Almost one year has passed since news broke about Samsung employees sharing highly sensitive trade secrets with ChatGPT while testing software. As one of the world’s largest companies, Samsung has undertaken a wide, and expensive, series of measures to protect against intentional or unintentional disclosure of trade secrets.
But trade secrets are usually taken without permission rather than freely handed over. A couple of recent cases show how AI and similar programming are persistent threats.
West Technology Group LLC et al. v. Sundstrom, U.S. District Court for the District of Connecticut: In a case filed last month, a former employee recorded meetings, which left him in possession of highly confidential sales and strategy information. Then, after his employment ended, the former employee’s AI system (Otter) automatically logged in for future company. The plaintiffs pled that Otter is an “unauthorized” AI program and, therefore, its recording of confidential information was performed without the consent of all participants on such calls. The plaintiffs also complained that because company confidential information was siphoned to Otter, the defendant continues to have access to that information even after termination.
In a previous blog post, we noted that an absolute ban on recording any meeting should be strongly considered (Recording Virtual Meetings – Seidman Law (seidmanlawgroup.com)). Employees should be reminded that using third-party programs like Otter and ChatGPT may seem like an innocent use of helpful productivity tools, but these programs are also potential legal traps for everyone involved. Sharing confidential information with third-party AI software programs that have unknown security parameters and data set usage rules may put company trade secrets at serious risk.
Vox Marketing Group v. Prodigy Promos (D. Utah Aug. 20, 2021): The Court ruled the Defendant should have known access to particular information was limited and, therefore, should not have made efforts to evade its unauthorized user status. The Plaintiff made pricing proposals and packing lists available to its current and potential customers on the internet through a username/password system. Visits to the site or specific proposals required the user to enter its credentials.
At some point the username/password protection system could be evaded, which made the information freely available on the internet when the specific URLs were targeted. The Defendant discovered it could not access any URL or data through the home page without a username/password; however, the Defendant learned it could access individual proposals by generating URLs using the internal coding system the Plaintiff used to maintain information.
The Court ruled the Plaintiff could prove the Defendant violated the Computer Fraud and Abuse Act by alleging that the Defendant (a) engaged in unlawful conduct by learning how to evade the username/password system, (b) knew the information was competitively sensitive and valuable, and (c) knew the Plaintiff intended the entire site to be protected through a security wall of some kind.
Taken together, these two cases show that companies need to be proactive in different ways. In West Technology Group, company policy and subsequent enforcement would eliminate the risk. In Vox Marketing Group, by contrast, simply hiring high school students to try to find random ways to penetrate a computer system would have found the IT security lapse.
David Seidman is the principal and founder of Seidman Law Group, LLC. He serves as outside general counsel for companies, which requires him to consider a diverse range of corporate, dispute resolution and avoidance, contract drafting and negotiation, and other issues. He can be reached at david@seidmanlawgroup.com or 312-399-7390.
This blog post is not legal advice. Please consult an experienced attorney to assist with your legal issues.