Discontinuing the Blog

Dear Readers,

I have decided to formally transfer this blog over to the WordPress site described earlier in this blog.  (See Moving to WordPress!)   We have now worked out the kinks!

Please join me over at http://www.privacyandiplawblog.com for continued commentary and legal analysis.

Of course, please reach out if you have any questions or comments about the move.

Best wishes,
Christina Frangiosa
Publisher, Privacy & IP Law Blog

TEMPORARY HIATUS

Dear Readers:

I am pleased to announce that I have joined the IP practice of the law firm, Eckert Seamans Cherin & Mellott, LLC, in its Philadelphia Office.  While I’m getting settled, I will not be in a position to post updates to this blog.  However, this interruption will only be temporary and I hope to resume posting on new developments in the IP world again shortly – either here or on a blog to be created within the firm.  Please stay tuned.  If you need to reach me in the meantime, please email me directly.

 
Best,
Christina Frangiosa
Privacy and IP Law Blog

Business Owners & the New Federal Claim for Trade Secret Misappropriation

On May 11, 2016, Pres. Obama signed into law the Defend Trade Secrets Act of 2016, S. 1890, 114th Congr. (2d Sess. 2016) (“DTSA”), which provides for the first time a federal private right of action to litigants for trade secrets violations.  Most states – except for Massachusetts and New York – have enacted versions of the Uniform Trade Secrets Act (“UTSA”) but the DTSA provides additional remedies without preempting state laws or eliminating any of the protections offered by them.  Business owners will need to take some actions in the short term in order to take advantage of some of the more powerful remedies created by the DTSA.

A Summary of the New Law: 

The DTSA is a substantial revision to the Economic Espionage Act (18 U.S.C. §§ 1831-1839 and 18 U.S.C. § 1961), which previously only provided criminal penalties and was only enforceable by federal prosecutors.  An individual trade secret owner’s right to sue for trade secret misappropriation related to a product or service used (or intended for use) in interstate commerce in federal court is, therefore, new.  So are many of the remedies available to trade secret owners.  Below is a summary of key provisions:

1.       Who Can Sue? 

Owners of trade secrets may file an action against those who “misappropriate” their trade secrets, provided that the trade secrets relate to products or services that are used in (or are intended for use in) interstate or foreign commerce.  This means that trade secrets associated with products or services that only travel within a single state could not be enforced under this Act.    

2.       What is “Misappropriation”? 

“Misappropriation” includes either  (1) acquisition of a trade secret by someone who knew or should have known that the secret was obtained by “improper means” or (2) disclosure of such a secret by one who did not have express or implied consent to do so and knew or should have known that it was a secret or acquired by “improper means”.

3.       What Counts as “Improper Means”?

“Improper means” includes theft, bribery, misappropriation, breach or inducement of breach of a duty to maintain secrecy or espionage through electronic or other means.  More importantly, however, “improper means” expressly does not include reverse engineering, independent derivation or any other lawful means of acquisition.

4.       Available Remedies. 

Potential remedies include: (A) injunctions to prevent the actual or threatened misappropriation, (B) monetary damages for actual loss and for unjust enrichment, and, (C) if all other remedies are insufficient to make the trade secret owner whole, then the owner can recover a reasonable royalty.    A reasonable royalty is not the preferred remedy, but instead should be a remedy of last resort.  (See Senate Rep. 114-220 (Mar. 7, 2016) and House Rep. 114-529 (Apr. 26, 2016)).

5.       Enhanced Damages for Willful Misconduct. 

If a trade secret owner can prove that the trade secret thief misappropriated the trade secret “willfully and maliciously”, then the court may award exemplary damages (not more than two times the monetary damages awarded); and award attorney fees to the prevailing party.  Such an award is within the sound discretion of the district court.

6.       Narrow Ex Parte Seizure Order. 

A trade secret owner’s ability to obtain an ex parte seizure order (which allows law enforcement officers to seize allegedly misappropriated trade secrets from a specific target without providing advanced notice to the target or permitting the target to be heard in opposition to an order prior to its issuance) is new under this law.

                Seizure is an extremely powerful tool, but has several potent limitations: (a) it is only available if the trade secret owner can demonstrate that a regular Rule 65 injunction would not be effective against this target because the target “would evade, avoid or otherwise not comply” with an injunction order, or “would destroy, move, hide or otherwise make such a matter inaccessible to the court”; (b) a seizure order will not be issued if the trade secret owner has publicized in any way that it is pursuing seizure; (c) the trade secret owner may not participate in the seizure (instead, this is handled by appropriate law enforcement personnel); (d) the trade secret owner does not receive the alleged trade secrets once they are seized from the target (instead, these are held in the custody of the court); (e) the trade secret owner must provide security (i.e., post a bond with the court) against the possibility of unlawful seizure; and (f) any seizure MUST minimize any interruption in the lawful business operations of the target.

7.       Sanctions for Bad Faith Claims or Wrongful Seizure. 

If the target proves by circumstantial evidence that the claim of misappropriation was made in bad faith, the court may award attorney’s fees to the target as a prevailing party.

                Further, if a trade secret owner wrongfully seizes materials that are later determined not to have been misappropriated, or if the owner sought an excessive seizure, the target may be entitled to the following:  (1) “relief as may be appropriate” (which includes damages for lost profits, cost of materials, loss of good will and punitive damages); (2) reasonable attorney’s fee unless the court finds extenuating circumstances; and (3) prejudgment interest on any recovery (beginning on the date the trade secret owner applied for the seizure owner).  In this case, the bond posted by the trade secret owner shall not constitute a cap on the available recovery.

8.       Federal Jurisdiction

Trade secret owners are permitted to bring DTSA claims in federal district court, but they are not required to.  Federal courts have original, but not exclusive, jurisdiction over these claims.

9.       Statute of Limitations

Trade secret owners have three (3) years after the misappropriation was discovered (or through exercise of reasonable diligence should have been discovered) to commence a civil action asserting a claim of misappropriation under the DTSA.

                However, continuing misappropriation is considered a single act – not individual acts of misappropriation that could re-start the clock for purposes of the statute of limitations.

10.   Limitations on Claims against Employees (a.k.a. Employee Immunities)

Employers can only obtain enhanced damages and attorneys’ fees from any employee who discloses its trade secrets IF the employer notified the employee in advance (either through an agreement or in certain employment policies if appropriately cross-referenced) of his/her immunity for liability under certain whistleblowing circumstances.  “Employees” for these purposes include contractors and consultants.

11.   Effective Date

This Act applies immediately to any misappropriation for which any action happens on or after the date of enactment (May 11, 2016). 

What Should Business Owners Do Now?

First and foremost – employers should revise their form agreements to be used with any employee, contractor or consultant who will have access to the employer’s confidential information to provide the requisite notice of whistleblower rights.  Without this notice, an employer cannot seek exemplary damages (up to twice the amount of actual damages awarded) or attorney’s fees if it proves the misappropriation was willful or malicious. 

Second, trade secret owners need to take stock and identify clearly what their trade secrets are.  In particular, if a trade secret owner pursues an ex parte seizure order against a competitor or an ex-employee’s new employer, the trade secret owner will have to articulate with some clarity what the trade secrets are that are alleged to have be misappropriated.  This identification is intended to aid the law enforcement officers charged with executing the seizure order to know what to take, but also allows a trade secret owner to position itself better to avoid an allegation of wrongful seizure or a bad faith claim of misappropriation as the litigation develops.  This identification will also aid businesses overall by necessitating the creation of tighter controls over those assets that are truly trade secrets to keep them from being unlawfully disseminated.

Finally, if a business becomes the target of an ex parte seizure order, know that a hearing must occur no later than seven (7) days after the seizure order was issued. Be prepared to argue that other injunction options may have been reasonably available to support the argument that a wrongful seizure occurred, entitling the target to damages. Even if the business only receives a threat of an ex parte seizure, consider whether the exceptional circumstances justifying an ex parte seizure were actually present in your case. Take any such threats seriously, and contact your attorney immediately if you receive a demand letter making this claim or if a seizure order is executed against you -- because your time to respond in either case will be very short.

Copyright © 2016, Christina D. Frangiosa.  All rights reserved.

Five Simple Things Businesses Can Do to Better Secure Their Data

News of data security breaches at one company or another has become so common that perhaps we are becoming immune to the significant impact these breaches can have on those whose information are affected. Not only can identity theft destroy an affected individual's credit and limit his/her future buying choices, but also it is becoming clear that, philosophically, perhaps our private data really aren't private anymore. Think of how easy it is to search public records online and find out personal details about a person well beyond what the phone book would have listed in days past. It is harder and harder to keep secrets when the Internet is involved.

Notwithstanding such developing immunity to the shock of a data breach at any particular company, data breaches are very serious events for a company – of any size. In the aftermath, it is not unusual to hear business executives announce that they "never want to go through that again."

So, what can you do to minimize your company's risk for data breach? Here are my top five recommendations:

1. Hire the right people. Whether you rely on internal IT support staff or if you outsource to a third-party vendor, make sure you have the right resources in place to accomplish your goals. Discuss your expectations (particularly about data security) with these personnel at the beginning of the relationship and set realistic goals for achieving a secure system.
2. Conduct the necessary due diligence. Before you hire that new IT security director internally or engage that new third-party vendor, be sure that they actually have the skills in place to accomplish the levels of data security you envision. Interview your candidates (whether individual or vendor) to determine that their services match your needs. Make sure you know what services you are signing up for. If you want a company to be actively testing your network for potential weaknesses, make sure that such services are covered by the fees you are paying; typically, they are more expensive than services that simply patch your existing software with newly-released security updates from the manufacturer.
3. Pay Attention to Suspicious Conditions. Watch for signs that someone else may be making changes to your network. (For instance, user names and passwords suddenly not working, the appearance of new administrator accounts, system unavailability particularly for remote access, significant slowdown of processing speed during periods of regular use, etc.). Just like we are all being warned in public transportation venues that "if you see something, say something", if you suspect that your data may not be secure, do not ignore that suspicion. Involve your IT personnel and be sure that you are effectively maintaining the security of your network.
4. Update all Software as Recommended by the Manufacturer. Security patches are rolled out all the time, particularly after the manufacturer learns of potential weaknesses in security. If you keep your software updated with these patches as part of your regular routine, you decrease your risk of exposure. Same with anti-virus and anti-malware software: they are only as secure as that last update that was applied. Keep the virus and malware definitions up to date to reduce your risk of intrusion by known entities.
5. Only Collect Information that You Absolutely Need. If you do not need access to customers' credit card numbers, don't ask for it. And, if you do need access, do not retain it any longer than necessary to complete the transaction. In particular, where credit card numbers are concerned, there are other regulations, standards and guidelines about what you can keep and for how long. See Payment Card Information Data Security Standards ("PCI DSS") for more details. With respect to the data you decide to keep, maintain your sensitive data in encrypted form as much as you can to reduce the risk of third-party access. Once you decide not to maintain certain sensitive information any longer, be sure that you comply with federal, state and local laws governing the safe destruction of documents or electronic data that embody personally identifiable information ("PII") or competitively sensitive data, such as trade secrets.

In general, businesses who are proactive about putting in place and maintaining effective data security protocols have a much better chance of avoiding the exposure that results from a data breach. Of course, there's no guarantee that you might not be targeted by a malicious and very determined third party, but consider a thief's potential options: (1) hack that network that is protected by multi-layer and multi-factor data security; or (2) walk through that open door provided by another company who is not managing their IT security effectively. If you were the thief presented with these options, wouldn't you take the path that presents the least resistance? Don't be the "open door."

Copyright (c) 2016, Christina D. Frangiosa, All Rights Reserved.

Mobile Device Security Policies for Employers – Small and Large

As a business owner, perhaps you have seen articles about setting ground rules for BYOD (a.k.a. employees bringing their own devices to work to use for work purposes).  Placing restrictions on access to Company information, however, should not be limited only to those BYOD devices.  Instead, if the Company issues Company-owned devices to employees for use on Company systems, similar ground rules should be put in place to set expectations and provide the backdrop for any disciplinary action that may be needed later if an employee misuses Company information or loses an unsecured device.

Here are some questions to keep in mind as you develop policies for Company-owned devices issued to employees:

1.     Do you have an “Acceptable Use” policy in place?  Does it apply to both Company-owned and BYOD devices?

2.     Do you restrict the employee’s use of Company-owned devices?  (E.g., to be used for business purposes only, avoid storing personal information on the device, all information on the device shall be considered “owned” by the Company)

3.     Have you retained the right to take back any equipment that an employee does not use properly?  Similarly, do you ensure that Company-owned devices are surrendered upon termination?

4.     Do you require strong passwords to secure all portable devices (both BYOD and Company-owned)?  (You should.  See, e.g., Eric Griffith, “How to Create Strong Passwords,” PC Magazine, Nov. 29, 2011, for some good tips.).  Once you require passwords, remind your employees not to tape them to the front of their devices – instead, suggest alternate ways of remembering the unique passwords they just created.

5.     What about using portable devices on public or unsecured networks? (For instance, at the coffee shop while waiting for that triple-shot latte.)  Have you provided guidelines and training to your employees to avoid disclosing Company-sensitive information across such public networks?  This is especially important if the information is mission critical or could destroy the Company’s tactical advantage if its competitor were to access it.

6.      Do you require employees to report immediately the theft or loss of a Company-owned device?  Prompt reporting allows the Company to block potentially damaging intrusion attempts or to change the affected employee’s passwords to prevent unauthorized access.  The Company’s hands will be tied if the employee does not report the loss until several days later.

7.     Do you provide rules about whether Company documents can be downloaded to external devices and under what circumstances?  Consider mobile device management software to control the downloading of Company information to the device, to track the location of Company-owned devices and to enable remote wiping if the device is lost or stolen.

8.     Who handles the system updates to the device?  The Company?  (Probably, unless it’s a BYOD device.)  The employee?  (Probably only if the device is personally owned by the employee.)  If it’s a Company obligation, then ensure that the device is accessible to the Company when needed (i.e., “on demand”) to fulfill this requirement.

9.     Will the employees’ family members be accessing the device?  (More likely if it’s the only device in the house – less likely if there are other options available to the family.)  Consider restricting use of Company-owned devices to employees only.

10.  Do you prohibit the downloading of unauthorized content to the device?  Whether it’s pornography, another company’s trade secrets or pirated videos streaming the latest (copyrighted) episode of a favorite show, none of these things belong on most companies’ business equipment and could expose the Company to liability from a third-party who owns the rights to the content.

11.  Do you require encryption or password-protection when transmitting particularly sensitive Company information to outsiders?  If not, you should.  Take everyone opportunity to protect the Company’s trade secrets and try to keep them from public dissemination.  Having a reliable system in place increases the changes that a court would conclude that the Company’s trade secrets are deserving of such protection in the event of a breach.

·       Notably, in the 2012 Target data breach, the large, well-funded entity (Target) was not the source of the leak that allowed hackers to steal thousands of customer credit card numbers.  Instead, it was the HVAC servicing company that had minimal security protocols in place and effectively acted as the front door to enable the hackers to steal the data over a surprisingly long period of time. 

12.  Does the Company have record-keeping requirements (statutory, regulatory, etc.) that would apply to an employee’s use of a portable device?  Are employees who work remotely required to keep Company records and maintain certain Company files?  If so, consider implementing rules identifying when such record keeping should occur and provide guidelines for destroying extra copies or other pages that the employee might otherwise throw out in the trash at a remote site.  (Some states have “safe destruction of documents” laws intended to reduce the likelihood of identity theft or other unauthorized access of personally-identifiable information.)

A few closing thoughts – take every precaution to keep Company data secure.  Always require the installation and use of anti-malware/anti-virus and other security tools to limit a potential thief’s ability to misuse the Company’s data or to leave code behind that continues to collect the data even after the potential thief has appeared to withdraw. 

The more conscientious you are about keeping Company data secure, the more likely you are to avoid severe consequences (or at least reduce them) in the event of a data breach – whether the breach is caused by the concerted efforts of outsiders or by wrongful conduct of your own employees or by unintentional mishaps (such as the employee leaving the device in the back of a cab during a hectic business trip).  Watching the doors is always worthwhile.

Copyright (c) 2016, Christina D. Frangiosa, All Rights Reserved.