Douglas Panzer
January 29, 2015

Trade Secrets: It’s All About the Bacon…’Bout the Bacon

Posted By Douglas Panzer @ 3:49 pm
Filed under: Litigation,Patents,Risk Management,Trade Secrets

The court set the stage on the technology:

Unitherm developed what it called the “Unitherm Process” for preparing pre-cooked sliced bacon. This process involved the use of a spiral ovens [sic] and super-heated steam. According to Unitherm, before it developed this process, there was no acceptable process for pre-cooking sliced bacon because all attempts had resulted in bacon that did not resemble a pan-fried product.

The relationship between the parties appears to have been a bit of a soap opera from the start. Unitherm, which claimed that its process was a trade secret, met with Hormel in June 2007, to discuss a potential business deal between the two companies regarding the process. No signed NDA was provided in court as evidence, but Hormel did not dispute the claim that one was signed around July 20, 2007. Of course, Unitherm also claimed that Hormel disclosed some Unitherm confidential information to a Unitherm competitor (FMC Technologies) at some point between the June meeting and the July 20 NDA. Hormel claimed to have remedied that situation and the parties entered into a joint development agreement in September 2012, despite the early hiccup.

Despite Unitherm’s position that its process was a confidential trade secret, the company filed a patent application on the process in January 2008, which published in due course in July of 2009. In April 2010, Hormel terminated the joint development agreement with Unitherm and less than 5 months later filed its own patent application on the process. After the Hormel patent application published, Unitherm sued Hormel alleging, among other counts, that Hormel misappropriated Unitherm’s trade secrets (under Minnesota law).

On Hormel’s motion to dismiss, the court dealt Unitherm the harsh reality of Trade Secret 101:

“[I]t is axiomatic that a thing patented cannot also remain a secret.”

In order for information to constitute a trade secret, it must be kept secret. As a quid pro quo for patent protection, one must publish a specification detailing the process to be patented. Unitherm published the information it claimed constituted its trade secret. The court, therefore, held that any activity regarding the supposed trade secret information after the July 2009 date of publication could not constitute misappropriation of a trade secret since no trade secret remained. In the court’s words: “The publication of the patent means that Unitherm no longer had a trade secret in the Process, and its misappropriation claim fails.”

While the full details of this particular story contain significant additional complexities, the lesson is pretty simple – trade secrets must be kept strictly confidential or they will be lost, period.

Plaintiff: Unitherm Food Systems, Inc.
Defendants: Hormel Foods Corporation; Hormel Foods Corporate Services, LLC
Decision Date: January 27, 2015
Case Number: Civ. No. 14-4034 (D.Minn.)

Unitherm-v-Hormel-Trade-Secret-14-4034 (Opinion on Motion to Dismiss)

June 4, 2013

Should General Counsel Audit Sales Promises vs. Technical Requirements?

The consulting company’s “sales guys” do a great job of bringing in the client, promising efficiency from a quickly implemented, not-overly-complex integration of out-of-the-box technology. Management is thrilled to win the contract. The tech folks are intrigued by the prospect of curing a big client’s business pains. And then reality hits. The technology architects have to square their real-world solution and the consulting costs of its implementation with the sales team’s promises regarding time, price and disruptive effect (or lack thereof). As both a technology attorney and a former software/web developer I’ve seen it a hundred times and – to turn a phrase – sixty percent of the time it’s a mismatch every time.

This appears to be precisely the situation in the recently settled suit between Lehigh Valley chemical manufacturer Avantor and IBM, in which Avantor’s business was, per their federal district court complaint (PACER login req’d.), crippled by the mismatch between IBM’s sales promises and their allegedly amateurish and unsuitable implementation.

Tech consultancy general counsels need to involve themselves in these situations from the inception to assure sales teams have adequately consulted technology resources prior to the sale and that technology and business leaders have properly understood and prepared to deliver their contractual obligations to the client.

IBM was said to be “surprised” by the suit. While this is likely PR speak, it should also be a red flag. While it is likely inappropriate for in-house counsel to insert its judgment into the process of each sale, GCs need to educate their organizations to measure and accurately quantify/qualify their promises to clients. Whether this involves establishing technology/business/sales team collaboration processes or even direct involvement from legal is a question for the organization. However, general counsel cannot remove itself from the establishment of such procedures. In order to manage litigation risk, consulting companies’ general counsel should establish review, collaboration and/or audit procedures to appropriately match contractual promises to technical capabilities. Anything less leaves litigation risk management to chance.

April 22, 2013

Dear General Counsel, Is Your Customer-Facing Website Storing Plain Text Login Credentials? (Part 1)

Your business relies on its website to provide information and service to customers and to increase the business’s own efficiency. What happens when that efficiency is stymied by a customer’s “senior moment”…the all-too-common forgotten password? If the answer is a reminder email to the customer containing his or her username and password in plain text, you may want to notify your insurance carrier and replenish your litigation counsel retainer.

Now, I’m not saying the practice of emailing usernames and passwords is a slam-dunk path to civil or criminal liability. However, the risks associated with such a practice may be greater than you know and are undoubtedly greater than your business should be willing to subject itself to. Perhaps customers manage their contact information or email subscriptions online. Perhaps you provide true e-commerce and store credit card information. In providing their information, your customers rely on your business to provide reasonable safeguards for the personal information you store about them and your business has a duty – in the truest legal sense of the word – to do so.

E-Mail: Just One Link in Your Non-Secure Communication Chain

Did you know that email is not a secure means of communication? It’s true. Of course, many readers will already know that the vast majority of email messages traverse the Internet as unencrypted messages; binary strings simply transmitted from sender to recipient without any form of obfuscation. Some small comfort may be found in knowing that the email programs used to send and receive these messages require usernames and passwords, but this does not remove the fact that the messages themselves, if intercepted, require no translation or decryption to reveal their full contents. If the message is intercepted, any private information contained therein is visible for all to read. But even the ability of your business to send plain text login credentials signals larger technical shortcomings.

Plain Text Means Something is Plain Wrong in the System Architecture

In order for a customer support system or representative to be able to retrieve a username/password combination and send it to the user, one of two scenarios must be at play: Either a) your tech folks are storing the information in your company’s database as plain text; or b) the login information, though stored encrypted, uses reversible encryption. In either case, your business is not using tech security best practices and arguably you are failing in your duty to safeguard private customer information. Heck, that practice doesn’t even comport with common state privacy laws’ definition of encryption.

Massachusetts statute 201 CMR 17.00 (that state’s data privacy law), for example, defines “Encrypted” as “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.” If your company’s customer-facing system can decrypt stored user credentials, there is at least one software developer who has seen the key or process while coding it. If your company’s email system can then send that decrypted information over standard email, there is likely at least one system administrator who can see those sent emails on your system. We’re up to two people who shouldn’t have access…shall I continue? What if – please don’t be the one reader whose company does this – your CSRs can look up usernames and passwords in order to communicate them to customers? What’s the number now? By the letter of the law (at least Massachusetts’ law…which, by the way, is nearly identical to many others) your process may not even represent encryption at all since the process or key is arguably no longer confidential.

Do a Legal Review and Work With IT to Craft a Policy

In order to minimize the risk of data loss by and resulting negligence claims against the organization, it is incumbent upon counsel to apprise themselves of the practices used by their company with regard to login credential storage, encryption, communication and reset procedures. Find out what your tech people are doing now and work with them to craft a written policy for the future. Then, be sure to follow up at regular intervals to ensure compliance with the policy. Anything less may be less than due care.

Next Time: Is plain text credential storage criminal?

