
TRADE SECRETS - New Identity Theft Law Enacted

Attached is an article from The National Law Journal that was authored by Dorsey & Whitney partners Nick Akerman and Gabrielle Wirth explaining how your company can avoid liability under the new California Data Protection Act, which becomes law today, July 1, 2003.

This new law requires companies doing business in California (whether or not they have an office there) to notify individuals when they suspect that their personal data has been stolen. Complying with that law presents enormous challenges to companies located both inside and outside of California.

Companies can immediately respond to the new California statute by:

· establishing appropriate employee training and company policies to protect computer data, and avoid the threat of punitive damages;

· developing a comprehensive, proactive plan to protect computer data from theft by hackers as well as competitors engaged in economic espionage; and

· auditing the company’s Internet policies and computer network to ensure that it is prepared to take aggressive actions under the federal Computer Fraud and Abuse Act against data thieves.

Dorsey & Whitney is working with outside experts in protecting computer data – a software encryption company, Liquid Machines, and a computer forensics company staffed with former FBI computer fraud experts – to provide legal and practical responses to the new California statute.

Nick Akerman (New York Office) 212-415-9217

Gabrielle Wirth (Southern California Office) 714-424-5590

*********************************

TRADE SECRETS

THE NATIONAL LAW JOURNAL MONDAY, JUNE 16, 2003

By Nick Akerman
and Gabrielle Wirth

Nick Akerman is a partner in the New York office
of Minneapolis-based Dorsey & Whitney,
and Gabrielle Wirth is a partner in the firm’s
Irvine, Calif., office.

A NEW CALIFORNIA statute designed to
protect the public from identity
theft and scheduled to become
effective on July 1 promises to have
a profound effect on how major corporations
both in and out of California will
protect their valuable computer data and
trade secrets.

This new law, California Civil
Code § 1798.82, et seq., requires any business
or person who “maintains computerized
data that includes personal information that
the person or business does not own…[to]
notify the owner or licensee of the information
of any breach of the security of the data
immediately following discovery, if the personal
information was, or is reasonably
believed to have been, acquired by an unauthorized
person.” § 1798.82(b).

The statute’s purpose is to provide sufficient
notice to individuals whose personal
information has been stolen so that they can
prevent the information from being used by
thieves to assume their identities for the purpose
of stealing their bank funds or buying
merchandise with their stolen credit card or
debit card information.

In enacting this statute, the California
Legislature recognized that “[i]dentity theft
is one of the fastest growing crimes committed
in California” and that “[c]riminals who
steal personal information such as social
security numbers use the information to
open credit card accounts, write bad checks,
buy cars, and commit other financial crimes
with other people’s identities.”

Thus, the statute covers private information,
such as a Social Security number, driver’s
license number or a credit or debit card
number. While the statute expressly exempts
“publicly available information that is lawfully
made available to the general public from federal,
state or local government records,” the
number of businesses that maintain simply an
individual’s Social Security number is likely
staggering.

For example, every employee
record contains the employee’s Social Security
number, and banks and insurance companies
use Social Security numbers to identify and
keep track of their customers. And employers
whose employees travel keep driver’s license
numbers for insurance purposes.

Applies to any company
doing business in California

The reach of this statute is expanded by
its explicit application not just to businesses
located in California, but to any business
“that conducts business in California.” §
1798.82(a). The statute also expressly provides
that failure to provide the notice
required by the law can result in damage suits
by “any customer injured” (which could also
include class actions) and injunctive relief. §
1798.82(a)(b)(c). In addition, U.S. Senator
Dianne Feinstein, D-Calif., is sponsoring a
bill in Congress to make this California
statute national law.

Even though this statute will provide a
powerful incentive for companies to protect
a relatively narrow segment of the valuable
computer data maintained on their computer
networks, a savvy company will extend the
same protections to all valuable company
computer data. More than 90% of information
created today by corporations is maintained in
electronic form. See findings of a study at the
University of California at Berkeley, Peter
Lyman and Hal R. Varian, “How Much Information?”
at http://www.sims.berkeley.edu/research/projects/how-much-info.

For that reason, the types of information that should be protected simultaneously with
the personal information covered by the
California statute are the traditional types of
trade secret and confidential and proprietary
information such as marketing plans and
strategies, customer information, acquisition
strategies, product plans and manufacturing
processes.

The marginal cost of broadening
the scope of protection to all such valuable
computer data, if not de minimis, is clearly
worth the extra cost. There are several ways
to accomplish this protection, while at the
same time meeting the new obligations
posed by this new California statute.

First, the simplest way to avoid liability
under the statute and protect all of the company’s
computer data is simply to encrypt it,
scrambling the data systematically and permitting
it to be opened strictly through a
password.

The new statute applies only to
“unencrypted personal information.” This
raises the question of whether the statute
covers an insider thief who removes the
encrypted data and then opens the encryption
to obtain the personal information to
commit identity theft.

While the statute does
not appear to apply once the personal data is
encrypted, the ultimate protection is to use
encryption software that not only encrypts
the data in the network but maintains that
encryption on the data once it leaves the network,
thereby minimizing the ability of both
outsiders and insiders to break the code.

Second, computer data can be protected
by limiting access to those with a need to use
the particular data in the course of their job
duties.

As mentioned above, the California
statute covers the “unauthorized” taking of
the computer data but does not define what
is “unauthorized.” The federal Computer
Fraud and Abuse Act (CFAA), which makes
it a crime to, among other things, steal computer
data and provides for a civil cause
of action for those damaged by the theft, is
similarly predicated on the “unauthorized”
computer access. 18 U.S.C. 1030.

Under the CFAA, the courts have interpreted
“unauthorized” in its commonly
understood meaning to be access to data to
which one is not entitled. Like the California
statute, the federal courts have held an
employee’s actions to be “unauthorized”
under the CFAA when the employee is not
acting in “good faith” and has accessed the
data for the purpose of competing against his
or her employer. See, e.g., Shurgard Storage
Centers v. Safeguard Self Storage, 119 F. Supp.
2d 1121 (W.D. Wash. 2000).

The federal
courts have also found access to be “unauthorized”
when rules established by the
employer or owner of the computer data have
been violated. US Greenfiber v. Brooks, No.
Civ. A. 02-2215, 2002 WL 31834009, at *3
(W.D. La. Oct. 25, 2002).

Access can be regulated
on a ‘need to know’ basis

In addition to company policies, authorization
can also be enforced on the actual
accessed data by configuring the computer
network in such a way as to provide access
only to certain data on a “need to know”
basis. Such access can be regulated through
passwords or through policy-enforcement
software that regulates who in the company
can access particular data based on the scope
of an individual’s job.

Establishing such authorizations in the
computer network and promulgating company
rules as to which employees are authorized
or not authorized to access specified computer
data not only helps in complying with the
new California statute, it also facilitates the
company’s ability to take advantage of both
the civil and criminal remedies provided
by the CFAA if data are stolen.

Most
significantly, the CFAA allows a company
victimized by the theft of computer data or
other violations of the CFAA to seek
injunctive relief from the courts to obtain the
return of the stolen data and to prevent the
stolen data from being used in competition.

Third, computer data can be protected by
training the entire work force from top to
bottom on the importance of its protection
and the need for the immediate reporting of
thefts. A natural result of the California act
will be employers training employees to be
vigilant for thefts of personal data so that
required notices can be provided. Employee
training will be necessary for no other reason
than to avoid punitive damages under the act
so that a company can show that it alerted its
employees to the company’s responsibilities
under the act. There is, however, no sound
reason not to train employees at the same
time about the need to protect all of the company’s
computer data.

Software can track data
in and outside a network

Fourth, computer data can be protected
by using software that tracks the flow of data
inside and outside of the network. Under the
California statute, the company must form a
belief that the personal data have been
acquired by an unauthorized person. A company
is not going to want to give notice,
particularly to customers, when in fact there
is no theft of personal information.

The
problem with many companywide networks
is that they detect an intrusion into the system
but do not necessarily establish whether
data have been copied from the network.
There is commercial software that can definitively
answer that question, and obviously if
it is installed on the network to track personal
information, there is no reason not to
use it to track all of the company’s valuable
computer data. The tracking of data in and
outside of the network will also provide the
necessary admissible evidence of data thefts
to prove violations of the CFAA.

Finally, all of these actions to protect
computer data will strengthen a company’s
ability to take advantage of the civil
remedies provided under state trade secret
laws and enable it to report to the FBI violators
who can be criminally prosecuted under
the federal Economic Espionage Act, which
makes it a crime to steal trade secrets. 18
U.S.C. 1831, et seq.

Both of these state and federal statutes
require a showing that the company took
reasonable steps to protect its trade secret
information. Encrypting data, limiting data
on a “need to know” basis, training the work
force on the importance of protecting the
data, tracking the data inside the network
and being able to prove whether it leaves the
network’s firewall are all reasonable steps
that will enhance the protection of the company’s
trade secret information.

This article is reprinted with permission from the
June 16, 2003 edition of THE NATIONAL LAW
JOURNAL. © 2003 ALM Properties, Inc. All rights
reserved. Further duplication without permission is
prohibited. For information contact, American
Lawyer Media, Reprint Department at 800-888-8300
x6111. #005-06-03-0024
