Out of thin air: trade secrets, cybersecurity and the wrongful acquisition tort

Abstract

The discourse surrounding cybersecurity typically involves stories of some form of computer hacking or other nefarious means by which one person or entity gains information from another. While the nature of the information that is obtained is often of value to the victims of the cyber-intrusion or their clients (usually because it is confidential business or personal information), it may also be of little value, particularly in the long-term. Thus, if we want to deter cyber-intrusions, it makes little sense to focus on the nature of the information if the “wrong” is the intrusion itself. Seeds of the distinction can be seen in U.S. law when one compares the elements of a claim under the Computer Fraud and Abuse Act (CFAA) and the recently enacted Defend Trade Secrets Act of 2016 (DTSA), with the CFAA focusing on the act of intrusion and the DTSA focusing on the nature of the information taken. But embedded within the DTSA and the state law upon which it is based, the Uniform Trade Secrets Act (UTSA), lies a similar distinction that has not been fully explored in the literature; namely, the distinction between the trade secret wrongs of “disclosure or use in breach of a duty of confidence” and “acquisition by improper means.” This paper explores the development of what is henceforth labeled “the wrongful acquisition tort” for purposes of determining both whether it exists with respect to information and, if so, its origins and elements. A goal of the paper is to determine whether it makes sense to conceive of a wrongful acquisition tort as part of the law of trade secrecy (or breach of confidence) or whether it should stand alone so that the nature of the information acquired is less important than the act of wrongful acquisition itself. One ramification of the distinction may be in how we conceive of the harm that is caused by the wrongful acquisition, particularly in cases where the acquired information is not otherwise protected by law or is not subsequently disclosed or used. Another is that recognition of a separate tort of wrongful acquisition might allow us to better distinguish between employee and non-employee trade secret misappropriation claims with their differing public policy implications and defenses. Relatedly, understanding the origins and elements of the wrongful acquisition tort may help to define when and how employers should be allowed to contractually define what constitutes improper access (and therefore, wrongful acquisition) of information by employees. This paper proceeds in three parts. First, based upon historical research, it examines how the “acquisition by improper means” prong of U.S. trade secret law developed and how it became disconnected from the requirement of a subsequent disclosure or use of the trade secrets. This analysis begins in Section II with an overview of the laws of the United States that protect information. In Section III, the history of the “acquisition by improper means” prong of trade secret misappropriation is discussed, showing that it is undertheorized, particularly when the alleged wrongful acquisition is not connected to a duty of confidence or a subsequent disclosure or use of trade secrets. Third, in Section IV, the pros and cons of recognizing a separate wrongful acquisition tort are discussed, including observations concerning the inability of trade secret law to address all incidents of cyber-hacking and how a stand-alone wrongful acquisition tort might be designed.