By Austin J. McGuigan and Jennifer J. Weitz-Clancy
I. THE PROBLEM
It comes as no surprise that intellectual property crimes are on the rise in the United States. A recent survey conducted by the American Society for Industrial Security (ASIS) and PricewaterhouseCoopers, released in April, 1999, identified a dramatic increase in theft of proprietary information over previous years. Fortune 1000 firms reportedly sustained intellectual property losses of more than $45 billion during 1999 alone, with company insiders posing the greatest threat. The manufacturing sector reported losses of almost $900 million, making them the hardest-hit sector of all those surveyed.
Opportunities to steal trade secrets are likely to continue as society becomes increasingly reliant on technological methods of research, development, storage and transmission of ideas, designs and prototypes that are commercially advantageous. The problem is complicated further by the desire of many companies to obtain information about competitor's product strategies and by a transient workforce subscribing less to notions of company loyalty than workforces of the past.
II. THE PRIME OFFENDERS
Warnings to anticipate foreign and national theft of proprietary information have proliferated in the media over recent years. Annette Haddad, Scott Doggett, Global Savvy in Industrial Spy Cases, It's Those Americans That You Have to Watch, Los Angeles Times (Oct. 25, 1999), C2. The National Counterintelligence Center, made up of counterintelligence experts from 13 United States agencies, has warned that industrial espionage against U.S. - based businesses by foreign entities, including governments, is threatening U.S. competitiveness in the global market. Yet, the FBI warns that despite the threat of foreign corporate espionage, residents of the United States pose a greater, more immediate, threat. Insiders, for reasons of greed, revenge, ego and/or diminished loyalty typically provide the means by which confidential information is misappropriated.
To understand the parameters of legal and illegal business conduct, it is important to understand the meaning of terms frequently used in association with economic espionage. Competitive Intelligence is one or more techniques employed by a business to lawfully and ethically obtain information about other businesses. John A. Nolan, III, Competitive Intelligence, 20 J. Bus. Strategy 11 (Nov. 1, 1999). Large corporations may have staff devoted to this practice and/or may instruct sales and marketing staff to pursue information through business contacts, observations in the field, business journals and other sources of public information. Businesses may also hire investigators to develop and manage one-time or ongoing company-specific competitive intelligence plans. The small proprietor will perform many of these tasks herself. A solid competitive intelligence program will have well-defined objectives, methods, reporting, analyses, monitoring and company oversight.
Why engage in competitive intelligence? There can be great commercial advantage to getting a particular product into the market first, to producing an equivalent product at lower cost or securing patent or other rights before a competitor does. The advantages are so substantial that they have led to the generation of an entire industry of competitive intelligence professionals. Competitive advantage may be deemed unfair advantage if the methods employed to obtain information fall outside legal boundaries.
Likewise, Business Counterintelligence is the set of proactive measures taken by a business to identify and neutralize actual and potential disclosures of intellectual property assets through employees (including former employees, temporary employees, consultants and others with temporal legitimate access to company information) or by means of another company or government's competitive intelligence program. A solid program of counterintelligence will include a well-developed understanding of what needs to be protected, for how long, from whom and what the business' vulnerabilities may be. This requires learning what competitors are interested in and may include using knowledge of a competitor's intelligence gathering plan to plant a red herring that will impair or delay the plan's success.
In short, people steal business' most valuable information and plans to counter such theft must be proportionate to that value.
III. THE LAW
A. Civil Remedies
Recognizing the commercial value of intellectual property and the need to safeguard it consistent with safeguards constructed to protect tangible property, most states have adopted versions of the Uniform Trade Secrets Act (the "Act"). The Act provides civil remedies such as injunctive relief and compensatory damage as well as punitive damage awards for willful and malicious misappropriation of trade secrets. See e.g., Connecticut General Statutes §35-51 et seq. and Elm City Cheese Co. v. Federico, 251 Conn. 59 (1999) (affirming the trial court's treatment of customer and supplier lists, financial information, product pricing and cheesemaking processes as trade secrets under the Act and affirming that court's grant of injunctive relief and punitive damages).
B. Criminal Prosecution
The Economic Espionage Act (the "EEA"), while enabling the U.S. Attorney General to obtain injunctive relief; 18 U.S.C.A. §1836; is a criminal statute conferring no right of action on private citizens. Boyd v. University of Illinois, Case No. 96 Civ. 9327 (TPG) (U.S. District Court, S.D. N.Y.) (Sept. 30, 1999) (1999 WL 782492). See Appendix A for the full text of the statute. As a criminal statute, the EEA takes trade secret protection to another level, recognizing a connection between corporate well being and national security as well as the inadequacy of civil remedies that can only be prosecuted at substantial cost to plaintiffs or inadequately funded state governments. S. Rep. No. 104-359, at 11 (1996). United States v. Hsu, 155 F.3d 189 n.7 (1998). "The EEA became law in October 1996 against a backdrop of increasing threats to corporate security and a rising tide of international and domestic economic espionage. The end of the Cold War sent government spies scurrying to the private sector to perform illicit work for businesses and corporations . . . and by 1996, studies revealed that nearly $24 billion of corporate intellectual property was being stolen each year. Richard Heffernan & Dan T. Swartwood, Trends in Intellectual Property Loss 4, 15 (1996). * * * The problem was augmented by the absence of any comprehensive federal remedy targeting the theft of trade secrets . . . ." Id. 155 F.3d at 194.
The absence of appropriate legislation required the government to either avoid prosecuting those who stole intangible property or to try to conform facts sounding in trade secret theft to fit within existing statutes designed to serve other purposes, such as the National Stolen Property Act, 18 U.S.C. § 2314, or the mail or wire fraud statutes, 18 U.S.C. §§ 1341 and 1343. Id.
Pursuant to the EEA, a wide range of conduct may be treated by U.S. prosecutors as criminal. The statute protects trade secrets including "all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if . . . (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public." 18 U.S.C. § 1839.
Punishment under the EEA may be imposed on individuals and on businesses that engage in corporate espionage. Individuals acting within the context of a local violation, one not intended to benefit a foreign government, may be sentenced to ten years in prison and/or fined $250,000 for a violation; organizations can be fined as much as $5 million for such an offense. 18 U.S.C. § 1832. Espionage on behalf of a foreign government may exact greater punishment including imprisonment of up to fifteen years and/or fines of up to $500,000 for individuals and fines of up to $10 million for organizations. Courts are further empowered to impose injunctive relief and compel criminal forfeiture under either circumstance. 18 U.S.C. §§ 1834 and 1836(a).
To date, as many as twenty cases have been prosecuted under the EEA. And approximately eight hundred cases are being considered by the Department of Justice for additional prosecutions. Richard V. Weibusch, Vincent I. Parrett and Marion Eichert, U.S.: A Case Study: A U.S. and a German CEO React to Theft of Trade Secrets, Mondaq Business Briefing (Nov. 17, 1999) (1999 WL 8711662). The number has been necessarily low during the first years after the EEA's enactment. This is due, in part, to a pledge by Attorney General Janet Reno that for the five years after the EEA's passage, the government would not pursue charges without first having obtained personal approval to proceed by the Attorney General or her designee. The five-year window ends in October 2001, and it is expected that prosecutions will increase substantially thereafter.
IV. REALITY CHECK: LIMITATIONS OF THE ECONOMIC ESPIONAGE ACT AS A TOOL FOR PRIVATE ENTITIES
Although its enactment clearly enhanced the government's ability to halt, to punish and to deter misappropriations of trade secrets, the Economic Espionage Act has weaknesses. First, the Act is not a tool available at the discretion of a business. Rather, whether specific violations of the EEA will be prosecuted is a matter currently decided by the Attorney General and therefore the act of reporting a suspected crime will not necessarily result in prosecution. Second, even if the government is willing to take up the cause, businesses may not want to rely on the government, whose duty runs to the public generally, to prosecute the matter. Likewise, depending on the facts of each situation, a business may not want the burden of cooperating with governmental investigations and/or sting operations. Third, where a complaint alleges actual theft of trade secrets, the court may compel disclosure of the very information that a business has sought to keep secret. This may occur where the evidence is considered material such as where a defendant asserts a defense of impossibility or any other defense that raises the issue of whether the information identified qualifies as a trade secret or not within the meaning of the EEA. U.S. v. Hsu, supra, 155 F.3d at 205-206. Fourth, although prosecutors to date have been successful at obtaining guilty pleas, the statute, as written, embodies several substantial defenses that must be overcome relating to proof of intent. See Joseph F. Savage, Jr., Carol E. Didget, The Economic Espionage Act: A Promise Unfulfilled?, Intellectual Property Law Weekly (November 12, 1999).
Lastly, a business that reports trade secret theft to the government must anticipate that the trade secret loss will become public information over which the business has no control. Disclosure of such a loss may thereafter effect public and investor confidence in the business, its management and its products. For these reasons, businesses are best advised to consult, in confidence, with counsel before reporting suspected losses to the U.S. Attorney or F.B.I.
V. THE PRACTICALITIES
A. PROTECT YOUR INTELLECTUAL PROPERTY ASSETS
Notwithstanding the fact that criminal and civil laws now exist to deter and punish trade secret theft, businesses are best advised to actively protect their intangible assets against loss. Preventive steps are also necessary to ensure that, if misappropriation does occur, statutory protection will be available. To qualify for protection under the Economic Espionage Act or the Uniform Trade Secret Act, for example, businesses must be able to demonstrate that, before suffering a loss, they employed "reasonable measures" to restrict access and prevent unauthorized disclosure of the confidential information at issue. The following discussion provides a framework for satisfying the reasonable measure standard.
1. Develop a Trade Secret Protection Plan (TSPP)
The obvious first step in developing a TSPP is to assign or employ one or more coordinators to be responsible for the plan's development and oversight. These coordinators should be worthy of your utmost trust and loyalty, appreciate your business' big picture and the need for keeping certain information confidential, and be willing to commit to the task of developing the TSPP for at least one year. Once your coordinators are selected, organization should be your underlying theme.
Coordinators must identify information that the business does, or should, deem worthy of protection. Such information may relate to marketing plans (the business does not want competitors to know the date the product will hit the market, the identity of its independent salespeople, its customer or prospective customer list, its list of suppliers etc.). It may be found in research and development records including notes, photographs, computer codes, computer storage, email, in draft patent applications or in the minds of company researchers. Coordinators must educate themselves at this stage of the plan's development.
Knowing what needs to be protected, coordinators should then establish a budget for the further development and then implementation of the TSPP. A security plan for confidential information is a necessary adjunct to security systems in place to protect tangible property. The budget should reflect the fact that no protection or deficient protection may result in substantial business losses, and, in some cases, loss of one's business in its entirety. Investors, insurers and others with financial interests in a business should insist that a TSPP be implemented, particularly in businesses dependent on research and development and first-to-market success.
Coordinators must then investigate business vulnerabilities to loss of confidential information. Review may be made of access logs and employee records to determine whether patterns of access and use suggest possible breaches of company policy or security. This vulnerability audit may also require the assistance of an outside firm that conducts such investigations and may even include an outside firm's staging of attacks designed to penetrate security systems already in place.
The TSPP should identify specific measures that can and will be followed to decrease the business' vulnerability to loss. Human resources personnel and others involved in recruitment should be informed as to what subject matter the business considers sensitive and methods for keeping it confidential during the recruitment and hiring process. They should learn special techniques for screening candidates to assess whether candidates have confidential information from former employers that may be disclosed to your staff after hiring and for which your business may become liable. Hypotheticals involving sensitive information should be given with inquiry, not instruction, designed to elicit the candidate's response to misappropriation opportunities. And character references should be checked. Ask the character reference for additional names not supplied by the candidate for further investigation if necessary. All such inquiries should be documented. Lastly, civil and criminal records may be researched to determine whether prospective employees have been accused of acts suggesting a tendency to lie, steal or commit fraud or other wrongdoing.
Coordinators may require that current employees, including directors and/or trustees, new hires, consultants, temporary workers, contractors, and others, enter into confidentiality agreements. These agreements should be specific, as boilerplate agreements may not satisfy the burden of taking reasonable precautions for purposes of invoking civil and criminal statutory protection.
Likewise, key employees should sign non-competition agreements. Coordinators should have counsel review the agreements to determine whether relevant jurisdictions will enforce the agreement's terms. Courts may decline to enforce non-competition agreements where deemed to be excessive in terms of the scope of competition limited, the duration of the limitation and the geographic restrictions imposed.
The TSPP should also include protocol for securing information upon employee termination. Depending on the nature of your business and the employee's role and access, it may be appropriate upon termination to immediately restrict or eliminate the employee's access to sensitive information and to require the return of devices that contain or might be used to access the same.
Exit interviews should be required upon departure. Prior to the interview, inform the exiting employee, in writing, to return all materials that are proprietary or potentially proprietary in nature. At the interview that follows, remind the employee of his or her legal and contractual obligations. Discuss restrictions on the use of information acquired as an employee, the terms of any agreements the employee entered into such as non-competition and/or confidentiality agreements and remind the employee of obligations established by laws such as the EEA. Finally, collect all materials and require the employee to sign a statement under oath to the effect that he or she has been reminded of her post-employment obligations and has returned all materials.
2. Enforce the Trade Secret Protection Plan
Coordinators should include protocol for enforcement in the TSPP, methods for calling coordinator meetings, and methods for periodic review of the TSPP. Every revision should be communicated to employees subject to the plan and receipt of such revisions should be acknowledged by a writing that is recorded.
Enforcement of the TSPP will have two aspects: potential breaches raised by employees and/or coordinators, and periodic collection and review of TSPP data for evidence of breach.
Enforcement action deriving from suspected breaches should be conducted professionally and without violation of the employee's legal rights. Consultation with employment counsel may be advisable during this process depending on the circumstances, and all enforcement actions should be documented.
B. GUARD AGAINST BUSINESS LIABILITY UNDER THE EEA
The Federal Sentencing Guidelines Commentary to § 8A1.2 are instructive in determining what may constitute due diligence sufficient to ensure that businesses do not become saddled with liability for theft of trade secrets. The two likely scenarios under which such claims might be raised are 1) when competitive intelligence has arguably exceeded lawful bounds and 2) when an employee's conduct may be imputed to the business.
When preparing written policies, use the language of the Sentencing Guidelines, and language from the EEA itself, as a starting point. Give specific guidance to employees. Detail not only the information that is germane for a sales person to obtain, but the method by which the information may legitimately be obtained. Delineate what sources are public sources, such as trade journals, newspapers, stock information from the SEC and government filings, then give examples of sources that are not within the public domain. Learn methods of competitive intelligence employed at previous jobs by new hires and communicate the boundaries within which they now must work. Make it clear to new hires that you do not want access to or use of trade secrets belonging to others. Document this.
If you learn that potential trade secrets of another company may be used by a new hire, establish what steps must be taken to ensure compliance with the EEA including notification to the former employer. Make it policy for employees to notify management 1) of information gathering by other employees that may run afoul of the EEA, 2) when competitors or others are seeking their cooperation in obtaining information, and 3) any time they receive information that may constitute trade secrets of another company. Advise them that the decision as to whether confidential information should be treated as protected or not is to be made by your legal department or a specific designee, not the undesignated employee.
Assign specific high-level personnel the responsibility for overseeing compliance with standards and procedures designed to avoid criminal liability. They will be most effective who have the fortitude to influence all levels of your organization to change organizational behavior as necessary to ensure compliance. Exercise due care not to delegate substantial discretionary authority to individuals whom you know or should know through the exercise of due diligence, have a propensity to engage in illegal conduct. Require only authorized personnel to perform acts such as receiving competitive information customers, suppliers, contractors or other sources.
Your organization must takes steps to communicate its standards and procedures effectively to all employees and other agents. Methods include 1) requiring participation in training programs, 2) disseminating publications that detail the requirements in terms the reader can understand, 3) discussion and distribution of such materials during an employee's initial orientation, and/or 4) periodic dissemination of the materials to current staff. Obtain signatures from employees stating that they have read the material or have had it read to them in a language they understand and that they agree to abide by its terms. Do not limit training to support staff. Top scientists, engineers and designers have been among those successfully prosecuted under the EEA.
Finally, implement periodic reviews to assess the success or failure of various components of your compliance program. Publicize a reporting system by which employees and agents may report suspected criminal conduct without fear of retribution, and act on all reports of suspected trade secret theft or planning. Enforce the standards you have set. Take appropriate action to investigate and identify possible violations, documenting the results of any investigation, and reporting the results to appropriate authorities. This is different in effect from the reasoning behind enforcing your TSPP. Failure to report the action of one of your employees or agents may be construed as complicity, for purposes of liability, under the EEA. The Sentencing Guidelines require businesses to take adequate disciplinary action.
In sum, the EEA is a first step toward whole-scale protection of the intellectual property of businesses and individuals. Not without its problems, the EEA has generated substantial prosecutions sufficient to put employees and competitors on notice of the potential consequences for violating the EEA's dictates. The burden on businesses, however, has not been alleviated. Businesses must actively protect their trade secrets, educate employees, monitor, document and report suspicious behavior. In this regard, the EEA serves as both a beacon and a warning regarding the risks of potential loss and those of liability in the intellectual property domain.