Taking a Bite Out of Cyber Crime
Last week, U.S. Attorney General Eric Holder announced that the U.S. government would continue to make investigations and prosecutions of intellectual property crimes a top priority for the Department of Justice. Holder said the U.S. would work with like-minded governments to tackle offenders using trade restrictions and criminal prosecutions, and there would be a 120-day review to see whether new legislation is necessary. Holders statement followed an executive order signed in the lead-up to President Barack Obamas State of the Union Address, outlining a process that allows government agencies to work with private industry to combat cyber threats.
Cyber crime illustrates the two defining business trends of the modern dayglobalization and technology. When these crimes are committed by third parties outside of companies or by insiders who steal company secrets, years of investment in research and development of IP are placed in jeopardy, a companys competitive advantage is at risk, and jobs can be lost. And it may be impossible to undo the damage to the companys IP.
Corporate data security cases also implicate national security. Holders announcement came on the heels of a New York Times article revealing that hackers traced back to Chinese military installations have systematically infiltrated the computer systems of U.S. companies. As law firms and other service providers develop data security practice groups to focus on protecting computer infrastructure and IP from attacks from inside and outside the company, in-house lawyers must educate themselves on how to protect their client from this emerging threat.
The Economic Espionage Act (EAA) was passed in 1996 and outlaws economic espionage and theft of trade secrets. The EAA prohibits knowingly obtaining trade secrets without authorization (such as theft); the unauthorized transmission, copying, or altering of a trade secret; or receiving a trade secret, knowing it was stolen or obtained without permission, in interstate or foreign commerce. If the violation benefits a foreign government, instrumentality, or agent, it is economic espionage. Otherwise, if the defendant merely intended to benefit someone else and harm the owner, it is a theft of trade secret.
The EAA was not a prosecution priority for the Justice Department until 2010, when the DOJ created the National Intellectual Property Rights Coordination Center and added a number of line prosecutor and FBI special agent positions to investigate intellectual property violations. In 2011, the FBI opened 235 new IP crime investigations with a 29 percent increase in trade secret investigations over the course of 2010. That year, federal prosecutors received more than 300 referrals for IP prosecutions and charged 215 defendants in 168 separate cases.
Recent prosecutions over the last two years have involved IP thefts ranging from theft of proprietary computer code from Goldman Sachs (U.S. v. Aleynikov in New York) to the prosecution of theft of proprietary information about specialty values in the oil and gas industry (U.S. v. Stancil in Houston). In December 2012, President Obama signed into law the Theft of Trade Secrets Clarification Act, which makes it clear that EAA protection extends to wholly internal proprietary information. This clarification was necessary after the Second Circuits decision in U.S. v. Aleynikov, 676 F.3d 71 (2d Cir. 2012).
The first line of defense starts with the company. In-house counsel must understand the potential threats, appropriate data security measures, and appropriate responses to incidents. Many of todays security threats are to information stored on electronic devices, although companies must not forget that information can go out the door on old-fashioned paper. Compare U.S. v. Aleynikovsecrets surreptitiously uploaded to a server in Germany prior to resignation then accessed after resignationwith U.S. v. Agrawal in New Yorksecrets printed out and taken home a few pages per day. (The case is U.S. v. Agrawal, 2nd U.S. Circuit Court of Appeals, No. 11-1074. The lower court case was U.S. v. Agrawal, U.S. District Court, Southern District of New York, No. 10-417.)
Data security measures that companies can implement include a secure firewall, controlled access to sensitive IP, secure passwords, secure hardware, restrictions on use of devices not issued by the company, and employee education about security risks. There are a number of software solutions available as well. If theft of IP or a cyber attack is uncovered, in-house lawyers must act quickly to evaluate the intrusion or theft, preserve evidence, and consider steps to remedy the breach, including seeking a temporary restraining order and consulting with law enforcement.
The governments renewed focus on IP theft is laudable. Unlike many of the high-profile cases involving foreign bribery that have captured headlines and space at numerous seminars, the impact of IP theft on shareholders and employees of U.S. companies is direct and profoundall the more reason in-house counsel must understand the risks of data theft and the available tools to prevent and respond to incidents.
Ryan McConnell is a partner at Morgan Lewis and a former federal prosecutor. He also teaches corporate compliance and criminal procedure at the University of Houston Law Center. Tim McInturf is the executive vice president and general counsel at Quantlab Financial and a frequent author and speaker on data security and IP protection issues. McInturf is the co-author of Keeping Your Secrets Secret: an Employer's Primer on Trade Secret Protection, Noncompetition Agreements, and Unfair Competition in Texas (44 Tex. J. Bus. Law 231, 2012) and a contributor to M. Scott McDonalds Drafting and Litigating Covenants Not to Compete (BNA Books 2009). McInturf will speak on data security at the University of Houstons Second Annual Ethics and Compliance Conference in Houston Texas on June 6, 2013.