<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Computer Fraud / Data Protection &#187; Computer Crime</title>
	<atom:link href="http://computerfraud.us/category/computer-crime/feed" rel="self" type="application/rss+xml" />
	<link>http://computerfraud.us</link>
	<description>by Nick Akerman</description>
	<lastBuildDate>Mon, 06 Feb 2012 02:51:38 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Economic Espionage Act</title>
		<link>http://computerfraud.us/computer-crime/economic-espionage-act</link>
		<comments>http://computerfraud.us/computer-crime/economic-espionage-act#comments</comments>
		<pubDate>Wed, 02 Dec 2009 22:01:44 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Computer Crime]]></category>

		<guid isPermaLink="false">http://computerfraud.contact2client.com/?p=208</guid>
		<description><![CDATA[FOR CORPORATE America, the Economic Espionage Act is a double-edged sword.  It can be used to protect a company&#8217;s intellectual property by prosecuting dishonest competitors who steal a company&#8217;s trade secrets, but it can also be used against a company that finds itself with trade secrets belonging to a competitor. Congress enacted the Economic Espionage Act in 1996, making it a federal crime to steal trade secrets. 18 U.S.C. 1831 et seq.  The definition of trade secrets in the statute mirrors the broad definition in state trade secret laws to include &#8220;all forms and types of financial, business, scientific, technical, &#8230; <a href="http://computerfraud.us/computer-crime/economic-espionage-act">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>FOR CORPORATE America, the Economic Espionage Act is a double-edged sword.  It can be used to protect a company&#8217;s intellectual property by prosecuting dishonest competitors who steal a company&#8217;s trade secrets, but it can also be used against a company that finds itself with trade secrets belonging to a competitor.</p>
<p>Congress enacted the Economic Espionage Act in 1996, making it a federal crime to steal trade secrets. 18 U.S.C. 1831 et seq.  The definition of trade secrets in the statute mirrors the broad definition in state trade secret laws to include &#8220;all forms and types of financial, business, scientific, technical, economic, or engineering information&#8221; that &#8220;derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means, by the public.&#8221;  18 U.S.C. 1839(3).  The maximum penalty for violating the statute is 15 years in prison, a $500,000 fine and a maximum corporate fine of $10 million.</p>
<p><em>United States v. Lange</em>, 312 F.3d 263 (7th Cir. 2002), is a classic example of using the statute to protect a victim company.  There, Replacement Aircraft Parts Co. (RAPCO), a manufacturer of aircraft parts, learned that Matthew R. Lange, a disgruntled former employee, had been offering to sell its secret manufacturing processes to third parties.  RAPCO reported Lange to the FBI, and the FBI arrested him in a &#8220;sting operation&#8221; in which Lange negotiated with an undercover FBI agent for a data copy of RAPCO&#8217;s manufacturing processes.  Lange was convicted and sentenced to 30 months in prison.</p>
<p><strong>The risks posed by hiring competitors&#8217; employees</strong></p>
<p>A company, however, can expose itself to potential criminal liability under the Economic Espionage Act when it hires an employee from a competitor for the purpose of gaining access to its competitor&#8217;s trade secrets.  A criminal complaint filed in June charged two former managers of Boeing Co., Kenneth Branch and William Erskine, with stealing more than 25,000 pages of trade secret-protected pricing information belonging to its chief competitor, Lockheed Martin Corp. Erskine, a Boeing engineer in 1996, had recruited Branch, a Lockheed Martin engineer, to leave Lockheed Martin to work for Boeing. Branch was allegedly lured to Boeing with the offer of a higher salary in return for his inside information on Lockheed Martin&#8217;s pricing.</p>
<p>Armed with this pricing information, Boeing was able to outbid Lockheed Martin on 19 of 28 Air Force contracts relating to rocket launching vehicles worth approximately $2 billion.  Another Boeing employee reported this conduct to Boeing management, which immediately conducted an internal investigation and discharged both Branch and Erskine.  While Boeing itself has not been criminally prosecuted, the Air Force has canceled approximately $1 billion in rocket contracts with Boeing and has suspended it from performing future rocket contracts.</p>
<p>The RAPCO and Boeing cases highlight three issues for companies to consider in relation to the Economic Espionage Act.  Under what circumstances should a company report the theft of intellectual property to the FBI?  What steps can a company take to make it more likely that a theft will be investigated and prosecuted by the Department of Justice (DOJ)?  What steps can it take to avoid criminal liability when new hires bring their former employers&#8217; trade secrets into the workplace?</p>
<p>When a company finds itself the victim of a trade secrets theft, it has three active options.  First, it can handle the matter itself through a civil lawsuit seeking an injunction under the applicable state trade secret law to have a court enjoin the thief from using or disclosing the trade secrets and ordering the immediate return of the stolen information to the company.  Second, it can report the matter to the FBI for criminal prosecution under the Economic Espionage Act. Or, third, it can do both.  Which option a company should choose depends on the circumstances of the theft and an understanding of the advantages and limitations of each option.</p>
<p>The first option has the obvious advantage of quick action at a time and place to be chosen by the company.  This option also allows the company to maintain total control over the matter.  Conversely, the second option has the disadvantage of ceding total control to the government in the hope that the FBI will investigate the matter immediately and present it to the local U.S. attorney&#8217;s office, which will then decide to prosecute.  There is no guarantee that the overworked local FBI and U.S. attorney&#8217;s offices will have the time or inclination to prosecute the matter over other pressing matters.  For that reason, the third option of bringing a civil case while simultaneously pressing for criminal prosecution may often result in the U.S. attorney declining prosecution on the theory that the victim has an adequate civil remedy.</p>
<p>The circumstances, however, change dramatically when the thieves are outsiders and the company cannot readily identify them.  For example, in <em>United States v. Hsu</em>, 40 F. Supp. 2d 623 (E.D. Pa. 1999), an organized ring was prosecuted for attempting to steal a company&#8217;s research and development information by secretly bribing a company employee. Private employers are generally not well equipped to prosecute such third-party thieves.  They do not have the ability short of a civil suit to subpoena witnesses and records.  Likewise, they never have the investigative option to wiretap telephones or grant individuals immunity.</p>
<p>Despite the egregiousness of a particular theft, the DOJ will not be interested in prosecuting a case on behalf of a private company unless it can meet the requirement of the Economic Espionage Act that &#8220;the owner&#8230;[of the trade secrets] has taken reasonable measures to keep such information secret.&#8221;  18 U.S.C. 1839(3)(A).  DOJ guidelines make this factor a key consideration in whether to prosecute a case: &#8220;[P]rosecutors should determine the extent of the security used to protect the trade secret, including physical security and computer security, as well as the company&#8217;s policies on sharing information with third-parties, including sub-contractors and licensed vendors.&#8221;  See www.usdoj.gov/criminal/cybercrime/ipmanual/08ipma.htm#VIII.B.2.</p>
<p>The court&#8217;s finding in <em>United States v. Lange</em>, 312 F.3d at 266, that &#8220;RAPCO took &#8216;reasonable measures to keep such information secret&#8217; &#8221; is instructive to understanding this legal standard.  The factors relied upon by the court were:</p>
<p>* The trade secrets in question were physically secured.  &#8220;RAPCO stores all of its drawings and manufacturing data in its [computer-assisted drawing] room, which is protected by a special lock, an alarm system, and a motion detector.&#8221;  <em>Id.</em></p>
<p>* Documentation describing the secrets was limited.  &#8220;The number of copies of sensitive information is kept to a minimum; surplus copies are shredded.&#8221;  <em>Id.</em></p>
<p>* The number of employees with access to the secrets was limited.  &#8220;Some information in the plans is coded, and few people know the key to these codes.&#8221;  <em>Id.</em></p>
<p>* Employees were notified they were working with confidential information and warnings were placed on trade secret information.  &#8220;Drawings and other manufacturing information contain warnings of RAPCO&#8217;s intellectual-property rights; every employee receives a notice that the information with which he works is confidential.&#8221;  <em>Id.</em></p>
<p>* Vendors were provided with only partial information of the trade secrets.  &#8220;[B]y dividing the work among vendors, RAPCO ensures that none can replicate the product.&#8221;  <em>Id.</em></p>
<p>This listing is of course not exhaustive, and other measures such as confidentiality agreements, employee training programs and dissemination of the confidential information on a &#8220;need to know&#8221; basis are traditionally relied upon by the courts in finding reasonable measures in the civil trade secret context and apply with equal force to the Economic Espionage Act.  These measures must be taken before a theft occurs, however; otherwise a major theft becomes a losing prosecution in the eyes of the DOJ.</p>
<p><strong>Policies to prevent the use of competitors&#8217; trade secrets</strong></p>
<p>While it is important to be proactive to take advantage of the statute, it is equally important to establish company policies and procedures to prevent an employee from infecting the workplace with his former employer&#8217;s trade secrets.  The company should impress upon all new employees who are hired from a competitor that they are being hired for their general background, education and expertise and not because they are knowledgeable about confidential information belonging to their former employers. Such a company policy should be memorialized in offer letters, recruiting brochures and new employee training programs as well as the company&#8217;s code of ethics.</p>
<p>Special care should be taken to ensure that new employees who come from a competitor will not be placed in a position or given an assignment that could be interpreted as an effort to steal the competitor&#8217;s confidential information.  New employees should be specifically instructed that they are not to use or disclose any confidential information from their former employer.  They should also ask the company&#8217;s legal counsel or human resources professional &#8211; not the businesspeople who could benefit from receiving the information &#8211; whether particular information would be considered confidential information belonging to their former employer.</p>
<p>As part of the company&#8217;s compliance and training programs, all officers and employees should be sensitized to the problems that can arise from hiring someone from a competitor and the care that must be taken to find the appropriate position for such an employee to prevent the employee from using his former employer&#8217;s confidential information.</p>
<p>Finally, employees must be encouraged to report potential violations so they can be investigated and resolved promptly.  There can be little doubt that a major factor in Boeing not being charged was its immediate investigation and subsequent remedial action. Again, advance planning is critical to sound defensive policies to avoid liability under the Economic Espionage Act.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/computer-crime/economic-espionage-act/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>CFAA Criminal Prosecutions</title>
		<link>http://computerfraud.us/computer-crime/cfaa-criminal-prosecutions</link>
		<comments>http://computerfraud.us/computer-crime/cfaa-criminal-prosecutions#comments</comments>
		<pubDate>Sat, 03 Oct 2009 03:33:57 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Computer Crime]]></category>

		<guid isPermaLink="false">http://computerfraud.contact2client.com/?p=236</guid>
		<description><![CDATA[Early in 2007, three separate circuit courts &#8211; the 5th U.S. Circuit Court of Appeals in U.S. v. Phillips, 477 F.3d 215 (5th Cir. 2007); the 8th Circuit in U.S. v. Trotter, 478 F.3d 918 (8th Cir. 2007); and the 10th Circuit in U.S. v. Willis, 476 F.3d 1121 (10th Cir. 2007) &#8211; affirmed criminal convictions for violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030.  While the CFAA is primarily a criminal statute, it provides for a private right of action for injunctive relief and compensatory damages for anyone &#8220;who suffers damage or loss by reason of a violation of&#8221; &#8230; <a href="http://computerfraud.us/computer-crime/cfaa-criminal-prosecutions">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<div id="_mcePaste">Early in 2007, three separate circuit courts &#8211; the 5th U.S. Circuit Court of Appeals in <em>U.S. v. Phillips,</em> 477 F.3d 215 (5th Cir. 2007); the 8th Circuit in <em>U.S. v. Trotter</em>, 478 F.3d 918 (8th Cir. 2007); and the 10th Circuit in <em>U.S. v. Willis</em>, 476 F.3d 1121 (10th Cir. 2007) &#8211; affirmed criminal convictions for violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030.  While the CFAA is primarily a criminal statute, it provides for a private right of action for injunctive relief and compensatory damages for anyone &#8220;who suffers damage or loss by reason of a violation of&#8221; the statute.  18 U.S.C. 1030(g).</div>
<div id="_mcePaste">In rejecting the defendants&#8217; challenges to their criminal convictions, these opinions provide an expansive view of the CFAA that enhances the ability of companies to use the statute&#8217;s civil remedy to combat computer crime.  Such a proactive, self-help approach of prosecuting a civil action is more likely in many instances to produce quicker and more certain relief than a criminal prosecution brought by the U.S. Department of Justice.  This article will review these three circuit decisions and their impact on a company&#8217;s ability to use the CFAA to retrieve stolen data, enjoin illegal access to company data and obtain compensatory damages for the theft and destruction of company data.</div>
<div id="_mcePaste"><strong>8th Circuit rejected narrow interpretation in &#8216;Trotter&#8217;</strong></div>
<div id="_mcePaste">In <em>Trotter</em>, the defendant, John Trotter, was a disgruntled former Salvation Army employee who had been discharged from his position as an information technology supervisor.  Shortly after his discharge, the defendant accessed the Salvation Army&#8217;s computer network and deleted files, &#8220;shut down&#8221; the &#8220;computer-operated phone system&#8221; and &#8220;inserted several files with obscenities directed towards the Salvation Army.&#8221;  478 F.3d at 919.  Trotter was convicted of violating &#167; 1030(5)(A)(i) of the CFAA for causing damage to the Salvation Army computer network.  Trotter, arguing for a narrow interpretation of the CFAA, claimed that &#8220;the Salvation Army&#8217;s computer network was not a &#8216;protected computer,&#8217; &#8221; and that because all computers &#8220;[these] days are used someway in interstate commerce through the [I]nternet or private networks,&#8221; the CFAA &#8220;cannot possibly be so broad as to cover the computer network of a not-for-profit organization like the Salvation Army.&#8221;  <em>Id</em>. at 921.</div>
<div id="_mcePaste">The 8th Circuit rejected Trotter&#8217;s challenge to the CFAA, holding that &#8220;[t]he Salvation Army&#8217;s status as a not-for-profit entity has no bearing&#8221; on the scope of the statute but &#8220;it is the characteristics of the computer or computer network, not the entity using the network, that is the focus of the statute.&#8221;  <em>Id</em>.  Because the Salvation Army&#8217;s computer was connected to the Internet, which is an &#8220;instrumentality and channel of interstate commerce,&#8221; the court held that &#8220;Congress has the power to protect it.&#8221;  <em>Id</em>. at 921-22.  The court further held that whether the defendant&#8217;s actions in violating the CFAA were wholly intrastate was of no legal significance.  &#8220;Once the computer is used in interstate commerce, Congress has the power to protect it from a local hammer blow, or from a local data packet that sends it haywire.&#8221;  <em>Id</em>. at 922, quoting <em>U.S. v. Mitra</em>, 405 F.3d 492, 496 (7th Cir. 2005).</div>
<div id="_mcePaste"><em>Willis</em>, rather than addressing a constitutional challenge to the CFAA, interpreted the language of the statute to apply to the theft of company data used to perpetrate identity theft.  The defendant, Todd Willis, was employed by a debt-collection agency &#8220;as a small claims supervisor&#8221; with &#8220;significant responsibility for the computers.&#8221;  476 F.3d at 1123.  Willis, in exchange for drugs, had provided an associate of his drug dealer with &#8220;access to individuals&#8217; addresses, social security numbers, dates of birth, etc&#8221; from the company&#8217;s computers.  These stolen data were &#8220;used to make false identity documents, open instant store credit at various retailers, and&#8230;purchase goods that were later sold for cash.&#8221;  <em>Id</em>.  Willis was convicted of aiding and abetting a violation of &#167; 1030(a)(2)(C) for intentionally accessing his employer&#8217;s computer network without authorization to obtain information from the computer in which his conduct involved an interstate communication.</div>
<div id="_mcePaste">Willis argued on appeal that for him to aid and abet a violation of this specific CFAA section, the government must prove that he had an &#8220;intent to defraud,&#8221; and because he did not know that the information obtained from his employer&#8217;s computer would be used &#8220;to commit identity theft,&#8221; there was insufficient proof that he had an intent to defraud.  <em>Id</em>. at 1125.  The 10th Circuit rejected Willis&#8217; argument that the &#8220;intent to defraud&#8221; element of &#167; 1030(a)(4) of the CFAA should be imputed to &#167; 1030(a)(2)(C), the section of the CFAA for which he had been convicted.  The court explained that &#8220;[a] plain reading of the statute reveals that the requisite intent to prove a violation of &#167; 1030(a)(2)(C) is not an intent to defraud (as it is under (a)(4)), it is the intent to obtain unauthorized access of a protected computer.&#8221;  <em>Id.</em> Thus, the court concluded that &#8220;[t]he government need not also prove&#8230;the information was used to any particular ends.&#8221;  <em>Id</em>.  The court emphasized &#8220;that each subsection of &#167; 1030 [of the CFAA] addresses a different type of harm&#8221; requiring proof of different elements.  <em>Id</em>. at 1126.</div>
<div id="_mcePaste">Also interpreting the language of the statute, the 5th Circuit in <em>Phillips</em> provided the most expansive meaning to date of the statutory term &#8220;without authorization,&#8221; a critical element of five of the seven violations in the CFAA that can form the basis for a civil suit.</div>
<div id="_mcePaste">Christopher Phillips was a student in the Department of Computer Sciences at the University of Texas and as such, signed U.T.&#8217;s acceptable-use computer policy, in which he agreed not to perform certain scans on his university computer account that would permit him to search for vulnerabilities to hack into and attack the network.  The principal action for which Phillips was prosecuted was his hacking into a U.T. secure server that only allowed access to an authorized user through a password which was the user&#8217;s Social Security number.  Phillips hacked into the network through what is known as a &#8220;&#8216;brute-force attack&#8217; program, which automatically transmitted to the website as many as six Social Security numbers per second, at least some of which would correspond to those of authorized&#8230; users.&#8221;  477 F.3d at 218.  This program allowed Phillips &#8220;[o]ver a fourteen-month period&#8221; to gain &#8220;access to a mother lode of data about more than 45,000 current and prospective students, donors, and alumni.&#8221;  <em>Id.</em></div>
<div id="_mcePaste">Phillips was convicted of violating &#167; 1030(a)(5)(A)(ii) of the CFAA for knowingly accessing the U.T. network without authorization and recklessly causing damage to the network.  On appeal, Phillips claimed that the government had failed to prove his access to the computer network was &#8220;without authorization.&#8221;  The court summarized the recent law that &#8220;authorized access typically arises only out of contractual or agency relationship.&#8221;  <em>Id</em>. at 221.  In doing so, the court cited with approval two CFAA civil cases &#8211; the 7th Circuit&#8217;s opinion in <em>Int&#8217;l Airport Ctrs. LLC v. Citrin</em>, 440 F.3d 418 (7th Cir. 2006), which held that an employee&#8217;s authorization to the company computers is governed by the law of agency, and the 1st Circuit&#8217;s opinion in <em>EF Cultural Travel B.V. v. Explorica Inc.</em>, 274 F.3d 577 (1st Cir. 2001), where the &#8220;confidentiality agreement defined authorized access to [the plaintiff] travel company&#8217;s computerized pricing information.&#8221;  477 F.3d at 221 n.5.</div>
<div id="_mcePaste">The court, however, expanded the definition of &#8220;without authorization&#8221; beyond the rulings of the 1st and 7th circuits and held that &#8220;the scope of a user&#8217;s authorization to access a protected computer&#8221; under the CFAA may be determined based &#8220;on&#8230;the expected norms of intended use&#8221; of the computer.  <em>Id</em>. at 219.  The court not only found that Phillips&#8217; activities were not authorized by U.T.&#8217;s acceptable-use computer policy that he had signed, but that &#8220;Phillips&#8217;s brute-force attack program was not an intended use of the UT network within the understanding of any reasonable computer user and constitutes a method of obtaining unauthorized access to computerized data that he was not permitted to view or use.&#8221;  <em>Id</em>. at 220.</div>
<div id="_mcePaste">The court&#8217;s intended-use test was based on the 2d Circuit&#8217;s opinion in <em>U.S. v. Morris</em>, 928 F.2d 504, 510 (2d Cir. 1991), where the court &#8220;determined that conduct, like &#8216;password guessing&#8217; or finding &#8216;holes in&#8230; programs,&#8217; that uses computer systems not &#8216;in any way related to their intended function&#8217; amounts to obtaining unauthorized access.&#8221;  477 F.3d at 220.</div>
<div id="_mcePaste">The <em>Phillips</em> court also relied on dicta in <em>Explorica</em>, mentioning &#8220;the district court&#8217;s observation of a &#8216;default rule&#8217; that conduct is unauthorized for &#167; 1030 purposes &#8216;if it is not in line with reasonable expectations of the website owner and its users.&#8217; &#8221;  <em>Id</em>.  The court, however, overlooked a subsequent and related 1st Circuit case that expressly rejected the &#8220;reasonable expectations&#8221; test, labeling it as a &#8220;highly imprecise, litigation-spawning standard.&#8221;  <em>EF Cultural Travel B.V. v. Zefer Corp.</em>, 318 F.3d 58, 63 (1st Cir. 2003).</div>
<div id="_mcePaste"><strong>Principles set in these cases will apply to civil cases, too</strong></div>
<div id="_mcePaste">In sum, the following principles established in these three criminal appellate decisions directly affect the civil arena for a company choosing to use the CFAA to remedy criminal acts directed at its computer data: First, the CFAA applies to all companies, whether for profit or not for profit and all computers as long as they are connected to the Internet.  Second, the CFAA contains seven separate violations with distinct and separate elements that can predicate a civil suit that can reach a wide variety of computer crime.  Third, depending on which circuit governs the jurisdiction where the case is filed, the lack of authorization can be alleged and proven based on a breach of the agency relationship; a breach of an employment contract such as a violation of company rules; or a use of the computer that exceeds expected norms of intended use.</div>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/computer-crime/cfaa-criminal-prosecutions/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

