Data theft of trade secrets through the use of portable electronic storage devices is occurring more and more, as is theft through cloud storage, according to James D. Vaughn of iDiscovery Solutions. Seyfarth Shaw’s Robert B. Milligan, who chairs his firm’s Trade Secrets, Computer Fraud & Non-Competes practice group, notes that pervasive bring your own device (BYOD) policies perpetuate the risk. Here, Vaughn and Milligan discuss the intersection of corporate espionage in the context of employee privacy, employment policy implementation and dispute resolution. Their remarks have been edited for length and style.
MCC: Could you provide a brief snapshot of current trends in trade secret disputes? Do companies need to be more aware of the potential risks in this area?
Milligan: This BYOD movement can provide benefits to employees and employers, such as convenience, greater flexibility and productivity, as well as cost savings. However, BYOD programs can also create risks for employers. Companies need to be aware of potential data security issues, BYOD policies in a unionized workforce, employee privacy concerns and intellectual property issues. Moreover, the recovery of stolen information and workplace investigations can be hampered by employee-owned devices, not to mention challenges in litigation when trying to gain access to such devices where privacy considerations are often leveraged.
Additionally, attacks on reasonable secrecy measures – part of the definition of a trade secret – is also on the rise: One court recently ruled that password protection alone was not enough to demonstrate reasonable secrecy measures.
Vaughn: In addition to data theft of valuable company trade secrets through portable electronic storage devices and cloud storage, we are also seeing an increase in more sophisticated hacking of company networks to obtain proprietary data by organized crime and foreign companies or states. Technological tools and employee use of personal mobile devices, such as smartphones and tablets, have given rise to a parallel trend of employers allowing – or requiring – their employees to use their own personal mobile devices at work. All of these data points can leave traces of evidence that may prove to be valuable if one is trying to show or defend the alleged theft of sensitive data.
MCC: How severe is the threat of losing trade secrets to a departing employee or departing executive? What are some of the common scenarios in which trade secrets can be compromised in this manner? Does the threat level change based on the size of the company – small cap, mid cap, Fortune 50?
Milligan: Just look at recent headlines involving some of the world’s largest companies that have seen their proprietary information compromised by insiders and outsiders. The crown jewels of many companies are at risk, and millions of dollars are in play. Lack of market secrecy measures, sloppy practices – including poor supply-side protections, lack of employee education, and stale agreements and policies – are all frequently seen issues that put a company at risk.
Common scenarios in which trade secrets can be compromised include letting an employee take company data when he or she leaves or not utilizing noncompete or nondisclosure agreements. There can also be instances where the particular industry is highly competitive and competitors are willing to take the enhanced risks to acquire the business or technology. On these occasions, companies need to make sure they have in place appropriate on-boarding and off-boarding practices and procedures, and use the appropriate agreements to ensure that they are not exposed.
In our experience, the threat level does not necessarily change depending on the size of the company, but the magnitude of harm may increase. The larger the company, the more information to protect and employees or third parties to regulate and police. But small- and mid-cap companies have similar concerns because they oftentimes have innovative technology that competitors or other third parties want, so these companies can also be vulnerable.
Vaughn: In my experience, a majority of data that leaves a company is through departing employees, such as salespeople, for example. Aside from traditional means, it occurs in nontraditional ways, like taking customer invoices from online database systems or accessing contact lists through cloud email. That type of forensic evidence may not show up on a workstation, so the forensic examiner needs to know what other locations to check for this type of exfiltration. You also have to be aware of poor security and different standards for executives who say one thing and do another when it comes to protecting sensitive data.
MCC: In what ways is the technology now available to employees changing the playing field in terms of loss or theft of trade secrets?
Milligan: The constant evolution of technology – particularly in mobile devices, data storage and security, and social media – has created legal challenges for companies, and the playing field has changed tremendously. Companies definitely need to stay on top of social media. Given its rapid and somewhat haphazard growth, social media carries with it a set of issues that traditional avenues of trade secret disclosure do not. For instance, unlike the departing employee who knowingly takes with him a box of documents, the relaxed and nonprofessional environment of social media sites could lead to employees disclosing confidential information without even realizing they are doing so. Exposure of confidential company information and employee privacy rights are issues that companies are now struggling with.
Vaughn: Portable electronic storage devices, online data storage and personal email are available to employees for nominal to no expense and can provide the means to commit trade secret theft. Additionally, business leaders often want data and information immediately, and want to make it accessible to various constituents. However, companies don’t necessarily keep up with the latest in security in protecting such data, opening an all-too-easy path for theft. It’s vital in today’s environment that companies stay on top of technology, including the latest in data storage and security. Hacking of computers and mobile devices is a large concern these days, and more mobility for employees means more potential security issues for companies.
MCC: How can companies avoid trade secret misappropriation, and what should they do if they suspect it has occurred? What forensic investigation options might be available?
Milligan: Apart from civil liability, the Economic Espionage Act makes it a federal crime to steal trade secrets, and companies can be liable if they hire employees who misappropriate trade secrets for their new employers’ benefit. Make sure your executives know the importance of playing by the rules. Employers can best avoid trade secret misappropriation with solid hiring practices and strong off-boarding procedures that are calculated to protect trade secrets and honor lawful agreements, coupled with effective, ongoing employee training on trade secret protection and fair competition.
Protecting your company information is critical to avoid trade secret misappropriation, and companies should work with their outside counsel to create solid policies and agreements, and solutions for on-boarding, to avoid exposure on restrictive covenants and trade secrets. It’s also crucial to know your business partners, and have them vetted, so that they don’t expose your valuable trade secrets.
Critical to any trade secret matter is the thorough investigation of what, if any, wrongdoing occurred. Companies should work with legal counsel who are experienced in conducting such investigations. Comprehensive interviews and a review of relevant files, emails and workspaces are often the starting points of a competent investigation.
Vaughn: Collaborate with digital forensic experts and computer specialists to find out how secrets were taken, and by whom, and to preserve any evidence necessary to future litigation. It’s important to preserve data, review emails and other data sources, and to talk to relevant witnesses as quickly as possible after the detection to interpret the forensic data. A digital forensics examination often includes collecting and analyzing artifacts from the operating system, internet history, connected devices, short cuts showing files and folders being opened or accessed, and unallocated space. Routine e-discovery does not typically delve into questions about the source computer or storage device and ESI, although it may uncover the need to ask questions related to internet history, webmail, cloud storage, mobile devices, phone backups and removable devices.
MCC: In your experience, what should a company do if a trade secret dispute arises between it and a former employee?
Milligan and Vaughn: If a company suspects that valuable information has been improperly taken or compromised, you need to first assess the potential competitive threat to the company. It’s important to take fast, effective action and consider whether to pursue civil remedies or criminal intervention against the former employee. If litigation is anticipated with the departure of an employee, you should take the following precautionary steps immediately:
- Secure and establish a chain of custody for all items returned by the departing employee, including laptop computer, desktop computer, USB devices, tablets, and physical property.
- Secure and maintain a chain of custody of the employee’s office and the items in that office until it is searched.
- Retain outside counsel to investigate the departure and have them secure the services of a digital forensic investigation firm with a good reputation.
- If the employee is computer savvy, do an immediate search of the internet for relevant materials posted to social media sites including LinkedIn, Facebook, and Twitter.
MCC: In the battle against trade secret theft and related disputes, do companies place enough importance on the language and provisions contained in employment contracts? How can employment contracts be strengthened to either reduce trade secret theft or improve the company’s chances of reaching a successful outcome in a dispute?
Milligan: In our experience, companies should place more importance on their agreements with employees, vendors and business partners to protect trade secrets. Companies need to strengthen the language and provisions contained in such agreements, including clearer definitions of protectable trade secrets, return of company property provisions, appropriate restrictive covenants, and appropriate forum and choice of law provisions. Well-drafted agreements can reduce the risk of information being misappropriated. Such agreements should be updated annually, as needed, based on changes in the law, and companies should routinely audit their practices to make sure that each employee has an appropriate agreement. Companies should also make it an agreed requirement for employees to sit for an exit interview and return any of the company’s confidential information stored on any personal devices. Finally, agreements should include an attorneys’ fee provision for breach.
A thorough exit interview should be conducted at the time any employee separates, and as part of that exit interview process, each exiting employee should be given a written reminder of their ongoing trade secret, confidentiality and social networking obligations, and should be asked to sign the reminder acknowledging receipt and their agreement to comply with such obligations. The exit interview is also the time to get company property returned by the departing employee and make any arrangements for the return and remediation of company property on any personal devices.
Robert B. Milligan is a partner in the Los Angeles office of Seyfarth Shaw and co-chair of its national Trade Secrets, Computer Fraud & Non-Competes practice group. He can be reached at email@example.com.