Theft of Critical Information by Insiders

Theft of trade secrets and other business critical information by employees and other insiders is increasing at alarming rates and costing businesses billions of dollars annually. In one recent case, DuPont was awarded nearly $1 billion in damages after a former DuPont employee was found to have shared confidential information with a competitor. The theft was obviously a problem for DuPont, but the damages award quickly became a serious problem for the competitor as well. And, the former DuPont employee ended up in federal prison.

Protecting business critical information is not simple. It involves identifying which information is critical, designating that information confidential, establishing practices, procedures, and policies to maintain confidentiality, and then being prepared to address immediately any breaches that occur.

Each step implicates several areas of the law, including data security, privacy, intellectual property, white collar crime, employment, employee benefits, executive compensation, corporate and securities law, insurance coverage and crisis management.

Protecting business critical information requires understanding the benefits the law offers and the legal limits on protective measures, often across multiple jurisdictions. Advance planning is critical. Coordinating efforts to protect critical information therefore requires a comprehensive plan, and the responsibility could in most cases appropriately be placed on a company’s legal department.

A comprehensive plan to protect business critical information includes three related components: (1) preventing theft, (2) planning how to respond should a theft occur and (3) reducing risk of being accused of theft by others (e.g., through an insider who brings to your company business critical information from a competitor or former employer).

PREVENTING BREACHES

First, establish practices to keep business critical information confidential. In general, information is protected only if it is treated as confidential. For example, under the model Uniform Trade Secrets Act, widely adopted in the United States, information qualifies as a trade secret if, among other requirements, “reasonable efforts” are taken to keep the information secret.

Whether efforts are reasonable will depend on the type of information and its relative importance to the company. Practices to treat information as confidential include:

• Limiting access. A company must not only determine which personnel may access information, but it must specify how information may be used and stored. A company needs to consider the extent to which employees and other insiders may use personal devices to access and store information. Employees may store confidential information on personal devices, which can be more easily lost or become accessible to individuals outside the company. Moreover, a court in New York recently ruled that a company did not have the right to access a former employee’s personal iPhone during discovery in employment litigation, even though the employee stored the company’s customer information on the iPhone.

• Monitoring compliance. Protecting confidential information might include regular policing of intranet and document management systems and checking outgoing emails for keywords or word combinations related to trade secrets. It is important, however, to structure these efforts to comply with local privacy laws.

• Establishing and communicating confidentiality policies. Policies should reflect the importance of confidential information and the breadth of information meriting protection. Some laws, such as insider trading prohibitions, are well established in company policies, but companies need to confront new ways confidential information may be created, used and disseminated.

For example, business critical information may be carelessly shared in the course of employees’ daily posts on social media. Drafting confidentiality policies requires understanding the extent to which companies may limit the use of social media, at work or outside of work. Establishing robust confidentiality procedures for employees might not be sufficient unless the company also requires vendors and other third parties to treat business critical information as confidential. For example, vendor contracts could require third parties to store information on a separate server and not mingle it with information of other clients, who may well be competitors.

• Incentivizing compliance. Adding insult to injury, a company could be required to pay bonuses and incentive awards to a former employee even if that employee discloses the company’s business critical information. To avoid this result, and encourage compliance, employment agreements and incentive awards can be conditioned on compliance with confidentiality and restrictive covenants, such as covenants not to compete or solicit employees or customers.

However, in some cases, broad covenants not to compete or solicit could be invalidated under applicable law. Constructing effective restrictions involves careful analysis of local law. In addition, employment agreements can give a company the ability to protect more information than local laws by defining “confidential information” more broadly than the law defines trade secrets. Employment agreements are therefore an important source of protection.

Don’t overlook the issue of insurance. Coverage may be implicated under a variety of policies, including first-party property, third-party liability, cyber-risk, employee dishonesty, crime, and director’s and officer’s coverage. The time to consider whether and how to insure against losses from information theft is before an incident occurs.

RESPONDING TO INCIDENTS

While taking as many precautions as possible, companies should prepare for the worst. There is a need to act quickly in the event of a possible theft, so companies should develop a comprehensive incident response plan. It could include the following steps.

• Decide whether to investigate. Whether a theft occurred may not be clear initially, and companies must determine whether to investigate with that question unresolved. Investigation can be costly and bring unwanted attention to the loss or vulnerability.

Investigations can range from forensic computer searches to interviews with employees. A company might need to investigate to determine whether internal controls (which are sometimes imposed by law) are functioning. Many jurisdictions, including the U.K., may require investigation to ensure that subsequent employment action is procedurally fair and legally compliant. Thus, a plan  of action should address how to decide whether to investigate.

• Decide on employment action. If a company suspects theft by a current employee, it might consider whether to immediately terminate employment  or wait and investigate. Employment agreements and – particularly outside the United States – employment laws may limit the actions a company may take. Furthermore, a hasty termination may result in losing the ability to collect evidence and verify suspicions. On the other hand, immediate action may be required to prevent further loss. A plan of action should include a process to make immediate employment decisions and assess whether to bring in outside counsel and forensic experts to gather evidence quickly.

• Decide on disclosure. An incident response plan should include an approach to determine whether disclosure of a theft (or possible theft) is necessary or desirable, and to whom it would be disclosed. Several areas of the law may be implicated, including privacy, securities, and data breach laws. If customer data has been taken, the company might have a legal obligation to notify customers or regulatory agencies (e.g., the U.K. Information Commissioner’s Office).

Furthermore, the theft might violate criminal laws. For example, in the United States, the Economic Espionage Act of 1996 makes it a federal crime to attempt to take, or conspire to take, a trade secret. A company might therefore wish to involve federal investigators. For public companies, securities laws also might require disclosure.

• Notify insurers. When there is a loss, companies should notify potentially-implicated insurers immediately and consider retaining coverage counsel and other professionals to assist with navigating the claims process and ensuring that insurers honor policy obligations.

• Assess litigation. Although a costly remedy, companies may determine that civil prosecution is necessary to obtain an injunction or recover damages. Quick action may be required. Trade secret theft may result in civil and criminal proceedings, which will run on separate tracks with separate agendas. A plan of action would include identifying the process for assessing litigation options, including pursuing rights under employment agreements and trade secret laws.

• Avoid receipt of improperly taken information. A company may be liable if it receives confidential information taken by an individual from another company. A comprehensive plan would include procedures to address this possibility.

In 2006, Pepsi received a faxed letter from an individual claiming to be a top-level employee at Coca-Cola offering confidential information to the highest bidder. Pepsi responded by sending this letter to Coca-Cola, who then involved the FBI. The two individuals behind the scheme now face prison sentences. While Pepsi acted wisely to avoid liability, many incidents of receipt of trade secret theft may be subtler than a letter with an explicit offer. Companies should clearly state in employee policies and handbooks that receipt and use of another company’s trade secrets is prohibited.

Upon hire, new employees could be asked to acknowledge that they have not and will not bring in any trade secrets from another company. Employees do not always understand what information is confidential, and further probing may be necessary to determine whether the individual has anything at home or in electronic form that might belong to a former employer.

Finally, if information of a former employer is uploaded onto the new employer’s systems or otherwise shared, careful attention needs to be given to how to remedy the problem, whether and how to inform the prior employer, and how to return the information.

[colored_box color=”yellow”]Kurt Calia is a partner at Covington & Burling LLP, practicing in the areas of complex civil litigation, patent litigation, intellectual property, life sciences, and patent prosecution.  He is a former co-chair of the firm’s Patent Group, and he currently serves as the vice chair for the Trade Secrets Committee of the Intellectual Property Owner’s Association (IPO).

David Fagan is a partner at Covington & Burling LLP. His practice covers national security law, international trade and investment, cybersecurity, and global privacy and data security.  He has represented clients before government agencies and Congress in connection with regulatory approvals of international investments, national security-related criminal investigations, high-profile congressional investigations, cybersecurity matters, and federal and state regulatory and enforcement actions involving data security.

Richard Shea is a senior partner in Covington & Burling’s employee benefits and executive compensation practice. He is an authority on cash balance, pension equity, and other complex benefit plan designs. Before joining Covington in 1991, he served as Associate Benefits Tax Counsel at the Treasury.[/colored_box]