Tesla’s Latest Trade Secret Theft Lawsuit

Enigma Forensics experts investigate, preserve and recovery data to prove or disprove Trade Secret Theft. We have assisted many clients in financially recovering what was stolen from them or to help clear their name. Are you interested in learning more about trade secret theft? Check out Tesla’s latest law suit against a former software engineer.

A large portion of our business is forensically recovering and preserving data that is vital in proving or disproving trade secret theft. Enigma Forensics experts love to follow Tesla! We love the look of their beautifully engineered electric cars and we’re very interested in Elon Musk, the controversial character behind the engineering. Who is now labeled the most wealthiest man in the world. Our interest was piqued when we heard about Tesla’s latest lawsuit and that prompted us to write this blog.

On January 22, Tesla filed a lawsuit against Alex Khatilov, a former software engineer over Trade Secret Theft and Breach of Contract. Tesla contends that within days after Khatilov started his position on December 28, 2019, he began stealing thousands of highly confidential software files from Tesla’s secured internal network, transferring them to his personal cloud storage account on Dropbox to which Tesla has no access or visibility.

How did Tesla discover this trade secret theft or misappropriation of data?

On January 6, Tesla’s information security personnel detected Khatilov’s unauthorized download of a complete set of all the automation scripts produce by the Quality Assurance Engineering team for WARP Drive over the last twelve years! He was confronted the next day via Microsoft video chat due to Khatilov working remotely because of COVID-19 restrictions. Khatilov claims he installed a Dropbox desktop application to his Tesla issued laptop to allow him to upload administrative files to his personal Dropbox. He swore over and over that he only transferred administrative documents and then when he finally shared his screen with Tesla investigators he could be seen deleting the Dropbox files while on video chat confirming he had willfully destroyed evidence.

Why all the fuss?

How important are these scripts? These scrips are unique to Tesla and run on WARP Drive, the backend software for much of Tesla’s business. These files consisted of “scripts” of proprietary software code that Tesla has spent years of engineering time to build. When executed, these scripts automate a broad range of functions throughout Tesla’s business and only a few select employees have access to these files. It gets better! This is the good part…Khatilov contends he forgot about downloading thousands of confidential files!

The reality of this trade secret theft or misappropriation of confidential data is that Tesla has no way of knowing whether Khatilov copied the scripts onto a thumb drive, a mobile device, or a cloud based storage or most importantly sent them to another individual. To understand more thoroughly how important these “scripts” or trade secrets are…They map out Tesla’s innovations! Making them extremely valuable and beneficial to any competitor.

What measures ensure against trade secret theft or misappropriation?

  1. Tesla limited the “scripts” access to only members of the Quality Assurance Engineering team in which Khatilov was one of forty employees to have access. The engineers that have access are not permitted to download scripts to the cloud or personal devices. This makes us wonder how Khatilov was able to download data!
  2. Only eight people within the Tesla company are approved to grant access to these scripts.
  3. Each engineer signs an extensive employment agreement and agrees to policy conditions of their employment with includes a non-disclosure agreement (NDA), that holds each employee to the strictest confidence of proprietary information, technical data, trade secrets so on and so forth.
  4. The NDA also states that upon termination or departure each employee will immediately return to the company all original document electronic or hard copies.
  5. Each physical facility has restricted access to only authorized personnel that are monitored by security guards and cameras.
  6. All visitors must check in with security, sign a NDA, submit to a photograph and be escorted by an employee.
  7. Tesla also used password-protected and firewall-protected networks and servers that are only accessible to current Tesla employee with the proper credentials.

Moral of this story is…

Even high level technology companies has issues with trade secret theft. If your company suspects something like this, immediately hire a computer forensics expert to electronically preserve data of soon to be departing or a departed employee that has already left the company. Enigma Forensics can analyze data that was misappropriated or stolen to help clients recover financial loss.

Cloud Cyber Risk

Cloud-based storage of an organization’s data attracts cyber hackers like bees to honey. Hackers take time to study and find flaws to breach, extract and sell personal information data. Data Experts Lee Neubecker and John Blair discuss cloud data compliance and legal regulations put in place to protect cloud-based data.

Compliance and Privacy Laws

Cloud cyber risk goes hand in hand when storing data on the Cloud. New compliance and privacy laws have been enacted to protect this cloud-based private information. The State of Illinois has passed a privacy law that specifically addresses how companies gather and store private data.

The Illinois Policy Group, an independent organization that generates public policy, explained that in 2008, Illinois enacted the BIPA, the most stringent law of any state regarding the consent, notice and disclosure procedures private entities must follow when collecting, storing or using people’s biometric information, such as fingerprints, iris scans and face prints. This law forces companies into compliance and makes them more responsible for the collection and storage of private data ultimately, decreasing exposure to cyber risk.

Data Experts Lee Neubecker and John Blair say because of BIPA companies are now more aware of how they secure and store data. They discuss other data compliance and privacy laws such as; California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA) and how these laws help regulate the healthcare industry and other organizations when storing consumer data, and vendor data in the cloud ultimately protecting the consumer. Watch this video interview to learn more.

View Part 2 of our 3-Part Series on Cloud Data

Part 2 of our 3-Part Series on Cloud Data

Lee Neubecker: Hi I am back again with John Blair. We’re continuing our discussion on cloud security and helping to minimize your cyber risk of having data in the cloud. And today, we’re going to be talking more about some of the compliance and regulatory issues and legal issues that companies face that are having their data and customer data, vendor data in the cloud. So, John, can you tell me a little bit about some of the regulations that impact the healthcare sector specifically?


John Blair: Yeah, the primary one is going to be HIPAA and associated as subsequent acts like HITECH and things like that that augment HIPAA and some of them more clearly defined some of the rules and regulations, primarily Security Rule and Privacy Rule. So those are going to be the ones that primarily come into play, but there are also individual state versions of healthcare acts that you need to abide by and each state has one so you also need to abide by the state regulations as well.

LN: Interesting. So it really, if a company’s operating in multiple states, they have a lot of issues to be looking at.

JB: They have a lot of regulations to be aware of and to be compliant with, yep.

LN: So I know here in Illinois, we have the Illinois Biometric Information Protection Act, otherwise known as BIPA and that’s been creating a lot of stir with Facebook recently had a settlement.

JB: Yep.

LN: And apparently Illinois Residents that have Facebook accounts might be entitled to around $200 per person.

JB: Yep.

LN: If you are in Illinois and have Facebook, so possibly you will be notified.

JB: Yeah, Illinois is the only one.

LN: And do you think it will be through Facebook Messenger?

JB: I do not but Illinois because of that law, Illinois residents are the only ones that are getting anything out of that lawsuit because of that, specifically because of that law.

LN: Got it.

JB: So I don’t know the details of the law but on the surface, it seems to be headed the right direction.

LN: Right, essentially they took the position that your biometric information, unlike your cell phone or your social security number, you can’t change it.

JB: Right.

LN: So if that data becomes compromised such as your facial vector map,

JB: Yeah.

LN: Or your fingerprint or your DNA, that you can’t swap it, it’s part of who you are.

JB: Right and those, you know, we’re finally headed in the right direction where it’s being considered personal.

LN: Yeah.

JB: So which I totally agree with.

LN: We also had just last month the California Consumer Privacy Act, known as CCPA went into effect and that’s got a huge impact on anyone who does business with California residents.

JB: Yeah, that is yet to, I think people were preparing for that prior to that but it’s going forward, I’m sure there’s going to be a lot of repercussions from that because there’s going to be obviously companies and entities that don’t prepare well for that and are going to get caught up in it because it covers, California is a huge state, a lot of people so there’s going to be some lawsuits.

LN: So it’s also been such that if you’re making medical devices for consumers and you have that information, relaying over 3G, 4G networks, we’ve got CPAP machines, pacemakers, all other types Of information. LN: All kinds of monitors

JB: Yep.

LN: And that information going to the cloud, if you’re a California resident and that information gets breached, it could be used by marketers or it could be used In other ways to target people.

JB: Yeah hospitals are going to need to really step up their game with respect to that particular regulation. Hospitals traditionally are a little bit behind technically speaking from an IT point of view, they’re very much on the bleeding edge from a medical device IT point of view but they tend to lag behind because you can’t, it’s hard to afford both

LN: Yeah.

JB: But this is going to, you know, how they allow individuals or access to their networks, what they allow in and what they allow out because that’s the channel these medical devices use is going to be very, very important that they get more control over those things.

LN: So as it relates to healthcare, what are some of the concerns about when a data incident is discovered to actually turn out to be a data breach, what types of reporting and notification requirements are unique to the healthcare sector?

JB: Well, first and foremost, you need to evaluate the situation and then have in conjunction with your legal team and compliance teams, establish whether or not you do officially declare it a breach which means you need to investigate it, you need to involve any vendors that were involved with that data because it may have been the vendor that you’ve contracted with that actually had the breach of the disclosure and not you but since they’re your vendor, you’re also on the hook and that flows all the way up from business associates, which is what those two entities will be up to the covered entity who actually owns the data. So after a thorough investigation and consultation with legal and compliance, a determination needs to be made whether or not you’ve formally declared a breach. And if so, then there’s all kinds of HIPAA standards that come into play about notification to the government, notification to each individual affected by the breach, what needs to take place with respect to that notification, there’s a timeline involved that needs to be met. So there’s all declaring it a breach is a very formal and arduous task.

LN: Yeah, not a pleasant one.

JB: No.

LN: In our next segment on securing data in the cloud, we’re going to be talking more about when a breach is discovered, some of the issues related to reporting the breach and what that can mean to an entity, especially if it’s not handled correctly. So thanks for being on the show again.

JB: Thanks, Lee.

View Part 1 of our 3-Part series on Data Cloud Storage

BIPPA Laws

To learn more about HIPAA

https://www.hhs.gov/hipaa/index.html

Illinois BIPPA policy

https://www.illinoispolicy.org/