December 17, 2017

Big News: Federal Civil Trade Secrets Bill is Introduced

Big News! After years of speculation and talking, it’s finally happened.  Congress is seriously considering amending the criminal theft of trade secrets law (referred to as the Economic Espionage Act) to include a private cause of action.  Soon, you too may be able to sue for theft of trade secrets in federal courts.

Last week, Senators Herb Kohl (D-Wis) and Christopher Coons (D-DE) introduced an amendment to the Currency Exchange Rate Oversight Reform Act that would amend the Economic Espionage Act to give private litigants the right to sue in federal court for the theft of trade secrets.  Currently, the EEA is strictly a criminal statute and civil claims for trade secret theft must be brought in state courts, unless there is another basis for asserting federal jurisdiction.  Since the EEA was enacted in October of 1996, the federal government has brought approximately 60 cases under the EEA.  The amendment would enable victims of trade secret theft to seek injunctive relief and compensation for actual damages.

The proposed bill would amend 18 U.S.C. section 1836 to provide that “[a]ny person aggrieved by a violation of section 1832(a) may bring a civil action under this subsection.”  In turn, in order to prove a violation of section 1832 as it presently reads, the government must prove (1) that the defendant stole or, without authorization of the owner, obtained, destroyed, or conveyed information; (2) that the defendant knew this information was proprietary; (3) that the information was in fact a trade secret; (4) that the defendant acted with intent to convert a trade secret to the economic benefit of a third party; and (5) that the defendant acted intending or knowing that the offense will injure any owner of that trade secret.  To read a copy of the bill, please click on the following link for the Civil EEA.

My book, “Intellectual Property & Computer Crimes,” (Law Journal Press 2003) contains a very detailed and up-to-date analysis of the EEA, including a description of all cases that the government has brought to date.  (To purchase my book click here).  In addition, as a federal prosecutor with the Computer Crime & Intellectual Property Section of the United States Department of Justice in the 1990s, I advised Congress on the EEA and my law review article, The Prosecution of Trade Secrets Thefts Under Federal Law, 22 Pepperdine L.Rev. 59 (1994), was cited in the legislative history in support of the EEA.  Finally, I also was the lead prosecutor in one of the first cases, United States v. Four Pillars, ever brought under the EEA.

Please post a comment about what you think of the proposed law.

 

When to Report a Computer Hack: Timing is Everything

Have you ever been concerned about when to report a computer intrusion?  Since my original post, I have had a number of questions about whether and when a company must or should notify its customers that personally identifiable information or credit card information has been stolen.  This is an important question for all companies that store customer information and are connected to the Internet.  In addition, according to a recent study by the Ponemon Institute, which specializes in computer and privacy issues, data theft is growing “more frequent, more severe, and harder to detect and stop.”  In other words, there are more bad guys on the Internet than ever before.

The easy answer is that a company should send out notifications as soon as possible so that the affected individuals can take prompt action to protect their information, such as by notifying their credit card companies or changing their user passwords.  However, as two recent cases suggest, the easy answer is not always the best answer.  On June 13, 2011, a federal court held Conamerica liable for data breach losses even though it notified its customers and stopped all account activity within six hours.  Conversely, Citibank may have been justified in waiting nearly a month to begin notifying 360,000 customers of a breach.

According to court records, the trouble in Conamerica began when a controller of a small company responded to what appeared to be an email from the bank by providing confidential login information.  The information allowed the bad guys to steal almost $1.9 million out of the company’s account and transfer the money into accounts in China, Estonia, Finland, Russia, and Scotland.  It took the bank 6 hours to notice the fraudulent transactions, notify the customer and stop the transfers.  Despite the relatively quick action by Conamerica, the court held that the bank was responsible for the $560,000 that was not recovered because the bank didn’t act in “good faith.”  The court stated that “a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”

Answers To The 5 Most Frequently Asked Questions Regarding Data Protection in the United States

1. Are there any database protection rights in the United States? If so, could these be used to protect information such as sports fixture lists, timetables or other collections of data? Are there any decisions on the scope of protection and/or what can be protected?

2. Could such information be protected under copyright law and if so how? Has this protection been tested in any cases?

In the United States, database protection rights exist in only a few limited areas, including the protection of semiconductor chips and boat hulls.  Currently, no law exists that explicitly provides protection to databases and collections of data.  Although legislators have introduced bills in the United States Congress to protect databases, Congress has never enacted any of these bills into law.  Without these types of rights, collections of data receive protection only if they can be protected under copyright law. Among other requirements to be protected under copyright law, the work has to be “original,” which means that the work is independently created and not copied from other works.  (See 17 U.S.C. § 102(a).)  The copyright in a compilation or derivative work extends only to the material contributed by the author of such work, as distinguished from the preexisting material employed in the work, and does not imply any exclusive right in the preexisting material.  Thus, there is no copyright protection in the underlying facts or data in a compilation.  In addition, the United States Copyright Office has issued regulations prohibiting the use of copyright to protect “information that is common property containing no original authorship,” such as “schedules of sporting events[] and lists or tables taken from public documents or other common sources.”  (22 C.F.R. § 202.1(e).)

Avoiding/Reducing Corporate Criminal Exposure for IP Violations

It takes only the acts of one rogue employee for the federal government to open a criminal investigation of the company.  In the intellectual property arena, companies have found themselves to be the subject of a federal investigation, for example, by hiring employees from a competitor who bring with them to their new company the trade secrets and other confidential information from their old company.  Avoiding exposure to liability for criminal theft of trade secrets under the Economic Espionage Act requires that businesses take a close look at all their procedures involving confidential information.  Standards of contracting authority and rules for entering into nondisclosure agreements should be reviewed to control the process of assuming, tracking, and enforcing confidentiality obligations to third parties.  Hiring practices should be reviewed to avoid hiring tainted employees and consultants and to emphasize respect for intellectual property rights as part of a company’s training program.  Perhaps most importantly, a company must examine its business relationships to determine the procedures and behaviors of those who may create vicarious liability under the EEA.

Are You Ready To Be Hacked?

A number of the largest ever computer security breaches have occurred over the past several months.  For example, at the end of March, computer hackers stole the names and email addresses of customers of Barclaycard US, Capital One and other large firms from the email provider Epsilon.  Then in April 2011, reports suggest that hackers obtained credit card information and other personally identifiable information of potentially 77 million Sony PlayStation users in 59 countries.  There have also been a number of other large-scale attacks since then. While it is extremely difficult to measure with precision the total costs and damages caused by a security breach, especially for ones as large as these, it is estimated that Epsilon and Sony may be out tens of millions of dollars.  According to one estimate, the average cost to respond to a breach in 2010 was more than $300 per affected customer.  Thus, if the estimates are correct, Sony could be facing a bill of more than $20 billion just for notifying affected customers.