Other Statutes

• Jurisdiction: Maryland

VI. OTHER STATUTES

The character of trade secret litigation continues to evolve with developments in high tech industries and the incorporation of modern computing in daily commerce. Businesses are able to operate more efficiently through immediate and global access to broad sources of information. Unfortunately, that same technology may also afford easy access to trade secrets by the experienced computer hacker, or facilitate theft of valuable information by an opportunistic employee. The following statutes have been enacted to address the changing nature of trade secrets in the computer age and should be considered by the practitioner seeking to bring a trade secret action to determine whether they apply.

A. Uniform Computer Information Transactions Act

The Uniform Computer Information Transactions Act (UCITA) is a proposed state contract law that was designed by the National Conference of Commissioners on Uniform State Laws to create a clear and uniform set of rules to govern software licensing, online access, and other transactions in computer information.¹⁷⁸ A primary goal of UCITA is to address gaps in the Uniform Commercial Code's coverage and provide default rules relating to commercial software transactions in areas such as warranties and terms of use.¹⁷⁹

In 2000, Maryland became the first state to adopt UCITA. The Maryland Uniform Computer Information Transactions Act (MUCITA) became effective on october 1, 2000.¹⁸⁰ MUCITA does not specifically define "trade secret" but instead defines the scope of "informational rights" to "include all rights in information created under laws governing patents, copyrights, mask works, trade secrets, trademarks, publicity rights, or any other law that gives a person, independently of contract, a right to control or preclude another person's use of or access to the information on the basis of the rights holder's interest in the information."¹⁸¹

To bring a claim for trade secret misappropriation under MUCITA, a plaintiff must demonstrate that a breach of contract occurred, as determined by the terms of the agreement at issue.¹⁸² If no agreement exists, the plaintiff must show that a breach occurred because defendant, without legal excuse, either failed to perform contract obligations in a timely manner, repudiated the contract, or exceeded a contractual use term.¹⁸³

The Act also prescribes remedies for breach of contract resulting from disclosure or misuse of a trade secret, and permits award of compensatory damages.¹⁸⁴ As of this writing, there are no reported cases in Maryland that implicate MUCITA in the context of trade secret.

B. Computer Fraud and Abuse Act

The federal Computer Fraud and Abuse Act (CFAA)¹⁸⁵ provides for criminal and civil liability for unauthorized access to a protected computer system. The CFAA contains numerous prohibitions, but in the context of employee theft or misappropriation, plaintiffs rely upon the provision that prohibits obtaining something of value from a computer by exceeding one's authorized access or without authorization.¹⁸⁶

The CFAA does not regulate an employer's ability to monitor electronic communications, but may provide a former employer with criminal and civil remedies when it is harmed by a former employee's misappropriation of proprietary information or sabotage via the use of computers. The statute may in some cases supplement traditional remedies such as theft and trade secret misappropriation, and also serve as a means to bring a misappropriation claim in federal court.

Federal circuits are split on the issue of how broadly the CFAA should be interpreted.¹⁸⁷ The Fourth Circuit has held that the terms "without authorization" and "exceeds authorized access" should be construed narrowly.¹⁸⁸ In WEC Carolina Energy Sols. LLC v. Miller, the Fourth Circuit held that a person accesses a computer "without authorization" when he or she "accesses a computer without permission."¹⁸⁹ And a person "exceeds authorized access" when he or she "has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access."¹⁹⁰ In a recent decision from the Eastern District of virginia, the court found a CFAA violation had been stated where the defendant's employee allegedly accessed files "beyond the files the employee was authorized to view."¹⁹¹

In its en banc decision in United States v. Nosal, the Ninth Circuit refused to extend the CFAA to include employee data theft.¹⁹² In Nosal, the court declined to follow the Fifth, Seventh, and Eleventh Circuits, which have broadly interpreted the CFAA to include violations of corporate computer use restrictions or violations of a duty of loyalty.¹⁹³ The government claimed that a former employee of an executive recruiting firm violated the Act when he induced its present employees to access proprietary information stored on the firm's computer database and transfer the information to him in violation of the company's privacy policy.¹⁹⁴ The court's rationale for rejecting expansion of the CFAA's reach to an employee who "exceeds authorized access" was based on its concerns for statutory overreach because it would punish more than computer hacking, and might improperly impose criminal liability on employees engaged in social networking or online shopping.

In International Association of Machinists v. Werner-Masuda, the United States District Court for the District of Maryland declined to hold the secretary-treasurer of an international labor union liable under the CFAA.¹⁹⁵ During her employment by the union, she had signed a registration agreement forbidding her from using the union's secure, proprietary database for a purpose contrary to the union's constitution. Nevertheless, she accessed and copied names and addresses of union members from the union's confidential database for use by a rival union that sought to challenge plaintiff's representation of over 10,000 member flight attendants. The court opined that in spite of any breach of her agreement, it did not follow that, as a matter of law, she was not authorized to access the proprietary information for purposes of the CFAA. The court noted that the language of the CFAA does not "proscribe authorized access for unauthorized or illegitimate purposes."¹⁹⁶

In Océ North America, Inc. v. MCS Services, Inc., the Maryland district court again analyzed a CFAA claim in the context of trade secret misappropriation and held that a former employee who allegedly stole proprietary information from plaintiff's computer system did not violate the CFAA because he had been authorized to access and use the data prior to termination of employment.¹⁹⁷ The plaintiff, a manufacturer of production printing systems, brought numerous claims, including violation of the CFAA, against a former employee and the industry competitor for whom the employer went to work after terminating employment with the plaintiff.¹⁹⁸ The parties competed in the field of high speed printer servicing, and the plaintiff alleged that prior to going to work for his new employer, the former employee stole "diagnostic software, a parts manual, and maintenance manual" while still employed by the plaintiff, and distributed the information to the competitor's engineers.¹⁹⁹ The information was subject to a confidentiality agreement. The court dismissed the plaintiff's CFAA claim on the grounds that the plaintiff failed to properly plead the Act's $5,000 loss requirement, and failed to sufficiently allege that the former employee's access to the laptops and printers was unauthorized for purposes of the CFAA.²⁰⁰ It further stated that "the fact that [the employee] copied the software on to his own laptop may have been a violation of his employment agreement, but that does not constitute a violation of the CFAA."²⁰¹

C. Economic Espionage Act

In 1996, Congress enacted the Economic Espionage Act (EEA), a criminal statute, to address gaps in federal law as well as economic espionage initiated by foreign governments that have occurred due to the nature of a global economy driven by international access to the Internet, including a steady increase in intellectual property theft and cybercrime.²⁰² Monetary losses to U.S. companies as a result of theft of proprietary information are significant but difficult to calculate, and academic estimates range as high as $400 billion annually.²⁰³ There have been numerous successful prosecutions under this statute, though none reported in the District of Maryland to date.²⁰⁴

Before enactment of the EEA, patents were the primary forms of intellectual property protected by federal law²⁰⁵ and, with respect to trade secrets, the Department of Justice was forced to rely on the National Stolen Property Act and the wire and mail fraud statutes in criminal prosecutions, which proved inadequate and ineffective to combat the wiles of modern cyber criminals and threats to intangible assets.²⁰⁶ The EEA defines "trade secret" to mean:

all forms and types of financial, business, scientific, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if—

(A) the owner has taken reasonable measures to keep such information secret; and

(B) the information derives economic value from not being generally known, and not readily ascertainable through proper means.²⁰⁷

The EEA contains two sections that operate to prohibit the misappropriation of trade secrets. Section 1831 applies to any actor engaged in "foreign economic espionage" and requires that such theft "benefit a foreign government, instrumentality, or foreign agent."²⁰⁸ Section 1832 applies to any individual "with intent to convert a trade secret, that is related to or...