Trade Secrets

Last Thursday the White House announced that the Obama Administration has transmitted a cybersecurity legislative proposal to the Congress. Citing the approximately 50 cyber-related bills introduced in the last session of Congress, the Fact Sheet for the proposed legislation describes it as “focused on improving cybersecurity for the American people, our Nation’s critical infrastructure, and the Federal Government’s own networks and computers.” The proposal contains the following items:

• National Data Breach Reporting – The legislation would simply and standardize state law requirements regarding notification to customers when a breach has occurred.
• Penalties for Computer Criminals – The legislation would clarify penalties for computer crimes and set mandatory minimums for cyber intrusions into critical infrastructure.
• Voluntary Government Assistance and Information Sharing with Industry, States and Local Government – Clarifies the authority of the Department of Homeland Security (DHS) to assist organizations that suffer a cyber intrusion and provides immunity to businesses, states and local governments that provide cybersecurity information to DHS.
• Critical Infrastructure Cybersecurity Plans – The proposed legislation would require DHS to work with operators of critical infrastructure (i.e. those assets whose disruption “would have a debilitating impact on national security, national economic security, national public health or safety”) to develop frameworks for addressing core cyber-threats.
• Federal Cybersecurity – The legislation contains a number of measures designed to strengthen the cybersecurity of federal government computers, including measures related to the increased use of cloud computing by the federal government.
• Privacy and Civil Liberty – The proposed legislation requires DHS and all other federal agencies to follow privacy and civil liberties procedures in implementing the proposed cybersecurity measures.

Initial reactions to the White House’s proposal appear mixed--see, for example, here and here. Companies should pay close attention to the proposed data breach reporting rules to determine what impact the rules could have on their operations. Operators of critical infrastructure, in particular public utilities, internet service providers and telecommunications providers, should examine the proposed framework for addressing cyber-threats to their assets.

The complete text of the legislative proposal is available here.

Many cyber-security threats involve theft of trade secrets. Trade secrets are traditionally protected under state law, with many states having adopted a version of the Uniform Trade Secrets Act. Many different types of confidential information may be protected as a trade secret, potentially including items such as software and code, business plans, customer lists, and supplier lists. To qualify as a trade secret, the information generally must have been not generally known to the public, must have been subject to reasonable efforts to maintain its confidentiality, and must be of actual or potential economic value. Persons who gain access to or secure trade secrets by improper means - which could include hacking, improper copying of computer files, or walking out the door with hard copy materials - may be liable for trade secret violations. Trade secret statutes typically provide for broad civil remedies, including injunctive relief, compensatory damages (or a reasonable royalty), and a form of punitive damages. Of course, the specifics can vary from state to state, so check with a lawyer licensed in your jurisdiction for more specific information. Particularly in the cyber context, there are federal laws, such as the Computer Fraud and Abuse Act, that may also provide remedies.

This post continues after the jump.