Corporate Espionage: Hacking A Company Through A Chinese Restaurant Takeout Menu

Photo Credit: country_boy_shane via Compfight cc

Corporate espionage (industrial espionage) is a favorite topic of mine. I have written and presented on the subject quite a bit and, while I am never sure how my readers react when I write about this, I do carefully watch the look on my audience members’ faces when I first mention the issue. The story their eyes tell is interesting.

The story of “why should I care about this?”

At first they usually have a glazed-over look with no emotion or reaction — as if they are thinking “this is just another lawyer using fancy lawyer words but whatever he is talking about, it doesn’t apply to anything that I do” and they politely sit there feigning attention.

And then, I tell them about the cases where Chinese state-sponsored groups had “insiders” planted in companies like Motorola or DuPont to steal their proprietary trade secrets. Their reaction does not change — as if they are thinking “yeah, ok, whatever, my company is not Motorola or DuPont or anything like it — we are a small shop and nobody cares that much about what we have.”

And then, trying to get their attention with something they have heard about, I mention Target and the massive and expensive Target breach. Their reaction does not change — as if they are thinking “dude, why are you telling me this? My company is nothing like Target — we could barely even be a supplier to Target, why would anyone care about us?”

And then, I ask them if they have ever heard of Fazio Mechanical Services — knowing they have no idea of who that is.

Blank stares.

So I ask them to raise their hands if they’ve ever heard of Fazio Mechanical Services — and usually no one raises their hands but at least now they are listening …

So I go on to explain that

  • Fazio Mechanical Services is (or should I say was) a vendor to Target and that it was a breach of Fazio’s computer system through an email spear phishing attack that ultimately allowed the hackers to breach the Target system;
  • While no one may have cared about getting Fazio’s information, Fazio’s system was very valuable to the hackers because it provided an intrusion point into the Target system — which made attacking Fazio very valuable, strategically, to the hackers;
  • Hackers are smart and very strategic, and now that they have seen a great example of how effective it has been to use indirect methods, such as third-party vendors, to attack their primary target, they will likely do it again;
  • Even if they do not believe their company is a high value target to hackers, if one of their suppliers, vendors, or other business associates may be, it could be their system that is used to become that intrusion point to reach the high value target, and
  • If that were to happen, their business would likely be the next Fazio and they would probably be looking for new employment.

What does this have to do with hacking through a Chinese Restaurant Takeout Menu (website)?

This usually brings the abstract notion of “corporate espionage” to reality for them. I was reminded of this when I read a recent article in the New York Times titled Hackers Lurking in Vents and Soda Machines that provides a great explanation of how hackers use this indirect method of attack on their primary targets. Here are a few poignant quotes but you should read the whole article:

Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

*   *   *

Hackers in the recent Target payment card breach gained access to the retailer’s records through its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment.

Companies have always needed to be diligent in keeping ahead of hackers — email and leaky employee devices are an old problem — but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.

Full Article: http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html?ref=technology&_r=0.

This is a serious problem — even your company needs to pay attention to it, even if no one in your company likes Chinese takeout.


 

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues. These issues include things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

3 Steps for Obtaining Trade Secrets in Discovery

Discovery of Trade Secrets
When are trade secrets discoverable?

When can a competitor use litigation to find out your company’s trade secret information?

Let me explain it this way …

What if it was your business’s valuable information?

Pause for a moment and imagine that your business is the industry leading innovator in its field because, through your effort and resources, you have developed secret tricks and techniques for how to do things that your customers love and that is what makes your business so successful. You keep these tricks and techniques so secret that only the most trusted people inside your company — those who have a need to know them — have access to and know these secrets.

These secrets are what the law calls trade secrets. They are what most real people (i.e., non-lawyers) call the “crown jewels”, “keys to the kingdom”, or the “secret sauce” — they are that important.

Now, imagine that your fiercest competitor, who is called FierceCo, knows you have secret ways for how you do things, but does not know what those secrets are. FierceCo has tried for years to find out what they are but has never succeeded. Now FierceCo has met an enterprising lawyer and has a new plan.

Would you want your competitor to get your valuable trade secret information simply by suing you?

FierceCo sues your business — for whatever made-up reason it can concoct — and demands that you disclose what your trade secrets are in the discovery in the lawsuit. Will it work? After all of these years of protecting your business’s trade secrets from FierceCo, will you now be required to turn over the “keys to the kingdom”?

Maybe, maybe not.

Your secret information that qualifies as trade secrets is privileged and, because of that privilege, the only way FierceCo can get it is if it can satisfy a specific test under the law. And then, even if FierceCo can get access to that information, the purposes for which it can use the information are severely restricted by court order and any violation of that order could land FierceCo in contempt of court. Contempt is not good — trust me on this.

The test under the Texas Common Law

The test that must be met was explained by the Dallas Court of Appeals in In re The Goodyear Tire & Rubber Co., 392 S.W.3d 687 (Tex. App.–Dallas 2010, orig. proceeding). In this case the court said that a party to a lawsuit can refuse to disclose their trade secrets, and prevent others from disclosing its trade secrets if

  1. Not disclosing the trade secrets will not tend to conceal fraud or otherwise work injustice;
  2. The party not wanting to disclose its trade secrets then shows that the information fits the definition of trade secrets; and
  3. The party requesting the information then establishes that the information is necessary for a fair adjudication of its claim or defense.

In our hypothetical case, this means that FierceCo must meet the burden of establishing that the information is necessary for a fair adjudication of its claim or defense or else the court cannot require it to be disclosed. This does not mean simply that it is relevant to the case. Instead, FierceCo “‘must demonstrate with specificity exactly how the lack of the information will impair the presentation of the case on the merits to the point that an unjust result is a real, rather than a merely possible, threat.’” Id. at 696. “This specificity showing must be made with regard to each category of information that” FierceCo requests and for which you assert the trade secret privilege. Id.

“A trial court abuses its discretion if it orders disclosure of trade secrets when the requesting party has not carried its burden to show the information is necessary for a fair adjudication of its claim.” Goodyear, 392 S.W.3d at 693.

The “new” test under the Texas Uniform Trade Secrets Act — substantively, it really is the same

While the 3 step test of Goodyear was under the common law of trade secrets, before Texas enacted the Texas Uniform Trade Secrets Act (TUTSA) (eff. 9/1/13), the test remains substantially the same under TUTSA. TUTSA specifically instructs the Texas courts to look to the cases from other jurisdictions that have adopted their version of the Uniform Trade Secrets Act, Tex. Civ. Prac. & Rem. Code § 134A.008, and the predominant test in those jurisdictions is substantially the same 3 step test.

In Bridgestone Americas Holding, Inc. v. Mayberry, 878 N.E.2d 189, 193 (Ind. 2007), the Supreme Court of Indiana explained the 3 step balancing test that is to be applied under the Uniform Trade Secrets Act when trade secret information is sought in discovery:

  1. The party opposing discovery must show that the information sought is a trade secret and that disclosure would be harmful.
  2. If trade secret status is established, the burden shifts to the party seeking discovery to show that the information is relevant and necessary to bring the matter to trial.
  3. If both parties satisfy their burden, the court must weigh the potential harm of disclosure against the need for the information in reaching a decision.

The focal point of the test should be on proof of real necessity

This 3 step balancing test has been adopted by other states and is the appropriate test for Texas courts to apply under TUTSA. The “necessity” prong is the one that should really be the focal point of the court’s analysis. To meet the burden of establishing the second step of the test, “the party seeking trade secret information cannot simply claim unfairness but must show ‘with specificity how the lack of the information will impair the presentation of the case on the merits to the point that an unjust result is a real, rather than a merely possible, threat.’”

Meanwhile, it is clear from the case law that establishing necessity is the heart of this three-part analysis. When necessity is established, courts frequently hold that the trade secret must be disclosed, albeit with some protection.
“Necessity” means that without discovery of the particular trade secret, the discovering party would be unable to present its case “to the point that an unjust result is a real, rather than a merely possible, threat.” In re Bridgestone/Firestone, Inc., 106 S.W.3d 730, 733 (Tex.2003). Implicit in this is the notion that suitable substitutes must be completely lacking.

The requesting party must meet a very high burden to establish a true necessity, as required, in order to obtain the trade secret information. This requires their showing of a true necessity with no suitable substitutes available to provide the requested information.

 

 


Why is PNC Bank Accusing Morgan Stanley of Corporate Espionage and Trade Secret Theft?

You No Let Me Download
©2011 Braydon Fuller

I often write about corporate espionage and trade secrets but I bet some of you may still be trying to imagine real-world scenarios that demonstrate exactly what those terms mean and how they apply. Let me tell you a story and see if it helps it make more sense.

Let’s Talk About Your Business

Let’s say you have a business and you have some really valuable information that your employees use when they are working for your business — the most important of which is the list of your customers and all of the background information you have compiled on those customers. Because you know how valuable this information is, you have had your company’s IT department implement certain technological limits to keep people from downloading that information to USB drives, Dropbox, or emailing it to their Gmail account. You’re really thinking ahead of the curve in trying to safeguard your trade secret information and you’re feeling pretty proud of yourself. And, you should, because most businesses don’t go to such efforts to protect their valuable trade secret information.

Zig Ziglar had a saying about dishonest employees: “If a person is dishonest, I hope he is dumb. I’d hate to have a smart crook working for me.”

You, however, hired smart …

Now let’s imagine you had a pretty senior and high-ranking person in your company decide to leave to go work for one of your competitors where having your customer list (with all the extra information included) would be a great asset to them. And, you later come to believe, the competitor was actively trying to hire your employees and was trying to get them to take your trade secret information and bring it with them. You, however, have thrown a kink in their plans with your on-the-ball IT department’s information security practices. Or so you think.

Before telling you of her intentions to leave your company, this soon-to-be former employee still has access to your trade secret customer list from her computer and decides to access it on the system and pull it up for one last look. Can you imagine what she does next?

She whips out the trusty little smart phone and takes picture after picture after picture of all of the information on her computer monitor! She didn’t download it — she couldn’t. But she has it in several digital images on her mobile phone and when she goes out the door of your company, so too do your highly valuable trade secret customer lists.

Here Is The Real Life Case

This is a storified version of the allegations made by PNC Bank against its former employee, Eileen Daly, and her new employer Morgan Stanley in the case PNC Financial Services Group, Inc. v. Daly and Morgan Stanley, Inc. (Complaint) filed in the United States District Court for the Western District of Pennsylvania on March 14, 2014.

What makes this case (as alleged, anyway) a case of corporate espionage? Simple. It is one company trying to steal the valuable information of another company. It happens all the time. In this case it just so happened to be by an “insider” — a departing employee.

This is Clearly a Trade Secrets Case — But Could it Also Be a CFAA Case?

PNC sued the defendants for several causes of action, including misappropriation of trade secrets and unfair competition — exactly what you would expect in a case like this, right? It did not, however, sue them for “unauthorized access” in violation of the Computer Fraud and Abuse Act and, while I can think of several reasons why PNC may not have done so, it did get me to wondering if they could have. I mean after all, there have been much weaker CFAA cases filed in Pennsylvania District Courts.

What Does the Statute Say?

To violate the Computer Fraud and Abuse Act under the most lenient part of the statute, the defendant must “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] … information from any protected computer;” 18 U.S.C. § 1030(a)(2)(C). And here, the information could not be downloaded, even though attempted, sooooo …..

Was There an Access?

Maybe so. She did have to access the computer system to retrieve the information and pull it up on her computer monitor. The question of whether her access was unauthorized or exceeded authorized access has not been conclusively determined by the Third Circuit; however, the bulk of the district court cases tend to follow the Strict Access Theory of the Ninth and Fourth Circuits, under which it probably would not have been improper, though in the Fifth and Eleventh Circuits, under the Intended Use Theory, it may very well have been.

Was Information Obtained?

Yes, it was. The defendant took pictures of the trade secret customer lists — information — and kept those pictures on her smart phone. That sounds like the obtaining of information to me.

Was There a Loss?

I don’t think so. Without the “loss” there is no civil case unless there is “damage,” which is not very common. For the difference between the two, see Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz

The federal district courts in Pennsylvania are extremely strict when it comes to calculating the loss under 18 U.S.C. § 1030(g). Last year I handled the defense of a civil CFAA case in the Eastern District of Pennsylvania and thoroughly briefed two motions to dismiss that were heavily premised on the Pennsylvania district courts’ strict loss jurisprudence. (Here are the motions: Motion to Dismiss and Motion to Dismiss Amended Complaint.) I convinced the plaintiff to dismiss the claims against my client with prejudice before the plaintiff filed a response or the court ruled on the motions; however, I remain very confident that the positions asserted in the motions were consistent with the courts’ standards on this issue and would have been successful.

Under these standards, I cannot imagine how investigating the taking of pictures of a computer monitor could qualify as a “loss” or “damage” such as to get the case past 18 U.S.C. § 1030(g) and survive a motion to dismiss. I haven’t put a lot of thought into this, and am not saying it can’t happen; I just haven’t thought of how it would.

My guess is this is why the attorneys representing PNC didn’t bother throwing in a claim for violating the CFAA — well that, and, they probably didn’t see a need for it since they were already in federal court on diversity jurisdiction!


Yes, Texas is a good state for plaintiffs to bring a CFAA claim.

©2011 Braydon Fuller

Is Texas a good state for a plaintiff to bring a Computer Fraud and Abuse Act (CFAA) claim?

Yes it is, and a recent case reaffirms that the Federal District Courts in Texas are generally favorable jurisdictions for plaintiffs with CFAA claims because of two key issues, access and loss jurisprudence.

Your business needs a social media policy and this is why.

It is foolish to not have one. Having a social media policy is like having a Will for your business’s branding and marketing efforts and the cost of getting that policy will likely be less than the bill for the first day in litigation if you do not!

Social media is the next big thing when it comes to branding and marketing your business. Actually, it is already here. This has been one of the biggest news stories of 2011 and it is not going away anytime soon.  I am a believer. I love it and I encourage all of my clients to find ways to implement it in their businesses. It is free to sign up and free to use (for the most part) with only time and effort being the primary investment. Businesses usually have their social media being managed by employees, independent contractors, or outside “experts”. The key to success with social media is to have many “connections” with others and develop relationships with them. But, who really owns those connections and relationships?

That is a good question–do you really know who owns your business’s social media connections and relationships?

This is a question that has been brought to the forefront because of the recent lawsuit PhoneDog v. Kravitz that is pending in federal court in the Northern District of California.

The essence of this case is pretty simple: PhoneDog used social media such as Twitter, Facebook and YouTube to promote its services and Kravitz worked for PhoneDog as a product reviewer and video blogger and, in conjunction with the duties of his job, Kravitz used a Twitter account with the handle of @PhoneDog_Noah that had approximately 17,000 followers (wow, @shawnetuma only has 1,130 if you’d like to help me out). As always seems to be the case in today’s ever-changing job market, Kravitz resigned from PhoneDog and PhoneDog asked him to turn over the Twitter account but, instead, he simply changed the handle to @noahkravitz, which now has over 24,000 followers and, for its bio, says “People are not property. Love over gold.” (it’s ok, I followed him also)

PhoneDog sued Kravitz and Kravitz filed a Motion to Dismiss which is a long and costly way of saying “judge, they have no case so please throw it out.” The court, however, did not see it so clearly and in its Order on Defendant’s Motion to Dismiss allowed PhoneDog to go forward with the key claims of misappropriation of trade secrets and conversion. That does not mean it will be an easy battle for PhoneDog or that it will ultimately prevail. In fact, based on traditional principles of trade secret law I have a feeling it will not, and have previously written about these issues in other blog posts that I would encourage you to read:

Are LinkedIn Contacts Trade Secrets?

LinkedIn: think before you sync!

The issue is not, however, whether PhoneDog will win. The real issue is why is it even having to fight? Let’s assume for the sake of argument that it does win. At what cost will that victory come and, at that cost, will it truly be a victory?

How much will it cost your business to win?

Take a look at the 10 page Complaint in PhoneDog v. Kravitz and take a guess at what it cost in legal fees alone just to prepare and file it. Add to that a $350 filing fee, costs for service of process, and lots and lots of your time and your attorneys’ time which costs lots of money. But, you’re not done yet–not by a long shot. Filing the lawsuit is just the beginning. Go here and take a look at the Docket Sheet for PhoneDog v. Kravitz; they have been fighting over this since July, have addressed over 30 documents filed in the record of the case, and are still not past the initial stages of the lawsuit. Do you want to take a guess at how many thousands of dollars PhoneDog (and Kravitz) have spent so far?

Let me stop here and make something clear. I love being a trial lawyer and I love trying cases. I love technology and technology related cases. There is nothing I would enjoy more than being the attorney handling a case like this. Moreover, I would love for someone to pay me a lot of money to do it! Do you have an interest in having a part of how this body of social media law develops? Would you like to sponsor my efforts to shape it? If so, let’s get rolling!

If your interest, however, is focused on the financial strength of your business and not on shaping the future of social media law, this is probably not a wise use of resources. But if you do not have a policy addressing these issues, it is likely that you could end up doing exactly that, though not by choice.

“An ounce of prevention is worth a pound of cure”

That old saying could not be more true than when it comes to having a social media policy for your business. All of the issues that are being litigated in PhoneDog could have been addressed and agreed to from the very beginning in a written social media policy, along with a host of other issues that arise concerning the use of social media. What is even better is that the cost of obtaining such a policy will probably be less than what it would cost for just the first day of litigation! It really is a wise investment for your business and all you have to do to get started is just give me a call. But, …

If you don’t want to do that, then give me a call anyway and we can start planning our litigation strategy — this is going to be fun!