Understanding root causes of trade secret breaches

In part 1 of this series, I looked at risks associated with loss of trade secrets; part 2 highlighted trade secret laws, including the recent DTSA Federal law (Defense of Trade Secrets 2016). In this post, I will look at the root causes of several high-profile breaches.

These are different from the usual reported PII breaches in that a higher percentage are caused by someone known to the victim. This could be an “insider,” a business partner, or a contractor. The definition of “insider” must be broadened these days.

Let’s look at five representative cases. Note that I am not an attorney, so don’t take these comments as legal advice! To keep up with current trade secrets cases I highly recommend checking out the blog at Orrick. If you are protecting trade secrets, there is nothing so useful as “evidence based risk analysis.” You can’t mitigate every possible threat, so you need to keep up with attack patterns actually being used.

Epic Systems is one of the largest suppliers of Electronic Health Records (EHR) systems. Tata was providing support to one of Epic’s health system customers. In the course of doing this, a Tata engineer allegedly took software trade secrets and provided them to another division of Tata, building a competing EHR product. A Wisconsin jury awarded Epic $940 million in this matter; the amount has recently been reduced to $420 million. In addition, Tata is appealing the jury decision. This alleged breach resulted from a third party accessing Epic’s systems. My takeaway is: you need to monitor not only your suppliers but also your customers.

Next, let’s take a look at the case of Donald Trump’s playbooks for Trump University (TU). In this class action lawsuit alleging fraud, the playbooks were held to be “trade secrets” by TU; TU then requested that they be sealed. However, this position was challenged in court; ultimately they were unsealed and moved to the public domain. (If you haven’t read the playbooks, you can find them here). The reasons given by the judge for this action were (1) that one of the playbooks had already been published online (removal of secrecy) and (2) that TU had not designated which parts of the playbooks included trade secret information. This case was settled for $25 million, with no admission of guilt by TU. Takeaways from the case include: you must protect information that you claim is a trade secret; even one disclosure can remove trade secret status. Secondly, document classification and protection are also essential. What exactly are you defining to be a trade secret?

The next case relates to physical access, which is actually the first line of cybersecurity defense. In Hemlock Semiconductor v. Summit Process Design, the defendants allegedly entered Hemlock’s polysilicon processing plant and took unauthorized photos of proprietary processing systems. At the time, the plant was being shut down and demolished. Nonetheless, Hemlock regarded the configuration of its systems to be a trade secret. This case settled, so we don’t know the final determination of the court, but red flags brought up include the following. Who is allowed into your secure areas? Do you compartmentalize confidential areas from reception areas? Are security guards trained on how to handle visitors? Often physical security does not report to the CISO. But you should make it a practice to work with building security to better protect trade secrets and other information assets.

The Boeing case, involving theft of F-35 and F-22 fighter jet design information, illustrates cyber-attacks from outside gangs of hackers. In this matter, one hacker, Su Bin, pleaded guilty to conspiring to steal military secrets. But the method used was very unusual. Mr. Bin’s job was to determine which Boeing employees to target and which files to take. He traveled to the U.S. part of the time to facilitate this reconnaissance. The actual information exfiltration was carried out by two accomplices in the People’s Republic of China. They are still at large. We already know that criminals are organized into gangs. The details of this matter illustrate just how these gangs can be organized. If you are doing log analysis, focusing on one IOC may not be enough, and may throw you off the trail. If you want more details, the case was tried in Federal Court, Central District of California. (For help on how to access court records, drop me an email.) More recently, the Anthem breach was also reported to be the work of two simultaneous hackers. You can listen to the details here.

A final case for discussion here is TechForward versus Best Buy. TechForward won a $27 million judgement against Best Buy for theft of trade secrets related to TechForward’s buy back plan. This plan enabled customers to turn in technology for a store credit, and Best Buy wanted to implement it. The trade secrets involved details of how many people exercise such an option, what to charge for it and what refunds to offer. It was the proprietary business data that was secret, not the software or business process itself. This information was shared under a non-disclosure agreement. When Best Buy dropped the contract with TechForward and developed their own system, TechForward sued… and won. TechForward then took a huge financial hit and was acquired. This isn’t a story about traditional hackers, but it is about protecting information and managing risk. We don’t know if the TechForward CISO was involved in these discussions. But a lesson learned is that while legal documents may protect you in court, security controls and processes are essential in keeping you out of court.

Many trade secret cases involve some type of “insider,” including contractors, former employees, business partners and existing employees. In addition, the attack paths may vary wildly from the popular “Cyber Kill Chain.” There are many paths through which information can leak out, and it’s up to us to figure out what they are and provide reasonable guidance to management to prevent those leaks. The details, including how technology is used to facilitate the theft, vary from case to case. In Part IV, I will look at technologies that can help minimize the risk of trade secret theft.