[BreachExchange] Trade Secrets 2.0
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jun 19 19:49:00 EDT 2017
http://www.ipeg.com/trade-secrets-2-0/
The enactment of the Defend Trade Secrets Act (DTSA) of 2016 in the United
States creates a new paradigm and is a watershed event in intellectual
property law. Former U.S. President Barack Obama signed the bill into law
on May 11, 2016, and the DTSA now applies to any misappropriation that
occurred on or after that date. A trade secret is any technical or
nontechnical information that can be used in the operation of a business or
other enterprise and that is sufficiently valuable and secret to afford an
actual or potential economic advantage over others.
The law allows trade secret owners to file a civil action in a U.S.
district court for relief for trade secret misappropriation related to a
product or service in interstate or foreign commerce. The term “owner” is a
defined statutory term. It means “the person or entity in whom or in which
rightful legal or equitable title to, or license in, the trade secret is
reposed,” according to the DTSA. Under the DTSA, in extraordinary
circumstances, a trade secret owner can apply for and a court may grant an
ex-parte seizure order (which allows property to be seized, such as a
computer that a stolen trade secret might be saved on) to prevent a stolen
trade secret from being disseminated if three conditions are met.
First, the owner must demonstrate, in a sworn affidavit or a verified
complaint, that the ex-parte seizure order is necessary. The owner must
then prove that a temporary restraining order is inadequate. Second, that
immediate and irreparable injury will occur if the seizure is not ordered.
Third, that the person the seizure would be ordered against has possession
of the trade secret and property that is to be seized. Once the ex-parte
seizure order is granted, the court must take custody of and secure the
seized property and hold a seizure hearing within seven days. Individuals
can also file a motion to have the seized material encrypted.
With this development in the law, trade secret assets are no longer
stepchild intellectual property rights. Trade secret assets are now on the
same playing field as patents, copyrights, and trademarks. The DTSA
reinforces that a trade secret asset is a property asset by creating this
new federal civil cause of action.
And there is no preemption. The U.S. district courts have original
jurisdiction over a DTSA civil cause of action, which coexists with a
private civil cause of action under the Uniform Trade Secrets Act (UTSA),
which codified common law standards and remedies from the state level for
trade secret misappropriation. It also coexists with criminal prosecutions
under the Economic Espionage Act of 1996 (EEA), which makes it a federal
crime to steal or misappropriate commercial trade secrets with the
intention to benefit a foreign power.
And if the losses from a stolen or misappropriated trade secret are severe,
both the board of directors and senior executives of the company will be
charged with malfeasance, including the willful failure to take reasonable
measures to protect the corporate trade secret assets from insider theft or
foreign economic espionage.
What the DTSA Means
A trade secret asset must be managed like other property assets. However,
trade secret asset management differs because it first requires the
identification of the alleged trade secret asset. Because millions of bits
of information within a company can qualify as proprietary trade secrets,
classifying and ranking trade secret assets is a critical exercise.
Most companies focus on the protection phase of trade secret asset
management without first identifying and classifying their trade secrets.
This approach is doomed to fail without a thorough analysis. Unless the
company knows what it’s protecting, there can be no effective protection.
And all three phases—identification, classification, and protection—must
occur before an accurate valuation of trade secret assets can be determined.
EONA proofs
Additionally, information assets must be validated in a court of law as
statutory trade secret assets. There is no public registry for trade secret
assets. The courts require proof of existence, ownership, notice, and
access (EONA). The first element requires proof of existence of the trade
secret asset. The litmus test for proving the existence of a trade secret
has six factors: the extent to which the information is known outside the
business; the extent to which the information is known inside the business;
the extent of measures taken to guard the secrecy of the information; the
value of the information to the business and to competitors; the amount of
time, effort, and money expended to develop the information; and the ease
or difficulty with which the information could be properly acquired or
duplicated by others.
For proof of ownership, the plaintiff must show that it is the person or
entity in whom or in which rightful legal or equitable title to, or license
in, the trade secret is reposed. A misappropriator cannot be the owner of a
trade secret. However, a person who independently develops or independently
reverse engineers the trade secret can be the owner of the trade secret.
Further, an employee (who has not been assigned his or her intellectual
property rights in the trade secret asset) may also be the lawful
owner—instead of the employer.
For proof of notice, the plaintiff must show that the defendants had
actual, constructive, or implied notice of the alleged trade secret. A
former employee may use his or her general knowledge, skills, and
experience. However, a former employee may not disclose or use the trade
secrets of the former employer. The former employer cannot claim that
“everything we do is a trade secret.” The court will take judicial notice
that there is both unprotected and protected (trade secret) information in
every company. If the line is unclear, the court will draw the line in
favor of the ex-employee.
For proof of access, the plaintiff must prove that the defendant had access
to the alleged trade secret. If the evidence shows that the defendant never
had direct or indirect access to the trade secret, and there is no
conspiracy claim (involving coconspirators that had access to the trade
secret), there cannot be misappropriation. This is because misappropriation
requires proof of unauthorized acquisition, disclosure or use of the trade
secret by the alleged trade secret thief.
Protection
The DTSA also requires that the trade secret owner take reasonable measures
to protect the secrecy of trade secret assets. This is a much more
challenging task today because trade secret assets are no longer at rest in
a locked file cabinet in an engineer’s office. Today, trade secrets are in
motion and in use via computer systems and networks with access points all
over the world.
This presents a huge challenge. Companies must actively monitor the access
and movement of critical trade secret assets throughout the corporate
enterprise, or risk the serious consequences of forfeiting trade secret
assets by failing to take the reasonable efforts necessary to protect these
assets.
The Valspar economic espionage case in 2009 is a case in point. In this
incident, a 52-year-old senior scientist, David Yen Lee, suddenly resigned
from Valspar on March 19, 2009, and bought a one-way ticket to Shanghai,
scheduled to leave on March 27. Fortunately for Valspar, a coworker
discovered irregularities in Lee’s work computer. Upon further
investigation, an unauthorized program called “Sync Toy” was uncovered in
invisible Windows files. It showed that Lee downloaded 44 gigabytes of
paint and coating formulas, product and raw material data, sales and cost
data, and product development and test information.
The FBI was informed and brought in to investigate. The bureau raided Lee’s
Arlington Heights apartment and recovered the stolen trade secret assets
before Lee’s flight left for Shanghai. Valspar escaped a major disaster
because of the alertness of one coworker who spotted irregularities on
Lee’s work computer. Like most companies, Valspar’s security readiness was
directed to protection against outside intrusions. However, there was
little security in place to guard against trade secret theft by insiders
and trusted employees. Valspar now faced the reality that a trusted employee
could steal a vast amount of trade secrets due to access to computer data
and files. The solution: Valspar set up an internal identification and
classification system for trade secrets called the CPR (Classify, Protect,
Report) model. Valspar now tracks the movement of all critical trade secret
assets within the various computer environments with triggers that are
activated if unauthorized activities are detected.
The reasonable measures necessary for the protection of trade secret assets
continue to grow as the risk of sensitive data loss increases by various
means: unauthorized uploading of trade secret assets to an insecure cloud
or Web application; unauthorized email communications disclosing trade
secret information; unauthorized acquisition of highly classified trade
secret assets onto USB drives; and undetected incoming malware, phishing
emails, and corrupted Web software all facilitating foreign economic
espionage and theft of corporate trade secret assets.
Seizures
The DTSA provides powerful provisions for ex parte seizure orders, but
companies cannot take advantage of these provisions unless effective trade
secret asset management protocols are in place before the actual or
threatened misappropriation occurs. A court can issue an ex parte seizure
order, according to the DTSA, “in extraordinary circumstances” to “prevent
the propagation or dissemination of the trade secret” or to “preserve
evidence.” These circumstances exist when a trade secret thief is
attempting to flee the country, if he or she is planning to disclose the
trade secret to a third party, or if it can be shown that he or she will
not comply with court orders.
The Valspar case is an excellent example of the necessity for ex parte
seizure orders. However, the FBI will not always be there, and the window
of time to protect against the loss of trade secret assets and destruction
of the evidence will often be shorter than the eight-day period in the
Valspar case. This is why a DTSA civil cause of action and an ex parte
seizure order are so important to protect U.S. trade secret assets.
The protection of trade secret assets in these circumstances requires
emergency actions. Once lost, a trade secret is lost forever. The DTSA
requires that the plaintiff (the trade secret owner) file suit (with
verified pleadings and affidavits filed under seal) and successfully obtain
a DTSA ex parte seizure order before the defendants know the suit has been
filed. Otherwise, without the element of surprise, the defendants—often
with several clicks of a computer mouse—can transfer the trade secrets
outside the country and destroy the evidence of trade secret theft by
running data and file destruction software.
Therefore, to take advantage of the robust provision of the DTSA, the trade
secret owner must be able to move faster than the trade secret thief. This
will require a sea change since most companies have no internal trade
secret asset management policies, practices, or procedures in place.
Instead, most companies react after the fact by retaining outside counsel
to investigate and litigate a long-gone trade secret.
The DTSA creates a new paradigm. If management waits until the trade secret
theft occurs to identify what the trade secret is and investigate the
evidence of misappropriation, the actual trade secret assets will be long
gone before counsel can provide the U.S. district court with the proofs
necessary to obtain an ex parte seizure order. The result: if the losses
from the trade secret theft are severe, both the board of directors and
senior executives of the company will be charged with malfeasance,
including the willful failure to take reasonable measures to protect the
corporate trade secret assets from insider theft or foreign economic
espionage.
DTSA Application
What are the next steps in view of the DTSA? Every organization is
different. There are no one-size-fits-all solutions. Each trade secret
asset manager must audit existing approaches to protecting trade secret
assets, the resource allocations within the organization, and any budgeting
issues with protecting trade secrets. However, the catchphrase “we are
working on it” will no longer provide adequate cover now that there is a
federal civil cause of action specifically designed to protect the trade
secret assets of 21st Century, new economy companies.
A fundamental first step should be the creation of an internal trade secret
control committee (TSCC). The TSCC should be charged with the
responsibility to adopt policies and procedures for the identification,
classification, protection, and valuation of the company’s trade secret
assets. The next step should be the creation of an internal trade secret
registry (TSR). This is a trade secret asset management system that can be
deployed as a cloud-based solution, a corporate server, or a stand-alone
work station.
The TSR should operate like a library card catalogue storing necessary
trade secret asset information with hash codes and block chaining (a
database that sequences bits of encrypted information—blocks—with a key
that applies to the entire database) to ensure the authenticity of the data
stored in the TSR and to meet the required evidentiary standards in a trade
secret misappropriation lawsuit.
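As an added illustration that is not part of the original article, the sketch below shows one way a tamper-evident registry of this kind can be built. It uses a plain SHA-256 hash chain rather than encrypted blocks, and every function name, field name, and sample record is hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def digest_entry(body: dict) -> str:
    # Canonical JSON so identical fields always produce the same hash.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def register(registry, asset_id, owner, classification, content, timestamp):
    """Append an entry; only the SHA-256 of the secret is stored, never the secret."""
    body = {
        "asset_id": asset_id,
        "owner": owner,
        "classification": classification,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "timestamp": timestamp,
        "prev_hash": registry[-1]["entry_hash"] if registry else GENESIS,
    }
    entry = dict(body, entry_hash=digest_entry(body))
    registry.append(entry)
    return entry

def verify_chain(registry):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(registry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev or digest_entry(body) != entry.get("entry_hash"):
            return i
        prev = entry["entry_hash"]
    return None

def matches_registered(registry, asset_id, content):
    """True if `content` is byte-identical to what was registered under asset_id."""
    digest = hashlib.sha256(content).hexdigest()
    return any(e["asset_id"] == asset_id and e["content_sha256"] == digest
               for e in registry)

def build_sample_registry():
    # Constructed sample data: asset ids, owners and contents are made up.
    reg = []
    register(reg, "TS-0001", "Coatings R&D", "critical",
             b"constructed formula sheet A", "2017-01-10T09:00:00Z")
    register(reg, "TS-0002", "Sales Ops", "sensitive",
             b"constructed cost model B", "2017-02-03T14:30:00Z")
    register(reg, "TS-0003", "Coatings R&D", "critical",
             b"constructed test report C", "2017-03-21T11:15:00Z")
    return reg

if __name__ == "__main__":
    reg = build_sample_registry()
    print("intact:", verify_chain(reg) is None)
    reg[1]["timestamp"] = "2016-02-03T14:30:00Z"  # backdating attempt
    print("first broken entry:", verify_chain(reg))
```

A chain like this only shows that entries were not altered after the fact if the latest `entry_hash` is also recorded somewhere the registry's own administrators cannot rewrite, since anyone who controls the whole store can rebuild the chain from the first entry.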
Another necessary step is trade secret asset classification, the foundation
of a successful trade secret asset management program. This allows trade
secret assets to be identified and ranked, so that the level of security
matches the level of importance of the trade secret asset. There are now
automated trade secret asset management tools available to assist companies
with the classification and ranking of trade secret assets. Security,
without identification and classification, is doomed to fail. In contrast,
securing data after identification and classification of the trade secret
assets makes it much easier for the internal security ecosystem to enforce
trade secret protection policies and to prohibit unauthorized access,
unauthorized disclosure, and unauthorized use.
Today, software tools can protect the company from mistakes that lead to
the forfeiture of classified trade secret assets. If a user attempts to
email a trade secret document to unauthorized recipients, the software
program will immediately alert the user so the mistake can be corrected.
Further, classified trade secret assets can be monitored. Administrators
can track abnormal or risky behavior that otherwise cannot be tracked until
the trade secret is compromised.
Developing a trade secret incident response plan (TSIRP) is another
critical requirement. The flow of trade secret assets throughout the
corporate enterprise should be tracked with built-in red flags, designed to
trigger the TSIRP and activate a designated outside counsel SWAT team to
proceed immediately to the courthouse to seek a DTSA ex parte seizure order
(and other necessary relief) before the bad actors can destroy the evidence
or transfer the stolen trade secret assets outside the court’s jurisdiction.
Employee Management
There are other best practices for trade secret assets now that companies
are focusing on the various stages of identification, classification,
protection, and valuation. Building a trade secret culture from the top
down, with required training and compliance with TSCC policies, practices,
and procedures, is at the top of the list. Companies must promote a trade
secret culture by prompting employees and users to stop, think, and
consider the business value of proprietary, internal information they are
creating, handling, and reviewing. A major loss of trade secret assets can
put the company out of business. Employees must understand that their jobs
depend upon the identification, classification, and protection of the
company’s trade secret assets. Onboarding procedures for new employees and
offboarding procedures for departing employees are also very important.
The new employee interview process should include protections to prevent
his or her former employer’s trade secrets from being exposed. This could
include an inquiry to determine if the potential new employee is subject to
post-employment restrictions with his or her former employer. If so, there
should be a separate review by the company’s intellectual property counsel
before the employee is hired.
Further, the new employee hiring process should include an investigation
and certification by the new employee that no proprietary, trade secret
information of any previous employer is being brought to the company or is
being stored electronically in his or her personal email system or other
electronic storage locations.
Finally, the prospective new employee should sign an employment agreement
with patent and trade secret assignment provisions. He or she should also
receive and review the company’s required trade secret policies and
procedures. When an employee leaves the company, off-boarding procedures
should include a mandatory trade secret exit interview. The interview
should be conducted under strict procedures adopted by the TSCC, including
execution of a trade secret acknowledgement at the conclusion of the
interview certifying that all company devices, documents, and materials,
including electronic copies, paper copies, and physical embodiments have
been returned. It should also certify that all proprietary and confidential
information, stored on any personal computer or mobile device, has been
identified and preserved, returned, or deleted under the company’s
instructions.
The enactment of the DTSA will usher in a new era. It requires trade secret
owners to identify, classify, and protect trade secret assets as property
assets. In time, the DTSA will become a precursor for new accounting
systems that will provide valuations for trade secret property assets.
This development will unleash the reservoir of untapped intellectual
property assets, which will fuel the growth of new economy companies in the
Information Age.