<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Computer Fraud / Data Protection &#187; Data Protection</title>
	<atom:link href="http://computerfraud.us/category/data-protection/feed" rel="self" type="application/rss+xml" />
	<link>http://computerfraud.us</link>
	<description>by Nick Akerman</description>
	<lastBuildDate>Mon, 06 Feb 2012 02:51:38 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>California Court Permits Company to Subpoena Yahoo, Google and ISPs to Identify Anonymous Computer Hacker</title>
		<link>http://computerfraud.us/data-protection/california-court-permits-company-to-subpoena-yahoo-google-and-isps-to-identify-anonymous-computer-hacker</link>
		<comments>http://computerfraud.us/data-protection/california-court-permits-company-to-subpoena-yahoo-google-and-isps-to-identify-anonymous-computer-hacker#comments</comments>
		<pubDate>Tue, 07 Sep 2010 01:45:02 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Data Protection]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=575</guid>
		<description><![CDATA[A federal court in San Jose California last week permitted SolarBridge Technologies, Inc. (“SolarBridge”) to serve subpoenas on Yahoo, Google and various Internet Service Providers to identify the sender of an email containing SolarBridge’s confidential and trade secret protected data including schematics and other product designs of current and future products. SolarBridge Technologies, Inc. v. John Doe, 2010 WL 3419189 (N.D. Ca. Aug. 27, 2010). With criminals hiding behind the anonymity provided by the Internet this case has widespread application to companies willing to take aggressive action to protect their data and provides an excellent blueprint for going after anonymous &#8230; <a href="http://computerfraud.us/data-protection/california-court-permits-company-to-subpoena-yahoo-google-and-isps-to-identify-anonymous-computer-hacker">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>A federal court in San Jose, California, last week permitted SolarBridge Technologies, Inc. (“SolarBridge”) to serve subpoenas on Yahoo, Google and various Internet Service Providers to identify the sender of an email containing SolarBridge’s confidential and trade secret protected data, including schematics and other product designs of current and future products.  <em>SolarBridge Technologies, Inc. v. John Doe</em>, 2010 WL 3419189 (N.D. Ca. Aug. 27, 2010).  With criminals hiding behind the anonymity provided by the Internet, this case has widespread application to companies willing to take aggressive action to protect their data and provides an excellent blueprint for going after anonymous computer hackers.</p>
<p>A Mark Tatley ostensibly sent the email at issue from his Yahoo email address to a competitor of SolarBridge.  The competitor responsibly notified SolarBridge of the receipt of the email.  In response SolarBridge conducted its own investigation into the email, including an effort to locate Mark Tatley through the Yahoo email address and a search of public records and concluded that there was “no real individual named &#8220;Mark Tatley&#8221; and that the email address was created anonymously with fake information.”  <em>Id</em>. at *1.  Having exhausted all means to identify the person who had stolen its competitively sensitive data, SolarBridge filed a John Doe lawsuit alleging, among other things, violations of the Computer Fraud and Abuse Act (“CFAA”) and asked the court for limited discovery so it could identify the proper defendant to be served in the action.</p>
<p>While recognizing that “[t]he practice of suing Doe defendants is generally disfavored in the Ninth Circuit,” the court stated that “where the identity of the alleged defendant will not be known prior to the filing of a lawsuit, ‘the plaintiff should be given an opportunity through discovery to identify the unknown defendants, unless it is clear that discovery would not uncover the identities, or that the complaint would be dismissed on other grounds.&#8217;&#8221; <em>Wakefield v. Thompson,</em> 177 F.3d 1160, 1163 (9th Cir.1999) (quoting <em>Gillespie v. Civiletti,</em> 629 F.2d 637, 642 (9th Cir.1980)).</p>
<p>Thus, the court stated that limited discovery to identify “an anonymous Internet user” is permitted when the plaintiff:</p>
<blockquote><p>(1) identifies the missing party with sufficient specificity such that the court can determine that defendant is a real person or entity who could be sued in federal court;<br />
 (2) identifies all previous steps taken to locate the elusive defendant;<br />
 (3) establishes to the court&#8217;s satisfaction that the lawsuit against defendant could withstand a motion to dismiss; and<br />
 (4) states reasons justifying the specific discovery requested, and identifies a limited number of persons or entities upon whom discovery might be served and for which there is a reasonable likelihood that the discovery will lead to identifying information about defendant that would make service of process possible.</p></blockquote>
<p>The court concluded that SolarBridge had met its burden –<br />
1) John Doe “is an individual or entity that accessed SolarBridge&#8217;s confidential information and disclosed that information to one of its competitors, and the email sent by Defendant is associated with San Jose-based company Yahoo!, Inc,”<br />
2) SolarBridge had “undertaken a diligent investigation to identify Defendant without the use of third party discovery, to no avail,”<br />
3) “SolarBridge&#8217;s action would likely withstand a motion to dismiss, as it appears to have sufficiently alleged claims for violations of the CFAA” and other causes of action, and<br />
4) “SolarBridge has shown that there is a reasonable likelihood that its requested discovery will lead to information to identify Defendant and make service on Defendant possible.”  <em>Id</em>. at *2.</p>
<p>When a hacker strikes, the procedures outlined in SolarBridge should be considered as a proactive option to sue the perpetrator for damages and an injunction to prevent further intrusions into the company computers.  Every hacker leaves behind an IP address or a trail of IP addresses.  It is virtually impossible, however, to identify the owner of an IP address from the public record.  Given privacy concerns, companies like Yahoo and Google are harder to penetrate than a Swiss bank and will not voluntarily turn over the identities or records associated with IP or email addresses unless subpoenaed or ordered to do so by a court.  Thus, as I have found in my own practice, a well-planned John Doe lawsuit, like that in SolarBridge, can provide a powerful strategic tool to retrieve stolen data and prevent its dissemination.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/california-court-permits-company-to-subpoena-yahoo-google-and-isps-to-identify-anonymous-computer-hacker/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why Two District Courts Dismissed Valid Computer Fraud and Abuse Claims for Lack of Jurisdiction</title>
		<link>http://computerfraud.us/data-protection/why-two-district-courts-dismissed-valid-computer-fraud-and-abuse-claims-for-lack-of-jurisdiction</link>
		<comments>http://computerfraud.us/data-protection/why-two-district-courts-dismissed-valid-computer-fraud-and-abuse-claims-for-lack-of-jurisdiction#comments</comments>
		<pubDate>Wed, 01 Sep 2010 14:27:23 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Data Protection]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=569</guid>
		<description><![CDATA[Two federal district courts, one in Maryland and the other in Texas, dismissed what each court considered to be valid civil claims under the Computer Fraud and Abuse Act (“CFAA”). Title 18 U.S.C. § 1030. The CFAA is the federal computer crime statute that provides a civil cause of action to “any person who suffers damage or loss by reason of a violation of the” statute. The ground for dismissal in each case was the lack of federal jurisdiction for failure to meet the CFAA’s jurisdictional requirement of $5,000 in loss. Costar Realty Information, Inc. v. Field, 2010 WL 3369349 *14 &#8230; <a href="http://computerfraud.us/data-protection/why-two-district-courts-dismissed-valid-computer-fraud-and-abuse-claims-for-lack-of-jurisdiction">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>Two federal district courts, one in Maryland and the other in Texas, dismissed what each court considered to be valid civil claims under the Computer Fraud and Abuse Act (“CFAA”).  Title 18 U.S.C. § 1030.  The CFAA is the federal computer crime statute that provides a civil cause of action to “any person who suffers damage or loss by reason of a violation of the” statute.  The ground for dismissal in each case was the lack of federal jurisdiction for failure to meet the CFAA’s jurisdictional requirement of $5,000 in loss.  <span id="more-569"></span><em>Costar Realty Information, Inc. v. Field,</em> 2010 WL 3369349 *14 (D. Md. August 23, 2010); <em>M-I LLC v. Stelly</em>, 2010 WL 3257972 (S.D. Texas, Aug. 17, 2010).</p>
<p>Both courts acknowledged that the underlying facts for each claim set forth violations of the CFAA.  The CFAA violation in <em>Costar Realty Information, Inc</em>. related to unauthorized access to Costar’s website that “enables its users to find property for sale or rent” and includes information gathered by its field researchers along with photographs.  Costar sells licenses to authorized users who were provided with a user name and password to access the database.  <em>Costar Realty Information, Inc</em>. at *1.  The defendants were alleged to have accessed the database or to have allowed others to access the database on multiple occasions without having purchased the proper licenses.</p>
<p>On one of the defendants’ motion for summary judgment, the court found Costar had “presented sufficient evidence to demonstrate a material dispute of fact as to” CFAA liability.  <em>Id</em>. at 10.  Another defendant did not even “dispute that his actions establish a violation of the CFAA.”  <em>Id</em>. at 13.  In <em>M-I LLC</em> the defendants, ex-employees, had left M-I LLC, an oilfield contractor, to join a contractor.  Before leaving M-I LLC, one of the employees had used an “external memory device” to transfer files of confidential and trade secret protected information from a company laptop.   <em>M-I LLC</em> at *11.</p>
<p>In both cases the plaintiffs made the fatal error of simply alleging lost profits as their basis for the $5,000 jurisdictional loss.  In <em>Costar Realty Information, Inc</em>. the plaintiff claimed that its $5,000 in loss consisted of the $300,000 in license fees the defendants would have paid Costar for access to the database.  <em>Costar Realty Information, Inc.</em> at *10.  In <em>M-I LLC</em> the plaintiff alleged damages “to its business in the form of lost profits, loss of customers and loss of future business opportunities.” <em>M-I LLC </em>at *12.</p>
<p>Both courts correctly pointed out that lost profits can only constitute “loss” under the statutory definition of “loss” in the CFAA when the lost profits are “incurred because of interruption of service.”  Title 18, U.S.C. § 1030(e)(11).  If either of these plaintiffs had hired a forensic computer examiner to respond to the offense, to conduct “a damage assessment” or in the case of <em>M-I LLC</em> to restore “the data, program, system, or information to its condition prior to the offense,” their CFAA claims would have qualified for federal subject matter jurisdiction.  <em>Id.</em></p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/why-two-district-courts-dismissed-valid-computer-fraud-and-abuse-claims-for-lack-of-jurisdiction/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>United States Chess Federation Embroiled in Computer Fraud Prosecution</title>
		<link>http://computerfraud.us/data-protection/united-state-chess-federation-embroiled-in-computer-fraud-prosecution</link>
		<comments>http://computerfraud.us/data-protection/united-state-chess-federation-embroiled-in-computer-fraud-prosecution#comments</comments>
		<pubDate>Thu, 26 Aug 2010 17:57:17 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Data Protection]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=548</guid>
		<description><![CDATA[Last week the federal district court in Northern California downgraded felony Computer Fraud and Abuse Act (“CFAA”) counts to misdemeanors against Gregory Alexander who is charged with accessing “on thirty-four separate occasions . . . without authorization, the Yahoo! email account of Randall Hough, one of the board members of the United States Chess Federation (&#8220;USCF&#8221;).” U.S. v. Alexander, 2010 WL 3238961 *1 (N.D. Ca. Aug. 16, 2010). In opposing Alexander’s motion to dismiss the felony counts, the government’s papers described “how Alexander’s action were part of an internal power struggle among the USCF members.” In reviewing the indictment the &#8230; <a href="http://computerfraud.us/data-protection/united-state-chess-federation-embroiled-in-computer-fraud-prosecution">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>Last week the federal district court in Northern California downgraded felony Computer Fraud and Abuse Act (“CFAA”) counts to misdemeanors against Gregory Alexander who is charged with accessing  “on thirty-four separate occasions . . . without authorization, the Yahoo! email account of Randall Hough, one of the board members of the United States Chess Federation (&#8220;USCF&#8221;).”   <em>U.S. v. Alexander</em>, 2010 WL 3238961 *1 (N.D. Ca. Aug. 16, 2010).  In opposing Alexander’s motion to dismiss the felony counts, the government’s papers described “how Alexander’s action were part of an internal power struggle among the USCF members.”</p>
<p>In reviewing the indictment the court observed that it was “as factually and legally deficient as any the court has seen in its experience.”  <em>Id.</em>  This deficiency stemmed from the fact that the indictment charged 34 felony counts of Title 18, U.S.C., § 1030(a)(2)(C) of the CFAA for intentionally accessing a computer without authorization or exceeding authorized access and obtaining information.  However, this section of the CFAA is a misdemeanor unless the government establishes pursuant to § 1030(c)(2)(B) that</p>
<blockquote><p>(i) the offense was committed for purposes of commercial advantage or private financial gain;<br />
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or<br />
(iii) the value of the information obtained exceeds $5,000 </p></blockquote>
<p>The felony/misdemeanor distinction is significant since a felony carries a maximum sentence of  5 years in prison as opposed to 1 year for a misdemeanor.</p>
<p>The court held that the indictment failed to invoke this felony provision by alleging the requisite tortious or criminal conduct.  <em>Id</em>.  The court viewed this failure as an obvious oversight “for which the government, at the hearing on the motion, had no explanation.”  <em>Id</em>.  Thus, the court concluded that the indictment filed against Gregory only alleged misdemeanors as opposed to felonies and gave the government 30 days to “inform defendant and the court whether it intends to seek a superseding indictment or proceed on the remaining thirty-four misdemeanor counts for violations of the CFAA.”   <em>Id</em>. at *2.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/united-state-chess-federation-embroiled-in-computer-fraud-prosecution/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Washington Privacy Law Effective July 1, 2010</title>
		<link>http://computerfraud.us/data-protection/new-washington-privacy-law-effective-july-1-2010</link>
		<comments>http://computerfraud.us/data-protection/new-washington-privacy-law-effective-july-1-2010#comments</comments>
		<pubDate>Thu, 03 Jun 2010 17:07:21 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Data Protection]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=399</guid>
		<description><![CDATA[Washington is the third state to enact an encryption law and a payment card law.1 Massachusetts and Nevada enacted encryption laws and Minnesota and Nevada enacted payment card laws. Since this law takes effect July 1, 2010, any entity that could be subject to this law should begin assessing whether they are subject to and in compliance with this law.  <a href="http://computerfraud.us/data-protection/new-washington-privacy-law-effective-july-1-2010">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>Washington is the third state to enact an encryption law and a payment card law.<sup>1</sup> Massachusetts and Nevada enacted encryption laws and Minnesota and Nevada enacted payment card laws. Since this law takes effect July 1, 2010, any entity that could be subject to this law should begin assessing whether they are subject to and in compliance with this law. </p>
<p><strong>Applies to Business, Processor and Vendor</strong></p>
<p>This law applies to a business that (i) processes more than six million credit card and debit card transactions annually and (ii) provides, offers or sells goods or services to Washington residents. These typically are merchants that have the highest level of compliance obligations among businesses that process credit cards. </p>
<p>This law also applies to a processor that directly processes or transmits account information for or on behalf of another person as part of a payment processing service and a vendor that (i) manufactures and sells software or equipment designed to process, transmit or store account information or (ii) maintains account information that it does not own.<br />
Account information means: (i) the full, unencrypted magnetic stripe of a credit card or debit card; (ii) the full, unencrypted account information contained on an identification device; or (iii) the unencrypted primary account number on a credit card or debit card or identification device, plus cardholder name, expiration date or service code, if not encrypted.<br />
Encrypted means enciphered or encoded using standards reasonable for the breached business or processor taking into account the business or processor’s size and the number of transactions processed annually. </p>
<p><strong>Liability for Data Breach </strong></p>
<p>A business or processor is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders resulting from a data breach (even if the financial institution has not suffered a physical injury) if: (i) a business or processor fails to take reasonable care to guard against unauthorized access to account information in its possession or under its control and (ii) this failure is found to be the proximate cause of a data breach. The prevailing party is entitled to reasonable attorneys’ fees and costs incurred in connection with the legal action.<br />
A vendor is liable to a financial institution for the foregoing damages: (i) to the extent that the damages were proximately caused by the vendor’s negligence and (ii) if the claim is not limited or foreclosed by another provision of law or by a contract to which the financial institution is a party. </p>
<p>A data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by a business.<sup>2</sup> Personal information means an individual’s name together with any of the following elements, when both the name and element are not encrypted: (i) Social Security Number, (ii) Washington driver’s license number or identification card number or (iii) account number, credit card number or debit card number, together with any required security code, access code or password permitting access to their financial account.<sup>3</sup> </p>
<p><strong>Encryption </strong></p>
<p>A business, processor or vendor is not liable if: (i) the account information was encrypted at the time of the data breach or (ii) the business, processor or vendor was certified compliant with the payment card industry data security standards, as adopted by the payment card security standards council (including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.) and in force at the time of the data breach. The payment card industry data security standards include requirements for security management, policies, procedures, network architecture, software design and other critical protective measures and are intended to help organizations proactively protect consumer account data.<br />
A business, processor or vendor will be considered compliant if its payment card industry data security compliance was validated by an annual security assessment and this assessment took place no more than one year before the time of the data breach (for this purpose, this security assessment of compliance is nonrevocable). </p>
<p>By:  Melissa J. Krasnow and Brett Atwood</p>
<p>1 Wash. H.B. 1149.<br />
2 RCW § 19.255.10(4).<br />
3 RCW § 19.255.10(5).</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/new-washington-privacy-law-effective-july-1-2010/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>U.S. Companies Misrepresenting EU Data Protection Directive Safe Harbor Compliance Risk Federal Trade Commission Enforcement Action</title>
		<link>http://computerfraud.us/data-protection/u-s-companies-misrepresenting-eu-data-protection-directive-safe-harbor-compliance-risk-federal-trade-commission-enforcement-action</link>
		<comments>http://computerfraud.us/data-protection/u-s-companies-misrepresenting-eu-data-protection-directive-safe-harbor-compliance-risk-federal-trade-commission-enforcement-action#comments</comments>
		<pubDate>Thu, 13 May 2010 19:15:01 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Data Protection]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=368</guid>
		<description><![CDATA[U.S. companies that transfer personal data from the European Economic Area (i.e., the 27 Member States of the European Union (EU) and Iceland, Liechtenstein and Norway) (EEA) to the United States, and misrepresent that they have self-certified under the Safe Harbor framework, risk Federal Trade Commission (FTC) enforcement action under Section 5 of the Federal Trade Commission Act. EU Data Protection Directive By way of background, a company that transfers personal data from the EEA to the United States must comply with the EU Data Protection Directive (95/46/EC). Personal data means information about any identified or identifiable natural person (e.g., &#8230; <a href="http://computerfraud.us/data-protection/u-s-companies-misrepresenting-eu-data-protection-directive-safe-harbor-compliance-risk-federal-trade-commission-enforcement-action">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>U.S. companies that transfer personal data from the European Economic Area (i.e., the 27 Member States of the European Union (EU) and Iceland, Liechtenstein and Norway) (EEA) to the United States, and misrepresent that they have self-certified under the Safe Harbor framework, risk Federal Trade Commission (FTC) enforcement action under Section 5 of the Federal Trade Commission Act. </p>
<p>EU Data Protection Directive </p>
<p>By way of background, a company that transfers personal data from the EEA to the United States must comply with the EU Data Protection Directive (95/46/EC). Personal data means information about any identified or identifiable natural person (e.g., a person’s address, credit card number and bank statements). Transfers include sending paper documents via post or electronic documents via e-mail. In general, transfers of personal data from the EEA to the U.S. are prohibited unless they qualify for one of the following exceptions: (i) the data subject freely and unambiguously provides specific consent, (ii) the transfer is necessary on various grounds (i.e., performance or conclusion of a contract, legally required for the public interest or legal claims or protection of the vital interests of the data subject) or (iii) the transfer is made from a register intended to provide information to the public in accordance with law. If no exception is available, a company may utilize one of the following methods to comply with the Directive: (A) using a model contract signed by both the EU data exporter and U.S. data importer, (B) adopting binding corporate rules approved by the EU countries from which personal data is to be transferred or (C) self-certifying to the U.S. Department of Commerce under the Safe Harbor framework initially and thereafter self-certifying on an annual basis. The FTC serves as a backstop enforcement authority for the Safe Harbor framework. </p>
<p>Self-Certification under the Safe Harbor Framework </p>
<p>To self-certify under the Safe Harbor framework, a company agrees to develop and publicly disclose a privacy policy that entails complying with seven Safe Harbor principles (i.e., notice, choice, onward transfer, access, security, data integrity and enforcement). In addition, a company must establish and implement an independent recourse mechanism (i.e., cooperate and comply with EU Data Protection Authorities or utilize a private sector dispute resolution program). A company also must accept the jurisdiction of the FTC (or the U.S. Department of Transportation in the case of air carriers and ticket agents). Finally, a company must submit a self-certification to the U.S. Department of Commerce. Not less than annually, Safe Harbor compliance must be monitored and verified (including reviewing policies and procedures) and a new self-certification must be submitted to the U.S. Department of Commerce. </p>
<p>FTC Enforcement Actions </p>
<p>In July 2009, the FTC brought its first enforcement action, obtaining a temporary restraining order against a U.S. company &#8211; Balls of Kryptonite – that advertised on its websites that it had self-certified, where there was no record of its participation in the Safe Harbor, in violation of Section 5 of the Federal Trade Commission Act. The order prohibited this company from misrepresenting the extent to which it was a member of, adhered to, complied with, was certified by, was endorsed by or otherwise participated in any privacy, security or other compliance program sponsored by any government or third party. According to the FTC, it ultimately stipulated to a preliminary injunction against this company. </p>
<p>The FTC subsequently brought enforcement actions against six other U.S. companies – World Innovators, ExpatEdge Partners (a Minnesota company), Onyx Graphics, Directors Desk, Collectify and Progressive Gaitways. The FTC issued consent orders in November 2009 and in January 2010 settling charges that these companies falsely claimed to have complied with the Safe Harbor framework in violation of Section 5 of the Federal Trade Commission Act. Each company previously had self-certified under the Safe Harbor framework. However, although each company had failed to self-certify annually as required by the Safe Harbor framework, it represented through privacy policies and statements on its website that it was a current participant in the Safe Harbor. These orders, which are in effect for approximately 20 years, require that the companies in question (i) not misrepresent expressly or by implication the extent to which they are a member of, adhere to, comply with, are certified by, are endorsed by or otherwise participate in any privacy, security or other compliance program sponsored by the government or any other third party; (ii) file with the FTC written reports regarding the manner and form of their compliance with the orders and (iii) maintain and upon request make available to the FTC copies of all documents relating to compliance with the orders for 5 years. The companies also could be subject to civil penalties if they engage in any such misrepresentations going forward. </p>
<p>Conclusion </p>
<p>U.S. companies need to be careful with the language they use in their privacy statements and other public documents regarding their self-certification status or compliance with the Safe Harbor or the seven Safe Harbor principles. Before representing that they adhere to the Safe Harbor framework, U.S. companies should ensure that they have in fact self-certified with the U.S. Department of Commerce and formally renewed their Safe Harbor compliance registration each year. </p>
<p>By: Melissa Krasnow, Partner, Dorsey Minneapolis Office; Barry D. Glazer, Partner, Co-head of Dorsey London Office; and Harriet Bildsten, Associate, Minneapolis Office</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/u-s-companies-misrepresenting-eu-data-protection-directive-safe-harbor-compliance-risk-federal-trade-commission-enforcement-action/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Media Poses Risks To Companies</title>
		<link>http://computerfraud.us/data-protection/social-media-risk-to-companies</link>
		<comments>http://computerfraud.us/data-protection/social-media-risk-to-companies#comments</comments>
		<pubDate>Fri, 02 Apr 2010 01:31:40 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social media policies]]></category>
		<category><![CDATA[social media policy]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=322</guid>
		<description><![CDATA[By Melissa Krasnow. Social media, including Facebook, Twitter, YouTube, etc., is an evolving and growing means of communication. According to some reports, people have been spending more time using social media sites than e-mail since February 2009. See “A World of Connections,” The Economist, Jan. 28, 2010. For companies, social media presents both opportunities and risks. These risks include reputational, brand, legal, regulatory and security concerns. This article outlines some approaches that companies are taking to manage the risks, including: 1) reviewing existing company compliance policies and preparing social media policies as warranted; 2) restricting workplace access to social media; &#8230; <a href="http://computerfraud.us/data-protection/social-media-risk-to-companies">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>By Melissa Krasnow.	</p>
<p>Social media, including Facebook, Twitter, YouTube, etc., is an evolving and growing means of communication.  According to some reports, people have been spending more time using social media sites than e-mail since February 2009.  See “A World of Connections,” The Economist, Jan. 28, 2010.  For companies, social media presents both opportunities and risks.  These risks include reputational, brand, legal, regulatory and security concerns.  This article outlines some approaches that companies are taking to manage the risks, including: 1) reviewing existing company compliance policies and preparing social media policies as warranted; 2) restricting workplace access to social media; 3) utilizing social media monitoring tools; 4) taking into account actual social media business issues; and 5) reviewing insurance coverage.</p>
<p><strong>Company Compliance Policies And Social Media Policies</strong></p>
<p>	According to a recent survey by Manpower, 29% of companies in the Americas and 20% of companies worldwide have a social media policy.  See “Social Networks vs. Management? Harness the Power of Social Media,” Manpower, January 2010.  Companies that do not have social media policies likely are preparing them or at least considering them.  While there are social media policies, other company compliance policies (e.g., codes of conduct, codes of ethics, confidentiality obligations, privacy policies, intellectual property policies, etc.) often cover aspects of social media use.  The starting point is for a company to review existing policies, determine whether they cover aspects of social media and revise or update them as necessary or appropriate and prepare a social media policy as warranted.  A new social media policy should be drafted to be consistent and integrated with other company compliance policies.</p>
<p>	By way of example, a company record retention policy and legal hold could be implicated by social media use.  Information on a company’s social networking site is considered to be electronically stored information.  As soon as a company is reasonably aware of the possibility of litigation, audit or investigation, it must take steps to preserve all records that may be relevant to the matter, including electronically stored information.  If information on the social networking site may be relevant, the company must take appropriate steps to preserve it.  Accordingly, a company’s record retention policy and legal hold should be reviewed regarding social media and revised and updated if necessary or appropriate.  Any new social media policy should be drafted to work together with the record retention policy and legal hold.</p>
<p>	Social media policies typically are tailored to a particular company’s circumstances, including the many different ways that companies use social media.  Many social media policies are not publicly available.  Based on a review of the social media policies of Sun (which was acquired by Oracle in early 2010), Yahoo, IBM, Edelman, Cisco and Dell, following are some of the common elements of these policies:</p>
<p>•	Identify yourself and make it clear when you are speaking on behalf of or about the company;<br />
•	Use common sense and judgment;<br />
•	Know that there is personal liability for content;<br />
•	Understand that disclaimers are advisable, but not a shield from liability;<br />
•	Realize that disclosed information should be accurate;<br />
•	Seek advice from the legal department or management when necessary (e.g., when unsure about posting or for permission to comment on work-related legal matters);<br />
•	Do not disclose confidential or financial information or material, non-public information about the company; and<br />
•	Follow established company guidelines, policies and codes.</p>
<p>	Social media policies often involve different areas of a company (e.g., human resources, marketing, legal, communications, etc.).  A number of different laws could potentially apply, including without limitation employment, intellectual property, privacy and securities law.  In some cases, there may be additional regulation (e.g., Federal Trade Commission, Financial Industry Regulatory Authority, Food and Drug Administration, etc.).  As a result, a multi-disciplinary business and legal team frequently is assembled to prepare a social media policy.  As with other company compliance policies, a social media policy needs to be implemented and enforced consistently. </p>
<p><strong>Restricting Workplace Access To Social Media</strong></p>
<p>	According to a survey by Robert Half, 54% of U.S. workplaces completely block access to social networks, whereas 19% permit access solely for business purposes, 16% permit limited personal use and 10% permit any personal use of social networks.  See “Whistle — But Don&#8217;t Tweet — While You Work,” <em>Robert Half</em>, October 2009. </p>
<p><em>Social Media Monitoring Tools</em></p>
<p>	Social media monitoring tools encompass analytics software for tracking and analysis (e.g., traffic, keywords, trends, etc.), including Web software tools like Webtrends, Omniture and Google Analytics.  In addition, there are URL shorteners, including Bit.ly and Ow.ly, which track information like clicks from different traffic sources.  There also are tools that collect metrics on Twitter — Twittersearch, Twitrratr, Twinfluence and Tweetstats.  Company employees could engage in monitoring on behalf of the company.  Moreover, there are third-party paid monitoring options, which can be domestic or global in scope.  These include Radian6 (owned by Webtrends), Sysomos and Buzzlogic.  These tools track the activity of a brand in social media and provide insights about the tone of the dialogue (i.e., &#8220;sentiment analysis&#8221;).</p>
<p><em>Considering Actual Social Media Business Issues</em></p>
<p>	Certain business issues are arising through the use of social media.  Examples of these include an impostor establishing an impostor site, pretending to be another person (e.g., Twitter impostors in the case of celebrities and executives) and whether Facebook’s terms of use can be modified.  Once aware of these issues, a company can work to devise protections and solutions (e.g., how to deter impostor sites and how to shut them down).</p>
<p><em>Reviewing Insurance Coverage</em></p>
<p>	A company should review the particular terms of its existing insurance coverage and determine whether any social media use or aspects are covered.</p>
<p><strong>Conclusion</strong></p>
<p>	Addressing the risks of social media should not necessarily outweigh realizing the opportunities.  Companies must recognize and encourage the opportunities offered by social media communication, relationship-building and reputation and brand enhancement, among other things.</p>
<p>Melissa J. Krasnow is a partner in the Minneapolis office of Dorsey &amp; Whitney LLP whose practice focuses on privacy, social media, corporate and securities law.  For additional information please visit www.dorsey.com/krasnow_melissa/.  She may be reached at krasnow.melissa@dorsey.com.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/social-media-risk-to-companies/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Massachusetts Privacy Reg Now Effective</title>
		<link>http://computerfraud.us/data-protection/privacy-and-data-protection-laws</link>
		<comments>http://computerfraud.us/data-protection/privacy-and-data-protection-laws#comments</comments>
		<pubDate>Fri, 19 Feb 2010 21:56:03 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Protection Laws]]></category>
		<category><![CDATA[Personal Data]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://computerfraud.contact2client.com/?p=23</guid>
		<description><![CDATA[What Is Required and How to Comply Contributed by: Melissa J. Krasnow, Dorsey &#38; Whitney LLP The Massachusetts Office of Consumer Affairs and Business Regulation (&#8220;MOCABR&#8221;) recently issued the final version of the Massachusetts privacy regulation (Regulation).  This article provides a summary of this Regulation, which applies to each person or entity that owns or licenses personal information about a Massachusetts resident (Covered Entity)  &#8220;Owns or licenses&#8221; means receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.  &#8220;Personal information&#8221; means a Massachusetts resident&#8217;s first &#8230; <a href="http://computerfraud.us/data-protection/privacy-and-data-protection-laws">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: center"><img class="aligncenter size-full wp-image-45" title="Privacy and Data Protection" src="http://computerfraud.us/files/2010/02/privacy.data_.protectcion.jpg" alt="Privacy and Data Protection" width="587" height="85" /><strong>What Is Required and How to Comply</strong></p>
<p>Contributed by: Melissa J. Krasnow, Dorsey &amp; Whitney LLP</p>
<p>The Massachusetts Office of Consumer Affairs and Business Regulation (&#8220;MOCABR&#8221;) recently issued the final version of the Massachusetts privacy regulation (Regulation).  This article provides a summary of this Regulation, which applies to each person or entity that owns or licenses personal information about a Massachusetts resident (Covered Entity).  &#8220;Owns or licenses&#8221; means receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.  &#8220;Personal information&#8221; means a Massachusetts resident&#8217;s first and last name or first initial and last name in combination with a (i) Social Security Number; (ii) driver&#8217;s license or state-issued identification card number or (iii) financial account number.  According to the MOCABR, this Regulation is not preempted if a Covered Entity complies with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act requirements. Consequently, this Regulation could apply to any type of business.</p>
<p>A Covered Entity must be in full compliance with this Regulation on or before March 1, 2010, including developing, implementing and maintaining a comprehensive, written information security program applicable to records containing personal information (Program).</p>
<p>This Regulation establishes minimum standards for safeguarding personal information in paper and electronic records.  The Program must be written in one or more readily accessible parts and contain administrative, technical and physical safeguards consistent with the safeguards for protection of personal information and information of a similar character in any state or federal regulations by which the Covered Entity may be regulated.</p>
<p>The safeguards must be appropriate to (i) the size, scope and type of business of the Covered Entity; (ii) the amount of resources available to the Covered Entity; (iii) the amount of stored data and (iv) the need for security and confidentiality of both consumer and employee information.</p>
<p>The Regulation requires a Covered Entity to take the following action:</p>
<p>1.  Designate one or more employees to maintain the Program;</p>
<p>2.  Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality or integrity of any electronic, paper or other records containing personal information, and evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting these risks (e.g., ongoing temporary, contract and regular employee training, employee compliance with policies and procedures and means for detecting and preventing security system failures);</p>
<p>3.  Develop security policies for employees relating to the storage, access and transport of records containing personal information outside of business premises;</p>
<p>4.  Impose disciplinary measures for violations of the Program;</p>
<p>5.  Prevent terminated employees from accessing records containing personal information;</p>
<p>6.  Take reasonable steps to select and retain third-party service providers (i.e., any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a Covered Entity) that are capable of maintaining appropriate security measures to protect such personal information consistent with this Regulation and any applicable federal regulations;</p>
<p>7.  Require third-party service providers by contract to implement and maintain appropriate security measures for personal information (though a contract a Covered Entity has entered into no later than March 1, 2010 with a third-party service provider satisfies this provision even if the contract does not include a requirement that the third-party service provider maintain such appropriate safeguards, until March 1, 2012);</p>
<p>8.  Implement reasonable restrictions on physical access to records containing personal information and store the records and data in locked facilities, storage areas or containers;</p>
<p>9.  Regularly monitor to ensure that the Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and upgrade information safeguards as necessary to limit risks;</p>
<p>10.  Review the scope of the security measures at least annually or when there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information;</p>
<p>11.  Document responsive actions taken when a data security breach incident occurs and conduct a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to the protection of personal information; and</p>
<p>12.  Establish and maintain a security system, covering its computers and any wireless system, for a Covered Entity, which, at a minimum and to the extent technically feasible (i.e., if there are reasonable means through technology to accomplish a required result):</p>
<p>a.)  secures user authentication protocols, including (i) control of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies (e.g., biometrics or token devices); (iii) control of data security passwords to ensure that these passwords are kept in a location or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only and (v) blocking access to user identification after multiple unsuccessful attempts to gain access or limiting access for the particular system;</p>
<p>b.)  has secure access control measures that (i) restrict access to records and files containing personal information to those who need personal information to perform their job duties and (ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;</p>
<p>c.)  encrypts (i.e., transforms data into a form in which meaning cannot be assigned without the use of a confidential process or key) all transmitted records and files containing personal information that will travel across public networks, and encrypts all data to be transmitted wirelessly;</p>
<p>d.)  has reasonable monitoring of systems for unauthorized use of or access to personal information;</p>
<p>e.) encrypts all personal information stored on laptops or other portable devices;</p>
<p>f.)  includes reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet, reasonably designed to maintain the integrity of the personal information;</p>
<p>g.)  has reasonably up-to-date versions of system security agent software, which includes malware protection and reasonably up-to-date patches and virus definitions or a version of this software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis; and</p>
<p>h.)  educates and trains employees on the proper use of the computer security system and the importance of personal information security.</p>
<p>The statute under which this Regulation was issued provides for enforcement by the Massachusetts Attorney General.</p>
<p>Companies that are developing or have developed comprehensive, written information security programs need to revisit what they have done thus far to make sure it complies with the Regulation, and to determine whether they are subject to the Nevada encryption law.  Under the Nevada encryption law, a company (except for a telecommunications provider) doing business in Nevada that deals with personal information must comply with specific encryption requirements if it does not accept a payment card (a credit card or similar card) in connection with a sale of goods or services.  This law also requires that a company that does accept payment cards in connection with a sale of goods or services comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS).  PCI DSS is an industry security standard developed by the PCI Security Standards Council (including American Express, Discover, JCB, MasterCard and Visa) for the protection of customer account data.  The compliance deadline for the Nevada encryption law is January 1, 2010.</p>
<p>Other companies immediately need to determine whether they are covered by the Regulation.  Their compliance efforts should begin now if they determine that they are covered.  Finally, companies that determine that they are not covered typically prepare a written summary of their determination.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/privacy-and-data-protection-laws/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Protection Strategies</title>
		<link>http://computerfraud.us/data-protection/data-protection-strategies</link>
		<comments>http://computerfraud.us/data-protection/data-protection-strategies#comments</comments>
		<pubDate>Thu, 18 Feb 2010 23:32:01 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Risks]]></category>
		<category><![CDATA[Strategies]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://computerfraud.contact2client.com/?p=29</guid>
		<description><![CDATA[Technology poses a special risk to companies whose businesses depend on such valuable competitive data. With just a couple of mouse clicks or through the use of a thumb drive that can be slipped into a pocket, an employee can easily remove from the workplace what amounts to multiple file cabinets worth of documents. Last year, for example, I represented a client where the data at issue was worth more than $1 billion in business to the company. The employees in that case removed the data from the company by simply downloading it to several compact disks and e-mailing it &#8230; <a href="http://computerfraud.us/data-protection/data-protection-strategies">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://computerfraud.us/files/2010/02/computervirus.jpg"><img class="alignleft size-full wp-image-64" title="Computer Virus Data Loss" src="http://computerfraud.us/files/2010/02/computervirus.jpg" alt="Computer Virus Data Loss" width="450" height="360" /></a></p>
<p>Technology poses a special risk to companies whose businesses depend on such valuable competitive data. With just a couple of mouse clicks or through the use of a thumb drive that can be slipped into a pocket, an employee can easily remove from the workplace what amounts to multiple file cabinets' worth of documents. Last year, for example, I represented a client where the data at issue was worth more than $1 billion in business to the company. The employees in that case removed the data from the company by simply downloading it to several compact disks and e-mailing it to their home e-mail addresses. I also represented a company in a case involving the theft of data relating to government contracts worth hundreds of millions of dollars where the stolen data was used to divert the business to a major competitor. The data in that case was removed on floppy disks. In addition to traditional lawsuits that can last a year or two through discovery and trial, a major part of my practice is filing emergency court actions for injunctive relief—temporary restraining orders and preliminary injunctions—to seek the immediate return of competitively sensitive data that is stolen from a company. In those cases, the client suddenly discovers that a trusted employee has taken valuable data to a competitor. In response, I go into action marshalling the evidence, drafting the necessary court papers, and within a day or two find myself appearing before a judge asking for the immediate return of the data. These actions are important to my clients who cannot afford to have their competitive positions in the marketplace undermined by a competitor using their key information.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/data-protection-strategies/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

