Whether it’s the secret recipe for your gourmet cupcakes or a unique process for manufacturing your best-selling product, trade secrets are valuable company assets. When an employee leaves, there’s a risk they will take your trade secrets with them to a competitor or to start their own business. So what relief is available if you’re a victim of trade secret theft? Hawai‘i companies already can seek relief from the Hawaii Uniform Trade Secrets Act, but now there’s another tool to combat trade secret theft. On May 11, 2016, President Obama signed the Defend Trade Secrets Act (DTSA) into law, which adds a federal layer of protection for trade secrets.
Here are the highlights of the new law:
What does DTSA do? The DTSA creates a new federal remedy for trade secret misappropriation. Prior federal trade secrets law only criminalized certain misappropriations of trade secrets. The DTSA allows victims of trade secret misappropriation to sue in federal court.
Is the DTSA my exclusive remedy? No. The DTSA creates a national standard of trade secret law and gives you more options for seeking relief, but it doesn’t pre-empt state law. You may still take advantage of trade secret protections under state laws like the Hawaii Uniform Trade Secrets Act.
What’s so special about the DTSA? One feature of the DTSA is that it allows a court to grant an “ex parte seizure order.” This new remedy lets trade secret owners seek a court order to seize allegedly stolen trade secret items in the accused wrongdoer’s possession without first giving them notice. Seizure orders are granted only in “extraordinary circumstances.” To safeguard against abuse of seizure orders, the DTSA entitles victims of wrongful seizure to damages, punitive damages in cases of bad faith, and attorneys’ fees. It remains to be seen how courts will apply the ex parte seizure provisions of the DTSA and how often the remedy will be used.
What do employers need to know about the DTSA? Injunctive relief granted under the DTSA may not “prevent a person from entering into an employment relationship” and must be consistent with state law “prohibiting restraints on the practice of a lawful profession, trade, or business.” In other words, the DTSA does not override state law governing non-compete covenants. Claims under state law may need to be included in the lawsuit to enforce non-compete provisions in an employment agreement.
The DTSA also provides immunity for whistleblower employees (which the DTSA defines broadly to include independent contractors and consultants) who disclose trade secrets to any government official solely for the purpose of reporting or investigating a suspected violation of law or in a court filing made under seal. Notice of the whistleblower immunity provisions must be given in every agreement entered into after May 11, 2016 that restricts the employee’s use of a trade secret or other confidential information. The notice requirement may be satisfied by referencing the immunity provisions in a policy document (like an employee manual) rather than inserting the provisions into each employment agreement.
For more specific information on how the DTSA affects you, consult experienced legal counsel.
Your employees may return to the office after the holidays with new gadgets strapped to their wrist. Wearable devices like the Apple Watch, Android Wear smart watch, and FitBit are some of the hottest holiday gifts of 2015. Or maybe your company gave wearable devices as gifts to its employees. Either way, wearables are showing up more and more in the office. With that trend come a slew of legal concerns. Here are some of the legal issues created by wearables to be aware of:
Wearable devices make it easier to violate privacy rights. If the wearable device is employer-issued, it could be used to track and monitor employees. Be sure to give notice to employees before doing that, and obtain their written consent to having their activity monitored. Employees should be told what information the company collects and how it will be used. If your workforce is unionized, use of wearables for monitoring purposes may be a point for collective bargaining.
Then there’s the privacy of co-workers. Some wearables can record audio and video, but they’re generally less detectable than smartphones and cameras. An employees’ ability to record interactions with co-workers and customers without their knowledge raises a variety of legal challenges. Workplace policies should explain the circumstances under which certain categories may or may not be used and describe the kind of notice employees who use wearables in the workplace must give to co-workers and customers.
If a wearable device is allowed access to the company network, it should be subject to BYOD policies like use of encryption, strong password requirements, device locks, etc. Don’t let wearables be an undetected hole in your network’s security. Also be sure to preserve the right to collect work-related information stored on your employees’ wearable devices, as such access might be necessary to comply with information requests in an investigation or litigation.
Smartphones and web browsers already give employees plenty of opportunities to engage in distractions that kill productivity, and wearables make that problem even more challenging. Consider modifying your workplace policies to address the use of company resources and company time to engage in personal activity using wearables.
The National Labor Relations Board (NLRB) recently took the unprecedented position that an employer violated federal law by failing to engage its employees’ union in collective bargaining regarding its response to a data breach. The U.S. Postal Service (USPS) was the target of a 2014 data breach affecting over 800,000 of its current and former employees. The NLRB filed complaints against the USPS claiming that it executed its response to the breach without engaging in collective bargaining with the union. That’s a violation of National Labor Relations Act (NLRA) provisions mandating collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment,” the NLRA alleged.
The NLRB complaints specifically allege that the USPS violated the NLRA by failing to collectively bargain with the union about the impact of the breach on union members. The USPS also allegedly violated the NLRA by unilaterally providing a remedy for the breach (one year of credit monitoring services and fraud insurance at no cost to employees) without giving prior notice to the union and providing it with an opportunity to negotiate the remedy. The NLRB complaints arose from charges filed by the American Postal Workers Union and the National Rural Letter Carriers’ Association regarding the manner in which the USPS handled the breach.
This marks the first time the NLRB has suggested that data breach response and notification measures affecting employees relate “to the wages, hours, and other terms and conditions of employment” under the NLRA. If the NLRB’s position is found to have merit, that potentially makes the breach response process more complicated and costly for unionized organizations. Union negotiations would need to be conducted at the same time the organization is dealing with fallout from the data breach, such as repairing damage to internal systems, investigating the breach, and complying with breach notification laws. Union negotiations could put tremendous pressure on organizations trying to comply with data breach laws that require notification within a short time period after discovery of the breach. There is also a heightened risk of leaks to the press if organizations must notify unions before giving formal notification as required by law.
The NLRB’s complaints against the USPS reinforce the urgency of developing well-crafted breach response plans. Union organizations might wish to add items to their response plans that engage employee unions in the response process. Another precautionary measure is to solicit the input of the union in developing acceptable breach response protocols before a breach occurs rather than in the midst of a crisis situation.
The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.
The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information. Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.
Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense). But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.
Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work. Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.
If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.
Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.
Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.
The FTC released two guides on the privacy and security issues related to the Internet of Things. The first is a staff report based on discussions in an FTC-hosted workshop on the subject held on November 19, 2013. In addition to summarizing the workshop discussions, the report contains staff’s recommendations in the IoT space. This prompted a FTC Commissioner (Joshua Wright) to dissent from the decision to issue the report. In Commissioner Wright’s view, it is premature to publish staff recommendations in this area without further research, data, and analysis. The dissenting statement can be found here.
The report discusses the benefits of IoT as well as three risks:
- enabling unauthorized access and misuse of personal information;
- facilitating attacks on other systems; and
- creating risks to personal safety
The report also discusses Fair Information Practice Principles including security, data minimization, notice, and choice. Click here to read the full report.
Along with the staff report, the FTC issued a guide called “Careful Connections” that provides recommendations on building security into IoT applications. Download the guide here.