On Thursday, LinkedIn announced that over 6.5 million of its members' passwords were taken and posted on a Russian hacker's site. If you were one of the 6.5 million (I was apparently one, according to the sites LeakedIn and Lastpass), you should know that ComputerWorld is reporting that more than 60% of the unique hashed passwords that were accessed and posted online this week have already been cracked, according to security firm Sophos. They have also been posted online for other hackers to exploit.
What happened?
LinkedIn’s user credentials were apparently compromised because it stored log-in information on its main Web servers instead of isolating those files on separate, secure machines whose only function would have been to verify log-in details. As ComputerWorld's report on the LinkedIn attack explains, there are multiple steps for hackers seeking to snatch and reveal users’ passwords. First, they must gain access to the passwords on a company’s computers. Once a hacker has gained access, he or she must overcome the next obstacle -- encryption, as most companies encrypt their passwords using protocols designed to protect users’ passwords from hackers’ incursions.
That said, programs designed to defeat these protocols are ubiquitous. Once a hacker has his or her hands on the encrypted password bank, he or she merely uses the encryption-breaking program to reveal the plain text of the passwords.
In order to defend against hackers and the encryption-defeating programs, organizations have developed a process known as “salting,” which strengthens the passwords before they are encrypted (by adding characters, for example), thus effectively creating a second layer of protection. It is at this stage that LinkedIn’s security methods are being criticized for being lax; rather than “salt” their passwords, LinkedIn apparently relied on a well-known encryption protocol that offered little resistance once the hackers had gained access to the passwords.
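As an added illustration of why salting matters (example code written for this post's editorial pass, not from the original post or from LinkedIn), the block below contrasts two ways of storing a password: an unsalted digest of the bare password with a fast hash (assumed here as a stand-in for the "well-known protocol" the post refers to) and a per-user random salt combined with a slow key-derivation function (PBKDF2 from Python's standard library). With the unsalted scheme, every user who picked the same password gets the same stored value, so a single precomputed table of common passwords recovers all of them at once; with salting, each stored value is unique and the table is useless. The user names, passwords and the short "common passwords" list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who chose the same weak password.
SAMPLE_USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}

# Constructed stand-in for a list of common passwords that could be hashed
# ahead of time; real lists run to millions of entries.
COMMON_PASSWORDS = ["password", "123456", "linkedin2012", "qwerty"]

PBKDF2_ROUNDS = 200_000  # cost factor; raise it as hardware gets faster


def unsalted_digest(password: str) -> str:
    """The weak scheme: one fast hash of the bare password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = b"") -> str:
    """The hardened scheme: a 16-byte random salt per user plus PBKDF2-HMAC-SHA256.
    The salt and round count are stored alongside the derived key."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${derived.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = record.split("$")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(derived.hex(), digest_hex)


def lookup_table_matches(stored: dict) -> dict:
    """Defender's audit: which stored unsalted digests fall to one precomputed
    table of common passwords? Returns {username: password} for every hit."""
    table = {unsalted_digest(p): p for p in COMMON_PASSWORDS}
    return {user: table[d] for user, d in stored.items() if d in table}


def demo() -> dict:
    """Run both schemes over the sample users and report what each reveals."""
    weak = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    return {
        "same_password_same_weak_digest": weak["alice"] == weak["bob"],
        "same_password_different_salted_record": strong["alice"] != strong["bob"],
        "weak_hits": lookup_table_matches(weak),
        "salted_verifies": verify_salted("linkedin2012", strong["alice"]),
        "salted_rejects_wrong": verify_salted("linkedin2013", strong["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the salted records cannot be matched against a precomputed table at all; an attacker would have to redo the slow derivation separately for every user and every guess.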
This leak is not the first time that LinkedIn has been criticized for this kind of laxity. According to The Daily Mail, the LinkedIn mobile application was sending calendar entries, including phone numbers and passwords (when contained in the entry), to the LinkedIn servers without encrypting the data.
Not surprisingly, criticism of LinkedIn continues to come from all quarters. For example, as a sign that LinkedIn does not take these security issues seriously enough, LinkedIn has been criticized because it does not have a C-level executive in charge of information or information security (it does have a Senior Vice-President, Operations).
Unfortunately, the perceived problem of weak corporate protection of users’ passwords is not unique to LinkedIn. According to the UK's International Business Times, the problem is endemic, particularly in softer targets like social networks. Throw in the rise of spearphishing and whaling (i.e., targeted cyberattacks that use social media and other publicly available information to deceive unwary users) and you have the proverbial witch's brew over the Internet.
What Should You Do?
If you are one of the 6.5 million:
1. Change your LinkedIn password immediately.
2. Change all of your other passwords. Yes, I know it is a hassle, but I began doing it after learning that my password was leaked. In fact, if you have used your LinkedIn password or a simple variation of that password for other accounts or sites, you can bet that someone has or will try to access that account using that password.
What Can You Do to Protect Yourself and Your Company?
Even if your password was not breached, the LinkedIn incident serves as an important reminder of password protection. Here are some basic steps that we all should be taking:
1. Change your passwords every three months. Make it part of your quarterly routine.
2. Don't use the same password for sensitive accounts, for the reasons noted above.
3. Don't use dictionary words as passwords, and avoid simplicity. Avoid favorite sports teams, pet names and other information that might be easily gleaned from social media. Slate has a nice article detailing techniques for coming up with hard-to-crack phrases and ideas for passwords.
4. Choose your security questions wisely. As I noted last fall, cyberthieves are willing to spend the time trolling through your social media pages and if you have revealed information (anniversary dates, high school mascot, etc.), the answers to typical security questions can be provided through this publicly-available information.
5. Store your passwords safely, preferably through a password manager. With all this password activity, it will be tough to keep track of all of your ever-changing passwords, so you should consider using a password manager, which is password-protected software that enables you to store all your usernames and passwords in a single place. The New York Times Bits Blog article on the LinkedIn attack identifies a number of password managers that work across platforms, including Splash Data, which offers password-management software for Windows, Macs and mobile devices, and Agile Bits with its 1Password software. Also, see Top Ten Reviews which has reviews of password managers for PCs.
6. For employers, encourage your employees to follow these guidelines and have your IT staff force employees to change their passwords quarterly or face getting locked out.
A special thanks to my colleague Michael Shoenfelt, who helped me assemble this information quickly for this post.
Tags: LinkedIn, hacking, password protection, cybersecurity
Cybersecurity | Social Media
Is a customer list still protectable as a trade secret? Two recent cases suggest that, as a practical matter, it is getting tougher to protect this category of trade secret claims, and it is a valid question as to whether it is worth attempting to protect at all.
About 10 days ago, I wrote about the Eagle v. Morgan case in the Eastern District of Pennsylvania that addressed the ownership of a LinkedIn account. Given the buzz over who owns what in a social media account, this case has generated a tremendous amount of commentary within the blogosphere and merited coverage by the Wall Street Journal.
The employer in that case, Edcomm, initially claimed that the LinkedIn contacts qualified as trade secrets, but later ceded that position during the course of a motion to dismiss. That was probably a prudent move, given what happened to the employer in Sasqua Group, Inc. v. Courtney, 2010 U.S. Dist. LEXIS 93442 (E.D.N.Y. Aug. 2, 2010), who made a similar claim and lost. In that case, the Eastern District of New York found that the customer list and information at issue did not qualify as a trade secret because it could be found on LinkedIn and other sites on the Internet, and as a result, was readily ascertainable. (For a more detailed analysis of this case, see my post from last year). In short, contact information displayed on LinkedIn probably won't qualify as a trade secret.
Another case out of the Tenth District Court of Appeals in Ohio reinforces the challenge in protecting customer lists as trade secrets, although from a more conventional approach. In Columbus Bookkeeping & Business Services, Inc. v. Ohio State Bookkeeping, Case No. 11AP-227 (Dec. 30 2011), the Tenth District reversed a preliminary injunction issued against several former employees who were alleged to have misappropriated the customer list in question. (A copy of the opinion is attached below).
The Tenth District was unimpressed with the customer list at issue. It emphasized that "the evidence does not indicate that the client list consists of any information but the names of the entities that do business with plaintiff and perhaps a billing address" and that "[n]othing in the evidence suggests that any sensitive information, otherwise unavailable to the public, is included in the list." Reading between the lines, I suspect that the Tenth District was troubled by the absence of non-competes or other agreements and what it perceived to be an end-run effort to create them through a relatively weak trade secret claim. (For fellow trade secret geeks here in Ohio, this opinion reminds me of Hydrofarm, Inc. v. Orendorf, 180 Ohio App.3d 339 (10th Dist., Dec. 23, 2008), another Tenth District opinion troubled by the absence of a non-compete and rejecting an inevitable disclosure claim).
The future of customer lists remains a topic of debate within the trade secret community. For those active in LinkedIn, I would encourage you to join the Trade Secret Protection Group, where Dylan Wiseman, a trade secret lawyer with Littler Mendelson in California, has forcefully argued that protection of the customer list in California remains viable particularly because California's version of the Uniform Trade Secret Act (UTSA) does not have the "readily ascertainable" limitation.
I remain a skeptic. In my experience, customer lists are among the more challenging trade secrets to protect. There is the invariable argument likening them to phonebooks and they may appear, at times, to be thinly-disguised efforts to impose non-solicitation agreements when none exist. In the era of LinkedIn and the Internet, protecting customer lists will only be more difficult and good luck to the claimant that rushes into court with that as its only trade secret.
Columbus Bookkeeping v. Ohio State Bookkeeping.pdf (105.14 kb)
Tags: trade secrets, customer lists, Eagle v. Morgan, LinkedIn, Columbus Bookkeeping, Ohio State Bookkeeping, client list, Uniform Trade Secrets Act, UTSA, readily ascertainable
General | Intellectual Property | IP Litigation | New York | Ohio | Trade Secrets
Many of us are still trying to get our minds around the transformative effect of social media sites on the workplace, on litigation and, for purposes of this post, the trade secret practice area.
Social media's impact has been both practical and substantive. On the practical side, when a non-compete case comes through the door, one of the first things that I do is check to see if the potential defendant has a LinkedIn profile for background information. More often than not, my client has already scoped that profile out because the client remains "connected" to the former employee and can monitor, to some extent, the employee's contacts and connections. The Virginia Non-Compete Blog, whose clients are generally employees on the receiving end of non-compete disputes, has likened this curiosity to a form of "cyber-stalking," effectively using the analogy of a break-up and resulting matrimonial dispute to illustrate that point (it's a great example, as Facebook and other social media have become an evidentiary boon to the matrimonial bar). As a result, it counsels its clients to take a hiatus from social media sites to avoid potential disagreements during this period of high tension, which is good advice.
Substantively, LinkedIn continues to be a topic of discussion in the trade secret community. I wrote a post last month on the Sasqua Group decision out of the Eastern District of New York and its potential impact on the protection of customer lists. Another issue recently raised in the context of LinkedIn is who truly owns the connections information that is listed within LinkedIn's site. A case that was closely watched last year, TEKsystems, Inc. v. Hammernik, et al. (0:10-cv-00819-PJS-SRN) (D. Minn. 2010), addressed this issue -- namely, whether a defendant's use of LinkedIn was a violation of his non-solicitation agreements.
In that case, TEKsystems accused one of the defendants of using LinkedIn to solicit TEKsystems’ contract employees and clients and identified approximately 20 TEKsystems contract employees that were solicited using LinkedIn. While that defendant admitted using LinkedIn to communicate with those individuals, he denied otherwise having communicated with them. He also argued that TEKsystems' and its employees' use of LinkedIn and Facebook for recruiting, promotional and other purposes voided any claim that any information posted on those sites was a trade secret or confidential.
No ruling was ever issued on the LinkedIn issues as the parties entered into a stipulated order enforcing the non-solicitation agreement and requiring the return of TEKsystems’ documents; however, the case generated tremendous interest as the first case to attempt to sort out these issues.
At the end of the day, the same fundamentals that apply to protecting trade secrets in other areas apply to the use of LinkedIn. First, to the extent that a company uses a non-solicitation or non-compete agreement, that agreement should specify that post-employment communications to customers made through an online social networking website including LinkedIn or Facebook constitute a violation of that agreement. This step will preserve the client's contractual remedy, whatever the trade secret status of the contact information.
Second, any employment or non-solicitation agreement should include a confidentiality provision that expressly defines confidential information to include client identities and contact information and that it is the property of the employer. That provision should unambiguously state that confidential information may not be used or disclosed for any purpose other than on behalf of the employer, including through the use of social media, and again, identifying LinkedIn.
Finally, employers should develop, disseminate, and, if necessary, train employees on company policies addressing the use of social media. Through these policies, employers should make sure that their employees understand which information is considered confidential and what information constitutes a trade secret. This will require companies to be vigilant about their employees’ use of social media and to monitor that use from time to time to ensure that employees are complying with their written agreements and the company’s policies. Many companies have already created social media officers who are responsible for ensuring the creation and implementation of these social media policies. In the absence of follow-through to ensure compliance, a court may deem that failure as proof that trade secrets do not exist or are not sufficiently important to warrant protection.
Tags: LinkedIn, Facebook, trade secret, trade secrets, non-solicitation, TEKsystems, Sasqua, social media, non-compete
General | Intellectual Property | IP Litigation | Non-Compete Enforceability | Non-Disclosure Agreements | Non-Solicitation Agreements | Restrictive Covenants | Social Media | Trade Secrets
The phenomenon of social media and its near-exponential growth has generated tremendous dialogue within the IP community about its impact. Facebook now has more than 640 million members, Twitter now has over 175 million users, and LinkedIn has more than 101 million users. Given these staggering numbers, and the inevitability that some users will eventually misuse or attempt to display confidential information or trade secrets of their employers, it makes sense to review the recent cases addressing trade secrets, as well as the steps a client can take to minimize that risk.
One of the first noteworthy cases comes from the Eastern District of New York and it illustrates the challenges that an employer may face when trying to protect a customer list in this new era. In Sasqua Group, Inc. v. Courtney, 2010 U.S. Dist. LEXIS 93442 (E.D.N.Y. Aug. 2, 2010), affirmed, Sept. 7, 2010, the plaintiff, Sasqua, was a recruiting and search firm that built its niche in the area of executives for the financial services industry. According to Sasqua, its founder, Christopher Tors, had worked for over 20 years as a precious metals and foreign currency trader for Goldman Sachs, AIG and UBS, and had used that experience to form Sasqua and compile a substantial client database. That client database included, among other things, client contact information, individual profiles, contact hiring preferences, employment backgrounds, descriptions of previous interactions with clients, and resumes. Tors claimed that he hired and trained his niece, Lori Courtney, as a recruiter for Sasqua. After Courtney left Sasqua to form a competing firm, Sasqua and Tors concluded that Courtney was using the contents of their client database, which they believed contained highly confidential information.
Because Sasqua did not have a written non-competition or non-solicitation agreement with Courtney, they commenced an injunctive action for misappropriation of trade secrets. However, in a withering opinion rejecting that effort, the U.S. District Court Magistrate who presided over the injunction proceeding found that their customer database and the information contained within that database were not trade secrets.
In particular, the Magistrate found it significant that Courtney was able to demonstrate in court how the information in Sasqua's database could be found through internet searches of websites such as FX Week, Google, Bloomberg.com, and LinkedIn. The Magistrate was impressed with Courtney’s testimony about “how such a search could be conducted on Linkedin, which [Courtney] described as being 'like Facebook but for business' and as being more searchable than Bloomberg 'because people put their whole profile on LinkedIn.'" (Sasqua Group, at p. 24).
The Magistrate was not troubled by the fact that Courtney admitted she did not use the internet to get the information at issue and all but conceded that she had taken it from Sasqua. In holding that the information was not confidential information or a trade secret, the Magistrate noted how the internet had changed the business landscape: "The information in Sasqua's database concerning the needs of its clients, their preferences, hiring practices, and business strategies, as well as Sasqua’s acquaintance with those decision-makers may well have been a protectable trade secret in the early years of Sasqua's existence when greater time, energy and resources may have been necessary to acquire the level of detailed information to build and retain the business relationships at issue here. However, for good or bad, the exponential proliferation of information made available through full-blown use of the Internet and the powerful tools it provides to access such information in 2010 is a very different story" (Sasqua Group, at p. 39).
Three lessons can be drawn from the Sasqua Group decision. First, it is critical to have written non-competition, non-solicitation or confidentiality agreements with employees, contractors and vendors with whom confidential customer information may be shared. Second, an employer needs to have agreements and policies that make clear that sensitive customer information gathered while an employee is the property of the employer and is to be protected. Such an acknowledgement would have necessarily bolstered Sasqua’s claim of proprietary information at the TRO and preliminary injunction stage. Third, an employer has to ensure that its confidential customer information does not find its way into social media websites. This means that the employer must monitor its employees’ social media profiles, descriptions and blogs to ensure that they are complying with the employer’s policies and agreements.
Tags: Social media, trade secrets, customer list, non-compete agreement, non-disclosure agreement, Facebook, LinkedIn, Twitter
General | Intellectual Property | IP Litigation | Licensing | New York | Social Media | Trade Secrets
The information in this blog is designed to make you aware of issues you might not have previously considered, but it should not be construed as legal advice, nor solely relied upon in making legal decisions. Statements made on this blog are solely those of the author and do not necessarily reflect the views of Hahn Loeser & Parks LLP. This blog material may be considered attorney advertising under certain rules of professional attorney conduct. Regardless, the hiring of a lawyer is an important decision that should not be based solely upon advertisements.
© 2011 Hahn Loeser & Parks LLP