October 23, 2018

How to Avoid Losing Your Trade Secrets When Moving To the Cloud

A company’s decision to move the storage of its data and information to the cloud is not without business and legal risks and should not be taken lightly.  One of the legal issues that has not figured prominently in a discussion of the risks is whether and how the storage of confidential information on the cloud may affect its classification as a trade secret.  Given the importance of trade secrets to many companies’ bottom line, this issue should not be overlooked in deciding whether to move to the cloud.

The crucial issue in many trade secret litigations is whether the trade secret owner has undertaken “reasonable efforts” under the circumstances to maintain secrecy.   So long as secrecy is maintained, the trade secret remains protectable under trade-secret law. This means that unlike other forms of intellectual property, trade secrets can remain protected indefinitely. Conversely, public or other inadvertent disclosure of the trade secret results in the loss of its protection.

The test of what constitutes a “reasonable effort,” focuses primarily on the actions of the trade secret owner and the value of the trade secret.   There are literally hundreds of decisions discussing what does and what does not constitute a reasonable measure when undertaken by the trade secret owner.  However, there is little or no guidance as to what happens when an owner gives up control and protection of the trade secret to a third party, for example, by contracting with a vendor to store their confidential information in the cloud. The issue is no longer whether the trade secret owner has undertaken reasonable efforts to protect the trade secrets, but whether the trade secret owner has hired a third party who is required to adequately protect the confidential information and does, in fact, do so.

Although there have been no reported decisions addressing this issue, the test to determine whether the trade secret owner has employed reasonable measures would seem to involve a two-part inquiry, whether the trade secret owner (1) has hired a vendor who claims to use reasonable measures; and (2) has conducted sufficient due diligence that makes it reasonable to believe that the cloud vendor actually does employ such measures.  In other words, the test involves both objective and subjective components.

First, with regard to the protective measures claimed by the cloud vendor, it is essential for the trade secret owner to understand the technical details of how the cloud vendor processes, transmits, and destroys customer data.  In particular, and at a minimum, a trade secret owner should ensure that its data is kept separate from other customers, that it is encrypted using a robust encryption standard, that the servers storing the data are physically protected and that when the customer no longer needs the information that it is actually deleted from all of the systems.

Second, it is not enough for the trade secret owner to simply rely on the representations of the cloud vendor, but the trade secret owner must be satisfied that the cloud vendor actually does follow the claimed protective measures. In that respect, the vendor should warrant to the protective steps it undertakes, and that the confidentiality terms should extend beyond the termination of the agreement.  In addition, the vendor must accept responsibility for its employees, agents and subcontractors and, trade secret owners should consider requiring the cloud vendor to have insurance covering all types of events leading to the loss in value of the information at levels that reflect the value of the information being stored.

How a court will determine under what circumstances information stored in the cloud will lose its trade secret status has yet to be determined. However, by being aware of the issue, and undertaking the steps described above, a company should be in a better position should it have to convince that it took reasonable steps to maintain the secrecy of its trade secret stored in the cloud.

 

Powerful New Tool to Fight Theft of Trade Secrets

Federal Circuit Provides U.S. Companies with New Tool to Fight Theft of Trade Secrets

The United States Federal Circuit Court of Appeals (“CAFC”) in TianRui Group Company Ltd. v. Int’l Trade Commission provided a significant domestic remedy for U.S. companies whose manufacturing processes are misappropriated overseas.

Under Section 337 of the Tariff Act of 1930, the International Trade Commission (“ITC”) is authorized to exclude imports when it finds “[u]nfair methods of competition and unfair acts in the importation of [those] articles.”  In TianRui Group, a U.S. company (Amstead) complained that TianRui Group had obtained its trade secret process for the manufacture of cast steel railway wheels from former employees of an Amstead Chinese licensee, who went to work for TianRui. The employees were privy to Amstead’s trade secrets and were subject to an agreement not to disclose any confidential information.  Amstead alleged in the ITC that TiranRui Group used the trade secrets in a manufacturing process for cast steel railway wheels and imported the wheels into the U.S.  The ITC administrative law judge first rejected TianRui Group’s attempt to terminate the proceedings on the ground that Congress did not intend for section 337 to be applied extraterritorially.  Then after a ten day hearing, the judge found that TianRui Group had misappropriated over 100 trade secrets belonging to Amstead.

On appeal, the CAFC held that a product manufactured outside the United States with the assistance of a stolen trade secret owned by a U.S. based company can be barred from importation into the United States under section 337, even if the theft of the trade secret occurred entirely outside of the U.S.  In reaching this conclusion, the court reviewed the principles that apply to federal statutes that create causes of action based in part on conduct that occurs overseas.

[Read more…]

Supremes Debate the Limits of Patentability

Background

The United States Supreme Court on December 7, 2011, heard oral argument in Prometheus Laboratories v. Mayo Collaborative Services, U.S. No. 10-1150, 12/7/2011, which addressed the issue, in general, of when natural phenomena becomes patentable under Section 101 of the Patent Act.  Just last year, the Supreme Court in Bilski v. Kappos, 130 S.Ct. 3218 (2010), addressed the related issue of what constitutes an abstract idea  under Section 101.

Prometheus Laboratories sued Mayo Medical Laboratories for infringing its patent on a diagnostic method for treating Crohn’s disease. The Federal Circuit in 2009 reversed a summary judgment that the claimed method is ineligible for patent protection under 35 U.S.C. Section 101, and Mayo sought Supreme Court review. The case was remanded to the Federal Circuit for reconsideration in light of the Supreme Court’s ruling in Bilski.  

The Federal Circuit then held that claims reciting the application of naturally occurring correlations between metabolite levels and efficacy or toxicity, and the method of calibrating proper dosage of drugs to treat autoimmune diseases are patentable.  In particular, the claims state that a level less than 230 “indicates” a need to increase the medicine, and that a level greater than 400 “indicates” a need to decrease the medicine.

The Federal Circuit rejected Mayo’s assertion that the patent impermissibly claims natural phenomena and, thus, should be rejected under Section 101 of the Patent Act.  According to the court, the claims “recite specific treatment steps, not just the correlations themselves.  And the steps involve a particular application of the natural correlations: the treatment of a specific disease by administering specific drugs and measuring specific metabolites.  As such, and contrary to [defendant’s] assertions, the claims do not preempt all uses of the natural correlations; they utilize them in a series of specific steps.”

[Read more…]

Report: “Foreign Spies Stealing US Economic Secrets In CyberSpace”

The Federal Government just released a report that found that “Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation’s prosperity and security.”

The Report,  “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011,” finds that foreign agents collect sensitive economic information from U.S. companies and are able to operate in cyberspace with little chance of detection.  The report paints a grim picture of the threat to the United States posed by “foreign economic collection and industrial espionage” stating that it represents “significant and growing threats to the nation’s prosperity and security.  Cyberspace—where most business activity and development of new ideas now takes place—amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.”

The Report further states that: “Economic espionage inflicts costs on companies that range from loss of unique intellectual property to outlays for remediation, but no reliable estimates of the monetary value of these costs exist.  Many companies are unaware when their sensitive data is pilfered, and those that find out are often reluctant to report the loss, fearing potential damage to their reputation with investors, customers, and employees.  Moreover, victims of trade secret theft use different methods to estimate their losses: some base estimates on the actual costs of developing the stolen information, while others, project the loss of future revenues and profits.”

The Report specifically identifies China and Russia as being the most “active and persistent perpetrators of economic espionage” and details recent insider thefts of corporate trade secrets with a link to China.  Note: that the Report does not mention that a former Motorola employee, Hanjuan Jin, has been charged in a plot to steal cellular telephone technology from Motorola and to provide it to a Chinese competitor looking to work with the Chinese military.  A bench trial on these charges began on November 7, 2011, in Chicago.  The court is expected to issue its decision in December.

The obvious issues arising from the Report are whether Congress will provide U.S. companies with additional tools to fight economic espionage by enacting, for example, a civil economic espionage act with broad jurisdiction, and, even if Congress does act, will U.S. companies begin to do more to protect their intellectual property?

My book, Intellectual Property Computer Crimes,”  (Law Journal Press 2003) contains a very detailed and up to-date analysis of the EEA, including a description of all cases that the government has brought to-date.  (To purchase my book click here).

The Coming Social Gaming Patent Wars?

The battle over smart phone patents has been widely reported in the media, as industry giants, such as Apple and Samsung, battle for dominance, but as I describe, another technology could be poised for a similar patent battle – Social Gaming.  Only a few years ago hardly anyone knew what Social Gaming was, now the Social Gaming market will surpass $1 billion in sales this year with millions of  Americans expected to be playing games such as “Farmville” and “Zuma Blitz.”  While still a fraction of the overall $25 billion video game industry, the lower costs and increased accessibility on smart phones present a bright future for online gaming companies.  Based on the rising number of users and advertisers, and willingness of players to purchase virtual items that enhance the gaming experience, most people think that the industry will continue to grow rapidly.  However, a number of smaller companies are suing the industry leaders for patent infringement.  In what could be a lesson for other companies striving to be the leader in a competitive high technology field, sales are important, but so is a strong patent portfolio that can be used for both offensive and defensive purposes. The industry leader in Social Gaming, Zynga, may be learning this lesson the hard way.

If you’re interested in learning about recent developments in smart phone patent litigation and how they may be an indicator of coming patent battles in the Social Gaming arena, please listen to my podcast:

http://legalcurrent.com/2011/11/01/podcast-november-2011/

Court Introduces Alternative to Markman Hearings

A “Markman” hearing refers to the hearing held by a district court to determine the meaning and scope of the claims at issue in a patent litigation.  As every patent litigator will tell you, the outcome of the Markman hearing often, if not, usually determines the outcome of the case.  Cases are won or lost based on how the court construes key claim terms. Now, former Chief Judge Crabb of the Western District of Wisconsin has instituted a fundamental change in how and when a court will construe a patent claim’s terms.  Indeed, she has done away with stand alone Markman hearings and will construe terms as part of summary judgment motion practice.  If this practice is followed by other courts, it will result in a sea change in the patent litigation process.

The court in Dashwire v Synchronoss  for “reasons that are irrelevant to this order and not subject to input from counsel” changed the procedures for construing claims and deciding summary judgment motions in patent lawsuits.  If this change is followed by other district courts it could have a major impact on patent litigation.  In particular, Judge Crabb will now construe terms as part of summary judgment motions practice.  The court will not hold a stand-alone claims construction hearing and will not issue an order construing claims.  Instead, if any party wants the court to construe a claim, it must make that request and offer its proposed construction as part of its motion for summary judgment.   In order to accommodate this procedure, the court moved its long-standing summary judgment motion one month forward, so that it will fall about seven months before trial.  The Order also provided that the court will decide whether to schedule oral argument in a particular case, and each party must include in its summary judgment pleadings which topics it is requesting for oral argument.  The Order also provided guidelines on how long and what topics could be presented during oral argument.

Please let me know on what you think about J. Crabb’s decision to make claim construction part of summary judgment motions.

Big News: Federal Civil Trade Secrets Bill is Introduced

Big News! After years of speculation and talking, it’s finally happened.  Congress is seriously considering amending the criminal theft of trade secrets law (referred to as the Economic Espionage Act) to include a private cause of action.  Soon, you too may be able to sue for theft of trade secrets in federal courts.

Last week, Senators Herb Kohl (D-Wis) and Christopher  Coons (D-DE) introduced an amendment to the Currency Exchange Rat Oversight Reform Act that would amend the Economic Espionage Act to include a provision that would give private litigants the right to sue in federal court for the theft of trade secrets.  Currently, the EEA is strictly a criminal statute and civil claims for trade secret theft must be brought in state courts, unless there is another basis for asserting federal jurisdiction.  Since the EEA was enacted in October of 1996, the federal government has brought approximately 60 cases under the EEA.  The amendment would enable victims of trade secret theft to seek injunctive relief and compensation for actual damages.

The proposed bill would amend 18 U.S.C. section 1836 to provide that “[a]ny person aggrieved by a violation of section 1832(a) may bring a civil action under this subsection.’   In turn, in order to prove a violation of section 1832 as it presently reads, the government must prove (1) the defendant stole or without authorization of the owner, obtained, destroyed, or conveyed information; (2) the defendant knew this information was proprietary; (3) the information was in fact a trade secret; (4) that the defendant acted with intent to convert a trade secret to the economic benefit of a third party; and (5)  that the defendant act intending or knowing that the offense will injure any owner of that trade secret.  To read a copy of the bill, please click on the following link for the Civil EEA.

My book, Intellectual Property & Computer Crimes,”  (Law Journal Press 2003) contains a very detailed and up to-date analysis of the EEA, including a description of all cases that the government has brought to-date.  (To purchase my book click here).   In addition, as a federal prosecutor with the Computer Crime & Intellectual Property Section of the United States Department of Justice in the 1990s, I advised Congress on the EEA and my law review article, The Prosecution of Trade Secrets Thefts Under Federal Law, 22 Pepperdine L.Rev. 59 (1994), was cited in the legislative history in support of the EEA.  Finally, I also was the lead prosecutor in one of the first cases, United States v. Four Pillars, ever brought under the EEA.

Please post a comment about what you think of the proposed law.

 

When to Report a Computer Hack: Timing is Everything

Have you ever been concerned about when to report a computer intrusion?  Since my original post, I have had a number of questions about whether and when a company must or should notify its customers that personal identifiable information or credit card information has been stolen.  This is an important question for all companies that store customer information and are connected to the Internet.  In addition, according to a recent study by the Ponemon Institute, which specializes in computer and privacy issues, data theft is growing “more frequent, more severe, and harder to detect and and stop.”  In other words, there are more bad guys on the Internet than ever before.

The easy answer as to when a company should inform its customers is for a company to send out notifications  as soon as possible so the affected individuals can take prompt action to protect their information such as by notifying their credit card companies or changing their user passwords.  However, as two recent cases suggest, the easy answer is not always the best answer.  On June 13, 2011, a federal court held Conamerica liable for data breach losses even though it notified its customers and stopped all account activity within six hours.  Conversely, Citibank may have been justified in waiting nearly a month to begin notifying 360,000 customers of a breach.

According to court records, the trouble in Conamerica began when a controller of a small company responded to what appeared to be an email from the bank by providing confidential login information.  The information allowed the bad guys to steal almost $1.9 million out of the company’s account and transfer the money into accounts in China, Estonia, Finland, Russia, and Scotland.  It took the bank 6 hours to notice the fraudulent transactions, notify the customer and stop the transfers.  Despite the relatively quick action by Conamerica, the court held that the bank was responsible for the $560,000 that was not recovered because the bank didn’t act in “good faith.”  The court stated that “a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”

[Read more…]

Answers To The Most 5 Frequently Asked Questions Regarding Data Protection in the United States

1. Are there any database protection rights in the United States? If so, could these be used to protect information such as sports fixture lists, timetables or other collections of data? Are there any decisions on the scope of protection and/or what can be protected?

2. Could such information be protected under copyright law and if so how? Has this protection been tested in any cases?

In the United States, database protection rights exist in only a few limited areas, including the protection of semiconductor chips and boat hulls.  Currently, no law exists that explicitly provides protection to databases and collections of data.  Although legislators have introduced bills in the United States Congress to protect databases, Congress has never enacted any of these bills into law.  Without these type of rights, collections of data only receive protection under if they can be protected under copyright law. Among other requirements to be protected under copyright law, the work has to be “original” which means that the work is independently created and not copied from other works.  (See 17 U.S.C. § 102(a).)  The copyright in a compilation or derivative work extends only to the material contributed by the author of such work, as distinguished from the preexisting material employed in the work, and does not imply any exclusive right in the preexisting material.  Thus, there is no copyright protection in the underlying facts or data in a compilation.  In addition, the United States Copyright Office has issued regulations prohibiting the use of copyright to protect “information that is common property containing no original authorship,” such as “schedules of sporting events[] and lists or tables taken from public documents or other common sources.”  (22 C.F.R. § 202.1(e).) [Read more…]

Patent Reform and Tech Transfer

There are presently two bills pending in Congress, S 73 and HR 1249 that would significantly change patent law in the United States.   Much has been written about the proposed adoption of the first inventor to file requirement that would bring the United States closer to harmonization with all other countries,  however, very little has been written about how this change would impact public universities which have become increasingly aware of how a large patent portfolio can generate significant revenue.  The first provision that has been generally overlooked is that the proposed law includes an exception to the first to file rule for university inventors. The second is a change in the importance of lab notebooks.  Third, would be changes in the fee structure, and, fourth is the expansion of prior user rights.
[Read more…]