When Rep. Zoe Lofgren, the Silicon Valley Democrat, introduced a pair of bills last month on trade secret misappropriation, we puzzled over her purpose. Was this a response to the White House’s call for improved federal legislation to protect U.S. trade secrets? Did the measures mark the start of a comprehensive federal civil “Trade Secrets Act” that would put trade secrets on par with other federally protected intellectual property such as patents, trademarks, and copyrights?
Trade Secrets Watch decided to investigate and tapped our congressional sources for the back story. Turns out our musings were wrong.
First, a quick backgrounder on federal trade secret protection (and lack thereof): The federal government has declined to go all-in on protecting U.S. trade secrets, leaving this area primarily governed by state law. When it comes to trade secrets, federal law consists of a patchwork of acts that leave yawning gaps in legal protection. For example, the federal Economic Espionage Act, known as the EEA, prohibits trade secret theft but is solely a criminal law — it doesn’t provide for a federal civil cause of action (i.e., a right allowing private parties to sue). And the Computer Fraud and Abuse Act, known as the CFAA, only covers certain types of thefts involving unauthorized access to computers. It provides for criminal prosecution and grants a victimized company the right to sue. But in a case last year (United States v. Nosal), the Ninth Circuit U.S. Court of Appeals interpreted the CFAA narrowly, finding that it was primarily intended to curtail hacking and that it does not bar employees from stealing trade secrets from their employers’ computers in more run-of-the-mill cases of trade secret theft. The court reasoned that the CFAA’s prohibitions against accessing a computer “without authorization” or by “exceeding authorized access” don’t apply to employees who steal from their workplace computer systems, as long as they are using their work login credentials and don’t engage in hacking to gain access. The Nosal decision ignited some controversy because it created a split among federal appeals courts: other courts had held that these CFAA provisions do ban “insider” trade secret theft by employees, even those sitting at company computers with authorization. The Fourth Circuit and a number of district courts have since joined the Ninth Circuit in reading the CFAA more narrowly.
On June 20, 2013, Lofgren introduced two bills: (1) Aaron’s Law Act of 2013, and (2) the Private Right of Action Against Theft of Trade Secrets Act of 2013. The first bill, Aaron’s Law, would amend the CFAA to basically make the Nosal decision the law of the land. It would specify that the CFAA’s prohibition against someone cyber-thieving by accessing a computer without authorization or in excess of authorization should only apply where he circumvents a technological barrier to gain access, i.e. engages in some type of hacking. Lofgren’s concern is that the current CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization—but that this is too vague because Congress has never defined what that means. As a result, some prosecutors have taken the view that a person who merely violates a website’s terms of service or an employment agreement should face jail time. The cases of Lori Drew and Andrew Auernheimer are examples. Any number of activities on the Internet could qualify as breaching a site’s terms of service or an employment agreement, even checking personal email on a work computer. Aaron’s Law seeks to ensure that the CFAA will only be used to prosecute hackers and not people engaging in ordinary Internet activity. The bill is named for Aaron Swartz, an Internet activist who committed suicide as he faced criminal prosecution under the CFAA.
Lofgren’s second bill would create a civil cause of action for trade secret theft under the Economic Espionage Act. But why were these bills introduced on the same day? What is the connection between them? Here’s what Trade Secrets Watch learned from our congressional sources.
It turns out that in her discussions with constituents, Lofgren heard that some stakeholders didn’t want her CFAA amendments to deprive them of the right to sue for trade secret theft that they believe they presently have in courts that don’t follow the Nosal line of cases. In a nutshell, Lofgren would remove the right under the CFAA to prosecute and sue employees who steal trade secrets by accessing work computers without or in excess of their authorization (unless they engage in hacking), but she would “replace” it with a right to sue under the EEA.
In some ways, Lofgren’s bill would provide for a broader civil federal trade secret remedy than under the current regime because the EEA prohibits more types of misappropriation than the CFAA’s bans on hacking and accessing computers without authorization. At the same time, an EEA federal cause of action won’t necessarily satisfy all the trade secret groupies out there who were hoping for a comprehensive federal “Trade Secrets Act” that would provide A to Z protection of U.S. trade secrets. Among other things, the EEA doesn’t pre-empt state law and doesn’t provide the full panoply of remedies that state law does.
It does not appear these bills will drive sweeping federal trade secret reform—but then again, they’re not intended to. While Lofgren says she is open to discussion of why such reform is needed, she seems to have proposed these companion measures primarily to increase the chances that Aaron’s Law will pass. If Aaron’s Law can pass on its own, or dies for whatever reason, there may be less incentive to push for a broad trade secret right of action.