What the FBI’s “Project Titan” Criminal Complaint Reveals About Trade Secret Protection Efforts

Author: Louis Dorny

The FBI’s affidavit presented in support of a January 22, 2019 criminal complaint provides a rare glimpse into Apple’s effort to maintain trade secrets in its secretive Project Titan self-driving car operation. This glimpse was rare because any detailed effort to protect intellectual property in the form of a trade secret is often kept quiet to avoid providing any aid to a would-be thief.

The Background

Widely reported in recent days is the announcement of a second employee in six months to be accused by the FBI of stealing trade secrets from Apple’s self-driving car unit, known as “Project Titan.” Now, the feds have unsealed the January 22, 2019 criminal complaint against Jizhong Chen, a PhD-trained employee of Apple on the Project Titan team as a hardware developer. As alleged, Apple discovered the existence of over 2,000 photographs on Chen’s personally-owned computer, and subsequently learned Chen applied for two external jobs, including one at a China-based autonomous vehicle company — a purported direct competitor. Chen advised Apple he planned on leaving the country for China on January 22, 2019. The criminal complaint was filed the following day in the Northern District of California.

Apple was alerted to Chen after fellow employees spotted him taking photographs of the workspace where the project takes place. The FBI says Chen told Apple’s global security team that he backed up his work computer to a personal hard drive and computer as an insurance policy after being placed on a performance improvement plan by Apple. Apple’s security team found Chen had “over two thousand files containing confidential and proprietary Apple material, including manuals, schematics, and diagrams,” according to the charging document.

Not A Trade Secret Unless You Restrict Access

Similar to many jurisdictions that follow the Uniform Trade Secrets Act (“UTSA”), California has specific requirements to protect against misappropriation of trade secrets. To qualify as a trade secret under section 3426.1 of California’s Civil Code, the owner of the trade secret must establish two elements: First, the trade secret must derive actual or potential independent economic value from not being generally known to the public or to other persons who can obtain economic value from the use or disclosure of the claimed secret. Second, the entity claiming a trade secret must establish that it undertook “reasonable efforts under the circumstances” to maintain the secrecy of the trade secret.

So How Does Apple Restrict Access?

Excerpted below with highlighting supplied are paragraphs from the eight-page complaint, which can be found here.

Three software controls are evident to protect data. First, each user requires a password to access a database. Second, database access is restricted to a subset of project employees—likely on a need-to-know basis. Third, all access to information is logged and therefore capable of audit. An administrator must approve access. None of this is surprising. It has long been true that information stored on a computer must require some reasonable form of restricted access. Morlife, Inc. v. Perry, 56 Cal.App.4th 1514, 1523 (1997). Trade-secret protection programs need not be as extensive as this to qualify under the statute. The standard is reasonableness, which changes depending on the circumstances.

Physical access is restricted by limiting access to “core” employees with badge access while keeping the whereabouts secret. Such efforts are costly and likely warranted on “Project Titan,” but may be cost-prohibitive elsewhere. Again, efforts required to maintain secrecy are those that are “reasonable under the circumstances.” Moreover, “[t]he courts do not require that extreme and unduly expensive procedures be taken to protect trade secrets against flagrant industrial espionage. It follows that reasonable use of a trade secret including controlled disclosure to employees and licensees is consistent with the requirement of relative secrecy.” UTSA, Comment to § 1 (citation omitted); Senate Comment (1984) to California Civil Code § 3426.1.

While it is essential to put an employee or contractor on notice of the claim of protected trade secrets with some specificity, a company would be unwise to rely on confidentiality agreements alone as a sufficient secrecy program. Courts have held that “[r]equiring employees to sign confidentiality agreements is a reasonable step to insure secrecy.” Whyte v. Schlage Lock Co., 101 Cal.App.4th 1443, 1454 (2002); MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511, 521 (9th Cir. 1993) (applying California version of UTSA).

Training is often the weak link in an IP protection program due to cost or overreliance on employee agreements. Training is also a problem at the management level, which may not have a firm grip on just what exactly comprises the trade secrets. On Project Titan we learn the most interesting tips of all: 1) training includes the importance of keeping details secret and avoiding intended and inadvertent leaks; 2) methods of ensuring protection of trade secrets, as well as device-specific policies; and 3) transmitting documents using secure mechanisms. In sum, an employee who has access to company trade secrets must know what is considered a trade secret, the contours of permissible use, and the consequences of misuse—which can only be understood through an active effort to train. While no case in California has held that the failure to implement a training protocol for employees is unreasonable, that case may not be far off.

About the author: Lou Dorny is a partner in Gordon Rees Scully Mansukhani’s Intellectual Property and Commercial Litigation Practice Groups. His practice focuses on intellectual property and high-technology matters, with a particular emphasis on trade secrets. Mr. Dorny’s biography can be found here.

The Rise of Federal Trade Secret Protection

It is done. President Obama signed into law the Defend Trade Secrets Act of 2016 (“DTSA”), the nation’s first federal trade secret protection act with civil remedies. The DTSA is effective May 12, 2016 for any misappropriation (as defined in the statute) “for any act which occurs on or after the date of the enactment of this Act.”

The DTSA does not preempt states’ trade secret laws; those state laws remain in effect. Accordingly, there is no requirement that a party even allege a DTSA claim when pursuing a trade secret action. Strategic consideration must be given to bringing a DTSA claim and the impact on jurisdiction. A plaintiff that prefers litigating in state court may wish to forgo adding a DTSA cause of action to the lawsuit because doing so would create a federal question. If a state court lawsuit alleges a DTSA claim, the defendant may remove the case to federal court.

Remedies under the DTSA include damages for the loss caused by the misappropriation, damages for unjust enrichment, and injunctive relief for any actual or threatened misappropriation. If a plaintiff can establish that the trade secret was “willfully and maliciously appropriated,” the court can award exemplary damages of up to two times the amount of actual damages. For bringing a claim, reasonable attorney’s fees may also be awarded to the prevailing party, as well as to a defendant if the claim of misappropriation is made in bad faith.

Once an afterthought, trade secrets were the last of the four major types of IP—patent, copyright, trademark, and trade secret—recognized by the courts, and the basic elements of the tort of trade secret misappropriation have been recognized only since the late 1800s and early 1900s.¹ However, as we reported here, the number of trade secret theft cases continues to rise, and by one metric, doubled between 1995 and 2004. Until now, trade secrets were the only major type of intellectual property not backed by U.S. federal civil remedies to compensate owners for theft.

_______________________________________________________________________

¹ Catherine L. Fisk, Working Knowledge: Trade Secrets, Restrictive Covenants in Employment, and the Rise of Corporate Intellectual Property, 1800–1920, 52 HASTINGS L.J. 441, 441 (2000)

Not Licensed To Ill: Why Your Corporate Marketing Employees Need Training on IP Licensing

The case, Beastie Boys et al v. Monster Energy Co, U.S. District Court, Southern District of New York, No. 12-06065, addressed the circumstances under which a corporate defendant can be held liable for acts of willful copyright infringement committed by its employees within the scope of their employment or for its benefit. In a Dec. 4 decision, U.S. District Judge Paul Engelmayer refused to throw out Beastie Boys’ $1.7 million jury verdict against Monster Beverage Corp over the energy drink company’s use of the hip-hop group’s music in a promotional video without permission.

That decision noted that the jury listened to testimony from the employee of Monster who prepared the offending video, where he admitted that he lacked any training in music licensing. Nevertheless, the Monster employee also testified he previously produced a dozen similar “recap” videos for Monster. In those earlier videos, the employee testified that he did contact the artists to seek permission to use the respective artists’ music. The Monster employee was therefore familiar with the process of seeking authorization. Notwithstanding this awareness, the Monster employee did not seek permission from the Beastie Boys or their manager to use their music, nor did he believe that anyone else at Monster had done so. Judge Engelmayer held that the jury could thereby determine that the Monster employee acted in reckless disregard of the Beastie Boys’ rights when using the Beastie Boys’ music without authorization in the promotional video.

Judge Engelmayer’s decision concludes with the observation that “[a]s the Beastie Boys’ counsel noted in closing argument, Monster, at the time, did not perform any training of employees related to the use of copyrighted or trademarked content; it therefore left [the Monster employee] to his own devices in producing the video.” One must ask how Monster’s absence of music licensing training to its employees would have made any difference in this case, given the employee’s prior experience with, and habit of obtaining required authorization from the artists. The answer is simple: A corporate training program must implement compliance policies and procedures for requesting and securing material subject to license, with a direct report to corporate officers tasked with compliance.

The takeaway here is that the preparation of the offending video fell within the employee’s scope of work, for which no training was received, and his misdeeds were imputed to his employer. As noted in the decision, where the defendant is a corporation, it can be held liable for acts of willful infringement committed by its employees within the scope of their employment or for its benefit. See Sygma Photo News, Inc. v. High Soc. Magazine, Inc., 778 F.2d 89, 92 (2d Cir. 1985) (citing Shapiro, Bernstein & Co. v. H.L. Green Co., 316 F.2d 304, 308–09 (2d Cir. 1963)) (“All persons and corporations who participate in, exercise control over, or benefit from the infringement are jointly and severally liable as copyright infringers.”); Arista Records LLC v. Lime Grp. LLC, 784 F. Supp. 2d 398, 437 (S.D.N.Y. 2011) (same). “[A]n employer is responsible for copyright infringement committed by an employee in the course of employment, under the normal agency rule of respondeat superior.” U.S. Media Corp. v. Edde Enter., Inc., No. 94 Civ. 4849 (MBM)

Image courtesy of Flickr by Mike Mozart

Five Tips to Avoid Theft of Trade Secrets in Your Supply Chain

Trade secret theft is illegal and commonplace. A 2010 report found the number of trade secret theft cases in federal court doubled between 1988 and 1998, and doubled again between 1995 and 2004.

While external threats (e.g. data thieves) and internal threats (e.g. negligent or rogue employees) comprise the majority of bad actors in the theft of trade secrets, supply chain relationships provide additional vulnerabilities. This is because when corporations outsource, they share highly sensitive and valuable trade secrets with foreign subsidiaries, joint-venture partners and third-party vendors. Examples include customer lists, manufacturing processes, and production and sales strategies. A 2013 report issued by the Center for Responsible Enterprise and Trade (CREATe.org) contains numerous tales of trade secret thievery and provides practical guidance on securing supply chains and mitigating risks associated with trade secret theft. Read the report in full here, or consider our summary of the five practical tips its authors provide:

1.   Conduct a Strategic Assessment of the Company’s Trade Secrets

Establish an internal trade secrets program and identify who is charged with ensuring compliance (e.g. chief security officer or general counsel). What the company considers confidential should not be a mystery to the corporate officers and should be clearly and repeatedly communicated to employees. Strictly limit access to the confidential materials as necessary to perform job functions. Consider which trade secrets really need to be transferred to suppliers. As the CREATe report notes, segmenting a manufacturing process across multiple suppliers is one way to ensure the company’s intellectual property is not concentrated in one place for thieves to steal.

2.   Conduct Appropriate Contractual Due Diligence

Does the supplier have a reputation for intellectual property rights violations, trade complaints or export control issues? Has anyone asked? Verify that the supplier has implemented nondisclosure agreements with its employees and consultants. Outsourcing may reduce costs, but without thorough due diligence, the corporation exposes itself to unknown risk.

3.   Ensure Strong Contractual Protections

If you don’t ask, you don’t get. Review the contractual requirements to ensure favorable terms from the supplier necessary to safeguard the company’s intellectual property. This may include clear language identifying the confidential material, prohibitions on wrongful disclosure, auditing rights, further assurances, and return of material on termination of the contract. For jurisdictions with weak laws on trade secret misappropriation, arbitration may be a preferable contractual remedy for a dispute. Limit the supplier’s ability to subcontract and/or retain the right to inspect or refuse the supplier’s subcontractors.

4.   Take Appropriate Operational and Security Measures

Building an internal culture of compliance communicates the value of the company’s intellectual property assets to employees who will interact with your supply chain vendors. With favorable contractual terms permitting inspection and auditing rights of the supply chain vendor, budget for periodic audits and exercise those rights. A vendor may not tell you about a data breach affecting your trade secret unless your contract requires it, and you may never know if you don’t inspect. Review of the vendor’s compliance with the strong contractual protections is necessary to identify any problems.

5.   Take Appropriate Action After the Business Relationship Ends

Departing employees should be reminded of their nondisclosure agreement obligations. Return of company materials and electronic access rights must be rigidly and timely enforced. Where appropriate, it may be prudent to advise a competitor who has hired an ex-employee of the ongoing duty not to disclose the company’s trade secrets.