~ Preet Bharara, United States Attorney for the Southern District of New York (20th October 2010)
This recent statement by the chief federal prosecutor in Manhattan underscores the increasing importance that US regulators and prosecutors are placing on combating intellectual property theft. Yet while recent prosecutions and convictions in the United States demonstrate a sustained focus in that country on curtailing such criminal activity, laws in Europe continue to lag behind when it comes to protecting businesses and global markets from this ever-growing threat. The recent conviction of one IP thief in particular, Samarth Agrawal, an Indian national working for French bank Société Générale in New York, highlights this problem.
Stealing source code
Société Générale employed Agrawal as a trader within its high frequency trading group. Over a period of several months, unbeknownst to his employer, Agrawal came into the office after hours and copied, printed, and stole hundreds of pages of source code for the bank’s proprietary high frequency trading platform – code used to generate millions of dollars in profits for the bank. Agrawal hoped to use the stolen code to create a similar trading platform at a competing hedge fund. Fortunately, SocGen caught on to Agrawal’s devious plan and reported it to federal prosecutors in New York. On the morning before he started his new job, FBI agents raided Agrawal’s home, recovered the stolen code, and arrested him. Agrawal was detained, a jury found him guilty of stealing the bank’s trade secrets, and the court sentenced him to three years in prison. Two weeks later, in an unrelated case, Sergey Aleynikov, a programmer at Goldman Sachs & Co. in New York, was also convicted of theft of trade secrets by a different Manhattan jury. His crime? Stealing high frequency trading code that belonged to Goldman Sachs.
The evidence against Agrawal at trial was compelling. Video surveillance recorded his off-hours activities and computerized logs documented his crime in painstaking detail. Yet had Agrawal committed his crime against this European bank in Europe, he might very well be a free man today. Indeed, the curious absence in Europe of express criminal prohibitions against the theft of such trade secrets, coupled with a lack of resources and investigative experience in such cases, has created an environment in Europe where economic espionage of this type often goes unpunished even when detected.
Tight US laws on trade secrets
What we can call trade secrets – information which is kept secret through reasonable efforts and which derives economic value by virtue of not being known to the public – are generally protected in the United States by civil and criminal laws. While almost all states provide civil remedies for misappropriation of trade secrets through their adoption and implementation of the Uniform Trade Secrets Act, the federal Economic Espionage Act – or “EEA” – makes it a crime to steal a company’s trade secrets. Even for first time violators, penalties can be harsh – up to 10 years in prison per offence.
In determining the appropriate sentence, US courts take into account a number of key factors. These include the value of the trade secret, the number of victims, the use of sophisticated means to execute the crime, attempts by the wrongdoer to relocate to a jurisdiction to evade legal process, whether the wrongdoer was an insider with fiduciary duties to the property owner, and the potential damage to financial institutions and investors.
In passing the EEA, Congress closed a gap in criminal enforcement for thefts targeting intangible intellectual property, recognizing that such thefts posed an unacceptable risk to the US economy in an era where a company’s most valuable assets are unlikely to be corporeal. This point only becomes clearer every day, as trade secrets and IP continue to be digitized and as cyber-criminals continue to develop increasingly sophisticated and unprecedented ways of stealing these assets.
Moreover, the increased use of cloud computing services by organizations to store their intellectual property – as well as by data thieves to hide data they have stolen – only exacerbates this problem. So too does the explosion of widespread and increasingly accessible technologies that allow data thieves to hide their true location as well as cover their electronic tracks after committing their crimes.
UK law lags behind
In contrast to the American approach, laws in the United Kingdom lag behind. Surprisingly, the UK does not currently have any criminal laws which specifically protect trade secrets or criminalize industrial espionage. While a proposal to create a criminal offence for the misuse of trade secrets was put forward by the English Law Commission in 1997, that proposal was subsequently abandoned. Moreover, existing legislation, including the 2006 Fraud Act, focuses largely on the modus operandi of a theft, not its subject matter.
As a result, it is unclear whether these statutes would reach Agrawal’s or Aleynikov’s malfeasance had their misconduct occurred in London. Even in those European countries that do have laws on the books that could be used to criminalize the theft of trade secrets, companies and other organizations that are victims of these crimes often encounter inexperienced or underfunded cybercrime investigators.
Moreover, crimes of this nature are often committed across borders. Accordingly, the lack of standardized laws to combat this conduct creates additional challenges for European victims, who often face fractured and inconsistent legal regimes and little coordination between national law enforcement agencies.
Privacy laws hamper enforcement
Worse still, privacy laws in Europe – which are far stricter than those in the United States – make it difficult for corporations to monitor and gather evidence against workers who may be involved in malfeasance.
For example, while the use of video surveillance tapes showing Agrawal copying and stealing Société Générale’s code was crucial to his conviction, such evidence may not have been available had he committed the crime in certain parts of Europe where laws significantly limit the use of video surveillance in the workplace. As a result, taken together, enforcement shortfalls in Europe are commonplace.
There are, of course, steps companies can take to reduce the risk that their intellectual property will be stolen. For example, companies can employ more robust pre-employment screening programmes. They can carefully limit (and regularly audit) the number of employees who have access to critical data. Where local law allows, they may also deploy data loss prevention software and log system activity related to employees’ data access and transfer.
Risks lead to uncertainty
Trade associations can play an important role too by implementing industry-wide programs to increase awareness about these risks, sharing best practices on how to protect data, and providing thought leadership on legal reform. Such efforts, however, will ultimately be feckless unless the legal and regulatory gap that currently exists between the two sides of the Atlantic is decisively closed. Until then, owners of valuable digital intellectual property face significant economic consequences and uncertainty.
While traditional brick and mortar corporations are largely bound to a specific location by their workforce and facilities, modern financial and e-commerce companies lack any such restrictions. Even a very large hedge fund or e-commerce company often only requires a small number of talented employees and an execution platform. Such companies can also be located almost anywhere in the world. If such highly mobile companies believe that their intellectual property is inadequately protected in a particular jurisdiction they can easily – and likely will – relocate to jurisdictions whose legal systems offer more protections. Investors in and customers of such companies may also be hesitant to place their trust in firms that cannot robustly guard their assets.
The United States, with the EEA on the books and significant experience prosecuting such cases, stands to benefit the most by putting companies and the public worldwide on notice that federal authorities in the US vigorously protect the interests of institutions within its borders. Indeed, as US investors and markets continue to be increasingly harmed by a lack of robust laws and efforts in Europe to combat economic espionage, there is the risk that US prosecutors and/or regulators will choose to exercise their laws to exert jurisdiction over these crimes in an effort to fill the vacuum.
As US Attorney Bharara made clear in announcing the conviction, “Agrawal was a thief who hoped to make a small fortune by stealing and copying sophisticated computer code that was the equivalent of gold bullion to his former employers. [This] verdict sends a clear message that this Office and the FBI will investigate and prosecute the theft of valuable trade secrets for the serious crime that it is.”
It is a message that is being heard loud and clear by European companies and it is a message that should not be lost on European lawmakers and regulators.
Joseph V. DeMarco is a partner at DeVore & DeMarco LLP where he specializes in counselling clients on complex issues involving information privacy and security. From 1997 to 2007, Mr. DeMarco was an Assistant US Attorney where he founded and headed the Computer Hacking and Intellectual Property (CHIPs) Programme. Since 2002, Mr. DeMarco has been an Adjunct Professor at Columbia Law School.