The Rogue Insider: Protecting Against Trade Secret Theft
September 16, 2016
One of the greatest, growing threats to financial services companies and investors is the rogue insider. In an era of rapidly advancing information and trading technology — including the development and refinement of computer code for algorithmic and other automated, high-speed trading — rogue insiders today can do far more damage far more quickly, and critical asset loss can occur in seconds. While misappropriation of these tangible and intangible assets can be, and sometimes is, prosecuted as a crime, it is much more commonly addressed through civil claims and remedies, including injunctions and money damages.
These thefts have given rise to numerous highly publicized cases, and many more that have not received any public airing. These include the case involving former Goldman Sachs computer programmer Sergei Aleynikov, who, in 2009, allegedly absconded with algorithmic trading code that he had contributed to creating while at Goldman. He was subsequently prosecuted by both federal and state authorities, and his story became a focus of Michael Lewis’ best-selling book, “Flash Boys: A Wall Street Revolt.” In another, less publicized case, Shashinshekar Doni, a Credit Suisse Securities software developer, took computer code he had worked on relating to CSS’ dark pool trading facility to his new employer, Barclays, and attempted to use it to develop Barclays’ dark pool trading system. Once this was discovered by CSS and Barclays, he was terminated and subjected to a Financial Industry Regulatory Authority disciplinary action, which resulted in significant fines and other discipline. More recently, a former controller of a JPMorgan-traded hedge fund, Contrarian Capital, left Contrarian, retained access to Contrarian accounts, and fraudulently induced JPMorgan to release more than $5 million into those accounts.
In short, gone are the days of physical security being adequate to protect the organization. The threat of critical asset theft or misuse through cloud-based and other technologies is now ever present. In this environment, and with the current, ever-increasing stricture of financial services regulation, companies must take steps to mitigate and respond to critical asset theft by insiders.
This article will briefly discuss: (1) the types of critical assets in the financial services industry that are commonly targeted for misappropriation and require protection; (2) who typically commits these acts; (3) employment and operational safeguards that may be used to mitigate the risk of asset loss; and (4) steps to take in the event of a breach of duty or security involving these assets.
Assets Often Misappropriated
Financial services companies typically possess a wealth of assets that are targeted by disloyal employees for misappropriation. Virtually all of this information today is computer-stored. This information includes:
- Proprietary trading systems, investment systems and business plans;
- Investment research, techniques, testing procedures and results;
- Proprietary computer code, software and programs (not open-source or commercially available), including algorithms;
- Portfolio composition;
- Investor, customer and counterparty information, including investor preferences;
- Customer and trader lists;
- Nonpublic investment research; and
- Company financial information.
It is important to note that, while some of this information may qualify as a “trade secret” — legally defined as “a formula, pattern, compilation, program, device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy” — some may not, yet may still be valuable and protectable company assets. As noted below, companies are free to designate information, within fairly broad parameters, as confidential, proprietary, and/or subject to restricted use and other protections by contract, and it is advisable to do so.
As might be expected, financial services employees who engage in theft or misappropriation of intangible assets tend to be those with the motive, opportunity and ability to profit from the use of the assets. Often, these are some of the highest level employees who routinely are provided access to the company’s most sensitive data. Ironically, these employees are often not subjected to the most common safeguards from asset theft, including employment agreements, exit interviews, and restricted access to proprietary software and other critical electronically stored information.
Therefore, a common scenario is the senior, often C-level officer, director or member who becomes disgruntled with his company, is presented with an opportunity to join a competing company and leverages his access to valuable proprietary and sometimes trade secret information that would be of great interest and economic benefit to his new or prospective employer. Because he is a trusted and highly regarded member of his company, there is often insufficient focus on his ability to simply walk out the door with critical company assets, such as client lists, client trading preferences, portfolio composition, investment strategies and the like.
Of course, other employees with critical asset access also engage in this misconduct. For example, when computer code is involved, misappropriators are often those directly involved in the creation of or modifications to the code. In many cases, particularly where the company primarily provides a technology-based solution to its clients (such as algorithmic trading), proprietary computer code often qualifies as a trade secret, and is considered the “secret sauce” that provides the company with a competitive advantage. As was alleged in the Aleynikov case, ill-intentioned coding experts not only are aware of their access to the most sensitive company asset and recognize its value to competitors, but they also commonly (though incorrectly) believe that they retain a personal proprietary right in code that they create for their employers.
While high-level employees and those with access to computer code are often implicated in asset theft, employees at any level presented with motive and opportunity (i.e., access to the information) are a threat to the company. For this reason, the safeguards discussed below should be implemented across the spectrum of company employees.
Every company should secure its members’ and employees’ contractual agreement to, among other things, preserve the confidentiality of company information and not disseminate or misuse it in any way. These contractual agreements can take many forms but most often are employment agreements, separation agreements, operating agreements, and, in some cases, signed policy acknowledgements. Contractual agreements allow a company to define the scope of an employee’s obligations, including the type of information it considers confidential and proprietary (which often includes far more than what would be considered a legal trade secret), who owns the company information, who may use it and how, the employee’s duty of loyalty, the company’s proprietary rights to code and all other assets developed by the employee (under the so-called “work for hire” doctrine), and duties not to compete or solicit employees or company clients.
In addition to identifying all of these company rights, it is important that these documents specifically and inclusively define company “confidential information.” This definition should include, for example, all company intellectual property, trade secrets, client lists, computer code, internal financial data, and inventions and enhancements created by company employees.
Employment agreements should include clauses that address confidentiality or nondisclosure of company information; the company’s proprietary right to all of its “property” (including information, hardware and software); the employee’s agreement to devote her full time and attention to company work; a “work for hire” provision; noncompete and nonsolicitation clauses; the employee’s agreement to return, unaltered and unmodified, all company property on departure; an assertion of the company’s right to injunctive relief for a breach of the agreement; and a choice of applicable state law and venue for legal action.
Separation agreements or signed exit interview acknowledgements should be obtained from all departing employees. These agreements serve to reinforce obligations contained in the employment and/or operating agreement, and the company’s policies and procedures. In the case of separation agreements, they afford the company additional contractual rights. These documents should contain “representations and warranties” by the departing employee that any benefits to the employee provided in connection with her separation, as well as any agreement by the company to refrain from any legal action against the employee, are contingent upon the employee’s compliance (both pre- and post-employment) with her contractual obligation and other legal duties to the company. The separation agreement or exit interview acknowledgment should expressly include the employee’s representation that she has not retained, or previously improperly disseminated, the originals or copies of any company information, software or hardware.
Written Policies and Procedures
Companies should reinforce their employment agreements, and strengthen their ability to enforce them, through written policies and procedures, which can, among other things, (1) define the company computer system; (2) establish ownership of all hardware, software, and data created by or transferred to the company system; (3) advise that all communication on or through company hardware belongs to the company; and (4) advise that all communications can and will be monitored, and the employee has no reasonable expectation of privacy in communications made through the company system. These policies should be read and acknowledged in writing by all employees.
Because most critical company assets are now stored electronically, it is important for a company to strictly control and closely monitor the flow of digital information outside its “four walls.” Because email allows for the easiest transmission of information, it deserves particular attention. Modern email systems and software, like Smarsh, which “journal,” or retain, all emails, were created to address financial services companies’ regulatory obligations to maintain certain electronic communications. As such, these systems allow for the auditing of email usage by employees. Monitoring can disclose unusual activity, such as the mass emailing of sensitive company data to suspicious locations, like the employee’s personal email account or cloud-based storage locations. Companies should therefore limit and monitor employees’ use of personal (cloud-based) email accounts, such as those offered by Google and Yahoo, which would not be captured by the journaling system.
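As an added illustration (not part of the original article, and not based on any journaling vendor's API), the following sketch shows the kind of audit described above: it totals each employee's daily outbound mail to personal webmail domains from exported journal metadata and flags unusual volume. The CSV columns, the `fund.example` corporate domain and the thresholds are assumptions chosen for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of journal metadata (not real data): one row per outbound message.
JOURNAL_CSV = """timestamp,sender,recipient,attachments,bytes
2016-09-12T09:14:00,adoe@fund.example,client@counterparty.example,1,48211
2016-09-12T18:02:00,jroe@fund.example,j.roe.home@gmail.com,4,7340032
2016-09-12T18:05:00,jroe@fund.example,j.roe.home@gmail.com,6,9437184
2016-09-12T18:09:00,jroe@fund.example,j.roe.home@gmail.com,5,8388608
2016-09-13T08:30:00,adoe@fund.example,adoe77@yahoo.com,0,1200
2016-09-13T11:45:00,bkim@fund.example,ops@fund.example,2,5242880
"""

# Assumed policy values; tune them to the firm's own baseline.
CORP_DOMAIN = "fund.example"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}
MAX_MESSAGES_PER_DAY = 2
MAX_BYTES_PER_DAY = 10 * 1024 * 1024


def parse_journal(text):
    """Yield (day, sender, recipient_domain, attachments, size) for each row."""
    for row in csv.DictReader(io.StringIO(text)):
        day = datetime.fromisoformat(row["timestamp"]).date()
        domain = row["recipient"].rsplit("@", 1)[-1].lower()
        yield day, row["sender"].lower(), domain, int(row["attachments"]), int(row["bytes"])


def flag_senders(text):
    """Return alerts for senders whose daily personal-webmail volume exceeds policy."""
    totals = defaultdict(lambda: {"messages": 0, "attachments": 0, "bytes": 0})
    for day, sender, domain, attachments, size in parse_journal(text):
        # Only corporate senders writing to personal webmail are of interest here.
        if not sender.endswith("@" + CORP_DOMAIN) or domain not in PERSONAL_DOMAINS:
            continue
        bucket = totals[(sender, day.isoformat())]
        bucket["messages"] += 1
        bucket["attachments"] += attachments
        bucket["bytes"] += size
    alerts = []
    for (sender, day), t in sorted(totals.items()):
        reasons = []
        if t["messages"] > MAX_MESSAGES_PER_DAY:
            reasons.append("message_count")
        if t["bytes"] > MAX_BYTES_PER_DAY:
            reasons.append("byte_volume")
        if reasons:
            alerts.append({"sender": sender, "day": day, "reasons": reasons, **t})
    return alerts


if __name__ == "__main__":
    for alert in flag_senders(JOURNAL_CSV):
        print(alert)
```

A single short message to a personal account stays below both thresholds, so the output is limited to the burst of large, attachment-heavy messages that warrants follow-up.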
Data Access Restrictions
Restricting employee access to electronically stored information on a “need to know” basis is an operational safeguard against asset theft that serves multiple purposes. It can be done mechanically and reinforced by written and acknowledged policies. Login and security credentials can be created that segregate by partitions or separate servers certain highly sensitive information (for example, computer code, client lists and preferences, and other trade secrets) and allow access only to those who must see the data to perform their job functions. Software can also be used to log access to certain data, such as code versioning systems that track check-in/checkout of computer code and code revisions. Other mechanical access limitations include limiting or prohibiting the use of cloud-based (Google drive, Dropbox), USB, and portable hard drive storage of company data.
In addition to mechanically limiting employee access to sensitive data, which itself will prevent misuse, data access restrictions are also helpful in establishing the assets as trade secrets because they demonstrate the required reasonable effort to maintain secrecy. Similarly, such restrictions are helpful if a company decides to pursue legal action, as several federal and state statutes that provide claims and remedies for theft of trade secrets — including the federal Computer Fraud and Abuse Act — require as a threshold matter that the alleged misappropriator has exceeded her “authorized access” to the information stolen or disseminated. Generally, companies should resist providing unfettered — or at least unmonitored — access to all company information, even by high-level employees.
Exit Interviews and Asset Collection
As noted above, all departing employees should be interviewed upon their departures, if possible. Obviously, terminations and other disassociations on bad terms should raise the level of scrutiny before employees formally sever ties. The exit interview is an opportunity to reinforce the employee’s contractual and fiduciary obligations; to collect company hardware, software and other property; and to get assurances that no company property remains in the employee’s possession or control. The departing employee should be asked about offsite working practices, including the use of home devices to work on or store company information, and all company-owned hardware should be accounted for and collected. It is important to clearly advise the employee to return company computers as is, without the alteration or deletion of any data that exists on them. Allowing the employee to selectively delete or alter information on a company device often allows evidence of disloyalty or misappropriation to be discarded, and leaves the employee with the sole discretion to determine what is or is not company property. Any personal data stored on company hardware should, by policy, be accessible to the company. If the employee used personal devices (smartphone, tablet, laptop) or cloud-based accounts to work on or store company information, the company should request access to those devices or locations for purposes of collecting and/or purging, at its discretion, company data. Again, the agreements and policies signed by the employee should have warned him of the restrictions or prohibitions on the use of these locations to store company data, so that the company’s possible exposure to personal information in the collection process is a situation created by the employee’s noncompliance. 
Where a company permits work-related activity on personal devices, its so-called “bring your own device” policy can include the employee’s agreement to the company’s access to these personal devices for collection purposes on departure. In certain circumstances, the departing employee’s company hard drives should be imaged to preserve in place all data as it existed on the collection date. Finally, password access to all company computer systems and storage locations should be terminated and the departing employee advised of this in writing.
Steps in the Event of a Breach
Given the ease and speed with which electronically stored assets can be stolen, even the most diligent company can find itself facing critical asset misappropriation. The law provides a number of remedies for this misconduct, but certain preliminary steps can ensure their availability and effectiveness.
These preliminary steps begin with heightened awareness. All companies should be alert to the possibility of critical asset theft or misappropriation at any time. The operational safeguards discussed in this article should be instituted, updated and monitored regularly. Any computer activity showing an unusual pattern or even instance of dissemination of sensitive information should be flagged and addressed with those involved. Compliance personnel and employees generally should be alert to an employee’s interest in or pursuit of competitive business opportunities and attempts to access information not relating to their day-to-day responsibilities. Unauthorized use of portable media storage devices, like USB drives and cloud sites, should raise a red flag. Awareness of the signs of competitive or disloyal activity, if acted upon, can sometimes derail the employee’s plans to steal or misuse information.
Should monitoring or other sources disclose a breach that has already occurred, time is of the essence. Counsel experienced in matters of this type should be contacted to assist with and direct the ensuing steps. If still employed, the employee should be immediately interviewed and his computer hardware imaged and examined. If the employee has left the company, the company should confirm that her computers and other devices have been secured, the exit interview documentation is in order, and all password access to company computer systems has been terminated. Co-employees should be interviewed to gather additional information about the former employee’s access to and use of sensitive information, as well as any competitive activity she may have discussed prior to leaving. It may be appropriate to engage a computer forensic expert to examine the former employee’s computers and corporate email archives for evidence of misappropriation. Forensic experts are trained in data analysis, preservation and presentation, and can assist not only in locating and securing evidence through proper chain of custody procedures, but in determining if evidence spoliation (i.e., alteration or destruction) has occurred. Also, if necessary, the forensic expert can later present his findings regarding data recovery and spoliation in a legal proceeding as an independent expert.
Immediately following confirmation of possible misappropriation, the former employee or her representative should be sent a letter from the company’s counsel summarizing the suspected misconduct and ongoing investigation, advising of the potential for litigation, and directing that all data that relates in any way to the company, her work at the company, or the company’s property be preserved as is. This “litigation hold” letter should note that there can be severe consequences for the loss or manipulation of any evidence relevant to the potential claims. When the former employee is already affiliated with another company, that company should also be advised in writing of its employee’s suspected misconduct and her prior and ongoing contractual obligations, and it should be directed to preserve all relevant evidence. If the former employee is still in possession of company computers or other data sources, she should be advised to immediately return those to the company.
Various forms of legal action may be available at this stage. Counsel is in the best position to advise of the appropriate forum, which may be arbitration or a court case, and other legal strategies. Often in these cases, it is appropriate to seek a preliminary injunction, from a court or sometimes an arbitrator. The injunction order effectively maintains the status quo to prevent further harm to the company by continued misuse of the company’s trade secret or confidential information and competitive acts by the former employee and her current employer. The injunction is supported by a formal complaint, which can assert claims such as trade secret misappropriation, breach of contract, breach of fiduciary duty, breach of the duty of loyalty, and conspiracy, and seek various forms of relief, including a permanent injunction, return of past compensation, lost profits and other money damages. As noted, claims may also be brought under various federal statutes, including the Uniform Trade Secrets Act, the Computer Fraud and Abuse Act, and the recently enacted federal Defend Trade Secrets Act, as well as their state equivalents.
Advances in information storage and transmission technology have made financial services companies increasingly susceptible to the misappropriation or theft of critical proprietary assets. With the click of a mouse, rogue employees from the C-suite to the mailroom can download and disseminate hundreds of thousands of documents, lines of computer code, and other data containing a company’s most prized trade secrets. Companies in this industry would be well-served to institute operational safeguards outlined in this article and be aware of the steps to take and available remedies should a breach be discovered.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
Reprinted with permission from Law360 (September 16, 2016)