Categories of Company Information Theft
Understanding Legal Consequences for Stealing Company Information
There are a few different types of company information that can be stolen. Supposing the thief does not have permission to access the information, thieves are essentially obtaining information that the company has a proprietary interest in. For example, information regarding how to build a product can be protected as trade secrets. A trade secret is defined as a formula, practice, process, design, instrument, pattern, or compilation of information, including customer lists, that is not generally known or reasonably ascertainable to others who can obtain economic value from its disclosure or use.
Another type of protected company information is intellectual property. Intellectual property is divided into three categories: trademarks, copyrights and patents. A trademark is a word, symbol or device that is used by a person or company in trade with the ultimate goal of helping people differentiate between various companies .
Copyrights are different from trademarks because they do not have to be registered in order to be protected. Copyrights protect creative works, such as books, movies, music, and art.
Patents are similar to copyright, however they protect new inventions and processes. There are three types of patents: utility patents, design, and plant. The most common are utility patents, which protect the way something is made. Design patents protect the way something looks and plant patents exist for people who make or discover a new type of plant.
Another type of information that can be stolen from a company is customer information. This is information about a company’s customers that is collected for business purposes, such as collecting Social Security numbers, bank account numbers, or credit card numbers from customers. The definition of customer information varies from state to state.
Laws Safeguarding Company Information
The legal framework for protecting company information is primarily shaped through the use of non-disclosure agreements and violations of federal and state theft laws. For example, the federal Economic Espionage Act (EEA) provides severe civil and criminal penalties and defines trade secrets. The EEA applies to any information that a company keeps secret including information that is not in a tangible form (such as a formula or recipe), commercial, financial and business information; designs, prototypes and computer software.
The penalties are severe under the EEA and range from three to fifteen years in jail and fines up to $5 million for individuals and $10 million for organizations. Civil actions under the EEA can be initiated by the Attorney General, and civil and criminal actions are initiated by the United States Attorney General. Furthermore, the federal Defend Trade Secrets Act (DTSA) amends the EEA to provide for federal jurisdiction over misappropriation of trade secrets. The DTSA provides a plaintiff with the right to ex parte seizure of property to prevent the propagation or dissemination of a trade secret. Further, the DTSA creates a new federal civil remedy, but it does not preempt or displace existing legal remedies under state law (means that trade secrets protection can exist at both the state and federal level). Most importantly, even though there is a federal statute for trade secret protection, the EEA states "no person is immune" from any other statutory or common law remedy.
In California, trade secret protection is provided by the California Uniform Trade Secret Act (CUTSA), which is the primary state statutory way to protect trade secrets. CUTSA does not apply to patent-eligible subject matter or customer lists. Defenses available to asserted misappropriation claims include reverse engineering, independent development, and prior knowledge. The limitation period for asserting trade secret misappropriation claims under CUTSA is three years after the misappropriation was either discovered or should have been discovered. Much like the DTSA, CUTSA does not preempt or displace existing legal remedies under federal or state law.
Penalties for Criminal Theft of Company Information
The range of potential penalties for those convicted of stealing company information is substantial, and this is true regardless of whether the employee was initially authorized to access the information. The most common statutory provisions that apply to these types of cases are the National Stolen Property Act and the Economic Espionage Act ("EEA").
As the name suggests, the National Stolen Property Act deals with goods that have been stolen. Individuals found to have stolen company information can be subjected to fines, imprisonment, or both. Pursuant to 18 U.S.C. § 659, an individual found to possess stolen goods worth more than $5,000 may receive up to 10 years in prison, an unlimited fine, or both. This penalty is doubled for bringing stolen goods into the U.S., though the potential prison term is limited to 20 years. Statutory damages also apply to cases where the stolen information can be retrieved from an electronic system, such as by hacking. For example, Edwin Vargas, who formerly worked for an aerospace firm in the Southern District of Florida, was charged recently under the National Stolen Property Act for stealing thousands of files from his employer. The firm has stated that none of the data has been used, but the value of the data Vargas stole has been estimated at $25 million. The Department of Justice reports that Vargas has agreed to plead guilty to the crime.
The EEA deals with statutes beyond the theft of property. Under 18 USC § 1831, individuals will be imprisoned up to 15 years, fined up to $5 million, or given both criminal and civil penalties if they are found to have conspired to steal trade secrets, and additionally if the crime involved an international agent that aimed to benefit a foreign government. This provision is strictly enforced in cases where the economic impact of the crime is greater than $100 million. The provision assumes a special interest in economic crimes that primarily target innovation. Biological, chemical, computer, engineering, manufacturing, medical, and military sectors are all explicitly mentioned within the statute as those that are subject to the highest levels of attack.
Civil Remedies and Lawsuits
When someone steals confidential information from your company, you can pursue them (or their new employer) in a civil lawsuit for damages and other remedies. In addition to or instead of, the employee’s theft, you may be able to go after the new employer as well if the new employer has taken action that makes them liable.
If the employee posted the information on a website accessible to the public, you’ll have to prove that information was published with the requisite malicious intent or knowledge of falsity. If the information was disseminated within the company, however, there is stricter liability. Some states just require a failure to exercise "reasonable care" in handling the information. A court may also strike down information in a new non-disclosure agreement signed by the new employer as unenforceable if it includes information belonging to your company.
What remedies you can obtain depend on what the defendant stole , where it occurred, which claims you file, and what laws apply. In addition to being forced to return property and a permanent injunction to prevent any further use of those materials, other remedies can include:
The amount of compensatory damages available varies. Punitive damages can be particularly high if the theft involved the joint ownership of a business. In a joint business venture, the owner who is not stealing information can often obtain a larger share of the assets than they could via compensatory damages alone.
If the stolen property involved client or customer lists, it’s possible that customers can recover damages as well if they obtained their information from the wrongdoer. In some circumstances, the wrongdoer can get stuck having to pay the client full damages if the client was expecting confidentiality and the client ended up not being kept abreast of developments in the business.
Impact on Employment and Future Careers
Employees found to have stolen company information expose themselves to a loss of employment (up to and including termination) and long-lasting impacts on future careers in the industry. When an employee is disciplined for theft or misuse of confidential and proprietary information, it often leads to immediate termination for cause. However, a dismissed employee may be able to find employment elsewhere. Employment interviews do not routinely include questions about past theft of company information. Future employers may not be aware of why the candidate was dismissed by the former employer or may not prioritize the issue — expressly referencing culture fit, drawing from social capital or prior performance in the interview as determining factors. A terminated employee may also obtain the support of friends, professional networks and industry peers who assist in finding a new position by providing references, making introductions or otherwise facilitating employment opportunities. This often works to the benefit of a terminated employee but it may come at the expense of other employees within the industry. Histories of colleagues providing professional references for, or hiring, an employee who was formerly dismissed for misconduct affects the confidence that employers in the industry place in the references and recommendations they receive.
Job applications traditionally do not require applicants to disclose directly whether they were terminated by their previous employer for theft or misuse of confidential and proprietary information. However, the absence of a solid recommendation from a prior employer can prevent future employment opportunities. In particular, for employees whose work involves the handling of proprietary information, blackballing by industry peers may prevent finding a similar position shortly after dismissal if the employee is known to have misused confidential information.
Company Prevention Techniques
A company can do a lot to protect its information from ending up on the other side of a courtroom, so it is useful to take a proactive approach. As stated at the outset, there are always hurt career prospects when a key employee is terminated, even if there was no intention on the part of the employee to use the company’s proprietary information. Obtaining a court order against the departing employee to prevent them from taking company information and using company property, along with sending them off with a gleam in their eye that says "don’t ever come near my business" is always helpful. Many companies have found success in binding departing employees to a non-compete, non-solicitation provision and/or confidentiality agreement, which is given some legal teeth by a judge under the law. The trouble with those provisions is they are useless if they are not enforced, and they are useless if there is a dismissal out of the blue or the employee was unexpected. Still, dealing with someone who is a flight risk should make you dance with joy at the chance to get that employee to sign the non-compete, non-solicitation, and confidentiality agreement or go through any internal computer files and physical copy, if possible. Hopefully it is not too late.
Remember how many comedians joke about hearing their dad yell out "get off your iPhone." That is because people (not just youth) spend a vastly excessive amount of time on their portable gadgets. Set aside those feelings for now. There are many companies that successfully protect their information with a comprehensive anti-internet/intranet policy requiring employees to use the protection features available to them. A good example of this is automatically shutting down the ability of your employees to print onto devices removed from your premises or to email any information or files outside your premises. It is amazing how the threat of discipline acts to prevent a breach of company information. One of the great things about electronically blocking those lines of transmission is it also saves paper at the same time. Truly a win-win. What is most impressive is the fact that by dealing with the problem in advance , an employer can avoid a lot of the chaos. As well, it can be shown that all possible measures were taken in advance to deal with the matter, and a court may be more understanding of that situation, allowing an employer to fight back if needed.
An obvious solution is to identify points of contact that are most vulnerable due to departure and try to make changes long before the departure occurs. For example, if a particular training program is often run by one employee, consider training others to run the same program. Or change your selection criteria from x,y or z employee to a new version of x,y or z employee. This also identifies great performers and ensures a fair process for promotion and evaluation. Another issue that needs to be dealt with is whether the employer has any basis on which to deny the employee access to confidential or proprietary information. It is important to keep that information in a physical location that is secure or in an electronic location that is similarly secure. This includes having the security protocols in place to prevent your own mistakes, as well as a system that tracks who has access to what and when to limit the number of people with access to only the information required. It is essential to make it as easy as possible for an employee to comply with all requirements associated with keeping information safe and private.
