Economic Espionage Act
The Economic Espionage Act details the legal framework for theft of trade secrets:
(a) Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly—
(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
(4) attempts to commit any offense described in paragraphs (1) through (3); or
(5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy, shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.
(b) Any organization that commits any offense described in subsection (a) shall be fined not more than the greater of $5,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided.
There have been several convictions under the EEA, but the true effectiveness of the law as a deterrent is questionable. The EEA has already been amended to increase penalties from a conviction, but still it seems like a drop in the bucket given the volume of IP theft. The EEA may be more effective if amended to allow for a private right of action, letting companies sue for the harm caused from theft of their IP.
On the international stage, agreements, treaties, and organizations exist but may be of limited usefulness in addressing IP theft. For some countries, economic espionage is no different from regular espionage and is considered “fair game.” With few laws under which to convict the criminals and many practical limitations, it may make more sense to understand how trade-secret crimes are perpetrated today, so that you can preempt or mitigate the harm and protect your company’s information crown jewels before the theft has transpired, than to expect real economic redress through legal channels.
10 Shocking Ways They Are Stealing Your IP and Corporate Mojo
The world of economic espionage has become rather sophisticated, and in-person theft is very different from cyber theft. When your corporate value may be in jeopardy, it is prudent to assess the risk and attempt to mitigate the issues that create the greatest risk. For example, if your organization needs engineers and hires from abroad, conducting deep background checks, and even hiring judiciously from countries that pose the greatest risk, are prudent courses of action.
If the cyber assault on your IT infrastructure suggests that the bad actors are state entities trying to exploit a weak perimeter, different fixes are needed. In that regard, IT security, although good, will never keep out all the bad actors all of the time. No matter how much money and effort you exert to solve the problem, if they want it badly enough, the cyber thieves will find a way.
What follows are the things that your company is doing wrong and the frankly shocking and brazen nature of how your people and systems are assaulted.
1. The Internet of Things (IoT) Is Awesome and Scary
The IoT involves smart devices (i.e., devices embedded with software and sensors such as copiers, medical devices, refrigerators, sports monitors, TVs, cars, music devices, etc.) that are connected to the Internet and collect and transmit information, sometimes without your knowledge. They continue to make everything interconnected and accessible, but often have limited security, making your information even more vulnerable to cyber attacks, and making it harder to calculate risk.
The prediction is an explosion of IoT and smarter and more connected devices over the next decade, which does not bode well for stemming the tide of theft of trade secrets. In other words, the IoT may be a way your trade secrets are exposed, exploited, and exfiltrated.
2. Economic Espionage as a Service
You can buy almost anything on the “dark web” that you cannot buy on the mainstream web, such as stolen credit-card numbers, stolen IP, and even IP thieves themselves. “Economic espionage attacks can be aided by espionage-as-a-service offerings that are readily available in cybercriminal underground forums and markets and the Deep Web. Attackers can easily buy the tools they need to spy on and exfiltrate highly confidential corporate data or ‘company crown jewels’ from rivals. They can even hire hackers to do the actual spying for them,” according to Trend Micro.
In addition to state actors, IP theft is now increasingly perpetrated by sophisticated cyber mercenaries. Lawyers can help address the new threats when negotiating contracts on behalf of their company: by ensuring that heightened security functionality is part of new technology purchases, by mandating that company information is stored only in hyper-secure, compliance-driven clouds, and by requiring that policy dictates encryption of information both “in flight” and “at rest.”
3. Beware of the Never-Ending Assault of Malware
Malware is malicious software that seeks to get in and grab data, spy, lie in wait to do something nefarious in the future, disrupt IT, and more. Although there are sophisticated attacks on IT security systems, many cyber attacks are successful because they bombard organizations with thousands, or even millions, of cyber assaults just to find a way into company computers. There are endless examples of hacks on U.S. companies that have caused major harm. Persistence combined with greater sophistication means cyber attacks will continue seemingly unabated.
What lawyers can do is help IT professionals combat persistence with compliance. Compliance methodology must be applied to IT and information-security policies and practices. Compliance methodology fosters institutional vigilance and “good” corporate behavior, which helps employees get it right and helps insulate the company if all else fails, as the built-in rigor manifests reasonableness. In other words, the company cares and tries, and institutionalized caring matters to shareholders, markets, the court of public opinion, courts, regulators, and the bottom line. (Randolph Kahn, Information Nation: Seven Keys to Information Management Compliance, Second Edition, Wiley Press, 2009.)
4. Grabbing Treasure Troves Undetected Has Become Easier
More and more data fits in smaller storage devices, which makes stealing more and more valuable data that much easier. Further, sending the information outside the firewall via e-mail and the IoT has been effective as well. The CIA and NSA hacks are just recent examples. Organizations are not “risk profiling” their information so that they can apply the necessary protections. The fact is that not all information is equal in value, and organizations are woefully negligent at managing to that reality. The problem is that, as information volumes increase (and they are already massive for most big companies), being vigilant about everything is impractical.
Most companies have policies that require encryption of company trade-secret information and protection of any confidential information sent outside the protected firewall. Too often, however, information travels freely without any protection or encryption outside the company. In other words, policies are not followed, which leads to exposed IP.
However, the place to start to address the issue is knowing which information deserves protection. Large companies usually have information-security classification regimes that are underutilized or improperly utilized by employees, and technology that can apply the rules “automatically” too often is not harnessed either. To protect information and IP, it must be classified as a trade secret. In any event, the law requires that reasonable steps be taken to protect IP if you want to be able to assert your legal rights, and that begins with classification as well.
Lawyers can help reinvigorate classification regimes, simplify and redraft existing classification policies, and insist on the use of encryption technology. Once again, compliance methodology can help institutionalize vigilance.
5. Demanding Code and Information and Exploiting Legally Mandated “Backdoors”
One way some countries are gaining access to U.S. IP is by requiring the transfer of your company’s information (i.e., trade secrets), including computer code, to be allowed to do business in their country. Indeed, some countries even legislate the result, according to the World Economic Forum, which stated that “China, for instance, has joined Russia in tightening the requirements placed on foreign companies to store information within national borders.”
Another way IP is extracted is by providing access to IP and computer code through “backdoors” to encryption technology. In other words, the locked door protecting your trade secrets is now unlocked. From the hearing before the U.S.-China Economic and Security Review Commission: “Recently the government in Beijing has proposed a series of regulatory provisions that would require U.S. tech companies and their foreign customers, especially financial institutions and banks, to turn over source code and encryption software, effectively creating backdoor entry points into otherwise secure networks, all being done, of course, under the guise of cybersecurity.”
Before sharing a company’s secret sauce, its lawyers must advise their clients on how to proceed, if at all, with maximum protections in place.
6. Cyber Thieves Are Successfully Exploiting Laziness and the Lack of Understanding
The Office of Personnel Management (OPM) hack and so many others were successful because proper authentication to gain access was not enforced. Many cyber hackers are successful because IT security is unimpressive at best. That is the reality, in part because there is a misunderstanding of how to keep cyber hackers away from your data, as well as a lack of vigilance in doing it. One easy solution to secure important information is to use better authentication techniques.
Two-factor authentication is the very least your company should be using. Passwords alone are not sufficient, as real hackers have technology that will crack your password in no time. Good passwords today are about concepts or ideas, not words. So instead of using “Fluffy123,” the better password is “MyLastDogAte5Shoes.” Still, that is only the first layer and not enough by itself. Every archive containing company “trade secrets” needs at least two-factor authentication, and there is confusion about what two- and three-factor authentication is, so the following is provided to clear it up:
- one-factor authentication is a unique something the employee knows, such as a strong password;
- two-factor authentication is the first factor plus something the employee possesses, such as a company ID card and security code, a security fob that generates a unique code, etc.;
- three-factor authentication adds to the above something the employee is, such as a voice scan, fingerprint, eye scan, etc.
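To show what the “something the employee knows” plus “something the employee possesses” combination looks like in practice, here is an added example that is not from the original article: the second factor is a time-based one-time code (TOTP, RFC 6238) generated by a fob or phone app from a shared secret, so a cracked password alone does not unlock the archive. The secret, salt and passphrase are constructed demo values (the secret is the RFC test secret).

```python
# Added example (not from the original article): a minimal "something you
# know" + "something you have" check. The second factor is a time-based
# one-time password (TOTP, RFC 6238) computed from a shared secret, so a
# stolen or cracked password alone cannot open the archive.
import hashlib
import hmac
import struct

# Constructed demo values; the secret is the RFC 4226/6238 test secret.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current window or +/- `window` neighbours
    (clock drift between fob and server), comparing in constant time."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Slow, salted hash so a leaked database does not yield passwords cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def authenticate(stored_hash: bytes, password: str,
                 secret: bytes, code: str, unix_time: int) -> bool:
    """Two-factor check: BOTH the password and the current TOTP must match."""
    know_ok = hmac.compare_digest(stored_hash, hash_password(password))
    have_ok = verify_totp(secret, code, unix_time)
    return know_ok and have_ok


if __name__ == "__main__":
    stored = hash_password("MyLastDogAte5Shoes")
    now = 59  # RFC 6238 test time; the code for this window is 287082
    print(authenticate(stored, "MyLastDogAte5Shoes", DEMO_SECRET, "287082", now))  # True
    print(authenticate(stored, "MyLastDogAte5Shoes", DEMO_SECRET, "000000", now))  # False
```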
Lawyers must revisit these information-security company policies and gather audit and compliance groups to focus greater scrutiny on how databases and repositories are managed. Such scrutiny might have prevented 20 million Americans from having their personal information stolen.
7. New Techniques and Never-Ending Attacks of Spear Phishing, Ransomware, and Zero-Day Malware Will Catch Someone Off-Guard
Cyber thieves are using more sophisticated ways to breach company security, including spear phishing, ransomware, and zero-day malware attacks. Unlike ordinary phishing, which uses an e-mail with malicious code attached, purportedly from an organization with which you were not expecting to communicate, spear phishing is a communication that appears to come from a trusted individual or organization with whom you are likely to engage. This far more targeted and sophisticated approach scams even technically sophisticated people. According to Trend Micro:
Using the intel gathered during reconnaissance, the attackers typically send contextually relevant malware-laden spear-phishing emails to the chosen high-ranking corporate official. This helps ensure they get the credentials with the highest level of access required to infiltrate systems where company crown jewels are stored. Network command and control (C&C) is then established aided by backdoors, remote access Trojans (RATs), or other malware. Attackers then move laterally across the network to seek out top-secret data. The data is then exfiltrated to a site that only the attackers have access to for selling to the highest bidders or delivery to the individual or company that hired them.
Ransomware is even more malicious. It is a special type of malware that secretly installs on a computer and then either holds data hostage, or is a sophisticated leakware that threatens to publish the data. It works by locking the system or even encrypting the files until a ransom is paid.
Finally, unlike in years past, organized entities are now seeking to harvest information or company trade secrets using zero-day malware, so named because it is so new that no commercial anti-virus product can yet detect or remove it.
8. Exploiting the Slow-Reacting Security Team
The hack of OPM, which has been linked to China, is a perfect example of breaching security and trawling for information. In that case, the bad guys made off with the most extensive collection of personal information about U.S. government employees, past and present, ever.
Shockingly, the OPM IT security team had watched and monitored the bad guys moving throughout their IT systems for months before the information was extracted. Had the IT staff reacted in a timely manner, they likely would have been able to protect the trove of information that ultimately was stolen.
Assuming the bad guys will get in from time to time, it is worthwhile walling off data and setting up “honey pots” in your archives. Honey pots are information troves marked “M&A targets,” “product specs,” or other valuable targets to attract the criminals to a specific location. That misinformation sends the bad guys in the wrong direction.
Lawyers can help customize the honey pots to deal with the various possible assaults on select pools of data depending upon the target country of the thieves, given that certain countries are after money and pricing information, while others are after M&A targets and product designs.
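The article uses honey pots for misdirection; the added example below (not from the original article) goes one step further and treats the decoy folders as tripwires as well, since nobody has a legitimate reason to open them. It runs simple detection logic over constructed file-server audit lines: any read of a decoy path raises an alert, and several decoy reads by one account within a few minutes are escalated as likely bulk collection. Log format, user names, addresses and paths are all constructed for the demo.

```python
# Added example (not from the original article): decoy archive folders used
# as tripwires. Nobody has a business reason to open a decoy, so any read is
# suspicious, and many reads from one account in a short time look like bulk
# collection. Log format and paths are constructed for this demo.
import re
from collections import defaultdict
from datetime import datetime, timezone

# Decoy locations seeded with plausible but false "crown jewels".
DECOY_PATHS = ("/archive/MA_targets/", "/archive/product_specs/")
BULK_READS = 3       # decoy reads within BULK_WINDOW that trigger escalation
BULK_WINDOW = 300    # seconds

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) src=(?P<src>\S+)$"
)

# Constructed file-server audit lines.
SAMPLE_LOG = """\
2017-03-01T02:14:05Z user=jsmith action=READ path=/archive/finance/q1.xlsx src=10.0.5.23
2017-03-01T02:14:09Z user=jsmith action=READ path=/archive/MA_targets/pipeline.xlsx src=10.0.5.23
2017-03-01T02:14:11Z user=jsmith action=READ path=/archive/MA_targets/valuation.docx src=10.0.5.23
2017-03-01T02:15:40Z user=jsmith action=READ path=/archive/product_specs/rev7.pdf src=10.0.5.23
2017-03-01T09:02:00Z user=apatel action=READ path=/archive/hr/handbook.pdf src=10.0.7.8
2017-03-01T09:30:12Z user=apatel action=READ path=/archive/product_specs/rev7.pdf src=10.0.7.8
"""


def is_decoy(path: str) -> bool:
    return any(path.startswith(p) for p in DECOY_PATHS)


def detect_decoy_access(log_text: str) -> list:
    """Return one alert per decoy access; escalate to BULK when a user opens
    BULK_READS or more decoy files inside BULK_WINDOW seconds."""
    alerts = []
    recent = defaultdict(list)     # user -> timestamps of recent decoy reads
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_decoy(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        hits = recent[m["user"]]
        hits.append(ts)
        hits[:] = [t for t in hits if ts - t <= BULK_WINDOW]   # drop stale reads
        severity = "BULK" if len(hits) >= BULK_READS else "DECOY"
        alerts.append({"severity": severity, "user": m["user"],
                       "src": m["src"], "path": m["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_decoy_access(SAMPLE_LOG):
        print(alert)
```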
9. Exploiting Your Relationships and Joint Ventures
During negotiations between Westinghouse Electric and a Chinese state-owned nuclear power company, the companies began to cooperate more closely, and the Chinese partner “stole from Westinghouse’s computers, among other things, proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing within the nuclear power plants that Westinghouse was contracted to build, as well as internal Westinghouse communications concerning the company’s strategy for doing business,” according to the Wang Dong Indictment.
For all relationships with partners doing business outside the United States, local lawyers will be essential to guide the transaction. Equally important is limiting access to trade secrets and IP that are not part of the transaction. That may mean limiting access to facilities and systems where such information is housed, and having strict rules ironed out about who gets access to what information. If cloud-based collaboration tools are used to work on the partnership, stricter rules about what can and cannot be stored and shared in such environments are essential.
Make sure that your IP stays in the United States if possible. If you must bring your IP abroad, make sure there are agreements in place for every eventuality, understanding that such measures still may not be enough protection. Perhaps more important is the need to control access to your information and to limit the number of people who have access.
There have been many cases where a “partner” is manufacturing in China and uses the U.S. company’s molds or designs. If there is no agreement governing the molds or designs, and what happens when the relationship ends, then it is quite possible that the Chinese partner will retain the molds or designs and use the same for their own benefit. Even if you have an agreement governing what happens when the relationship is over, they may still steal your molds and designs to work against you.
10. They Are Getting Information from Your Workforce or Your Recruiter
IP is being stolen by competitors or foreign entities hiring operatives who may work at your business for years or even decades. Monitoring and auditing information transmissions and extreme vetting must be utilized to mitigate this risk.
Even more troubling is the recent revelation that the Chinese have set up U.S.-based recruitment and headhunting firms that appear perfectly legitimate but really are placing “operatives” at U.S. businesses that have IP deemed strategically important to China. Further, according to the FBI, those intent on stealing IP post job advertisements online to attract employees.
Conclusion
Economic espionage from abroad is a significant and growing concern. Cyber attacks are becoming more challenging to combat and, in conjunction with traditional physical stealing of trade secrets, pose a large existential threat to American businesses, the economy, and security.
In the United States, officials are pursuing an enhanced and comprehensive strategy to attempt to counter economic espionage and IP theft in general. Many agencies, including law enforcement, are focused on the problem, and it is a top priority for the FBI. In the end, however, self-help is likely U.S. companies’ most prudent avenue. In that regard, lawyers play a unique and important role: negotiator, risk manager, creative drafter, and hopefully not litigator. At about a billion dollars a day of U.S. IP theft, however, U.S. companies have much to lose, and they are continuing to lose.