BBA 3551, Information Systems Management

Course Learning Outcomes for Unit VI Upon completion of this unit, students should be able to:

3. Examine the importance of mobile systems with regard to securing information and knowledge. 3.1 Explore the importance of information systems (IS) security to organizations. 3.2 Discuss sources of security threats to an organization. 3.3 Explain safeguards for hardware and software components.

Course/Unit Learning Outcomes

Learning Activity

3.1 Unit Lesson Chapter 10 Unit VI PowerPoint Presentation

3.2 Unit Lesson Chapter 10 Unit VI PowerPoint Presentation

3.3 Unit Lesson Chapter 10 Unit VI PowerPoint Presentation

Reading Assignment Chapter 10: Information Systems Security

Unit Lesson Information Systems Security Information systems (IS) security is important for keeping information available, confidential, and reliable. Through the use of access controls, unauthorized users can be prevented from accessing integral systems and potentially causing harm. An IS is vulnerable to threats that could potentially put organizational assets at risk. To protect this information, safeguards can be put in place to prevent theft or loss. Security threats such as hacking have evolved into more sophisticated crimes of opportunities, such as illegally or maliciously deploying malware and ransomware. It used to be that hackers were the main source of threats, exploiting system vulnerabilities to prove a point. They were able to access the organization’s information technology (IT) assets and, if they wanted to, compromise those assets. Today, malware and ransomware are a few of those threats and are often used by cyber-crime syndicates, large groups, or even corporations dedicated to performing rogue behavior with the purpose of fleecing legitimate organizations and individuals of cash and intellectual property. Other dangerous threats are minor cons (money mules and money launderers), hacktivists, intellectual theft and corporate espionage, and botnets (Kroenke & Boyle, 2018). One recent example of a small-time botnet con was the arrest of malware kingpin Vladimir Tsastsin, who ran a click-fraud scheme for nearly 10 years and accumulated about $14 million dollars. The money was collected from unsuspecting victims using false advertising called click-fraud. The click-fraud scheme works when a malware-infected computer uses bots to pose as false entities that click on advertisements, tricking legitimate companies into thinking that people were viewing their advertisements on various websites. Vladimir would then collect pay-per-click monies from those unsuspecting companies (Andrew, 2017).

UNIT VI STUDY GUIDE

Information Systems Security

BBA 3551, Information Systems Management 2

UNIT x STUDY GUIDE

Title

This type of scheme is not limited to just individuals but also to large organizations. In another example, a cyber-crime syndicate, which is called Operation GhostClick, infected a number of domain name servers (DNS) with malware called DNSChanger. This malware redirected requests through criminal-controlled servers, collecting money through fraudulent advertisement clicks from unsuspecting and legitimate companies (Lemos, 2011). Threats are not always external; there are also internal threats. Internal threats usually come from within the organization. An example is when a disgruntled employee gains access to the system to cause harm. A second example is phishing. This occurs when an employee posts sensitive data to what he or she thinks is a legitimate company website or e-mail. Another example would be pre-texting; this is when someone pretends to be someone else for the purpose of gathering sensitive data such as social security numbers, passwords, and account information (Kroenke & Boyle, 2018). So, what are organizations doing to prevent threats? Because of the changing nature of IS security, it is very difficult to predict threats, but when they occur, they can be mitigated through the implementation of safeguards. An example of a safeguard is the creation and use of strong passwords. Strong passwords contain a mixture of alphanumeric and special characters as well as lowercase and uppercase letters. Even though strong passwords are difficult to crack, they are vulnerable to brute-force attacks where a hacker tries every possible combination of characters to crack the password and gain entry. This is one way an individual can respond to security threats. Organizations, on the other hand, must take a much more sophisticated approach. Organizations will need to develop and implement security policies; train employees about security risks; create an inventory of its IT assets, such as data and hardware; and evaluate potential risks to those assets. With this information, organizations can determine how much risk they are willing to accept and where security safeguards will need to be implemented (Kroenke & Boyle, 2018). Integrated IS The scenario at the beginning of Chapter 10 of the textbook in uCertify discusses some security concerns that can arise when integrating information systems. Let’s take the company, Volkswagen, as an example. In their advertisements, Volkswagen uses an application (app) called Car-Net that will provide Internet access to music, GPS, diagnostics, and other apps from the vehicle’s dash (Volkswagen, n.d.). So, what are the security risks if Internet access is provided in automobiles? Can cars with this technology create risk? Can hackers access Internet-capable cars and compromise them remotely? The answer is yes. Studies have shown that hackers have the ability to remotely access and sabotage the way a vehicle operates such as applying brakes to stop a car from moving, meddling with the stereo system, and controlling other vehicle functions without having to be anywhere near the car (Peterson, 2015; Rohrer & Hom, 2017; Vanian, 2016). This is possible because computers, or the controller area network (CAN), are used to control many of the car’s operations (e.g., monitoring engine emissions, checking the airbag, sensing when fuel needs to be transferred from the tank to the engine). Self-driving cars are another example of how computers can control the operations of an automobile (Figure 1).

BBA 3551, Information Systems Management 3

UNIT x STUDY GUIDE

Title

Google is only one of several industries experimenting with self- driving cars. Today, we have several auto manufacturers of vehicles that already have some self-driving components such as auto-parking and anti-collision features. These features require the use of complex components such as computers and control modules. One of these features is what is known as self-parking, assisted parking, or autonomous parking, which is a self-maneuvering system that uses various sensors to move a vehicle from a traffic area into a parking space (e.g., parallel parking assistance) (Hamdan, 2017).

Despite the risks, having computers in just about every aspect of the automobile’s operations has its benefits. By using computer modules and sensors to send data throughout the CAN, the vehicle has the ability to perform operations, such as self-diagnosing problems, detecting changes in engine temperature or voltage, detecting tire deflation, warning drivers when they are at risk of falling asleep, as well as other driving tasks, which are all intended to help improve the vehicle’s reliability and safety (Pizzi, 2017). Health IS Another security concern is the potential for a person’s health information to end up in the wrong hands. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that outlines how patients’ medical information should be protected. The HIPAA law requires that all organizations that deal with patient health data to implement systems that comply with HIPAA rules. Failure to follow these rules to protect patient health information is a violation of the law (The Office of the National Coordinator for Health Information Technology, 2015). Health information systems (HIS) have an important role in the privacy and security of health information. Patient health information can be secured through the use of certified electronic health records (EHR) that apply HIPAA rules. With the use of educational resources and tools, health providers and hospitals can mitigate privacy and security risks in their organizations. Why is it important to safeguard patient information? If patients cannot trust that their medical information is safe and secure, they may not be willing to disclose important health information. Withholding important and potentially life- saving information from healthcare practitioners can have drastic consequences such as loss of life (The Office of the National Coordinator for Health Information Technology, 2015).

Figure 1: Self-driving car by Google (U.S. Department of State, 2016)

Figure 2: The security of health records is an important piece in the information systems security puzzle. (Baer, 2008)

BBA 3551, Information Systems Management 4

UNIT x STUDY GUIDE

Title

Summary Another security concern is what organizations do with client or customer data. If you fill out a form online, what happens to this data? Will the organization use it appropriately or sell it to spammers? This data can contain very personal information such as medical histories, credit card information, purchasing history, and financial information. Data mining is when organizations collect customer data to help them better understand their customers’ buying habits, to provide more personalized services, and to target potential customers. Technology has made it easier to collect and transmit data, whether it be a message or a bank account number. In this context, information has become a valuable commodity. Because of this, there can be tension between privacy and trust. We may be willing to give up some privacy by disclosing personal information to an organization, but we also want to know that we can trust that entity to protect that information (Kroenke & Boyle, 2018). In this unit, we examined some information security threats and how organizations can mitigate these risks. Information security threats will continue to be complex and sophisticated, so we must remain vigilant in our response to those threats. As individuals, we can help by using strong passwords, attending security training sessions, following organizational security directives and guidelines, and reporting anything suspicious. For organizations, they must take a more systematic approach to security threats by addressing two critical security functions: developing and implementing an organization-wide security policy and managing risk.

References

Andrew, N. (2017). Is click fraud illegal or just unethical? Retrieved from https://ppcprotect.com/click-fraud- illegal/

Baer, R. (2008). Doctor explains x-ray to patient [Image]. Retrieved from

https://commons.wikimedia.org/wiki/File:Doctor_explains_x-ray_to_patient.jpg Hamdan, L. (2017, November 13). Revealed: How Ford is gearing up for tomorrow land.

Arabianbusiness.com. Retrieved from https://search-proquest- com.libraryresources.columbiasouthern.edu/docview/1963302512?accountid=33337

Kroenke, D. M., & Boyle, R. J. (2018). Using MIS (10th ed.). New York, NY: Pearson. Lemos, R. (2011). As cybercrimes go international, so must enforcement agencies. Retrieved from

https://www.infoworld.com/article/2621345/cyber-crime/as-cyber-crimes-go-international--so-must- enforcement-agencies.html

The Office of the National Coordinator for Health Information Technology. (2015, April). Guide to privacy and

security of electronic health information. Retrieved from https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Peterson, A. (2015, August 14). Here is how you learn to hack a car. Washington Post. Retrieved from

https://www.washingtonpost.com/news/the-switch/wp/2015/08/14/here-is-how-you-learn-to-hack-a- car/

Pizzi, P. J. (2017). Connected cars and automated driving: Privacy challenges on wheels. Defense Counsel

Journal, 84(3), 1–14. Retrieved from https://search-proquest- com.libraryresources.columbiasouthern.edu/docview/1924515502?accountid=33337

Rohrer, K. K., & Hom, N. S. (2017). Who’s responsible for cybersecurity? Strategic Finance, 99(4), 62–63.

Retrieved from https://search-proquest- com.libraryresources.columbiasouthern.edu/docview/1947781911?accountid=33337

BBA 3551, Information Systems Management 5

UNIT x STUDY GUIDE

Title

U.S. Department of State. (2016). Secretary Kerry views the computers inside one of Google’s self-driving cars at the 2016 global entrepreneurship summit’s innovation marketplace at Stanford University [Image]. Retrieved from https://commons.wikimedia.org/w/index.php?curid=49674725

Vanian, J. (2016, January 26). Security experts say that hacking cars is easy. Fortune. Retrieved from

http://fortune.com/2016/01/26/security-experts-hack-cars/ Volkswagen. (n.d.). Volkswagen car-net. Retrieved from http://www.vwcarnetconnect.com/

Suggested Reading The following chapters are located in the textbook in uCertify. Chapter 4 is a review of material presented previously, but you may find the information to be helpful as you complete this unit’s assignment. Chapter 7 focuses on security within the workplace. Chapter 4: Hardware, Software, and Mobile Systems, Q4-7 Chapter 7: Security Guide In order to access the following resources, click the links below: It happens all the time; an employee with proprietary knowledge leaves a company with that knowledge. What does the company do? This article explores that question. Richmond, R., Morrison, K. M., & Lim, E. (2017). What do you do when an employee with access to your

company's trade secrets leaves to work for a competitor? Employee Relations Law Journal, 43(2), 36–44. Retrieved from https://libraryresources.columbiasouthern.edu/login?url=http://search.ebscohost.com/login.aspx?direc t=true&db=buh&AN=124285832&site=ehost-live&scope=site

More and more workplaces are turning to mobile solutions. However, these solutions come with their own issues. The article below examines the different obstacles that organizations face when converting to a more digital workplace. Vieraitis, B. (2003). 5 hurdles to mobile and wireless deployments ... and how to overcome them: Today's

work force is demanding mobile, flexible, and real-time access to critical data. But, you're bound to encounter a few potholes along the road to anytime-anywhere computing. Mobile Business Advisor, 21(5), 20. Retrieved from http://link.galegroup.com.libraryresources.columbiasouthern.edu/apps/doc/A110026621/CDB?u=oran 95108&sid=CDB&xid=00b6246b

Learning Activities (Nongraded) Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information. To test your knowledge of the material covered in this unit, complete the activities listed below.

 Chapter 10 Active Review

 Chapter 10 Using Your Knowledge

 Chapter 10 Collaboration Exercise

 Chapter 10 Review Questions

 Chapter 10 Cards

BBA 3551, Information Systems Management 6

UNIT x STUDY GUIDE

Title

The activities are located within the chapter readings in uCertify. The Chapter 10 Active Review, Using Your Knowledge, Collaboration Exercise, and Review Questions are located at the end of the chapter. The cards can be accessed by clicking on the Cards icon within uCertify, which is located to the right of the chapter title, and the icon in uCertify resembles the image shown below.

Vol. 43, No. 2, Autumn 2017 36 Employee Relations Law Journal

What Do You Do When an Employee with Access to Your Company’s Trade

Secrets Leaves to Work for a Competitor?

Rick Richmond, Kelly M. Morrison, and Eugene Lim

Rick Richmond ([email protected]) is a commercial litigator, founding and managing partner of Jenner & Block LLP’s Los Angeles offi ce, and co-chair of the fi rm’s Trade Secrets and Restrictive Covenants practice. Kelly M. Morrison ([email protected]) is a partner at the fi rm concentrating on complex civil litigation, arbitration, and appellate matters, with a focus on trade secret litiga- tion and class action defense. Eugene Lim was a summer associate at the fi rm.

The risk of trade secret theft comes from not only employees with malicious intentions, but also those who are not as careful as they should be. This article discusses steps employers should consider taking during their off-boarding processes to minimize the risks of misappropriation by exiting employees.

One of your employees is leaving and you suspect that he or she may start working for a competitor. What can you do to protect your company’s secrets from leaving with your employee? Because millions of pages of information can now be transmitted globally at unprecedented speeds through flash devices or cloud storage, your company would be well-advised to consider rigorous off-boarding procedures for employ- ees who may potentially cause irreparable harm by taking your trade secrets with them.

The risk of trade secret theft comes from not only employees with malicious intentions, but also those who are not as careful as they should be. Because many employees are unaware of company policies regard- ing the handling of confi dential information, for example, confi dential fi les may be emailed or transferred to personal computers, tablets, smart- phones, or third-party servers like DropBox without any realization of wrongdoing. A global survey conducted in 2012 by Symantec found that 62 percent of employees said it was acceptable to transfer work docu- ments to personal computers, tablets, smartphones, or online fi le sharing applications. About half responded that it would not be wrong to use the data of a former employer at a new job, and 40 percent said they planned to do so.1 Only 47 percent said their organizations take action when employees take sensitive information contrary to company policy.

Faced with these circumstances, employers should consider taking steps during their off-boarding processes to minimize the risks of mis- appropriation by exiting employees. Once secret information gets out, recovering that information and preventing future misuse or recovering damages, may be possible only through costly and extended litigation.

What Do You Do?

Employee Relations Law Journal 37 Vol. 43, No. 2, Autumn 2017

IMMEDIATE STEPS: TERMINATE ACCESS, COLLECT, INVESTIGATE, AND INTERVIEW

Terminate Access

An employer usually should revoke any access the departing employee has to confi dential information right away—ideally, upon notice of resignation, which employers should accept immediately. If the employee’s work during the transition period requires some access, consider ways to limit that access to reduce any opportunity for misap- propriation of valuable trade secrets, such as terminating the ability to work remotely.

Collect and Preserve

Employers should consider immediately collecting and securing all physical devices and data. This includes collecting physical devices such as laptops, USB drives, mobile devices, and external devices, and secur- ing data such as confi dential fi les, server logs (e.g., logins, accounting trails), and cloud storage. Securing data may require preservation of metadata with assistance from appropriate experts. To the extent proto- cols are not already in place to complete this collection and preservation process, consider implementing them to ensure that it is done swiftly. Timeliness may be crucial.

Collect Devices

Employers should lay out clear policies establishing employer owner- ship and requiring return of both physical devices and digital assets at the time an employee resigns, is terminated, or is placed on administra- tive leave. These policies should be explained in a written agreement or employee handbook and affi rmed by employees before they are given any devices or granted access to confi dential information. Consequences for failing to return devices, including the possibility of litigation and shifting of attorney’s fees, should be considered for inclusion in the handbook or agreement as well.

Implementing a “Bring Your Own Device” (BYOD) policy can cut costs and provide greater fl exibility, but it also can create greater risks to employers. Once information is stored on a private device, recovery of the stolen information can be diffi cult. Gaining access to such devices also may prove diffi cult in light of privacy laws.

An order issued in Move Inc. v. Zillow Inc., a case in which Move (which operates Realtor.com) sued Seattle-based competitor Zillow and two of Move’s former executives, illustrates the importance of swift

What Do You Do?

Vol. 43, No. 2, Autumn 2017 38 Employee Relations Law Journal

collection and the risks associated with placement of company informa- tion on personal devices.2

The Move court issued detailed fi ndings of fact after a six-day eviden- tiary hearing on issues of evidence destruction. In March 2014, one of the two executives abruptly resigned and immediately joined Zillow, a direct competitor in the online real estate listings industry.3 The second executive, who had reported to the fi rst executive at Move, followed him to Zillow a few weeks later.4 The court found that, at the time they resigned, both employees still had computers and other devices belong- ing to Move, as well as other devices containing Move documents.5 When the former Move executives were required to hand over all of their work-related devices during the litigation, they claimed they had lost, misplaced, damaged, or reformatted many of those fl ash drives and company computers.6

The fi rst executive took steps, some of which the court described as “peculiar,” to copy documents from the Move computers, delete infor- mation from one of them, and re-set other Move-issued devices, assert- ing that he did so because the devices supposedly contained personal information.7 The second executive had launched “cleanup” programs on two computers, allegedly to wipe evidence of his visits to adult web sites.8 He had also “smashed” a hard drive containing Move documents into a wall in a claimed “pique of anger,” and “did not know exactly what happened” to a USB drive that had contained “Move-related” emails.9 As a result of these actions, possible evidence of trade secret misappropriation may have been deleted or lost.10

Preserve Data

Employers should consider preserving all data on the collected devices, including the metadata detailing when confi dential information may have been accessed, transferred, copied, or deleted. This infor- mation potentially can play an important role in establishing whether trade secrets were misappropriated. Although a company’s internal IT department may be suffi cient for this task, the company also may want to consider hiring a forensics expert, particularly if there are suspicions that a departing employee is taking company secrets. Some IT depart- ments may not be equipped with the tools or training to deal with chain of custody issues or forensic analysis. Chain of custody issues may pose problems if the case ultimately ends up in litigation, because even a concern about potential tainting of evidence can be enough to prevent it from being admitted into court. A third-party expert also may be better positioned to provide testimony in court about the results of the investigation. In short, forensics analysts who can preserve and analyze mountains of data quickly may ultimately prove less costly than risking a loss of evidence in the event trade secrets actually have been misappropriated.

What Do You Do?

Employee Relations Law Journal 39 Vol. 43, No. 2, Autumn 2017

Investigate and Continue to Monitor the Employee’s Access to Information

In most circumstances, an employer should conduct a scan of the employee’s returned devices, emails, and other locations the employee may have accessed immediately. An employer can search for evidence of suspicious activity, such as:

• deleted fi les, transfers, or downloads of multiple fi les, or cop- ies of fi les;

• signs of connections to external devices;

• evidence of downloads of signifi cant amounts of data;

• evidence of spyware; or

• signs of information being sent externally through email.

A case fi led by Monsanto underscores the benefi ts of immedi- ate analysis and continued monitoring. According to the complaint, an employee who wrote code and algorithms for the company (and therefore had access to confi dential trade secrets and other proprietary information) resigned to move to Taiwan purportedly to care for his sick father.11 The day he provided two weeks’ notice, the employee turned in two company computers, which was allegedly “inconsistent with Company practice.”12

Monsanto alleged that its IT department’s standard review uncovered the presence of “highly sophisticated and unauthorized software” on the computers, which “could be used to perform reconnaissance, exfi ltrate data, and conceal” on the devices.13 In an initial interview, the employee denied knowledge of any spyware.14 During the course of monitoring over the following two weeks, however, it was apparently discovered that 52 fi les were removed through the employee’s unique credentials, even though no download of data should have been possible.15 During a routine exit inter- view, the departing employee was questioned about the 52 fi les that had been removed. The employee allegedly stated that it was likely the work of a hacker, but also admitted that (i) he had received an employment offer from a company in the agricultural sector in China, (ii) he had been in con- tact with a Chinese national who had recently pleaded guilty to conspiracy to commit theft of trade secrets in another case, and (iii) the 52 fi les that had been transferred contained trade secret information.16

Conduct Exit Interview(s)

The Monsanto case discussed above also highlights the value of exit interviews. Employers should consider requiring exit interviews

What Do You Do?

Vol. 43, No. 2, Autumn 2017 40 Employee Relations Law Journal

by written agreement for all employees who have had access to trade secrets. During the exit interview, employers may wish to:

• Present the departing employee with a copy of any restrictive covenants signed by the employee.

• Provide the employee with a copy of any agreements contain- ing post-employment confi dentiality obligations.

• Make arrangements for return of remaining company devices and data in possession of the employee.

• Investigate any potential trade secrets or access that the employee may still possess.

• Inquire about the employee’s plans, including actual and potential employment opportunities.

CONSIDER WHETHER YOU CAN STOP THE EMPLOYEE FROM WORKING FOR A COMPETITOR

What if—in spite of your best efforts to terminate access, collect devices, investigate, and interview—it appears that an employee has departed to a competitor and is going to use your company’s trade secrets for the benefi t of your competitor? There are at least two things you should consider right away.

One thing to consider is whether the departing employee has signed any noncompete agreements with your company and, if so, whether they can be enforced. A second is whether the so-called “inevitable dis- closure” doctrine is applicable to your situation and whether your juris- diction recognizes the doctrine as a means of preventing the departing employee from taking on the new job.

Noncompete Agreements

Noncompete agreements can be extremely helpful in protecting confi dential information, but states differ in their willingness to enforce them. What follows is a brief overview of some considerations related to noncompete agreements. However, because states treat these agree- ments differently, you should be aware of the laws applicable to the jurisdictions in which your company operates, and seek the advice of legal counsel as appropriate.

Reasonableness

Generally, noncompete agreements prevent an employee from work- ing for a direct competitor for a specifi ed period of time after leaving a

What Do You Do?

Employee Relations Law Journal 41 Vol. 43, No. 2, Autumn 2017

company. Most states recognize and enforce noncompete agreements as long as they are reasonable.17 Accordingly, employers should be careful to ensure that their noncompete agreements do not exceed the scope of “reasonableness” permitted by the jurisdictions in which they operate. For example, in AssuredPartners, Inc. v. Schmitt, an Illinois appellate court held that a noncompete agreement preventing a former employee from working as a professional liability insurance broker nationwide for 28 months, when the employee’s employment lasted only 20 months, was unreasonable.18 The court held that the agreement was unreason- able because it was both broader than necessary to protect the employ- er’s legitimate business interests, and it imposed an undue hardship on the employee by forcing him to work in another country if he wished to continue earning a living in the same profession.

Most states will not automatically invalidate an agreement that contains unreasonable provisions; instead, the court may apply equitable reforma- tion or “blue-penciling” to make the agreement reasonable. Equitable refor- mation involves changing “unreasonable” terms to satisfy a state’s standards for reasonability, while blue-penciling entails striking them. However, even states that allow reformation or blue-penciling do not require it. As a result, a court simply may choose to void an agreement rather than re-write it or strike only those provisions deemed unreasonable.19

Consideration

Like any contract, an employer must provide an employee some ben- efi t or consideration in exchange for signing a noncompete agreement. Depending upon the jurisdiction, either offering a job or continued employment may be suffi cient consideration for signing a noncompete, but several states require more.20 Further, in some jurisdictions, a com- pany may be subject to tort liability if it terminates an employee based on a refusal to sign a noncompete agreement.21

Forum Selection Clauses

If a departing employee joins a competitor in a state that does not enforce noncompete agreements, this may lead to a race to the court- house. Some states permit the use of forum selection clauses to prevent the race to the courthouse, but, again, the enforceability of forum selec- tion clauses varies by state and circumstances.22

The Inevitable Disclosure Doctrine

Under some circumstances, an employer may be able to obtain an injunction or some other form of court-ordered remedy if it can show

What Do You Do?

Vol. 43, No. 2, Autumn 2017 42 Employee Relations Law Journal

that a former employee would be unable to perform his or her duties for a competitor without inevitably using or disclosing a company’s trade secrets.

In PepsiCo, Inc. v. Redmond, the U.S. Court of Appeals for the Seventh Circuit held that a plaintiff may prove a claim of trade secret misap- propriation by showing that a former employee’s new job inevitably will lead him or her to rely on the plaintiff’s trade secrets.23 In reaching its conclusion that the doctrine applied to the facts of that case, the court emphasized that the former PepsiCo executive possessed intimate knowledge of PepsiCo’s strategic goals, which were trade secrets, and his new position at Quaker Oats may cause him to be faced with deci- sions that could be infl uenced by that information. As the court put it, “PepsiCo fi nds itself in the position of a coach, one of whose players has left, playbook in hand, to join the opposing team before the big game.”24 The court also held that the district court had not abused its discretion in fi nding that the former executive had demonstrated a lack of can- dor while pursuing and accepting the new employment, and that this indicated he “could not be trusted to act with the necessary sensitivity and good faith” not to use PepsiCo’s trade secrets in his new employ- ment.25 The court affi rmed the district court’s injunction preventing the employee from assuming duties at Quaker Oats for fi ve months.

Several states, however, do not apply the inevitable disclosure doc- trine on the ground that doing so may curtail an employee’s employment opportunities. For example, in Gillette Co. v. Provost, a Massachusetts court refused to enter an injunction barring Gillette’s former in-house counsel from providing legal advice to a competitor, ShaveLogic, regard- ing Gillette’s patents. Although Gillette argued that the former employee inevitably would disclose trade secrets related to Gillette’s patents, the court followed its state’s policy of rejecting the doctrine “since it has the potential for severely curtailing one’s employment opportunities.”26 The court also held that an injunction was not warranted under the cir- cumstances of the case, because the employee had left Gillette 10 years prior, his noncompete agreement had expired “years ago,” and much of the information related to the patents at issue was “already publicly available.”27

CONCLUSION

In sum, while noncompete agreements and the inevitable disclosure doctrine may be valuable tools in preventing a departing employee from sharing trade secrets with a competitor, their utility varies by jurisdiction. Moreover, even in those jurisdictions that embrace the use of such tools in theory, their applicability will turn on the specifi c facts of the case. Accordingly, a company’s best chance of protecting its trade secrets may be through immediate termination of the departing employee’s access to confi dential data, collection of devices and data used by the employee,

What Do You Do?

Employee Relations Law Journal 43 Vol. 43, No. 2, Autumn 2017

preservation and analysis of that data, and continued monitoring for unauthorized access.

NOTES

1. Symantec Study Shows Employees Steal Corporate Data and Don’t Believe It’s Wrong, Symantec Newsroom, (February 6, 2013), https://www.symantec.com/about/newsroom/ press-releases/2013/symantec_0206_01.

2. Move, Inc. v. Zillow, Inc., Findings of Fact and Conclusions of Law, No. 14-2-07669, at 2 (Wash. Super. May 17, 2016).

3. Id. at 2.

4. Id.

5. Id. at 11-12, 15-22.

6. Id. at 11-23.

7. Id.

8. Id. at 21-22.

9. Id. at 15, 17-18.

10. The Move court stated it would issue an adverse inference instruction against the second executive, allowing the jury to infer that missing evidence would have benefi tted Move’s case, id. at 23-24, and the lawsuit ultimately settled for $130 million on the eve of trial. http:// www.seattletimes.com/business/technology/zillow-settles-suit-by-rival-for-130-million/.

11. Monsanto Co. v. Chen, No. 16-00876, ECF No. at 2, 3 (E.D. Mo. June 16, 2016).

12. Id. at 3.

13. Id.

14. Id. at 4.

15. Id. at 4-5.

16. Id. at 5-6; see also SOAProjects, Inc. v. Swaminathan, No. 16-3982, ECF No. 1, at 4-5 (N.D. Cal. July 14, 2014) (alleging former employee obtained company trade secrets through a deactivated account by using the backup security question to create a new password).

17. A few states refuse to enforce noncompete agreements, albeit with some limited exceptions. California, for example, provides a narrow exception that allows enforce- ment of noncompete agreements where necessary to protect trade secrets. See, e.g., Asset Mktg. Sys., Inc. v. Gagnon, 542 F.3d 748, 758 (9th Cir. 2008); Gatan, Inc., v. Nion Company, No. 15-1862, 2016 WL 1243477, at *3 (N.D. Cal. Mar. 30, 2016).

18. 44 N.E.3d 463, 471-73 (Ill. Ct. App. 2025).

19. See, e.g., Scott, Stackrow & Co. v. Skavina, 9 A.D.3d 805, 807 (N.Y. App. Div. 2004) (affi rming trial court’s decision to decline to partially enforce permissible aspects of the defendant’s employment agreement).

What Do You Do?

Vol. 43, No. 2, Autumn 2017 44 Employee Relations Law Journal

20. Compare, e.g., Camco, Inc. v. Baker, 936 P.2d 829, 832 (Nev. 1997) (“an at-will employ- ee’s continued employment is suffi cient consideration for enforcing a non-competition agreement”) with McKasson v. Johnson, 315 P.3d 1138, 1141 (Wash. Ct. App. 2013) (hold- ing that, where agreement is signed upon hiring, “employment by itself may be suffi cient consideration,” but asking an existing at-will employee to sign a non-compete agreement requires additional consideration beyond continuing employment).

21. See, e.g., D’Sa v. Playhut, Inc., 85 Cal. App. 4th 927 (Cal. Ct. App. 2000) (holding termination of employment for refusal to sign a noncompete agreement could support a claim for wrongful termination).

22. See, e.g., Swenson v. T-Mobile USA, Inc., 415 F. Supp. 2d 1101 (S.D. Cal. 2006) (dismissing case fi led by former employee in California give days after employer had commenced action in Washington to enforce noncompete agreement and alleging trade secret misappropriation).

23. 54 F.3d 1262, 1269 (7th Cir. 1995).

24. Id. at 1270.

25. Id.

26. No. 15-0149, 2015 WL 10382572, at *2 (Mass. Sup. Dec. 23, 2015); see also, e.g., Whyte v. Schlage Lock Co., 101 Cal. App. 4th 1443, 1447 (4th Dist. 2002) (rejecting the inevitable disclosure doctrine as “contrary to California law and policy because it creates and after- the-fact covenant not to compete restricting employee mobility”).

27. Gillette, 2015 WL 10382572, at *2.

Copyright of Employee Relations Law Journal is the property of Aspen Publishers Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.