[BreachExchange] Three Lessons from the Conviction of Sinovel Wind Group for Trade Secret Theft

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 15 18:50:56 EST 2018


https://www.lexology.com/library/detail.aspx?g=7e05975e-2973-456e-9086-48c7f4b7f4f1

Chinese wind turbine manufacturer Sinovel Wind Group Co. Ltd. was convicted
last month of stealing software from AMSC Inc., a U.S.-based company
formerly known as American Superconductor Inc. The theft nearly destroyed
the American company, which lost substantial service contracts after the
theft and began to shed market capitalization, jobs, and facilities as a
result. With the conviction, Sinovel now awaits sentencing, scheduled for
June 2018, which could include more than $1 billion in fines and a
multi-year probationary period.

Sinovel and AMSC had a history of working together prior to the trade
secret theft. In 2005, the companies partnered on several large energy
infrastructure projects with Sinovel supplying wind turbines and AMSC
supplying software used to control the flow of electricity generated by the
turbines onto the electrical grid. AMSC’s software is directed to
technology known in the industry as Low Voltage Ride Through (LVRT), which
helps prevent damage to turbines and supporting equipment during electrical
transients on the grid. [Note 1].

By 2011, Sinovel and AMSC had entered into contracts worth hundreds of
millions of dollars. But that year, according to the criminal case, senior
managers at Sinovel convinced a disgruntled AMSC employee to download and
transfer AMSC’s LVRT software to Sinovel. Since a trade secret is any
commercially-valuable information subject to reasonable efforts to maintain
its secrecy, this software transfer to Sinovel constituted trade secret
theft. With AMSC’s software in hand, Sinovel then backed out of a number of
contracts with AMSC to avoid paying some $800 million in software fees.

Sinovel’s theft was not discovered until 2013, when the Chinese
manufacturer commissioned a Massachusetts-based company to construct new
turbines that incorporated the stolen software. That company alerted the
FBI to the presence of AMSC’s stolen software, and after an investigation
the FBI and U.S. Department of Justice brought criminal charges against
Sinovel. [Note 2].

The consequences of Sinovel’s trade secret theft were dramatic. AMSC lost a
staggering $1 billion in market capitalization as a core revenue stream –
its LVRT software contracts – dried up. On the other side, the actions of
two Sinovel employees have exposed the company to enormous scrutiny, bad
press, and fines. For those of us following from the sidelines, there are
three clear takeaways from this case:

1. The most serious threats to your company’s trade secrets are sometimes
internal rather than external.

When Sinovel decided to steal AMSC’s software, they didn’t hire a team of
hackers but rather turned to an AMSC employee. Although external threats
such as hacking and cyber espionage should be taken seriously, companies
also need to consider internal threats when designing protections for their
trade secrets. Those protections usually begin with restricting access to
only those with a genuine need to use the secret information. Companies
seeking to protect trade secrets should consider:

- Who currently has access to the secret? Do those employees truly need
access?
- What type of restrictions (physical, electronic) can be placed on access
to the secret without overly burdening productivity? Can access be
restricted by date, time, location, duration, etc.?
- To what extent does access to the secret commingle with personal
electronic devices such as USB drives, external hard drives, and
smartphones?
- What types of contractual protections such as confidentiality,
non-disclosure, and non-compete agreements can be used in relation to the
trade secret?
- How are current employees and new hires educated on the company’s trade
secrets, measures in place to protect those secrets, and the consequences
of public disclosure?

2. Cybersecurity protections should include monitoring functions.

It took months for AMSC to learn its software had been stolen, and even
then it only learned of the theft from the FBI. The LVRT software was a
“crown jewel” of AMSC’s business, yet AMSC appears to not have had
sufficient monitoring in place to realize that the software was stolen or
even to identify unusual activity. When AMSC began to lose contracts,
revenue, and market capitalization after the theft, it would have been
helpful to the company if it had the ability to review employee activity
for suspicious behavior.

At a minimum, companies need to maintain an activity log for sensitive data
files. Modern trade secrets like customer lists, algorithms, technical
plans, vendor lists, marketing strategies, and financial statements are
almost universally stored in electronic format. In addition to the access
restrictions discussed above, a strong protection regime monitors and logs
use of the trade secret. If possible, monitoring functions should be
implemented that seek to identify suspicious activity related to sensitive
data files.

Simply monitoring employees’ use can’t stop them from taking trade secrets,
but it can potentially deter such theft and help companies quickly mitigate
the damage following a theft.

3. Employee actions can lead to tremendous legal and financial exposure.

On the other side of this case, two Sinovel employees – the Deputy Director
of Research and a Technology Manager – conspired with an AMSC employee to
transfer AMSC’s software to Sinovel. From the actions of two employees,
Sinovel has been subjected to extensive investigation by U.S. law
enforcement authorities, convicted of trade secret theft, and now faces
extensive financial penalties. Although the conspiracy in Sinovel’s case
almost certainly reached to higher management in the company, the sobering
reality is that even a single employee can create substantial risk for a
company by misappropriating trade secrets.

In order to avoid misappropriating the trade secrets of other companies –
or even actions that can be construed as misappropriation – a company needs
to educate its workforce on the basics of trade secrets. Managers need to
be trained to identify potentially problematic behaviors of employees and
need to adequately supervise those employees when handling sensitive
matters.

One aspect of a business that is fraught with trade secret concerns is
hiring new workers. Many companies today will perform extensive due
diligence on potential new employees to identify any sensitive information
they may have had access to in previous jobs. In appropriate circumstances,
the new employee may be asked to sign a document memorializing their
agreement not to bring sensitive information from a previous job. In some
cases, a company may require that the new employee be walled off from
particularly sensitive projects to avoid concerns that the employee could
even inadvertently mix trade secrets from a previous job.