securing trade secrets and intellectual property against cyberattack

Speaker Firms and Organization:

Gordon Feinblatt LLCGeorge F. Ritchie

Member

Thank you for logging into today’s event. Please note we are in standby mode. All Microphones will be muted until the event starts. We will be back with speaker instructions @ 02:55pm. Any Questions? Please email: [email protected] Group Registration Policy

Please note ALL participants must be registered or they will not be able to access the event. If you have more than one person from your company attending, you must fill out the group registration form. We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events.

To obtain a group registration please send a note to [email protected] or call 646.202.9344.

Presented By:

October 26, 20161

Partner Firms:

Burr & Forman LLPWilliam "Chip" Collins Jr.

Partner

Center for Responsible Enterprise And Trade (CREATe.org)

Pamela PassmanPresident and CEO

BDO USA, LLPBud Conner

Director - Forensic Technology Solutions

mailto:[email protected]


October 26, 20162

Please note the FAQ.HELP TAB located to the right of the main presentation. On this page you will find answers to the top questions asked by attendees during webcast such as how to fix audio issues, where to download the slides and what to do if you miss a secret word. To access this tab, click the FAQ.HELP Tab to the right of the main presentation when you’re done click the tab of the main presentation to get back.

For those viewing the webcast on a mobile device, please note:

o These instructions are for Apple and Android devices only. If you are using a Windows tablet, please follow the instructions for viewing the webcast on a PC.

o The FAQ.HELP TAB will not be visible on mobile devices.o You will receive the frequently asked questions & other pertinent info through the apps chat window function on your device. o On Apple devices you must tap the screen anywhere to see the task bar which will show up as a blue bar across the top of the screen.

Click the chat icon then click the chat with all to access the FAQ’s.o Feel free to submit questions by using the “questions” function built-in to the app on your device.o You may use your device’s “pinch to zoom function” to enlarge the slide images on your screen.o Headphones are highly recommended. In the event of audio difficulties, a dial-in number is available and will be provided via the app’s

chat function on your device.

October 26, 20163

Follow us on Twitter, that’s @Know_Group to receive updates for this event as well as other news and pertinent info.

If you experience any technical difficulties during today’s WebEx session, please contact our Technical Support @ 866-779-3239. We will post the dial information in the chat window to the right shortly and it’s available in the FAQ.Help Tab on the right. Please redial into the webcast in case of connectivity issue where we have to restart the Webex event.

You may ask a question at anytime throughout the presentation today via the chat window on the lower right hand side of your screen. Questions will be aggregated and addressed during the Q&A segment.

Please note, this call is being recorded for playback purposes.

If anyone was unable to log in to the online webcast and needs to download a copy of the PowerPoint presentation for today’s event, please send an email to: [email protected]. If you’re already logged in to the online Webcast, we will post a link to download the files shortly and it’s available in the FAQ.Help Tab

https://twitter.com/know_group


October 26, 20164

If you are listening on a laptop, you may need to use headphones as some laptops speakers are not sufficiently amplified enough to hear the presentations. If you do not have headphones and cannot hear the webcast send an email to [email protected] and we will send you the dial in phone number.

About an hour or so after the event, you'll be sent a survey via email asking you for your feedback on your experience with this event today - it's

designed to take less than two minutes to complete, and it helps us to understand how to wisely invest your time in future events. Your feedback is

greatly appreciated. If you are applying for continuing education credit, completions of the surveys are mandatory as per your state boards and

bars. 6 secret words (3 for each credit hour) will be given throughout the presentation. We will ask you to fill these words into the survey as proof

of your attendance. Please stay tuned for the secret word. If you miss a secret word please refer to the FAQ.Help tab to the right.

Speakers, I will be giving out the secret words at randomly selected times. I may have to break into your presentation briefly to read the secret

word. Pardon the interruption.


Partner Firms:

October 26, 20165

Gordon Feinblatt is a full-service law firm with more than 60 attorneys and over 20 paralegals. Our size assures proficiency in virtually every area of the law without sacrificing personalized attention to our clients. Each of the Firm’s Practice Group Chairs and many of our other attorneys are among the State’s leading practitioners. Twenty-five of our attorneys are listed in Woodward & White’s Best Lawyers in America® 2017and four of our lawyers have been designated “Lawyer of the Year” in Baltimore by Best Lawyers. Eighteen attorneys are named in Maryland Super Lawyers 2016. We present our clients with innovative solutions applicable to their unique problems and circumstances, providing a legal advantage to people doing business in Maryland.

BDO is the brand name for BDO USA, LLP, a U.S. Professional services firm providing assurance, tax, financial advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through 60 offices and more than 400 independent alliance firm locations nationwide. As an independent member firm of BDO international limited, BDO serves multinational clients through a global network of over 1,400 offices in more than 154 countries. BDO USA, LLP, a Delaware limited liability partnership, is the U.S. Member of BDO international limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO member firms.

Partner Firms:

October 26, 20166

The Center for Responsible Enterprise And Trade (CREATe.org) helps organizations and their third parties address governance, risk and compliance requirements associated with the prevention of corruption and the protection of intellectual property (IP) and trade secrets from cyber and other risks. Our mission is to make leading practices in IP protection and anti-corruption achievable for all companies. To achieve this mission, we have developed CREATe Leading Practices, a service that measures the maturity of business processes in place and guides prioritization and improvements to help companies embed controls to mitigate risks. CREATe Leading Practices is deployed in multiple languages by organizations operating globally.

Burr & Forman’s experienced legal team serves clients with local, national, and international legal needs. With particular industry strengths in the financial institutions, health care and manufacturing sectors, our attorneys draw from a diverse range of backgrounds and experience to serve as trusted business advisors and legal counsel to help clients achieve their goals. Burr & Forman is a Southeast regional firm with nearly 300 attorneys and 10 offices in Alabama, Florida, Georgia, Mississippi, and Tennessee.

Brief Speaker Bios:

October 26, 20167

George F. Ritchie

George Ritchie is a trial lawyer and adviser with over 20 years of experience handling high stakes litigation matters and other strategic challenges facing private and public companies. His practice focuses on intellectual property, environmental, employment and related corporate matters. He also counsels clients on risk avoidance, crisis management, and company-sensitive issues across a broad spectrum of industries. He represents domestic and international clients in cases in state and federal courts across the country, and in various arbitral forums.

Bud Conner

Bud Conner is a Director in the Forensic Technology Services practice of BDO Consulting. Combining legal, technology, and information governance expertise, Bud helps organizations find cost effective solutions for managing and protecting enterprise data and information. From data creation through storage and retrieval, Bud advises corporations and law firms in policy and process implementation, and in identifying and deploying the appropriate technologies and services to harmonize enterprise operations, improve processes, and realize a true return on investment.

Brief Speaker Bios:

Pamela Passman

Pamela Passman is President and CEO of the Center for Responsible Enterprise and Trade (CREATe.org), an organization dedicated to helping companies and their third parties effectively address governance, risk and compliance requirements through the benchmarking and implementation of business processes across an enterprise. Prior to founding CREATe in October 2011, Passman was the Corporate Vice President and Deputy General Counsel, Global Corporate and Regulatory Affairs, Microsoft Corporation. Since 2002, Passman led Microsoft’s regulatory compliance work across 100 countries and addressing a range of issues, including privacy, security, law enforcement, telecommunications and other issues related to cloud computing.

October 26, 20168

► For more information about the speakers, you can visit: https://theknowledgegroup.org/event-homepage/?event_id=1724

William "Chip" Collins Jr.

Chip Collins is a partner and business litigator in the Atlanta office of Burr & Forman LLP. His practice is largely focused on litigating and arbitrating non-compete and trade secret disputes, counseling employers and executives on unfair competition issues, and drafting employment and severance agreements. Chip is a frequent commentator on non-compete and trade secret issues, having been featured in publications including the Atlanta Business Chronicle, Attorney at Law, andBusiness to Business, and he started his firm’s unfair competition blog (noncompetetradesecretslaw.com), to which he is a regular contributor.

https://theknowledgegroup.org/event-homepage/?event_id=1724

The rise in cyber threats is putting companies at risk of losing trade secrets and other intellectual property assets that are integral to competitive edge, revenues and reputation. Many companies, however, are unsure about how to shore up their IP and trade secret protection programs to thwart potential risks and losses.

In this two-hour LIVE Webcast, a panel of distinguished professionals and thought leaders organized by The Knowledge Group will help the audience understand the important aspects of Securing Trade Secrets and Intellectual Property Against Cyberattack. They will provide an in-depth discussion of the critical issues and best practices with respect to this noteworthy topic. Speakers will also share helpful tips in developing and implementing data security programs while ensuring compliance with applicable laws.

Some of the major topics that will be covered in this course are:

• IP and Trade Secrets Protection• Key Challenges and Vulnerabilities• Data Security Policies• Risk Identification and Mitigation• Best Regulatory Remedies

October 26, 20169

Featured Speakers:

October 26, 201610

SEGMENT 4:

William "Chip" Collins Jr.PartnerBurr & Forman LLP

SEGMENT 2:

George F. RitchieMemberGordon Feinblatt LLC

SEGMENT 3:

Pamela PassmanPresident and CEOCenter for Responsible Enterprise And Trade (CREATe.org)

SEGMENT 1:

Bud ConnerDirector - Forensic Technology SolutionsBDO USA, LLP

Introduction

Bud Conner is a Director in the Forensic Technology Services practice of BDO Consulting. Combining legal, technology,

and information governance expertise, Bud helps organizations find cost effective solutions for managing and protecting

enterprise data and information. From data creation through storage and retrieval, Bud advises corporations and law firms

in policy and process implementation, and in identifying and deploying the appropriate technologies and services to

harmonize enterprise operations, improve processes, and realize a true return on investment.

Bud began his professional career as an intellectual property attorney, and is a registered patent attorney before the United

States Patent & Trademark Office. He is also an ARMA-certified Information Governance Professional. Protecting

intellectual property and sensitive information has been a constant objective of his work.

Bud is a graduate of the Case Western Reserve School of Law, and holds a BS in Biochemistry from Indiana University.

October 26, 201611

SEGMENT 1:


TRADE Secrets, IP (and Other Valuable Data)in the CYBER AGE

The Big Picture for Protecting Digital Assets

October 26, 201612

SEGMENT 1:


A TRADE SECRET IS:information, including a formula, pattern, compilation, program device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. (Uniform Trade Secrets Act)

Examples of trade secrets can include:• engineering information; methods, processes, and know-how; • tolerances and formulas; • business and financial information; • computer programs (particularly source code) and related information; • pending, unpublished patent applications; • business plans, budgets, methods of calculating costs and pricing; customer and supplier information; • other information relating to a company's business.

October 26, 201613

SEGMENT 1:


The Information Hierarchy:All Trade Secrets constitute Confidential Information, but:

Not all Confidential Information rises to the Level of Trade Secret, and:

All Confidential Information is Proprietary Information, but not all Proprietary Information is Confidential.

For example, patented inventions and copyrighted materials are known to the public, but they are proprietary to their owner.

Some companies view anything they do or create as proprietary.

October 26, 201614

SEGMENT 1:


WHERE ARE YOU GOING WITH THIS?This is a Cyber seminar

• “Cyber” is defined as “of, relating to, or involving computers or computer networks.”

As a practical matter, most enterprise computer networks constitute a single data lake, wherein all information (proprietary, confidential, trade secret, and garbage) co-exists.

The Information does not self-segregate in the data lake, so absent efforts to isolate trade secrets or other valuable data, protecting that data requires protecting the whole lake.

For a lot of reasons, that’s really hard to do (more on this later).

October 26, 201615

SEGMENT 1:


GOING FISHING (OR PHISHING)

October 26, 201616

SEGMENT 1:


WHAT ELSE IS IN THE LAKE?Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”)

• Names and addresses • Social security numbers, drivers’ license numbers, and passport numbers/other government identifiers • Bank account information and credit card numbers• Usernames and passwords• Compensation and other related employment information (including benefits, retirement and

termination plans and previous work history)• Health Claims appeals information • Diagnosis, disability code and member ID numbers of employees/dependents• Health/medical information provided outside of company health plan

October 26, 201617

SEGMENT 1:


PROTECTING INFORMATION: THAT WHICH YOU WANT TO AND THAT WHICH YOU HAVE TO

You want to keep your Trade Secrets out of the public’s hands. You have to keep PII and PHI out of the public’s hands.

Examples of laws related to different types of PII

• HIPAA/HITECH - Health related information• GLBA - Financial information• Privacy Act - Fair Information Practices for PII held by Federal Agencies• COPPA - Protects children’s privacy by allowing parents to control what information is collected• FERPA - Student’s personal information• FCRA - Collection and use of consumer information

October 26, 201618

SEGMENT 1:


AGAIN, WHERE ARE YOU GOING WITH THIS?A variety of information types have value to hackers.

Most enterprise data lives in the same place, and the information types are generally intermingled with each other.

Total protection against hacking or breach is impossible.

Therefore, protection strategy should be based on prioritizing data types based on value to the company, value to hackers, legal/regulatory obligations, and cost of breach.

So, with respect to Trade Secrets—the primary reason we’re here—the protection strategy should be a consideration under the greater data security/data breach philosophy. That is, if you are going to undertake to protect trade secrets, it will be most effective if the enterprise undertakes a holistic protection strategy at the same time.

October 26, 201619

SEGMENT 1:


A HOLISTIC ENTERPRISE DATA SECURITY STRATEGY

October 26, 201620

SEGMENT 1:


PROTECTING TRADE SECRETS IN THE CYBER AGEA multi-functional endeavor

Identify valuable information

Identify risk

Policy considerations

Behavioral considerations

Technology considerations

October 26, 201621

SEGMENT 1:


Introduction

George Ritchie is a trial lawyer and adviser with over 20 years of experience handling high stakes litigation matters and

other strategic challenges facing private and public companies. His practice focuses on intellectual property, environmental,

employment and related corporate matters. He also counsels clients on risk avoidance, crisis management, and company-

sensitive issues across a broad spectrum of industries. He represents domestic and international clients in cases in state

and federal courts across the country, and in various arbitral forums.

In addition to his courtroom work, George also has substantial experience in representing companies and individuals

involved in government investigations, including matters involving securities and accounting fraud, alleged mislabeling of

food products under USDA regulations and consumer protection violations. George regularly provides pre-litigation analysis

and advice to clients, and has lectured extensively on the importance of pre-litigation planning and expert witness

development.

October 26, 201622

SEGMENT 2:


Defending Trade Secrets From Cyber Attack

October 26, 201623

SEGMENT 2:


Defining the Problem: What is a Trade Secret? USTA:

1) “Information . . . that . . . derives independent economic value, actual or potential

2) from not being generally known [to other persons who can obtain economic value from its disclosure or use]

3) and not being readily ascertainable by proper means by other persons who can obtain economic value from its disclosure or use, and

4) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”

Similar Concepts under the Restatement and Defend Trade Secrets Act (DTSA)

October 26, 201624

SEGMENT 2:


Defining the Problem: The Importance ofReasonable Efforts to Maintain Secrecy

This is the factor where most trade secrets cases are likely to fail

Lapses in security, failure to treat information as secret, and inadvertent disclosure are enough to destroy trade secret status

Omega Optical, Inc. v. Chroma Technology Corp., 174 Vt. 10, 800 A.2d1064 (2002): No evidence of policy of confidentiality within company and company had taken no steps to

protect technology from disclosure Court ruled that company could not claim trade secret status of technology and entire portfolio

was lost to a competitor

October 26, 201625

SEGMENT 2:


Defining the Problem: CommonScenarios in Loss of Trade Secrets

Who is the company protecting the trade secrets from: outside competitors, inside employees (loyal and not loyal), the general public

Common Scenarios for trade secret “loss” -

◦ Loss of trade secrets through inadvertent disclosure: trade show, conference speech, sales call

◦ Loss of trade secrets through unprotected disclosure: “preliminary discussions,” simultaneous disclosure, unprotected disclosure within NDA

◦ Loss of Trade Secrets through hostile actions: departing employees, corporate spies

October 26, 201626

SEGMENT 2:


Addressing the Problem:Goals For Trade Secret Security Programs

Focus of efforts must be what is “reasonable under the circumstances”

Courts will ask: what is the standard of care in the industry? Has company suffered information losses before? Were procedures tightened in response? How big is corporation? Does it have “big corporation” security measures, or is “Mom and Pop” approach enough?

Two Goals: 1) Prevent Information Loss through security measures; 2) ensure favorable result in trade secret litigation

October 26, 201627

SEGMENT 2:


Addressing the Problem: TypicalSolutions for Non-Cyber Threats

Dealing with the Insider:

◦ Employment Agreements w/Restrictive Covenants and Confidentiality Clauses◦ Compartmentalization of trade secrets – access on a “need to know” basis◦ Access tracking within the company◦ Computer passwords, encryption◦ Employee Handbook and periodic employee training◦ The exit interview and “trade secret statement”◦ Provision of equipment – limit to company-issued and demand return

October 26, 201628

SEGMENT 2:


Addressing the Problem: Dealingwith Outside Threats

Preventing Access through Fraud

Preventing Access through Trespass

Preventing Access Through Inducement to Breach

Proper use of NDAs

◦ 11th Cir. Decision in Warehouse Solutions v. Integrated Logistics, 2015 WL 2151757 (11 th Cir. May 8, 2015)

Counsel reviews of sales presentations, research articles, trade show materials

October 26, 201629

SEGMENT 2:


Reasonable Efforts: Cyber Security Take-away from cases interpreting “reasonable efforts” – cost benefit analysis, which varies in each

case based on the costs of protective measures relative to the attendant benefits of protection.

How to apply to Cyber Attack scenarios?◦ Look to FTC Complaints and Consent Decrees on protection of consumer data for guidance◦ Password protocols and policies foundational to data security◦ Use of encryption, segmentation of servers from unauthorized access, firewalls and monitoring of

access

October 26, 201630

SEGMENT 2:


Reasonable Efforts: Cyber Security Additional FTC Guidance:

◦ Companies should monitor and regulate outgoing traffic on the network◦ Have protocols in place for dealing with detected security breaches◦ Websites should have separate employee and consumer login pages◦ Deletion of old, unused information on server◦ Put in place adequate risk assessment plans, including trade secret and security audits◦ Installation of proper antivirus and anti-spying programs

October 26, 201631

SEGMENT 2:


Reasonable Efforts: Cyber Security Adoption of NIST Framework

October 26, 201632

SEGMENT 2:


Introduction

Pamela Passman is President and CEO of the Center for Responsible Enterprise and Trade (CREATe.org), an organization

dedicated to helping companies and their third parties effectively address governance, risk and compliance requirements

through the benchmarking and implementation of business processes across an enterprise. Prior to founding CREATe in

October 2011, Passman was the Corporate Vice President and Deputy General Counsel, Global Corporate and Regulatory

Affairs, Microsoft Corporation. Since 2002, Passman led Microsoft’s regulatory compliance work across 100 countries and

addressing a range of issues, including privacy, security, law enforcement, telecommunications and other issues related to

cloud computing. She worked closely with business leaders and research and development teams to advance Microsoft’s

businesses in China and other emerging markets. She first joined Microsoft in 1996 and until 2002, led the Legal and

Corporate Affairs organization in Asia, based in Tokyo, with a focus on Japan, Korea and the People’s Republic of China.

Prior to joining Microsoft, Ms. Passman practiced law with Covington & Burling in Washington, D.C. and Nagashima &

Ohno in Tokyo, Japan. Passman was recognized as one of the ‘Most Influential People in Security 2014’ by Security

Magazine.

October 26, 201633

SEGMENT 3:


What are Reasonable Efforts’ for Cybersecurity?• Reasonable efforts / reasonable steps

X̵ Remains a key test for whether information gets trade secret protection

• Needed cybersecurity protections have been mentioned in trade secrets cases:

October 26, 201634

SEGMENT 3:


X̵ Password protectionX̵ ‘Need to know’ accessX̵ Segregated server

storageX̵ FirewallsX̵ Data encryption

X̵ Website blocking

X̵ Internet use monitoringX̵ Pop-up warningsX̵ Prohibitions on printingX̵ USB use restrictions

Industry Trend: Enterprise Risk Management (ERM)• Cybersecurity: not just an IT issue

X̵ Managing people and processes also vitalX̵ NIST and industry best practices: evolving towards integrated risk management throughout the

enterprise

• Some trade secret cases touch on ERM issues:X̵ Corporate policies and proceduresX̵ Internal and third party agreementsX̵ HR practicesX̵ Trade secret registryX̵ Physical securityX̵ Employee training and awarenessX̵ Management responsibilitiesX̵ Security monitoringX̵ Prompt corrective actions

October 26, 201635

SEGMENT 3:


Embedding Cybersecurity into Business Operations

Benefits:• Builds awareness throughout the company• Communicates clear expectations • Preventative, proactive• Builds on management systems used for other business operations

October 26, 201636

SEGMENT 3:


A Management-Systems Approach

October 26, 201637

SEGMENT 3:


Policies, Procedures & Records

Security & Confidentiality Management

Management of Third Parties

Corrective Actions & Improvements

Cross-Functional IP Compliance Team

Training & Capacity Building

Monitoring & Measurement

Risk Assessment

Effective management involves people, process and technology

Risk Assessment

Sample processes that should be in place:

Trade secret registry Assess potential risks to trade secrets Assessment of likelihood and severity of potential risks Risk mitigation plan

October 26, 201638

SEGMENT 3:









Risk Assessment

Policies, Procedures and Records


Company, staff and third-party policies Trade secrets specific procedures Marking and segregation procedures Standard confidentiality and usage provisions Standard NDA Inventory and other documentation

October 26, 201639

SEGMENT 3:









Risk Assessment



Identity and access management Data security measures Perimeter and network defense Physical security

October 26, 201640

SEGMENT 3:









Risk Assessment


October 26, 201641

SEGMENT 3:









Risk Assessment


Due diligence Third-party communications Written nondisclosure and other agreement terms Regular reviews

Information Protection Team

October 26, 201642

SEGMENT 3:









Risk Assessment


Risk analysis Responsible executive Cross-functional coordination Authority and budget Comprehensive oversight

Training and Capacity Building

October 26, 201643

SEGMENT 3:









Risk Assessment


Initial staff training Ongoing training Supply chain training Specialized training


October 26, 201644

SEGMENT 3:









Risk Assessment


Regular reviews of internal protections Regular reviews of third-party protections Benchmarking


October 26, 201645

SEGMENT 3:









Risk Assessment


Rapid response Response plan Root-cause analysis Tracking Regular review and protection program update

Industry Trend: Approach to Managing Cyber Risk

• Voluntary framework, five main functions

X̵ Analysis of technical and management capabilities

• Trade-secrets impact? X̵ “The Framework may become the de facto

standard … and may impact legal definitions and enforcement guidelines for cybersecurity moving forward.” PwC

October 26, 201646

SEGMENT 3:


NIST Cybersecurity Framework Function Category

IDENTIFY (ID) Asset Management. Business Environment. Governance. Risk Assessment. Risk Management Strategy.

PROTECT (PR) Access Control. Awareness and Training. Data Security.

Information Protection Processes and Procedures.

Maintenance. Protective Technology.

DETECT (DE) Anomalies and Events. Security Continuous Monitoring. Detection Processes.

RESPOND (RS) Response Planning. Communications. Analysis. Mitigation. Improvements.

RECOVER (RC) Recovery Planning. Improvements.

Communications.

Introduction

Chip Collins is a partner and business litigator in the Atlanta office of Burr & Forman LLP. His practice is largely focused on

litigating and arbitrating non-compete and trade secret disputes, counseling employers and executives on unfair

competition issues, and drafting employment and severance agreements. Chip is a frequent commentator on non-compete

and trade secret issues, having been featured in publications including the Atlanta Business Chronicle, Attorney at Law,

andBusiness to Business, and he started his firm’s unfair competition blog (noncompetetradesecretslaw.com), to which he

is a regular contributor. He has presented seminars on trade secret and non-compete law for ICLE in Georgia and The

Knowledge Group and has been a guest lecturer on trade secret issues at the Emory University School of Law for the last

two years. Chip has been involved in the creation of both the noncompete/trade secrets and cybersecurity service groups

at his firm.

October 26, 201647

SEGMENT 4:


When the Genie Gets Out of the Bottle

Rights and Remedies for Trade Secret Owners in the Aftermath of a Cyber Attack

October 26, 201648

SEGMENT 4:


Why me?Reasons trade secrets may be subject to cyber attack:• Competitor seeking competitive advantage • Thrill seeker looking to expose vulnerabilities and gain notoriety/bragging rights in hacker

community• “Hacktivist” seeking to publicize information for political or public interest purposes • Disgruntled employee, customer, or other “malicious insider” seeking to embarrass or damage a

business

October 26, 201649

SEGMENT 4:


Is my Trade Secret still a “secret” if it gets posted on the Internet?

“Widespread, anonymous publication of the information over the Internet may destroy its status as a trade secret. The concern is whether the information has retained its value to the creator in spite of the publication.”

DVD Copy Control Assoc. Inc. v. Bunner, 116 Cal. App. 4th 241, 251 (Cal. Ct. App. 2004) (citing Religious Tech. Center v. NetCom On-Line Comm, 923 F. Supp. 1231, 1256 (N.D. Cal. 1995), Religious Tech. Center v. NetCom On-Line Comm., 907 F. Supp. 1361 (N.D. Cal. 1995), and Rest.3d Unfair Competition, §39, com. f, p. 431).

October 26, 201650

SEGMENT 4:


Is my Trade Secret still a “secret” if it gets posted on the Internet?Publication of a trade secret on the Internet does not necessarily destroy trade secret status if the publication is sufficiently:

• obscure; • transient; or • otherwise limited so that it does not become generally known to the relevant people, i.e., potential

competitors or other persons to whom the information would have some economic value.

DVD Copy Control Assoc. Inc. v. Bunner, 116 Cal. App. 4th 241, 251 (Cal. Ct. App. 2004) (internal citations omitted). See also Syncsort Inc. v. Innovative Routines, Int.’l, Inc., No. 04-3623 (WHW), 2011 WL 3651331, at *13 (D.N.J. Aug. 18, 2011).

October 26, 201651

SEGMENT 4:


The Need for Speed: Move Fast When Trade Secrets Have Been Exposed in a Cyber Attack

After a cyber attack, trade secret owners must immediately:• Identify and remediate the source of the breach• Identify what trade secrets have been compromised• Identify the misappropriator (if possible) • Determine where trade secrets have been exposed, published ,or otherwise made available to the

public (if possible) • Attempt to have exposed trade secrets removed/deleted from websites or other public sources as

quickly as possible • Work to prevent further loss, dissemination, or publication of compromised trade secrets to protect

trade secret status• Preserve evidence for use in a potential civil or criminal action• Evaluate and pursue civil and criminal remedies

October 26, 201652

SEGMENT 4:


Civil Remedies for Trade Secret Misappropriation Defend Trade Secrets Act of 2016: 18 U.S.C. §1836

• Provides a private civil cause of action for misappropriation of trade secrets and confidential information (BUT does not preempt existing state laws)

• Promotes uniformity in trade secret law, which previously was governed by state laws adopting differing versions of the Uniform Trade Secrets Act

• Provides original federal subject matter jurisdiction for misappropriation claims• Broad definition of trade secret and broader protections for employers (i.e., no confidentiality

agreement or restrictive covenant required to enforce protections) • Provides ex parte seizure remedy which allows for the immediate seizure of misappropriated

trade secrets without requiring advance notice to the party holding the trade secrets where TRO or other remedies are inadequate

• Allows injunctive relief, recovery of actual damages, recovery of reasonable royalty and/or unjust enrichment, and exemplary damages of 2x the damages award and attorneys’ fees for willful or malicious misappropriation

• Provides whistleblower immunity and anti-retaliation provisions• Rejects “inevitable disclosure” doctrine

October 26, 201653

SEGMENT 4:


Civil Remedies for Trade Secret MisappropriationComputer Fraud and Abuse Act: 18 U.S.C. §1030• Anti-hacking statute that makes it a crime to access information on a computer without, or in excess

of, authorization • Provides for a private civil right of action where an individual or company may bring a civil lawsuit if

actual damages in one year exceed $5,000• Plaintiff can obtain injunctive relief and recover actual/compensatory damages attributable to

violation• Civil case must be brought within 2 years of the date of the violation or the date of the discovery of

the damage • BUT: CFAA’s applicability to trade secrets has been called into question – See United States v.

Nosal, 676 F.3d 854 (9th Cir. 2012) (finding that the “general purpose [of the CFAA] is to punish hacking – the circumvention of technological access barriers – not misappropriation of trade secrets . . .”).

See JOHN VILLASENOR, Corporate Cybersecurity Realism: Managing Trade Secrets in a World Where Breaches Occur, AM. INTELL. PROP. L. ASS’N. Q. J., VOLUME 43, NUMBERS 2/3. (Aug. 1, 2005).

October 26, 201654

SEGMENT 4:


Civil Remedies for Trade Secret MisappropriationState Laws - most states have adopted a version of the Uniform Trade Secrets Act, which allows:

• Injunctive relief for actual or threatened misappropriation• Recovery of actual damages caused by misappropriation • Unjust enrichment and/or reasonable royalty• Exemplary damages of 2x any award of actual damages • Attorneys’ fees for willful or malicious misappropriation OR for claims of misappropriation

made in bad faith • Preempts “conflicting tort, restitutionary, and other laws providing civil remedies for

misappropriation of trade secrets” To the extent not preempted by state statutes, trade secret owners may have common law claims for:

• unfair competition• deceptive trade practices• Conversion, trespass, invasion of privacy, replevin• Violations of RICO statutes• Breach of fiduciary duty and/or duty of loyalty/confidentiality • Breach of contract (involving NDAs, restrictive covenants, etc.)

October 26, 201655

SEGMENT 4:


Criminal Remedies for Trade Secret MisappropriationEconomic Espionage Act of 1996 18 U.S.C. §1831, et. seq..

• Criminalizes economic espionage and theft of trade secrets. • Attorney General may bring civil action to enjoin violations• Violations are punishable by fines and/or imprisonment of up to 10 years for theft of trade

secrets • No preemption of other civil or criminal remedies • Expansive federal jurisdiction is beneficial in cases involving multi-jurisdictional internet

prosecutions • No private civil cause of action • BUT: EEA does not apply to those who do not intend to benefit financially from the disclosure,

so may not apply to hacker whose only intent is to destroy secrecy

2 GABRIEL M. RAMSEY, ET AL., INTERNET LAW AND PRACTICE § 18.37 (2016); 2 JOHN J. FALVEY, JR. & AMY M. MCCALLEN, INTERNET LAW AND PRACTICE § 26.13 (2016).

October 26, 201656

SEGMENT 4:


Criminal Remedies for Trade Secret Misappropriation Computer Fraud and Abuse Act: 18 U.S.C. §1030• Anti-hacking statute that makes it a crime for anyone to access information on a computer without,

or in excess of, authorization • Violations are punishable by imprisonment and/or civil forfeiture of personal property used or

intended to be used to commit the violation• Civil cases comprise largest percentage of opinions construing the CFAA• Section 1030(g) authorizes private right of action for compensatory damages and

injunctive/equitable relief by any person who suffers a loss resulting from a statutory violation, if the loss during any one-year period is at least $5,000

• No preemption of other laws governing computer crimes

4 E-COMMERCE AND INTERNET LAW 44.08[1] (2015).

October 26, 201657

SEGMENT 4:


Criminal Prosecution or Civil Lawsuit?Advantages to criminal prosecution:• Government search and seizure orders are broader in scope than civil TROs/injunctions, and

search warrants may be more easily obtained due to lower probable cause standard • Prosecuting agency covers costs• Deterrent effect of hefty fines and potential imprisonment• Government agencies face less jurisdictional barriers

4 E-COMMERCE AND INTERNET LAW 43.06-07 (2015).

October 26, 201658

SEGMENT 4:


Criminal Prosecution or Civil Lawsuit?Disadvantages to criminal prosecution:• Trade secret owner loses control of case/outcome

• Prosecutors decide whether to pursue and with what crimes to charge• Prosecuting agencies with limited resources may delay/decline prosecution, and inadequate

security systems may result in more risk of compromise/exposure of trade secrets• Higher burden of proof (beyond a reasonable doubt) and more procedural advantages available to

defendants in criminal cases • Restitutionary recovery may be less than recoverable civil damages


October 26, 201659

SEGMENT 4:


Criminal Prosecution or Civil Lawsuit?Advantages to Civil Lawsuit:• Trade secret owner controls case, can shape relief sought can better control publicity, and can

more directly impact outcome• Lower burden of proof (preponderance standard) makes it easier for plaintiffs to prevail • Potential for recovery of damages

• Actual/compensatory damages• Treble damages• Punitive damages • Attorneys’ fees and costs of litigation

• Injunctive Relief, if available, can help to protect trade secret status and prevent further loss/dissemination of trade secrets


October 26, 201660

SEGMENT 4:


Criminal Prosecution or Civil Lawsuit?Disadvantages to Civil Lawsuit:• Difficulty in identifying anonymous or pseudonymous defendants• Obtaining injunction can be too slow to protect trade secret status • Judgment collection – Religious Tech. Ctr. v. Netcom On-Line Comm’n Servs., Inc., 923 F. Supp.

1231, 1256 (N.D. Cal. 1995) (“The anonymous (or judgment proof) defendant can permanently destroy trade valuable trade secrets, leaving no one to hold liable for the misappropriation.”).

• First Amendment concerns – Ford Motor Co. v Lane, 67 F. Supp. 2d 745 (E.D. Mi. 1999) (declining to enjoin Defendant’s threatened “publication of Ford’s trade secrets and other internal documents” upon finding that “[i]n the absence of a confidentiality agreement or fiduciary duty between the parties, Ford’s commercial interest in its trade secrets and Lane’s alleged improper conduct in obtaining the trade secrets are not grounds for issuing a prior restraint”)

October 26, 201661

SEGMENT 4:


Who do I sue?• “John Doe” lawsuits may be filed against anonymous or pseudonymous hackers. The Republic of

Kazakhstan v. Does 1-100, No. 15 Civ. 1900(ER), 2015 WL 6473016 (S.D.N.Y. Oct. 27, 2015) (action for injunctive relief and damages under CFAA against anonymous hackers that posted confidential government documents on internet).

• Once suit is filed, seek expedited discovery and serve subpoenas on internet service providers or website owners to compel production of identifying information for the persons that posted the trade secrets online.

• Consider whether ISPs or other third parties may be liable for negligence if trade secrets not removed from site upon request

See 2 E-COMMERCE AND INTERNET LAW §§10.12 and 10.18 (2015); RICHARD G. SANDERS & ROBB S. HARVEY, Unmasking Anonymous and Pseudonymous Online Posters, 21 NO. 2 PRAC. LITIGATOR 35 (2010).

October 26, 201662

SEGMENT 4:


October 26, 201663

Contact Info:


E: [email protected] T: 404.685.4266


E: [email protected]: 202.842.4701









► You may ask a question at anytime throughout the presentation today. Simply click on the question mark icon located on the floating tool bar on the bottom right side of your screen. Type your

question in the box that appears and click send.

► Questions will be answered in the order they are received.

Q&A:

October 26, 201664

SEGMENT 4:


SEGMENT 2:


SEGMENT 3:


SEGMENT 1:


October 26, 201665

ABOUT THE KNOWLEDGE GROUP

The Knowledge Group is an organization that produces live webcasts which examine regulatory

changes and their impacts across a variety of industries. “We bring together the world's leading

authorities and industry participants through informative two-hour webcasts to study the impact of

changing regulations.”

If you would like to be informed of other upcoming events, please click here.

Disclaimer:

The Knowledge Group is producing this event for information purposes only. We do not intend to provide or offer business advice. The contents of this event are based upon the opinions of our speakers. The Knowledge Group does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and does not necessarily reflect that of The Knowledge Group‘s views. In no event shall The Knowledge Group be liable to any person or business entity for any special, direct, indirect, punitive, incidental or consequential damages as a result of any information gathered from this webcast.

Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited

http://theknowledgegroup.org/

http://theknowledgegroup.org/all-events-list/

securing trade secrets and intellectual property against cyberattack

Education