What the FBI’s “Project Titan” Criminal Complaint Reveals About Trade Secret Protection Efforts

Author: Louis Dorny

The FBI’s affidavit presented in support of a January 22, 2019 criminal complaint provides a rare glimpse into Apple’s effort to maintain trade secrets in its secretive Project Titan self-driving car operation. This glimpse was rare because any detailed effort to protect intellectual property in the form of a trade secret is often kept quiet to avoid providing any aid to a would-be thief.

The Background

Widely reported in recent days is the announcement of a second employee in six months to be accused by the FBI of stealing trade secrets from Apple’s self-driving car unit, known as “Project Titan.” Now, the feds have unsealed the January 22, 2019 criminal complaint against Jizhong Chen, a PhD-trained employee of Apple on the Project Titan team as a hardware developer. As alleged, Apple discovered the existence of over 2,000 photographs on Chen’s personally-owned computer, and subsequently learned Chen applied for two external jobs, including one at a China-based autonomous vehicle company — a purported direct competitor. Chen advised Apple he planned on leaving the country for China on January 22, 2019. The criminal complaint was filed the following day in the Northern District of California.

Apple was alerted to Chen after fellow employees spotted him taking photographs of the workspace where the project takes place. The FBI says Chen told Apple’s global security team that he backed up his work computer to a personal hard drive and computer as an insurance policy after being placed on a performance improvement plan by Apple. Apple’s security team found Chen had “over two thousand files containing confidential and proprietary Apple material, including manuals, schematics, and diagrams,” according to the charging document.

Not A Trade Secret Unless You Restrict Access

Similar to many jurisdictions that follow the Uniform Trade Secret Act (“UTSA”), California has specific requirements to protect against misappropriation of trade secrets. To qualify as a trade secret under section 3426.1 of California’s Civil Code, the owner of the trade secret must establish two elements: First, the trade secret must derive actual or potential independent economic value from not being generally known to the public or to other persons who can obtain economic value from the use or disclosure of the claimed secret. Second, the entity claiming trade secret must establish that it undertook “reasonable efforts under the circumstances” to maintain the secrecy of the trade secret.

So How Does Apple Restrict Access?

Excerpted below with highlighting supplied are paragraphs from the eight-page complaint, which can be found here.

Three software controls are evident to protect data. First, each user requires a password to access a database. Second, database access is restricted to a subset of project employees—likely on a need-to-know basis. Third, all access to information  is logged and therefore capable of audit. An administrator must approve access. None of this is surprising. It has long been true that information stored on computer must require some reasonable form of restricted access. Morlife, Inc. v. Perry, 56 Cal.App.4th 1514, 1523 (1997). Trade-secret protection programs need not be as extensive as this to qualify under the statute. The standard is reasonable, which changes depending on the circumstances.

Physical access is restricted by limiting access to “core” employees with badge access while keeping the whereabouts secret. Such efforts are costly and likely warranted on “Project Titan,” but may be cost-prohibitive elsewhere. Again, efforts required to maintain secrecy are those that are “reasonable under the circumstances.” Moreover, “[t]he courts do not require that extreme and unduly expensive procedures be taken to protect trade secrets against flagrant industrial espionage. It follows that reasonable use of a trade secret including controlled disclosure to employees and licensees is consistent with the requirement of relative secrecy.” UTSA, Comment to § 1 (citation omitted); Senate Comment (1984) to California Civil Code § 3426.1.

While essential to put an employee or contractor on notice of the claim of a protected trade secrets with some specificity, a company would be unwise to rely on confidentiality agreements alone as a sufficient secrecy program. Courts have held that “[r]equiring employees to sign confidentiality agreements is a reasonable step to insure secrecy.” Whyte v. Schlage Lock Co. 101 Cal.App.4th 1443, 1454 (2002); MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511, 521 (9th Cir. 1993) (applying California version of UTSA).

Training is often the weak link in an IP protection program due to cost or overreliance on employee agreements. Training is also a problem at the management level, which may not have a firm grip just what exactly compromises the trade secrets. On Project Titan we learn the most interesting tips of all: 1) training includes the importance of keeping details secret and avoiding intended and inadvertent leaks; 2) methods of ensuring protection of trade secrets, as well as device-specific policies; and 3) transmitting documents using secure mechanisms. In sum, an employee who has access to company trade secrets must know what is considered a trade secret. the contours of permissible use and the consequences of misuse—which can only be understood through an active effort to train. While no case in California has held that the failure to implement a training protocol for employees is unreasonable, that case may not be far off.

About the author: Lou Dorny is a partner in Gordon Rees Scully Mansukhani’s Intellectual Property and Commercial Litigation Practice Groups. His practice focuses on intellectual property and high-technology matters, with a particular emphasis on trade secrets. Mr. Dorny’s biography can be found here.

Five Steps to Lower the Risk of Trade Secret Theft from Business Partners

As stories of international and domestic hacking and espionage dominate the news cycle, it’s easy to forget that when it comes to trade secrets, employees and business partners—not hackers—pose the biggest threat. See David S. Almeling et al., A Statistical Analysis of Trade Secret Litigation in Federal Courts, 45 Gonz. L. Rev. 291 (2009/2010).

In a recent webinar, Gordon & Rees addressed protection of trade secrets and proprietary information from employee theft. Here, we address some steps to help prevent business partners from misusing your trade secrets.

  1. Identify your trade secrets and control access to them

Before any agreements are drafted or any information or documents are exchanged, be sure you have identified your trade secrets (see also the definition under the Uniform Trade Secrets Act). You can’t protect them unless you know what they are. This sounds like common sense, but surprisingly, in the hustle and bustle of everyday work, not all companies take the time to do this until they’ve realized their trade secrets have ended up in the wrong hands. (Unless it is appropriate for your industry, referring to everything as a “trade secret” is not helpful, either—for example, your business partners are less likely to take your actual trade secrets seriously if you claim that information you have made public are also trade secrets.)

A trade secret “registry” could be considered favorable evidence in court—as long as it is timely updated and actually distributed to employees. See Schalk v. State, 823 S.W.2d 633, 643 (Tex. Crim. App. 1991). This registry will also help your own employees with the marking the proper designations when such information is exchanged with a business partner.

Securing your trade secrets in-house will not only help your case in court, it also helps when it comes to disclosure to third parties, particularly inadvertent disclosure. Chances are, not every employee will require access to every trade secret. Secure physical and electronic access to the appropriate trade secrets to the appropriate personnel.

What measures are appropriate will depend on the circumstances and will likely evolve with time and technology. Information stored on secure servers that had three layers of physical security passwords, 256-character PuTTY keys, with portions possessed by only a single person was found by a court sufficient evidence for a jury to conclude that a trade secrets owner took appropriate measures to protect its trade secrets. Xtec, Inc. v. CardSmart Techs., Inc., No. 11-22866-CIV-ROSENBAUM, 2014 U.S. Dist. LEXIS 184604, at *26 (S.D. Fla. May 15, 2014).

On the other hand, where information was distributed to 600-700 people where at most only 190 people signed confidentiality agreements, and where that same information was not stamped as “confidential,” a court found that no reasonable jury could conclude that “reasonable efforts” were made. Tax Track Sys. Corp. v. New Inv’r World, Inc., 478 F.3d 783, 788 (7th Cir. 2007).

  1. Draft tailored non-disclosure agreements (“NDAs”)

Before any information is exchanged with a business partner, have your attorneys help you draft a non-disclosure/confidentiality agreement tailored to the arrangement. Not only will this agreement help you in case you need to litigate the matter, it will provide the protocols for your business partner to follow.

Some provisions you and your attorneys will want to consider are the return/destruction of trade secrets at certain stages (and certainly when the relationship is terminated), a perpetual non-disclosure and non-use clause when it comes to trade secrets (as opposed to an expiring one), how trade secrets will be identified/marked (and the ability to later identify/mark previously exchanged documents), and requirements for the business partner’s employees to sign individual NDAs and/or obtain training on how to handle trade secrets.  This is not an exhaustive list—work with your attorney to flesh out the agreement.

Be wary of stock or template agreements; many of them may not contemplate the specific issues that may arise in your situation. Many “standard” agreements also contain language that relieve the business partner of its contractual obligations of non-disclosure and non-use as soon as the trade secrets are made public—without specifying that such public disclosure must have been authorized by the owner of the trade secret, and without giving the owner the chance to mitigate the effects and damage of the unauthorized disclosure.

But no matter how perfect the agreement, it won’t matter if it isn’t properly implemented.

  1. Train your own employees

Identify all the employees who will be corresponding with the business partner and make sure you train them. Let them know what information can be exchanged, what cannot, which individuals from the business partner they can exchange information with. Provide them with a written checklist and designate a person most knowledgeable—or better yet, a specialized team to direct their questions to. This team should also conduct some “spot checks” throughout the relationship to make sure protocols are being followed.

If the relationship with the business partner will span more than a couple months, also have a plan in place to retrain your employees in regular intervals.

  1. Train the business partner’s employees

Even if you require individuals from the business partner’s company to sign an NDA, that may not be enough. You may want to provide the partner’s employees with the necessary training, or at least provide the partner with the necessary materials to provide the training themselves (and require them to do so as part of the NDA). Regularly communicate with the partner to make sure they are protecting your trade secrets, and have your employees and your specialized team pay attention to how the business partner is using this information as well.

  1. Create a contingency/emergency plan

Did an employee send a trade secret to the business partner without marking it as such? Has the business partner communicated plans that may violate the NDA?  Has the relationship with the business partner begun to go sour?

Your team should already have a contingency plan in place to deal with these—and other—situations, and protocols to continually improve security and access. Make sure you follow through on enforcing contractual provisions, and make sure you act swiftly.

In closing, remember that when dealing with trade secrets or handling other proprietary, confidential or otherwise private information, nothing beats being prepared.

Notice Requirements for Employers Under The Defense of Trade Secrets Act

Trade secrets have historically been protected by a patchwork of various state statutes. With the passage of the Defense of Trade Secrets Act (DTSA) on May 11, 2016, trade secrets now have uniform protection under federal law by a powerful set of enforcement tools that can be used in federal court nationwide. The DTSA also grants whistleblower immunity to those who disclose trade secrets to the government for the purpose of reporting suspected illegal conduct.

The DTSA imposes an obligation on employers to notify all employees and contractors that they are entitled to whistleblower immunity. This notice must be provided in every contract with an employee or contractor that governs the use of a trade secret or other confidential information. Applicable contracts may include employment applications containing contractual language, employment agreements, restrictive covenants, non-disclosure agreements, compensation agreements, separation agreements, BYOD agreements that contain confidentiality language, and confidentiality stipulations (entered in lieu of protective orders in court).

If an employer fails to provide the required notice, the DTSA precludes awards for exemplary damages or attorney’s fees in any action against an employee to whom notice was not provided. In view of the many eight- and nine-figure verdicts rendered in recent trade secret cases, this penalty can be substantial.

The DTSA does not articulate specifically what must be included in the notice. While more detail is better than less, anything short of a full verbatim recitation of all of the immunity provisions in the DTSA creates the risk that such notice will be challenged as insufficient. Accordingly, the only way for an employer to eliminate this risk entirely is to provide the complete text of the immunity provisions in the DTSA with every contract that governs the use of a trade secret or other confidential information.

In an apparent recognition of the difficulty of including all of the of the immunity provisions within the text of every such contract, the DTSA provides that employers will be considered in compliance with the notice requirement if they simply provide a “cross-reference” in such contracts to something it calls a “policy document.” According to the DTSA, this policy document must: (1) be provided to the employee or contractor (presumably concurrently with the execution of the contract or agreement); and (2) set forth the employer’s whistleblower policy.

While an employer’s option of only referencing a policy document relieves the burden of including lengthy notice provisions in every agreement, it sheds no light on the what must be included in that document. Ideally, a detailed policy document should identify which individuals are protected, what conduct is protected, and should provide instructions on how to report possible violations of law to appropriate authorities. But, as with providing such notice in contracts themselves, anything less than a complete recitation of the immunity provisions of the DTSA carries risk. Thus, the safest course for an employer to take in crafting its policy document would be to include the entirety of the immunity provisions of the DTSA.

Recommendations

There are several things employers can do to ensure compliance with the DTSA notice requirements, and to minimize the risk of losing the ability to recover exemplary damages and attorney’s fees in future trade secret litigation:

  • Review and update all agreements with employees and contractors which reference confidentiality to ensure that appropriate language is included in all of such agreements going forward.
  • Create a DTSA policy document to be given to every employee and contractor with every contract which references confidentiality.
  • Require all suppliers, vendors, and any other contractors whose employees have access to trade secrets or confidential information to provide appropriate notice to their employees.
  • Verify compliance with the DTSA notice requirements by having counsel review all standard contracts and company policy documents to make sure they contain the required language.

The Rise of Federal Trade Secret Protection

It is done. President Obama signed into law the Defend Trade Secrets Act of 2016 (“DTSA”), the nation’s first federal trade secret protection act with civil remedies. The DTSA is effective May 12, 2016 for any misappropriation (as defined in the statute) “for any act which occurs on or after the date of the enactment of this Act.”

The DTSA does not preempt states’ trade secret laws; those state laws remain in effect. Accordingly, there is no requirement that a party even allege a DTSA claim when pursuing a trade secret action. Strategic consideration must be given to bringing a DTSA claim and the impact on jurisdiction. A plaintiff that prefers litigating in state court may wish to forego adding a DTSA cause of action to the lawsuit because doing so would create a federal question. If a state court lawsuit alleges a DTSA claim, the defendant may remove the case to federal court.

Remedies under the DTSA include damages for the loss caused by the misappropriation, damages for unjust enrichment, and injunctive relief for any actual or threatened misappropriation. If a plaintiff can establish that the trade secret was “willfully and maliciously appropriated,” the court can award exemplary damages of up to two times the amount of actual damages. For bringing a claim, reasonable attorney’s fees may also be awarded to the prevailing party, as well as to a defendant if the claim of misappropriation is made in bad faith.

Once an afterthought, trade secrets were the last of the four major types of IP—patent, copyright, trademark, and trade secret—recognized by the courts, and the basic elements of the tort of trade secret misappropriation have been recognized since only the late 1800s and early 1900s.¹ However, as we reported here, the number of trade theft continues to rise, and by one metric, doubled between 1995 and 2004. Until now, trade secrets were the only major type of intellectual property not backed by U.S. federal civil remedies to compensate owners for theft.

_______________________________________________________________________

¹ Catherine L. Fisk, Working Knowledge: Trade Secrets, Restrictive Covenants in Employment, and the Rise of Corporate Intellectual Property, 1800–1920, 52 HASTINGS L.J. 441, 441 (2000)

Does Your Business Need a Trade Secret Audit?

A trade secret audit evaluates and reports on the status of your business’ trade secrets.  A trade secret audit outlines considerations relevant to your ability to secure, protect and enforce your trade secrets and, if desired, provides an appraisal of the value of these trade secrets.

To know if you need a trade secret audit, consider:

  • Does your business rely on information that is not readily known to others and that provides a business advantage over your competitors and do you require a confidential disclosure agreement to be signed to see such information?
  • Does your business have and maintain a trade secret program?
  • Does your business monitor terminated employees, the single largest reason trade secrets are lost?
  • Does your business permit others to examine and use your trade secrets, do you require a use license and do you have copies of these agreements?
  • Does your business use trade secretsof others and do you require maintenance of these outside trade secrets?
  • Do you have copies of authorizations to examine and use the trade secrets of others?

Your answers to these questions will indicate if it is time to contact an IP audit specialist to ask about a trade secret audit.

The Secret to Success: Use of Trade Secrets Warrants Damages Equal to License Price

On April 22, the California Court of Appeal, Sixth Appellate District, held that the use of trade secrets warrants damages equal to the license price, not the purchase price.

Grail Semiconductor, Inc. invented a new, faster microchip.  The chip used induction to collect electric charges and accelerate computer processes.  Grail discussed the induction technology in 2001 with Mitsubishi Electric, Inc.  Mitsubishi signed a nondisclosure agreement and attended a presentation, but refused to invest.  Mitsubishi’s subsidiary then began to manufacture products with the same inductive design only three years later.

Damages for the breach of a nondisclosure agreement typically reflect the stolen property’s value.  “Value,” however, is a vague term.  It might mean 1) purchase price; 2) projected royalties; or 3) actual profits.  The jury defined “value” as the purchase price.  It awarded around $123 million, the amount for which Grail could sell the technology.  Its calculations reflected projected profits in Grail’s business plan.

However, the jury’s calculation method was not valid.  The appellate court held in Grail Semiconductor Inc. v. Mitsubishi Electric & Electronics USA, Inc., case number 1-07-CV098590, that damages should reflect the price to license the product, not purchase it.  Mainly, Grail could lease the technology to other companies, despite the misappropriation.  The technology, therefore, retained most of its value; Grail and Mitsubishi were the only two companies that knew it.

Furthermore, the court refused to grant a JNOV as Mitsubishi was still liable – it just owed less money.  It also said that damages were a sufficient remedy, though the nondisclosure agreement required an injunction.  Ultimately, it ordered a new trial so a different jury could correctly compute damages.

Consequently, the improper use of trade secrets may warrant fewer damages than disclosure. Plaintiffs who sue for the illicit use of trade secrets may need to consider accepting lower settlement offers.  They might also want to describe a marketing strategy for which mere use of a trade secret completely impairs its value.

Five Tips to Avoid Theft of Trade Secrets in Your Supply Chain

Trade secret theft is illegal and commonplace. A 2010 report found the number of trade theft cases in federal court doubled between 1988 and 1998, and doubled again between 1995 and 2004.

IP graphWhile external threats (e.g. data thieves) and internal threats (e.g. negligent or rogue employees) comprise the majority of bad actors in the theft of trade secrets, supply chain relationships provide additional vulnerabilities. This is because when corporations outsource, they share highly sensitive and valuable trade secrets with foreign subsidiaries, joint-venture partners and third-party vendors. Examples include customer lists, manufacturing processes, production and sales strategies. A 2013 report issued by the Center for Responsible Enterprise and Trade (CREATe.org) contains numerous tales of trade secret thievery and provides practical guidance on securing supply chains and mitigating risks associated with trade secret theft. Read the report in full here, or consider our summary of the five practical tips its authors provide:

1.   Conduct a Strategic Assessment of the Company’s Trade Secrets

Establish an internal trade secrets program and identify who is charged with ensuring compliance (e.g. chief security officer or general counsel). What the company considers confidential should not be a mystery to the corporate officers and should be clearly and repeatedly communicated to employees. Strictly limit access to the confidential materials as necessary to perform job functions. Consider which trade secrets really need to be transferred to suppliers. As the CREATe report notes, segmenting a manufacturing process across multiple suppliers is one way to ensure the company’s intellectual property is not concentrated in one place for thieves to steal.

2.   Conduct Appropriate Contractual Due Diligence

Does the supplier have a reputation for intellectual property rights violations, trade complaints or export control issues?  Has anyone asked? Verify that the supplier had implemented nondisclosure agreements with its employees and consultants.  Outsourcing may reduce costs, but without thorough due diligence, the corporation exposes itself to unknown risk.

3.   Ensure Strong Contractual Protections

If you don’t ask, you don’t get. Review the contractual requirements to ensure favorable terms from the supplier necessary to safeguard the company’s intellectual property. This may include clear language identifying the confidential material, prohibitions on wrongful disclosure, auditing rights, further assurances, and return of material on termination of the contract. For jurisdictions with weak laws on trade secret misappropriation, arbitration may be a preferable contractual remedy for a dispute. Limit the supplier’s ability to subcontract and/or retain the right to inspect or refuse the supplier’s subcontractors.

4.   Take Appropriate Operational and Security Measures

Building an internal culture of compliance communicates the value of the company’s intellectual property assets to employees who will interact with your supply chain vendors. With favorable contractual terms permitting inspection and auditing rights of the supply chain vendor, budget for period audits and exercise those rights. A vendor may not tell you about a data breach affecting your trade secret unless your contract requires it, and you may never know if you don’t inspect. Review of the vendor’s compliance with the strong contractual protections is necessary to identify any problems.

5.   Take Appropriate Action After the Business Relationship Ends

Departing employees should be reminded of their nondisclosure agreement obligations. Return of company materials and electronic access rights must be rigidly and timely enforced.  Where appropriate, it may be prudent to advise a competitor who has hired an ex-employee of the ongoing duty not to disclose the company’s trade secrets.