Making a Federal Case Out of Employee Theft of Trade Secrets
Reprinted with permission of the authors and the Association of Corporate Counsel as it originally appeared: Mark Weller and Ronald Shaffer, "Making a Federal Case Out of Employee Theft of Trade Secrets" ACC Docket 26, no. 8 (October 2008): 86-94. Copyright © 2008 the Association of Corporate Counsel. All rights reserved. If you are interested in joining ACC, please go to www.acc.com, call 202.293.4103, ext. 360, or email firstname.lastname@example.org.
Imagine your CEO just hired a mid-level management employee from a competitor. Upon hire, the employee assured your CEO that he did not have a restrictive covenant. But before long, you’re served with a federal court subpoena, directing your entire computer system be made available to your competitor’s computer forensic expert for inspection and copying within 48 hours. The subpoena also includes company laptops for a number of executives—including you.
The subpoena was issued in a federal court case in which the brand-new employee is accused of stealing your competitor’s confidential, proprietary, and trade secret information prior to termination and transferring that information to his home desktop computer system via email. Although your company has not been sued, the court has issued a temporary restraining order against your new employee. That action was brought under the Federal Computer Fraud and Abuse Act. Although the employee denies taking any information, the complaint and injunction papers filed by your competitor state that a computer forensic expert has determined and confirmed that significant amounts of information were transferred by the employee prior to termination.
As CLO, you know that neither you nor your company sought to obtain any of this information from your new employee, and inform the lawyers for your competitor that you do not have any of the stolen information. But it’s not enough. The lawyers insist on confirming this for themselves through a forensic examination of your computers. They threaten contempt and sanctions if you fail to comply. But if you make your computers available, how can you avoid exposing your company’s own proprietary, confidential, and trade secret information to your competitor; or avoid producing personal, financial or other information from your laptop computer? Do you risk contempt? And how on earth can they make you turn over this information?
What do you do?
The advent of the internet, company computers, laptops, intranets, and inexpensive methods of copying vast quantities of electronically stored information has raised new issues and challenges for companies seeking to protect proprietary information and trade secrets. As more employees move between companies in the same industry, the temptation to copy proprietary information has increased, and the frequency with which former employees copy that information in electronic format has grown exponentially—thanks in part to increased sophistication of, access to, and affordability of the right technology.
Employees who are changing jobs may download or email information from an employer’s databases or company-owned laptops. Such transfer of information can be made to a personal home computer or to an external storage device such as a thumb drive or memory stick. The distinction between personal information, such as client contacts and company information, is often ignored or blurred.
For employers, protecting proprietary information when an employee changes jobs is critical to maintaining the competitive advantage and return on investment the company receives from its proprietary information. After all, companies literally spend tens of millions of dollars in product/ service research and development. Information such as pricing lists, formulae, contact information, marketing and strategic plans, client lists, costs, and financial information, just to name a few, now exist in electronic format and are easily accessible on company intranets—which makes it all the more portable to a disgruntled employee.
Electronic copying often occurs immediately before or after an employee announces a job change, but before the company-owned laptop is returned. Employees may wish only to copy and remove personal information contained on the company laptop. However, proprietary business information may be included in the transfer. It could be an innocent mistake, a need for a business “crutch” that will assist them in their new position, or a matter of simple negligence—or it may be an intentional transfer of proprietary and trade secret information to a new employer.
Although many employers routinely check company email servers to determine whether an employee has transferred or emailed proprietary information prior to termination, certain forms of transfer are more difficult to track. Memory sticks or external storage devices are becoming more popular, and copying to such devices is harder to identify, especially if an employee is determined to have deleted information or used new software to clean the computer’s hard drive. Many employers, even those with IT departments, lack the technology to determine if and when information from a company laptop has been downloaded and copied. In the absence of incriminating evidence, the employer often does not want to incur the expense of a forensic analysis to determine whether any proprietary or trade secret information has been improperly transferred, deleted, or copied from the company laptop.
Traditionally, lawsuits for theft of trade secrets against former employees have been brought in state courts under the common law of misappropriation, or theft of trade secrets. Most states possess statutes to protect trade secrets, often modeled after the uniform statute, and many states even make the theft of trade secrets a crime. In most jurisdictions, attorneys prefer to litigate in federal court, particularly since state court discovery rules can make discovery of computer systems or electronically stored information difficult and time consuming to obtain. In the absence of federal diversity jurisdiction, most theft of trade secret cases have been brought in state court. However, during the past several years, lawyers have been finding new ways to get these cases into federal court.
The Computer Fraud and Abuse Act
A little known federal criminal statute called the Computer Fraud & Abuse Act (CFAA), 18 U.S.C.A. § 1030, has become a new vehicle to file theft of trade secret cases involving computers and electronically stored information in federal court. Enacted in 1984, the CFAA was originally directed at protecting classified information on government computers, as well as financial records and credit information on government and financial institution computers. The statute also contains a civil enforcement provision. In 1996, the CFAA was amended to expand the definition of protected computers to include computers that function interstate. The amendments significantly expanded the scope and application of the federal statute. At first, no one noticed the implications of CFAA on theft of trade secrets from computer systems. Federal courts were reluctant to expand the CFAA into what otherwise might be called “garden variety” theft of trade secret cases. With the advent of the internet, however, virtually all computer use has become interstate in nature. Most internet-accessible company computers are now potentially covered by the CFAA, and information copied or downloaded from a company computer or over the internet may be subject to the CFAA.
To show a violation of the CFAA, a plaintiff must prove that:
- the defendant has accessed a “protected computer,”
- has done so “without authorization” or by “exceeding such authorization as was granted,”
- has done so knowingly and with the intent to defraud, and
- has furthered the intended fraud and obtained anything of value.
The CFAA allows a party who has suffered loss to recover compensatory damages, including costs of investigation.
The law regarding the CFAA continues to develop. Virtually every business computer system with internet access is a protected computer under the CFAA. Most of the developing case law addresses the requirement that access to the computer system be either without authorization or exceeded authorized access.
Access without Authorization
The first example, access without authorization, is trespassing on a computer system. If a non-employee hacks into a computer system or steals a password and enters the system, such access was clearly without authorization and would violate the CFAA. However, prior to resignation or termination, most employees are still authorized to access their employer’s computer systems or intranets, even from home. Those employees who access and copy (or transfer) information from their employer’s computer system prior to resignation, but while still employed, generally claim that they have not violated the CFAA because access was authorized. A number of courts have agreed and held that access during employment, if otherwise authorized, precludes a claim under the CFAA, even if the downloaded or copied information from the company’s computer system is intended to be improperly used and transferred to a new employer. This interpretation has been justified, in part, by the fact that the CFAA is a criminal statute and should be narrowly construed.
Some courts have rejected this rationale and have held that a disloyal employee can lose authorized access while still officially employed. These courts have used common law agency principles as analogies. An agent is required to act in the utmost good faith and with loyalty for the exclusive benefit of the principal-employer. An agent’s authority is limited to using information only for the advancement of the principal’s interest. An agent cannot acquire interests that are adverse to the principal. Thus, the courts have held that the authority of an agent [employee] to access a computer system terminates if, without the knowledge of the principal [employer], he or she acquires adverse interests or if he or she is otherwise guilty of a serious breach of loyalty to the principal. Although a person may still be technically employed, if computer access is obtained in anticipation of using the trade secrets to benefit a prospective new employer or competitor or to start a competing business, access may be deemed without authorization. A clear trend has not developed.
Exceeding Authorized Access
The CFAA distinguishes between the concept of initial authorized access to a computer system and the concept of exceeding authorized access. An employee who was authorized to access a computer may still be liable under the CFAA if he or she exceeds authorized access. One court has described the difference between the alternative statutory prerequisites of access without authorization and exceeding authorized access as paper-thin, though not quite invisible, in the 2006 case International Airport Centers, L.L.C. v. Citrin. Not surprisingly, case law is also divided regarding what activities constitute exceeding authorized access under the CFAA.
Some courts have held that an employee initially authorized to access an employer’s computer system during employment exceeds such authorization when information is copied, transferred, or downloaded with the intent to use or disclose it improperly after employment has ended. This argument sounds similar to the disloyal agency analysis employed by some courts regarding the lack of authorization for initial access.
Other courts have sought to limit application of the CFAA by interpreting exceeding authorized access narrowly to require that the specific information accessed and copied be beyond the employee’s permission, even if initial access to the computer system in general was authorized. That is, if sensitive information is downloaded and copied by an authorized employee during employment and then transferred after employment to a competitor, the CFAA will not apply if both initial access to the computer and access to the sensitive information was authorized at the time it was obtained.
When seeking to bring a claim to the CFAA, counsel should allege both alternatives, i.e., that access was both unauthorized and the former employee exceeded authorized access. Facts sufficient to avoid a motion to dismiss should be alleged, if possible, as to each alternative element. Courts have taken differing views, and the interpretation may depend on how egregious the former employee’s actions were regarding the trade secret and confidential information and what was done with it. The concepts tend to overlap and the same operative facts can be relevant to each alternative element.
Loss and Damages
Another area of ongoing development under the CFAA is the issue of damages that are recoverable. The CFAA speaks in terms of both loss and damages, and defines loss as “any reasonable cost to any victim, including the cost of responding to the offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Under the CFAA, the loss must aggregate at least $5,000 in any one year. The loss requirement has been described as jurisdictional in nature under the CFAA. That is, as an initial requirement, a claim under the CFAA requires a loss of more than $5,000 must be sustained and incurred. One of the defined types of loss is a damage assessment of the computer system. Many employers retain outside computer forensic consultants to analyze the hard drives of laptop computers as well to determine whether information has been downloaded or deleted. The cost of such forensic analysis and examination should be considered a damage assessment and will apply to the $5,000 annual loss requirement.
A plaintiff can also recover compensatory damages under the CFAA under certain circumstances. Injunctive relief is available as well. Damage is defined as “any impairment to the integrity or availability of data, a system, or information.” Some courts have interpreted the CFAA to permit recovery of compensatory damages for lost revenue only when connected to an interruption of service or damage caused to the information on the computer. Lost profits based upon the theft of trade secrets without a corresponding interruption or destruction of computer files or information, are not recoverable damages under the CFAA. As with other aspects of the CFAA, it is clear that some federal courts narrowly construe the statute in an effort to reduce the number of trade secret cases brought in federal court, at least in the absence of diversity jurisdiction. Some courts fear federalizing what traditionally has been state law misappropriation of trade secret cases. Yet, as more and more practitioners become aware of the CFAA and its potential, these issues will be decided. If a case is filed in federal court pursuant to the CFAA, an attorney must also assert the traditional state law claims such as misappropriation of trade secrets, breach of fiduciary duty, breach of contract, and potentially tortious interference with contractual relations under the federal court’s supplemental jurisdiction. Claims brought under the CFAA are not subject to the $75,000 amount in controversy requirement of diversity jurisdiction. Smaller dollar value cases can now be filed in federal court through the CFAA.
Electronically Stored Information
Some of the benefits of bringing the case in federal court are the speed at which federal courts hear cases, the familiarity of federal judges with business litigation, the individualized attention cases tend to receive, and the broad discovery permitted in federal court, including recent amendments relating to discovery of electronically stored information (ESI). Because much of the trade secret information maintained by companies is electronic, there is a direct correlation between the ability to obtain ESI in discovery and actions brought under the CFAA.
In December 2006, the Federal Rules of Civil Procedure were amended to better address the discovery of ESI. Traditionally, business information was in the form of documents. With the advent of electronic storage, email, databases, servers, intranets, back-up tapes, and related business information, new rules to provide discovery of ESI—which can be easily deleted and altered—were required. The old adage “out of sight, out of mind” applied to a party’s production of information not contained in “hard copy.” Searching through millions of electronically stored email messages and other documents can be overwhelming, and the potential for mischief is great. Moreover, the cost of retrieving, reviewing, and searching ESI can be prohibitive. The new rules have addressed many of the old rules’ deficiencies and have provided for the more efficient acquisition of ESI. Failure to comply with the new rules can result in severe sanctions against not only the client but also the lawyers, both inside and outside counsel.
The new rules have generated their own issues as well as potential unintended consequences. Typically, you must rely on the good faith of the opposing party to produce ESI. Many lawyers and clients do not trust the opposing party to conduct the thorough analysis and review of ESI necessary to determine what information is truly responsive to discovery requests in federal court cases. In the 2008 case Qualcomm, Inc. v. Broadcom Corp., the court stated that “[f]or the current ‘good faith’ discovery system to function in the electronic age, attorneys and their clients must work together to ensure that both understand how and where electronic documents, records, and emails are maintained and to determine how best to locate, review, and produce responsive documents. Attorneys must take responsibility for ensuring that their clients conduct a comprehensive and appropriate document search.” Many parties refuse to incur the substantial costs to retrieve, review, and search ESI requested by the other side, especially if the request is perceived—as it always is—as a “fishing expedition.” The amendments relating to ESI have spawned a cottage industry of litigation.
The discovery rules require that a party produce only ESI that is “reasonably accessible” in response to a request for production of documents. But of course, one person’s readily accessible ESI is another person’s “unreasonable and burdensome” request. Under the discovery rules, a party is not required to produce ESI that is not reasonably accessible because of the undue burden or cost. Frequently, such disputes surround the searching of back-up tapes and old computer systems no longer in use, but which still contain information relevant to a case.
Under Rule 26(b)(2), a party is required to identify the available sources of ESI that have not been searched or produced because of undue hardship, cost, or burden. A party refusing to produce ESI because of cost or burden has the burden of proof on the issue. Once raised, a court may impose reasonable conditions upon the producing party or shift the cost of retrieving and copying the information. The courts initially will consider whether the ESI is relevant or likely to lead to the discovery of admissible evidence. The courts will then determine whether production is burdensome, which turns primarily on whether the ESI is kept in an “accessible” or “inaccessible” format.
The courts now employ a seven-part test, first established in the 2003 Zublake v UBS Warburg line of cases out of New York Federal Court, to determine whether the cost of production should be shifted to the requesting party: (1) the extent to which the request is specifically tailored to discover relevant information; (2) the availability of such information from other sources; (3) the total cost of production, compared to the amount in controversy; (4) the total cost of production compared to the resources available to each party; (5) the relative ability of each party to control the costs and its incentive to do so; (6) the importance of the issues at stake in the litigation; and (7) the relative benefits to the parties of obtaining the information. If a court finds ESI relevant but burdensome or expensive to produce, it may condition production upon the requesting party paying for the cost of retrieving and copying the requested information.
Sampling, Testing, and Imaging
One of the little noticed changes to the federal rules now permits not only the copying and inspection of documents and ESI, but also the “sampling” and “testing” of ESI. That is, under the amendments, an attorney can ask the court to permit a testing or sampling of the computer systems from which ESI is extracted. This little-discussed expansion of the rules implicates serious issues of confidentiality and privacy. For example, if there is doubt as to whether all ESI is properly being produced out of a party’s computer system, the court may be asked to permit the inspection, testing, and sampling of the system itself to ensure a proper review and production.
Forensic computer experts have the ability to make what is called an “image” of any computer’s hard drive. Making an image of a computer’s hard drive is like taking a picture of all of the information contained on the computer at the time the image is taken. Once the image is taken, an exact copy of the computer hard drive and all of the information contained on it has been created for analysis and review. Taking an image of a computer’s hard drive may only take a few hours, depending on the size of the computer. The cost of taking an image can be as low as a few thousand dollars, depending on the size of the hard drive and the time it will take to perform the work. The implications of an opposing party’s computer forensic expert obtaining an exact copy of the hard drive of a client’s entire computer system are frightening. However, under the new rules, in certain circumstances federal courts are permitting parties to take and obtain images of an adversary’s computer hard drive so as to avoid issues regarding whether ESI is actually being produced or properly searched. However, most computers contain significant amounts of information having nothing to do with the lawsuit under which they are sought. The rules specifically state in the comments that such sampling and testing should not be a routine right of direct access to a party’s computer system.
The potential weapon of direct access to a computer is even more significant in the context of employee theft of trade secrets. Frequently, the former employee has surreptitiously copied and/or transferred ESI from the employer’s computer system to a personal laptop or more likely a home desktop computer used by the entire family. The need to obtain an image of the employee’s personal laptop or desktop computer is critical to determine whether trade secrets have been taken. In the cyber world, deleting information from a computer does not wipe the information off the computer. It merely moves it to other files or onto what is called unallocated space that can be retrieved and recreated. More importantly, taking a computer image is critical to determine whether the former employee has further transferred the trade secrets—perhaps even to a new employer or downloaded onto a memory stick or external storage device. The taking of an image is the only definitive way to determine what has been transferred and copied. To simply rely on the word of a disloyal former employee that he or she has reviewed their home computer and it does not contain any trade secrets is not realistic.
Many parties to a trade secret case do not appreciate the intrusion that the taking of an image of a person’s home computer or personal laptop may cause. Frequently, the home computer contains personal and family financial information, as well as vacation photographs, children’s homework, and even family recipes. This is certainly not the type of information that you expect will ever be exposed to a former employer’s lawyers or that has any real relevance to a lawsuit over trade secrets—only the potential for embarrassment. An image captures everything on the computer. It is a powerful and potentially disruptive tool. However, the courts are regularly approving the taking of computer images as part of discovery in many trade secret cases in federal court.
If a company discovers that a former employee has transferred trade secrets to a competitor or third party, the competitor may be subject to having its computer system imaged to determine whether the competitor has received, used or disclosed trade secrets. The prospect of having an entire company’s computer system ordered to be made available for imaging to the lawyers and computer forensic experts for a competitor is not unheard of, even if the company is not a party to the lawsuit. The new rules involving ESI and subpoenas provide for the potential seizure and imaging of business, personal, and even home computers. The courts are sensitive to the issues of confidentiality of personal and competitive business information. A traditional confidentiality agreement or stipulation between the parties is insufficient to satisfy the concerns of the producing party or person.
If the demand to allow the taking of computer images of business or personal computers arises, responding attorneys should consider a request for an independent or court appointed expert to take the image and to review the hard drive only for limited and relevant information. Pursuant to Federal Rule of Evidence 706, the court may on its own motion, or on the motion of a party, appoint an expert for purposes of a case. If confidential, proprietary, and trade secret information has been improperly obtained, used, or disclosed, it will be discovered. A court-appointed expert can sift through relevant personal or competitive business information, and determine information that may be responsive to a document request. This will avoid disclosing competitive, confidential, personal, and irrelevant information in a lawsuit. It also will not place custody of a company’s computer system in the hands of the attorneys for a competitor and their paid experts.
The new electronic discovery rules are spawning new disputes over the scope and procedure for the taking and analysis of an image, whether involving business or personal computers. The courts are in the process of attempting to balance the right to obtain ESI against legitimate privacy and confidentiality concerns. New procedures for protecting such information are being developed, such as court-appointed experts to review computer images to ensure that only relevant information is disclosed and privacy is protected. Courts are receptive to suggestions by counsel.
Take Action for Protection
When a company learns that one of its trusted employees with access to sensitive and proprietary business information is leaving to join one of its direct competitors, immediate action is critical. As soon as a company learns of the impending departure, the employee must be cut off from access to all computer business systems, including internet access and email. This will end authorized access to the company’s computer systems. If there is a notice of termination policy, it should be enforced. Companies should continue to pay the employee during the notice period and remind the employee that he or she is still technically employed, precluded from taking any action detrimental to the company, and precluded from joining the competitor until the end of the notice period. This period of time provides breathing room to investigate and determine whether there is a cause for concern. Typically, such notice periods extend from two weeks to 30 days.
An immediate review of all email sent or received by the employee for the past six months must be conducted. The employee’s company-owned laptop computer must be retrieved immediately and reviewed. Particular attention should be paid to email sent to the employee’s home computer or personal email account. Often, even companies with a sophisticated IT department are unable to detect improper copying of information or downloading without the use of sophisticated forensic computer software. If anything unusual has been detected, an outside computer forensic expert should be engaged to conduct a thorough analysis. Every time a computer is accessed, the data is changed. Computer forensic experts have the ability to locate deleted information, detect and specify when and how files were copied or transferred. Involving counsel at the earliest opportunity will assist in protecting valuable trade secret, proprietary, and confidential information. It will also serve to posture any subsequent lawsuit in a manner to maximize the likelihood of success.
If you are hiring a new employee, you should obtain confirmation that the new employee is not subject to any restrictive covenants or other agreement that would preclude the anticipated employment. Best practices include confirmation that the new employee does not have any confidential or trade secret information from the former employer. Frequently, employment agreements with new employers contain these types of representations regarding confidential or proprietary information of former employers. Many companies have codes of ethics that specifically state that it is against company policy to seek or obtain trade secret or confidential information from a former employee of a competitor. All of these policies and practices will decrease the possibility of litigation. Employment agreements should contain specific provisions regarding confidential information and the return of documents, information, and company property at the end of employment.
Easily accessed and transferred electronic business information, newly developing federal statutory claims such as the CFAA, and broad rules regarding electronic discovery are ushering in a new era of federal court litigation involving theft of trade secrets, an area traditionally reserved to state courts and state law claims. Like technological advancements, staying on top of these litigation trends is an integral part of protecting any company’s intellectual property and investment in knowledge.