If your company electronically stores or transmits trade secrets, they are at risk. Cybercrime is, after all, its own industry now. The corporate world has entered an age of cyber espionage far beyond unsophisticated phishing emails and run-of-the-mill malware. And a new era of IP-focused data breach litigation is not far behind.
Against that background, this article examines an important tool for understanding the cybersecurity standard that a company will need to meet in a litigation environment, and also for fighting back. It is none other than old-fashioned trade secret law.
Background on Cybertheft of Intellectual Property
While most of the media attention on data breaches is directed at personal and health information affecting consumers, cyber espionage directed at corporate intellectual property could quietly be even more significant. Victimized companies are not generally required or otherwise inclined to publicize IP cybertheft unrelated to customer privacy; and even if they were, these companies may not even know they have been victimized when the hacker is skilled and careful to cover electronic tracks. Still, U.S. Army General Keith B. Alexander, Commander of the U.S. Cyber Command, was able to state in 2012 that the “ongoing cyberthefts from the networks of public and private organizations, including Fortune 500 companies, represent the greatest transfer of wealth in human history.”
Consider, for example, the recent revelations about a sophisticated cyberespionage gang known as Butterfly. Information security firm Symantec reported in July that it had discovered this group attempting to infiltrate major corporations over the last three years. Symantec’s report concludes that Butterfly’s “motivation is very likely to be financial gain and given that they have been active for at least three years, they must be successful at monetizing their operation.” The report further surmises that the group likely comprised “a small team that steals data either as a service to another client or to monetize it themselves through insider trading,” and that so far its attackers “represent a threat to organizations involved in technology, pharmaceutical, law, investment, energy and natural resources.”
Guidance from the National Institute of Standards and Technology (NIST) and others can help a company think through and implement a program to deter and remediate a data breach through technical defenses, policies and planning. Yet even those in the cybersecurity business are stressing that they cannot provide complete protection. They rightly emphasize a holistic approach, including multiple layers of protection based on an assessment of data value and vulnerabilities, dynamic network monitoring and detection systems and incident response planning.
Assessing Cyberdefense with a Litigation Perspective
The natural conclusion is that companies should understand that their computer systems will inevitably be breached and should position themselves to defend their security practices in litigation. For this, the key is “reasonable” security.
For cybersecurity, a discipline that can be so technically complex and nuanced, having a vague standard like “reasonableness” may be ironic. But this is effectively the standard that courts and regulators apply in a variety of contexts. It is a fundamental concept both when a company and its officers are defending themselves—from shareholders, business partners, customers or regulators—and when the company has taken the offensive to pursue the hacker and the stolen data.
So how can you know whether your cybersecurity is reasonable in the eyes of the law? Allegations in Federal Trade Commission (FTC) and class action complaints are useful for a sense of what plaintiffs might argue, but actual court decisions would be a far better guide.
In the search for relevant court decisions, however, the problem is that data breach litigation is in its infancy. Numerous lawsuits—typically FTC or consumer class actions—have received popular press in recent years, but few if any have proceeded far enough to reach the merits of the underlying cybersecurity facts. Most have been dismissed or settled before a judge or jury could weigh in with their views of what is reasonable.
Enter trade secret misappropriation law. Well-established and largely uniform trade secret law provides a potentially superior offensive weapon following a cyber breach, and it offers precedent helpful to understanding how the reasonableness of cybersecurity measures is assessed in court.
The Uniform Trade Secrets Act as a Cyberespionage Counter-Punch
In response to a data breach, there is no shortage of defensive measures on the corporate to-do list. But for many, counter-offensive responses may be a priority. If an energy company, for example, learns that its seismic data or land and lease files have been compromised, the company will no doubt scramble to chase down the thief and the data.
Offensive measures may include contacting law enforcement, typically the Federal Bureau of Investigation or the U.S. Secret Service. These agencies can pursue violations of federal criminal laws such as the Economic Espionage Act (EEA) and the Computer Fraud and Abuse Act (CFAA). EEA coverage includes misappropriating trade secrets related to a product or service intended for use in interstate or foreign commerce (18 U.S.C. §§ 1831-1839). And CFAA coverage includes accessing a computer without authorization or exceeding authorized access to obtain information from a protected computer.
Only the CFAA, however, includes a civil right of action (18 U.S.C. § 1030). A CFAA civil action can therefore be useful, but it has its limitations. Typically the action can be brought only against the violator and those who conspired with him to access the computer without authorization. And only compensatory damages and injunctive relief are specifically prescribed as remedies.
The Uniform Trade Secrets Act (UTSA), on the other hand, explicitly provides for exemplary damages and attorney fees, and for actions against those downstream who acquire and use the stolen data, even if they were not involved in the hacking. The Texas version of the UTSA, for example, defines proscribed misappropriation to include “use” of a trade secret by a person who “knew or had reason to know that the person’s knowledge of the trade secret was [ ] derived from or through a person who had utilized improper means to acquire it.” And “improper means,” conveniently, includes “espionage through electronic or other means.” Thus, a company can use the UTSA to pursue a competitor, for example, who acquires the company’s trade secrets under suspicious circumstances, downstream from a cybercriminal.
Assessing ‘Reasonable’ Security Measures in Court
Still, there is no escaping the reasonableness standard for cybersecurity. For a company’s data even to be protected under the UTSA, it must be information that
(A) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (B) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Because this reasonableness standard has a much longer history than many cybersecurity-specific rules and policies, a survey of trade secret case law gives a useful perspective on what to expect as corporate data breach cases begin to reach the merits.
Trade secret misappropriation cases often involve electronically stored business information that has ended up in the hands of a departed employee of the plaintiff. A review of a dozen or more of these cases in a variety of American jurisdictions, largely from the last decade or two, reveals several overarching concepts related to securing electronic data.
The most commonly discussed concept in the survey of cases was password protection. Password protection for sensitive data is standard and certainly works in favor of finding reasonable efforts, but the devil is in the details. Where passwords were literally shouted across the office and written on paper notes attached to office computers, security measures were found to fall short. In another case, the court found it unreasonable that a company had sold computers to a competitor without deleting password-protected data, particularly given that the company inadvertently included the passwords in documentation accompanying the sale. These may be extreme examples, but the point is that passwords themselves must be secure.
Other technical security measures were also important, with courts favorably noting firewalls, encryption and effective network monitoring. Segregated data and segmented networks were particularly helpful in a couple of cases, including one where a TV show production company used segmented computer networks and limited access to the database with its most sensitive research files.
In addition to technical measures, policies were often critical in these cases. Most compelling seemed to be the policy of restricting data access, both internally and externally, on a need-to-know basis. A loan company, for example, restricted its loan originators’ computer access to only their own customers’ information, and required customer information to be stored only in the protected database.
Courts also considered policies on remote access, use of personal devices and employee training. They noted favorably policies requiring the company to control the setup of any remote access by employees; periodic bulletins to employees reminding them of confidentiality issues; company training on how to remove confidential information from tablet computers; annual reviews of confidentiality policies with employees; a requirement for employees to acknowledge confidentiality each time they access the computer system; and a policy requiring employees to encrypt data before copying it onto laptops.
Finally, some of the detailed requirements of reasonable security depended on specific security issues the company knew about. Where a software development company sought to have technical personnel sign nondisclosure agreements but was rebuffed, for instance, the court concluded that the company was thereby on notice that its intellectual property was vulnerable, and ultimately determined that the company had not used reasonable security measures. Another court commented on a deposition services company’s failure to close “known security holes.”
Cybersecurity practices will no doubt become more sophisticated as the industry matures and security risks are more widely appreciated. Still, the basic concepts of reasonable security seen in trade secrets cases will likely continue to carry weight. Indeed, considerations cited in these cases map reasonably well to aspects of the increasingly popular NIST cybersecurity framework published on February 12, 2014.
Meeting the basic requirements of reasonable security under the Uniform Trade Secrets Act is at least a good first step to satisfying the reasonableness standards of regulators and data protection statutes. And it is a necessary step for using the UTSA as an offensive weapon to chase down data and unauthorized users after a significant cyber espionage event.
For these reasons, companies should consider a complete assessment of their cybersecurity, led by outside counsel working with a cybersecurity consulting firm under the protection of the attorney-client privilege. They should consider a security program that: