One would think that a civil jury award of $1.3 billion (even one that may be subsequently reduced by a judge to $272 million) would provide sufficient warning to companies about the perils of trade secret litigation. But, as the long-running dispute between SAP AG and Oracle Corporation makes clear, defendants should be concerned not just about the possibility of an adverse civil judgment, but also the possibility that matters can get much worse. To wit, earlier this month, SAP pleaded guilty to numerous criminal charges stemming from its trade secret dispute with Oracle.
The SAP plea agreement may be a harbinger of things to come in trade secret litigation. The civil case was particularly noteworthy in that prosecutors from the U.S. Department of Justice attended and closely monitored the trial. A week after the jury found SAP liable for misappropriating Oracle’s trade secrets, the federal prosecutors – with the advantage of having observed the testimony and computer forensics evidence presented at trial – charged a now-defunct unit of SAP AG, TomorrowNow, Inc., with 11 counts of unauthorized access to an Oracle computer in violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 et seq., as well as one count of criminal copyright infringement.
The dispute originated from SAP’s acquisition of TomorrowNow, which provided third-party maintenance and product support services to companies using software licensed from Oracle. In the plea agreement, SAP acknowledged that, among other things, TomorrowNow employees used log-in credentials assigned to other companies to access Oracle’s computer system in order to download software updates and supporting materials. SAP agreed to a $20 million penalty; however, the plea agreement does not limit the government from pursuing the individual employees of TomorrowNow.
The degree of wrongdoing presented in the SAP/Oracle litigation arguably marks this case as an outlier. But the underlying allegations and basic facts do not depart significantly from those presented in many other trade secret disputes. In this era of connectivity, it has become increasingly easier for former employees (or soon to depart employees) to misappropriate trade secrets with a few mouse clicks and to bring those trade secrets along with them to a competitor. While such violations of non-compete agreements and/or trade secret misappropriations were traditionally dealt with by filing breach-of-contract and unfair competition claims, the more expansive interpretation given by courts to the CFAA now gives both civil litigants and, more recently, aggressive prosecutors another useful tool to wield in cases involving allegations of trade secret theft.
Originally passed in 1986 as a criminal statute designed to address the emerging problem of computer hackers, the CFAA was amended in 1994 to allow for private causes of action against those who accessed confidential information “without authorization” or “in excess of authorization.” At least initially, courts were hesitant to apply the CFAA to employees who were authorized to access confidential information as part of their employment duties, but who subsequently misused or misappropriated that confidential information. More recently, however, several courts – most notably the 9th Circuit in U.S. v. Nosal – have held that employees exceed authorized access under the CFAA when they engage in computer-related activities prohibited by an employer’s written policies and guidelines. Thus, employees who might violate any number of company policies by electronically accessing, copying, or forwarding their employer’s trade secrets could be subject not only to a civil claim under the CFAA, but they could also face criminal charges under the same statute.
The dual civil/criminal nature of the CFAA, coupled with the more expansive interpretation of what it means to exceed authorization under the statute, makes trade secret litigation even more risky for defendants. A prosecutor may observe the civil trial from the gallery, allow the plaintiff and its computer forensics experts to develop evidence of CFAA violations, gauge the outcome of the trial, and only then decide to bring charges. As the SAP/Oracle dispute amply demonstrates, the threat of an adverse civil judgment is not necessarily the end game. It could also be the beginning of criminal plea negotiations.