Chinese wind turbine manufacturer Sinovel Wind Group Co. Ltd. was convicted last month of stealing software from AMSC Inc., a U.S.-based company formerly known as American Superconductor Inc. The theft nearly destroyed the American company, which lost substantial service contracts after the theft and began to shed market capitalization, jobs, and facilities as a result. With the conviction, Sinovel now awaits sentencing, scheduled for June 2018, which could include more than $1 billion in fines and a multi-year probationary period.
Sinovel and AMSC had a history of working together prior to the trade secret theft. In 2005, the companies partnered on several large energy infrastructure projects with Sinovel supplying wind turbines and AMSC supplying software used to control the flow of electricity generated by the turbines onto the electrical grid. AMSC’s software is directed to technology known in the industry as Low Voltage Ride Through (LVRT), which helps prevent damage to turbines and supporting equipment during electrical transients on the grid. [Note 1].
By 2011, Sinovel and AMSC had entered into contracts worth hundreds of millions of dollars. But that year, according to the criminal case, senior managers at Sinovel convinced a disgruntled AMSC employee to download and transfer AMSC’s LVRT software to Sinovel. Since a trade secret is any commercially-valuable information subject to reasonable efforts to maintain its secrecy, this software transfer to Sinovel constituted trade secret theft. With AMSC’s software in hand, Sinovel then backed out of a number of contracts with AMSC to avoid paying some $800 million in software fees.
Sinovel’s theft was not discovered until 2013, when the Chinese manufacturer commissioned a Massachusetts-based company to construct new turbines that incorporated the stolen software. That company alerted the FBI to the presence of AMSC’s stolen software, and after an investigation the FBI and U.S. Department of Justice brought criminal charges against Sinovel. [Note 2].
The consequences of Sinovel’s trade secret theft were dramatic. AMSC lost a staggering $1 billion in market capitalization as a core revenue stream – its LVRT software contracts – dried up. On the other side, the actions of two Sinovel employees have exposed the company to enormous scrutiny, bad press, and fines. For those of us following from the sidelines, there are three clear takeaways from this case:
- The most serious threats to your company’s trade secrets are sometimes internal rather than external.
When Sinovel decided to steal AMSC’s software, they didn’t hire a team of hackers but rather turned to an AMSC employee. Although external threats such as hacking and cyber espionage should be taken seriously, companies also need to consider internal threats when designing protections for their trade secrets. Those protections usually begin with restricting access to only those with a genuine need to use the secret information. Companies seeking to protect trade secrets should consider:
- Who currently has access to the secret? Do those employees truly need access?
- What type of restrictions (physical, electronic) can be placed on access to the secret without overly burdening productivity? Can access be restricted by date, time, location, duration, etc.?
- To what extent does access to the secret commingle with personal electronic devices such as USB drives, external hard drives, and smartphones?
- What types of contractual protections such as confidentiality, non-disclosure, and non-compete agreements can be used in relation to the trade secret?
- How are current employees and new hires educated on the company’s trade secrets, measures in place to protect those secrets, and the consequences of public disclosure?
- Cybersecurity protections should include monitoring functions.
It took months for AMSC to learn its software had been stolen, and even then it only learned of the theft from the FBI. The LVRT software was a “crown jewel” of AMSC’s business, yet AMSC appears to not have had sufficient monitoring in place to realize that the software was stolen or even to identify unusual activity. When AMSC began to lose contracts, revenue, and market capitalization after the theft, it would have been helpful to the company if it had the ability to review employee activity for suspicious behavior.
At a minimum, companies need to maintain an activity log for sensitive data files. Modern trade secrets like customer lists, algorithms, technical plans, vendor lists, marketing strategies, and financial statements are almost universally stored in electronic format. In addition to the access restrictions discussed above, a strong protection regime monitors and logs use of the trade secret. If possible, monitoring functions should be implemented that seek to identify suspicious activity related to sensitive data files.
Simply monitoring employees’ use can’t stop them from taking trade secrets, but it can potentially deter such theft and help companies quickly mitigate the damage following a theft.
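An added example (not from the original article) of the kind of activity-log review described above: it checks constructed access-log lines for a sensitive directory against the restrictions listed under the first takeaway (who needs access, time of day, removable devices) plus a size threshold. The log format, paths, user names, and thresholds are all assumptions chosen for illustration.

```python
from datetime import datetime

# All values below are assumptions for this example, not taken from the article.
SENSITIVE_PREFIX = "/secure/source/"          # hypothetical location of the protected files
NEED_TO_KNOW = {"alice", "bob"}               # hypothetical approved users
WORK_HOURS = range(7, 19)                     # permitted window, 07:00-18:59
BULK_BYTES = 50_000_000                       # per-event size threshold
REMOVABLE_PREFIXES = ("/media/", "/mnt/usb")  # removable-media mount points

# Constructed sample log: timestamp user action path bytes destination
SAMPLE_LOG = """\
2024-03-04T10:15:00 alice read /secure/source/control.c 18000 -
2024-03-04T23:40:00 alice copy /secure/source/control.c 18000 /media/usb0/control.c
2024-03-05T09:05:00 carol read /secure/source/build.cfg 900 -
2024-03-05T14:00:00 bob copy /secure/source/release.zip 90000000 /home/bob/release.zip
2024-03-05T14:30:00 bob read /public/readme.txt 100 -
"""

def review_event(line):
    """Return (user, reasons) for one log line; reasons is empty if nothing stands out."""
    try:
        ts, user, action, path, size, dest = line.split()
        hour, size = datetime.fromisoformat(ts).hour, int(size)
    except ValueError:
        # A line that cannot be parsed is itself worth a reviewer's attention.
        return "?", ["unparseable log line"]
    if not path.startswith(SENSITIVE_PREFIX):
        return user, []
    reasons = []
    if user not in NEED_TO_KNOW:
        reasons.append("user not on need-to-know list")
    if hour not in WORK_HOURS:
        reasons.append("outside permitted hours")
    if action == "copy" and dest.startswith(REMOVABLE_PREFIXES):
        reasons.append("copy to removable media")
    if size >= BULK_BYTES:
        reasons.append("bulk transfer")
    return user, reasons

def review_log(text):
    """Return [(line_number, user, reasons)] for every line with at least one reason."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            user, reasons = review_event(line)
            if reasons:
                findings.append((n, user, reasons))
    return findings

if __name__ == "__main__":
    for n, user, reasons in review_log(SAMPLE_LOG):
        print(f"line {n}: {user}: {', '.join(reasons)}")
```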
- Employee actions can lead to tremendous legal and financial exposure.
On the other side of this case, two Sinovel employees – the Deputy Director of Research and a Technology Manager – conspired with an AMSC employee to transfer AMSC’s software to Sinovel. From the actions of two employees, Sinovel has been subjected to extensive investigation by U.S. law enforcement authorities, convicted of trade secret theft, and now faces extensive financial penalties. Although the conspiracy in Sinovel’s case almost certainly reached to higher management in the company, the sobering reality is that even a single employee can create substantial risk for a company by misappropriating trade secrets.
In order to avoid misappropriating the trade secrets of other companies – or even actions that can be construed as misappropriation – a company needs to educate its workforce on the basics of trade secrets. Managers need to be trained to identify potentially problematic behaviors of employees and need to adequately supervise those employees when handling sensitive matters.
One aspect of a business that is fraught with trade secret concerns is hiring new workers. Many companies today will perform extensive due diligence on potential new employees to identify any sensitive information they may have had access to in previous jobs. In appropriate circumstances, the new employee may be asked to sign a document memorializing their agreement not to bring sensitive information from a previous job. In some cases, a company may require that the new employee be walled off from particularly sensitive projects to avoid concerns that the employee could even inadvertently mix trade secrets from a previous job.