Cyberattacks are an unfortunate reality of today’s business environment. Theft by hacking of confidential consumer information and the legal fallout have been well reported—some of the higher-profile victims include Target, Home Depot and the notorious Ashley Madison website. In addition to consumer information, a company’s trade secrets invariably get caught up in the cyberbandits’ web. As a result, businesses should be just as concerned about the compromise of these important business assets by way of cyberattacks.
The key to effectively addressing computer-based theft of confidential trade secrets actually begins prior to the hacking. Almost all businesses have trade secrets, which include things like customer lists and information, formulas and unique business processes. To obtain the legal protections afforded to trade secrets by federal and state law, however, a company must be able to show that the information is in fact confidential and that the business has taken reasonable measures to maintain that secrecy.
The first step to protecting trade secrets is to identify exactly what your trade secrets are. Too many companies take the approach that their trade secrets consist of “everything” or “the way we do business,” without being able to articulate exactly what is unique or proprietary about the information. Companies should conduct a trade secret audit every year seeking input from key management and IT personnel, as well as legal counsel. Once the trade secrets are identified, they should be logged, and the list should be reviewed and updated every year. Only when something is quantified can adequate steps be taken to protect it.
Having identified its trade secrets, a business must make reasonable efforts to protect the secrecy of the information. Such steps will ideally include nondisclosure agreements executed by all employees, physical and virtual barriers to access to the materials, adherence to current best practices (usually with input from an IT consultant) for guarding computer systems from attack and the development of incident response procedures to be implemented in the event of an attack. While it is impossible to completely prevent theft of trade secrets from an outside hacker, taking reasonable steps for prevention of theft is required for obtaining legal remedies after an incident.
Despite best efforts at prevention, a breach of computer systems by an anonymous hacker can happen, and theft of trade secrets may occur as a result. To mitigate damage and try to preserve the protected status of the trade secrets, businesses must act fast. Hopefully, an incident response team will already exist, and that team can go to work to identify and remediate the source of the breach and further identify what trade secrets have been affected.
Identifying the anonymous trade secret thief is usually very difficult. The investigation will necessarily involve internet service providers, who may not be willing to cooperate without a subpoena. Thus, a victimized business may need to file a lawsuit against a John Doe defendant, which will then provide the avenue for the issuance of subpoenas for documents and information.
The biggest risk from a cyber trade secret theft, of course, is that the secrets get exposed to competitors and the public, thus losing their value as business assets. If the wrongdoer can be quickly identified, a combination of civil and criminal remedies should be initiated to try to stop the individual from further use or disclosure of the secrets.
State and federal trade secret and computer fraud laws allow for immediate temporary restraining orders to be imposed against the hackers. Additionally, the new federal Defend Trade Secrets Act of 2016 provides, in certain circumstances, for the immediate seizure without notice of misappropriated trade secrets and the devices containing them.
When trade secrets are stolen through a cyberattack, criminal remedies should be pursued in tandem with the civil actions. Computer-enabled theft of trade secrets is a crime under both state and federal laws, and there are multiple agencies that have the jurisdiction to investigate such thefts, including the FBI, Secret Service, ICE, U.S. Postal Inspection Service, ATF and local law enforcement agencies (although the locals are the least likely to have the resources available and inclination to investigate).
The advantages to a criminal investigation over a civil lawsuit include the government’s broader investigative powers, the lower expense to the business, and a greater deterrent effect on the wrongdoer and any prospective cyber thieves. The disadvantage is that the victimized business does not have the same input and control over the pace of the process and outcome that it has in a civil lawsuit, thus making a dual civil/criminal track the best approach for an effective mitigation of the trade secret theft.
The victim of trade secret theft will also need to consider actions against third parties who are not necessarily the trade secret thieves, but who are unfairly using or disclosing the improperly obtained information. In those circumstances, the trade secret owner should demand that the third party cease and desist from any further use or disclosure (such as posting the secrets on a website), and that the party destroy or return the stolen information. There are defenses that a third party may have that are not available to the wrongdoer himself, but the effort to stop the use should still be made. If the disclosure of the information has been minimal, there is at least a chance that its legal status as a trade secret, and the protection afforded thereby, can be preserved by fast and aggressive action.
The risk of theft of trade secrets by cyberattack cannot be eliminated, but advance preparation for such an attack—and swift and effective responses to attacks when they occur—can help minimize the damage to and preserve the high value of this class of intellectual property.