Why is PNC Bank Accusing Morgan Stanley of Corporate Espionage and Trade Secret Theft?


I often write about corporate espionage and trade secrets, but I bet some of you may still be trying to imagine real-world scenarios that demonstrate exactly what those terms mean and how they apply. Let me tell you a story and see if it helps make more sense of them.

Let’s Talk About Your Business

Let’s say you have a business and you have some really valuable information that your employees use when they are working for your business — the most important of which is the list of your customers and all of the background information you have compiled on those customers. Because you know how valuable this information is, you have had your company’s IT department implement certain technological limits to keep people from downloading that information to USB drives, Dropbox, or emailing it to their Gmail account. You’re really thinking ahead of the curve in trying to safeguard your trade secret information and you’re feeling pretty proud of yourself. And, you should, because most businesses don’t go to such efforts to protect their valuable trade secret information.

Zig Ziglar had a saying about dishonest employees: “If a person is dishonest, I hope he is dumb. I’d hate to have a smart crook working for me.”

You, however, hired smart …

Now let’s imagine you had a pretty senior, high-ranking person in your company decide to leave to go work for one of your competitors, where having your customer list (with all the extra information included) would be a great asset to them. And, you later come to believe, the competitor was actively trying to hire your employees and was trying to get them to take your trade secret information and bring it with them. You, however, have thrown a kink in their plans with your on-the-ball IT department’s information security practices. Or so you think.

Before telling you of her intentions to leave your company, this soon-to-be former employee still has access to your trade secret customer list from her computer and decides to access it on the system and pull it up for one last look. Can you imagine what she does next?

She whips out the trusty little smart phone and takes picture after picture after picture of all of the information on her computer monitor! She didn’t download it — she couldn’t. But she has it in several digital images on her mobile phone and when she goes out the door of your company, so too do your highly valuable trade secret customer lists.

Here Is The Real Life Case

This is a storified version of the allegations made by PNC Bank against its former employee, Eileen Daly, and her new employer Morgan Stanley in the case PNC Financial Services Group, Inc. v. Daly and Morgan Stanley, Inc. (Complaint) filed in the United States District Court for the Western District of Pennsylvania on March 14, 2014.

What makes this case (as alleged, anyway) a case of corporate espionage? Simple. It is one company trying to steal the valuable information of another company. It happens all the time. In this case it just so happened to be by an “insider” — a departing employee.

This is Clearly a Trade Secrets Case — But Could it Also Be a CFAA Case?

PNC sued the defendants for several causes of action, including misappropriation of trade secrets and unfair competition — exactly what you would expect in a case like this, right? It did not, however, sue them for “unauthorized access” in violation of the Computer Fraud and Abuse Act and, while I can think of several reasons why PNC may not have done so, it did get me to wondering if they could have. I mean after all, there have been much weaker CFAA cases filed in Pennsylvania District Courts.

What Does the Statute Say?

To violate the Computer Fraud and Abuse Act under the most lenient part of the statute, the defendant must “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] … information from any protected computer;” 18 U.S.C. § 1030(a)(2)(C). And here, the information could not be downloaded, even though attempted, sooooo …..

Was There an Access?

Maybe so. She did have to access the computer system to retrieve the information and pull it up on her computer monitor. The question of whether her access was unauthorized or exceeded authorized access has not been conclusively determined by the Third Circuit; however, the bulk of the district court cases tend to follow the Strict Access Theory of the Ninth and Fourth Circuits, under which it probably would not have been improper, though in the Fifth and Eleventh Circuits, under the Intended Use Theory, it may very well have been.

Was Information Obtained?

Yes, it was. The defendant took pictures of the trade secret customer lists — information — and kept those pictures on her smart phone. That sounds like the obtaining of information to me.

Was There a Loss?

I don’t think so. Without the “loss” there is no civil case unless there is “damage,” which is not very common. For the difference between the two, see Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz

The federal district courts in Pennsylvania are extremely strict when it comes to calculating the loss under 18 U.S.C. § 1030(g). Last year I handled the defense of a civil CFAA case in the Eastern District of Pennsylvania and thoroughly briefed two motions to dismiss that were heavily premised on the Pennsylvania district courts’ strict loss jurisprudence. (Here are the motions: Motion to Dismiss and Motion to Dismiss Amended Complaint) I convinced the plaintiff to dismiss the claims against my client with prejudice before the plaintiff filed a response or the court ruled on the motions; however, I remain very confident that the positions asserted in the motions were consistent with the courts’ standards on this issue and would have been successful.

Under these standards, I cannot imagine how investigating the taking of pictures of a computer monitor could qualify as a “loss” or “damage” such as to get the case past 18 U.S.C. § 1030(g) and survive a motion to dismiss. I haven’t put a lot of thought into this, and am not saying it can’t happen; I just haven’t thought of how it would.

My guess is this is why the attorneys representing PNC didn’t bother throwing in a claim for violating the CFAA — well that, and, they probably didn’t see a need for it since they were already in federal court on diversity jurisdiction!

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

So, your business has never had a data breach? Have you ever had an employee leave?

TAKEAWAY: Businesses must protect their data from being taken by anyone who is not authorized to have it — insiders and outsiders alike. If their data is taken in a way that is unauthorized, it is a data breach. When a former employee leaves with a thumb drive, Gmail inbox, or Dropbox of your business’s data, that person is then an unauthorized person in possession of your business’s data and that is a [YOU FILL IN THE BLANK].

The Problem

Businesses lose employees every day for various reasons. When an employee is leaving it is not uncommon for them to think something like this:

  • “I did a really great job on that project, that’s really my work, not Tyrannaco’s.”
  • “I brought those customers to Tyrannaco, they are really my customers.”
  • “I did such a great job on that proposal that I am going to keep a copy for a form in case I ever need to do one again.”
  • “The stupid management at Tyrannaco never recognized the value of what I brought to the table — I need to let these people know that I was really the one doing all of the work.”
  • “I always keep a copy of everything I do, that way if it gets lost, I always have a backup copy.”

… and with those rationalizations, and infinitely more, we all know what happens next. The employee decides to keep their own copy of your business’s data, including all of the sensitive private information that your business’s customers have entrusted to you for your safekeeping. And then the employee decides to open their own business or go to work for one of your competitors and guess what they’ll bring with them …

Let’s summarize: Your customers entrusted your business with their sensitive information, which was taken from your business and is now in the hands of someone else. You, my friend, have been breached!

Now the next section tells you why you should care. I’ll leave it at that, you get the point.

Overview of Texas’ Data Breach Notification Law

Texas’ data breach notification law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure to notify?

Section 151.151 of the law provides that the penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time, not to exceed $250,000 for a single breach.

Any more questions?

When leaving your job, make sure you do this if you really want to violate the Computer Fraud and Abuse Act!

TAKEAWAY: Do not access your former employer’s computer system without its consent after you no longer work there. New employers, do not encourage or permit your new employees to do this either.

There has been much debate over the last couple of years over whether an employee violates the Computer Fraud and Abuse Act by wrongfully accessing and obtaining information from the employer’s computer for nefarious reasons – while still being employed. This has been referred to as the “circuit split” because the circuit courts of appeal have three different approaches for determining whether this violates the CFAA, what I refer to as the Trilogy of Access Theories (see bottom of post for explanation). What is not open to debate, however, is whether a former employee violates the CFAA by wrongfully accessing his or her former employer’s computer system after he or she no longer works for that employer.

That is the lesson of Nouveon Technology Partners, Inc. v. McClure & Smarter Systems, LLC, 2013 WL 811102 (W.D.N.C. March 5, 2013). The basis for the Court issuing this order is not the reason I am blogging about it; rather, I am blogging about it because I think the facts of this case are something that all employers and employees need to understand and this case does a nice job of illustrating that point.

The basic facts are all too familiar. Employee decides to go work for a new company and wants to take her former employer’s confidential proprietary information and use it to work for her new employer. Where the facts differ from many of these cases is that, according to the Plaintiff’s Complaint, the employee accessed the employer’s computer system and took the information after she no longer worked for the employer. I recommend you read the Complaint because it does a nice job of laying out the investigation into the employee’s conduct and clearly distinguishes the former employee’s activities prior and subsequent to her employment ending.

The employee’s last day of employment was April 23, 2012. She was directed to return all of the employer’s property in her possession, and it was understood that she was no longer permitted to access the employer-owned computer system (including the laptop that was issued to her) after her employment ended. She was to return the company-issued laptop on April 23 but did not return it until later:

58.   The forensic search of the laptop computer also revealed that McClure had, without NouvEON’s knowledge or approval, retained and continue to use the NouvEON-owned laptop computer in her possession through the evening of April 23, after she had officially ended her duties for NouvEON and was no longer a NouvEON employee. Throughout the evening of April 23, McClure utilized the username and password provided to her by NouvEON solely for NouvEON business to continually remotely access NouvEON’s Salesforce.com account and various folders on the laptop containing Confidential Information such as NouvEON’s recruiting candidate pipeline, information regarding sales activities, the resumes of candidates identified and interviewed by NouvEON for placement with NouvEON clients and related recruiting information.

59.   As a result of further forensics analysis of the NouvEON-owned laptop used by McClure, NouvEON has now learned that after McClure became an employee of Smarter Systems, she continued to remotely access NouvEON’s Salesforce.com Database to access and misappropriate NouvEON’s Confidential Information by using a username and password issued to another employee through as late as June 7, 2012.

60.   In summary, the foregoing forensic inspection of the NouvEON laptop computer used by McClure revealed for the first time that prior to and for over one month after her last day of employment with NouvEON, McClure regularly accessed and misappropriated, and likely downloaded, highly sensitive and proprietary Confidential Information belonging to NouvEON. McClure’s actions in this regard were not known by or authorized by NouvEON and are in violation of her Employee Agreement and NouvEON’s policies.

So there you have it, if you are looking for a really great way to violate the Computer Fraud and Abuse Act when leaving your job, just do what McClure did! If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

How Do You Violate the Computer Fraud and Abuse Act? SunPower Lawsuit Shows How!

A new lawsuit has been filed by SunPower against 5 former employees and its rival SolarCity alleging violations of the Computer Fraud and Abuse Act. This is a good one to look at if you want to see how to violate the CFAA with style — especially if you are a soon-to-be-departing employee and you don’t want there to be any doubt until the 9th Circuit resolves the access issues in US v. Nosal.

You’re following me on this, right? Ok, good, let’s have a little test to see: do you know which of these two tidbits of factual information I am talking about that is so important, (a), (b), or both?

(a) “Leyden connected at least three personal USB storage devices, commonly known as flash drives, to SunPower’s internal computer network and downloaded thousands of sensitive sales files and documents in clear violation of the company’s internal guidelines, said SunPower, which said it conducted a forensic analysis of its computer systems before filing the lawsuit.”

“‘The forensic evidence indicated that Leyden copied at least thousands of files containing SunPower confidential information and non-confidential proprietary information to these devices,’ said the complaint. ‘These files included hundreds of quotes, proposals, and contracts, as well as files containing market analysis, forecast analysis and business analysis.’”

“Leyden also accessed highly confidential data from SunPower’s SalesForce database, according to the lawsuit, including information on major commercial customers who accounted for more than $100 million in sales in 2011.”

OR

(b) “Aguayo, who joined SunPower in 2005, had accessed his company e-mail account after Nov. 1, his last day of employment. It said it then discovered that Aguayo had forwarded several e-mails containing customer information, price lists and market reports to his personal e-mail address in mid-November.”

Let’s hear it, what is your answer?

Now, to give credit where credit is due, I first read about this in a nicely done article by Dana Hull (@danahull) from which the above quotes were taken: SunPower sues five former employees and rival SolarCity for data theft and computer fraud. Ms. Hull was kind enough to include a copy of the Complaint in her article so give her a shout-out and tell her thank you for making it a little easier for you to get a hold of this fun reading!

3 Recent Computer Fraud and Abuse Act Cases Worth Noting

Three recent Computer Fraud and Abuse Act cases decided over the last couple of months are worth looking at because they show the following points, respectively: (1) the CFAA in its current form does not give consumers an adequate remedy for privacy related data breach issues; (2) the CFAA’s focus on “access” is more akin to trespassing on a computer system than using a computer to commit a traditional “fraud”; and (3) the way a judge “walks through” the evidence vis-a-vis the elements of a basic civil claim under the Computer Fraud and Abuse Act.

Why the Computer Fraud and Abuse Act in its current form does not give consumers an adequate remedy to address privacy related data breach issues?

This is demonstrated by La Court v. Specific Media, Inc., 2011 WL 2473399 (C.D. Cal. Apr. 28, 2011) in which the court granted the defendant’s Motion to Dismiss because the plaintiffs in a class-action case, even in the aggregate, could not demonstrate the requisite $5000 “loss” required to maintain a civil claim for violation of the CFAA where the only “loss” they sustained was the value of personal data.

The case arose from the alleged use of Adobe Flash cookies that tracked the plaintiffs’ use of the Internet without their knowledge or consent. The plaintiffs brought a claim for violating the CFAA, among other things, alleging “that they sought to maintain the secrecy and confidentiality of the information obtained by Defendant through use of the” flash cookies and that their personal information has discernible value of which they were deprived by Defendant’s use of it for its own economic benefit. The court dismissed the CFAA claim, finding that the plaintiffs’ personal information, in essence, had no value, or at least not enough value to collectively meet the $5000 threshold.

You will recall that I blogged about this impediment when Apple was sued in the iTracking cases. If not, take a look at these posts where I delve a little deeper into this “loss” issue:

Apple iTracking Case: will Apple be WINNING on Computer Fraud and Abuse Act claim?

Apple Should Win the Computer Fraud and Abuse Act Claims …

iTracking II: Apple Sued Again for Violating Computer Fraud and Abuse Act

From what I can tell, nothing has changed.

Now, there is talk around the “data privacy” neighborhood that things could be changing a bit and courts may be starting to ascribe some value to people’s own personal data but I’ve not yet seen anything that has confirmed this is going to happen.

First, apparently two cases related to the La Court case involving Adobe Flash cookies have been settled for a $2.4 million settlement. The cases are Valdez v. Quantcast Corp. and White v. Clearspring Technologies and the article I read indicating the settlement value can be found HERE. I do not know the details of the settlement but, if any of you happen to know, I would be interested in learning more about it.

Second, just yesterday I read an article by Andrew Clearwater on the International Association of Privacy Professionals newsletter entitled New theory of harm in data breach cases that argued that people have a property right in personal information. I found this argument to be persuasive and, according to Clearwater, it is currently being tested in the case Alan Claridge v. RockYou Inc., 2011 WL 1361588 (N.D. Cal. Apr. 11, 2011), where the court has allowed the case to proceed by partially denying the defendant’s motion to dismiss. As Clearwater says, it will be interesting to see how this develops.

If it is treated like a trespass, why is the Computer Fraud and Abuse Act not called the Computer Trespass and Abuse Act?

Now that is a good question, and one that I do not know the answer to! I do suspect, however, that it was probably an easier “sell” to use the word fraud instead of trespass so I will leave it at that. In Xcedex, Inc. v. Vmware, Inc., 2011 WL 2600688 (D. Mass. June 8, 2011), however, the court stated “[t]he conduct prohibited by the CFAA is ‘analogous to that of “breaking and entering” rather than using a computer … in committing the offense.’” This is an important principle to remember about the CFAA and, I believe, helpful to understanding the various arguments circulating around about what is an “access” under the CFAA.

What kind of evidence does a judge look for when analyzing a civil claim under the Computer Fraud and Abuse Act?

The cynics among us will probably look at this next case and say, “he sure was struggling to find a comment-worthy point in this case” and they just may be right. But let me tell you why I wanted to bring this case to your attention.

Not too long ago I was drafting a motion for summary judgment for a plaintiff on a CFAA claim. As we all know, a movant on summary judgment has a better chance of winning when they can present a clear and concise argument that is supported by clear and concise evidence — with brevity being of paramount importance! One of the questions I asked myself during the drafting process was “what evidence should I use that will be most persuasive to the court and give me the maximum bang for the buck?” Within a couple of weeks of that, I read the opinion in Barnstormers, Inc. v. Wing Walkers, LLC, 2011 WL 1671641 (W.D. Tex. May 3, 2011). I found nothing earth shattering about the CFAA issues presented in this default judgment but did appreciate the way the court walked through the elements and discussed the evidence supporting each element that it found persuasive enough to include in its opinion. To me, that was enough to make it worth mentioning.

New “Employment” Computer Fraud and Abuse Act case … but with a twist!

It’s always the same: Employee decides to go work for a competitor. Employee takes confidential information. Employee uses it in new job with competitor. Employer sues.

We see it all the time and, in fact, it is probably the most common scenario of cases asserting claims under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq. This case, however, handed down on April 20, 2011, has an interesting twist.

In Meats by Linz, Inc. v. Dear, 2011 WL 1515028 (N.D. Tex. Apr. 20, 2011), the court handed down a decision denying the Defendant’s Motion to Dismiss the CFAA claim on two distinct grounds: “access” and “loss”.

The Facts, Just the Facts

Steve Dear was employed by Meats by Linz, Inc. (“MBL”) as the general manager of its Dallas sales facility. He had an employment agreement that included a confidentiality / non-disclosure agreement. Dear decided to go work for one of MBL’s competitors but, before announcing he would be leaving, accessed MBL’s password-protected confidential and proprietary information to which only he, and others on a “need to know” basis, had access. In fact, he accessed it at 9:15 p.m. on a Sunday night, downloaded it, and sent an email resignation about two hours later. In the words of Gomer Pyle, “Surprise! Surprise!” … not long afterwards, he was working for a competitor and soliciting MBL’s customers by, according to MBL, using its confidential and proprietary information that he had taken.

Employer Sued
