The Attorneys General of ten states are investigating fast food franchisors for their alleged use of “no poach” provisions in their franchise agreements, according to a press release by the New Jersey Attorney General’s Office, and as reported by NPR. In a July 9, 2018 letter, the Attorneys General for New Jersey, Massachusetts, California, Washington, D.C., Illinois, Maryland, Minnesota, New York, Oregon, Pennsylvania, and Rhode Island requested information from eight fast food companies about their alleged use of such provisions. The letter states that the Attorneys General “have learned that certain franchise agreements used in our States and the District of Columbia . . . may contain provisions that impact some employees’ ability to obtain higher paying or more attractive positions with a different franchisee.” In other words, the agreements purportedly prohibit one franchisee of a particular brand from hiring employees of another franchisee of the same brand. Continue Reading State Attorneys General Investigate Fast Food Franchisor “No Poach” Agreements
Two competitors who do research and analysis for advertisers and media companies, concerning how television viewing impacts consumer purchasing, have been in a legal battle over alleged trade secret misappropriation, patent infringement, and other causes of action. The dispute already has produced at least six district court opinions. Recently, in a 47-page non-precedential order issued by the Court of Appeals for the Federal Circuit, the district court’s summary judgment order — reported at 984 F. Supp. 2d 205 (S.D.N.Y. 2013) (Scheidlin, J.) — was affirmed in part, reversed in part, vacated in part, and remanded. TNS Media Research, LLC v. TiVo Research & Analytics, Inc., No. 2014-1668 (Fed. Cir., Sept. 16, 2015).
Status of the case.
TNS Media Research (referred to by the courts as “Kantar”) sued TiVo (referred to as “TRA”). Kantar sought a declaratory judgment that it did not infringe a particular TRA patent. TRA counterclaimed for infringement of that patent and two others, plus misappropriation of trade secrets, breach of contract, and breach of fiduciary duty. After extensive discovery, TRA moved for summary judgment. Judge Scheidlin granted the motion in substantial part. She (a) held that TRA did not infringe Kantar’s patents, (b) dismissed TRA’s misappropriation claim as a discovery sanction, (c) ruled that TRA’s allegedly confidential information did not constitute trade secrets, (d) held that TRA submitted insufficient evidence to support a claim for damages, and (e) denied TRA’s requests for injunctive relief relating to allegations of a breach of fiduciary duty and for a jury trial on compensatory damages. According to the appeals tribunal, many of these rulings were erroneous.
Before they were competitors, Kantar was a substantial investor in TRA, a seemingly valuable corporation at the time. As a result of its investment, Kantar was given a seat on TRA’s Board and considered merging with TRA. Kantar allegedly was given access to TRA’s trade secrets both as a Board member and in the course of the companies’ merger negotiations, ultimately abandoned. After Kantar purchased and began operating a competing analytics company, TRA’s fortunes dwindled, and it was sold for a fraction of its former value. The purchaser continued to operate the acquired company under the TRA name.
The ruling below regarding TRA’s trade secret claims.
Absence of trade secrets. In its counterclaim, TRA alleged that Kantar misused TRA’s confidential information. After originally asserting more than 20 categories of trade secrets, on the eve of summary judgment briefing TRA reduced the number to five including characteristics of its products and its strategic plans.
Judge Scheidlin found that TRA had disclosed publicly most of the properties of its products. Further, she ruled that there was no evidence that Kantar’s products used any of TRA’s technical information. Regarding TRA’s strategic plans, she concluded that these were merely goals which are not protectable trade secrets under New York law. Judge Scheidlin added that “TRA’s trade secret claims had no colorable basis and were brought in bad faith.” Thus, she granted summary judgment as to misappropriation. She did not consider whether TRA’s customer contract terms, proposals and pricing were protectable.
Dismissal as a sanction. Kantar alleged that TRA had failed during discovery to identify trade secrets with sufficient specificity. The district court agreed. It held that dismissal of the misappropriation claims was warranted as a sanction because TRA’s violation of Federal Civil Procedure Rule 26(e) (requiring timely supplementation or correction of disclosures and responses) was “manifestly prejudicial to [Kantar] and taxing on the Court.”
Rulings on appeal by the Federal Circuit.
Grant of summary judgment. TRA had a proprietary product called Media TRAnalytics. The company claimed that the product’s speed, reliability, scalability and performance were trade secrets. The Federal Circuit concluded that the information concerning Media TRAnalytics that was publicly disclosed was merely an overview. In addition, the court held that the question of whether Kantar improperly used TRA’s confidential product information to gain a competitive advantage requires a determination by a fact finder rather than a summary disposition. Further, proprietary financial projections and strategic plans may be protectable if “not publicly known, not readily identifiable, or otherwise complex.”
In the Federal Circuit’s view, customer contract terms, proposals and pricing can be trade secrets. The district court was held to have committed reversible error by granting summary judgment regarding misappropriation without considering whether TRA’s customer information warranted protection. Similarly, “TRA presented sufficient evidence to create a colorable question about Kantar’s intent to injure TRA,” and so TRA was entitled to a trial on the subject of its entitlement to punitive damages.
Dismissal of trade secrets claims as a sanction. The Federal Circuit said that dismissal as punishment was not warranted here: “[T]here is no indication that TRA purposefully shirked its discovery obligations.” Further, TRA was not given a warning, and the lower court’s finding of prejudice to Kantar was unexplained. On remand, the district court was directed to consider a less harsh sanction.
The Federal Circuit’s order teaches that proprietary financial projections, strategic plans, and customer contract terms, proposals and pricing, all may be trade secrets. Further, a mere overview, or only partial disclosure, of a product’s confidential characteristics does not defeat trade secret protection for the undisclosed portion. In addition, whether a party’s protected information was used by another to gain a competitive advantage is a question to be decided by the fact finder.
This week, at the ITech Law World Technology Conference in New York, Seyfarth attorney Dan Hart briefed members of the International Technology Law Association’s Intellectual Property Committee about the European Commission’s proposed Directive on trade secret protection. As we have written, the new Directive, if enacted, will substantially alter the legal landscape in Europe regarding trade secret protection and will enhance cross-border certainty within the EU. Dan’s presentation generated lively discussion among lawyers from a wide variety of jurisdictions regarding the similarities and dissimilarities between European and US trade secret law and similar attempts in the US to federalize trade secret protection.
The ITech Law World Technology Conference concludes today. If you are attending the ITech Law World Technology Conference, please be sure stop by our table in the Vanderbilt Room of the Waldorf-Astoria Hotel.
As part of our annual tradition, we are pleased to present our discussion of the top 10 developments/headlines in trade secret, computer fraud, and non-compete law for 2013. Please join us for our complimentary webinar on March 6, 2014, at 10:00 a.m. P.S.T., where we will discuss them in greater detail. As with all of our other webinars (including the 12 installments in our 2013 Trade Secrets webinar series), this webinar will be recorded and later uploaded to our Trading Secrets blog to view at your convenience.
Last year we predicted that social media would continue to generate disputes in trade secret, computer fraud, and non-compete law, as well as in privacy law. 2013 did not disappoint with significant social media decisions involving the ownership of social media accounts and “followers” and “connections,” as well as cases addressing liability or consequences for actions taken on social media, such as updating one’s status, communicating with “restricted” connections, creating fake social media accounts, or deleting one’s account during pending litigation.
We also saw more states (e.g., Arkansas, Utah, New Mexico, California, Colorado, Nevada, Michigan, New Jersey, Oregon, and Washington) enact legislation to protect employees’ “personal” social media accounts and we expect more states to follow.
The circuit split regarding the interpretation of what is unlawful access under the Computer Fraud and Abuse Act (“CFAA”) remains unresolved and another case will need to make its way up to the Supreme Court or legislation passed to clarify its scope as federal courts continue to reach differing results concerning whether employees can be held liable under for violating computer use or access policies.
There have also been several legislative efforts to modify trade secret, computer fraud, or non-compete law in various jurisdictions. Texas adopted a version of the Uniform Trade Secrets Act, leaving Massachusetts and New York as the lone holdouts. Oklahoma passed legislation expressly permitting employee non-solicit agreements. Massachusetts, Michigan, Illinois, New Jersey, Maryland, Minnesota, and Connecticut considered bills that would provide certain limitations on non-compete agreements but they were not adopted.
We expect more legislative activity in 2014, particularly regarding privacy, the scope of the CFAA, and trade secret legislation to curb foreign trade secret theft and cyber-attacks.
Finally, while the Snowden kerfuffle and NSA snooping captured the headlines in 2013, government agencies remained active, including some high profile prosecutions under the Economic Espionage Act, the release of the Obama Administration’s Strategy on Mitigating the Theft of U.S. Trade Secrets, and the National Labor Relations Board’s continued scrutiny of employers’ social media policies. We expect more government activity in this space in 2014.
Here is our listing of top developments/headlines in trade secret, computer fraud, and non-compete law for 2013 in no particular order:
1) Dust Off Those Agreements . . . Significant New Non-Compete Cases Keep Employers On Their Toes
Employers were kept on their toes with some significant non-compete decisions which forced some employers to update their agreements and onboarding/exiting practices. First, in Fifield v. Premier Dealer Services, an Illinois appellate court found that less than two years employment is inadequate consideration to enforce a non-compete against an at-will employee where no other consideration was given for the non-compete. Second, in Dawson v. Ameritox, an Alabama federal court found that a non-compete executed prior to employment was unenforceable. Next, in Corporate Tech. v. Hartnett, a Massachusetts federal court held that initiating contact was not necessary for finding solicitation in breach of a customer non-solicitation agreement. Lastly, in Assurance Data v. Malyevac, the Virginia Supreme Court found that a demurrer (i.e., a pleading challenge) should not be used to determine the enforceability of non-compete provisions but rather evidence should be introduced before making such a determination.
2) Continued Split of Authority On the Computer Fraud and Abuse Act and Efforts to Reform CFAA and Enhance Federal Trade Secret and Cybersecurity Law
Courts in Massachusetts, Minnesota, and New York joined the Ninth Circuit’s narrow reading of the CFAA and limited its applicability to pure hacking scenarios rather violations of employer computer usage or access policies. Additionally, in 2013, Representative Zoe Lofgren introduced Aaron’s Law, named after the political hackvist Aaron Swartz, to reform of the Computer Fraud and Abuse Act. Her proposed legislation would limit the CFAA to pure hacking scenarios and exclude violations of computer usage policies and internet terms of service from its scope. Lofgren also introduced legislation which would create a federal civil cause of action in federal court for trade secret misappropriation. Other legislation to prevent intellectual property theft was also introduced including the Deter Cyber Theft Act, which aims to block products that contain intellectual property stolen from U.S. companies by foreign countries from being sold in the United States. The Cyber Economic Espionage Accountability Act was also introduced and allows U.S. authorities to “punish criminals backed by China, Russia or other foreign governments for cyberspying and theft.” We expect Congress to consider similar legislation in 2014.
3) Texas Adopts Uniform Trade Secrets Act
Texas joined forty-seven other states in adopting some version of the Uniform Trade Secrets Act. Until recently, Texas common law governed misappropriation of trade secrets lawsuits in Texas. The new changes under the Texas UTSA (which we discuss in more detail here) provide protection for customer lists, the ability to recover attorneys’ fees, a presumption in favor of granting protective orders to preserve the secrecy of trade secrets during pending litigation, and that information obtained by reverse engineering does not meet the definition of a trade secret. Legislation has been introduced in Massachusetts to adopt the Act but has yet to pass. For additional information on recent trade secret and non-compete legislative updates, check out our webinar “Trade Secrets and Non-Compete Legislative Update.”
4) High Profile Prosecutions and Trials under Computer Fraud and Abuse Act and Economic Espionage Act
2013 saw several high profile prosecutions and trials under the CFAA and Economic Espionage Act. Bradley Manning, who allegedly leaked confidential government documents, to WikiLeaks, and Andrew ‘Weev’ Auernheimer, who allegedly hacked AT&T’s servers, were both convicted under the CFAA. Executive recruiter David Nosal was convicted by a San Francisco jury of violating federal trade secret laws and the CFAA and sentenced to one year and a day in federal prison. In U.S v. Jin, the Seventh Circuit upheld the conviction of a Chicago woman sentenced to four years in prison for stealing trade secrets of her employer before boarding a plane for China. For additional information on criminal liability for trade secret misappropriation, check out our webinar “The Stakes Just Got Higher: Criminal Prosecution of Trade Secret Misappropriation.”
5) More Social Media Privacy Legislation
Arkansas, Utah, New Mexico, Colorado, Nevada, Michigan, New Jersey, Oregon, and Washington all passed legislation social media privacy legislation in 2013 that prohibited employers from asking or insisting that their employees provide access to their personal social networking accounts. California extended its current social media privacy law to specify that it encompassed public employers. We expect more states to enact social media privacy legislation in 2014.
6) Continued Uncertainty on the Scope of Trade Secret Preemption
Courts have continued struggled with the scope and timing of applying preemption in trade secret cases but there is a growing movement to displace common law tort claims for the theft of information. Such claims are typically tortious interference with contract, conversion, unfair competition, and breach of fiduciary duty. In essence, plaintiffs may only be left with breach of contract and a trade secret claim for the theft of information if a jurisdiction has adopted a broad preemption perspective. Courts in western states such as Arizona, Hawaii, Nevada, Utah, and Washington have preempted “confidential information” theft claims under their respective trade secret preemption statutes.
In K.F. Jacobsen v. Gaylor, an Oregon federal court, however, found that a conversion claim for theft of confidential information was not preempted. In Triage Consulting Group v. IMA, a Pennsylvania federal court permitted the pleading of preempted claims in the alternative. Additionally, in Angelica Textile Svcs. v. Park, a California Court of Appeal found that there was no preemption of claims for breach of contract, unfair competition, conversion, or tortious interference because the claims were based on facts distinct from the trade secret claim and the conversion claim asserted the theft of tangible documents. In contrast, in Anheuser-Busch v. Clark, a California federal court found that a return of personal property claim based on the taking of “confidential, proprietary, and/or trade secret information” was preempted because there was no other basis beside trade secrets law for a property right in the taken information. For additional information on the practical impact of preemption on protecting trade secrets and litigating trade secret cases, check out our webinar “How and Why California is Different When it Comes to Trade Secrets and Non-Competes.”
7) Growing Challenge of Protecting of Information in the Cloud with Increasing Prevalence of BYOD and Online Storage
While the benefits of cloud computing are well documented, the growth of third party online data storage has facilitated the ability for rogue employees to take valuable trade secrets and other proprietary company electronic files, in the matter of minutes, if not seconds. The increasing use of mobile devices and cloud technologies by companies both large and small is likely to result in more mobile devices and online storage being relevant in litigation. A recent article in The Recorder entitled “Trade Secrets Spat Center on Cloud,” observed that the existence of cloud computing services within the workplace makes it “harder for companies to distinguish true data breaches from false alarms.”
An insightful Symantec/Ponemon study on employees’ beliefs about IP and data theft was released in 2013. It surveyed 3,317 employees in 6 countries (U.S., U.K., France, Brazil, China, South Korea). According to the survey, 1 in 3 employees move work files to file sharing apps (e.g. Drop Box). Half of employees who left/lost their jobs kept confidential information 40% plan to use confidential information at new job. The top reasons employees believe data theft acceptable: (1) does not harm the company does not strictly enforce its policies; (2) information is not secured and generally available; or (3) employee would not receive any economic gain. The results of this study serve as a reminder that employers must be vigilant to ensure that they have robust agreements and policies with their employees as well as other sound trade secret protections, including employee training and IT security, to protect their valuable trade secrets and company data before they are compromised and stolen. Employers should implement policies and agreements to restrict or clarify the use of cloud computing services for storing and sharing company data by employees. Some employers may prefer to simply block all access to such cloud computing services and document the same in their policies and agreements. For a further discussion about steps and responses companies can take when their confidential information and/or trade secrets appear, or are threatened to appear, on the Internet, check out our webinar “My Company’s Confidential Information is Posted on the Internet! What Can I Do?”
8) Continued Significance of Choice of Law and Forum Selection Provisions In Non-Compete and Trade Secret Disputes
The U.S. Supreme Court’s recent decision in Atlantic Marine v. U.S.D.C. for the W.D. of Texas appears to strengthen the enforceability of forum selection clauses as it held that courts should ordinarily transfer cases pursuant to applicable and enforceable forum selection clauses in all but the most extraordinary circumstances. While Atlantic Marine did not concern restrictive covenant agreements or the employer-employee context, it may nonetheless make it more difficult for current and/or former employees to circumvent the forum selection clauses contained in their non-compete or trade secret protection agreements. Many federal courts continue to enforce out-of-state forum selection clauses in non-compete disputes (see AJZN v. Yu and Meras Eng’r’g v. CH2O), while some courts have disregarded forum selection clauses in such disputes “in the interests of justice.” The Federal Circuit in Convolve and MIT v. Compaq and Seagate, held that information at issue lost its trade secret protection when the trade secret holder disclosed the information because it failed to comply with the confidential marking requirement set forth in a non-disclosure agreement. Accordingly, trade secret holders should be careful what their non-disclosure agreements say about trade secret protection otherwise they may lose such protection if they fail to follow such agreements.
9) Social Media Continues to Change Traditional Legal Definitions and Analyses
Social media continues to change the way we define various activities in employment, litigation, and our everyday lives. A Pennsylvania federal district court in the closely watched Eagle v. Morgan case found that a former employee was able to successfully prove her causes of action against her former employer for the theft of her LinkedIn account, but she was unable to prove damages with reasonable certainty. Recent cases in Massachusetts and Oklahoma held that social media posts, updates and communications with former customers did not violate their non-solicitation restrictive covenants with their former employer. In the litigation context, a New Jersey federal court issued sanctions against a litigant for deleting his Facebook profile, while a New York federal court allowed the FTC to effectuate service of process on foreign defendants through Facebook. The Fourth Circuit held that “liking” something on Facebook is “a form of free speech protected by the First Amendment.” Federal district courts in Nevada and New Jersey illustrated the growing trend of courts finding that individuals may lack a reasonable expectation of privacy in social media posts. For further discussion on the relationship between social media and trade secrets, check out our webinar “Employee Privacy and Social Networking: Can Your Trade Secret Survive?”
10) ITC Remains Attractive Forum to Address Trade Secret Theft
The Federal Circuit caught the attention of the ITC and trade secret litigators alike when it ruled in TianRui Group Co. v. ITC that the ITC can exercise its jurisdiction over acts of misappropriation occurring entirely in China. Since then, victims of trade secret theft by foreign entities are increasingly seeking relief from the ITC (e.g. In the Matter of Certain Rubber Resins and Processes for Manufacturing Same (Inv. No. 337-TA-849)). For valuable insight on protecting trade secrets and confidential information in China and other Asian countries, including the effective use of non-compete and non-disclosure agreements, please check out our recent webinar titled, “Trade Secret and Non-Compete Considerations in Asia.“
We thank everyone who followed us this year and we really appreciate all of your support. We also thank everyone who helped us make the ABA’s Top 100 Law Blogs list. We will continue to provide up-to-the-minute information on the latest legal trends and cases across the country, as well as important thought leadership and resource links and materials.
Don’t forget to register to receive a copy of our Annual Blog Year in Review.
Earlier this month, New York Pizzeria, Inc., a pizzeria chain with over thirty restaurants in the United States and the Middle East, filed a complaint in federal court in Texas alleging trade secret misappropriation. New York Pizzeria alleged that a former employee, as well as individual restaurant owners, were conspiring to misappropriate its trade secrets for the purposes of creating a competing business. According to New York Pizzeria’s allegations, a former employee and the owner of a competing business conspired to steal and use the company’s trade secrets. The defendants allegedly used this unlawfully obtained information to start a competing franchise chain.
According to the complaint, the former employee previously owned a New York Pizza franchise. His employment with the company was terminated in March 2011, and in October of that same year, the company sought to terminate his franchise as well. The parties allegedly agreed that New York Pizzeria would assume ownership of the restaurant, and would buy the former employee out. However, the former employee allegedly failed to honor certain obligations from this contract, and sued for breach of contract. In response, New York Pizzeria filed a counterclaim, alleging misappropriation of trade secrets. The suit eventually settled, however, after the settlement, New York Pizzeria alleged that the former employee continued to steal New York Pizzeria’s product, and the company filed a second lawsuit, asserting independent trade secret misappropriation claims.
According to Plaintiff’s allegations, the former employee “had access to . . . confidential, proprietary information, including NYPI’s recipes, ‘plate specifications,’ supplier and ingredient lists, and training and restaurant operations manuals. . . [and the former employee] provided that information to the . . . [the other] defendants, without privilege to do so.” Additionally, Plaintiff alleges that the former employee and cohorts illegally accessed New York Pizzeria’s online portal by using one of New York Pizzeria’s company user names and passwords. This login information allegedly enabled defendants to obtain New York Pizzeria’s confidential and proprietary information, including special recipes and concepts for pizza, eggplant parmesean, baked ziti and pizza.
From a legal standpoint, it remains to be seen whether and to what extent New York Pizzeria has a protectable interest in the recipes and concepts and whether it will be successful in obtaining injunctive relief for their alleged use. This case, like the previous recipe case that we recently blogged about, serves as a reminder that those in the restaurant industry must closely guard their cooking secrets and employ effective non-disclosure and confidentiality agreements. Additionally, franchisors must carefully guard the proprietary aspect of their franchise systems through appropriate agreements. No other hearings have been scheduled as of yet, but we will continue to keep you updated with any material developments in this tasty case.
By Marcus Mintz
A New York Supreme Court recently affirmed the viability of the “employee choice doctrine” in a rescission action involving employee equity grants. See Lenel Systems Int’l., Inc. v. Smith, 106 A.D. 3d 1536, 966 N.Y.S.2d 618 (N.Y. App. Div. 2013). The “employee choice doctrine” arises when an employee has a choice between complying with post-employment obligations, such as a non-compete or non-solicitation agreement, or risk forfeiting certain benefits, such as equity grants.
Generally, post-employment restrictions will be reviewed by a court for reasonableness and are disfavored as a restraint on an employee’s ability to earn a living. When an employee is given the choice of compliance or forfeiture of benefits, however, “there is no unreasonable restraint upon an employee’s liberty to earn a living” as a matter of law. Put simply, if an employee can choose whether or not to comply with a restrictive covenant, then there is no “unreasonable restraint” on the employee’s ability to earn a living.
The New York Supreme Court was recently asked to consider the application of the employee choice doctrine to an action for rescission of stock options granted to an ex-employee, Smith, based on his alleged breach of a non-compete provision in the stock option agreement. While employed at plaintiff Lenel Systems International, Inc., Smith was granted stock options. The stock option agreement required that, as a condition of the grant, Smith would not compete with Lenel while employed and for two years following his termination from employment. Smith voluntarily terminated his employment and assumed employment with an alleged competitor.
Lenel filed a lawsuit against Smith, alleging that he was violating the non-compete in his stock option agreement and seeking rescission of the stock options. Smith moved for summary judgment on Lenel’s claim for rescission, arguing that the restrictive covenants in the stock option agreement were unreasonable and, therefore, unenforceable as a matter of law. While the court acknowledged the general policy of disfavoring restrictive covenants against employees, it held that such policy did not apply to the facts in Lenel Systems because the employee had a choice between compliance and forfeiture. In addition, the court held that when the “employee choice doctrine” applies, a restrictive covenant will be enforceable “without regard to reasonableness” provided that the employee voluntarily terminated his or her employment.
In addition to other tools an employer may use to protect its business interests, enforcing restrictive covenants contained in equity grants through actions for enforcement of express forfeiture provisions may provide an effective mechanism for retaining employees. However, employers must be mindful that any inducements to comply with restrictive covenants must be sufficiently lucrative to ensure employee compliance.
A recently unsealed criminal complaint out of the Eastern District of New York raises allegations that paint a frightening picture for employers of the havoc that disgruntled ex-employees can wreak on company computer networks.
The prosecution alleges that a former employee of an unnamed company that manufactures high-voltage power supplies in Suffolk County, New York improperly downloaded company files, accessed the company network, and altered key company source code after his resignation on December 30, 2011.
The employee allegedly resigned because he was unhappy about being passed over for a promotion and set his final day to be January 13, 2012. However, only one week after announcing his resignation, on January 6, 2012, the employee’s supervisor claims to have observed him copying files from his computer onto a flashdrive. Acting swiftly, the company blocked his access to their servers and VPN on January 7, 2013, but unfortunately, this was not enough to thwart the employee’s alleged tampering with the company’s networks.
During his time at the company, the employee worked with another unnamed employee maintaining the company’s software. In the course of working together, this employee allegedly shared his password with the defendant. Furthermore, this employee had the practice of rotating between the same two or three passwords whenever the company’s system prompted him to change it, and thus, the prosecution claims that the defendant, with some easy guesswork, was able to gain access to the company’s systems via their VPN even after he had resigned and after the company had blocked his access to its system.
Working under his former coworker’s credentials and after he left the company’s employee, the defendant allegedly:
• Obtained the email addresses of candidates applying to fill his now vacant position and sent them messages from firstname.lastname@example.org telling them not to work for the Company;
• Modified dates within the computer code for the Company’s Period Roll Tables, which prevented the Company from processing transactions during a critical month-end period;
• Deleted purchase order tables from the Company’s systems; and
• Deleted key lines of code from a program that calculates work order costs, which led to incorrect calculations.
When all was said and done, the company estimates that it spent approximately $94,000 investigating and addressing the employee’ s alleged actions.
The U.S. Attorneys’ Office charged the defendant under the Computer Fraud and Abuse Act.
“The defendant engaged in a 21st century campaign of cyber-vandalism and high-tech revenge,” Loretta E. Lynch of the U.S. Attorney’s Office for the Eastern District of New York said in a statement. “We will hold accountable any individual who victimizes others by exploiting computer network vulnerabilities.”
FBI Assistant Director in Charge Venizelos stated, “Bent on revenge, the defendant exploited his access and his technical know-how to sabotage his former employer. As alleged, he caused significant disruption and monetary damage. The FBI is committed to vigorous enforcement of laws governing computer intrusions.”
The defendant could face up to 10 years in prison, a $250,000 fine and restitution. He posted a $50,000 bond and a Federal Defender was appointed to represent him.
The case is United States of America v. Meneses, case number 13M343, in the United States District Court for the Eastern District of New York.
This case follows the highly publicized U.S. v. Nosal case in which an executive recruiter was convicted under the Computer Fraud and Abuse Act where there were allegations of password sharing to obtain access to the company’s computer network.
Regardless of the outcome of Meneses, the allegations made by the prosecution highlight a core rule of data protection — employees must keep their passwords confidential. In this day and age, we have hundreds of passwords swirling around our heads. It’s no wonder, therefore, that they begin to lose their importance, and all too often, employees will nonchalantly share their passwords with a colleague or rotate between the same few passwords whenever the system requires a password change. Employers should be on the lookout for this kind of activity and should frequently impress upon employees how important it is to have both unique and confidential passwords and that they routinely change their passwords. IT specialists recommend that special care should be given to password security. Some believe that the use of biometric authentication will eventually surpass conventional passwords. Even implementing other trade secret protection measures — such as granting employees access to trade secrets only on a need-to-know basis — are useless if one employee obtains another employee’s password and is able to have free reign on the company’s computer network.
Additionally, companies must immediately disable network access of departing employees at termination. Most internal attacks happen through access obtained on the job that is not removed when the employee leaves, FBI assistant special agent Austin Berglas reportedly told businesses leaders at a recent cybersecurity conference. More commonly a “company fires someone in their IT department and forgets to block or cancel their login credentials,” Mr. Berglas reportedly said. “It’s just so easy for them to use that password to steal data or do destructive things to the network…and it looks like normal traffic to IT staff.”
In this case, the company shut down the employee’s access the day he left but he was allegedly able to figure out another employee’s password because he had previously shared it with the defendant and that colleague rotated between similar passwords.
In the end, hindsight is 20/20, but the simple steps of maintaining the confidentiality of employee passwords, having unique passwords that are changed often, and shutting off network access of departing employees at termination can go a long way toward protecting your trade secrets and your company networks as a whole. Companies should also stay abreast of the latest in technologic enhancements, such as biometric authentication. We will continue to keep you apprised of developments in this case. For more information on the threats to trade secrets posed by cybersecurity attacks and mitigation strategies, please see my recent presentation with U.S. Attorney Wesley Hsu and cybersecurity specialist Steve Lee.
An old folk melody describes the world as “a very narrow bridge,” where one misstep can bring disaster. The song seeks to inspire, calling on people to have “no fear at all” while crossing through life’s perils.
However inspiring this song might be, some metaphorical bridges just aren’t worth crossing. Trying to assert Computer Fraud and Abuse Act (“CFAA”) claims against disloyal employees is a perfect example. Employers rightly want to seek relief against employees who steal confidential information that might not qualify as “trade secrets.” And, at first glance, the CFAA appears to present a promising bridge into federal court for just such a claim. Even better, for a while, many federal courts adopted a broad view of the statute that permitted precisely these claims. In fact, between 2001 and 2010, the First, Fifth, Seventh, and Eleventh Circuits all issued opinions that interpreted the CFAA broadly, which still stand as the precedent in those Circuits.
Over the past few years, however, other federal courts have increasingly construed the CFAA narrowly. In a number of decisions, various federal courts have restricted both the claims that can be brought under the CFAA and the damages available for violations. These days, simply asserting a CFAA claim will almost certainly be met with a time-consuming and burdensome motion to dismiss. And, often, the CFAA proves to be a bridge to nowhere, because the Court dismisses the claim.
The plaintiff in JBCHoldings NY, LLC v. Pakter, 2013 U.S.Dist. LEXIS 39157 (S.D.N.Y. 3/20/13) recently learned this lesson. In JBCHoldings NY LLC, an employer was faced with a familiar situation: it gave a trusted employee access to its highly confidential information, only to have her allegedly misappropriate it for herself, and then allegedly misuse it to pilfer the company’s business opportunities which she then allegedly provided to former business colleagues who had set up a competing entity with her. The employer responded with a CFAA claim, alleging that the disloyal employer had violated the statute because, by stealing data, she accessed the company’s computers “without authorization” or “exceeded [her] authorized access.”
On March 20, 2013, the Southern District of New York dismissed the employer’s claim. The Court reasoned that the CFAA’s “plain meaning” only prohibits accessing information “without authorization” or “exceed[ing] authorized access,” but “does not speak to the misuse of permitted access or the misappropriation of information which an employee is authorized to access.” In so doing, the Court followed recent decisions by the Fourth and Ninth Circuits in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) and United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), respectively, along with a plethora of Second Circuit district court decisions.
The Court further reasoned that a “review of the statute as a whole confirms the narrow interpretation,” because it defines “loss” quite narrowly. In this regard, the Court noted that an unpublished Second Circuit decision held that the CFAA did not cover losses sustained due to the plaintiff’s misappropriation of proprietary information. See Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 563 (2d Cir. 2006). Given this limitation, the Court in JBCHoldings articulated that “[i]t would be illogical for the statute to prohibit misappropriation of employer information, but not define loss to include the losses resulting from that misappropriation.”
Additionally, the Court held that, while it “does not find the statute ambiguous,” the “rule of lenity” would caution towards a narrow interpretation, “because the CFAA is primarily a criminal statute.”
The Court’s opinion does leave two narrow bridges of hope for employers. First, on the law, the CFAA’s interpretation is far from settled. Despite WEC Carolina Energy Solutions, Nosal, and district court decisions like JBCHoldings, a majority of circuit courts that have addressed this issue have come down on the side of the broader interpretation. And the Supreme Court won’t be resolving this circuit-split anytime soon. The Department of Justice declined to seek certiorari in the Nosal case and, back in January, the Supreme Court dismissed the certiorari petition in WEC Carolina Energy Solutions, upon the parties’ stipulation. So a “broad” CFAA claim remains viable in many jurisdictions.
Second, on the facts, the JBCHoldings court provided direction on how employers can sometimes successfully navigate a narrow CFAA claim. For, although the Court held that the CFAA doesn’t provide a remedy against a disloyal employee who misuses access to a computer, it does apply to an “outside hacker” who lacks any permission whatsoever. The Court further noted that at least some of the Complaint’s allegations created an inference of “outside hack[ing],” including allegations that the disloyal employee may have used spyware or malware to accomplish her goals. That being said, the Court ultimately found that these allegations were “couched in terms of sheer possibility,” and thus failed to pass the Twombly/Iqbal “plausibility” standard. This is because it was much more likely that the employee “simply copied the information to her personal laptop,” without resorting to a nefarious program.
Taking that reasoning to heart, employers should remember that the JBCHoldings case is not every case. While disloyal employees often just swipe information that they can lawfully access, sometimes they get even greedier. They may load spyware and malware onto their employer’s server to farm for useful information. They may decrypt passwords to access higher-level information than they are permitted. Or they might “hack” this data in other ways. And, when employees engage in such conduct, they do more than just misuse information that they can lawfully access. They exceed their authorized access to a company’s computers, and thus indisputably fall within the CFAA’s ambit.
In fact, this kind of conduct may very well have happened in the JBCHoldings case. The employer just didn’t have the facts to back it up its allegations. For, although it began some kind of investigation into the employee’s conduct, this investigation remained “incomplete” when they filed their Complaint, and apparently wasn’t too detailed.
This may have been a fatal mistake. A professional forensic examination can reveal what employees stole, how they stole it, whether they engaged in any other sinister conduct (such as deleting data), and whether they comprised the system’s integrity. Accordingly, this kind of examination can – at least sometimes – provide factual backing for a CFAA claim, even if a Court construes the CFAA narrowly. In short, a forensic examination can help employers decide which potential CFAA claims to avoid, and which to pursue. After all, when you’re crossing a narrow bridge, you want it to be as strongly supported as possible. Even if you have no fear at all.
Employers may also find that they have a better chance of successfully articulating a successful CFAA claim in a “narrow interpretation” circuit, if they draft their confidentiality/trade secrets policies with the express precepts of the CFAA in mind. Thus, for example, it may pay for an employer to expressly provide that an employee’s authorization to access certain specified confidential information of the employer ceases immediately upon certain triggering events. Needless to say, the Courts will have the last word as to whether such policy language can “trump” their interpretation of the terms of the CFAA, but where the employer’s polices closely track those very terms, it may be more difficult for the Court to find that authorization, once given, cannot be lost. Just sayin’. . .
On February 6, 2013, the federal Second Circuit Court of Appeals affirmed $15 million of a $18.1 million dollar jury verdict (onto which the trial court tacked on an additional $1.5 million in interest) in favor of a New York subway brake manufacturer on its trade secret misappropriation claim against a former licensee turned competitor. Faively Transport USA, Inc. v. Wabtec Corp., No. 11-3518-cv, 2013 WL 440200 (2nd Cir. Feb. 6, 2013). The legal issues are interesting, sure, but I’d like to focus on the more valuable lesson of the wisdom of settlement that this case screamed for.
The litigation lasted nearly five-and-a-half years, and involved a Swedish arbitration, two American district court cases and two 2nd Circuit appeals. The lawyers were from globally-renowned law firms. All told, the litigation involved no less than four trials (an arbitration, two preliminary injunction hearings, and a jury trial), two federal appeals, and mountains of briefing in all those proceedings. In the end, plaintiff got $20 million in damages and interest, with apparently no fee awards. I have to ask: was it worth it?
Here’s what happened. Faively claimed that Wabtec took its subway-car air-brake system technology, resulting in Wabteck’s landing a subway modernization contract with the New York Transit Authority in 2007 (and perhaps other deals). Between 1993 and 2005, Wabtec designed brake systems under a license agreement with its sister company, SAB Wabco. Faively bought SAB Wabco in 2004, including its licensing agreements, and terminated Wabtec’s license effective yearend 2005. Wabtec claimed to have “reverse engineered” its own air brake system prior to the end date, without using any of Faively’s drawings or information to which it had access under the license agreement. No less than seven times was that claim rejected by an arbitration panel, two federal trial judges, two federal appellate panels, and a federal jury.
Plaintiff Faively European arm first sued Wabtec in October 2007 in Sweden for misappropriation of Faively’s trade secret drawings. While the arbitration was pending, that same plaintiff sued in the New York Southern District for an injunction against further use of the Faively’s subway brake secrets. The District Court agreed that Wabtec likely misused Faively’s trade secrets, and granted the injunction. The Second Circuit also agreed that Wabtec likely misused the secrets, but vacated the injunction due to the absence of irreparable harm.
Back to Sweden, the arbitration panel’s December 2009 award rejected Wabtec’s claim (its third, by that time) that it properly reverse-engineered its brake system. The panel awarded Faively Europe a $3.9 million royalty, based on projected profits through 2011. The panel’s award apparently excluded any of Faively USA’s claims against Wabtec, and the panel reportedly said that Faively USA was the primary victim of Wabtec’s trade secret misuse. The award did not appear to include any attorneys’ fees.
So, in May 2010, Faively went back to New York, where its USA-arm filed a separate trade secret misappropriation suit based on the air brake system. Wabtec filed a motion to dismiss, which the court denied. Wabtec later filed a motion for summary judgment based in part on its reverse-engineering claim, which the court rejected for a fourth time. In fact, the court granted Faively’s motion for summary judgment on Wabtec’s trade secret misappropriation liability, and set the case for trial on damages.
Undeterred, Wabtec went to trial on Faively’s damages in late June 2011. After trial, the jury rejected Wabtec’s argument that it came up with its systems on its own (fifth rejection), and awarded Faively $18.1 million in compensatory damages. No fees were awarded, probably because New York has not adopted the Uniform Trade Secrets Act, which in section 4 permits attorney fee awards for willful and malicious misappropriation.
On August 1, 2011, the district court denied Wabtec’s post-trial motion in which it re-asserted its reverse engineering theory (sixth rejection), and entered judgment on the jury’s verdict, plus $1.5 million in pre-judgment interest. The Second Circuit’s February 6th decision again rejected, for a seventh time, Wabtec’s argument in its appellate brief that it properly reverse engineered its subway brakes (as well as Wabtec’s other arguments).
What did we learn from this case? Protracted trade secret litigation can be very expensive. Only the parties can tell if it was worth it in this case.
Garrod, a salesman for more than 25 years in the field of elastomeric precision products (EPP), was terminated in mid-2012 after spending an aggregate of a dozen of those years working for manufacturers of EPP parts Fenner and a company acquired by Fenner.
He had signed both employers’ agreements containing non-compete and customer non-solicitation clauses–which appeared reasonable on their face–and Pennsylvania choice-of-law provisions. After Fenner discharged him, he was hired by Mearthane, another EPP company. When he began calling on Fenner’s customers, Fenner sued Mearthane and him in the U.S. District Court for the Western District of New York, seeking to enforce the restrictive covenants contained within the employment agreements.
Earlier this month, Fenner’s motion for a preliminary injunction was denied largely because the court found the non-compete and non-solicitation clauses to be unreasonable. According to the court, Pennsylvania law “disfavors enforcement of restrictive covenants against employees who are fired for poor performance” since the employer views those employees as “worthless.” Fenner Precision, Inc. v. Mearthane Products Corp., Case No. 12-CV-6610 CJS (W.D.N.Y., Feb. 4, 2013).
Garrod asserted that the agreements lack consideration, and that Fenner had not made a sufficient showing of irreparable harm, but the court rejected those assertions. He was more successful with his argument that the agreements are not enforceable because they are unreasonable. He pointed out that he is 58 years old, reducing the likelihood that he can obtain employment outside the EPP industry, and that Fenner gave no reason for his termination. He emphasized that he had worked in the EPP industry for more years before joining Fenner’s predecessor than he spent with that company and Fenner, and that he had significant contacts with, and knowledge about, EPP manufacturers before he became their employee.
The court concluded that Fenner’s concerns about Garrod’s ability to harm its sales “seem overstated in light of the fact that he yet to close any sales since commencing work for Mearthane.” Moreover, those concerns “are belied” by Fenner having “removed him from the company’s most profitable accounts” before firing him. In sum, “Considering all the relevant factors in the record, and weighing the parties’ competing interests,” the court found that “Garrod is likely to prevail in demonstrating that enforcement of the non-solicitation clause against him would not be reasonable.”
This case reminds us that employers can face an uphill battle in enforcing a non-compete clause against a terminated employee. However, there are courts that enforce such contracts as written regardless of the reason the employee left his or her prior employment.