Much has been written about the SEC’s interpretive guidance on cybersecurity disclosures, issued in late February, including Commissioner Stein’s statement that it under-delivers for investors, public companies, and the capital markets. As many observers have noted, the Commission largely repackaged the Division of Corporation Finance’s prior October 2011 guidance. Further, because the SEC issued interpretive guidance rather than engaging in formal rulemaking, its pronouncement does not have the force and effect of law and is not accorded such weight in the adjudicatory process.
Posts by: Editorial Board
October ordinarily brings the return of crisp air, fall foliage, and Halloween. This year, for the first time, it also brings National Cyber Security Awareness Month. Yet designating a month to increase cybersecurity awareness seems redundant. We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace. Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide. These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).
The American health care industry is under attack by sophisticated hackers seeking access to electronic medical records. Since January, three health insurers have announced major data breaches involving millions of records, with the largest one at Anthem Inc., involving nearly 80 million records. There have been dozens of smaller breaches as well. According to statistics kept by the U.S. Department of Health and Human Services, in 2009 the health care sector experienced 18 data breaches involving 500 or more individuals. In the first three months of 2015, more than 50 such breaches were reported.
In a stunning victory for the former Goldman Sachs programmer, New York State Justice Daniel Conviser threw out Sergey Aleynikov’s jury conviction on state law charges that he stole intellectual property from Goldman. Trade Secrets Watch has extensively covered this story, most recently reporting the start of Aleynikov’s new trial, but missing out on a (later-dismissed) juror’s tale of an errant avocado.
Declaring cybercrime a “national emergency,” President Obama today empowered Treasury to freeze assets that are the fruits of cybercrime, according to an Executive Order issued this afternoon. The agency can block money or property in the United States or in the control of any United States person determined to have engaged in “cyber-enabled activities” originating or directed from outside the United States. Targeted activities include harming computer networks in critical infrastructure sectors; significantly disrupting a computer network; or causing significant misappropriation of trade secrets and other protected information. The EO also enables seizure of money or property of any persons involved in misappropriating trade secrets by “cyber-enabled means” that impact the national security, foreign policy, or economic health or financial stability of the United States.
TSW is tracking the EO and will report further developments.
This marks the inaugural “Five Minutes With” feature that Trade Secrets Watch will run occasionally. These will be question-and-answers with notable figures in the trade secrets world.
TSW got a chance to sit down with UC Hastings College of the Law professor and Liberty, Security & Technology Clinic founder Ahmed Ghappour. He had a lot to say about trade secrets, cybersecurity, and encrypting “all the things.”
TSW: Ahmed, TSW is dying to know what you’ve been up to lately in the world of economic espionage. What’s the inside scoop?
One of the biggest challenges the cyber-security field faces today—aside from outright hacking—is the fact that employees’ data is increasingly portable. Data portability can be a major boon for employers. For instance, it may allow an employer to offer its employees the ability to work remotely (something that can improve employees’ work/life balance, or could be a reasonable accommodation for an employee’s disability). However, data portability can also present major risks for an employer, particularly if an employee stands to profit from misuse of that information.
While there have been a number of high-profile data breaches in recent years, there have been few coverage lawsuits arising out of these breaches, presumably because cyber insurers have been paying claims. A recent action, however, suggests how cyber insurers may be trying to fund this coverage position: by suing allegedly responsible third parties. In what appears to be a novel approach for insurers covering data breach claims, Travelers Casualty and Surety Co. of America has sued its insured’s website designer in the wake of a cyber attack. Travelers’ complaint alleges that its insured, Alpine Bank, hired Ignition Studio, Inc. to design and service the bank’s website. Travelers alleges that Ignition negligently designed and maintained the website, allowing hackers to access the site through the server on which it was hosted. Alpine spent over $150,000 complying with its data breach notification obligations, for which it was reimbursed by Travelers. Travelers, as Alpine Bank’s assignee and subrogee, now seeks to recover that amount from Ignition.
Policyholders hope and expect that their insurance companies will work with them to resolve claims promptly and fairly. We are constantly being told that our insurers, like good neighbors, will be there, and that the insurer’s umbrella will protect us. Sometimes, however, the good neighbor will not welcome us, and the umbrella may spring a leak. These situations sometimes lead to litigation, and then the fight becomes where to file suit.
Problems often arise when the claim is large enough, or involves a type of claim, that the insurance company will not want to pay. Even when the insurance company will not pay the claim after a lengthy period of negotiation, many policyholders still prefer not to initiate a lawsuit, especially since they cannot believe that their trusted insurer will not eventually cover the loss. Insurance companies, however, are not always as reluctant to bring suit, especially when it will further their aims. Moreover, when they choose to commence an action, insurance companies typically bring suit in a state that tends to favor insurance companies in litigation, even if that state only has a minimal connection to the dispute.
Orrick’s Chris Ottenweller and Derek Knerr recently took to Law360 to review recent cases involving theories of third-party liability for trade secret misappropriation. New employees are one obvious source of potential liability if they bring to the job information obtained from their prior employer. But in recent years companies have also increasingly faced suits based on relationships with contractors and vendors. Chris and Derek offer some practical considerations to help companies mitigate potential liability in the first place.