Confidential Information

A federal judge in Chicago recently taught a painful lesson to an Illinois employer: even if information is sufficiently sensitive and valuable that it could qualify as a “trade secret,” it won’t unless the owner of the information took adequate steps to protect its secrecy.

In a thorough opinion issued in the case, Abrasic 90 Inc., d/b/a CGW Camel Grinding Wheels, USA v. Weldcote Metals, Inc., Joseph O’Mera and Colleen Cervencik, U.S. District Judge John J. Tharp, Jr. of the Northern District of Illinois explained that “there are two basic elements to the analysis” of whether information qualifies as a “trade secret”: (1) the information “must have been sufficiently secret to impart economic value because of its relative secrecy” and (2) the owner “must have made reasonable efforts to maintain the secrecy of the information” (internal quotation omitted).

According to Judge Sharp’s opinion in Abrasic 90 Inc., when the long-time president of grinding disc manufacturer CGW Camel Grinding Wheels (“CGW”) left CGW to start a competing business, Weldcote Metals, Inc. (“Weldcote”), he took with him a flash drive with information about CGW’s pricing, customers, and suppliers. He later hired another former CGW employee to join him at Weldcote and she, too, brought with her CGW information that she believed “might be helpful to her at Weldcote.” Some of this CGW information was uploaded to Weldcote’s computers and used “as a general reference point and a benchmark when determining some of Weldcote’s initial needs,” and some of the CGW information was shared with Weldcote sales reps, who were “instructed” to “target key CGW distributors.”

With these facts, CGW no doubt thought it had a compelling claim for trade secret misappropriation and that it was likely to receive injunctive relief. But Judge Tharp denied CGW’s request for a preliminary injunction under the federal Defend Trade Secrets Act and the Illinois Trade Secrets Act, in large part because he found that CGW had taken “almost no measures to safeguard the information that it now maintains was invaluable to its competitors.” In fact, Judge Sharp wrote that CGW’s data security “was so lacking that it is difficult to identify the most significant shortcoming.”

According to Judge Sharp, the following were among the data security measures that CGW could have taken, but did not:

  • entering into non-disclosure and confidentiality agreements with employees;
  • enacting a policy regarding the confidentiality of business information “beyond a vague, generalized admonition about not discussing CGW business outside of work”;
  • training “employees as to their obligation to keep certain categories of information confidential”;
  • asking departing employees whether they possessed any confidential company information, and if they do, instructing them to return or delete it;
  • adequately training CGW’s IT manager about data security practices;
  • restricting access to sensitive information on a need-to-know basis; and
  • as appropriate, labelling documents “proprietary” or “confidential.”

And so, the moral of this story is that if a company wants to claim that its information is a statutory trade secret, it needs to employ information security measures reasonably consistent with that claim. Companies which ignore the lesson taught by Judge Sharp do so at their own peril.

Consider the following scenario: your organization holds an annual meeting with all Research & Development employees for the purpose of having an open discussion between thought leaders and R&D regarding product-development capabilities. This year’s meeting is scheduled outside the United States and next year’s will be within the U.S. with all non-U.S. R&D employees traveling into the U.S. to attend. For each meeting, your employees may be subject to a search of their electronic devices, including any laptop that may contain your company’s trade secrets. Pursuant to a new directive issued in January 2018 by the U.S. Custom and Border Protection (“CBP”), the electronic devices of all individuals, including U.S. citizens and U.S. residents, may be subject to search upon entry into (or leaving) the U.S. by the CBP. CBP Directive No. 3340-049A (Jan. 4, 2018).

The directive allows for the warrantless border search of electronic devices without a showing of reasonable suspicion. It differentiates between a basic search and an advanced search. A basic search allows officers, with or without suspicion, to examine an electronic device, including an examination of the information that is resident and accessible on the device. Information that is solely stored remotely may not be accessed. An advanced search is one in which the officer connects external equipment, through a wired or wireless connection, to an electronic device in order to “review, copy, and/or analyze” the contents of the electronic device. Advanced searches are permitted where there is a “reasonable suspicion” of criminal activity or for national security concerns. While the directive states that “[m]any factors” may create a reasonable suspicion or a national security concern warranting an advanced search, it articulates examples particularly aimed at national security concerns but does not provide much color as to what may constitute reasonable suspicion of criminal activity.

By issuing the directive, the CBP appears to align its position with that of the majority of federal courts that held reasonable suspicion is not required for border searches of electronic devices. See, e.g., United States v. Ickes, 393 F.3d 501, 506-07 (4th Cir. 2005) (rejecting reasonable suspicion requirement for laptop computer searches at the border); United States v. Linarez-Delgado, 259 Fed. Appx. 506, 508 (3d Cir. 2007) (rejecting reasonable suspicion requirement for border search of electronic data). Thus, the CBP may have also sought to reject the statements by at least one other court suggesting a requirement for a showing of reasonable suspicion before search of an electronic device. See, e.g., United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013) (implying that officers need reasonable suspicion to conduct a border search of complex personal computing devices).

Can’t your employees just encrypt everything before international travel? Under the directive, travelers are required to present the electronic device (and the information contained within the device) in a condition that allows for the inspection of the device and its contents. Therefore, under the directive, officers may request an individual’s assistance in accessing the device if it is encrypted or password protected, and officers are authorized to detain a device pending a determination as to its admissibility in to the U.S.; they may also exclude a device if access to it is prevented by encryption or password protection.

The directive provides officers with instructions regarding the handling of certain sensitive materials, including business information, medical records, and information protected under the attorney-client privilege. Upon encountering business or commercial information resulting from a search, such as confidential business information, officers are required to “protect that information from unauthorized disclosure[.]” Such confidential business information may only be shared with agencies or entities that have mechanisms in place to protect the information.

Companies should alert employees of the requirements under the new directive. Certain preventative steps should be considered to minimize the potential for disclosure of confidential information at the border, including: (1) minimizing the number of electronic devices with trade secret or confidential information; (2) minimizing the amount of confidential information on a device; (3) to the extent possible, using electronic devices that do not contain confidential information when international travel is required; and (4) considering whether confidential information on the device should be encrypted but with the knowledge that CBP may request that the device be unlocked. Companies should also be cognizant of other issues relating to encrypted devices, including U.S. export control requirements for traveling to certain countries and licenses that may be required for individuals traveling into certain countries with an encrypted device.

In the event of an inspection request by an officer, your employees should be prepared to alert the officer that the device contains confidential business information in order to protect against its disclosure. Employees should also carry company business cards to show officers requesting an inspection that they are an employee of your company.

In a very thorough analysis following a 3 day Preliminary Injunction hearing Judge Jed Rakoff declined to issue injunctive relief to a former employer seeking to enjoin four former employees and their new employer from competing or from soliciting clients or employees. The decision is far ranging in the employee movement context touching upon inadvertent retention of confidential information, the propriety of new employers providing broad indemnifications and large signing bonuses to the recruits,  and the scope of allowable “preparatory conduct” in a one year non-compete period, among other issues presented in the context of a group of employees in the eDiscovery services space collectively on the move.

Four senior sales executives of plaintiff Document Technologies Inc (“DTI”) collectively decided to leave DTI and signed new employment agreements with LDiscovery. LDiscovery provided the four with agreements that indemnified them from claims of improper conduct by DTI as well as significant signing bonuses to make up for lost compensation during the one year non-compete period they agreed to abide by. The Court found nothing wrong with these agreements and also that accepting employment and engaging in preparatory meetings and analysis of the marketplace were permissible preparatory acts and do not violate the non-competition prohibitions in their agreements with DTI. The Court also found that there was no breach of the employee non-solicit where the four employees coordinated their job search since they had each individually resolved to leave DTI in advance of coming together. Collectively reaching the conclusion to seek alternative employment was found not to be a breach of the employee non-solicit provisions each had in their agreement with DTI. The Court was skeptical that where the employees were all “at will” versus subject to a term contract, that the three prong test of enforceability under BDO Seidman could be met. The fact that they marketed themselves as a “package” deal was not unfair competition supporting a finding of breach. Similarly, LDiscovery could not be held liable for tortious interference by recruiting the team, providing them with signing bonuses and by indemnifying them.

This decision provides a good framework for legal analysis when determining the propriety of a team move and whether certain conduct of the employees and their new employer warrant injunctive relief.

The Manhattan District Attorney’s office last week prevailed over Sergey Aleynikov, the former Goldman Sachs high frequency trading programmer accused of stealing computer source code from the bank, on just one count of the three of which he was charged.  It is somewhat hard to imagine how one might be found guilty of “unlawful use of secret scientific material” (N.Y. Penal Law § 165.07 as defined in § 155.00(6)), yet not get convicted for “unlawful duplication of computer related material” (N.Y. Penal Law § 156.30).

With Mr. Aleynikov previously avoiding federal charges of theft of trade secrets under the Economic Espionage Act and National Stolen Property Act, state prosecutors tried their hand on somewhat equivalent state statutes concerning computer crimes.  Whether the split decision will withstand review by the trial court judge and ultimately on appeal remains to be seen.

The underlying facts were not challenged at trial.  Mr. Aleynikov essentially admitted that he downloaded Goldman source code and attempted to cover his tracks by deleting the history of commands on his computer.  The focus of his defense was that he did not acquire a “major portion” of the economic value of the source code as required by the New York Penal Code Section at issue.  Also, he argued that he did not make a “tangible” reproduction of the files, another element required for proving unlawful use of secret scientific material.

That the jury took nearly a week to deliberate and required the jury instructions to be re-read and eventually provided in writing is indicative of how difficult it can be to try and prove any case involving the theft or unauthorized use of computer source code.  Given the ease with which such crimes can be accomplished, we are sure to see more developments of the law in this area in the immediate future.

Employers looking to protect their intellectual property and proprietary information, and wondering whether they can punish the departing employees that ignore demands to return laptops and other transportable electronic devices that hold such data, may now have a newly invigorated weapon at their disposal — the Computer Fraud and Abuse Act.  A recent federal district court decision found that an employer establishes the required “loss” and “damage” elements of a CFAA claim against a former employee by showing that such employees “refused to return their computers” when requested, that such employees “deleted information from their computers,” and that the employer “had to perform a forensic investigation to determine what information was deleted from” these laptops. Because the CFAA provides a statutory claim that applies to all electronically stored information (confidential or not), provides for federal court subject matter and allows for the recovery of a variety of damages and costs, including those related to expert fees, employers and intellectual property owners may find it attractive. For further details and analysis of these issues, see, by clicking here, the May 5, 2009 article by Jim Flynn appearing in IP Law 360 and Employment Law 360.