On June 1, China’s new Cybersecurity law took effect. The new law applies not only to domestic Chinese companies but has wide-ranging implications for U.S. and other foreign companies doing business in China.
Companies should take three steps now to ensure use of the Defend Trade Secrets Act.
In May, President Barack Obama signed into law the Defend Trade Secrets Act that creates a federal civil cause of action for the misappropriation of trade secrets. This new law amends the Economic Espionage Act, which makes it a federal crime to steal and use trade secrets. Title 18 U.S.C. 1831, et. seq. For companies that depend on confidential information to provide them a competitive edge, there are several proactive steps they should take to ensure their use and the full benefits of this statute if their trade secrets are stolen.
Most significantly, the Defend Trade Secrets Act, unlike the state trade secrets laws, provides for an ex parte “order for the seizure of property necessary to prevent the propagation or dissemination of the trade secret,” upon a showing of “exceptional circumstance.” Traditional state court equitable remedies are limited to a temporary restraining order and a preliminary injunction. The law also makes the theft, possession and use of trade secrets a predicate act for the Racketeer Influenced and Corrupt Organizations Statue, which can form the basis of a civil RICO action for treble damages and attorney fees. (In the past, federal courts have been reluctant under most circumstances to find a RICO “pattern” for trade secrets theft as part of a scheme to defraud based on the mail and wire fraud statutes. See, e.g., Bro-Tech Corp. v. Thermax (E.D. Pa. 2009).
The White House and its top security advisors are regularly advised about cyberintrusions and as a result the “time has come for CEOs and Boards to take personal responsibility for improving their companies’ cyber security” according to Former White House Senior Director for Cybersecurity Sameer Bhalotra. In the recent report from LogRhythm entitled “The Cyber Threat Risk – Oversight Guidance for CEOs and Boards” Bhalotra went to say:
Global payment systems, private customer data, critical control systems, and core intellectual property are all at risk today.
As cyber criminals step up their game, government regulators get more involved, litigators and courts wade in deeper, and the public learns more about cyber risks, corporate leaders will have to step up accordingly.
While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.
With this shift in emphasis, companies are asking the obvious questions: “What are we expected to do and what is a proactive cybersecurity compliance program?”
Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’ s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”
In December, a divided panel of the U.S. Court of Appeals for the Second Circuit in U.S. v. Valle interpreted the Computer Fraud and Abuse Act to exclude employees who access their employer’s computers. The upshot is that if you are an employee in the Second Circuit and steal data from your employer to commit identity theft or to provide it to a competitor, you cannot be prosecuted by the Department of Justice or sued by your employer under the CFAA.
By: Ron Moscona, a partner in Dorsey & Whitney’s London Office The Court of Justice of the European Union (“CJEU”) held yesterday, in its decision in Schrems v. Data Protection Commissioner, that the decision of the European Commission of July 2000 which provides the legal basis under EU law for the “Safe Harbor” scheme is… Read More
The recent decision in Allied Portables v. Youmans from the U.S. District Court for the Middle District of Florida underscores the need for businesses to establish explicit, well-advertised written policies identifying the scope of permissible employee access to company computers. Absent such policies, employers may be precluded from using the civil remedy in the federal computer crime statute, the Computer Fraud and Abuse Act, to sue employees who steal or destroy data from a company computers.
Allied properly recognized that for a CFAA claim to succeed, the plaintiff employer must be able to show the critical element that the defendant employee accessed a company computer by exceeding the authorized access to the computer.
Have your client companies’ policies kept
pace with changes in the law affecting
computer technology? New statutes and court
decisions relating to computer technology
affect every business. Many companies
overlook opportunities to respond to these
new laws by adopting robust policies to
take advantage of the protections they
afford and to minimize the risks they pose.
This article will review three critical areas
of computer technology that should be
addressed by company policies: theft of data,
social networking and cloud computing.
Two recent district court opinions add to the caselaw providing judicial guidance on how employers might update their corporate computer policies to be able to sue ex-employees for stealing company data based on the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute. Title 18, U.S.C. §1030. This is a particularly significant problem… Read More
Last month I posted my article from the National Law Journal, entitled, “Time to Review Computer Policies,” discussing three recent cases, including LVRC Holdings LLC v. Brekka, 81 F.3d 1127, 1131 (9th Cir. 2009). I cited Brekka for the proposition that it is important to delineate the scope of an employee’s permissible access to the… Read More