
Survey on American Attitudes on Confidential Information: Prepare to be Depressed and Keep a Close Eye on Those Millennials

 
by John Marsh 24. April 2012 16:30

A recent survey by Harris Interactive for security software provider FileTrek has some discouraging findings regarding American attitudes about confidential information in the workplace. Here are the particulars:

Although most adults (79%) agree that taking confidential files outside the office is grounds for termination, a majority of Americans (90%) nevertheless believe people remove confidential documents from the workplace. Most adults surveyed said that if they were going to risk taking confidential documents, they would use a USB drive (55%).

Not surprisingly, the study also found a "generational gap" in attitudes about confidential information in the workplace. While a solid majority (68%) of the so-called Millennial generation (those between the ages of 18-34) believe it is acceptable to remove confidential files out of the office, only 50% of the 55+ age group believe the same.  In addition, adults 55 and older are more likely to believe someone should be fired for taking confidential information than their younger counterparts (86% vs. 74% of those ages 18-54).

Though 40% of adults surveyed said it is never acceptable to remove confidential company information out of the office, the report found there are circumstances for which they believe it is acceptable:

  • 48% - when boss says it’s okay to do so;
  • 32% - to finish a late night project from home instead of having to stay at the office;
  • 30% - to work over the weekend or while on vacation;
  • 16% - when it is confidential information about themselves;
  •  2% - when it can be brought back to the office before the boss knows it was gone;
  •  2% - to show something to family or friends who promise to keep it confidential (my personal favorite).

FileTrek's CEO, Dale Quayle, interprets the survey's results to mean that “[t]oday’s workforce believes information is an asset to be shared, and while companies have benefited from this collaborative attitude with new technologies and increased productivity, there are risks too.” 

The takeaway? Employers need to be prepared to address these attitudes with better education and training to make sure that employees fully understand the importance of preserving the confidentiality of trade secrets and other proprietary data. As I wrote a couple of months ago, building and reinforcing a culture of security is the first and most important step. And unfortunately, if the message does not get through, they may need to be prepared to use litigation to protect themselves. (Thanks to Jon Hyman's excellent Ohio Employers Law Blog, which had a post about the study this month).

 

The Year in Review: The 10 Decisions That Shaped Trade Secret and Non-Compete Law in 2011 (Nos. 4 through 6)

 
by John Marsh 31. December 2011 14:00

Today's post features Nos. 4 through 6 of the Top Ten Trade Secret and Non-Compete Decisions of 2011. They are:

6. IBM v. Visentin (U.S. District Court for the Southern District of New York and U.S. Court of Appeals for the Second Circuit) and Aspect Software v. Barnett (U.S. District Court for Massachusetts)
These two cases presented the same issue -- to what extent should a non-compete be enforced when the new employer and former employee have put safeguards in place to protect the plaintiff's trade secrets and customer relationships. Both of these cases provide a fine example of what a company should do if it wants to hire an employee with a non-compete but minimize potential entanglements with the former employer (see my previous blog post on the Aspect Software case  where the former employee and new employer incorporated 8 steps to safeguard the plaintiff's interests).
 
However, taken together, these two cases also reinforce another feature of non-compete and trade secret cases -- their unpredictability.  In Visentin, the Southern District of New York (and later, the Second Circuit) found that the former employee and the new employer (HP) had acted reasonably to protect the business interests of the former employer (IBM) and that the non-compete should not be enforced to prevent the employee's new job with HP.  In contrast, in Aspect Software, although the district court commended the former employee and his new employer, Avaya, for "the scrupulous steps" they took to safeguard the plaintiff's trade secrets and customer relationships, it still enforced the non-compete because of concerns that the employee would inevitably use his former employer's trade secrets.  

As increased employee mobility and a poor economy continue into 2012, look for more cases like Visentin and Aspect Software.  Courts will be forced to balance the interests of all parties and still protect the legitimate interests of the former employer.  These cases may have a profound impact on the viability of the inevitable disclosure doctrine, the traditional counterweight to an employee's assurances about his or her good faith efforts to protect the former employer's trade secrets.

5. Mattel v. MGA (U.S. District Court for the Southern District of California, Los Angeles)
Will it ever end? 

When I first started putting this list together, I thought about using movie titles to highlight the key qualities of each case.  When it came to selecting a title for this bitter case, plenty came to mind -- "There Will Be Blood" and "Drag Me to Hell" certainly would have captured it nicely.  However, the most fitting title is probably "Reversal of Fortune" as this epic lawsuit, at least in its most recent round, has swung decisively in favor of MGA.

If you are reading this post, you are likely familiar with the history of this dispute, which began in 2003, when Mattel first sued MGA for stealing the idea for the pouty-lipped Bratz Line through a former Mattel employee.  In 2008, Mattel won a $100 million jury verdict, only to see that judgment reversed by the Ninth Circuit.  Then, in April 2011, MGA prevailed during the second jury trial, not only persuading the jury to reject Mattel's claims but also to award MGA $83 million on its trade secret counterclaims.  That award swelled to $310 million when the district court imposed exemplary damages and attorneys' fees in post-trial proceedings.
 
What will the next ruling bring?  No one really knows, as the trade secret version of Jarndyce and Jarndyce continues to work its way through California's federal courts.

4. U.S. v. Nosal (U.S. Court of Appeals for the Ninth Circuit)
The scope of the Computer Fraud and Abuse Act (CFAA) continues to beguile litigants and courts alike, and no CFAA case raised more eyebrows in 2011 than the Ninth Circuit's decision in U.S. v. Nosal, 642 F.3d 781 (9th Cir. Apr. 28, 2011). In Nosal, the Ninth Circuit held that the violation of a computer use policy that placed "clear and conspicuous restrictions on the employees’ access" to the employer’s computer system and the specific data at issue could be enough to qualify as conduct that exceeded authorized access, a necessary element of a CFAA claim.

Given this taffy-like definition of the critical "accessed without authorization" requirement, Nosal's holding has been applied broadly in other contexts. For example, in September, the Northern District of California applied Nosal's reasoning to online agreements in a civil dispute between commercial parties.  In Facebook v. MaxBounty, Case No. CV-10-4712-JF (N.D. Cal, Sept. 14, 2011), that district court found that a violation of Facebook's terms of use could qualify as access without authorization under the CFAA.
 
Nosal has generated more critical commentary than any other CFAA case in recent memory. While it was initially welcomed by many in the trade secret community because it would bolster employers' protections under the CFAA, libertarian groups such as the Electronic Frontier Foundation argued that Nosal could criminalize the very acts outlined above as violations of broadly written Terms of Service.
 
Perhaps as a result of this uproar, the Ninth Circuit indicated on October 27, 2011 that it would rehear Nosal en banc and advised district courts that Nosal was not to be used as precedent in the meantime.  Oral argument was heard on December 15, 2011 and even those reading the tea leaves left in the wake of that argument are having difficulty divining what the Ninth Circuit will do.

We will reveal our top three cases next week, so please stay tuned. In the meantime, have a safe and happy new year.

 

The Great Debate: Protecting Your Trade Secrets and Managing Personal Devices in a Dangerous World (Part II)

 
by John Marsh 13. December 2011 16:30

In the first installment of this post last week, we looked at the emerging BYOD (Bring your own device to work) movement and the IT community's concerns about security. This week, in Part II of that post, we drill down on those security issues and look at what others are doing to address them.

Security concerns: The first and greatest security concern arises from the complication of retrieving confidential information and trade secrets before an employee resigns or is terminated. If an employee has copied, transferred or downloaded that information into his or her personal device, the risk that everything has not been returned, deleted or destroyed increases significantly. 
 
The second concern is carelessness: in a widely reported story earlier this year, an Apple employee apparently left his unreleased iPhone 5 prototype at a bar, causing understandable angst within Apple.  
 
The third concern, as we noted last Friday, is the fact that mobile devices and employees are increasingly being targeted by cyberthieves. As Symantec reports, one third of data breaches in 2010 occurred through mobile devices. A popular means of penetration is using Trojans that pose as legitimate apps, which are then uploaded to mobile app marketplaces in the hopes that an employee may download and install them onto their phones, which will then in turn allow malicious code to enter the employer's infrastructure. This means of attack, coupled with targeted efforts at individuals made possible by the ability of crooks to gather information about them through social media, will likely only increase.
 
So what can a company do? The first step before implementing a new policy should be to find out who is accessing the company's servers and what devices the employees are using. Until that audit is conducted, the company literally has no idea who is tapping in to its servers.  Once it understands what devices are being used and by which employees, it can evaluate the type of policy that may fit its business.

Not surprisingly, the degree to which an employer imposes a personal device policy depends largely on what type of “work” the employee will be performing on his or her device.  An employee’s use of his personal smartphone or laptop to access email will likely face little opposition from the employer, so long as the email is accessed through a web-based program such as Webmail. Because Webmail is Internet-based and allows the employee to access their email account from literally any computer in the world, accessing email from the employee’s personal device is of little consequence. The company already has internal security measures in place to protect the access of email on the Webmail server (through, among other things, the use of an https:// address).

Security is of greater concern, however, where the employee seeks to “tap in” to an employer’s exchange or other internal server. If not blocked, that access is easy for the employee, with even the iPhone or Droid default email program allowing access to the exchange server with just the simple input of the employee’s username and password. 

Companies that elect to allow their employees to access exchange servers or other databases which house sensitive or confidential information should consider requiring those employees to download a program or application onto their device which gives the IT department the ability to monitor the employee’s use of the server and “wipe” the device should it become lost or compromised. Of course, employees may be more reluctant to allow their IT departments access to their personal devices, the same ones on which they store photos of their children, their favorite music, and applications which access personal Facebook or Twitter accounts. For personal devices, employees obviously have a greater expectation of privacy than the work-issued laptop that they might also use for personal reasons.

Marisa Viveros, a VP for Security at IBM, recently outlined the following practical steps a company and its employees can take right now to protect their work and personal data:

  • Make sure you protect access to your device with a password or PIN to keep intruders out if the device is lost or stolen.
  • Only download applications from well-known, trusted sites.
  • Make sure you install system updates and run anti-malware as prompted.
  • Back up your data on a regular basis.
  • Have the ability to track your phone and remotely wipe all its data if it is stolen. You can easily find an app that will allow you to do this.

Finally, an employer who wants to err on the side of extreme caution when it comes to protecting its confidential information (including trade secrets) should either: (a) not allow employees to use personal devices for work purposes at all; or (b) require those employees to install whatever security measures are necessary to protect the information on those personal devices. Its employees might not be happy about being given such an ultimatum, but those employers should also be prepared to offer a work-issued device to the employee if they are expected to be “available” after 5:00 p.m. If you don’t want your employees using their personal devices to access the email exchange server, then you may have no choice but to give them (and pay for a data plan for) a Blackberry or comparable device.

As they have in the past, employers and employees will eventually figure out how to balance the competing concerns of convenience and security and shape a policy that best fits that company. In the meantime, there will invariably be bumps along the road as they figure out how best to integrate these technological issues into the workplace. (A special shout-out to my colleague Phil Eckenrode, a vocal member of the BYOD community, for his hard work and assistance with this post.)

 

The Great Debate: What to Do about the Use of Personal Devices and Trade Secrets (Part I)?

 
by John Marsh 8. December 2011 11:00

One of the more important debates percolating within the trade secret community, as well as society at large, is what to do about the use of personal electronic devices. The colliding realities of today's 24/7 workplace and the increasing security risks posed by the use of devices outside the protective sphere of a company's infrastructure are bringing this issue into focus.  IT managers and CIOs are not the only ones talking about this issue; national media, including Forbes, the New York Times and the Wall Street Journal, have noted the tension between these forces in many recent articles.

To give this topic the attention it deserves, I am going to divide it into two posts. Part I will address the data and issues that are driving this problem to the front of the desks of many in-house lawyers, HR managers, CIOs and IT managers; Part II will address the security issues and what companies are doing, and can do, to reduce or eliminate this security risk.

The Facts Driving the Debate: One thing is clear, and that is that employees want to be able to use their personal devices for work. According to a survey, 35% of IT managers say they are under increased pressure from employees to offer greater flexibility for the use of personal devices. 

The reasons why employees want to use their personal devices for work are straightforward: (1) an individual employee is much more likely to keep up with ever-changing technology, as opposed to the employer, who as a matter of practical economic reality cannot match that pace (on average, companies upgrade their computers and other devices only once every three years); (2) employees, who are going to own their own devices regardless of their employer’s policy, don’t want to have to carry two smart phones, two laptops, etc.; (3) employees are expected to perform more work from home and many times after 5 p.m., so they do not want to be saddled with what they perceive as relatively “outdated” office technology while on (what was previously) their personal time; and (4) employees simply prefer working from a device with which they are comfortable and familiar, a fact reflected in their purchase of that device. These facts are unlikely to change anytime soon.

Those advocating the increased use of employee devices have coined the phrase “BYOD” (Bring Your Own Device) for those companies and firms that allow for greater use of employee devices.  Proponents claim that BYOD benefits the employer as well because it saves the company money, increases employee morale, and allows their employees to be more available after hours. However, as one opponent of BYOD commented, after identifying the legal, security, and logistical problems that accompany employees’ use of personal devices: “BYOD, you say? Better follow it up with BYOB, because you’ll want something to dull the pain.” (See Erik Sherman's recent take in the Wall Street Journal article, "Should Employees be Permitted to Use Their Own Devices for Work?"  John Parkinson presents a nice defense of the BYOD position in the same article, some of which is incorporated above).

The Great Unknown:  Now for the frightening part:  recent research and surveys suggest that few companies and IT departments are adequately prepared – let alone adequately educated – to address the relevant issues head-on. According to a November 21, 2011 Citrix press release, a recent global survey by Citrix revealed that 62% of small and medium-sized businesses have no internal IT controls in place to manage employee-purchased smartphones, tablets, laptops, and other devices.  

Even more alarming, the Citrix survey found that 45% of the IT managers surveyed were unaware of all the devices being used to access their servers.  I am going to repeat that statistic -- nearly half of those IT managers could not identify all of the devices that were accessing their servers.  Probably for that very reason, 57% of IT managers polled are most concerned about the security implications of employees using personal devices to conduct business.

We've confronted the issue and the facts on the ground.  Now, in next week's Part II of this post, we will look at the practical consequences and what companies are doing, or can do, to protect themselves. 

 

Hooters v. La Cima: Closing the Electronic Door Before the Executive Can Escape

 
by John Marsh 5. October 2011 19:01

Last week, the iconic restaurant chain Hooters sued an emerging rival, La Cima Restaurants, for claims under the Uniform Trade Secrets Act and Computer Fraud and Abuse Act. Hooters, the self-proclaimed "beach-themed establishment" with waitresses who present "an all-American cheerleader image," claims that La Cima has entered into a series of franchise development agreements to operate the aptly-named competitor Twin Peaks Restaurants throughout the Southeast. I am not making this up. The Non-Compete News Blog has a thoroughly entertaining post on the complaint in greater detail for those interested.

La Cima hired a former executive of Hooters, Joseph W. Hummel, as well as a number of other former executives this summer. According to Hooters' Complaint, Hooters discovered that in the weeks leading up to his resignation, Hummel downloaded and transmitted to his private e-mail account a substantial number of highly confidential and sensitive documents including, among other things, Hooters' distribution infrastructures, sales figures, and plans to capitalize on internal market forecasts.

Other sensitive documents were accessed from Hooters' computer servers after his last day, which Hooters blames on the circumstances of Hummel's abrupt departure. Hummel is alleged to have accessed the server at least five times after his departure to secure some of the trade secrets in question. Curiously, Hooters has elected not to sue Hummel or the other individuals, at least at this time.

The key lesson from this case? The importance of stopping further electronic access of a critical employee or executive upon learning that he or she is leaving to join a competitor. At least as of the time of this post, Hooters has not requested a temporary restraining order, and one can't help but wonder whether its apparent laxity in safeguarding that information may have contributed to the decision not to pursue what would otherwise be critical relief. 

About John Marsh

I’m a Columbus, Ohio-based attorney with a national legal practice in trade secret, non-compete, and emergency litigation. Thanks for visiting my blog. I invite you to join in the conversations here by leaving a comment or sending me an email at jmarsh@hahnlaw.com.

Disclaimer

The information in this blog is designed to make you aware of issues you might not have previously considered, but it should not be construed as legal advice, nor solely relied upon in making legal decisions. Statements made on this blog are solely those of the author and do not necessarily reflect the views of Hahn Loeser & Parks LLP. This blog material may be considered attorney advertising under certain rules of professional attorney conduct. Regardless, the hiring of a lawyer is an important decision that should not be based solely upon advertisements.
