Trade Secret Theft

When employees leave a company, it is common for departing staff to take electronic files belonging to their former employer. Matthew Prewitt, a trade secret litigator, shares his experiences pursuing and defending against such litigation. This interview discusses the role of computer forensics and the importance it plays in getting to the truth.

Leading computer forensics expert Lee Neubecker discusses trade secret misappropriation by a departing employee and how that can lead to a competitor gaining an unfair competitive edge. The Chair of Schiff Hardin’s trade secret practice, Matthew Prewitt, emphasizes the importance of working with a computer forensics expert to preserve digital evidence and perform effective discovery that can later be used if litigation is necessary. Enigma Forensics staff are experts at investigating a departed employee using computer forensics.

The transcript of the video follows:

Lee Neubecker: Hi, I’m here today with Matt Prewitt. Matt is the chair of Schiff Hardin’s trade secret practice, and is an experienced litigator that focuses on the area of trade secret theft. Matt, thanks for being on the show.

Matthew Prewitt: Thanks for having me, Lee.

Lee Neubecker: We’ve had cases we worked on before involving departed employees. Could you tell everyone a little bit about your experience in this area, dealing with trade secret theft?

Matthew Prewitt: Sure, I mean as a trial lawyer, I’ve litigated both sides, sometimes, defending the departing employee, and/or that employee’s new employer, other times representing as the plaintiff, the company that the employee left.

Lee Neubecker: So, can you tell people generally what happens when you’re on the side of that had the employee that left? What happens at ground zero?

Matthew Prewitt: Well, ideally, the company would already have in place a structure of trade secret protection, and contractual, policy, and technology protections against unfair competition by the departing employee. So, that framework consists of, typically, a confidentiality agreement with the employee, perhaps a set of restrictive covenants, like a non-compete agreement, and then, hopefully, handbook policies that govern the conduct of the employee. Those will be coupled with restrictions, of course, that integrate with the company’s relationships, with its vendors and customers. Basically what the company ideally should be doing, is sitting down with outside counsel, in-house counsel, IT, and thinking about all the places where the company has sensitive, competitive information, trade secrets, or other confidential information, that are at risk when an employee turns out to be disloyal.

Lee Neubecker: So, when a client calls you, and they suspect that someone took stuff, what do you advise them to do, initially?

Matthew Prewitt: Well, I mean the first is to assess the situation and, that consists of identifying, with these days, almost everything is electronic of course, so, the first part of the assessment is to identify the types of electronic information that the departing employee would have access to. Either legitimately, during the course of that employee’s work, or, by exceeding the policy limits or protections that the company had in place. You’re doing, you’re identifying those areas for two reasons, one, preservation of evidence is very very important. And there’s no way to know what you need to preserve if you don’t know what the employee had access to, or potentially could’ve stolen. And then the other reason is to assess the competitive risk, and to begin to develop a plan for the investigation, and perhaps litigation response if it turns out to be warranted.

Lee Neubecker: And, so, typically, I know part of that initial response, when I’ve worked with you in the past, you want a forensic image made of the employee’s computer, before anyone mucks it up.

Matthew Prewitt: That is a, certainly an important starting point. With the changes in technology, for better or for worse, the places where the relevant data reside and the places that need to be preserved are, are multiplying instead of getting narrower, so, the hard drive of the laptop remains a very important source, because, forensically, it is often times the area that is most susceptible to forensic analysis and investigation. But there certainly are other places, as well. Cloud storage, the company’s computer network, personal email account of the employee, personal phone, company-issued phone, it goes on.

Lee Neubecker: I know when I first started in this area many years ago, the misappropriation was on a CD-ROM, and now, you’ve got smart phones, you’ve got USB drives, but the cloud is a whole other area of concern, because, companies can connect to Dropbox, various other places, AWS, and move data to the cloud, so that, that becomes another point of concern in a need to be able to collect and preserve data from sources other than the computer.

Matthew Prewitt: You’re absolutely right, Lee.

Lee Neubecker: So can you tell us any war stories about what, what’s happened in the past when you’ve used forensics to pursue a case, and what kind of result you’ve been able to get for your clients?

Matthew Prewitt: Sure. I mean the forensic examination is really a critical part of a trade secrets case, especially if you’re on the plaintiff side, because, in, when you’re in court, trying to enforce restrictions against a departing employee, the, for better or for worse, the court is typically going to start that process with having, with some sympathy to the departing employee. I mean we are in America, and people are supposed to be rewarded for their ingenuity and hard work, and, employee mobility from one company to another is a basic value of our society. So, showing the court that the employee cannot be trusted to do the right thing, to be an honest and ethical employee at the new employer, at the new, at the competitor that she or he’s goin’ to, is really really important for building an effective non-compete case, or trade secrets theft case as a plaintiff.

Lee Neubecker: So for instance, if your client had a policy of no USB drives, and didn’t use USB drives, but yet, your forensic expert reported that a USB device was plugged into the computer the day before they filed their resignation, and that various files appear to have been copied to that drive, that would be something that would be compelling in support of an injunction, correct?

Matthew Prewitt: It’s certainly a brick in the building that you’re trying, or the story that you’re trying to build from court, absolutely.

Lee Neubecker: So there’s other pieces too, have you had situations where you’ve petitioned the court to allow discovery of that departed employee’s home computer, or the new workplace computer?

Matthew Prewitt: Yes, part of the forensic exercise is demonstrating the need for that discovery. And so, what you’ll want to start with as part of your initial investigation, is to have your forensic expert look for evidence that will show that the employee has used her home computer, has used external devices, has copied to the cloud, and once you can show the migration of data, under suspicious circumstances, off the realm of the company-owned hardware or accounts, then that’s the central starting point for demonstrating the court that you need a more invasive approach into the personal devices and accounts of the departing employee.

Lee Neubecker: Great so, let’s say that the plaintiff attorney has established convincingly with their forensic expert that data was misappropriated, and that the data clearly is confidential, and trade secret-type information. If you’re advising the new company that hired the sales person, and you saw the report and you believed the report to be credible, how might you try to help that new employer end the litigation and get things to a peaceful place?

Matthew Prewitt: Hopefully that they, the new employer has already laid the foundation for that scenario by instructing the employee before arriving, that they should not copy or take things with them, from their previous employment, should not load things onto the company network that are… belong to the previous employer, et cetera. And, to have done that in writing. If that’s happened, that puts the new employer in a potentially awkward spot, because you have an employee who not only has, has taken his former, his or her former employer’s stuff, but then has also disregarded the instructions of the new employer as well. That’s the situation where the new employer may be seriously considering terminating its relationship with the new employee.

Lee Neubecker: I’ve seen that happen, I’ve also seen situations where, the employee who departs agrees to have forensic inspections on his computer, and, signs an agreement that pretty much guarantees that if he’s caught doing something with this, that he’s going to have, face massive legal costs, and admit to wrongdoing.

Matthew Prewitt: That’s where that trust factor or credibility factor, that comes, that’s one example of where it becomes really critical. Not only is the court typically going to be inclined to the defendant departing employee’s situation, and want that employee to be able have gainful employment, many courts are also going to want to give that employee a second chance. And the second chance here is the chance to turn over the, turn over the information, and provide exactly the kind of affidavit or certification you’re referring to.

Lee Neubecker: Great well, I appreciate you being on the show and talking about this topic. It’s one that impacts most businesses, so, thanks again for being on the show.

Keys to Investigating Departed Employees using Computer Forensics

  • Forensically preserve the departed employee’s computer storage media before any examination of the contents occurs
  • Look for recently accessed files as reported by shortcuts and other system activity logs
  • Analyze recently deleted files to look for evidence of trade secret theft
  • Investigate recent connections of external storage to the computer
  • Build a timeline of events that led up to the departure to assist in an efficient investigation
  • Hire an experienced computer forensics expert – that’s us
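
The checklist's steps of tying external-storage connections to file activity and placing both on a timeline can be sketched as follows. This is an added example, not Enigma Forensics' tooling: the record layout, device serial, file names, dates and the seven-day window are constructed assumptions standing in for rows an examiner would export from a preserved forensic image.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not from any real case), one per exported artifact
# entry: source|UTC timestamp|action|detail
SAMPLE_EXPORT = r"""
usb|2024-03-13T21:02:10Z|connect|SERIAL-PLACEHOLDER-01
shortcut|2024-03-13T21:04:45Z|open|E:\customer_list.xlsx
shortcut|2024-03-13T21:06:02Z|open|E:\pricing_model.xlsx
usb|2024-03-13T21:15:30Z|disconnect|SERIAL-PLACEHOLDER-01
recycle|2024-03-14T08:01:00Z|delete|C:\Users\user\Desktop\to_copy.zip
shortcut|2024-02-01T10:00:00Z|open|C:\Reports\q4_review.docx
shortcut|2024-03-14T09:00:00Z|open|C:\Users\user\Documents\resignation.docx
"""

# Assumed resignation time for the constructed scenario.
RESIGNATION = datetime(2024, 3, 14, 17, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str   # artifact family the row came from (usb, shortcut, recycle)
    action: str
    detail: str


def parse_events(text):
    """Parse the export into Event objects, normalised to UTC and time-ordered."""
    events = []
    for line in text.strip().splitlines():
        source, stamp, action, detail = line.split("|", 3)
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        events.append(Event(when.astimezone(timezone.utc), source, action, detail))
    return sorted(events, key=lambda e: e.when)


def usb_sessions(events):
    """Pair connect/disconnect rows per device; an unmatched connect stays open."""
    open_at, sessions = {}, []
    for e in events:
        if e.source != "usb":
            continue
        if e.action == "connect":
            open_at[e.detail] = e.when
        elif e.action == "disconnect" and e.detail in open_at:
            sessions.append((e.detail, open_at.pop(e.detail), e.when))
    sessions.extend((dev, start, None) for dev, start in open_at.items())
    return sessions


def build_timeline(events, resignation, window_days=7):
    """Return (event, flags) rows; flags mark what deserves an examiner's attention."""
    sessions = usb_sessions(events)
    window_start = resignation - timedelta(days=window_days)
    rows = []
    for e in events:
        flags = []
        if window_start <= e.when <= resignation:
            flags.append("PRE-DEPARTURE")
        if e.source != "usb":
            # File activity while a removable device was attached.
            for dev, start, end in sessions:
                if start <= e.when and (end is None or e.when <= end):
                    flags.append(f"USB-SESSION:{dev}")
        rows.append((e, flags))
    return rows


def render(rows):
    """Format the timeline as one line per event for a report appendix."""
    return "\n".join(
        f"{e.when:%Y-%m-%d %H:%M:%S}Z  {e.source:<8} {e.action:<10} "
        f"{e.detail}  {' '.join(flags)}".rstrip()
        for e, flags in rows
    )


if __name__ == "__main__":
    print(render(build_timeline(parse_events(SAMPLE_EXPORT), RESIGNATION)))
```

The flags only direct attention; they do not establish that a file was copied, which still has to be confirmed against the preserved media.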

When to Select A Computer Forensic Expert

Selecting A Forensic Expert

Data Diva Debbie Reynolds and Enigma Forensics’ CEO Lee Neubecker discuss what to look for in selecting a computer forensics expert to assist with preservation, litigation and eDiscovery.

The transcript of the video follows

Lee Neubecker: Debbie, thanks for being on the show again today. I’m here with Debbie Reynolds, she is Eimer Stahl’s data protection officer and she also is the director of their eDiscovery subsidiary. Thank you for coming in and being on the show.

Debbie Reynolds: Thank you, it’s always a pleasure, Lee.

Lee Neubecker: So, today we’re going to talk a little bit about the differences between eDiscovery and computer forensics and when it’s necessary to bring in an expert to actually be the testifying expert or to handle more sensitive issues, and what you look for when you’re pulling in a computer forensic expert to assist one of your projects?

Debbie Reynolds: Well, it’s never not a good idea to bring in a forensic person, so I try to get someone who’s a professional in forensics on every case that we have, so, just depends. Some big corporations, they actually have people, ’cause they do so much litigation, they have people who are captive to their organization that do it. More times than not, they either farm out that work, to a company like Lee’s company, or they come to me, they ask me for recommendations. Just depends on where they are, what their ability, who’s available. For me, it’s really important that I work with people that I trust, smart people like Lee, who knows what they’re doing. Me, I tell people, I don’t chase company names, I chase the talent, so, I’ve had situations where I’ve had an investigator or forensic person go from one company to the next, and as a stipulation of us working with them, that case went with them ’cause they had the knowledge, so for me, the thing that I look for is a company, again, people that I know and trust, people that I know are smart that know what they’re doing, people who can really present themselves, ’cause a lot of times you’re going into a situation, you’ve not met these people, you’re going in there, touching their data, people are very sensitive about it, IT people can be very territorial, so having someone who can really put people at ease and be very professional in a situation where it’s semi-hostile, where you know that the IT guy takes pride in what he’s doing, thinks he’s the expert, so you have to kind of disarm that person.

Lee Neubecker: How often are IT people hostile?

Debbie Reynolds: Oh, 1000% of the time. They’re always hostile in some way, some are more passive aggressive than others, but you know, this is their baby, you have to work with them to get access to the data, and a lot of times they feel like, well why can I do this?

Lee Neubecker: And part of the problem, when I’ve worked with the IT people, usually they’re defensive because they’re having extra work to do.

Debbie Reynolds: Oh, absolutely.

Lee Neubecker: And they’re involved in litigation, so what I try to do is I try to sit down with them and say, “hey look, this is my role, I need to understand enough of your stuff so that you don’t have to talk to the attorneys, and then I can buffer you from that so that you can do your daily work,” and when they hear that, it helps them to understand, okay, you’re here to save me from a deposition.

Debbie Reynolds: Oh, absolutely.

Lee Neubecker: Then they’re more relieved, more willing to work with you.

Debbie Reynolds: Absolutely. I think the challenge is to get, when you start a litigation, companies, in order to try to save money, that’s where they want to save money. They don’t want to spend money on a forensic person, but if I compare cases against one another, two cases are very similar, one they had a forensic person, one who doesn’t, the one that has a forensic person, down the line, their case is more smooth, ’cause we don’t have a lot of questions about who did what, what is where, we don’t have a question about who needs to sign affidavits, who needs to go to court, all that stuff, so all that headache down the line is eliminated when we bring in someone. And I’ve had people on our cases tell me, who’ve decided that they didn’t want to bring in someone, they said no, but bad decision, we should have really brought in someone.

Lee Neubecker: In my opinion, I think it’s important to know who the person to be responsible for that data, if they’d never testified in court before, that’s a potential problem, and a lot of times people don’t ask those questions. Other things like, do they have some type of certification that shows that they mastered the field of computer forensics? And did they have to take an exam that was proctored by some independent party to assess that so that you know that your person truly has the knowledge, they didn’t just attend a class and got a certificate, because that’s a little bit of a difference, and there are many people, though, that I’ve encountered, that haven’t had the formal certifications, and they’re very bright, but when you’re putting the people up, they’ve got to survive a challenge against their admissibilities expert, if they don’t have cases of record, if none of the judges know who the person is, those things are definitely problems.

Oftentimes, I’ve seen new experts get up and make basic beginner mistakes where they let the attorney override what their report is, they let the attorney write the affidavit for them, and then it gets stretched too far, and then there might have been many good things that they had to say, but all of it goes out the window because they didn’t know how to manage the hard, nose-driven litigator that wants that report to be aggressive, so you have to listen and understand those driven litigators, but you also have to protect them from killing the case, and they assume that whatever expert you put there has those skills and a lot of them don’t know when they’re getting into trouble, and they need to be able to stand up for themselves, and do it professionally, and objectively.

Debbie Reynolds: Absolutely, absolutely. A lot of times, they don’t know what they don’t know. We had a person that actually went out and got a cell phone for a case, and we were like, we don’t want anyone to touch it, we want the forensic people to look at it, or whatever, he thought, oh well you know, I’m smart, I know how to do this stuff. Not that he wasn’t smart, but this was not his area of expertise, and he turned this phone on, and basically, the person who had the data on the phone, had sent a command to the phone to be erased, so when they turned it on, it wiped out all the stuff.

Lee Neubecker: So they didn’t put it in a Faraday bag?

Debbie Reynolds: No, they didn’t put it in a Faraday bag, they didn’t put it in airplane mode, they went to Walgreens, got cords, stuck the cord in the thing and turned it on, and that was it.

Lee Neubecker: So then that becomes some spoliation claim against–

Debbie Reynolds: It was spoliation, yeah. Everyone thinks, oh I have a cell phone, so I can do this, and it’s like no. I think people need to understand that what you guys do is very different than what we do in eDiscovery and what a normal person who’s doing IT can do, ’cause you have a different aim in my mind, and you understand spoliation of evidence, and how to get data in the right formats, where another person would not know that ’cause that’s not their background, that’s not their training and that’s not the purpose of what they’re handling data for.

Lee Neubecker: Well I really thank you for being on the show, again, to talk about this, it’s great. I look forward to seeing you again soon.

Debbie Reynolds: Fantastic, thank you!

Lee Neubecker: Thank you.

Computer “bots” Used by Insurance Companies

Are Computer “Bots” Making Your Healthcare Decisions?

Enigma Forensics CEO Lee Neubecker and David Bryant from Bryant Legal Group discuss computer “bots” used by insurance companies to underwrite policies and make insurance claims decisions. Bots are now determining how a given claim should be scored. See how eDiscovery plays a role in getting success for your client.

The transcript of the video follows

Lee Neubecker: I’m here today with David Bryant from the Bryant Legal Group and we’re going to talk a little bit about health insurance claims in his work, helping people get the coverage they deserve.

David Bryant: Nice to be here, Lee, thanks for taking the time to stop by. We’re seeing a very significant shift in the insurance industry with respect to claims adjudication and claims determinations. One way of looking at how this change is happening is to look at the dollar volume that’s being invested into underwriting insurance policies and making claims decisions. The first metric I’d like to share with you is there is a company out of Europe that did some research on money flowing into what’s now called Insurance Tech, and approximately two billion dollars went into the Insurance Tech arena in 2016. This money is being deployed into not only underwriting, but how claims are made and I think everyone out there is familiar with Watson and the new term artificial intelligence. And how that’s playing out in the insurance industry is that a lot of claims decision-making is being taken out of the hands of individuals and being given to what we’ll call “bots”, robots, or termed a “bot” in tech speak. So these algorithms which will be designed by very bright people, such as yourself, to determine what a given claim should be scored. And if there’s a certain score, then a claims individual will be required to deny that claim. This is problematic for some of the insurance companies because if it’s discovered, through the discovery process, it can wind up hurting them in litigation for bad faith denial of a claim.

Lee Neubecker: So, David, can you tell me a little bit about what you do at the onset of one of your case matters to help make sure that you could argue your case in court?

David Bryant: So there’s really two phases to insurance claims. There’s the appeal process and then there is court. If your claim is denied I can always sue an insurance company in court. Typically that’s in Federal Court. I primarily practice in Federal Court but I do State Court as well. So once I wind up in a court setting I will send a litigation hold letter to the general counsel of the insurance company and that letter secures that all of the data in its electronic format is preserved. So if I want the emails on a particular claim individual’s hard drive, that information should be present when I request that information by way of that litigation hold letter. When I do discovery in Federal Court we’re looking for electronically stored information. I’m not looking for paper any longer because we’re looking to get the metadata that’s embedded in that electronic information so we can find out who looked at it, when it was looked at, when it was altered. So, Enigma Forensics having the skill set to be able to determine who touches electronic files, who views electronic files, we will bring in your firm in those circumstances when we want that type of information in litigation.

Lee Neubecker: So can you give me an example of when you’ve had to rely upon our computer forensic services for us to help you out with a matter and how that played a role in getting success for your client?

David Bryant: So we handle primarily health insurance and disability insurance claims on behalf of individuals and physician groups. So one of the matters that you handled for us dealt with a disability insurance claim and we were looking for certain key words and key word phrases that were on the server or hard drives of the particular individuals at the insurance company. Being able to cull through all this data is a Herculean task and would be extremely expensive for the defendants. So the defendants will typically go to the Court and say, “Judge, this is going to cost us way too much money and interrupt our normal course of business. We don’t want, Mr. Bryant, to have access to this information or put us through the trouble and cost of doing it.” I brought in your firm and your services and you were able to explain to the judge that you could do a search of all of the information held by the insurance company and find these key words and submit them to the Court in-camera, so there was no privacy concerns, and report to the judge what your findings were. The case soon settled thereafter.

Lee Neubecker: They usually do. Well thank you for being on the show today. If you need to reach David, his info is on the screen. Thank you.

Artificial Technology

Artificial Technology and Medical Data

Enigma Forensics’ Lee Neubecker talks with Eric Fish, Senior VP of Legal Services at the Federation of State Medical Boards, about the positive impact of artificial technology and machine learning on medical standards and regulations. Find out how this technology will improve the patient experience in the future.

The transcript of the video follows

Lee Neubecker: Hello, I’m here today with Eric Fish, Senior Vice President of legal services. He’s with the Federation of State Medical Boards and he’s going to be talking to us a little bit today about his organization and how they’re using technology to change how things work.

Eric Fish: Thank you, well the Federation State Medical Boards is the organization that represents the 70 state medical and osteopathic boards who are charged by state law to regulate the practice of medicine within the various states, in that we help build standards for regulation, best practices. We also work with states on our data and other things that are exchanged that really help improve the regulation of medicine for the patient, the end user of medicine.

Lee Neubecker: Eric can you tell us a little bit about how artificial intelligence and machine learning are impacting your organization and membership?

Eric Fish: Well, Lee, we’re actually at a, what I believe to be, a crossroads of cultural, social, and technological change that are really going to change the way that we have to look at regulation for the public benefit. There’s going to be a lot more data on patient/provider interactions. There is also going to be much more data consumed by state regulators to see which of these interactions comply with the standards. One of the things that I see developing out of this A.I. and machine learning is that we’re going to be creating much more data that can be mined as a regulator to see what interactions are good and which interactions are bad.

Lee Neubecker: Eric can you tell us a little bit about how A.I. and machine learning are being implemented to improve transparency?

Eric Fish: Well, one of the things that’s going to occur, I believe, is that as patients and providers start turning to algorithms to help with that continuation of care. Really the people who implement these systems have to prove up to the regulators how these comply, how these algorithms, how other things are going to comply with the standards that are there. Artificial intelligence has been in medicine for a long time. Machine learning is a little bit new, where we’re taking some of the discussions and building a knowledge base that’s then going to be applied to the patient experience and regulation isn’t standing in the way of these things. The regulations are there so that they are done the right way and in comply with the standards and being transparent on that beginning end is a really great step toward complying with regulations and making the regulatory process better.

Lee Neubecker: Great, and so, you told me that your organization runs some services that consumers might want to be aware of. What are those and what are they used for?

Eric Fish: Well, one of the things that we do on behalf of our members is collate all the disciplinary and regulatory actions that are taken against a provider, and we have a service called Doc Info, where a member of the public can go look to see if an action has ever been taken against their physician. We have access to all 900,000 plus licensees and their information, and it’s really a great service and use of data that we’ve collated and given out to the public.

Lee Neubecker: Great. Well thanks for coming on today. I know you’ve brought your colleague, Mike Dugan. Who’s going to talk for a little bit. Thanks again for coming to the show.

Eric Fish: Thanks, thank you.

Lee Neubecker: I have Eric’s colleague, Mike Dugan, he’s the CIO of the organization, and Mike can you tell me a little bit more about some of the things that you’re doing to improve the quality of the data and integrity of the information?

Mike Dugan: Sure, surely, thank you. We, in many ways, we are a data aggregator and this involves a credentialing process for physicians so we pull data from national data sources, we pull data from institutions to verify physicians’ identity as well as their credentials, so the training and process that they have done. Historically, these have been very manual processes, but we’ve implemented technology to add additional data sources and also give us flexibility in how we consume data. Historically, it’s been a very structured we need a file in this format and our technology is still evolving, but we’re working it to give us the flexibility to work with any data source available.

Lee Neubecker: What are the concerns that your members have regarding data breaches and the potential complications resulting from them?

Mike Dugan: Well, I think they worry about that quite a bit and if anyone in technology who deals with identity and has information, if you’re not worried about data breaches then you’re missing the point and perhaps should be in another line of work. So, we are given the trust of the physicians and our member boards that when they give us their data that it will be protected and that it will be safeguarded, and we work very hard to do that, proactively. So I think that in this environment and this day and age, that is an activity and a task that we will do, it will never go away. It will be ongoing and we will have to adapt if there is new ways that are found to hack information, we always will have to improve our data security.

Lee Neubecker: Well thanks a bunch for being on the show. I appreciate you taking time.

Mike Dugan: Okay, thank you, thanks for having us.

Defend Trade Secrets Act of 2016

Learn more about the Defend Trade Secret Act

Enigma Forensics CEO & President Lee Neubecker discusses the Defend Trade Secrets Act with Trademark Attorney Brian Michalek.

The transcript of the Defend Trade Secrets Act 2016 video follows:

Lee Neubecker: I’m here today with Brian Michalek. He’s a trademark and IP attorney. Brian tell us what you’ve come on the show to talk about today?

Brian Michalek: Yeah, well first of all thanks for having me Lee. I appreciate you coming down here and spending some time with me today. You know what I wanted to talk about today is kind of some new applications of the Defend Trade Secrets Act. Which is, it’s about two years old now but it’s basically a federal cause of action concerning trade secret law.

Lee Neubecker: And what this means basically is if you’re an employer and you have someone who stole trade secrets, it offers you an opportunity to file in federal court as opposed to the state courts statutes.

Brian Michalek: Yeah, I think that’s right. And kind of taking like a step back, you know prior to 2016, what we had when we were talking about trade secret law were really a bunch of different states that had their own specific type of trade secret statutes. Some of these statutes were in fact pretty similar and shared a lot of consistencies but there were others that kind of had their own nuances and what that meant was that trade secret jurisprudence wasn’t completely harmonized. And it made it a lot more difficult to account for situations where we often encounter in the digital age where misappropriation of trade secrets happens across state lines or if we have a scenario where an individual who misappropriates a trade secret, resides in one state and the server in which they access to take the trade secret is in another state. We found that there was a lot of clunkiness with trying to figure out which state law would apply and how we could best go forward to making sure that the owner of the trade secret could get restitution appropriately. So, really what we have now in 2016 is a federal cause of action as you stated correctly that allows us to go straight into the federal courts and manage trade secret litigation from that vantage point. And I think it’s important to say also, that what we’re having is not a federal law that preempts state law but it supplements it. So, both can be acted upon.

Lee Neubecker: So, here in Illinois we have the Computer Fraud and Abuse Act that is often one venue. Why would someone who’s contemplating filing litigation against an employee who stole trade secrets here in Illinois. Under what circumstances would they want to try to pursue the Defend Trade Secret Act, a federal option as opposed to the Computer Fraud and Abuse Act.

Brian Michalek: Yeah, well it’s really going to depend on the particular fact scenario. That’s an issue here. The Computer Fraud and Abuse Act, you know, that generally is tailored to somebody who goes into a computer without authority to do so or oversteps their bounds and oversteps their access. So, it’s a little bit of a different cause of action but then again, there are situations where you have a fact pattern where an employee could run afoul of both statutes. Both the Computer Fraud and Abuse Act as well as the new federal Defend Trade Secrets Act.

Lee Neubecker: So, what are some of the advantages for someone who perceives a claim using the Defend Trade Secrets Act?

Brian Michalek: Yeah, I think there are several advantages. I kind of hit on some of them earlier when we’re talking about the kind of this discord among different state laws and how they’re actually applied to certain fact patterns. But one advantage is that you get access to the federal court system. Previously when you have a state law you can do some things to get the claim into federal courts but it takes a little bit more, little more effort and you often times need to show that there’s diversity or you need to tack on a federal cause of action like the Computer Fraud and Abuse Act in order to do so. Right now with this cause of action, we’re actually allowed to file in federal court right from the get-go. And you know, there’s a certain bit of strategy and advantage for employers to do that from an efficiency standpoint, from a practicality standpoint which allows to redress this misappropriation as soon as possible because you know, we’re dealing with a situation many times that when you have a trade secret that’s misappropriated, you need to act very quickly. Otherwise it can be disseminated and ultimately lost if things aren’t done to stop that.

Lee Neubecker: I understand the Act requires you to present your case of sorts as to why there’s an urgency to seize this information, when you’re trying to get the evidence. What would you try to do before you file your case to bolster your chances of getting a judge to grant you relief in terms of obtaining your trade secrets and getting that information back?

Brian Michalek: Yeah, that’s a good question. I think what you’re getting at is the Defend Trade Secrets Act has a very special and new kind of prong to it. It’s a mechanism for a civil seizure and what that basically says it gives the court the power to and it’s ex parte I should say. So, it allows you if you feel that your trade secret is misappropriated to go to the court ex parte and explain to the court why you need redress and you need to, you know get your trade secret back or have it deleted off someone’s computer who misappropriated it or whatever recourse is appropriate. Now, this is new to the 2016 statute but there are some very specific hurdles that you need to get over. The statute itself says that this is really only for extraordinary circumstances and you have to show that other equitable means would not serve your interest like a preliminary injunction or a temporary restraining order. So, it is kind of a special remedy that’s offered and I think you know, we’ve had the statute for about two years now and there’s only been a handful of cases. There’s one in particular where the judge in fact did grant a civil seizure order and one of the reasons was because they found that failure to do so would cause the trade secret to be disseminated and ultimately lost. And really the next step there is to get the Federal Marshal Service involved and they will go in and actually reclaim that trade secret or delete it or make sure that appropriate recourse is made.

Lee Neubecker: Now, when you’re filing, would you encourage your clients to have an independent forensic analysis done with affidavit to support their claims? Do you think that would help the likelihood of actually getting that relief?

Brian Michalek: It’s again, it’s going to depend on the situation but I think kind of what you’re getting at is when you’re dealing with something that is taken from a computer. You know, we’ve dealt with situations where and I think these are becoming more and more common in the digital age, where an employee will do something with his computer before he quits and goes to a competitor, he will transfer a file or copy a file or do something he’s not supposed to and the employer finds out and if they believe that there is some type of misappropriation or the employee took something that he worked here or she was not supposed to you know, they may have cause of action under this federal action. And to your point, a lot of times doing a dealing with computers you do have to get a forensic expert involved so that you can actually know what was happening because people sometimes think that they can delete something or they can transfer it or hide it and you know, I’ve dealt with this enough times and I know you too, you have to Lee is that, you know, it’s very, very difficult to actually cover up your tracks unless you really know what you’re doing and that’s really where a forensic expert can help. Is when somebody tries to cover up their missteps, their tracks and if you get the right expert involved early, then you can at least have that evidence to really show the fact that or what was going on and why you are entitled to remedy under this federal act.

Lee Neubecker: And so Brian can you tell everyone some of the benefits, financially filing under this act?

Brian Michalek: Well, I think what you’re referring to is this act has one other wrinkle. It’s known as the whistle blower provision and basically it allows employees to blow the whistle and disclose what could be a trade secret in very limited fashion, if they believe that there is some wrongdoing. On the flip side of things, employers if they want to take full advantage of this act and maybe receive attorney’s fees should they win or exemplary damages in certain situations. They’re now tasked with including this whistle blower provision in employee agreements. Meaning they have to make note of it and specifically instruct the employee that this is an option and the mechanisms for which apply.

Lee Neubecker: So, to fully benefit from those, people should revisit their paperwork, their confidentiality agreements and whatnot with their vendors and employees. Is that something that you could assist people with?

Brian Michalek: Yeah, absolutely. That’s something that we’re happy to talk with you about and if need be, we’re going to help and assist.

Lee Neubecker: Great, well thanks for being on the show.

Brian Michalek: All right thanks so much.

Lee Neubecker: Take care.

Data Breach Response

A forensic expert will help you avoid a data breach and save you money.

A planned data breach response is imperative and will save millions of dollars in litigation and forensic fees. Enigma Forensics CEO & President, Lee Neubecker engaged in a video discussion with Privacy Expert, Jackie Cooney from Paul Hastings Law. These experts provide solutions for many clients who seek to operationalize privacy and cyber security. A planned data breach response can save companies millions of dollars.

The transcript of the video follows

Lee Neubecker: So, I’m here with Jackie Cooney from Paul Hastings, and she’s their privacy expert here. Can you tell me a little bit about your practice and how you help your clients?

Jackie Cooney: Sure, so I am the senior director of the Privacy and Cyber Security Solutions Group, here at the law firm. We’re kind of a unique part of the law firm, in that we’re very much integrated into the legal practice, but what my group does is really provide solutions for clients to operationalize privacy and cyber security requirements.

Lee Neubecker: So what happens when a company suspects they have an issue? What do you typically advise your clients to do if they’re concerned about a potential breach?

Jackie Cooney: A potential breach, so that’s a good question, and I get these calls actually pretty frequently, maybe even on a weekly basis. Hey, we think something has happened to our data, what do we do? And there’s a few threshold questions that I ask. Number one, do you have cyber insurance, and have you called your cyber insurance company? Because often cyber insurance companies will cover you, but only if you use their counsel and you use their forensic experts. So, it’s important for you to understand what your coverage is there. Now, if you don’t have those kind of limitations, or you don’t have cyber insurance, and hopefully most of your clients do have some coverage, or if Paul Hastings is on the approved list of those cyber insurance vendors, then we go onto step two. So, that first question, 30 seconds, one minute, do you have cyber insurance, have you called them yet? And what I typically like to do is say, okay, give me the two-minute version of what happened, and then I can pretty quickly decide, okay, this is a purely cyber incident or this is a cyber incident that has some privacy implications. And then there are questions that go from there. And, of course, if there’s something that has privacy implications, that there’s a lot of regulations that you have to worry about that require notification, too.

Lee Neubecker: So, can you tell me a little bit more about some of the new regulations that face companies that operate in the U.S., related to data breach requirements

Jackie Cooney: Sure.

Lee Neubecker: and responsibilities?

Jackie Cooney: So, in the United States, if you’re talking about a U.S. company that operates only in the United States, and those are becoming fewer and fewer. Most companies are international, or becoming international, or have an international market. But if you’re talking about an incident that happens in the United States, U.S. only, it’s important to remember a couple of things. Depending on the type of information, there might be federal laws that are implicated. So, if it’s financial information, there’s requirements for reporting under Gramm-Leach-Bliley. And if it’s medical information, specifically, protected health information, if you’re an insurance carrier or health care provider, there might be reporting under HIPAA. And even if you don’t fall under any of those federal statutes, there are 50 states that all have different breach notification requirements. And, for instance, there are 14 that have medical information as the threshold for having to notify people for breaches. So, it’s important to understand, in the United States, because we’re sectoral, and because our laws are federated among the states, that there are a lot of different places where you might have to notify. If it’s international, of course, the thing on everybody’s mind right now, is GDPR, the General Data Protection Regulation, which has breach notification requirements in there and they’re pretty onerous. Here’s the thing, companies have a responsibility, not only to provide you with things like a privacy policy that tells you what they do with your information, but they also have a responsibility to not do things with your data that you wouldn’t expect, even notwithstanding the privacy policy. They shouldn’t be doing things that violate your trust.

Lee Neubecker: Well, you explained that very well. I thank you for being on the show today and this was really informative.

Jackie Cooney: You’re welcome.

Lee Neubecker: Thanks.

Internal Trade Secret Management Defend Trade Secret Act of 2016

Enigma Forensics CEO & President, Lee Neubecker welcomes Attorney Mark Halligan as they discuss internal trade secret management.

Lee Neubecker and Mark Halligan

The transcript of the video follows

Lee Neubecker: Hello, I’m here today with author and attorney Mark Halligan from Fisher Broyles, and he’s going to talk a little bit about his books today. Mark, how are you doing?

Mark Halligan: Very good.

Lee Neubecker: Thanks for being on the show.

Mark Halligan: Thank you, thanks for inviting me.

Lee Neubecker: So you were approached about writing a book a while back on the Defend Trade Secrets Act. Can you tell everyone a little bit about what your book covers and why it’s relevant?

Mark Halligan: Well, the Defend Trade Secrets Act of 2016 is a watershed event in intellectual property law and it’s the culmination of, you know, years of work on my part to emphasize the need for a federal civil cause of action. In most cases, the victims are corporations and they should have access to the federal courts.

Lee Neubecker: Okay. In what cases would the Defend Trade Secret Act apply?

Mark Halligan: Well, in any case involving the alleged misappropriation or the actual misappropriation or threatened misappropriation of trade secrets, you now have access to bring a private civil cause of action. That is subject matter jurisdiction in the federal courts nationwide.

Lee Neubecker: So now, you’ve written a second book more recently, The Trade Secret Asset Management 2018 book. Can you tell people a little bit about what that’s about?

Mark Halligan: Well, that’s the next phase in trade secrets law. That is the internal active management by companies of their trade secret assets, which involves identification, classification, protection, and valuation. And in order to be able to use the Defend Trade Secrets Act and be able to allow this intellectual property right to thrive and grow, now with federal protection in the courts, you have to have internal systems in place for these trade secret assets.

Lee Neubecker: So do clients sometimes contact you before employees leave and take things to proactively try to make sure their stuff’s in order?

Mark Halligan: Well, unfortunately, companies wait until the horse is out of the barn and then they scramble to retain outside counsel and then I scramble around trying to determine what the trade secrets are and what the evidence of misappropriation is. And we’ve seen this play out in major cases now, most recently in the Waymo case out in California, where everybody is running around trying to determine what’s at issue in the case. So it’s better to do that ahead of time with internal management.

Lee Neubecker: So clients that are proactive and they get an assessment of what their assets are beforehand, do they tend to spend less money when they become embroiled with litigation if they’ve done that?

Mark Halligan: Yes, yes, absolutely. If you have internal active trade secret management, you are able to identify within a matter of seconds literally the trade secrets that are in issue and the evidence that the employee had access to those trade secrets, or the former employee.

Lee Neubecker: Now, you have some proprietary program you developed that deals with that, correct?

Mark Halligan: I do. The name of the program is The Trade Secret Examiner and it was introduced, commercially deployed version, I believe version four or version five, last August. And it is a revolutionary new platform to assist companies in the identification, classification, protection, and valuation of trade secret assets.

Lee Neubecker: So if someone is watching this video at night and they’re an executive of a company and they lost their head of sales and marketing, what steps should they take immediately to help protect their company and their client base?

Mark Halligan: Well, if they have been engaged in internal trade secret asset management, then I would expect they have a trade secret incident response plan that can be activated immediately and a SWAT team, which is essentially outside counsel ready to go to the courthouse, you know. And if they do not have those procedures and mechanisms in place, then they call me and I head out to the company with a yellow pad and a pen, and start to interview witnesses to see if I can determine what the trade secrets are and what the evidence of misappropriation is.

Lee Neubecker: So once you have reason to believe that some of your clients’ data was inappropriately taken and misappropriated, what do you do first to get ready for court after you’ve taken those notes? What do you prepare, have the data prepared for your TRO?

Mark Halligan: Well, again, from a forensics standpoint, the first thing you need to do is cordon off the area where the defendant worked or had computers and you get EnCase images of the computer to preserve the evidence. You certainly don’t want to have the IT department flailing around inside the computer because you know, that will change the evidence.

Lee Neubecker: You know, it was interesting, Mark. One of my colleagues Alex Gesson had done some research and what he realized is that companies that use tools such as FTK Imager, when you capture the forensic image of a hard drive device, it records a serial number for that device that is not detected when you do forensic analysis to see if devices were plugged in. In actuality, there’s two serial numbers on a hard drive and only one of the two serial numbers is the one reported and they’re not always consistently detected. So we agree with you on that, using EnCase to make the forensic image. EnCase actually, at the time of imaging, EnCase will capture the serial number that can be detected in the registry. So what we’ve discovered is that people who haven’t used EnCase, they later on do this analysis to see, was the thumb drive plugged into the computer, and they can actually have a false negative because they didn’t appropriately image the media at issue.

Mark Halligan: Well, that’s fascinating and that shows you how critical it is to do the forensics correctly at the very beginning of the case. It could be case-determinative.

Lee Neubecker: So you’ve done the forensics and you’re going into court. What are you hoping to prove when you’ve done the computer forensics? What type of things are you hoping to be able to express in the form of an affidavit or support for your motion?

Mark Halligan: Well, a trade secret misappropriation case involves the actual or threatened misappropriation of trade secrets. So what you’re trying to do is protect these fragile assets. I mean, a trade secret, once lost, is lost forever. So you are attempting to stop the bleeding, plug the dyke, get an order that there is to be a preservation of evidence. Also, stop the continuing misappropriation activity or if it has not occurred yet, through injunctive relief, set up a wall to prevent the misappropriation of trade secrets, and to the extent possible, prevent its dissemination to other computers in the United States or to other parts of the world.

Lee Neubecker: Well, Mark, can you tell me any war stories about your use of computer forensics and what happened going into court?

Mark Halligan: Well, I think what I have seen in some occasions and I represented a major company in a case involving very serious acts of trade secret misappropriation and alleged foreign economic espionage. You know, the federal courts want to protect the privacy rights of individuals with electronically stored information, so there’s always this tension between, you know, the plaintiff seeking to prove up its trade secret case or misappropriation of trade secrets with the defendant’s interest in protecting the privacy of files and things that are on the computer. So oftentimes, the court requires search terms and you start off the case by looking at whether or not these search terms pop up on the computers. In a case that I was involved with, when those search terms were plugged in, we found that a file destruction software program had been run.

Lee Neubecker: Oh, that never happens.

Mark Halligan: And that the clock had been changed. And with that kind of evidence before the judge, we were then given access to the entire computer. No more search terms. And when we got access to the entire computer, we found out other third parties that were involved and of course, the case expanded to involve other defendants, other entities. But it all happened with the finding on the initial search terms of indicia of a file destruction software being run.

Lee Neubecker: Well, thanks a bunch for being on the show today, Mark. This was great stuff.

Mark Halligan: Thank you.

Lee Neubecker: People need to reach you, they can see the link to your website.

Mark Halligan: Thank you.

Lee Neubecker: Thanks a bunch.

Mark Halligan: Thank you very much, take care.

NIST 800-53: Security & Privacy Controls

NIST: National Institute of Standards and Technology

Video Discussion on: National Institute of Standards and Technology

Enigma Forensics CEO & President, Lee Neubecker and Cyber Security Expert Gary Rimar sit down to discuss NIST 800-53, a security control catalog. NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST is a non-regulatory agency of the U.S. Commerce Department and was established to encourage and assist innovation and science through the promotion and maintenance of a set of industry standards. Lee and Gary dissect how this agency works to keep your company’s technology systems safe.

Find out the top 3 parts of this framework.

The transcript of the NIST 800-53 Framework video follows:

Lee Neubecker: Hello, I’m here today with Gary Rimar. He’s here to talk a little bit about one of the NIST frameworks that can be very helpful in helping you to keep your organization safe. Gary, Gary’s a CISSP, it’s great to have you on the show. Can you tell me a little bit about the framework you’re going to talk to us about today?

Gary Rimar: Well the framework I’m going to talk to you about today is NIST 800-53 and it is a security control catalog. So if there is a security control for whatever you’re going to need in an organization it’s going to be in there. In something, it’s where your government actually did earn their keep because this is your tax dollars hard at work and it’s available publicly. Most people, and this is one of the things that always bothers me Lee, is that most people go for these real exotic threats and they’re real, they’re real, but there’s so many people out there that don’t even do the basics and the reason they don’t do the basics is because the company doesn’t want to invest in security, they tell them that their IT guy, “Oh, you can do security, it’s okay, you don’t have to worry about it, you’ll get it good, I’ll accept the risk of you doing security,” when the IT guy barely knows how to do computers. And so what ends up happening is they don’t know anything about security which is very deep and important and technical. And so when it comes to things like how do you do access control? What can you do to do access control? Today at work one of the people, and I work with a security guy, we have something where for whatever reason they can’t do two-factor authentication. Two-factor authentication is definitely a better way to go, but they can’t. So they said, “What mitigating factors are there that you can use to help us be able to do a one-factor authentication and be less in danger?” And so I looked through the catalog IA5 and there’s a bunch of different things you can do just to make it simple and safer. You know they’ve done all the imagination for us.

Lee Neubecker: What would you say are the more important, if you had to pick the top three parts of this? What would you advise companies to focus on first if they’re starting down the road of trying to implement this framework?

Gary Rimar: Well first is planning, because, and that’s the PL family, if you don’t do planning nothing works right because you have to have a basis for security. If the CEO and senior management aren’t on board then when security says, “You need to do X” and operations says, “We don’t feel like doing that.” If the CEO doesn’t say, “No, I need to be secure, you need to do X,” then you’re hosed. So that would be the planning family. Second would probably be access control, which is actually 20% of all of it. You know, you’ve got several hundred controls and access control’s 20% of them.

Lee Neubecker: Do you feel sometimes that companies don’t really care about security and just want to ignore it and pretend it’s going to take care of itself.

Gary Rimar: Well I don’t know that that’s necess… that could be. I think it could be willful ignorance, what I don’t know won’t hurt me, but it’s not true. For example, the Sony hack. The Sony hack they said “You know, I’m not going to spend $10 million fixing a $1 million problem,” and that in itself makes sense. ’Cause you don’t want to step on a dollar to pick up a dime. However, it was a lot more than a million dollar threat that they were compromised on and had they done it correctly and had they taken security seriously things would have been a lot better for them.

Lee Neubecker: So Gary are there any portions that deal with some of the current vulnerabilities involving hardware and firmware that this could apply to?

Gary Rimar: You know, yeah. ’Cause hardware and firmware are definitely part of the information system. It would be in the SI family for sure. If I had to guess off the top of my head without looking I think it would probably be SI7, because that, if it’s the control I think it is, it deals with hardware, it deals with software, it deals with firmware because if your firmware’s corrupted you’re done, you’re owned. If your hardware’s corrupted you’re done, you’re owned. In fact supply-chain management is even a factor in NIST 800-53. I don’t have it remembered exactly which control that one is. But it’s important, you have to have all of your system protected from the beginning to the end and monitored and audited in the middle.

Lee Neubecker: Yeah, but there was a notice last month from the NSA about Cisco routers being compromised in that there aren’t fixes yet out. So if that’s still accurate it’s a concern and one of the ways using this framework IT professionals might try to assess this would be to open up the routers, get inside and dump the firmware off the microchips and compare that against the manufacturer-supplied hash values, but the challenge I’m seeing with that is a lot of companies aren’t putting the hash values for their firmware. They might do it for their software, but if you have a home consumer router I’d be challenged to see how many home consumer routers have the manufacturers listing the firmware version with hash and really letting you get there to apply the software, because the ISPs are controlling that for the most part.

Gary Rimar: Yeah, but you also have to recognize that you’re definitely going down a very valid, but also very deep rabbit hole, just as an example, one time I was talking with this guy, it was like 1999, I lived in the Detroit metropolitan area and I was at a coffee house and this guy, who looked like Boss Hog, but tall, said, “Everybody’s stupid, they’re buying Windows, they should build their own operating system, they can use Linux.” And I looked at him and I said, “You’re an idiot.” He said, “Well, why would you think that?” I said, “We have people who can hardly find the on/off switch. You’re going to tell them they’re supposed to compile their own OS.” And so when you’re talking about no, I don’t know. The thing is when you’re talking about the level of inspection you probably need to have somebody do some appropriate, professional vetting. That’s over the skill level of a significant number of professionals that you’re going to meet in the market. You’re right. You’re totally right. But you probably need to get some people who eat and drink and breathe this stuff and real experts to do this. I personally don’t choose to stick a thumb drive in a computer anymore. There’s no need to do it. Inside a USB chip, I’m thinking you know this, but not everybody knows this, is that there’s this own little operating system inside the USB. So if you have an 8 gig USB, you know a small one these days, that used to be huge, it’s small now, that there’s actually more chip behind it that’s its own operating system and if that operating system is compromised, it’s firmware, and if that firmware’s compromised then whatever you plug that in is potentially owned.

Lee Neubecker: There’s no cryptographic process that checks and validates that software’s authentic on many devices. So it’s easy for nation-state malware to get into the chips and you know when WannaCry wreaked havoc on many hospitals. I saw there was one out east that they said that they replaced all the hard drives and all their systems and it’s like well that’s great.

Gary Rimar: Did they replace them with ones that went through appropriate supply-chain risk management?

Lee Neubecker: But even if they did replace all the hard drives if malware injected into the chips of the mouse, the CD-ROM, the printer then that was a waste of time because those computers are going to quickly become compromised.

Gary Rimar: You’re right about that, but again, this goes back to supply-chain risk management. If you don’t know where you’re getting your stuff you don’t know what you’re getting and what I did read is that China has actually started making their own chips for themselves. They don’t market them out of their country. Now one can determine is that their motivation that they don’t want to be infiltrated by another country or do they want to infiltrate their country because of their politics. I don’t know. I can’t know. However, it might be a good thing for countries, at least as big as us, with such a big target on our backs, to start creating our own chips and our own designs in our own country. Where we can control the entire process from picking up the sand off the beach to handing you a laptop.

Lee Neubecker: Yeah.

Gary Rimar: And you’re right, it’s not just the laptops or the hard drives it’s all the peripherals,

Lee Neubecker: Yeah, you know that’s the struggle because we want cheap, affordable products, but your…

Gary Rimar: Mm-hmm, well you can…

Lee Neubecker: Quality, cheap, fast.

Gary Rimar: You have good, fast, cheap pick which two. Yeah, I understand.

Lee Neubecker: Actually it was interesting to see that they brought Broadcom is coming back into the US and we’re seeing some of these moves of the President trying to get key industries back in to protect from some of these compromises and you know Apple some chips are going to be made outside of China now and other things happening there, but it’s a real concern and it’s one that the framework identified here can hopefully help companies just have an outline to go through to evaluate where are we? What have we worked on? What do we need to do more work on?

Gary Rimar: Yeah, you know. And back to our original topic of NIST 800-53 it’s in there, that’s it’s in there supply-chain risk management, you know. If you know, when I was first starting in IT in like 2000 I knew enough about security to know I didn’t know enough about security. That I hired it out. And had I been availed of this book I would have probably been able to do a much better job and I would have probably gotten into this career sooner cause this stuff is cool.

Lee Neubecker: Okay.

Gary Rimar: But I didn’t know it then. Now I know it.

Lee Neubecker: That’s interesting stuff.

Gary Rimar: Yeah.

Lee Neubecker: So do you have any other advice you’d like to give to our viewers as it relates to helping to keep themselves secure?

Gary Rimar: Well, I used to joke about always practicing safe hacks, but really, the one thing that I think that people aren’t doing, and this is totally off topic, is even though all the concerns we talked about there are still people who are getting owned because they’re surfing in places that are unsafe. And there are a couple companies out there I don’t know if you want me to say their names on your podcast, but at least one in mind where you can actually go ahead and surf through a virtual browser. Like browser as a service, so you log into their site and then they fire up an Ubuntu instance and then put a Firefox browser behind it and the only thing that touches your computer is pixels.

Lee Neubecker: So you’re not having any risk of JavaScript.

Gary Rimar: Not having any risk of anything.

Lee Neubecker: Well I think that kind of sandboxing makes a lot of sense and I could almost see a point where the end user desktop is basically just a sandbox that you wipe clean and start fresh every time booting.

Gary Rimar: Yeah, I have a former computer client who does legitimate research, he’s a psychologist, and he does legitimate research into pornography.

Lee Neubecker: Mm-hm.

Gary Rimar: I mean believe it or not, there is such a thing and his computer at home is, is his one computer, he’s computer stupid and so he had his HIPAA data on there and he’s surfing these kinds of websites and it scared the heck out of me. So I set him up a Linux virtual machine on his computer so he could surf there and I could rebuild that and I set it up so nothing could ever touch anything and the only thing he could swap is pixels and when I found out about one of these services I called him. You know he hasn’t been my client for years now ’cause I moved, but I called them up and says, “Hey Marty, you should use this.”

Lee Neubecker: Yeah.

Gary Rimar: And so now he can continue to do his research and not put his client records at risk.

Lee Neubecker: Well thanks for being on the show today. It’s been a great interview, I appreciate you being on Gary.

Gary Rimar: Thank you very much. I’m happy to have been here.

Trade Secret Theft Litigation

Enigma Forensics CEO & President Lee Neubecker and Johnson & Bell Attorney Joseph Marconi sit down to discuss Trade Secret Theft Litigation. They identify ways a company can safeguard itself against trade secret theft. Lee discusses how Enigma Forensics provided a forensic copy of a critical hard drive that won an important case. Joseph emphasizes the importance, when an employee leaves a company, of verifying what information was there, where it went, and to whom it was sent. If you suspect someone in your organization is stealing trade secrets, call Enigma Forensics or Johnson & Bell to help you recover your information and minimize the damage.

The transcript of the Trade Secret Theft video follows:

Lee Neubecker: Today I’m here with Joe Marconi from Johnson and Bell, who’s going to talk a little bit about trade secret litigation cases he’s been involved with, and how computer forensics has played a key role in getting success for him and his clients. Joe, thanks for being on the show.

Joe Marconi: Thank you Lee, it’s good to see you again.

Lee Neubecker: Joe, we started working together a long time ago. The first case that we had was one of my very first forensic expert cases ever. I think it was back in 2002 or 2003. It was the Lebert matter. Can you tell us a little bit more about what the issues were involved there and ultimately what happened in that case.

Joe Marconi: Yeah, that was Lebert versus Maiser. It was a trade secrets case. And we actually tried it in a bench trial and it went to the appellate court twice. And the appellate court actually quoted from your testimony at the trial and in that case, it was a sales distributor who we sued their top salesman. We represented the manufacturer and the local distribution company. And you were able to prove that before their key employee sales representative left the distributor, he downloaded a number of files. Shortly before or a couple of weeks before. And as with other trade secrets cases that I’ve been involved in, and I’ve tried several, computer forensics are very important. And you’ve been helpful, I think in three or four of them, Lee.

Lee Neubecker: I remember we had one case we worked on where your firm was being accused of spoliation of evidence. Can you tell people a little bit about that?

Joe Marconi: In that case, that case involved again, and typically what happens, the trade secrets case, it’s usually an employee leaves the company or a sales distribution company, terminates a contract with the manufacturer. And in the process, they take trade secrets. In this case, again, it was a local distributor. The case involved a company that distributed wines from all over the world. The new employer of the local distributor hired us to defend it and its former, and its now current employee. And we had her computer and we did and you did a forensic hard drive of the computer. You made a forensic copy of the hard drive, and it was blank. And the courts accused not the firm, but this particular distributor of destroying evidence. And that was the key issue in the case. And during trial, we had an unusual moment. In the night before the testimony by your forensic expert, you were able to open it up and show that nothing was really destroyed. And at trial that day, the other side’s forensic expert made a big point about how this hard drive had been wiped, and it had been wiped to destroy evidence of her misappropriation of trade secrets. And we then put on your forensic expert, and he testified. And we displayed it with a screen and everything, and he opened it up and the judge threw her pencil down on the desk, looked at her law clerks who were sitting there and said, “this does not happen every day.”

Lee Neubecker: I recall that was a situation where the hard drive, the other experts said the hard drive was completely wiped clean based on his testing of that drive on a PC, but in fact, I had my expert stay late that night and connect the drive to all different types of computers, and when it was connected to a Macintosh computer, lo and behold, it prompted for a password to decrypt the hard drive, so the hard drive was actually encrypted. And once a password was supplied, voila, it wasn’t a drive empty, but it had all the data. And the judge certainly was animated. I think the transcript on that was a really interesting case.

Joe Marconi: And the opponent’s expert had no clue, that was the, and the lawyer said to me afterwards, “I’m going to sue that guy.” The lawyer for the opponent.

Lee Neubecker: I felt bad for the expert, but that’s one of the problems that happens when you hire a computer forensic expert that hasn’t been doing it for a very long time. Problems can happen and mistakes happen.

Joe Marconi: Right. And for the most part, in the times that we’ve used you, have dealt with trade secrets. And I also remember the case that we recently tried last year in federal court, regarding a Chinese manufacturer. And again, an employee left a manufacturing company, started a competitive distributorship here in Chicago, and employed a Chinese manufacturer to make products for the same market. And the local manufacturer claimed that he had taken the plans and designs of the products and had given them to the Chinese manufacturer. And you helped us disprove that, or also helped us to prove that they couldn’t prove that that happened. So that’s another example of a trade secrets case. So I find computer forensics almost an essential part of any trade secrets case.

Lee Neubecker: So you’ve had experience being on kind of all sides, the firm that lost employee, the firm that hired the employee, and you’ve been able to get good results for your client, whether they’re plaintiff or defense.

Joe Marconi: The issues are the same no matter what side you are, and there’s not really only plaintiffs’ trade secrets lawyers, and defense lawyers. You either defend them or you prosecute ’em. And I’ve done both over the years. It’s a fascinating area of the law. And it’s something that every company deals with when they lose an employee, when they lose a manufacturer. And you know, as a matter of course, when one of my clients loses a sensitive employee that has confidential information, one of the first things I do is call you to make a forensic hard drive of that person’s computer before anyone opens the file and in any way causes it to change at all. And you can explain why that’s important.

Lee Neubecker: Well, I appreciate you calling me when that happens. Thanks, Joe. Well if you want to know more about computer forensics, please check out our blog. My blog’s at And you can also find Joe and Joe’s contact information there. Thank you, Joe.

Joe Marconi: Thank you.

GDPR and Online Trademark Infringement

Enigma Forensics CEO & President Lee Neubecker and Trademark Attorney Paul McGrady dissect what the GDPR is and discuss internet and domain name enforcement. Tune in to find out more about how complicated trademark infringement is and what to do if you find out your product is being sold by another company online.

Online Trademark Infringement

The transcript of the video follows:

Lee Neubecker: So I’m here today with attorney Paul McGrady and Paul, can you tell me a little bit about what type of attorney you are?

Paul McGrady: I’m a really good attorney.

Lee Neubecker: Okay.

Paul McGrady: Yeah.

Lee Neubecker: So what type of matters and problems do you help solve for your clients?

Paul McGrady: So I’m a trademark attorney, so a lot of what I do involves trademark litigation and involves trademark prosecution, clearing marks, protecting those marks from infringing uses of third parties. I developed a reputation in this space as someone who is heavily involved in the internet and domain name enforcement. I’m heavily active in ICANN, involved in policy development, but also contractual compliance issues and things of that nature. And so clients come to me often times, at least initially, for help dealing with an online infringement or counterfeiting problem.

Lee Neubecker: So what happens when a company finds that their products are being sold online, but not by them? Knockoffs and other products that might have fake labels on. Do you handle any of those type of projects?

Paul McGrady: Sure those things come up all the time in this practice. So, there’s a couple of different things. Sometimes they’re being sold online through websites that the infringers own themselves. That is one track. Other times, they show up on various sales platforms and that’s handled by a completely different track. Should we talk about both a little bit?

Lee Neubecker: Sure.

Paul McGrady: So when it comes to websites that the infringer may own themselves, that’s very often handled with take down notices to hosts. It’s, back in the day, when whois was as, more accessible than it’s going to be in the future, and we can talk a bit about that too, you would use whois searches, you would run reverse registrant searches, find out the full universe of what the bad guys were up to. More hosting take downs, maybe a UDRP complaint, which is an informal domain name complaint on the papers only. And then sometimes you’d have to go in and file lawsuits, either for trademark infringement or cybersquatting, or both. Just depending on the facts of the case. But, as I mentioned, whois is changing, we can talk a bit about that.

Lee Neubecker: Paul, can you tell me a little bit more about the platform issues?

Paul McGrady: Sure, so the platform issues are different than in the cases where the bad guy owns a domain name themselves. The bad guy may be taking advantage of legitimate platforms to sell infringing counterfeit goods. In those cases, many of those platforms will have a notice and take down mechanism. Those are not meant to be used just to keep your trade channels clear, but rather to be used to report actually infringing, counterfeit materials and sales, to have those taken down. If you have repeat offenders, it can get a little messier because you do ultimately need to find out who they are and unlike domain names, who have up until very recently had a predictable whois framework, the platforms don’t have anything like that.

Lee Neubecker: Let’s say you identify a website that is selling your clients’ products. How have you gone about unmasking those entities in the past when they’re hidden behind proxies?

Paul McGrady: Sure, so historically I’ve had really great relationships with many of the proxy privacy providers. A lot of them are legitimate outfits that have a mechanism by which you can alert them to a concern and either they write to their customer directly and tell them to contact you or they may even reveal the underlying customer information, depending on how egregious the situation is. However those proxy providers are moving into a new era where the European privacy law is going to dramatically change what information ICANN will allow the privacy proxy provider to disclose and to whom.

Lee Neubecker: Great. So Hide My Stuff might not actually work, or whatever it’s called.

Paul McGrady: Yeah, so in the coming months we are going to be seeing registrars, many of whom have privacy proxy services, implementing ICANN’s new proposed GDPR compliance model. And that model basically boils down to this, there’ll be essentially almost every domain name will be hidden behind some sort of privacy proxy service and brand owners who are concerned about abuse of their trademarks, either in the domain name or in the content of the website, will have to try to get access to that whois information through an accreditation process. The problem is, is that GDPR compliance begins in May with stiff penalties, but there’s so far no accreditation process that ICANN has even sketched out. And so, we are maybe going into a period of time where there truly is a blackout of whois between when whois is shut off and when accreditation begins. And that will be an interesting time because brand owners will have no choice, but to go to court, issue subpoenas, try to get records from the registrars, and the privacy proxy services. And then engage in forensics experts to come in and try to help them determine the entire universe of the infringing actors, domain name, portfolio, and things like that. Track them back through credit card issues, IP addresses, you name it. So the good old days of whois are winding down.

Lee Neubecker: And Paul, just so you remember, as part of our practice we often can unmask people online by looking at other data. Operators often point to their websites from various places. They get lazy. They’ll use the same DNS servers, they’ll use the same mail routing services, and often times we’ve been able to unmask people even when the legal means can’t identify them. But, you know when it really comes down to it, once you get your hands on the entity, what have you had to do to get the court to allow you to do forensics to inspect the computers?

Paul McGrady: Well, I mean that’s fairly straightforward right? Because we’re usually talking about demonstrably bad guys and you know going in and essentially seeking discovery orders to have the computers turned over, to be looked at. It’s, you know fairly straightforward these days. Several years ago it was not quite as common as it is now, but we’re going to see an uptick in that kind of thing because without easy access to whois, therefore leading to easy, you know UDRP compliance to deal with the problems, you know essentially in a Whack-a-Mole fashion. Once a brand owner is forced to go to court, they’ve already gone through the effort of being there, they’re going to try to get the full resources of the court behind them in trying to get the infringing material stopped.

Lee Neubecker: You mentioned before, GDPR and its impacts on your process. Can you tell us a little bit more about how that’s going to impact your clients in the coming year as it relates to internet domain disputes?

Paul McGrady: Sure, so back in the day and I mean last month, it was easy to conduct a whois search on a domain name, figure out the email address, then do a reverse registrant search on that email address, and essentially take a look at the entire portfolio and understand the universe of problem that you’re having with a particular bad guy. And that would also draw out uses by that particular bad guy of third party marks, which was a bad faith factor for the UDRP complaint that helps you win your UDRP arbitrations. But as I mentioned, a lot of that easy access is essentially going away and so from now in order to prove, you know, the kinds of bad faith multiple infringements that were easy to prove just a few weeks ago, unless ICANN confirms that the tiered access accreditation process will result in searchable whois data. You know, that easy method is going to go away and we’re going to have to figure out how to do that by piecing together information, like you mentioned Lee, that you know, you are able to go in and see where the bad guys are pointing, what DNS records they have, but of course that’s a bit more work than just a simple reverse registrant search. So, you know what is new maybe became a little common place, but now it’s back, mostly because of how ICANN is handling the GDPR law.

Lee Neubecker: Well thank you Paul for being on the show today and if you need to reach Paul, his contact information is available on our blog post at Thank you.

Paul McGrady: Thanks Lee.