trade secrets and cybersecurity: protecting intellectual...
TRANSCRIPT
The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Presenting a live 90-minute webinar with interactive Q&A
Trade Secrets and Cybersecurity: Protecting
Intellectual Property, Mitigating Loss and
Navigating Legal Responses
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
THURSDAY, SEPTEMBER 24, 2015
Kevin A. Cranman, Senior Group Legal Counsel, Ericsson, Atlanta
Peggy Daley, Managing Director, Berkeley Research Group, Chicago
R. Mark Halligan, FisherBroyles, Chicago
Matthew F. Prewitt, Partner, Schiff Hardin, Chicago
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-866-871-8924 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can
address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 35.
FOR LIVE EVENT ONLY
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-
hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a
PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
FOR LIVE EVENT ONLY
Our Panelists
Kevin A. Cranman
Senior Group Legal Counsel
Ericsson, Atlanta
For over 20 years Mr. Cranman has led technology and IP matters for organizations including
the Georgia Institute of Technology, BellSouth (now AT&T) Intellectual Property, Panasonic
Mobile Communications, and Ericsson. He has been instrumental in developing and
successfully leading programs to protect IP, confidential information and trade secrets. Mr.
Cranman is a frequent presenter and author on topics including protecting confidential
information and trade secrets, privacy and security, and employment issues.
Margaret (Peggy) Daley
Managing Director
Berkeley Research Group, Chicago
Ms. Daley has over 25 years of experience in investigations, data analytics, dispute resolution,
and regulatory compliance for multinational corporations in a variety of industries. She has
conducted fraud, money laundering, and trade theft investigations on behalf of boards of
directors and outside counsel, typically under circumstances requiring disclosure to relevant
regulatory and law enforcement authorities. Before joining the firm, Ms. Daley was a
corporate defense attorney at prominent national law firms. She also served as general
counsel at a global security and litigation consulting firm.
Our Panelists
R. Mark Halligan
FisherBroyles, Chicago
Mr. Halligan focuses his practice on IP litigation and complex commercial litigation. He
has successfully represented both individuals and corporations as plaintiffs and
defendants in federal and state courts throughout the U.S. In recent years, Mr. Halligan
has been at the forefront of international developments in IP law and is a recognized
thought leader in the ever-growing area of trade secrets law, having spoken worldwide
to organizations and corporations on the topic.
Matthew F. Prewitt
Partner
Schiff Hardin, Chicago
Mr. Prewitt is Chair of the firm’s Cybersecurity and Data Privacy Team and Co-Chair of
the firm’s Trade Secrets and Employee Mobility Team. He is a trial lawyer with a
national practice in trade secrets litigation and disputes arising from nondisclosure and
noncompetition agreements. As lead trial counsel, Mr. Prewitt has obtained injunctive
relief in expedited proceedings in more than a dozen states.
Introduction:
Why is Cybersecurity a Game-
Changer for
Trade Secrets?
© Schiff Hardin LLP. All rights reserved | schiffhardin.com
Matthew F. Prewitt
Schiff Hardin LLP
Uniform Trade Secrets Act, § 1
"Trade secret" means information,
including a formula, pattern,
compilation, program, device, method,
technique, or process, that:
8
Uniform Trade Secrets Act, § 1
(i) derives independent economic value,
actual or potential, from not being generally
known to, and not being readily
ascertainable by proper means by, other
persons who can obtain economic value
from its disclosure or use, and
9
Uniform Trade Secrets Act, § 1
(ii) is the subject of efforts that are
reasonable under the
circumstances to maintain its
secrecy.
10
Who Is Watching Your Company’s Efforts to Protect Its Trade Secrets?
• Competitors
• Authorized
Insiders
• Courts
11
DuPont v. Christopher, 5th Cir. 1970
[A]ll information indicates that the third party
has gained this knowledge solely by taking it
from DuPont at a time when DuPont was
making reasonable efforts to preserve its secrecy.
12
DuPont v. Christopher, 5th Cir. 1970
Perhaps ordinary fences and roofs must be built
to shut out incursive eyes, but we need not
require the discoverer of a trade secret to guard
against the unanticipated, the undetectable, or
the unpreventable methods of espionage now
available.
13
New Technologies Challenge Past Expectations of Security.
14
Topics for Today’s Discussion
• Identifying Your Trade Secrets
• Managing Insider Risk
• Working with Data Security Consultants
• Managing Litigation Risk
• Collaborating with Law Enforcement
15
Place image here
Size: 2.75h” x 2.6w”
Trade Secret Asset
Management and Cybersecurity
R. Mark Halligan, Esq.
Partner, FisherBroyles, LLP
17
The Modern Definition of a Trade Secret
Restatement Third Unfair Competition:
“A trade secret is any information that can be used in the
operation of a business or other enterprise and that is
sufficiently valuable and secret to afford an actual or potential
economic advantage over others.” [Section 39]
18
What is a Trade Secret?
The Illinois Trade Secrets Act:
“Trade secret” means information, including but not limited to,
technical or non-technical data, a formula, pattern,
compilation program, device, method, technique, drawing,
process, financial data, or list of actual or potential customers
or suppliers…….
19
What is a Data Breach?
A data breach is an incident in which sensitive, protected or
confidential data has potentially been viewed, stolen or used
by an individual unauthorized to do so. Data breaches may
involve personal health information (PHI), personally
identifiable information (PII), trade secrets or intellectual
property.
20
Two sides of the Same Coin
DATA………………………………………………………BREACH
TRADE SECRET………......………….MISAPPROPRIATION
21
Two Ships Passing in the Night
Non-public personal information
Non-public proprietary and confidential information
Lot’s of attention to privacy and data breaches
Very little attention to the management of trade secret
information
22
What is Cybersecurity?
• Cybersecurity is the body of technologies, processes and
practices designed to protect networks, computers, programs
and data from attack, damage or unauthorized access. In a
computing context, the term security implies cybersecurity.
• For a trade secrets lawyer—cybersecurity means trade
secrets “in motion” by and through computer systems and
digital media.
23
The Life Cycle of a Trade Secret
• “The birth of every patent starts out as a trade secret.”
• There are 4 distinct stages in the Trade Secret Life Cycle:
1. Identification
2. Classification
3. Protection
4. Valuation
24
TRADE SECRET ASSET MANAGEMENT
• TRADE SECRET??
• What is “IT” that is alleged to be a “TRADE SECRET”?
• This is the starting point and ending point of all of trade
secrets law.
• Everyone starts with security/protective measures BEFORE
the identification and classification stages.
25
Identification: The Key First Step
• To secure trade secrets, one must know what they are, where
they are, and how they are being used
› Without proper security, trade secret rights are in danger of
forfeiture for failure to take “reasonable measures to maintain
their secrecy”
• To defend trade secret rights in court, one must “identify with
particularity and specificity” the trade secrets alleged to be
misappropriated and the security measures taken.
26
No Value Without Identification
Appropriate security relies on identification
+
Failure to properly secure trade secrets
results in forfeiture of rights
=
Unidentified and unprotected trade secrets
result in a zero economic valuation
27
SFPs
• An SFP is a trade secret identification tool and card
catalogue:
• [Subject] [Format] for [Product]
› Subject: the department or functional area within the company or
division
› Format: the form of the trade secret itself, such as a method,
design, plan, forecast [etc.]
› Product: the product or family of products to which the trade
secret applies.
28
Defining the Space
• The SFPs form a three-
dimensional space within which
all the company’s trade secrets
can be mapped
• Each trade secret lies within one
SFP
29
SFPs - Examples
• Manufacturing Process for Transmissions
› Subject Format Product
• Research Test Results for Non-Flammable Plastics
› Subject Format Product
• Advertising Roll-out Strategy for New Cola
› Subject Format Product
• Purchasing Vendor List for MP3 Cell Phone
› Subject Format Product
• Software Source Code for Operating System
› Subject Format Product
30
The Trade Secret Audit
• Trade secrets cannot be audited without input from
production-level employees
› Employees create trade secrets continuously
› Employees know in lay terms what the trade secrets are and they
know how they are used
› No “star chamber” plan isolated from the employees can succeed
at identification
• The trade secret audit must include interviews with employees
who have knowledge of the trade secrets
31
Valuation – Core Principles
• If the information cannot be defended as a trade secret in
court, it can be copied and used by anyone and its economic
value to the company is zero
• The economic value of a viable trade secret is the net present
value of future cash flows it provides.
› This method is preferred in FASB rules
• The NPV of future cash flows does not include all revenues
for the product, but only those dependent on the secrecy of
the information
32
Valuation – The Six Factors
• The First Restatement of Torts provides six factors for courts
to consider in determining existence of a trade secret:
1. How widely is the trade secret known within the company?
2. How widely is the trade secret known within the industry?
3. How much has been invested to develop this trade secret?
4. What is the economic benefit of the trade secret?
5. How hard would it be to independently reproduce the trade
secret?
6. What security measures have been taken to protect the trade
secret?
33
Applying The Six Factors
• The greater the compliance with the six factors, the more
likely a court will find that the information qualifies for trade
secret protection.
• In practice, the most valuable trade secrets in the company
have high compliance with the six factors.
About FisherBroyles, LLP
Founded in 2002, FisherBroyles LLP was the first national, full-service, cloud-based law firm in the country. Our Next
Generation Law Firm® has grown to over 115 attorneys in 17 offices nationwide. The FisherBroyles model leverages
technology to offer a more cost-effective solution to clients without sacrificing Big Law quality by eliminating unnecessary
overhead that does not add value to clients.
© 2015 FisherBroyles LLP.
Disclaimer
The materials on the FisherBroyles website are for informational purposes only. They are not intended to provide legal
advice for a specific situation or create an attorney-client relationship. You should not act upon the information provided on
this presentation without seeking advice from a lawyer licensed in your own state or country. Under rules applicable to the
professional conduct of attorneys in various jurisdictions, content on this website may be considered advertising material.
The choice of a lawyer is an important decision and should not be based solely upon advertisements. Where case studies
are provided, previous results are not a guarantee of similar outcomes for other clients.
Legal Notices
All text, graphics, photographs, trademarks, logos, artwork and computer code (collectively, “Content”), including but not
limited to the design, structure, selection, coordination, expression, “look and feel” and arrangement of such Content,
contained on this site is owned, controlled or licensed by or to FisherBroyles, LLP and is protected by trade dress,
copyright, patent and trademark laws, and various other intellectual property rights.
36
37
38
39
40
41
42
43
44
45
46
47
Trade Secrets and Cybersecurity: Protecting
Intellectual Property, Mitigating Loss and Navigating
Legal Responses
Margaret (Peggy) Daley
Berkeley Research Group
Working with Data Security
Consultants
Outside consultants are called upon in three
distinct circumstances:
Proactive: Assisting corporate IT
develop, implement and maintain data
security plans
Reactive: Incident Response – internal
trade secret theft detected; notification
of outside intrusion
Testimonial: Expert witnesses at trial
49
Proactive Enterprise Security
Services
• Design
– Enterprise security design
– Security architecture
– Security product evaluation
and selection
• Implement
– Perimeter defense
– Network defense
– Host defense
– Software defense
• Assess
– Vulnerability assessments
(Data and applications)
– Continuous monitoring
– Penetration testing
• Remediate
– Security control design
– Security remediation
assistance
– Security awareness
training
• Assure
– Compliance
– Audit
50
Reactive Data Security Services
• Incident Response
– Identify source and scope of threat
– Shut the threat down
– Document the threat investigation and all findings and actions
taken
– Identify weaknesses in system or policies which contributed to the
threat’s success
– Draft recommendations for security plan improvements
– Consultant should have existing relationships with law
enforcement
– Should have proper certifications to deal with sensitive data such
as HIPAA, credit card data or government clearance where
necessary
51
Expert Witnesses
• Should be heavily credentialed
and experienced as they must
withstand Daubert and other
challenges to their expertise.
• They can be the same team that
does the Incident Response but
not always. – In some cases you will want a wall
between the incident response work
and the expert witness.
• Is the expert “hands on” or
someone that has teams that
writes reports?
• Get budgets and document
additional work requests.
52
Examples of Certifications
53
Retaining a Data Security Expert
• Master Services Agreements by corporations for proactive and reactive work
are the best bet economically. It is difficult to retain expert witnesses in
advance as it could be seen as impacting their independence. Reactive
investigators often become fact witnesses.
• Outside counsel typically chose expert testifying witnesses.
• Pricing goes up in a crisis. Negotiate investigative rates BEFORE you need it
and put it out for competitive bidding.
• Require in writing that all persons working on the engagement are properly
licensed. Some states require PI licensing for computer forensic work.
• Require that any subcontracting be disclosed in writing and in advance.
• Require that the company have appropriate insurance.
• Make sure they are qualified for the work at hand. Computer forensic experts
are not necessarily network security experts and vice versa.
• Give your retained team some small items to work on so they get to know IT
staff and systems before any significant crisis occurs.
54
Using Internal IT Resources
• Deploying Internal IT resources can be an economical
and valuable use of resources during
investigations. Their knowledge of company IT
systems is critical. Consultants can often “piggy
back” on their work in order to reduce overall costs.
• Issues arise when:
– IT resources without appropriate qualifications or experience are used for
forensic work;
– Participation in investigation makes them fact witnesses vulnerable to
deposition;
– The work requires independence due to outside regulatory interest or
litigation;
– IT is defensive of their work when systems are compromised; or
– IT is territorial and obstructs the work of investigators.
• Investigations work better when IT and outside consultants have worked together
before and develop trust.
55
Maintaining Privileges
• Keep counsel in the
communication loop.
• Have a lawyer retain the
consultant and sign the
engagement letter.
• Keep emails to a
minimum – pick up the
phone!
• Assume that all communications will be disclosed and
act accordingly.
• Ask about how the consultant trains staff about privilege.
56
Cybersecurity 2.0:
Proving It’s Not Our Fault
57
Who Poses the Greater Cyber-
Liability Threat?
58
Good cybersecurity includes protection
against wrongful accusations, and not
just wrongful intrusions.
59
Matthew F. Prewitt
Cybersecurity as Litigation Avoidance
• Did your organization fail to prevent a
foreseeable cyber theft?
• Is your organization a cyber thief?
60
DuPont v. Christopher, 5th Cir. 1970
Perhaps ordinary fences and roofs must be built
to shut out incursive eyes, but we need not
require the discoverer of a trade secret to guard
against the unanticipated, the undetectable, or
the unpreventable methods of espionage now
available.
61
Anticipating Claims of Inadequate Trade Secret
Protection
• Shareholder rights
• Joint ventures and joint development agreements
• Customers and vendors
62
What is reasonable cybersecurity?
Vague contract standards –
“At least the same”
Or a judicially-created standard
Reasonable business judgment
63
Vague Standards Require Proactive
Planning and Documentation
64
Choosing and Applying Your Own
Cybersecurity Benchmarks
• Evaluate
• Communicate
• Document
• Comply
65
A Pathogen Model of Trade Secret Exposure:
When One Vice President Sneezes, the Entire
Company Catches Cold
66
The Four D’s of Corporate Due Diligence Data
Risk Management
• Data rooms
• Deal teams
• Defining restricted data
• Documenting receipt, use, and
disposition
67
Mitigating Litigation Risk in Employee
Recruitment
• Train hiring managers
• Counsel candidates
• Utilize privilege
• Manage litigation hold triggers
68
Mitigating Litigation Risk in Employee
Onboarding
• Employment agreement
• Employee counseling
• Manager counseling
69
Mitigating Litigation Risk in Employee
Departures
• Employment agreement
• Exit interviews
• Preservation and investigation protocol
70
Working as a Team
• Team members should be in-house
counsel, in-house IT representative,
outside counsel and outside consultant
• Keep all team members advised of facts as
they develop
– Hold regular status calls
• No one should be treated as an “order
taker”
– Get input and lean on everyone’s experience
and knowledge 71
Defining the Investigative Scope
The Goldilocks Principle
• Assess the situation
• Design the investigative tasks to cover a
situation larger/more complex than
currently identified, but not too much larger
• Iterative process: as facts become known
ratchet the investigation down or up as
appropriate
• All decisions will be second guessed so
document all decision making on scope
• Must take a reasonable approach
72
Common Mistakes by Companies
Conducting Investigations
• Failing to adequately
forensically preserve electronic
evidence
• Leaping to conclusions based
upon preliminary investigative
results
• Rushing into court without
conducting a thorough
investigation
• Relying upon witness
statements alone and not
confirming through forensic
review.
• Inadequate documentation
• Improper scope
– Too expansive is expensive
– Too narrow and the scope of loss and players remain unknown
• Failing to remediate inadequate internal controls or IT security failings
• Delay
73
Now What?
Three avenues: 1. Eat the loss
2. Criminal referral
3. Civil litigation TRO/Preliminary Injunction
Considerations • Damage done – material or
necessary to disclose?
• Potential loss of business relationships
• Potential for embarrassment
• Sending a message
• Legal obligations – disclosure of data breach, disclosure to shareholders?
• Nature of offender
– Insider
– Competitor
– Hacker
• Potential for repeated attacks
• Strength of case
• Lack of defenses
74
Civil Litigation: Good News
• Immediate action
• TRO
• Injunction
• Recovery of property
• Control retained
• Recovery of property through injunction
• Attorney-Client privilege covers inquiry
• Sophisticated investigative services available
• Court orders can shut down competitors and ex-employees
• Expensive for defendants to defend against
75
Civil Litigation: Bad News
• Litigating is expensive
– Attorneys fees
– Consultant fees
– Expert Witnesses
– Loss of employee time
• Results are uncertain
• Litigating a case can take years to resolve
76
Criminal Referral: Good News
• Law enforcement
investigates and
prosecutes free of charge
• Law enforcement cybersecurity
experts have deep knowledge of
current threat landscape
• Risk of jail, immunity and subpoena powers are powerful
tools not available to civil litigant
• Fines and jail time not available to civil litigations
• “Carrot” of immunity and “stick” of jail time can incent bad
actors to “flip” and cooperate
77
Criminal Referral: Bad News
• Loss of control
• SEC or other disclosures may
be required
• Proceedings are public and
more likely to result in adverse publicity
• Exposes corporation inner workings to law
enforcement
• If it’s not a “heater” case it can languish until
statute of limitations get close
78