Do You Know Who Has Your Proprietary Information?

Friday, June 1, 2007 - 01:00

Editor: Please give our readers an overview of your practice area.

Williamson: My practice is limited to labor and employment litigation issues, which span all areas of labor and employment law - claims of wrongful termination, harassment, breach of contract, wage and hour claims. Recently, a great portion of my practice has extended into the area of unfair competition, which includes claims involving thefts of trade secrets and other confidential and proprietary information from an employer, breaches of non-compete agreements, and the raiding of an employer's employees on behalf of another employer. It also includes advice and assistance to employers when they are having a substantial labor force reduction, which triggers possible WARN Act claims. I assist employers with the protection of their ERISA plans and litigating/defending claims brought by current or former employees for benefits under those plans. When it comes to wrongful termination or harassment claims my practice is generally limited to defending employers or the employees who are accused of the wrongful conduct or harassment. When representing clients in unfair competition cases, I may represent either the plaintiff or defendant, but either way, I typically represent the business rather than individuals.

Editor: Describe what you have named "corporate espionage" as compared with "industrial espionage"?

Williamson: We are seeing an expansion of corporate espionage - which is a company's use of a competitor's current or former employees to steal confidential and proprietary information or trade secrets. I believe we are seeing an expansion of that conduct and those claims because of the ease in obtaining information from the electronic systems of businesses by use of electronic means or devices such as thumb drives, electronic mail transfers, or the downloading of electronic information onto a CD or DVD. We are seeing an increase in the number of those employees who have access to sensitive information, taking that information and giving it to their new employer (a competitor), or using the stolen information even without the new employer's knowledge so as to give the employee or employees an advantage in their career with the new employer.

Editor: Would this apply as well if they were starting their own business?

Williamson: In fact, that is where it benefits them the most - when they are starting their own businesses and they need this proprietary information or trade secrets to give them a leg up. Sometimes they do not use this confidential information in a way in which they actually earn a profit from the use. Rather, they many times are using it in a manner to avoid the development costs associated with starting a new business or certain aspects of the new business.

Editor: What about taking customers from a former employer?

Williamson: Unless there is a non-compete agreement, there may or may not be a legal problem with customers moving with the former employees to a new business. If you have an enforceable non-compete agreement, there are limits on what a former employee can do in terms of contacting those customers and in terms of conducting business with those customers. If the employee takes confidential lists of customers that contain the details of the customer's business and the customer's contact information, even without a non-compete agreement, the employee and the new employer could end up finding themselves in litigation with the old employer under common law unfair competition theories and various tort claims.

Editor: In addition to recent headline-making cases involving theft of thousands of credit-card numbers and personal data, on a smaller scale, what has the incidence been of data theft cases involving trade secrets and proprietary corporate data?

Williamson: It's difficult to say. Many times employers stumble onto the thefts of their current or former employees, so it makes you wonder how many thefts go unnoticed. Typically, a company's concern about loss of sensitive information grows out of some tell-tale clues that arise around the time an employee has departed. In those situations, I will typically first recommend that we examine the activities that have taken place on the employee's computer. With the computer forensic experts we can identify whether an employee has used a thumb drive or burned CDs, the information electronically transferred, and we gather a lot of information from the email transfers that have taken place on the computer and electronic system.

Editor: Are there technical protections that an employer can implement to prevent employees from engaging in these activities?

Williamson: One large USA corporation is filling in the ports or slots on all their employee computers such that the employee is not able to insert a thumb drive or burn CDs and DVDs - a step that, on the one hand, could lead to some inconvenience on the part of the employees in his or her legitimate day-to-day work, but on the other hand will prevent employees from downloading massive amounts of sensitive information for unauthorized purposes. I have seen some employees go so far as to buy a number of external hard drives and download massive amounts of information in a few hours from the victim company's server thereby allowing the dishonest employee to later sift through the information at his leisure and upload onto a competitor's server or computers the information of importance. Employers can disable those ports or devices so as to prevent employees from downloading massive amounts of information. Firewalls can be put up so that only certain people have access to sensitive information. Most sophisticated businesses, whether large or small, will already have put in place steps to prevent most employees from gaining access into sensitive data areas to which they have no authorization. However, you are always going to have people who know how to side-step these protections.

Editor: What sanctions can be applied against employees who steal?

Williamson: We seek injunctions against those employees who we determined have engaged in suspicious conduct and ask the courts to prevent them from removing or erasing information from their computers and the systems of the competitors. If they have stolen our client's information, they and any company that has used this information in any way may be responsible for damages. We are seeing a number of situations where employees or the companies that have obtained information illegally try to erase that information from their computers or try to hide the external devices that store that information. In those situations, the courts are able to issue significant sanctions, whether monetary or striking the defenses of the dishonest competitor or former employee. There are also helpful statutes for pursuing these claims such as the Federal Computer Fraud and Abuse Act that sets forth both criminal and civil sanctions for the unauthorized transfer of information to a company or person not entitled to that information. Once an employee takes the information for improper usage, he has violated the Act. Civil sanctions include an award to the victim company of its attorneys' fees, expert fees and the damages that the victim company establishes. If the new employer is the beneficiary of this information and condones or encourages the theft, then it will be responsible for the damages suffered by the victimized company.

Editor: Please describe the liability that an aggrieved employer may be subject to for failure to prevent data theft.

Williamson: If sensitive information is stolen by a current employee, there will be some review of the employer's processes to protect that information. Employers are not going to let everyone in the company have access to sensitive personnel or consumer data information. If you are a healthcare provider, there are federal statutes that protect patients from the disclosure of their identities and other sensitive information. As an employer, you would want to take the steps necessary to protect patient information. It is something that employers and businesses are very conscious of and are taking steps to prevent because there is potential liability, depending on the circumstances and information stolen. Consumers might sue, patients might sue, the authorities might become involved, and of course, companies who fail to protect their confidential proprietary information run the risk of losing competitive advantages.

Editor: Doesn't an employer that finds out that this information has been stolen have an obligation to notify persons whose sensitive information has been taken?

Williamson: Absolutely. In my opinion the best thing to do is to notify those individuals whose information may have been taken as soon as possible so that they can take the steps they need to take to protect themselves. For example, last year the University of Texas immediately notified parents of its students when it discovered that student information may have been taken and then later confirmed that it was in fact taken - a quick response that was welcomed by the parents and students alike, I believe. There are also problems with people's laptops being stolen. While one can have a sense of confidence if data is password-protected on a computer, thieves, nevertheless, are able to remove the hard drive and put it into another computer to side-step the password. Therein lies a huge risk and potential liability of businesses who fail to adequately protect their customers' sensitive information.

Editor: What advice do you offer to employers in terms of educating employees to the grave risk they face if they engage in unauthorized use of company information, even if it is not passed along to another employer?

Williamson: The degree of shock and surprise that an employer undergoes when it discovers that an employee may have taken sensitive information always amazes me. Most employers do not take any steps to warn their employees of the consequences of unauthorized use of or access to the electronic information until they are the victims of the crimes. While most sophisticated employers require employees to sign confidentiality agreements wherein the employees agree they will not take or use sensitive information, those agreements are as good as the paper they are written on. I have seen employers, after the fact, issue notices and warnings to their existing employees that there has been a theft of electronic information, that the company has brought a lawsuit against those who engaged in the wrongdoing, and that they are considering turning this information over to the authorities for prosecution. It is far better to warn employees up front that theft of trade secrets could lead to civil and criminal sanctions rather than waiting until there has been a theft of sensitive information. All of us understand that you cannot go into a store and take jewelry, but I do not think that a lot of employees recognize the seriousness of downloading or transferring confidential information until they are hit with a lawsuit and possible criminal sanctions. Trade secrets are the life blood of an organization.

Editor: Do you have any thoughts about how we as a nation can better protect our data security since much of the theft may be coming from abroad as well as at home?

Williamson: As individuals we can be careful about the information we disclose over the Internet. We can be careful about the protection of our laptops. We should also make sure that our mobile communication devices have passwords on them so that if we lose them, no one can come in and read the information. For example, I have attorney-client communications on my laptop and Blackberry, but both are password protected, and I make sure I know where both are at all times.

As a nation we need to look at this from an individual standpoint and try to take steps to protect ourselves. From a corporate standpoint we need to take steps to prevent those who should not have access to this information from gaining it.

These are the areas that are so important for businesses and individuals to be thinking about at this moment because I do see data theft on the increase. It is creating a great deal of concern for businesses, and it is costing them so much money, first to hire the experts to identify and find what was lost and then to pay attorneys' fees to follow up and prosecute these matters.

Please email the interviewee at hwilliamson@akingump.com with questions about this interview.