Mission Impossible?: In Today’s Digital Age, Is It Really Possible to Keep Corporate Data Safe? And What Happens When Sensitive Information Gets Into The Wrong Hands?

On February 23, 2009, Symantec Corp. and The Ponemon Institute, a leading privacy and information management research firm, announced the findings of a joint survey of almost 1,000 employees who had lost or left their jobs in 2008.

The survey revealed that 59 percent of the ex-employees admitted to stealing confidential company information, such as customer contact lists, e-mail lists, employee records, customer information and contact lists, and non-financial information. The survey also found that 53 percent of respondents downloaded information onto a CD or DVD; 42 percent downloaded data onto a USB drive, and 38 percent sent attachments to a personal e-mail account.*

Not so long ago, if a company suspected that important trade secrets had been compromised, the telltale signs might have been missing paper files, or perhaps a sudden, excessive and unexplained use of the copier by an employee. Those days are long gone. In the past two decades, we have seen most information, often including a company’s trade secrets, sales data or even sensitive financial records, increasingly being stored on computers.

Today, the equivalent of many thousands of pages of documents can be copied and stored on a device no bigger than your thumb. Devices such as flash drives, portable hard drives, CDs and DVDs clearly make life easier for companies and their employees, but one major downside of this new portability of data is that the risk of confidential or sensitive corporate information finding its way into the wrong hands substantially increases — a fact substantiated by the Symantec survey, which also showed that 79 percent of respondents took data without an employer’s permission.

That so many employees take confidential corporate information with them when they leave is clearly a worrisome statistic, but perhaps even more concerning is the fact that 82 percent of the survey respondents said their former employers did not perform an audit or review of paper or electronic documents before the employees left their jobs, while 24 percent said they still had access to their employer’s computer system or network after their departure from the company.

With this in mind, it is vital that companies remain up-to-date with best practices in safeguarding information, and keep abreast of the legal landscape for the protection of their assets.

Corporate assets, such as patents, trademarks and copyrights, are protected by federal law. Claims arising under these laws can be brought in the federal courts. Trade secret law, however, falls under state law. Unless there is a federal claim or diversity of citizenship between the plaintiff and the defendant, a claim of misappropriation of trade secrets must be brought in the state courts.

SECRETS AND MISAPPROPRIATION

The Uniform Trade Secrets Act (UTSA) was approved in 1979 by the National Conference of Commissioners on Uniform State Laws. Almost all states have adopted versions of the UTSA. In keeping with the UTSA, state laws generally define a trade secret as information, including a formula, pattern, compilation, program, and confidential commercial information such as financial data and customer lists, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

“Misappropriation” is the wrongful acquisition, disclosure or use of a trade secret when the trade secret (i) has been acquired improperly, such as by theft; or (ii) if acquired properly — for example, during employment — was acquired under an obligation not to disclose or use it. Misappropriation also exists when one has obtained the trade secret from someone who had an obligation not to disclose it, such as when a former employee takes it to a new job. The UTSA imposes civil liability for misappropriation of trade secrets and creates a private cause of action for the victim. Remedies include injunctions, damages and, in cases of bad faith or willful and malicious misappropriation, reasonable attorneys’ fees.

THE COMPUTER FRAUD AND ABUSE ACT

Given a choice, most litigants would rather be in federal court than state court. Federal judges are appointed for life and cases are governed by the Federal Rules of Civil Procedure, whose time constraints generally enable cases to progress in a more orderly fashion.

In recent years, litigants have found a way to enforce their trade secret rights in the federal courts, rather than the state courts, by pairing their state law claims of misappropriation of trade secrets with a federal claim alleging violation of the Computer Fraud and Abuse Act (CFAA).

The CFAA is not a new law. In 1984, Congress enacted the CFAA to combat the problem of hackers and primarily to protect the integrity of financial-institution and government computers. The law has been amended several times since its passage and, since 1994, the CFAA has provided a private right of action for the violation of certain of its provisions. For the CFAA to apply, there must be access to a “protected computer” that causes “damage,” and “loss . . . aggregating at least $5,000 in value” and the access has to have “exceeded authorized access.”

Meeting the element of having a “protected computer” has not been problematic in the case law. A protected computer is one that is “used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” “Damage” and “loss” are narrowly defined and limit the plaintiff from pleading consequential damages or, importantly, the value of any information that was copied or stolen. The “loss” to meet the statute’s requirement is the cost of fixing the data breach.

The element of the CFAA that is most problematic, and is causing a split of authority in the courts, is the concept of “authorization,” a term that is not defined in the statute. On the question of authorization, three distinct lines of cases have emerged:

(1) Broad interpretation: actions taken by an employee that are contrary to the interests of his employer are without authorization. For example, an employee who e-mails sensitive company data to a personal e‑mail account in anticipation of resigning and working for a competitor will be found liable under this interpretation of the CFAA, even if the employee had permission to access such data as part of his regular job duties.

(2) Narrow interpretation: an employee’s access to his employer’s computer systems becomes unauthorized only if the employee bypasses security measures. Under this interpretation, an employee can be found liable only if he circumvented security measures, such as by stealing a co-worker’s password, in order to gain access to the company’s trade secrets.

(3) Middle ground: here, the focus is on the employee’s intent at the time he or she accessed the computer and whether the employee violated a nondisclosure or other legal obligation. Courts adopting this standard have often looked to employee handbooks or employment agreements to determine the boundaries of authorized access and the employee’s subsequent use of the company’s trade secrets. Employees who have violated explicit contractual terms or company policies have been found liable under the CFAA.

*SOURCE: symantec.com/about/news/release/article.jsp?prid=20090223_01chtml?c=89422&p=roil-newsArticle&ID=1258795
