Best Practices to Prevent Theft of Trade Secrets
This presentation discusses best practices to prevent theft of trade secrets, including identifying when to panic, triage steps to differentiate smoke from fire, defining wins upfront, recognizing trade secrets, restrictive covenants, evidence preservation, forensic analysis, smartphone evidence considerations, privacy concerns, attorney-client communication security, and civil subpoenas for call records.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Theft of Trade Secrets Best Practices <DATE> Presented to: Presenters: Larry Lieb, CCPA, FEXE, OSFCE, CBE, Managing Director HAYSTACKID LLC
Decisions Discovery Depositions
Class Ground Rules Class content is for educational purposes only and does not constitute legal advice. Questions posed by and opinions offered by class participants are for the sole purpose of improving today s class s educational value and do not constitute legal advice. There are no bad questions, so please raise your hand and interrupt the presenter with your questions as they come up rather than waiting for the end of the class.
Larry Lieb, CCPA, FEXE, OSFCE, CBE Michigan P.I. License #3701206704 Cellebrite Certified Physical Analyst (CCPA) Certified Forensic Explorer Examiner (FEXE) OSForensics Certified Examiner (OSFCE) Certified BlackLight Examiner (CBE) Fluent in Japanese. Performed Forensic Collections in Japan. Worked in Computer Forensics and Electronic Discovery since 1998 Qualified as a computer forensic expert in both Federal and State courts 2016 Cook County, Illinois Domestic Violence Legal Clinic Champion of Justice award winner
Agenda Defining When One Should Reasonably Panic Reasonable Triage Steps to Take in Order to Identify if There is Only Smoke or an Actual Fire The Importance of Defining Win Upfront and the Avoidance of Mission Creep Definition and Identification of trade secrets Improper Misappropriation as Defined By 18 U.S.C. 1839(5) (A) and (6)(B) Restrictive Covenants and Departing Employees Evidence Mapping and Preservation Reasonable Forensic Analysis Steps Special Considerations Regarding Smartphone Based Evidence Agreed Orders To Address Privacy Concerns Reasonable Attorney-Client Communication Security Measures Civil Subpoena for Carrier Call and Text Message Records
Defining When One Should Reasonably Panic
Triage Steps to Take in Order to Identify if There is Only Smoke or an Actual Fire Triage Step #1. Identify and Preserve Electronic evidence is extremely ephemeral in nature: ripe fruit must be picked from the vine and properly preserved before it withers away and dies. Document and take reasonable steps to identify and preserve, or have preserved, sources of potentially relevant evidence from which smoke signals have been identified. Reasonable identification and preservation steps meeting will be discussed later in detail in the Evidence Mapping section of the class
Is My Chest Pain Due to Simple Indigestion or The Onset of Heart Failure? Triage Step #2. Engagement of Specialized Outside Counsel and Computer Forensic Expert Consider the paradigm of outside counsel as lead surgeon/head physician and 3rd party computer forensic expert as emergency room doctor. When a patient arrives at the emergency room, standard reasonable tests are run irrespective of as well as in response to a patient s specific complaints. Similarly, a competent computer forensic expert will perform standard analysis steps to identify low hanging fruit indicators of significant problems. Just as a physician s interpretation of medical tests might call for the patient to take an antacid and be released, or immediately be directed towards surgery, outside counsel s interpretation of a computer forensic professional s analysis results might call for a simple demand letter, or the filing of temporary injunction request.
The Importance of Defining Win Upfront and the Avoidance of Mission Creep
Example Definitions of Win Plaintiff Perspective: Business Protection Achieved: Plaintiff retains all customer relationships, trade secrets, monies, protectable and significant interests, owned by the Plaintiff, which were under threat of theft by former employee, now Defendant. Defendant Perspective: Closure Achieved: A clearly defined No Go customer list, geographical territory and time frame governing the prohibition, which enables the Plaintiff to move forward and operate freely without fear of further litigation. Are these Wins diametrically opposed or actually a Win-Win resolution?
A Trade Secret as Defined by Defend Trade Secrets Act of 2016 - S.1890 The DTSA was enacted in to law in May 11, 2016 to provide, inter alia, a method and vehicle to address the protection of trade secrets in Federal Court (3)the term trade secret means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (A)the owner thereof has taken reasonable measures to keep such information secret; and (B)the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information;
Improper Misappropriation as Defined By 18 U.S.C. 1839(5) (A) and (6)(B) (5) the term misappropriation means (A) acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means (6) the term improper means (A) includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means; and (B) does not include reverse engineering, independent derivation, or any other lawful means of acquisition Later we will examine how evidence mapping and computer forensic analysis can uncover improper misappropriation
18 USC 1030: Fraud and related activity in connection with computers When authorized becomes unauthorized access and reasonably showing the transgressor s intent to cause material harm or deprive the victim of significant financial value. For example, evidence that a former employee, notwithstanding their former employer s reasonable steps taken to protect company information, took steps to access sections of their former employer s R&D server to which the employee was not officially provided access, created copies of the company s future prototype drawings, and then deleted the company s only copies of the prototype drawings could be construed as actionable under 18 USC 1030. http://uscode.house.gov/view.xhtml?req=(title:18%20section:1030%20edition: prelim)
Win in the Form of Injunctive Relief Temporary or Preventative Injunction / TRO to stem the bleeding or prevent foreseeable harm while facts at issue are gathered and assessed Mandatory Injunction / Specific Performance to restrain or remediate a threatened harm Permanent Injunction The existence of an enforceable restrictive covenant can improve the chances of achieving a permanent injunction. Oftentimes restrictive covenants are found to be non-enforceable due non- compliance with state laws where the employee works versus the state laws where the corporate parent is located. Review existing restrictive covenants to confirm each covenant complies with state laws and make appropriate revisions.
Restrictive Covenants / Departing Employees Restrictive covenants (as it relates to employment) typically address one or more of three primary areas: Non-compete, enjoining the former employee from working for a direct competitor in the same or similar capacity as his/her prior role Non-solicitation, precluding the employee to solicit others to depart the organization Non-disclosure, preventing the unauthorized release of confidential, proprietary or otherwise protected information Illinois, for example, considers whether a legitimate business interest exists based on the totality of the facts and circumstances of the individual case. Factors to be considered are: The near-permanence of customer relationships The employee s acquisition of confidential information through his employment Time and place restrictions Reliable Fire Equipment Co. v. Arredondo, 2011 IL 111871. If forensic analysis reveals evidence of improper misappropriation of significant trade secrets, a lack of a pre-existing restrictive covenant does not mean a potential plaintiff is without other avenues of potential relief.
With Win Defined, Now it is Time to Take Steps to Identify Custodians of Evidence Potentially Relevant to the Dispute
An Ounce of Prevention it should be abundantly clear that the duty to preserve means what it says and that a failure to preserve and to search in the right places will inevitably result in spoliation. Pension Committee v. Banc of America Securities (2010 WL 184312 [S.D. N.Y., Jan. 15, 2010]). 18
Step #1: Identify Dispute-Specific Custodians of Evidence A Custodian of Evidence may be defined as: Person or person(s) with direct knowledge and/or control of evidence potentially relevant to the underlying matter. IT Custodian: The IT employee(s) of the Plaintiff and/or Defendant s organization who can identify and help preserve evidence potentially relevant to the underlying matter Individual Custodian: Person or person(s) directly involved in the dispute such as a Defendant former employee suspected of misappropriating trade secrets. Track All Custodians in the Provided Class Evidence Map
The Importance and Timing of Issuing an Upjohn Letter At the start of an internal investigation and before custodial interviews begin, an UpjohnLetter should be provided to the potential subjects of interviews explaining. The underlying case is Upjohn Company v. United States, 449 U.S. 383 (1981) An UpjohnLetter should inform the people being interviewed that in-house counsel represents the employer, not the employee, and that the company may choose to, at its sole discretion, reveal the results of employee interviews to a government agency or any other third party. Interviews may reasonably identify employees personal devices and accounts as sources of evidence relevant to a given dispute. A class handout example Upjohn Letter is provided
The Investigation Evidence Map
Investigation Evidence Mapping Philosophy A major threat to all litigants is the cost of litigation itself. Identifying and tracking all critical aspects and qualities of a given dispute s evidence in a single Map, can inform and enable one to control and forecast costs. After IT and/or Individual Custodians interviews are complete, Counsel can then pinpoint specific evidence to investigate as the evidence may relate to the Law. Example: Judges will calculate the financial impact on plaintiff, defendant and 3rd Parties (and the effect on the public at large if an injunction was not applied) to determine if an permanent injunction is called for. Therefore identifying and preserving Accounting records would be important and informative to an injunction. A True War Story: The IT Custodian interview identified QuickBooks online as the Defendant s new competing entity s sole accounting system. Forensic expert was provided with user name and password to forensically preserve all financial data, reports and logs possible. An analysis of the QuickBooks accounting records showed that the Defendants had not been doing any business with Plaintiff s customers or requested restricted geographical region.
Critical Dates To Confirm and Track In The Map Defendant s last official date of employment at Plaintiff organization Defendant s first official date of employment at new Defendant organization Date and time former employee turned in company phone and computer Forensic analysis of electronic evidence will reveal timelines of human activities performed on computers and phones. Knowing the last date and time a former employee had control over a computer will allow the computer forensic investigator to efficiently focus in on activities performed by the former employee on the former employee s last day of control over the computer.
Questions to Ask Knowledgeable IT Custodians and Record in Evidence Map s IT QUESTIONS Tab Are USB ports enabled on workstations? Are workstations running virtual machines? Are hard drives encrypted? Is Mobile Device Management Software being used on smartphones What specific business systems and accounts does/did an employee have access to? What Email Server is the organization using? An internally managed Microsoft Exchange Server or Office365 in the Cloud? Does IT policy allow for employees to export and save email in the form of PST files? What Cloud storage services is the organization using such as iCloud, Drobox, Google Drive, OneDrive, SharePoint, QuickBooks Online? What are the dates and times, and by whom, has IT changed all passwords for each internal and cloud based business systems former employee had access to? Has IT identified systems which allow for User Activity reporting, which can show user activities such as dates and times of accessing a system, exporting of reports and/or data from system?
Individual Custodian Interviews Custodial interviews should be scheduled immediately following the initial IT interviews, targeting the known resources whose work / communications intersected with the target of the investigation. Individual custodian interviews typically require 30 to 45 minutes to complete Concurrently, IT interviews can continue with an examination of structured data sources, such as network shares, accounting systems, CRM and ERP platforms, etc. All responses should be thoroughly documented in the provided Evidence Map. Based upon the results of individual custodial interviews, client, counsel and forensic expert may plan for preservation of all appropriate sources.
Immediate Steps For Evidence Preservation Immediate Steps to take with Laptops: Normally power down the device IT should seize the device into their keeping IT should sequester the device in a secure location specifically designated for devices under a hold If deemed necessary or prudent, IT should remove the hard drive (if possible) Immediate Steps to take with Mobile Device: If the mobile device is powered on and you know the access code, power down the device normally but keep it plugged into a charger and secure it with IT If the device is powered on and you do not know the access / unlock code, switch it into airplane mode or put it into a sealed metal container (like a paint can) and secure it with IT If the device is powered down already, plug it into a charger to avoid battery loss, and secure it with IT Immediate Steps to take with Email and other Business System Accounts: Turn on litigation hold capabilities where they exist such as Microsoft s Office365 and Google s Business service offer Change passwords to all business systems former employee had access to in order to prevent improper misappropriation activities RESIST THE TEMPTATION TO INVESTIGATE ELECTRONIC EVIDENCE AS SIGNIFICANT SPOLIATION CAN EASILY OCCUR
Physical Forensic Imaging of Computers For all internal investigations and theft of trade secret matters, laptop and desktop personal computer hard drives must be imaged in what is known as a Physical Forensic Image . A Physical Forensic Image : Meets the criminal standard of evidence preservation by capturing all possible zeroes and ones on the surface of a given hard drive. A unique Hash value is calculated, recorded and compared between the original evidence and the resulting Physical Forensic Image in order to confirm if a copy is a true forensic copy of the original evidence. Allows for recovery of deleted files and other deleted evidence of human activity. Requires specialty write-blocking hardware employed by computer forensic experts.
Chain of Custody COC Chain of custody in the most basic sense means control . COC documentation creates a written record of when control of and over a specific piece of evidence began and ended. A COC document such as the one provided as a class handout should be used for each piece of evidence being transferred from a client to their outside counsel or computer forensic expert.
Departed Employee Analysis Steps to Identify Fire Identification and Reporting of: All User Accounts, such as email accounts, existing on computer or smartphone All software installed on computer or smartphone All external devices connected to a computer, including the dates and times of connection, and the make/model/serial numbers of the connected devices Activities of file copying to external devices Activities of file copying to unauthorized cloud storage services Activities of transmission of files via personal email accounts Activities of file deletion Activities of recent file access from external devices on work computer Estimated Cost: $3,000.00 Per Employee to Create Handout Report
Special Considerations for Treatment of Smartphones
All Smartphones Contain 10 Basic Cabinet Drawers 1. Contacts 2. Call Records 3. Voice Messages 4. Email and Text Messages 5. Documents 6. Calendar 7. Internet Browsing History 8. Songs, Photographs and Movies 9. WiFi History 10. Social Media (Facebook, Instagram et al)
By Default, Some Cabinet Drawers are Locked Apple and Google sell their phones with inaccessible- to-the-end-user locked drawers as a security measure. Only Google or Apple own and have access to the keys that can unlock your phone s locked drawers. Some end-users choose to remove this security measure by Jail Breaking or Rooting their phones. Jail Breaking/Rooting is the process of changing all of the locks and keys to your phone which will allow one to access all locked cabinet drawers.
Contents of the Locked Drawers Sensitive information such as passwords and credit card information. Some categories of deleted information. System files that support the normal usage of the smartphone. Jailbreaking or Rooting a phone can allow a malicious application to access the content of these formerly locked drawers!
Some Deleted Evidence Can Be Recovered From The Unlocked Drawers iPhones store incoming and outgoing SMS text and iMessage messages in a file called SMS.db. The SMS.db file is stored in one of the iPhone s unlocked drawers. When an end user deletes an iMessage, the deleted message is not destroyed, but simply made invisible to the end user. Forensic tools can recover these deleted messages easily.
Practice Point Laptop and desktop computer hard drives do not come from the factory with locked and inaccessible to the end user drawers. This allows for forensic search and recovery of all possible deleted information. Smartphones come with inaccessible locked drawers as security measures to protect the phone owners. The amount of evidence, such as some deleted information, that can be recovered with forensic tools is more limited with smartphones.
Three Locations From Which Smartphone Evidence Can Be Recovered: The Device Itself, Mobile Backups on Personal Computers and Mobile Backups in The Cloud
A Complete Backup of Ones iPhone in iTunes or Apples iCloud If an ex-employee created a Mobile Backup of their personal iPhone on a company laptop using iTunes, the company will have access to the entire contents of the physical phone itself as of the date the Mobile Backup was created. iDevices are backed up to Apple s iCloud storage by default. iTunes file cabinet drawer locations on computers: Mac: ~/Library/Application Support/MobileSync/Backup/ Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\ Windows Vista, Windows 7, Windows 8 & Windows 10: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
Examples of Evidence Stored in iTunes and iCloud Mobile Backups Photos, Contacts, Calendar, Internet Browsing History, Notes, Call history, Messages (iMessage and carrier SMS or MMS pictures and videos), Voice memos, Network settings (saved Wi-Fi hotspots, VPN settings, and network preferences), Email account passwords, Wi-Fi passwords, and passwords you enter into websites and some apps, Map bookmarks, recent searches, and the current location displayed in Maps. (http://support.apple.com/kb/ht4946)
Practice Point Even if your client s former employee took their personal iPhone and/or iPad with them when they left to work for a competitor, if the employee synchronized their personal iDevice with your client s computer while working for your client, you have access to that iDevice; no subpoena required! Forensic software can recover deleted voice messages as well as deleted text messages from Mobile Backups.
Leveraging Location Based Evidence
44 Photos and Facebook Message Locations
Location Based Evidence War Story Investigation of client s former employee s iPhone revealed multiple meetings at opponent s headquarters in the months prior to former employee s resignation. Signing into a Wifi network creates a time/date/location stamp on a workstation
Leveraging Timelines & Critical Date Analysis
Timelines Generated From Smartphone Evidence Smartphone forensic software automatically sorts all human activity performed on a given smartphone, such as making calls, receiving text messages, sending emails, or taking pictures in chronological order. Focusing on critical dates identified in the Evidence Map can be very informative and an efficient, targeted method of analysis
The Significant Threat of BYOA: Bring Your Own Applications
The Bring Your Own Application (BYOA) Phenomenon Many organizations allow employees to use their own smartphones for work purposes (BYOD). BYOD can presents difficulties when content on BYOD phones become subject to legal holds. BYOA represents a greater threat than BYOD as most employees will not disclose the use of a non-approved application. Some organizations prevent employees from installing non-corporate approved communication applications on company issued smartphones.
BYOA: Content is Primarily Stored as SQLite Database Files Skype chat messages, incoming and outgoing call records, and file transfers made by a Skype account is stored in a file called main.db : C:\Users\*Username*\AppData\Roaming\Skype\main.db Kik contacts, messages, and contacts: For iPhones: /root/var/mobile/Applications/com.kik.chat/Documents/kik.s qlite For Android: /data/data/kik.android/databases/kikdatabase.db Forensic tools can recover and provide SQLite content for easy review.