The implication of Sarbanes-Oxley on economic espionage prosecutions
In the January issue we discussed two unfortunate results of not having an OPSEC program.
• The first was that you will have to deal with the consequences of being in non-compliance with Sarbanes-Oxley because you did not have the appropriate internal controls. These consequences can be both civil and criminal in nature.
• The second was that in case of a loss you face a shareholder negligent action suit because you knew, or should have known, that with annual losses of $300 billion in the U.S. alone, there was a significant identifiable threat that you should have addressed. PLUS you were non-compliant with Sarbanes-Oxley, which was at least partly designed to force you to protect the shareholders from just this type of loss, or acknowledge that you are not protecting yourself and your shareholders from losses. We have polled several large insurance companies, and are getting indications that these suits will not be covered under directors and officers insurance as they represent deliberate indifference.
There is a third problem that can arise if you end up in an economic espionage lawsuit. In order for a theft of information to be covered under the Economic Espionage Act of 1996, the information stolen needs to be a trade secret. In order to be a trade secret there are two things that have to be in place.
(A) the owner thereof has taken reasonable measures to keep such information secret; and
(B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.
Before Sarbanes-Oxley this was fairly straightforward.
After Sarbanes-Oxley the issue became more complex once the SEC said that “the Sarbanes-Oxley Act of 2002 and the Commission’s rules promulgated under the Act seek to strengthen pre-existing standards for internal controls, thereby potentially improving the ability of companies to track the costs and impact of economic espionage and theft of intellectual property.” What standards exist for this particular set of internal controls? The standard government program is OPSEC. The professional society dealing with this, the OPSEC Professionals Society, is the body granting OPSEC Certified Professional (OCP) certification.
So, now someone has stolen your apparently-not-so-secret information, and you have caught them, and turned the matter over to the Feds. Now you are in court being examined by the defense counsel.
DC: So Mr. Smith, tell me about your company’s OPSEC program.
YOU: Our what?
DC: Let me rephrase this. Sarbanes-Oxley requires you to have internal controls to track the costs and impact of economic espionage and theft. Which means you have to have a program for the identification, valuation, and protection of your critical information. Could you describe these internal controls?
YOU: Well, this is a trade secret, and they stole it!
DC: Your honor, it appears that the plaintiff is not in compliance with Sarbanes-Oxley, and, therefore, through deliberate indifference, has not taken reasonable steps to keep his information secret. The plaintiff has therefore abandoned their trade secret. It appears clear that, since the information was not trade secret, it is not covered by Title 18, Part II, Chapter 90. Since this court thus has no jurisdiction, we move that the case be dismissed with prejudice.
At which point you are back to angry shareholders, and have to explain why your company failed to identify, value, and protect its property, and thus have a loss not covered by any insurance or laws.