James Pooley, member of the Center for Intellectual Property Understanding and former deputy director general of the World Intellectual Property Organization, understands the full seriousness of cyberespionage.
Pooley agrees that COVID has created a riskier environment because employees are away from their usual offices. But the problem is not entirely current, he notes, explaining that a new risk environment emerged in the last 15 to 20 years, as we moved into an information-based economy, where the asset base shifted from tangibles to intangibles.
In addition, “the imperatives for sharing information and trusting other people went up like crazy because of globalisation”, he says. Supply chains have become longer and more complex, as companies shifted to vendors abroad and therefore have to manage their operations at a distance.
During the early-1970s, “all that a company needed to do to protect its information assets was to guard the photocopier and watch who went in and out the front door, because there were no networks, no internet and records were stored on paper”, says Pooley. But, over the last decades, digitalisation coupled with globalisation has changed the playing field. Some of the most valuable assets have become intangible, opening up a whole new world to hackers.
So how does sensitive data end up in the wrong hands? Pooley argues that swathes of valuable information is lost because of employee inadvertence. In rough numbers, he says, “some 80 to 85 per cent of information loss occurs through employees, as opposed to hackers worming their way in from outside”. While organisations can spend effort and money on secure IT infrastructure, they neglect employee behaviour at their peril.
“I see it over and over again,” says Pooley. “I get hired as an expert to critique the protection systems for companies in litigation over trade secrets, because they have to prove they took reasonable steps to prevent the things from happening.” What he sees is companies neglect to train their employees on how to identify and handle confidential data.
Meanwhile, hackers look for the weakest link in a company’s information chain, for instance when employees use the public wifi of a restaurant near their office for work purposes. He mentions the 2014 hack of Target, when the company’s heating and air conditioning contractor was used as an entry point by hackers, who exploited the vendor’s weaker system to gain access to the Target system.
“It's just astonishing to me that more companies don't pay better attention to these issues, but there we are,” says Pooley. “Maybe I'm a Cassandra, but remember, Cassandra was right.”
How can companies train their employees to be more vigilant? “Preventing bad behaviour is usually about awareness, because people want to do the right thing and they want their jobs to be preserved,” he says.
When Pooley advises companies, he begins with a high-level strategic examination of what the company’s most important information assets are, what risks or vulnerabilities they face and what mechanisms there are to reduce these risks.
“Being really attentive to where the risk points are will alert you to pay special attention to areas that are likely to be used as points of entry,” he says. Companies need to set up policies and procedures to ensure their IP is protected and training employees is a big part of that.
“I worked with one company that built a consumer product primarily manufactured in China, so there were obvious leakage risks connected to that.” As they went through the process of developing a comprehensive system to protect their IP, Pooley asked for all the senior managers of the company to get together in one room to discuss the matter. Even though this was not easy to arrange, he insisted.
Once all senior managers came together, including the supply chain managers who talked about issues they experienced directly, sharing information triggered insights for managers across the board.
“‘Wait a minute, I don't think I've ever really looked at the non-disclosure agreement that we have with company x and when it expires.’ All of a sudden, they're seeing vulnerabilities, where they hadn't really thought about them before,” says Pooley. “No one expected the specialty arm of the organisation that dealt with all these companies in China would have something to say to the other business units, but vulnerabilities can overlap.”
Are silos and inefficient communication partly to blame for companies’ vulnerability when it comes to countering cyberthreats? Pooley argues organisations need to confront the fact that separate units within their business may have set up unnecessary walls. In reality, information flows and risks are usually shared across the business.
Part of the solution could be found through automation, he says, because automation includes behavioural analytics and insight tools that help companies monitor what exactly it is employees do on their platforms. However, using these tools always has to be balanced with individuals’ expectations of privacy.
Pooley concludes: “The message that I often give is cyberespionage is scary and ugly, and we need to do everything we can to prevent it and deal with it. But if we're not managing our employees in a smart way, it's almost like we’ve left a couple of doors open.”
What are the key changes in Chinese intellectual property (IP) protections since the phase-one trade agreement? How credible are these commitments compared to previous ones in the absence of an independent judiciary to adjudicate claims?
The Judicial Interpretation from the Supreme People’s Court regarding trade secrets gives good reason to expect at least some modest progress. There are quite a few provisions, but two specifically may be key indicators of whether China is making real progress toward providing safe, effective, and robust mechanisms to enforce trade secrets.
The first of these is shifting the burden of proof (Article 8). Bringing a claim for trade-secret misappropriation can be prohibitively difficult if the court expects the plaintiff to marshal and present sufficient evidence at the outset of the case because China does not have a civil discovery procedure. Therefore, the idea is to set a minimal threshold requirement of initial proof to ensure that the case is reasonably grounded, following which the defendant would have the burden of establishing independent development of the trade-secret information. This notion was not new with the phase-one agreement; it had been introduced as an amendment (with immediate effect) in the 2019 revision of the Anti-Unfair Competition Law. Article 8 of the Judicial Interpretation states that the trade-secret holder first must submit “preliminary evidence” to prove the elements of the claim, and then if the accused infringer claims independent development, “it should provide proof.” The challenge here is to understand what is meant by “preliminary” evidence. In practice, will this come to look like the U.S. threshold of “reasonable suspicion” based on a plausible, but circumstantial, set of allegations? Or will preliminary evidence in effect be subject to the same assessment as at trial? We will not know whether the intent of Article 1.5 of the phase-one agreement, which requires changes in this vein to the burden of proof, has been implemented until there are sufficient examples of actual decisions.
The second key indicator in the Judicial Interpretation is found in Articles 14 and 15, which appear to describe indirect misappropriation. This could be significant because China has in practice only punished misappropriation of a form close to slavish copying. Obviously, improperly gained information can be used to influence the development of a competing product that may look nothing like the original. And there is substantial value in so-called negative trade secrets consisting of experiments through which what does not work, or what works less well, is determined. Although Articles 14 and 15 are not clear (at least in the translation that I read), it is possible that they could be interpreted to allow a court to find that a trade secret has been “used” if it has been “modified” or if “business activities” have been “adjusted” according to the plaintiff’s secret. Again, we will not know whether this portion of the Judicial Interpretation will be followed in that way unless and until we have enough examples of published case reports.
What is the likelihood that China ever makes it fully down the path toward protecting foreign IP? Will there always be significant risks to foreign firms as a result of the Chinese political and economic model?
There can be no doubt that China has been moving toward a more robust IP-protection regime for several decades. This has been in part an assumed obligation of membership in the World Trade Organization (WTO) and in part a classical reaction to the need to construct a framework to provide sustained incentives for domestic innovation. But China’s path, unlike that taken by, for example, Japan, Taiwan, and South Korea, has been strictly controlled by its Communist government, which has tilted the economic playing field to favor Chinese companies.
Therefore, in a sense the very significant and rapid progress made by China since the 1980s in constructing a world-class IP system is a bit like wax fruit: it looks good, but can you eat it? China’s current system, which in practice favors domestic players, must evolve to apply fairly to all litigants, in accord with the principle of national treatment. Moreover, China will move fully down the path toward protecting foreign IP only when its judicial system is sufficiently transparent that one can be confident of even-handed application of the rule of law. Although some within the Chinese judicial system are pushing for such reforms, I do not expect this kind of change will happen in the foreseeable future.
What future policy reforms or other developments would indicate that China will increasingly take trade-secret protection seriously? To what extent might these reforms be influenced by international pressure?
I believe that we need to see fulsome implementation by China of leading reforms, such as reversing the burden of proof and finding misappropriation based on indirect use rather than copying. That sort of demonstration naturally requires more transparency, and in particular the regular publication of judicial opinions. In my view, although there is some internal pressure on China to move in that direction (largely from professors who would like to have access to the reported data to inform their research), domestic forces will never be enough to effect meaningful change. This is simply because the government does not see a compelling reason to give up the inherent advantages of opacity.
Therefore, I believe that change will only come from external influence. As a multilateralist, I hope that such influence is exerted by countries operating through institutional frameworks such as the WTO, but of course there is room for unilateral action by the United States or the European Union, each of which can apply pressure relative to the size of its market.
If China does not fully implement the changes it has promised, or the pace of progress slows due to heightened tensions, what unilateral or multilateral policy measures would be most effective in getting things back on track?
The answer to this question depends very much on what one understands as getting things back on track. It is probably unrealistic to expect that China, without a fundamental change in government, will ever change its court system in a way that would allow us to be fully confident about the implementation of the most important reforms. If by being on track we mean being diplomatically engaged in active discussions about these issues, then I would say that direct economic pressure—perhaps not as drastic as some of the tariffs that have been levied by the United States, but of the same nature—is the most effective means for keeping China at the negotiating table and talking productively. Progress may be measured in inches, but if the parties are engaged, then it is a way of being “on track.”
What is the role of the World Intellectual Property Organization (WIPO) in trade-secret protection, especially with respect to China?
Having spent five years at WIPO, much of it engaged in attempting to facilitate negotiations to improve international IP systems, I am of the view that the organization is highly unlikely to play a meaningful role in securing improvements in China’s trade-secret-protection regime. In large part, this is because the concerns we have with China are about enforcement of the laws, not so much about their content. And enforcement in general is a forbidden subject at WIPO because it is largely perceived to invade the sovereignty of the member states’ judicial systems. This issue is both too diplomatically sensitive and arguably outside WIPO’s mandate. Additionally, there is the problem that trade secrecy in general is largely misunderstood in the international diplomatic community. Among many countries, any discussion of trade secrecy often focuses exclusively on Article 39(3) of the Trade-Related Aspects of Intellectual Property Rights (TRIPS) Agreement. Many believe that this article, which requires protection of pharmaceutical test data, was an unfortunate giveaway to the drug industry. More broadly, the notion of secrecy simply seems inconsistent with the general idea of transparency and so has a sinister connotation.
This debate suggests that WIPO’s primary contribution to protecting trade secrets in China could be to provide a forum to facilitate better understanding of the role of robust protection in enabling technology transfer. This issue itself is a subject of broad interest, particularly among developing countries. If there were a more sophisticated view of the role that secrecy plays in accelerating innovation, it might over time provide very helpful context for a continuing examination of the shortcomings of China’s trade-secret regime.
Given the rather decisive defeat of the Chinese-backed candidate for director general earlier this year, how will China work to influence WIPO in the years to come?
One can conclude from China’s promotion of its own candidate for director general at WIPO, following several successful campaigns for the lead spot at other UN agencies, that China has shifted rather dramatically from a lead-from-behind approach of exercising its influence to a much more aggressive posture that looks like a broad grab for power at the United Nations. This is occurring at a time when the United States has retreated somewhat from its traditional multilateral engagement, which has significant implications for the structures and mandates of multilateral institutions. Notwithstanding its failure in the WIPO elections, I have no doubt that China will continue to assert leadership, at least behind the scenes, where it exerts very powerful influence over a number of other developing countries. On this point, it is important to keep in mind that stopping something from happening at WIPO takes very little political power (as is probably true at most other UN agencies). In general, I would expect China to continue to assert itself at WIPO in ways that will help the country maintain control over the speed and substance of domestic IP reforms. If the United States wishes to understand how that will play out in the coming years, not to mention have any influence over the process, it must engage vigorously in the organization.
The most important and immediate goals for reforming patent eligibility are predictability, predictability and predictability. This framework, coming from legislators who understand the value to our country of a robust and sensible patent system, is exactly the right approach. It will restore much-needed certainty to the acquisition and enforcement of patent rights, reducing costs for all stakeholders.– James Pooley
A new Defend Trade Secrets law may give Latin American companies reason to move computer servers to the United States.
This past week the US Congress passed the Defend Trade Secrets Act (DTSA), less than two weeks after the European Parliament voted through the EU Trade Secrets Directive. What might at first seem like an extraordinary coincidence in fact has a lot to do with pressure applied by industry on both sides of the Atlantic to improve the remedies that are available for theft of trade secrets.
Businesses are relying increasingly on secrecy as the preferred way to protect their innovations, as well as the massive amount of analytics, financial and customer data that drive competitive advantage. But this valuable information is also vulnerable, not just to hacking and other kinds of espionage, but also to careless behaviour by employees and business partners. Having access to robust and predictable legal remedies is important.
Those aren’t available in Europe, the Commission found in a 2013 report. That concern led to its proposal for the EU Trade Secrets Directive, an attempt at minimum harmonisation.
Meanwhile, in the US, where thanks to broad discovery rights and a (mostly) uniform set of state laws, trade secret protection has been viewed as relatively powerful, business called for amendment of the federal Economic Espionage Act – which provides only criminal remedies – to include an option for companies to bring their private trade secret disputes to federal court as well. (Up to now, they have been able to do that only in cases where there is “complete diversity” of citizenship among the parties, an unusual occurrence in trade secret cases, or where there is another federal claim – such as patent infringement – pending based on closely related facts.)
Introduced only nine months ago, the DTSA enjoyed unusually bipartisan political support, buoyed by enthusiastic intervention from industry groups. In fact, the only organised opposition came from a group of law professors who were worried that provisions for seizure of infringing property could lead to a new class of “trade secret trolls” terrorising unsuspecting companies. After a Senate hearing last December, at which I was called to rebut the professors’ arguments, work began on a set of amendments that were all accepted by the end of January. On 4 April, the Senate voted unanimously to accept the legislation, and the House followed suit on 27 April. President Obama is expected to sign it soon.
The DTSA adds a private right of action to the existing federal criminal law, using the same standards expressed in the Uniform Trade Secrets Act, which is the basis for almost all US state laws, and was also the pattern for Article 39 of TRIPS. As a result, it can now be said that the US has fully complied with its TRIPS obligations, since it has a single national law covering the subject. However, the new federal law will not displace existing state statutes. Instead, it will be used optionally for trade secret disputes where the federal courts provide a distinct advantage: cases with
interstate or foreign actors, where attorneys can initiate discovery anywhere in the country, and where judicial experience is needed to handle complex jurisdictional issues.
State courts in the US, even though having similar substantive laws on trade secret protection, apply local procedural rules that can vary enormously, impacting multi-state cases where speed matters. This is why industry was so supportive of the legislation: instead of having to go to various county courts with unpredictable local customs, they can take advantage of a single nationwide system and set of rules.
The DTSA also provides an ex parte seizure when the trade secret holder has advance warning that someone is about to destroy a stolen secret or leave the jurisdiction. This provision has been quite controversial; however, applications have to be so well supported, and the penalties for a mistaken application are so severe, that most believe the remedy will not be invoked often and will be allowed only in obviously deserving cases.
Two other aspects of the DTSA deserve special comment. First, although US law has always allowed courts to issue orders against a “threatened” misappropriation, concern was raised whether this standard language might allow a federal court to stop a departing employee from taking a similar job with a competitor. This so-called “inevitable disclosure doctrine” has provoked fear – not always rational – that courts might be able to bar competitive employment merely based on how much sensitive data the employee knows. The DTSA’s solution to this mobility issue was to prohibit any order that is based only on what the person knows, requiring instead that it be based substantially on the employee’s behaviour that indicates untrustworthiness.
A second significant feature of the DTSA is its grant of immunity to employee whistleblowers reporting suspected wrongdoing. Existing law in the US is sparse and unreliable, based on a highly contextual backward look at the facts to determine whether the employee’s action may have been justified. Unsurprisingly, under these circumstances, the risks of coming forward are too great, and studies show that many who might otherwise have reported significant wrongdoing have remained silent. Of course, the employer has legitimate interests at stake as well, since the claim may turn out to be wrong, or the employee’s disclosure may be broader than necessary. The DTSA resolves this tension by providing clear immunity, but only for disclosures made in confidence to law enforcement, or as part of a court filing under seal. In this way, the information can be provided without fear of retributive litigation, while the relevant authorities can maintain the integrity of the secrets while they determine whether there is a basis to proceed.
The DTSA will improve the efficiency of, but will not revolutionise, trade secret disputes in the US. As already noted, there will be a certain class of cases brought in federal court because they involve foreign actors or witnesses spread across the country. Strictly local cases – where the chef leaves a restaurant with the secret recipes and moves down the street – will still be handled in state courts. That’s in part because the DTSA requires that the information in controversy be related to a product or service in “interstate commerce”, the minimal jurisdictional requirement for federal courts to act. And it’s in part because local cases will be brought by local lawyers who are familiar with their local courts.
Although some lawyers will want to use federal courts for trade secret cases just because they handle patent matters and are more comfortable there, that may not be the smartest tactical move. Federal judges take their cases on “single assignment”, meaning that they are in charge of all issues from beginning to end. They are therefore more likely to view the case skeptically than state court judges, who typically have a “departmental” system and are sometimes seen as waving through weak cases so that they can be taken care of by a different judge at trial. In addition, federal judges are usually more demanding of a plaintiff’s identification of its trade secrets. So we may not see a general rush toward filing in federal court.
What of the EU Trade Secrets Directive? Also driven by industry concerns over the need for harmonisation, the EU effort starts from a much lower base of harmony than has existed in US states. Indeed, the Commission’s report found a disturbing level of inconsistency among the 28 national regimes. So by establishing common definitions, some common remedies and an approach for protecting secrets during litigation, the directive represents a major step forward.
But measured by the expectations and needs of customers, there is quite a distance left to travel. For cultural and political reasons, the directive does not deal with criminal remedies and so there remains an uneven regime for enforcement in the most egregious cases of information theft. More importantly perhaps for business, there has been no progress on addressing the fundamental problem of pursuing trade secret cases in civil law systems: the lack of discovery. Say what you will about the excesses of US civil discovery in general; the trade secret plaintiff, facing losses from behaviours that only the defendants can know, is always disadvantaged at the outset of a dispute by asymmetric access to information about what happened. Without discovery to set the balance right, there will always be a significant number of legitimate cases that cannot be pursued.
Worse still may be the exceptions provided in the Directive. Unlike the DTSA, whistleblowers are free to disclose confidential information not just to government but also to media, so long as it is in the public interest. And the catchall exception for “protecting a legitimate interest” under national or EU law seems a yawning loophole that even the CJEU may not be able to constrain adequately.
The EU Trade Secrets Directive is a very good start on harmonising standards in this critical area. But for the time being, if your clients need extremely reliable civil remedies they are probably well advised to find ways to bring their cases in the US.