Insider Misuse of Computers: No Big Deal? It Can Be a Data Breach, Ask Boeing

Insider misuse triggers a breach just like outside hackers.

When a company’s information is compromised because of insider[1] misuse of computers or information, regardless of the insider’s intentions, the result for the company and the data subjects of that information is often the same as if it were an attack by an outside adversary – it is a data breach.

Boeing’s insider-triggered data breach.

A Boeing employee emailed his spouse an internal company document containing personally identifiable information for about 36,000 co-workers to get help with formatting the document. His intentions were noble and innocent: he wanted to do a good job on the document and believed his spouse could help. The outcome was much different.

See: Guide to Responding to Data Breaches and Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies

Because the sensitive data on its employees left Boeing’s “control” when it passed from an employee to a non-employee, it triggered a data breach. As a result, Boeing had to go through the breach notification process by notifying the 36,000 employees affected, providing them with two years of complimentary credit monitoring services, and notifying the attorneys general of Washington, California, North Carolina, and Massachusetts. Read the full story here: Boeing discloses 36,000-employee data breach after email to spouse for help

Why was this a data breach?

In this analysis, you start with the data itself. Was the confidentiality, integrity, or availability of the data compromised? When a company collects, stores, or processes data, it is responsible for the safekeeping of that data, wherever it may be (yes, even if the company entrusts it to another for safekeeping, the company is still responsible). Generally speaking, when that company has employees, contractors, or other workers performing services on its behalf (insiders), they are treated as being within the company’s control and legal protections of that data, and their access to, possession of, and use of that data is still within the legal fiction of being within company control. The confidentiality of that data is still intact as long as they are acting within the scope of their permissible role.

Insiders exceeding limitations of access and use of information may trigger breach.

When insiders exceed the boundaries that have been placed upon them by accessing, possessing, or using that data in a manner that is unauthorized by the company, it may result in a data breach, depending upon the particular facts of how it is used, the nature of the data, the type of industry, and any regulatory framework that may apply to that industry. For example, in the healthcare context the HIPAA Privacy Rule would almost certainly classify such a situation as an unlawful use or disclosure, triggering a data breach by the company.

Insiders keeping company information after termination of employment is almost certainly a breach.

When insiders take sensitive company data outside of the company, it will almost certainly trigger a data breach for the company. The most obvious example of this is an employee that retains company data after that employee is no longer employed by the company. Once the employment relationship terminates, the employee’s basic duties to the company also terminate and, unless there is some contractual extension of those duties, the employee possessing that information is no different than the spouse of the Boeing employee possessing the information – it is no longer within the legal fiction of “protections” of the company that maintain its confidentiality. In other words, its confidentiality has now been compromised.

Texas’ breach notification law is triggered by insider misuse.

In most cases, determining whether a breach has occurred will depend on the breach notification laws for the particular jurisdiction where the company does business and where the data subjects of that information reside.[2]

What is a breach of system security under Texas law?

The Texas breach notification law, Breach of Security of Computerized Data,[3] requires any company that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

A “’breach of system security’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”[4]

Regarding insiders, the law specifically states that “[g]ood faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.”[5] In other words, if an insider is authorized to access company SPI for a valid business purpose, and does so, but later uses or discloses that information in an unauthorized manner, it is a data breach under the Texas breach notification statute.

What is sensitive personal information under Texas law?

What is often referred to as personally identifiable information is defined by the Texas data breach notification law as “sensitive personal information” (SPI). The law has a fairly detailed definition of SPI that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Does an employee’s unauthorized taking of company data to use for working for a competitor trigger a data breach under Texas law?

Consider a common scenario in the business world, with a few extra twists for emphasis:

  1. An employee who has had access to and worked with her employer’s customer database containing detailed information and SPI decides to leave the company.
  2. Because she has done most of the work in building up the customer database, she believes she is entitled to have a copy of it for herself so, before giving her notice or actually terminating her employment, she copies the customer database to her personal Dropbox account and saves it to a USB thumb drive.
  3. She then gives her notice, terminates her employment, and goes to work for a competitor.
  4. Once she starts work, she looks for the database but discovers that she lost the USB drive, which was unencrypted, so she downloads the customer database from her Dropbox folder, which also happens to be an openly “shared” folder, freely accessible by anyone on the Internet because she is an amateur photographer and it contains the images she uses to display her work on her blog.
  5. She then begins using her former employer’s customer database without telling her new employer but she does secretly upload the database to her new employer’s computer network.


What do you think, data breach or no data breach? In the hypothetical, at which step do you think there became a problem, if any? Please share your answer and reasoning in the comments – this one should be fun!

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

[1] The term “insiders” is often used to refer to “privileged users,” that is, users who have at least some rights, or privileges, to access and use the computers whereas the term “outsiders” refers to users who do not have any access rights, or privileges, to access the computers whatsoever. See Shawn E. Tuma, In Search of the Golden Mean: Examining the Impact of the President’s Proposed Changes to the CFAA on Combatting Insider Misuse, 18 SMU Sci. & Tech. L. Rev. 3, p.4 (2015).

[2] See Shawn E. Tuma, Guide to Responding to Data Breaches and Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies, Cybersecurity Business Law (2016).

[3] Breach of Security of Computerized Data, Texas Bus. & Comm. Code § 521.053.

[4] Tex. Bus. & Com. Code Ann. § 521.053 (a) (West).

[5] Tex. Bus. & Com. Code Ann. § 521.053 (a) (West).

What You Need to Know About Protecting Trade Secrets Under State and Federal Law

A few years ago Texas joined most other states and enacted its version of the Uniform Trade Secrets Act (UTSA, or Texas’ TUTSA). Recently, the federal Defend Trade Secrets Act (DTSA) became law. While there are quite a few similarities between these laws, there are also some substantial differences that you need to know to protect your business’s trade secrets.

Can Parties be Excluded from the Courtroom in Trade Secrets Cases?

The Texas Supreme Court recently addressed the question of when a competitor’s corporate representative can be excluded from the courtroom in a trade secrets case.

Can a Company Remotely Wipe an Ex-Employee’s Device?

Note: this article was previously posted on Norse’s DarkMatters.

One of my favorite sayings about cyber risk is “an ounce of prevention is cheaper than the very first day of litigation.” A recent case provides a nice example of exactly what I mean. In this case, an effective BYOD policy could have saved this company tens of thousands of dollars, at least.

Law Firm Cybersecurity: I Hate to Say I Told You So But …

Hey! Any chance you’ve heard anything in the news lately about law firms being under cyber attack? If not, first, crawl out from under that rock; second, take a look at these articles.

Wow. Can you believe it? Law firms? Under cyber attack? What is this world coming to?

Why every CIO needs a cybersecurity attorney (my comments on why this is my favorite article ever)

Wow, this article seriously just made my day.

I will apologize in advance to my friend and CSO writer Michael Santarcangelo (@catalyst), but this may very well be my favorite article — anywhere — of all time! And, thank you, Tom Hulsey (@TomHulsey), for sharing it with me! As for you, Ms. Kacy Zurkus (@KSZ714), all I can say is, great job on this article!

Why is it my favorite article?

Well, if the title of the article did not give it away (yes, there’s a reason we attorneys are the 2nd oldest profession … we’re pretty close to the 1st …), then consider these snippets:

“Distinguishing the technical experts from those responsible for legal obligations and risks will help companies develop better breach response plans. Understanding the role of an external cybersecurity firm will only help.” (Have I not been preaching the need for breach response plans??? See Why Your Company Needs a Breach Response Plan: Key Decisions You Must Make Following A Data Breach (Aug. 3, 2015) and More Posts)

“But even with a seemingly impenetrable security system in place, you still need an attorney focused on cybersecurity issues. Sure, internal counsel can help you minimize your company’s legal risks. But partnering with an external firm boasting security expertise can also help the CIO navigate through several unfamiliar legal areas, such as compliance with local, state and national privacy laws and security requirements, civil litigation over data and privacy breaches, and corporate governance.” (ahhh yes, music, sweet music to my ears!)

“’The breadth of industries who need this type of counsel has exploded,’ says Amy Terry Sheehan, editor in chief of the Cybersecurity Law Report.” (preach it sister Amy, preach it!)

“Because every company now has data online – including personally identifiable information (PII), trade secrets and patent information – Sheehan says, ‘There is an increased need for specialized expert attorneys in cybersecurity and data privacy. Even attorneys who are working on mergers and acquisitions need to know the cybersecurity laws.’” (I could not have said this any better myself, dang Kacy, you are good!)

“Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents.” (mmm hmm, as I write this, there is a leader of a company who did not know my name or know what a “cybersecurity attorney” was on Monday of this week … today (Thurs. morning), I am his new best friend and he calls me more than my wife does!)

“CIOs are clearly responsible for the technical aspects of cybersecurity, of course, but as Sheehan says, ‘negotiating with the government or a complicated investigation that requires more manpower’ demands the expertise of a cybersecurity attorney.” (exactly — those who are looking back with 20/20 hindsight, following a breach, are not technical people, they are lawyers: agency regulators, state attorneys’ general, judges, and plaintiff’s lawyers — you need a legal perspective for this)

“’To not have a cybersecurity attorney on retainer is foolhardy at best,’ because organizations need somebody who is a specialist in what Thompson identifies as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance and working with government.” (exactly!)

“Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences between a possible incident, an actual incident or a breach will drive the company’s response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determines who speaks to whom when and about what. ‘The plan should be very basic and the attorney is a key part in designing the plan,’ Thompson says.” (privilege can be a huge issue — and as for those Incident Response Plans, definitely use the KISS method)

“Additional risks exist around response time in the aftermath of a breach. According to Sheehan, ‘You’ll not have valuable advice in advance of a breach, which presents litigation risks, and litigation is becoming much more common – it’s filed immediately after a breach, and counsel is involved in mitigating litigation risks.’” (what you do pre-breach can have a huge impact on how you are impacted post-breach, from a liability standpoint)

There is a lot more delicious medium-rare red meat (filet mignon, to be exact) in this article so go read it — NOW! Why every CIO needs a cybersecurity attorney | CIO.


Business Guide: Identifying and Protecting Trade Secrets Under the Texas Uniform Trade Secrets Act

Trade secrets are the lifeblood of a company, but they can be difficult to understand.

Here is a free guide to help you identify and protect your company’s trade secrets.

DOWNLOAD: Texas Business Guide for Identifying and Protecting Trade Secrets

Yes, Your Business Has Trade Secrets

Whether they realize it or not, virtually every business has trade secrets, which can be as simple as something unique or remarkable about the way it makes a product or provides a service that sets it apart from the competition. This is something that gives the business a competitive advantage and is usually something it has spent significant time and resources to develop.

Unfortunately, in today’s business environment, honor and integrity are not always the rule and many businesses find their trade secrets are being taken and used to compete against them. This can come from as close as disloyal employees or local competitors to around the world from foreign state‐sponsored organizations engaging in industrial espionage.

Preparation is the Key to Successfully Protecting Your Business’s Trade Secrets

The first time many businesses ever give serious thought to their trade secrets is when they find that they have been taken. It is then that the business begins scrambling to identify its trade secrets and, assuming it can put together a comprehensive list, hopes and prays that it has satisfied the requirements for keeping that information protected under the law of trade secrets so that it can use the legal process to keep it from being used by the business’s competitors. To make matters worse, when the disclosure of trade secrets is being threatened and an injunction from a court is all that will stop it, time is precious and every minute can make the difference between winning and losing.

Here Is The Guide

Shawn Tuma has prepared a comprehensive Guide to help you understand how to identify and protect your business’s trade secrets. The Guide provides a step-by-step explanation of everything from what trade secrets are in general, to how to identify your own business’s trade secrets, to the most common threats against trade secrets, and how to protect against those threats.

You can download a free .pdf copy of the Guide by clicking on this link: Business Guide for Identifying and Protecting Trade Secrets 

Once you have downloaded the Guide, you can be proactive in protecting your business’s trade secrets by using it to prepare for the problem before it ever arises and, in doing so, help reduce the chances that the problem will ever arise by:

  1. carefully evaluating what information it has that qualifies as trade secret information;
  2. implementing security measures, policies, and procedures to prevent the disclosure of that information and protect its trade secret status; and,
  3. in the event its trade secrets are ever compromised, being much better prepared to quickly and efficiently make its case in a court of law and successfully prevent others from using its trade secrets.


Yes, an Employee Really Can Steal Your Data and Then SLAPP You for It?

Yes, in California it just happened!

The fact that this happened in California should be of no comfort to Texas businesses, however, because the Texas Anti-SLAPP law comes from California and, therefore, California jurisprudence is considered persuasive authority in Texas. This means that in the not so distant future Texas employees could steal their employers’ data and then SLAPP them for it as well. Many other states have anti-SLAPP laws that are derivative of California’s as well.

Let’s look at a case study to demonstrate what I’m talking about.

Case Study: Emanuel Medical Center, Inc. v. Dominique, 2014 WL 4239346 (Cal. App. Aug. 27, 2014)

Emanuel Medical Center, Inc. hired Susan Dominique to open and direct the cardiovascular services department of one of its California facilities. Her duties included ensuring that the department followed California law with regard to practices that affected patient care such as having a cardiac surgeon available to provide emergency cardiac care, among other things.

Dominique had numerous confrontations with the primary cardiac surgeon over this issue and claims to have personally observed numerous other violations of law and regulation during her employment with EMC.

In October 2011, EMC told Dominique that she was being investigated because of her managerial style.

On November 18, 2011, EMC told Dominique that she was being placed on administrative leave and her employment would terminate on December 9, 2011.

On November 22, 2011, she returned her EMC-issued BlackBerry and laptop computer. At some point between November 18 and November 22, EMC disabled her employee user account, which allowed her to access EMC’s database; EMC incorrectly believed this also prevented her from being able to access EMC’s e-mails.

On December 9, 2011, Dominique was officially terminated from EMC.

The Lawsuit

On March 22, 2012, Dominique sued EMC for wrongful termination.

During discovery in the lawsuit, EMC learned that Dominique continued to have access to EMC’s e-mails after the November 18, 2011, meeting where EMC informed her of the termination of her employment: she had forwarded approximately 110 work-related e-mails to her personal account between November 19 and 21, 2011, while on administrative leave. EMC also learned that on October 31, 2011, Dominique forwarded to her personal account approximately 81 e-mails containing hundreds of attached EMC computer files, which included EMC policies, presentations, forms and templates, employee writeups, marketing materials, and disciplinary memoranda and reports.

In October 2012, EMC filed a counterclaim against Dominique that asserted five causes of action premised on her wrongfully taking, for her own personal use, EMC’s data in the form of e-mails and other proprietary information.

The Anti-SLAPP Motion

In response to the counterclaim, Dominique filed an anti-SLAPP motion to dismiss these five claims. She argued that EMC’s claims were based on the theory that Dominique “gathered evidence,” including some of her work e-mails, and showed them to an attorney in Southern California in an effort to sell her perceived claims against EMC; that such pre-lawsuit communications and the filing of her wrongful termination action were constitutionally protected activities; and that EMC could not demonstrate “a probability of prevailing” on the merits of its counterclaims.

The trial court granted the anti-SLAPP motion and ordered EMC to pay $23,800 in attorneys’ fees to Dominique. EMC appealed.

The Appellate Court’s Ruling

Was taking the information a “protected activity”?

The primary issue that the appellate court faced: was it a “protected activity” for Dominique to forward to herself EMC e-mails and other information to use in preparing for litigation against EMC?

The court gave a bifurcated answer that turned on whether the information she gathered was actually provided to an attorney “in an effort to sell her perceived claims against EMC.” For information that she actually provided to an attorney “in an effort to sell her perceived claims against EMC,” the court held this was a protected activity. For information that she simply forwarded to herself, but did not provide to an attorney, it was not protected activity.

The rationale for the court’s ruling is based on a couple of principles:

  1. the anti-SLAPP law clearly protects as a “protected activity” a plaintiff’s filing a lawsuit against her employer, as the filing is an “act of communication” that is tantamount to an expression of free speech;
  2. when a plaintiff gets countersued for engaging in an “act of communication” that is in furtherance of her “protected activity,” that action in furtherance of the protected activity is likewise protected;
  3. in this case, the counterclaimant EMC filed a declaration stating that a basis for its lawsuit was that Dominique “distributed some, if not all, of the documents to unknown parties…, potentially including attorneys in Southern California in an effort to sell her perceived claims against EMC”; and
  4. distributing information is viewed as an “act of communication,” thus, it too is a protected activity.

Essentially, what this means is the taking of the information was not a protected activity but the subsequent distribution of that information to an attorney was protected.

Could EMC prevail on the merits?

Under the anti-SLAPP law, once the movant carries its burden of proving that the claims are based on the exercise of a protected activity, the party asserting the claims has the burden of demonstrating a probability of prevailing on those claims by producing prima facie evidence to support each element necessary to prove the claims.

In this case, proof of damages was an essential element to each of EMC’s counterclaims. EMC argued that it suffered two types of damages:

  1. it was forced to report the unauthorized disclosure of the information taken by Dominique and may be subject to fines in the future; and
  2. it will be damaged by the unfair advantage Dominique’s future employer and EMC’s competitor will receive from Dominique’s possession of these materials.

The court did not find either of these arguments sufficient proof of damages.

“Both of these contentions suffer from the same flaw. They do not identify damages already incurred. Instead, they identify the possibility of a future liability (i.e., fines not yet levied) and the possibility of a future loss of business. The statement that EMC “may be subject to fines” leaves open the possibility EMC may never be fined for the allegedly unlawful disclosure. Similarly, the statement that EMC “will be damaged by the unfair advantage” a future competitor “will receive” is written in the future tense and does not identify a present injury or loss.”

In footnote number 9 to the above quoted paragraph, the court notes that “[t]he weakness in EMC’s position that it suffered damages is confirmed by its failure to provide citations to the record to support its position. Ordinarily, a party with the burden of demonstrating a probability of prevailing on the merits would include citations to its evidentiary submissions that support a particular element of its claim.” (Citations omitted). This footnote is important because, in my opinion, the court blew right past a very important aspect of EMC’s damages argument and this may explain why – perhaps the court was frustrated by EMC’s efforts to prove its damages.

EMC was a medical facility that unquestionably qualified as a “covered entity” in possession of patients’ protected health information (PHI). The court’s opinion states “EMC also alleged the e-mails were its property and contain private or confidential information about patients or employees that is protected from disclosure by statute and the California constitutional right to privacy.” If Dominique did in fact take patients’ PHI and disclose it to anyone who was not already covered by a “business associates agreement” with EMC, such disclosure would be a data breach that would require a very costly and onerous breach notification and reporting under both California and federal law. This alone would constitute proof of substantial damages caused by Dominique’s taking of the information, if such evidentiary proof had been provided to the court. Given the court’s footnote 9, there is at least the impression that EMC’s attorneys may not have gone through this process in a way that satisfied the court.

The Outcome

Nonetheless, because the court found EMC could not produce prima facie proof of its damages, it found that EMC failed to demonstrate a probability of prevailing on the merits, upheld the trial court’s granting of the anti-SLAPP motion, and awarded Dominique her costs on appeal.

Lessons

This opinion offers some important lessons for both employers and employees when dealing with these types of situations in California, for now, and Texas and other jurisdictions in the future.

  1. for employers, if you are going to terminate an employee, do not simply rely on terminating their access to log in to the computer system, but also reacquire all devices that contain or have access to company information;
  2. for employees, if you are going to take company information (which I do not recommend), make sure you give it to an attorney in an effort to obtain representation for bringing claims against your employer;
  3. for all defendants, if you are going to file a retaliatory counterclaim against the party who sued you, make sure you have better grounds for your lawsuit than “because they sued me” and, for goodness’ sake, do not state in a declaration, affidavit, or court filing that the basis for the counterclaim is because the plaintiff did something “in an effort to sell her perceived claims against” you;
  4. for all would-be litigants, if you are going to file a claim against someone based upon something that could be perceived as a protected activity, make sure you already have obtained and prepared your evidence to make a prima facie showing for each element of the claims you intend to file – before you file them – and when required to respond to an anti-SLAPP motion, take it seriously and spoon feed your evidence to the court. If you do not, do not be surprised when your adversary takes your claims and SLAPPs you right back with them.

 


About the author

Shawn Tuma is a lawyer who is experienced in representing and advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Collin County Bench Bar Presentation on Cyber Risks to Lawyers #CCBBF

Collin County Bench Bar Presentation Digital Information Law

This morning I have the privilege of speaking at the Collin County Bench Bar Conference and talking with a tremendous group of Collin County Judges and Lawyers about the risks that lawyers, their clients, and their law practices face from data insecurity issues.

Here is the Prezi presentation that I will be using – take a look and tell me what you think! Cyber Fraud, Data Breaches, and Corporate Espionage: How They Impact Your Law Practice

p.s. The theme for the weekend is The Kentucky Derby if you were wondering how the horse fit in!

Prezi: Data Breach! Hacking! Corporate Espionage! Are you listening yet???

I recently had the pleasure of speaking to a great group of Plano, Frisco, McKinney, and other Collin County lawyers in the Collin County Bar Association’s Corporate Counsel Section about the current trends and risks involving data breach, computer fraud, corporate espionage and the overall threats to companies’ data and intellectual property, especially trade secrets. Here are the Prezi presentation slides — take a look and let me know your thoughts!

Data Breach! Hacking! Corporate Espionage! Are you listening yet???

 


 
