Privacy and Cybersecurity

On January 25, 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. ruled unanimously that plaintiffs do not need to allege “some actual injury or adverse effect” in order to challenge alleged violations of Illinois’ Biometric Information Privacy Act (BIPA). In so doing, the Supreme Court expressly held that the loss of an individual’s right to control her “biometric privacy” is a “real and significant” injury on its own – whether or not that loss has any real-world effect.

What might the decision’s far-reaching implications be for companies that collect and retain biometric data from their consumers or employees?

Click here to read the full version of this alert, authored by Crowell & Moring Partner Jeff Poston, Counsel Josh Foust, and Associate Brandon Ge.

The Freedom of Information Act (FOIA) Exemption 4 provides that “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential” can be withheld when responding to a FOIA request. But what does this exemption mean? Many district courts and circuit courts have ruled on this issue but the rulings have been inconsistent regarding the standard to justify withholding information.

On January 11, 2019, the Supreme Court granted certiorari in the case of Food Marketing Institute v. Argus Leader Media, 889 F.3d 914 (8th Cir. 2018), cert. granted, 2019 WL 166877 (Jan. 11, 2019). The question raised is whether FOIA Exemption 4 applies to individual Supplemental Nutrition Assistance Program (SNAP) retailer redemption data. Argus Leader Media, a South Dakota newspaper, had submitted a FOIA request to the USDA for annual SNAP redemption totals for stores that participate in the SNAP program. The USDA issues SNAP participants a card (like a debit card) to use to buy food from participating retailers. When a participant buys food using the card, the USDA receives a record of that transaction, which is called a SNAP redemption. The USDA refused to produce the SNAP data, citing several FOIA exemptions, including the exemption for trade secrets and commercial information.

For the first time, the Supreme Court will address when the federal government may withhold information from a FOIA request based on the contention that responsive information is confidential or a trade secret. This decision will be critical for companies who submit sensitive information to the government.

Stay tuned.

Following the high-profile trade secrets litigation and settlement between Waymo and Uber in February 2018, covered previously in this blog, a defamation claim was filed by four Uber employees against Uber’s former global intelligence manager, Richard Jacobs. The case alleges that Jacobs defamed the four plaintiffs by accusing them — initially in an intra-office email, which was later broadcast to the world as part of the now-settled Waymo v. Uber case — of wiretapping, trade secret theft, and hacking.

The plaintiffs filed a motion earlier this month asking the federal judge hearing the matter to relate the defamation suit to the initial trade secret case, arguing that Jacobs’ statements received substantial attention in that matter. Jacobs responded by filing an opposition to this motion last week, arguing that there was no reason for the plaintiffs to have waited several months to file the motion, that the cases involve different facts, and that relating the cases would unnecessarily complicate matters. Whether the court agrees remains to be seen.

On November 2, 2017, Foltz Welding LTD filed a motion for preliminary injunction against its former employee and operations manager in the United States District Court for the Southern District of Illinois. The company filed a nine-count complaint against its former employee and requested injunctive relief and damages. Foltz Welding claimed that the former employee may have trade secrets on his personal computers or iCloud storage that could be given to his new employer.

On February 12, 2018, the Court granted Foltz’s motion for preliminary injunction, ordering the former employee to allow an inspection by a computer expert that Foltz chooses. Specifically, the Court noted that the expert would be allowed to go through the former employee’s personal home computer, his daughter’s laptop, his iCloud storage, any other electronic device and any other data storage, and would be permitted to remove any emails or files.

The Court noted that the files being searched for could include “Foltz’s trade secrets or other proprietary data consisting of bidding strategies, bid files, project estimation files, project pricing files, project cost information, project construction specifications and as-built construction information, pricing strategies, labor or equipment rate sheets, customer lists, profit margins and financial relationships with its suppliers and customers, sales strategies and competitive bidding strategies.”

Fera Pharmaceuticals LLC, Akorn Inc., and Perrigo Co. PLC have settled a $100 million trade secrets case three weeks before trial was set to begin in the U.S. District Court for the Southern District of New York.  The case primarily involved trade secrets related to the production of erythromycin.  In its lawsuit filed in 2012, the plaintiff, Fera, alleged that defendant Akorn misappropriated trade secrets received from Fera under the guise of needing that information to fulfill a contract between the parties, in which Akorn was a supplier and manufacturer for Fera.  The complaint further alleged that Akorn used the trade secrets to begin its own production of erythromycin and that Akorn began selling the medicine in direct competition to Fera.  In its complaint, Fera sought compensatory damages in excess of $100 million, as well as punitive damages.

In 2015, Akorn filed counterclaims against Fera as well as Perrigo, alleging that those two entities had engaged in a conspiracy to keep Akorn out of the market for a separate Bacitracin ophthalmic ointment.  Had the parties not settled the matter, trial on all claims would have begun on February 20, 2018.

According to a letter submitted to the district court by legal counsel for Perrigo, the parties “reached an agreement in principle for a global resolution of all claims,” though the terms of the settlement were not disclosed.

On January 18, 2018, a former software developer for IBM Corp. was sentenced to five years in prison after he had pleaded guilty to theft of a trade secret and economic espionage. As part of his work for IBM, Xu Jiaqiang had access to proprietary source code which facilitates faster computer performance by coordinating work among multiple servers. Despite the precautions IBM had in place to protect the secrecy of the code, including a firewall and express authorization required for any employee to obtain access, Xu stole and used portions of the code as part of an attempt to sell the code to undercover FBI agents.

Xu pleaded guilty to the charges on May 19, 2017. The Department of Justice’s press release from that same day provides further details regarding the circumstances of the FBI’s investigation and the allegations against Xu. That press release is publicly available.

The Criminal Court of Mechelen (Belgium) ruled in favor of Bofin Biscuits against a former production assistant accused of having stolen the laptop of the cookie baker’s assistant director. The laptop allegedly contained the secret recipes of all the cookies produced by Bofin Biscuits. This case is interesting because of the nature of the secrets and also when compared to that of the “fig spread” case discussed here two weeks ago. It also confirms that trade secret misappropriation cases do not necessarily involve only complex matters of state-of-the-art technology owned by large multinationals.

The facts of the case are rather straightforward. On November 12, 2013, the assistant director of Bofin Biscuits noticed that his laptop had gone missing during his absence from November 6 to November 11. Images from the surveillance video system of Bofin Biscuits showed that the actual taking of the laptop had not been filmed. The camera hanging outside the assistant director’s office did show a production assistant walking down the hallway where the office was located, entering it and leaving with something clearly hidden under his coat. During the trial the production assistant did not contradict that he was the person that had been filmed, but he denied that he had taken the laptop. When asked what he then was hiding under his coat, he claimed not to recall anything.

For the public prosecutor this was a clear-cut case, and he asked the court to sentence the former production assistant to an effective six-month prison sentence and a 4.800 EUR fine. Bofin Biscuits, which had joined the proceedings by suing its now ex-employee for civil injury, requested 1.500 EUR for the still missing laptop, 2.500 EUR for the time spent on recovering the information stored on the laptop, 500 EUR in moral damages and a provisional damages amount of 25.000 EUR for the theft of the secret cookie recipes.

Continue Reading Employee Who Stole the Cookie Recipe From the Cookie Jar Fined €1 (Yes, that’s one single Euro)

Last week, government contractor Advanced Fluid Systems Inc. wrapped up its summary judgment briefing in a case loaded with trade secrets trends.  In June, Advanced sought summary judgment in the Middle District of Pennsylvania on its claims for misappropriation of trade secrets, and aiding and abetting breach of fiduciary duty.  Advanced had sued a former employee, the company that the employee then founded, and another rival firm – arguing that the defendants had teamed up to steal and exploit Advanced’s proprietary designs for hydraulic systems.  According to Advanced, the result was a $2 million subcontract for work at a NASA launch site, which went to the employee’s new company instead of Advanced.

At the heart of Advanced’s allegations is the charge that, while still working at Advanced, the former employee downloaded “virtually all files” from Advanced’s servers, including sensitive drawings regarding its hydraulic technology.  Advanced argued that, just days later, the employee’s start-up company began attaching its name to some of those drawings and ultimately submitted them as part of their bid on the subcontract.

Whatever the court’s determination on the briefs, the underlying fact pattern is an all too common one.  The case highlights the need to remain ever-vigilant with respect to those employees who have access to a company’s crown jewels, as well as the potential benefits of data loss prevention (or “DLP”) technology.

On Friday, September 9, the U.S. Chamber of Commerce urged the Obama Administration to take more action against the theft of trade secrets and other intellectual property.  The Chamber did so in response to a Request for Information issued by the National Institute of Standards and Technology (NIST), seeking industry input regarding various cybersecurity issues, including the economic consequences of hacking.

The Chamber explained that “IP-related industries generate 35 percent of America’s economic output and are responsible for two-thirds of all exports and more than 40 million jobs” and that the “threat of trade secrets theft is of increasing concern to U.S. economic well-being and job creation.”  Noting that it had previously called on Congress to pass federal civil legislation, it praised the passage of the Defend Trade Secrets Act as a step in the right direction.

Underlying the Chamber’s emphasis on trade secrets protection was its broader goal of establishing norms and deterrence to “heighten the costs on sophisticated attackers that would willfully hack America’s private sector for illicit purposes.”  This was one of only three “top” cybersecurity issues that the Chamber chose to address, along with standards and information sharing, and that it urged the executive branch to prioritize.

These and other comments submitted will help inform the new Commission on Enhancing National Cybersecurity, which President Obama recently convened.  The Commission will then craft recommendations to the President for improving cybersecurity – and possibly trade secrets protection – across the public and private sectors.

On July 5, 2016, the Ninth Circuit affirmed the conviction of David Nosal, an ex-employee of Korn/Ferry, an executive search firm, who left to start a competing firm. With Nosal’s knowledge and encouragement, two other former employees of Korn/Ferry used a current employee’s credentials to gain access to the Korn/Ferry database and take confidential information. U.S. v. Nosal, No. 14-10037, 2016 WL 3608752 at 6 (9th Cir. July 5, 2016).

The prosecutors charged Nosal with violating section 1030(a)(4) of the Computer Fraud and Abuse Act (“CFAA”), which criminalizes “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value.” Having failed to state an offense that Nosal “exceeded authorized access” by violating the company’s internal use restrictions (decided in Nosal I), the government filed a superseding indictment alleging that, after his login credentials were revoked, Nosal violated the “without authorization” prong of the CFAA through his co-conspirators’ use of his former executive assistant’s login information to access Korn/Ferry’s database.

The jury convicted Nosal on all counts. On appeal, the Ninth Circuit analyzed the meaning of the words “without authorization.” The Court held that the phrase was unambiguous and its plain meaning encompassed the situation in this case where the employer rescinded permission to access a computer and the defendant accessed the computer anyway.

Continue Reading United States v. Nosal: Keep Your Friends Close, but Your Passwords Even Closer