Business Owners & the New Federal Claim for Trade Secret Misappropriation

On May 11, 2016, President Obama signed into law the Defend Trade Secrets Act of 2016, S. 1890, 114th Cong. (2d Sess. 2016) (“DTSA”), which provides for the first time a federal private right of action to litigants for trade secrets violations. Most states – except for Massachusetts and New York – have enacted versions of the Uniform Trade Secrets Act (“UTSA”) but the DTSA provides additional remedies without preempting state laws or eliminating any of the protections offered by them. Business owners will need to take some actions in the short term in order to take advantage of some of the more powerful remedies created by the DTSA.

A Summary of the New Law:

The DTSA is a substantial revision to the Economic Espionage Act (18 U.S.C. §§ 1831-1839 and 18 U.S.C. § 1961), which previously only provided criminal penalties and was only enforceable by federal prosecutors. An individual trade secret owner’s right to sue for trade secret misappropriation related to a product or service used (or intended for use) in interstate commerce in federal court is, therefore, new. So are many of the remedies available to trade secret owners. Below is a summary of key provisions:

  1. Who Can Sue?

    Owners of trade secrets may file an action against those who “misappropriate” their trade secrets, provided that the trade secrets relate to products or services that are used in (or are intended for use in) interstate or foreign commerce. This means that trade secrets associated with products or services that only travel within a single state could not be enforced under this Act.

  2. What is “Misappropriation”?

    “Misappropriation” includes either (1) acquisition of a trade secret by someone who knew or should have known that the secret was obtained by “improper means” or (2) disclosure of such a secret by one who did not have express or implied consent to do so and knew or should have known that it was a secret or acquired by “improper means”.

  3. What Counts as “Improper Means”?

    “Improper means” includes theft, bribery, misappropriation, breach or inducement of breach of a duty to maintain secrecy or espionage through electronic or other means. More importantly, however, “improper means” expressly does not include reverse engineering, independent derivation or any other lawful means of acquisition.

  4. Available Remedies.

    Potential remedies include: (A) injunctions to prevent the actual or threatened misappropriation, (B) monetary damages for actual loss and for unjust enrichment, and, (C) if all other remedies are insufficient to make the trade secret owner whole, then the owner can recover a reasonable royalty. A reasonable royalty is not the preferred remedy, but instead should be a remedy of last resort. (See Senate Rep. 114-220 (Mar. 7, 2016) and House Rep. 114-529 (Apr. 26, 2016)).

  5. Enhanced Damages for Willful Misconduct.

    If a trade secret owner can prove that the trade secret thief misappropriated the trade secret “willfully and maliciously”, then the court may award exemplary damages (not more than two times the monetary damages awarded); and award attorney fees to the prevailing party. Such an award is within the sound discretion of the district court.

  6. Narrow Ex Parte Seizure Order.

    A trade secret owner’s ability to obtain an ex parte seizure order (which allows law enforcement officers to seize allegedly misappropriated trade secrets from a specific target without providing advance notice to the target or permitting the target to be heard in opposition to an order prior to its issuance) is new under this law.

    Seizure is an extremely powerful tool, but has several potent limitations: (a) it is only available if the trade secret owner can demonstrate that a regular Rule 65 injunction would not be effective against this target because the target “would evade, avoid or otherwise not comply” with an injunction order, or “would destroy, move, hide or otherwise make such a matter inaccessible to the court”; (b) a seizure order will not be issued if the trade secret owner has publicized in any way that it is pursuing seizure; (c) the trade secret owner may not participate in the seizure (instead, this is handled by appropriate law enforcement personnel); (d) the trade secret owner does not receive the alleged trade secrets once they are seized from the target (instead, these are held in the custody of the court); (e) the trade secret owner must provide security (i.e., post a bond with the court) against the possibility of unlawful seizure; and (f) any seizure MUST minimize any interruption in the lawful business operations of the target.

  7. Sanctions for Bad Faith Claims or Wrongful Seizure.

    If the target proves by circumstantial evidence that the claim of misappropriation was made in bad faith, the court may award attorney’s fees to the target as a prevailing party.

    Further, if a trade secret owner wrongfully seizes materials that are later determined not to have been misappropriated, or if the owner sought an excessive seizure, the target may be entitled to the following: (1) “relief as may be appropriate” (which includes damages for lost profits, cost of materials, loss of good will and punitive damages); (2) reasonable attorney’s fee unless the court finds extenuating circumstances; and (3) prejudgment interest on any recovery (beginning on the date the trade secret owner applied for the seizure order). In this case, the bond posted by the trade secret owner shall not constitute a cap on the available recovery.

  8. Federal Jurisdiction

    Trade secret owners are permitted to bring DTSA claims in federal district court, but they are not required to. Federal courts have original, but not exclusive, jurisdiction over these claims.

  9. Statute of Limitations

    Trade secret owners have three (3) years after the misappropriation was discovered (or through exercise of reasonable diligence should have been discovered) to commence a civil action asserting a claim of misappropriation under the DTSA.

    However, continuing misappropriation is considered a single act – not individual acts of misappropriation that could re-start the clock for purposes of the statute of limitations.

  10. Limitations on Claims against Employees (a.k.a. Employee Immunities)

    Employers can only obtain enhanced damages and attorneys’ fees from any employee who discloses its trade secrets IF the employer notified the employee in advance (either through an agreement or in certain employment policies if appropriately cross-referenced) of his/her immunity for liability under certain whistleblowing circumstances. “Employees” for these purposes include contractors and consultants.

  11. Effective Date

    This Act applies immediately to any misappropriation for which any action happens on or after the date of enactment (May 11, 2016).

What Should Business Owners Do Now?

First and foremost – employers should revise their form agreements to be used with any employee, contractor or consultant who will have access to the employer’s confidential information to provide the requisite notice of whistleblower rights. Without this notice, an employer cannot seek exemplary damages (up to twice the amount of actual damages awarded) or attorney’s fees if it proves the misappropriation was willful or malicious.

Second, trade secret owners need to take stock and identify clearly what their trade secrets are. In particular, if a trade secret owner pursues an ex parte seizure order against a competitor or an ex-employee’s new employer, the trade secret owner will have to articulate with some clarity what the trade secrets are that are alleged to have been misappropriated. This identification is intended to help the law enforcement officers charged with executing the seizure order know what to take, but also allows a trade secret owner to position itself better to avoid an allegation of wrongful seizure or a bad faith claim of misappropriation as the litigation develops. This identification will also aid businesses overall by necessitating the creation of tighter controls over those assets that are truly trade secrets to keep them from being unlawfully disseminated.

Finally, if a business becomes the target of an ex parte seizure order, know that a hearing must occur no later than seven (7) days after the seizure order was issued. Be prepared to argue that other injunction options may have been reasonably available to support the argument that a wrongful seizure occurred, entitling the target to damages. Even if the business only receives a threat of an ex parte seizure, consider whether the exceptional circumstances justifying an ex parte seizure were actually present in your case. Take any such threats seriously, and contact your attorney immediately if you receive a demand letter making this claim or if a seizure order is executed against you — because your time to respond in either case will be very short.

Copyright © 2016, Christina D. Frangiosa. All rights reserved.

Five Simple Things Businesses Can Do to Better Secure Their Data

News of data security breaches at one company or another has become so common that perhaps we are becoming immune to the significant impact these breaches can have on those whose information is affected. Not only can identity theft destroy an affected individual’s credit and limit his/her future buying choices, but also it is becoming clear that, philosophically, perhaps our private data really aren’t private anymore. Think of how easy it is to search public records online and find out personal details about a person well beyond what the phone book would have listed in days past. It is harder and harder to keep secrets when the Internet is involved.

Notwithstanding such developing immunity to the shock of a data breach at any particular company, data breaches are very serious events for a company – of any size. In the aftermath, it is not unusual to hear business executives announce that they “never want to go through that again.”

So, what can you do to minimize your company’s risk for data breach? Here are my top five recommendations:

  1. Hire the right people. Whether you rely on internal IT support staff or if you outsource to a third-party vendor, make sure you have the right resources in place to accomplish your goals. Discuss your expectations (particularly about data security) with these personnel at the beginning of the relationship and set realistic goals for achieving a secure system.
  2. Conduct the necessary due diligence. Before you hire that new IT security director internally or engage that new third-party vendor, be sure that they actually have the skills in place to accomplish the levels of data security you envision. Interview your candidates (whether individual or vendor) to determine that their services match your needs. Make sure you know what services you are signing up for. If you want a company to be actively testing your network for potential weaknesses, make sure that such services are covered by the fees you are paying; typically, they are more expensive than services that simply patch your existing software with newly-released security updates from the manufacturer.
  3. Pay Attention to Suspicious Conditions. Watch for signs that someone else may be making changes to your network. (For instance, user names and passwords suddenly not working, the appearance of new administrator accounts, system unavailability particularly for remote access, significant slowdown of processing speed during periods of regular use, etc.). Just like we are all being warned in public transportation venues that “if you see something, say something”, if you suspect that your data may not be secure, do not ignore that suspicion. Involve your IT personnel and be sure that you are effectively maintaining the security of your network.
  4. Update all Software as Recommended by the Manufacturer. Security patches are rolled out all the time, particularly after the manufacturer learns of potential weaknesses in security. If you keep your software updated with these patches as part of your regular routine, you decrease your risk of exposure. Same with anti-virus and anti-malware software: they are only as secure as that last update that was applied. Keep the virus and malware definitions up to date to reduce your risk of intrusion by known entities.
  5. Only Collect Information that You Absolutely Need. If you do not need access to customers’ credit card numbers, don’t ask for it. And, if you do need access, do not retain it any longer than necessary to complete the transaction. In particular, where credit card numbers are concerned, there are other regulations, standards and guidelines about what you can keep and for how long. See Payment Card Information Data Security Standards (“PCI DSS”) for more details. With respect to the data you decide to keep, maintain your sensitive data in encrypted form as much as you can to reduce the risk of third-party access. Once you decide not to maintain certain sensitive information any longer, be sure that you comply with federal, state and local laws governing the safe destruction of documents or electronic data that embody personally identifiable information (“PII”) or competitively sensitive data, such as trade secrets.

In general, businesses who are proactive about putting in place and maintaining effective data security protocols have a much better chance of avoiding the exposure that results from a data breach. Of course, there’s no guarantee that you might not be targeted by a malicious and very determined third party, but consider a thief’s potential options: (1) hack that network that is protected by multi-layer and multi-factor data security; or (2) walk through that open door provided by another company who is not managing their IT security effectively. If you were the thief presented with these options, wouldn’t you take the path that presents the least resistance? Don’t be the “open door.”

Mobile Device Security Policies for Employers – Small and Large

As a business owner, perhaps you have seen articles about setting ground rules for BYOD (a.k.a. employees bringing their own devices to work to use for work purposes). Placing restrictions on access to Company information, however, should not be limited only to those BYOD devices. Instead, if the Company issues Company-owned devices to employees for use on Company systems, similar ground rules should be put in place to set expectations and provide the backdrop for any disciplinary action that may be needed later if an employee misuses Company information or loses an unsecured device.

Here are some questions to keep in mind as you develop policies for Company-owned devices issued to employees:

  1. Do you have an “Acceptable Use” policy in place? Does it apply to both Company-owned and BYOD devices?
  2. Do you restrict the employee’s use of Company-owned devices? (E.g., to be used for business purposes only, avoid storing personal information on the device, all information on the device shall be considered “owned” by the Company)
  3. Have you retained the right to take back any equipment that an employee does not use properly? Similarly, do you ensure that Company-owned devices are surrendered upon termination?
  4. Do you require strong passwords to secure all portable devices (both BYOD and Company-owned)? (You should. See, e.g., Eric Griffith, “How to Create Strong Passwords,” PC Magazine, Nov. 29, 2011, for some good tips.). Once you require passwords, remind your employees not to tape them to the front of their devices – instead, suggest alternate ways of remembering the unique passwords they just created.
  5. What about using portable devices on public or unsecured networks? (For instance, at the coffee shop while waiting for that triple-shot latte.) Have you provided guidelines and training to your employees to avoid disclosing Company-sensitive information across such public networks? This is especially important if the information is mission critical or could destroy the Company’s tactical advantage if its competitor were to access it.
  6. Do you require employees to report immediately the theft or loss of a Company-owned device? Prompt reporting allows the Company to block potentially damaging intrusion attempts or to change the affected employee’s passwords to prevent unauthorized access. The Company’s hands will be tied if the employee does not report the loss until several days later.
  7. Do you provide rules about whether Company documents can be downloaded to external devices and under what circumstances? Consider mobile device management software to control the downloading of Company information to the device, to track the location of Company-owned devices and to enable remote wiping if the device is lost or stolen.
  8. Who handles the system updates to the device? The Company? (Probably, unless it’s a BYOD device.) The employee? (Probably only if the device is personally owned by the employee.) If it’s a Company obligation, then ensure that the device is accessible to the Company when needed (i.e., “on demand”) to fulfill this requirement.
  9. Will the employees’ family members be accessing the device? (More likely if it’s the only device in the house – less likely if there are other options available to the family.) Consider restricting use of Company-owned devices to employees only.
  10. Do you prohibit the downloading of unauthorized content to the device? Whether it’s pornography, another company’s trade secrets or pirated videos streaming the latest (copyrighted) episode of a favorite show, none of these things belong on most companies’ business equipment and could expose the Company to liability from a third-party who owns the rights to the content.
  11. Do you require encryption or password-protection when transmitting particularly sensitive Company information to outsiders? If not, you should. Take every opportunity to protect the Company’s trade secrets and try to keep them from public dissemination. Having a reliable system in place increases the chances that a court would conclude that the Company’s trade secrets are deserving of such protection in the event of a breach.
    • Notably, in the 2012 Target data breach, the large, well-funded entity (Target) was not the source of the leak that allowed hackers to steal thousands of customer credit card numbers. Instead, it was the HVAC servicing company that had minimal security protocols in place and effectively acted as the front door to enable the hackers to steal the data over a surprisingly long period of time.
  12. Does the Company have record-keeping requirements (statutory, regulatory, etc.) that would apply to an employee’s use of a portable device? Are employees who work remotely required to keep Company records and maintain certain Company files? If so, consider implementing rules identifying when such record keeping should occur and provide guidelines for destroying extra copies or other pages that the employee might otherwise throw out in the trash at a remote site. (Some states have “safe destruction of documents” laws intended to reduce the likelihood of identity theft or other unauthorized access of personally-identifiable information.)

A few closing thoughts – take every precaution to keep Company data secure. Always require the installation and use of anti-malware/anti-virus and other security tools to limit a potential thief’s ability to misuse the Company’s data or to leave code behind that continues to collect the data even after the potential thief has appeared to withdraw.

The more conscientious you are about keeping Company data secure, the more likely you are to avoid severe consequences (or at least reduce them) in the event of a data breach – whether the breach is caused by the concerted efforts of outsiders or by wrongful conduct of your own employees or by unintentional mishaps (such as the employee leaving the device in the back of a cab during a hectic business trip). Watching the doors is always worthwhile.

Common Questions – What’s Involved in Registering a US Trademark?

So, you’ve decided to launch a brand name in the U.S. and are contemplating registering it in the U.S. Patent & Trademark Office (“PTO”). What can you expect? Not every application is the same, so there will be variations in exactly what happens in the prosecution of your application, but hopefully this will serve as a “Trademark 101 Primer” to describe the basic process overall. (Note – this post is for general information purposes only and does not provide any specific legal advice. Contact your trademark attorney to discuss any areas of specific concern.)

BASICS

What is a Trademark? It’s a word, phrase, symbol or design, or a combination of words, phrases or designs, that identifies and distinguishes the source of the goods of one party from those of others. A service mark performs the same function as a trademark, but applies to the source of a service rather than of a product. (For simplicity, this post refers to trademarks and service marks collectively as “trademarks.”)

How Valuable is a Good Trademark? The value of a good trademark lies in its ability to convey to the public the source of a particular good or service. The key is to develop a mark unique enough that customers associate it with your goods or services – and only your goods and services. While temptingly simple, choosing a mark that describes your goods and services will not create any trademark value. Customers won’t know to distinguish your goods from others in the same market.

Can Rights Develop Based on Use? Federal registration is not a requirement to protect trademarks in the U.S. – instead, rights in a particular trademark can be established simply based on use in connection with particular goods or services in the marketplace (aka “common law trademark rights”). Nevertheless, federal registration offers more comprehensive protection than reliance upon common law rights, including providing nationwide notice of the owner’s claim to the mark.

TRADEMARK APPLICATION PROCESS

Is Pre-Application Searching Required? No, it’s not required, but it’s a good idea for a variety of reasons. See my prior post on Common Questions – Benefits of Trademark Searching for more details.

Overview of the Application Process. The chart below gives a birds-eye view of each application track (Use-Based vs. Intent to Use-Based; both are described below).

[Chart: Timeline – US Trademark Application Process]

Components of the Initial Application for Registration

California Enacts Electronic Communications Privacy Act (CalECPA)

On October 8, 2015, California Governor Jerry Brown signed the California Electronic Communications Privacy Act (CalECPA) into law. This law basically prevents the government from accessing private electronic communications or electronic data without a warrant, subpoena or wiretap order, or without consent of the appropriate individual. State Senator Mark Leno explained the impetus for seeking to pass this legislation: “For what logical reason should a handwritten letter stored in a desk drawer enjoy more protection from warrantless government surveillance than an email sent to a colleague or a text message to a loved one?” Kim Zetter, “California Now Has the Nation’s Best Digital Privacy Law,” WIRED Magazine, Oct. 8, 2015.

As the Electronic Frontier Foundation summarized, “CalECPA protects Californians by requiring a warrant for digital records including emails and texts, as well as a user’s geographical location.” Dave Maass, “Victory in California! Gov. Brown signs CalECPA, Requiring Police to Get a Warrant Before Accessing Your Data,” Electronic Frontier Foundation, Oct. 8, 2015.

The law focuses on two kinds of data sets: “electronic communication information” and “electronic device information.” 2015 Cal. Stat. Ch.651.

“Electronic Communication Information” is

any information about an electronic communication or the use of an electronic communication service, including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address. Electronic communication information does not include subscriber information as defined in this chapter.

“Electronic Device Information” is

any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.

(Emphasis added.)

Under this new statute, law enforcement agencies cannot compel the “production of or access to electronic communication information or electronic device information . . . without a search warrant, wiretap order, order for electronic reader records or a subpoena issued pursuant under specified conditions, except for [defined] emergency situations.” Id. (Legislative Counsel’s Digest at (1)).

Any warrant for electronic information of either kind must do the following:

(1) Provide a specific description of (“describe with particularity”) the information to be seized, including applicable time periods, the target individuals or accounts, the apps or services covered, and the types of information sought.

(2) Require that any information obtained due to the search warrant that is unrelated to the objective of the search warrant “shall be sealed and not subject to further review, use or disclosure without a court order.”

(3) Comply with other California and federal laws.

(4) Require that service providers that produce such information “verify the authenticity of the electronic information that it produces” through an affidavit that complies with Section 1561 of the California Evidence Code.

The law also requires that the government agency MUST destroy the electronic information it receives pursuant to this process within a specified period of time, in general, “as soon as feasible after the termination of the current investigation and any related investigations or proceedings.” Id. (§ 1546.1(e)(2)). In most cases, this period is within ninety (90) days after the agency receives the information.

This law only applies in California, although Maine (Subchapter 10: Portable Electronic Device Content Information in 2013) and Utah (Location Privacy for Electronic Devices in 2014) passed similar legislation. Proponents of the California law have suggested that it be used to form the basis for similar legislation in other states.