|
Each
of the threats outlined above raises different legal issues
and calls for different preventive measures.
A.
Company Websites
A company
has control over what appears on its Website. While corporate
Websites serve primarily to advertise to customers or to
provide information to investors, competitors often access
them. Thus, businesses should carefully control the content
of their sites, since the appearance of trade secrets there
could divest such information of trade secret protection.
See, e.g., EarthWeb v. Schlack, 71 F. Supp. 2d 299
(S.D.N.Y. 1999), aff'd after remand, 2000 U.S. App.
LEXIS 11446 (2d Cir. 2000).
A business
should have a process of reviewing postings before making
them. This should involve personnel who understand what
information the company wishes to maintain confidential.
Large organizations may wish to include representatives
of several departments, since different groups may not fully
appreciate the sensitive nature of information of others
within the company. The review process should also guard
against disclosure of third party information that the company
may possess by virtue of business relationships with outside
parties.
An experienced
user may also be able to locate source code for the software
that generates the graphics and other matter for a Website.
The site owner may wish to protect the concepts that may
be revealed by a look at the source code - as distinguished
from the literal language of the code, which can be protected
by copyright. The best way to protect against misuse is
to write the software in a manner that does not reveal the
entire source code, but rather includes only instructions
to execute certain programs that reside on the Web server
and not the site (and hence the user's computer) itself.
A less reliable alternative is to require the user to affirmatively
click to signify an intent not to reproduce or disclose
such information as a condition of accessing the computer
program and the underlying source code. Simply running a
banner stating that the information is a trade secret without
requiring affirmative assent to treat it as such will likely
not be viewed as a reasonable precaution to maintain the
secrecy of a program posted on a generally and freely accessible
Website as distinguished from an intranet or extranet that
may be governed by additional contracts.
Website
development by third party contractors also requires special
precautions. The site owner, in addition to providing by
appropriate assignments and work-for-hire agreements that
it owns all of the material on the site and all of the programming
used to create it, should also obtain an agreement obligating
the Website developer to maintain the confidentiality of
such materials and of all business information the company
may provide to the developer in connection with its engagement.
B.
E-Mail
1.
Transmission
In most
cases, there is little practical risk that specific e-mails
will be intercepted by third parties during transmission.
Information travels over the Internet in "packets" that
all may reach their final destination by different paths.
And, while e-mails sent via a service provider such as AOL
may remain intact with the service provider and theoretically
could be accessed by the provider itself or someone who
breaks into the provider's files (in addition to the intended
recipient), the likelihood of such access from among millions
of files is extremely unlikely. Intercepting e-mails also
violates the Electronic Communications Privacy Act ("ECPA"),
25 U.S.C. §§ 2510 et seq.
However,
human error can cause an e-mail to go to an unintended recipient.
As a reasonable measure to maintain the confidentiality
of such information, the sender can accompany it with a
legend advising an unintended recipient to return and permanently
delete any such misdirected e-mail.
An employee
also may e-mail trade secrets intentionally, to spirit them
away for purposes such as forming a competing venture. Such
unauthorized disclosure is actionable as trade secret misappropriation.
See, e.g., Cal. Civ. Code §§ 3426.1(a),(b). Any recipient
of information acquired by such "improper means" may be
enjoined from using or keeping it. Id. and § 3426.2(a).
Acquisition by "improper means" likewise subjects a hacker
to such a remedy for trade secret misappropriation. Id.
2.
Retransmission
The
main risk of sending confidential information over the Internet
lies not in the transmission itself, but the ease with which
digitized information can be retransmitted to a virtually
unlimited audience. Some courts have held that the ECPA
does not apply to appropriation of information once received
and stored. See, e.g., Steve Jackson Games, Inc.
v. United States Secret Service, 36 F.3d 457 (5th
Cir. 1996); Wesley College v. Pitts, 974 F. Supp.
375 (D. Del. 1997), aff'd, 172 F.3d 861 (3d Cir. 1998).
But see Konop v. Hawaiian Airlines, Inc., 2001 WL
13232 (9th Cir. 2001), holding that the Act "protects electronic
communications from interception when stored to the same
extent as when in transit."
Whatever
the legal consequences, retransmission can have a severe
practical impact. A company can reduce this risk in a number
of ways:
*
Carefully consider whether to communicate the information
in digital form to these recipients. Make sure
there is a legitimate business reason for making the communication.
The Coca-Cola formula, for example, undoubtedly will never
be disclosed by that company via e-mail.
*
Take precautions surrounding the disclosure. Know
the recipient(s). Have they been reliable in the
past? Do they have an incentive to maintain the confidentiality
of the information? Restrict it solely to those with a
need to know. Put a confidentiality agreement in place
and make clear that e-mail transmissions will be subject
to it. Then, when confidential information is transmitted,
make the confidential nature of that information clear.
*
Counsel employees. Make sure they observe the
above precautions and address their e-mails carefully.
*
Implement technological protections. For particularly
sensitive information, consider making it available to
the limited number of intended recipients only over secure
intranets or extranets. Encrypt the information and make
it accessible only by password. Use tracking software.
Consider "auto-delete" features that delete particular
information on a specific schedule.
*
Monitor the process. Check periodically
to see that company-mandated safeguards are being followed.
Monitor employee e-mails. Take steps to shore up weaknesses
in the process to lessen lapses in the future.
Of course,
a number of business and practical considerations may impact
the extent to which a company chooses to implement any,
some or all of the foregoing strategies. The extent of a
company's trade secret information, the degree of its sensitivity,
the competitive consequences of disclosure beyond the intended
audience, the cost of protections and the availability and
usability of technological measures all enter into the equation.
3.
Trade Secret Implications
Whether
information is encrypted or not, the mere act of transmitting
it over the Internet should not be held to destroy any expectation
of privacy. In a related context, a number of bar associations
have issued ethics opinions that communications between
attorney and client over the Internet need not necessarily
be encrypted to be protected, since accessing such communications
without authorization would be unlawful. See, e.g., Delaware
State Bar Ass'n Comm on Prof'l Ethics, Op. 2001-2; ABA
Comm on Ethics & Prof'l Responsibility Formal Op'n 99-143
(March 10, 1999), www.abanet.org/cpr; NY St. Bar Ass'n Comm.
on Prof'l Ethics Op'n 709 (Sept. 16, 1998), www.nysba.org/opinions.
Besides
achieving greater practical protection, though, the more
a company does to protect its e-mail transmissions of sensitive
information, the more readily it can show that it has taken
reasonable steps to preserve the confidentiality of its
information, to satisfy that element of the trade secrets
test. See, e.g., United States v. Keystone Sanitation
Co., 903 F. Fupp. 803 (M.D. Pa. 1995) (providing sensitive
information over "intranet" with secure firewall preventing
against potential retransmission over the external Internet
held to maintain a reasonable expectation of privacy). And,
the more widespread and economical technological protections
become, the more they may set the legal standard for what
steps are legally required to constitute reasonable measures
to maintain secrecy. Further, as particular safeguards become
widely available, it may become necessary for companies
or attorneys transmitting third party secrets by means of
the Internet to put the trade secret owner on notice that
it is not using all existing protections to secure the transmission.
Cf. N.Y. Eth. Op. 709.
C.
Discussion Groups
"Chat
rooms" present perhaps the greatest threat to owners of
trade secrets. Once a trade secret finds its way to one
of these locations in cyberspace, its owner will have a
difficult time ever regaining control of it. Recovery -
or, at least, damage control - may require litigation.
Litigation
against third party posters (or disgruntled employees or
others who originally had legitimate access to the secret),
poses its own problems. So can measures one might take before
resorting to the courts, such as demanding that chat room
participants or the Internet Service Provider (ISP) remove
the offending materials. The ISP may not cooperate, and
users who have already manifested a disregard for the intellectual
property rights of others may well respond by stepping up
both their rhetoric and their infringing activities.
D.
Litigation Issues
1. Whom (or What) to Sue
The
first step in many lawsuits following an improper posting
of secrets on the Internet often includes ascertaining the
identity of anonymous posters. A trade secrets owner may
sue a number of unnamed defendants and attempt to subpoena
the ISP for information to identify those "John Does." In
some cases, ISPs have complied. See, e.g., Raytheon v.
Does 1-21, No. MICV 99-00816F (Mass. Super. Ct., filed
02/11/99). In other cases, courts have quashed subpoenas
absent notice of the subpoena by the ISP to the poster and
a strong showing of need or a prima facie case. See,
e.g., In Re 2TheMart.com Inc. Securities Litigation,
Case No. SACV-9901127 (W.D. Wash. Apr. 19, 2001) (quashing
subpoena on grounds that poster has First Amendment right
to anonymity that can be overcome only by showing that identification
is central to a claim or defense in the case).
Alternatively,
as an approach that may lead to more expeditious relief,
a plaintiff could proceed in rem and obtain an injunction
against the posting, and provide notice thereof on the affected
sites.
2. Remedies and Risks
Once
a defendant has been identified, an action can be brought
directly for trade secret misappropriation. Civil remedies
include injunctive relief, actual damages from the misappropriation
(including the loss of the value of the trade secret), profits
derived from the illegal use, exemplary damages and/or a
going-forward royalty, plus attorneys' fees. See, e.g.,
Cal. Civ. Code §§ 3426.2-3426.4.
Trade
secrets litigation can itself pose the threat of further
exposing the very secrets one wishes to protect. The Trade
Secrets Act authorizes measures to limit disclosures in
litigation, and the attendant risk of further misappropriation,
by imposing protective orders, limiting disclosure to certain
persons, sealing court records and restricting access to
court proceedings. See, e.g., Cal. Civ. Code § 3426.5.
Such measures help, and should be pursued fully by trade
secrets plaintiffs, but cannot necessarily guarantee against
disclosure of all information, inadvertent or otherwise.
3.
Defenses
Recently,
those who post trade secrets or provide the chat rooms or
Websites to do so have had some success in invoking the
First Amendment as a defense to claims for injunctive relief
(as opposed to ultimate inability and damages). While enjoining
actual or threatened disclosure by "traditional" means has
presented little problem for the courts - and is specifically
authorized by the Trade Secrets Act, e.g., Cal. Civ.
Code § 3426.2(a) - the prospect of preliminarily enjoining
the potentially much more harmful dissemination of trade
secrets via the Internet has raised free speech concerns
in some courts.
In
Ford Motor Co. v. Lane, 52 U.S.P.Q. 1345 (E.D. Mich.
1999), the trial court recognized that defendant's posting
of plaintiff's confidential documents would constitute a
misappropriation of trade secrets and might even constitute
a criminal offense, but concluded issuing a preliminary
injunction against the posting would abridge the poster's
First Amendment rights. The Court observed that had the
defendant been party to a non-disclosure agreement or been
under a fiduciary duty to Ford, a preliminary injunction
would have been permissible. Since the defendant was a "mere"
third party, however, the Court concluded a preliminary
injunction would be an impermissible prior restraint. In
DVD Copy Control Ass'n v. Bunner, 93 Cal. App. 4th
648 (2001), the California Court of Appeal reversed the
grant of a preliminary injunction, holding that plaintiff's
claim of trade secret protection over the DVD encryption
code could not overcome defendant's First Amendment right
to publish a program - held to constitute fully protected
speech - that breaks the code. Damages, however, for the
destruction of plaintiff's intellectual property, remain
a theoretical, if not necessarily practical, remedy.
By contrast,
the court in Conley v. DSC Communications Corp.,
1999 WL 89955 (Tex. App. 1999) (unpublished decision), rejected
a First Amendment overbreadth challenge to a temporary injunction
against disclosure of trade secrets, since an injunction
was the only effective way to prevent destruction of the
trade secrets at issue. The danger, of course, is that once
a trade secret is published on the Internet, if an injunction
does not lead to its prompt withdrawal, the secret may be
lost forever-and hence destroyed. forever.
Certainly,
though, and the courts recognize, one who has placed another's
trade secrets on the Internet without protection should
not be able to avoid liability by contending that his own
act of publication has caused the plaintiff to lose whatever
trade secret protection it claims. It is less clear whether
innocent third parties become free to access and freely
retransmit such information. The fact that information has
been made available over the Internet does not mean it has,
in fact, become generally known. An unpublished decision
issued in the same case subsequent to the initial decision
in Religious Technology Center v. Netcom On-Line Communication
Services, Inc., 923 F. Supp. 1231 (N.D. Cal. 1995) concluded
that that issue cannot be decided according to a per se
rule, but rather requires a case-by-case factual determination.
The
trial court in Bunner felt likewise. The California
Court of Appeal, though it reversed the grant of a preliminary
injunction, did not quarrel with the notion that plaintiff
had a protectable trade secret interest in the DVD encryption
code. Rather, it held only that the defendants' First Amendment
right to publish the decryption code outweighed that interest
to the extent of barring a preliminary injunction as a remedy
for misappropriation. Plaintiff has sought review of that
ruling by the California Supreme Court.
IV.
CONCLUSION
California's
Bunner decision conflicts with the Second Circuit's
affirmance of a preliminary injunction and rejection of
a First Amendment defense by posters of the DVD decryption
code - albeit on copyright, rather than trade secret, grounds.
Universal City Studios, Inc. v. Corley, 2001 U.S. App.
LEXIS 25330, 60 U.S.P.Q.2d (BNA) 1953, Copy. L. Rep. (CCH)
28,345 (2d Cir. November 28, 2001). Higher courts may well
resolve, or at least further explore, this conflict.
Clearly,
however, court action affords the slowest and least predictable
means to protect one's trade secrets. While a potential
plaintiff must know its rights and available remedies, it
can protect itself better up front by intelligent business,
contractual and technical measures.
|
