As then-Attorney General Eric Holder has explained, “There are only two categories of companies affected by trade-secret theft: those that know they’ve been compromised and those that don’t know yet.” Indeed, in today’s world, where corporate data is primarily stored electronically, and remote access capabilities (including the use of VPNs and cloud storage) are becoming commonplace, it is easier than ever for an employee to take and/or disseminate a company’s highly valuable confidential information or trade secrets. Thus, the issue for companies is becoming when will data theft occur rather than if it will occur. As a result, the questions companies need to be asking are: (1) how to minimize the chance and scope of any data theft; and (2) how to be in the best position to seek legal remedies after theft has occurred.
The Risk Is Real and Significant:
The risk of data theft is serious and growing. According to a recent study:
- 50% of employees who left or lost their jobs in the last 12 months kept confidential corporate data, and 40% planned to use it in their new jobs;
- 62% of employees believe it is acceptable to transfer work documents to personal computers, tablets, smartphones, or online file-sharing applications;
- 56% of employees do not believe it is a crime to use a competitor’s trade secret information; and
- 51% percent of employees think it is acceptable to take corporate data because their company does not strictly enforce policies.
Consistent with these statistics, the FBI has remarked that “[t]here are increased incidents of employees taking proprietary information when they believe they will be, or are, searching for a new job.” As a result, the FBI reported that, from 2009 to the end of 2013, the number of economic espionage and theft of trade secrets cases overseen by the Economic Espionage Unit increased by more than 60%. In fact, theft of trade secrets has been estimated to be approximately equal to 1% to 3% of the United States’ gross domestic product.
Notably, the risk of theft is not limited to certain industries nor to employees of a certain level. Winston has handled cases involving theft of trade secrets and/or confidential corporate data in a variety of industries, including medical devices, financial services, consumer goods, and communications.
The Risk of Data Theft Can Be Minimized:
There are ways a company can minimize the chance that an employee steals its data. For example:
- Drafting robust policies and utilizing employee agreements that not only prohibit the misappropriation of data but also clearly articulate the company’s property rights and limit employee use of cloud storage, virtual machines, and external storage devices.
- Limiting access to sensitive data to only those who have a business purpose for accessing that data.
- Implementing simple, un-intimidating mechanisms for employees to report suspicious conduct of other employees.
- Utilizing physical security measures (e.g., keycards to access the building, passwords to access computers or even particular files, preventing employees from being able to mount portable storage devices to their computers).
- Taking pro-active steps when an employee is terminated, such as cutting off access to any corporate network or server well in advance of termination to ensure this step has been completed and escorting the employee out of the office without allowing him to return to his work space.
- Setting up alerts for when an employee (particularly an employee who resigned but continues to work) initiates a large download of data.
- Considering whether “bring your own device” or remote access policies can be strengthened to better control access and use of corporate data.
- Assessing whether there are technological security measures that could be employed to protect the company’s crown jewels, such as utilizing programs that insert a homing beacon in certain files that alerts the company if such file is accessed outside of the corporate network, or adding key-logging programs to certain employees’ computers.
- Conducting an exit interview with an employee who resigned to try to determine if he may be disgruntled and/or may be going to work for a competitor.
If steps are not taken even before any theft occurs, and any theft is not responded to promptly and properly, a company may hinder—or even wholly undermine—its ability to seek civil and/or criminal remedies. For example:
- Reasonable steps must be taken to keep data confidential to ensure it meets the definition of a “trade secret,” a definition with nuanced variations under state and federal law.
- If an employee’s access to trade secret data is not limited through physical security measures and/or policies outlining acceptable use, it may be impossible to pursue a claim for “unauthorized access” under the Computer Fraud and Abuse Act, particularly in the Ninth Circuit.
- A company can strengthen its litigation position if it specifically discussed any policies and employment agreements with the employee during the on-boarding process, had the employee certify his understanding of any agreements during on-boarding, trained the employee periodically on the company policies, and conducted an exit interview, during which the employee was reminded of—and perhaps even acknowledged in writing—his obligations.
- Without explicit and robust provisions in the company handbook allowing the company to review the employee’s devices, cellphones, emails, artifacts of personal email or social media accounts accessed on corporate computers, cloud storage accounts, and items brought into the office—as well as policies that allow any findings to be shared with outside counsel or law enforcement—any investigation could be limited by privacy issues.
- If IT personnel are not trained on a protocol to collect and preserve employee devices immediately and in a forensically sound manner—and to not conduct their own investigation until a device has been imaged—key forensic artifacts may be lost and the integrity of any data found may become questionable. Maintaining the chain of custody is also important if a criminal prosecution may be an option.
- If a computer forensic expert is hired promptly, it significantly increases the chance that data will be properly preserved and that key evidence can be found because electronic evidence is often the lynchpin for civil and/or criminal liability (yet, it can be difficult to mine and is easily lost).
- If employees who are interviewed are not given proper Upjohn warnings (and their acknowledgment memorialized), the employers may not be able to use their statements against them.
- Privilege may be waived if the investigation team is not identified and limited, if employees do not work at the “direction of counsel,” if communications are not properly marked and only disseminated within the team, or if the company is not careful about how it shares information with law enforcement.