As cybersecurity threats grow, Congress seeks solutions
In today’s increasingly connected world, cybersecurity is a major concern for organizations everywhere. In fact, U.S. intelligence officials now consider cybercrime to be a top threat to America’s national security. To combat this growing threat, Congress is considering legislation to strengthen and standardize cybersecurity laws.
At least three recent developments have contributed to the high cybersecurity threat level. First, social media and e-commerce sites regularly require users to provide identity and financial information, raising concerns of consumer data privacy.
Second, the “Internet of things” movement envisions a world in which Internet-enabled “smart” appliances and devices, such as electronic HVAC, security and access control systems, are remotely accessible. These systems expose status information and control capabilities to remote users and create the opportunity for unauthorized users to take over control.
Third, high-speed network connections and highly compact memory devices enable rapid extraction of massive amounts of data from enterprise databases. A single data breach can lead to the sudden and catastrophic loss of an enterprise’s trade secrets, including customer lists, product specifications, manufacturing specifications and research. Once extracted, the stolen data can be transmitted anywhere in a matter of seconds and received by industry competitors.
“Organizations must take great care to protect their trade secrets in today’s technology-driven environment,” says John B. Conklin, a member in Leydig’s Chicago office. “Many enterprises derive a large part of their value from trade secrets, and they are increasingly vulnerable to attack.”
A uniform cybersecurity standard
While the United States has several federal cybersecurity laws, they generally apply to only a handful of activities and industries. In 1984, Congress enacted the Computer Fraud and Abuse Act (CFAA) to protect government computer systems. Over the years, Congress has expanded the CFAA, and today’s version generally prohibits accessing any “protected” computer without authorization. The CFAA does not require minimum data security standards or notification after a breach, however, limiting its effectiveness. The CFAA generally allows cybercrime victims to sue only direct violators and co-conspirators, rendering it ineffective against other recipients of stolen information. Additional federal security laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Communications Act, focus on protecting confidential information in certain industries.
At least 47 states have enacted data security laws, but the laws lack consistency. For example, the type and severity of breach that triggers a required notification varies by state, and only a handful of states require organizations to adopt procedures to prevent data breaches.
Congress is currently considering legislation to enhance cybersecurity. The Data Security and Breach Notification Act (DSBNA) would establish a national cybersecurity standard that would require companies to implement preventive security measures and create a uniform data breach notification procedure.
“The DSBNA offers hope for consumers seeking better protection and businesses seeking clarity,” says Rajul Patel, an associate in Leydig’s Chicago office. “If enacted, the law will create a uniform federal standard and enable companies to avoid the inefficiencies of the patchwork state law system.”
Enhanced trade secret protection
U.S. Sen. Patrick Leahy recently observed, “Trade secret law is the one form of intellectual property protection that currently lacks a federal civil remedy.” In 1979, the National Conference of Commissioners on Uniform State Laws drafted the Uniform Trade Secrets Act (UTSA) with the hope that states’ adoption would create a unified system. States subsequently enacted various amended versions of the UTSA text, however, creating an inconsistent system and wasteful procedural hurdles.
Substantial bipartisan support in Congress for the proposed Defend Trade Secrets Act (DTSA) legislation provides hope for businesses seeking 21st-century solutions. Similar to the DSBNA, the unified federal legal protections under the DTSA are intended to remedy, if not replace, the current legal jumble of state trade secret protections. Furthermore, a federal scope of protection enforced in federal courts provides procedural efficiencies, such as nationwide service of process and quicker discovery. Under the proposed DTSA, a victimized business may seek an ex parte seizure order to impound stolen data from a thief. The benefits may prove invaluable for businesses, which now must be prepared for a hacker escaping U.S. jurisdiction within a few hours or transmitting a critical trade secret across the globe within a few seconds.
“Congress is addressing current cybersecurity threats,” says Mark Joy, a member in Leydig’s Chicago office. “These measures are not a substitute for individual and corporate vigilance. Enterprises must invest in strong network and device security and adopt legally enforceable policies, ensuring cybersecurity vigilance by users, vendors and other businesses.”
Best practices for protecting trade secrets
Even under the protection of an optimal federal system, a business has limited recourse after a hacker or disgruntled employee misappropriates valuable research and sends it to a competitor outside U.S. jurisdiction. Thus, when it comes to cybersecurity, an ounce of prevention is worth a ton of cure.
“A well-defined and executed electronic data asset protection policy provides a vital level of protection that cannot be achieved by simply relying on cybersecurity and trade secret laws,” says Mark Joy, a member in Leydig’s Chicago office.
To protect electronically stored trade secrets, businesses must adopt and enforce vigorous digital asset protection plans that include (1) a robust IT security infrastructure and (2) comprehensive legal agreements, ensuring compliance with digital asset protection measures. Organizations should consider the following when implementing these policies:
A company should consider the nature of its business and information sensitivity. The resulting security is worth the cost and inconvenience of encrypting files before transmitting valuable or private information. If information can be accessed by public network interfaces, stronger encryption may be warranted.
Network monitoring tools, such as intrusion detection programs, provide yet another way to mitigate the risk of unauthorized data access. In addition, businesses should regularly update anti-virus and third-party software, test for common vulnerabilities, and promptly respond to security warnings.
Organizations can also help protect valuable business information by limiting its accessibility. For example, if a contractor needs access to stored information to complete a project, the business should grant temporary credentials permitting authenticated access to only the needed information, create an audit trail of access to the information, and promptly revoke credentials upon project completion. Businesses can thwart hackers by simply requiring and periodically resetting unique, complex passwords.
This “need-to-know” policy can extend to computers, as well. Depending on the sensitivity of the information, organizations can isolate trade secrets in a separate server, implement firewalls, or simply not make the data available over a network.
For guidance on developing effective infrastructure, organizations can look to the National Institute of Standards and Technology, which recently published a three-part framework enabling “organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management.”
The power of contracts
Businesses should not overlook the tried and tested legal protections of contract law.
“Recent contract cases dealing with modern technology have frequently turned on fundamental principles, demonstrating that contract law may offer more predictable protection than trade secret or cybersecurity law,” says John B. Conklin, a member in Leydig’s Chicago office.
Contract law can be particularly effective in situations where organizations must share confidential information with third parties, such as service providers and research partners. Companies should contractually define each person’s responsibilities and outline security requirements, such as authentication policies, encryption standards, and limitations on copying and dissemination. Contracts should specify how the data is maintained on physical computer systems, whether network access is permitted, security breach response plans, and how the organization will verify compliance with all policies. Depending on the circumstances, it may be prudent to require insurance.
Pre- and post-contract due diligence is also essential. Businesses may need to visit a third party’s facility to verify compliance with security provisions. After the contract is signed, compliance should be continuously monitored.
While compliance by third parties is important, successful execution of a data security plan depends on the business’ employees. Businesses should have new employees sign data confidentiality agreements that detail expectations during and after employment, and should foster a culture that stresses the importance of data privacy.
In addition to establishing robust preventive measures, organizations should prepare data breach response plans in case the worst occurs. Response plans should detail investigation and notification procedures, and companies should hold regular practice drills.
“Because digital assets are highly mobile, businesses cannot wait for a data breach to occur before developing response plans,” says Rajul Patel, an associate in Leydig’s Chicago office.
Watch for future newsletter articles on best practices for protecting personal information and data operations.
Federal Circuit sides with PTAB yet again over claim decision practice
The Patent Trial and Appeal Board (PTAB) does not have to issue a final decision on all of the challenged claims in an inter partes review, according to the U.S. Court of Appeals for the Federal Circuit. This marks yet another decision where the appeals court has sided with the PTAB and its practices.
In a case of first impression, Synopsys Inc. v. Mentor Graphics Corp. asked the Federal Circuit to consider whether the America Invents Act (AIA) requires the PTAB to issue a final decision on every patent claim challenged by the petitioner in an inter partes review. Petitioners cannot appeal the PTAB’s decision on whether to review a claim, raising the stakes on the PTAB’s actions.
“Synopsys raised a question that people anticipated someone would raise eventually: Must the PTAB issue a decision on all of the claims challenged in the petition?” says John M. Augustyn, a member in Leydig’s Chicago office.
Under the AIA, inter partes review takes place in two parts. First, the PTAB reviews the petition and decides whether there is a “reasonable likelihood that the petitioner would prevail with respect to at least one of the claims challenged in the petition.” Second, the PTAB conducts the review and issues a final decision “with respect to any patent claim challenged by the petitioner.”
Synopsys asked the PTAB to review 29 of Mentor Graphics’ patent claims for tracing coding errors in computer chips. The PTAB agreed to review 12 of the claims but denied Synopsys’ petition on the others, stating that the electronics manufacturer had not shown there was a “reasonable likelihood” that the claims were invalid.
Synopsys appealed to the Federal Circuit, which turned to the AIA’s text. Congress refers to plural “claims” raised in the petition but a singular “claim” that the PTAB has to address in its final decision, making it clear that legislators meant two different things, the court found.
While Synopsys argued that the PTAB is picking and choosing which claims to review, Augustyn says the practice is far from arbitrary.
“The PTAB is not declining to review claims just because it does not feel like it,” he says. “There is a ‘reasonable likelihood’ threshold that petitioners have to meet for review.”
In a different case involving the PTAB, the Federal Circuit overruled the PTAB, which rarely occurs. Specifically, in PPC Broadband Inc. v. Corning Optical Communications, the board had ruled that all 78 of the reviewed claims in PPC Broadband’s patents were obvious, but the Federal Circuit vacated the PTAB decision on 49 of the claims, saying that either the board’s claim construction was too broad to be reasonable or that prior art did not support the findings.
Actual notice not mandatory – but still helpful – for collecting pre-grant damages
While patent holders may not have to provide actual notice of a patent application publication to an alleged infringer to collect pre-grant damages if the infringer has actual knowledge of the application, written notices still play an important role in securing these types of damages.
In a case of first impression, the U.S. Court of Appeals for the Federal Circuit ruled in Rosebud LMS Inc. v. Adobe Systems Inc. that the “actual notice” standard for pre-grant damages does not require action from the patentee. If the patentee can prove that the infringer knew of the application publication, it can collect pre-grant damages. Despite that interpretation, the Federal Circuit still ruled in favor of Adobe, finding that Rosebud failed to prove that Adobe had actual knowledge of the patent application publication in question.
“If you think you might pursue pre-grant damages, you are a lot better off providing written notice to the alleged infringer to avoid having to prove the infringer’s actual knowledge,” says Elias P. Soupos, a member in Leydig’s Chicago office.
Under the Patent Act, patent holders can collect damages on infringement that takes place between the patent’s publication and grant dates if the published and granted claims are substantially identical and the accused infringer has “actual notice of the published patent application.”
Rosebud sued Adobe for infringement after previously asserting two other patents belonging to the same patent family as the asserted patent. Adobe argued that Rosebud was not entitled to pre-grant damages because it had not informed Adobe of the patent publication. Rosebud countered that Adobe likely knew about the publication of the application because of the companies’ litigation history. The Federal Circuit considered the dictionary definition for “actual notice” and compared its meaning with other statutes to conclude that actual notice, in the context of this statute, is “synonymous with knowledge.”
When sending written notices, Soupos cautions, patent holders should always consider all ramifications carefully.
- The Supreme Court has agreed to review Cuozzo Speed Technologies LLC v. Lee, where it will consider the correct claim construction standard for inter partes reviews and if petitioners should be able to appeal Patent Trial and Appeal Board decisions on whether to institute inter partes reviews. The high court has also granted review in Kirtsaeng v. John Wiley & Sons Inc., which addresses the appropriate standard for awarding attorney fees in copyright cases.
The World Trademark Review 1000 listed Leydig as one of the top trademark law firms in Illinois and recognized Mark J. Liss, Tamara A. Miller, Claudia W. Stangle, Kevin C. Parks and Lynn A. Sullivan as top trademark attorneys.
Leydig welcomes to its Chicago office:
- Associate Nicole E. Kopinski graduated from the University of Florida with a bachelor’s degree in microbiology and cell science. She received her J.D. from Boston College Law School.