courts in those circuits, will rule.

While season-long fantasy sports leagues have long been in existence, the emergence of daily fantasy sports (“DFS”) has been relatively recent.  DFS allows participants to enter daily contests for money where a salary cap is used to “draft” a team and compete against anywhere from one to hundreds of thousands of other participants.  Points are allocated based on each player’s respective performance (e.g., receiving yards, touchdowns, etc.) and winners receive cash payouts that can be in the millions.

If the ever-present commercials did not make you aware already, DFS is big business.  Reports indicate that the industry collected approximately $2.6 billion in entry fees this year and may reach as much as $2 billion in revenues by 2020.

On October 5, 2015, the nascent industry was rocked when the New York Times reported that an employee of Draft Kings, the current market leader, used proprietary information regarding player usage in Draft Kings’ contests to win $350,000 in a contest hosted by competitor Fan Duel.  The industry, and Draft Kings in particular, have since come under a flood of criticism for a lack of internal controls and running a rigged game.

The information that was allegedly misused by the Draft Kings employee is player usage data: the percentages that particular players are “drafted” by contest participants.  This information is neither public nor available by any lawful means until changes to a participant’s line-up are “locked” and cannot be changed.  By having this information prior to being “locked” in, a DFS participant would get an unfair advantage by being able to calculate a line-up around the players that are owned by existing participants and thus may have a statistically higher chance of winning certain large-format contests where a unique line-up makes the chances of winning much greater.

Prior to the incident becoming public, no ban was in place prohibiting employees from playing on other sites; they were only prohibited from playing in contests hosted by their employers.  The amount of money at stake, however, raises significant questions about how DFS trade secrets may be misappropriated and misused.  Risks include not only employees misusing insider information regarding player usage to compete in competitors’ games, but also leaks to an insider’s friends and family or an employee unfairly competing through an account set up under an alias.

This scandal evidences the need for public-facing companies in particular to make sure that adequate measures are taken to safeguard company trade secrets and confidential information.  Draft Kings in particular has come under criticism for a lack of internal controls and safeguards to prevent the unauthorized access and use of its non-public information.  If sufficient safeguards are put into place, the threat of a trade secret claim against an employee or other user of player usage data may be used as another tool to prevent unfair competition and a corresponding loss in public confidence.  Trade secret protection, however, is only available to those who establish sufficient safeguards to keep the information confidential in the first place.

While industry leaders Draft Kings and Fan Duel announced the retention of a third-party auditor to investigate their internal controls, only time will tell if the industry can regain the trust lost by this week’s news.

We are pleased to announce the webinar “Information Security Policies and Data Breach Response Plans” is now available as a podcast and webinar recording.

With the recent uptick of high-profile data breaches and lawsuits being filed as a result by both employees and consumers, every business should take a fresh look at its information security policies and data breach response plans with two thoughts in mind: compliance with applicable laws, and limiting liability in the event of litigation. Cybersecurity is a critical and timely issue for all businesses. If your company has employees and pays them or gives them benefits, then your company is maintaining their personally identifiable information and faces liability in the event of a data breach.

Currently, there is no comprehensive federal law that sets forth a uniform compliance standard for information security best practices or data breach response plans. Companies operating in the U.S. must comply with a patchwork of 47 different states’ laws that set forth a company’s obligations in the event of a data breach. In the wake of several high-profile data breaches, state legislators in the U.S. have been updating these state laws in the past few months, adding new requirements.

In addition to dictating how and when a company must respond in the event of a data breach in which personal information has been compromised, a number of these laws also contain substantive requirements about cybersecurity measures a company must take generally. Add into this mix that a U.S. Court of Appeals agreed with the Federal Trade Commission (FTC) that it has the right to file lawsuits against businesses that it deems have lax information security protocols – without informing companies in advance of the standard to which they will be held.

Against this backdrop, Seyfarth attorneys Karla Grossenbacher and John T. Tomaszewski provided a high-level discussion on how businesses can structure an information security program to comply with applicable law and minimize liability – since waiting for a breach is not an option. They discussed, from a legal perspective:

  • Essential components of a comprehensive information security policy;
  • Key elements of a data breach response plan including strategies for state law compliance; and
  • Best practices for dealing with third party vendors that store personally identifiable information for your company.

We are pleased to announce the webinar “So You Want An Injunction in a Non-Compete or Trade Secret Case?” is now available as a podcast and webinar recording.

In Seyfarth’s seventh installment in its series of 2015 Trade Secret Webinars, attorneys Justin K. Beyer, Eric Barton and Robert C. Stevens focused on the issues confronting plaintiffs in preparing for and prosecuting trade secret cases and the various ins and outs of seeking both temporary restraining orders and preliminary injunctions.

  • Employers can best protect their trade secrets by instituting robust training, policies and procedures aimed at educating their workforce as to what constitutes confidential information and that this information belongs to the employer, not the employee. By utilizing confidentiality, invention assignment, and reasonable restrictive covenants, as well as implementing onboarding and off-boarding protocols, educating employees on non-disclosure obligations, educating employees on that data which the employer considers confidential, clearly marking the most sensitive data, and restricting access to confidential information, both systemically and through hardware and software blocks, employers can both educate and prevent misappropriation.
  • If an employee voluntarily resigns his or her employment with the company, the employer should already have in place a specific protocol to ensure that the employee does not misappropriate company trade secrets. Such steps include questioning the employee on where he intends to go, evaluating whether to shut off access to emails and company systems prior to the expiration of the notice period, requesting a return of company property, including if the company utilizes a BYOD policy, and reminding the employee of his or her continuing obligations to the company. Likewise, companies should have robust onboarding policies in place to help avoid suit, such as attorney review of restrictive covenants, offer letters that specifically disclaim any desire to receive confidential information from competitors, and monitoring of the employee after hire to ensure that they are not breaching any confidentiality or non-solicitation obligations to the former employer.
  • If a company finds itself embroiled in litigation based on either theft of its trade secrets or allegations that it either stole or received stolen trade secrets, it is important to take swift action, including interviewing the players, preserving the evidence, and utilizing forensic resources to ascertain the actual theft or infection (if you are on the defense side). Companies defending against trade secret litigation also need to analyze and consider whether an agreed injunction is in their best interests while they investigate the allegations. These types of cases tend to be fast and furious and the internal business must be made aware of the impact this could have on its customer base and internal resources.

By Christopher Lowe and Robert T. Szyba

In a recent ruling, the New Jersey Supreme Court gave employers a great recourse for dealing with former employees who breach their duty of loyalty.  In Bruce Kaye v. Alan P. Rosefielde, the Court allowed an employer to recover compensation paid to a disloyal, recently terminated, employee, even where the employer sustained no economic hardship from the employee’s acts of disloyalty.

Background

In Kaye, the employee, an attorney, who was only licensed to practice in New York, was hired as Chief Operating Officer (“COO”) and General Counsel for plaintiff’s business selling and managing timeshares in Atlantic County, New Jersey. Interestingly, although the defendant’s contract refers to his salary as a retainer for his services, and it appeared that both parties intended defendant to be an independent contractor, both parties agreed that defendant performed the services of an employee rather than an independent contractor.

While employed in the hybrid COO/General Counsel role — earning a salary of $500,000 per year — the Court found that the employee committed a number of “egregious” acts that ultimately resulted in the termination of his employment, including: (1) expensing a $4,000 personal trip to Las Vegas, the cost of which included a hotel suite with three “adult film stars”; (2) fraudulently applying for health insurance; (3) forging signatures on false quitclaim deeds of defaulting timeshare owners; (4) carving out a greater-than-agreed-upon personal interest in one of his employer’s corporate entities; (5) creating an entity under his employer’s name, without his employer’s consent, taking a 20% interest in that entity for himself (the employee); and (6) making numerous sexual advances towards other employees. When the employer learned what was going on, he fired the employee and sued him for breach of fiduciary duty, fraud, legal malpractice, unlicensed practice of law, and breach of duty of loyalty.

The Trial and Appellate Courts

After a 26-day bench trial, the trial court found that the former employee breached his duty of loyalty to the employer, and committed legal malpractice and fraud.  The employer was awarded $4,000 for the Las Vegas trip, over $800,000 in counsel fees and costs, and rescission of all of the employee’s ill-gotten interests in the employer’s other companies.  But despite it being “difficult to imagine more egregious conduct by a corporate officer,” the trial court declined to order equitable disgorgement for the former employee’s compensation during the period of disloyalty.  The trial court interpreted a prior Supreme Court decision, Cameco, Inc. v. Gedicke, as holding that “in order to compel disgorgement of a disloyal employee’s compensation, a court must first find that ‘the employee’s breach proximately caused the requested damages.’”  The Appellate Division agreed with the trial court on that point and affirmed that the employer could not disgorge the compensation paid to the disloyal former employee because it could prove no actual harm.

The New Jersey Supreme Court granted certification only to address the specific question of “whether a court may remedy disgorgement of a disloyal employee’s salary to an employer that has sustained no economic damages.”

The Court reversed the courts below, holding that disgorgement is an equitable remedy within the trial court’s authority, including where a disloyal former employee’s misconduct is not tied to an economic loss suffered by the employer on account of the employee’s disloyalty.  The Court directed lower courts to consider four factors to determine whether an employee breaches his/her duty of loyalty:

(1) the existence of contractual provisions relevant to the employee’s actions;

(2) the employer’s knowledge of, or agreement to, the employee’s actions;

(3) the status of the employee and his/her relationship to the employer (for example, corporate officer or director versus production line worker); and

(4) the nature of the employee’s conduct and its effect on the employer.

In effect, courts are directed to consider “the parties’ expectations of the services that the employee will perform in return for his or her compensation, as well as the ‘egregiousness’ of the misconduct that leads to the claim.”

The Court further clarified that once the employee is found to have breached the duty of loyalty, courts should decide whether disgorgement is a proper remedy by considering: “[t]he employee’s degree of responsibility and level of compensation, the number of acts of disloyalty, the extent to which those acts placed the employer’s business in jeopardy,” “the degree of planning to undermine the employer that is undertaken by the employee,” as well as “other factors” that may be relevant.  And once disgorgement is found to be appropriate, the court suggested apportionment commensurate to misconduct at issue, as opposed to “wholesale disgorgement.”

Outlook for Employers

New Jersey employers scored a significant win and a meaningful tool to deter and redress a breach of an employee’s duty of loyalty. The Kaye Court addressed the circumstance of a disloyal employee whose employment was terminated; however, the analysis is certainly instructive in addressing situations with current employees. The ability to recoup some or all of a disloyal employee’s salary/compensation is certainly a powerful tool in the right circumstances, and certainly something to consider when faced with a breach of the duty of loyalty.