What We Can Learn from the LinkedIn Password Hack: Steps Employees and Employers Should Be Taking Now

 
by John Marsh 9. June 2012 17:35

On Thursday, LinkedIn announced that over 6.5 million of its members' passwords were taken and posted on a Russian hacker's site. If you were one of the 6.5 million (I was apparently one, according to the sites LeakedIn and Lastpass), you should know that ComputerWorld is reporting that more than 60% of the unique hashed passwords that were accessed and posted online this week have already been cracked, according to security firm Sophos. They have also been posted online for other hackers to exploit. 

What happened? LinkedIn’s user credentials were apparently compromised because it stored log-in information on its main Web servers instead of isolating those files on separate, secure machines whose only function would have been to verify log-in details. As ComputerWorld's report on the LinkedIn attack explains, there are multiple steps for hackers seeking to snatch and reveal users’ passwords. First, they must gain access to the passwords on a company’s computers. Once a hacker has gained access, he or she must overcome the next obstacle -- encryption, as most companies encrypt their passwords using protocols designed to protect users’ passwords from hackers’ incursions. 

That said, programs designed to defeat these protocols are ubiquitous. Once a hacker has his or her hands on the encrypted password bank, he or she merely runs the encryption-breaking program against it to reveal the plain text of the passwords.

In order to defend against hackers and the encryption-defeating programs, organizations have developed a process known as “salting,” which strengthens the passwords before they are encrypted (by adding characters, for example), thus effectively creating a second layer of protection. It is at this stage that LinkedIn’s security methods are being criticized for being lax; rather than “salt” their passwords, LinkedIn apparently relied on a well-known encryption protocol that offered little resistance once the hackers had gained access to the passwords. 
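To make the salting point concrete, here is an added example (not code from the post or from LinkedIn) contrasting the two storage approaches described above. What the post calls "encryption" is, in a password store, a one-way hash; the leaked LinkedIn values were unsalted SHA-1 hashes, so every user with the same password had the same stored value and one precomputed table covered all of them. The word list below is constructed for illustration, and the choice of PBKDF2-HMAC-SHA256 as the salted, deliberately slow alternative is this example's, not something the post specifies.

```python
import hashlib
import hmac
import os

# Constructed sample list standing in for the precomputed tables the post describes.
COMMON_WORDS = ["password", "linkedin", "123456", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """A bare, well-known hash: identical input gives identical output for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. Any store using the same bare hash is exposed
    to this one table, which is why the leaked hashes fell so quickly."""
    return {unsalted_sha1(w): w for w in words}


def recover_unsalted(stored_hashes, table):
    """Return the stored hashes that appear in the table; no per-user work is needed."""
    return {h: table[h] for h in stored_hashes if h in table}


def make_salted_record(password: str, salt: bytes = None, iterations: int = 600_000) -> dict:
    """Salted storage: a random per-user salt plus a slow key-derivation function.
    The salt is stored alongside the hash; it does not need to be secret, only unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Two users who chose the same weak password, stored both ways."""
    table = build_lookup_table(COMMON_WORDS)

    # Unsalted: both users produce the same hash, and the table recovers both at once.
    unsalted_store = {"alice": unsalted_sha1("linkedin"), "bob": unsalted_sha1("linkedin")}
    recovered = recover_unsalted(unsalted_store.values(), table)

    # Salted: distinct salts give distinct hashes, and the precomputed table is useless.
    salted_store = {"alice": make_salted_record("linkedin"), "bob": make_salted_record("linkedin")}
    salted_hits = recover_unsalted([r["hash"] for r in salted_store.values()], table)

    return {
        "unsalted_identical": unsalted_store["alice"] == unsalted_store["bob"],
        "unsalted_recovered": len(recovered),
        "salted_identical": salted_store["alice"]["hash"] == salted_store["bob"]["hash"],
        "salted_recovered": len(salted_hits),
        "salted_verifies": verify_salted("linkedin", salted_store["alice"]),
        "salted_rejects_wrong": verify_salted("linkedin1", salted_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt buys nothing by itself if the password is in a small word list; an attacker who already holds the salt can still guess one account at a time. What it removes is the one-table-for-everyone shortcut, and the slow derivation function makes each remaining guess expensive. That is the second layer the post refers to.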

This leak is not the first time that LinkedIn has been criticized for this kind of laxity. According to The Daily Mail, the LinkedIn mobile application was sending calendar entries, including phone numbers and passwords (when contained in the entry), to the LinkedIn servers without encrypting the data. 

Not surprisingly, criticism of LinkedIn continues to come from all quarters. For example, as a sign that LinkedIn does not take these security issues seriously enough, LinkedIn has been criticized because it does not have a C-level executive in charge of information or information security (it does have a Senior Vice-President, Operations).

Unfortunately, the perceived problem of weak corporate protection of users’ passwords is not unique to LinkedIn. According to the UK's International Business Times, the problem is endemic, particularly in softer targets like social networks. Throw in the rise of spearphishing and whaling (i.e., targeted cyberattacks that use social media and other publicly available information to deceive unwary users) and you have the proverbial witch's brew over the Internet.

What Should You Do?  If you are one of the 6.5 million:
 
1.  Change your LinkedIn password immediately.

2.  Change all of your other passwords. Yes, I know it is a hassle, but I began doing it after learning that my password was leaked. In fact, if you have used your LinkedIn password or a simple variation of that password for other accounts or sites, you can bet that someone has or will try to access that account using that password.
 
What Can You Do to Protect Yourself and Your Company? Even if your password was not breached, the LinkedIn incident serves as an important reminder of password protection. Here are some basic steps that we all should be taking:

1.  Change your passwords every three months. Make it part of your quarterly routine.

2.  Don't use the same password for sensitive accounts, for the reasons noted above.

3.  Don't use dictionary words as passwords, and avoid simplicity. Avoid favorite sports teams, pet names and other information that might be easily gleaned from social media. Slate has a nice article detailing techniques for coming up with hard-to-crack phrases and ideas for passwords.

4.  Choose your security questions wisely. As I noted last fall, cyberthieves are willing to spend the time trolling through your social media pages and if you have revealed information (anniversary dates, high school mascot, etc.), the answers to typical security questions can be provided through this publicly-available information.

5.  Store your passwords safely, preferably through a password manager. With all this password activity, it will be tough to keep track of all of your ever-changing passwords, so you should consider using a password manager, which is password-protected software that enables you to store all your usernames and passwords in a single place. The New York Times Bits Blog article on the LinkedIn attack identifies a number of password managers that work across platforms, including Splash Data, which offers password-management software for Windows, Macs and mobile devices, and Agile Bits with its 1Password software. Also, see Top Ten Reviews which has reviews of password managers for PCs.

6.  For employers, encourage your employees to follow these guidelines and have your IT staff force employees to change their passwords quarterly or face getting locked out.

A special thanks to my colleague Michael Shoenfelt, who helped me assemble this information quickly for this post. 


 

The Erosion of Customer Lists As Trade Secrets: Are They Still Worth Protecting?

 
by John Marsh 16. January 2012 16:30

Is a customer list still protectable as a trade secret? Two recent cases suggest that, as a practical matter, it is getting tougher to protect this category of trade secret claims, and it is a valid question as to whether it is worth attempting to protect at all.

About 10 days ago, I wrote about the Eagle v. Morgan case in the Eastern District of Pennsylvania that addressed the ownership of a LinkedIn account. Given the buzz over who owns what in a social media account, this case has generated a tremendous amount of commentary within the blogosphere and merited coverage by the Wall Street Journal. 

The employer in that case, Edcomm, initially claimed that the LinkedIn contacts qualified as trade secrets, but later conceded that position during the course of a motion to dismiss. That was probably a prudent move, given what happened to the employer in Sasqua Group, Inc. v. Courtney, 2010 U.S. Dist. LEXIS 93442 (E.D.N.Y. Aug. 2, 2010), who made a similar claim and lost. In that case, the Eastern District of New York found that the customer list and information at issue did not qualify as a trade secret because it could be found on LinkedIn and other sites on the Internet, and as a result, was readily ascertainable. (For a more detailed analysis of this case, see my post from last year). In short, contact information displayed on LinkedIn probably won't qualify as a trade secret.

Another case out of the Tenth District Court of Appeals in Ohio reinforces the challenge in protecting customer lists as trade secrets, although from a more conventional approach. In Columbus Bookkeeping & Business Services, Inc. v. Ohio State Bookkeeping, Case No. 11AP-227 (Dec. 30, 2011), the Tenth District reversed a preliminary injunction issued against several former employees who were alleged to have misappropriated the customer list in question. (A copy of the opinion is attached below). 

The Tenth District was unimpressed with the customer list at issue. It emphasized that "the evidence does not indicate that the client list consists of any information but the names of the entities that do business with plaintiff and perhaps a billing address" and that "[n]othing in the evidence suggests that any sensitive information, otherwise unavailable to the public, is included in the list." Reading between the lines, I suspect that the Tenth District was troubled by the absence of non-competes or other agreements and what it perceived to be an end-run effort to create them through a relatively weak trade secret claim. (For fellow trade secret geeks here in Ohio, this opinion reminds me of Hydrofarm, Inc. v. Orendorf, 180 Ohio App.3d 339 (10th Dist., Dec. 23, 2008), another Tenth District opinion troubled by the absence of a non-compete and rejecting an inevitable disclosure claim).

The future of customer lists remains a topic of debate within the trade secret community. For those active in LinkedIn, I would encourage you to join the Trade Secret Protection Group, where Dylan Wiseman, a trade secret lawyer with Littler Mendelson in California, has forcefully argued that protection of the customer list in California remains viable particularly because California's version of the Uniform Trade Secret Act (UTSA) does not have the "readily ascertainable" limitation. 

I remain a skeptic. In my experience, customer lists are among the more challenging trade secrets to protect.  There is the invariable argument likening them to phonebooks and they may appear, at times, to be thinly-disguised efforts to impose non-solicitation agreements when none exist. In the era of LinkedIn and the Internet, protecting customer lists will only be more difficult and good luck to the claimant that rushes into court with that as its only trade secret.

Columbus Bookkeeping v. Ohio State Bookkeeping.pdf (105.14 kb)

 

LinkedIn and Twitter: Who Owns the Account, the Employer or Employee?

 
by John Marsh 6. January 2012 10:00

LinkedIn, Twitter and other social media are in the news again. Three courts are now considering the question of who owns the social media accounts before them. While none of the cases, detailed below, have definitively resolved the ownership question, taken together, they do provide a road map to what a company should be doing to better protect itself. 
 
Let's start with the first of two decisions issued last Fall.  In Ardis Health, LLC v. Nankivell, Case No. 11 5013 (NRB) (Oct. 19, 2011, S.D.N.Y.), a former employee who was responsible for Ardis Health's social media and related websites refused to return the access information for those accounts. Relying on a Work Product Agreement that the employee signed, Ardis Health was able to secure a preliminary injunction compelling the return of the access information for those accounts. This decision was pretty straightforward as the employee had signed an agreement and there was no dispute over who owned the accounts.
 
In the second case, however, there is a genuine dispute over who owns the social media account. In PhoneDog v. Kravitz, Case No. 3:11-cv-03475 (MEJ) (N.D. Cal., Nov. 8, 2011), the employer, PhoneDog, brought an action against its former employee, Noah Kravitz, to recover the Twitter account "@PhoneDog_Noah", a substantial account with over 17,000 followers. Unlike Ardis Health, PhoneDog did not have an agreement or policy to establish ownership of the account (if it did, it was not raised or discussed in the opinion). 
 
The opinion in PhoneDog only addresses Kravitz's Motion to Dismiss, and therefore has limited value because it only found that PhoneDog presented cognizable claims. However, the district court did recognize that PhoneDog adequately presented claims for misappropriation of trade secrets (specifically, the password account) and conversion. (For a more thorough discussion of these two cases and links to the two opinions, see Russell Beck's fine post in the Fair Competition Blog). Frankly, from my vantage point, the trade secret claim appears to be pretty thin and if PhoneDog is going to prevail, it will have to be on the conversion claim.
 
The most recent decision, Eagle v. Morgan, Case No. 11-4303 (E.D. Pa., Dec. 22, 2011), involves a battle over who owns the plaintiff Dr. Linda Eagle's LinkedIn account. Dr. Eagle, who had built a business providing training for the financial services industry, sold her company, Edcomm, last year. In 2008, Dr. Eagle established an account with LinkedIn and she used her account to promote Edcomm's banking education services, build her own professional reputation, and build social and professional relationships. An employee of Edcomm helped her maintain her LinkedIn account and had access to her password. 
 
Last June, Dr. Eagle was terminated by the new owners of Edcomm, and she later discovered she could not access her LinkedIn account. When Edcomm refused to return the LinkedIn account, she filed a lawsuit claiming that she owned the account and that Edcomm was essentially misappropriating it. Of course, Edcomm and the new owners counterclaimed and alleged Edcomm owned the account. 
 
In support of Edcomm's claims, they alleged that Edcomm had policies that required employees to create and maintain LinkedIn accounts, that Dr. Eagle's account was used for Edcomm business, and that Edcomm employees assisted in developing her profile and maintaining her account. Notably, however, Edcomm did not identify an agreement or policy indicating that Edcomm owned the LinkedIn account.
 
When Dr. Eagle moved to dismiss the counterclaims, Edcomm withdrew its claim that the LinkedIn account was a trade secret (a wise decision) as well as its conversion claim (perhaps not so wise) and relied solely on a claim for misappropriation of an idea under Pennsylvania law. Based on the policies detailed above, the Eastern District of Pennsylvania concluded that Edcomm had presented a claim sufficient to survive dismissal at this early stage and that discovery would need to be conducted to determine who truly owned the account. (For further analysis, check out Eric Meyer's post on The Employer Handbook Blog and a copy of the opinion can be found here).
 
The takeaway? The importance of written agreements and policies establishing ownership. In Ardis Health, the employer was able to compel its former employee to turn over the access information for its social media accounts because there was a written agreement. 
 
In contrast, in PhoneDog and Eagle, while both employers survived motions to dismiss, both face uphill battles, in my view, in establishing that they own the accounts. This is because, in the absence of a clear written understanding between the employer and employee, a court will likely be heavily influenced by whatever the Twitter and LinkedIn User Agreements say. In the case of LinkedIn, for example, the account and agreement are almost certainly going to be with the individual.
 
This may not be a big deal for many companies who may decide that they are better served by having no agreements or policies on ownership because that will better promote and encourage individuals to network, to sell, and to build professional relationships unimpeded by a corporate policy. However, to the extent that employees are charged with overseeing the social media accounts for their employer, policies and agreements are critical as the Ardis Health case illustrates. Many small businesses rely heavily on their Facebook presence for their marketing, and it could be catastrophic if a disgruntled employee departs and refuses to provide the required access and account information or tries to modify or alter the Facebook site. 
 
At the end of the day, the culture and goals of the company should drive any policies or agreements, but it is important that the company at least considers the consequences if those agreements and policies are not created or implemented.
 

LinkedIn and Litigation: Social Media Continues to Transform Trade Secret Law

 
by John Marsh 1. July 2011 12:00

Many of us are still trying to get our minds around the transformative effect of social media sites on the workplace, on litigation and, for purposes of this post, the trade secret practice area.

 

Social media's impact has been both practical and substantive. On the practical side, when a non-compete case comes through the door, one of the first things that I do is check to see if the potential defendant has a LinkedIn profile for background information. More often than not, my client has already scoped that profile out because the client remains "connected" to the former employee and can monitor, to some extent, the employee's contacts and connections. The Virginia Non-Compete Blog, whose clients are generally employees on the receiving end of non-compete disputes, has likened this curiosity to a form of "cyber-stalking," effectively using the analogy of a break-up and resulting matrimonial dispute to illustrate that point (it's a great example, as Facebook and other social media have become an evidentiary boon to the matrimonial bar). As a result, it counsels its clients to take a hiatus from social media sites to avoid potential disagreements during this period of high tension, which is good advice.

 

Substantively, LinkedIn continues to be a topic of discussion in the trade secret community. I wrote a post last month on the Sasqua Group decision out of the Eastern District of New York and its potential impact on the protection of customer lists. Another issue recently raised in the context of LinkedIn is who truly owns the connections information that is listed within LinkedIn's site. A case that was closely watched last year, TEKsystems, Inc. v. Hammernik, et al. (0:10-cv-00819-PJS-SRN) (D. Minn. 2010), addressed this issue -- namely, whether a defendant's use of LinkedIn was a violation of his non-solicitation agreements. 

 

In that case, TEKsystems accused one of the defendants of using LinkedIn to solicit TEKsystems’ contract employees and clients and identified approximately 20 TEKsystems contract employees that were solicited using LinkedIn. While that defendant admitted using LinkedIn to communicate with those individuals, he denied otherwise having communicated with them. He also argued that TEKsystems' and its employees' use of LinkedIn and Facebook for recruiting, promotional and other purposes voided any claim that any information posted on those sites was a trade secret or confidential.

 

No ruling was ever issued on the LinkedIn issues as the parties entered into a stipulated order enforcing the non-solicitation agreement and requiring the return of TEKsystems’ documents; however, the case generated tremendous interest as the first case to attempt to sort out these issues.

 

At the end of the day, the same fundamentals that apply to protecting trade secrets in other areas apply to the use of LinkedIn. First, to the extent that a company uses a non-solicitation or non-compete agreement, that agreement should specify that post-employment communications to customers made through an online social networking website including LinkedIn or Facebook constitute a violation of that agreement. This step will preserve the client's contractual remedy, whatever the trade secret status of the contact information.

 

Second, any employment or non-solicitation agreement should include a confidentiality provision that expressly defines confidential information to include client identities and contact information and that it is the property of the employer. That provision should unambiguously state that confidential information may not be used or disclosed for any purpose other than on behalf of the employer, including through the use of social media, and again, identifying LinkedIn. 

 

Finally, employers should develop, disseminate, and, if necessary, train employees on company policies addressing the use of social media. Through these policies, employers should make sure that their employees understand which information is considered confidential and what information constitutes a trade secret. This will require companies to be vigilant about their employees’ use of social media and to monitor that use from time to time to ensure that employees are complying with their written agreements and the company’s policies. Many companies have already created social media officers who are responsible for ensuring the creation and implementation of these social media policies. In the absence of follow-through to ensure compliance, a court may deem that failure as proof that trade secrets do not exist or are not sufficiently important to warrant protection.

 

Social Media and Trade Secrets, Part I

 
by John Marsh 4. May 2011 21:18

The phenomenon of social media and its near-exponential growth have generated tremendous dialogue within the IP community about its impact. Facebook now has more than 640 million members, Twitter now has over 175 million users, and LinkedIn has more than 101 million users. Given these staggering numbers, and the inevitability that some users will eventually misuse or attempt to display confidential information or trade secrets of their employers, it makes sense to review the recent cases addressing trade secrets, as well as the steps a client can take to minimize that risk.

One of the first noteworthy cases comes from the Eastern District of New York and it illustrates the challenges that an employer may face when trying to protect a customer list in this new era.  In Sasqua Group, Inc. v. Courtney, 2010 U.S. Dist. LEXIS 93442 (E.D.N.Y. Aug. 2, 2010), affirmed, Sept. 7, 2010, the plaintiff, Sasqua, was a recruiting and search firm that built its niche in the area of executives for the financial services industry.  According to Sasqua, its founder, Christopher Tors, had worked for over 20 years as a precious metals and foreign currency trader for Goldman Sachs, AIG and UBS, and had used that experience to form Sasqua and compile a substantial client database. That client database included, among other things, client contact information, individual profiles, contact hiring preferences, employment backgrounds, descriptions of previous interactions with clients, and resumes. Tors claimed that he hired and trained his niece, Lori Courtney, as a recruiter for Sasqua. After Courtney left Sasqua to form a competing firm, Sasqua and Tors concluded that Courtney was using the contents of their client database, which they believed contained highly confidential information. 

Because Sasqua did not have a written non-competition or non-solicitation agreement with Courtney, they commenced an injunctive action for misappropriation of trade secrets. However, in a withering opinion rejecting that effort, the U.S. District Court Magistrate who presided over the injunction proceeding found that their customer database and the information contained within that database were not trade secrets. 

In particular, the Magistrate found it significant that Courtney was able to demonstrate in court how the information in Sasqua's database could be found through internet searches of websites such as FX Week, Google, Bloomberg.com, and LinkedIn. The Magistrate was impressed with Courtney’s testimony about “how such a search could be conducted on Linkedin, which [Courtney] described as being 'like Facebook but for business' and as being more searchable than Bloomberg 'because people put their whole profile on LinkedIn.'" (Sasqua Group, at p. 24). 

The Magistrate was not troubled by the fact that Courtney admitted she did not use the internet to get the information at issue and all but conceded that she had taken it from Sasqua. In holding that the information was not confidential information or a trade secret, the Magistrate noted how the internet had changed the business landscape:
 
"The information in Sasqua's database concerning the needs of its clients, their preferences, hiring practices, and business strategies, as well as Sasqua’s acquaintance with those decision-makers may well have been a protectable trade secret in the early years of Sasqua's existence when greater time, energy and resources may have been necessary to acquire the level of detailed information to build and retain the business relationships at issue here. However, for good or bad, the exponential proliferation of information made available through full-blown use of the Internet and the powerful tools it provides to access such information in 2010 is a very different story" (Sasqua Group, at p. 39). 

Three lessons can be drawn from the Sasqua Group decision. First, it is critical to have written non-competition, non-solicitation or confidentiality agreements with employees, contractors and vendors with whom confidential customer information may be shared. Second, an employer needs to have agreements and policies that make clear that sensitive customer information gathered while an employee is the property of the employer and is to be protected. Such an acknowledgement would have necessarily bolstered Sasqua’s claim of proprietary information at the TRO and preliminary injunction stage. Third, an employer has to ensure that its confidential customer information does not find its way into social media websites. This means that the employer must monitor its employees’ social media profiles, descriptions and blogs to ensure that they are complying with the employer’s policies and agreements.

About John Marsh

I’m a Columbus, Ohio-based attorney with a national legal practice in trade secret, non-compete, and emergency litigation. Thanks for visiting my blog. I invite you to join in the conversations here by leaving a comment or sending me an email at jmarsh@hahnlaw.com.

Disclaimer

The information in this blog is designed to make you aware of issues you might not have previously considered, but it should not be construed as legal advice, nor solely relied upon in making legal decisions. Statements made on this blog are solely those of the author and do not necessarily reflect the views of Hahn Loeser & Parks LLP. This blog material may be considered attorney advertising under certain rules of professional attorney conduct. Regardless, the hiring of a lawyer is an important decision that should not be based solely upon advertisements.
