confidentiality Archives - IPOsgoode

Shhh… Tiffany knows your (trade) secrets!

Tue, 19 Apr 2022

Jasmine Yu is an IPilogue Writer and a 1L JD Candidate at the University of Toronto Faculty of Law.

All that glitters is not gold, but trade secrets in the sparkling world of luxury jewellery might just be worth the gold and diamonds they sell. On February 28, French luxury jeweller Cartier its competitor, Tiffany & Co. (“Tiffany”), for stealing trade secrets related to its from a former Cartier employee, Megan Marino.

Cartier’s Claims

Tiffany’s high jewelry unit was in the midst of a restructuring following several resignations. Cartier claims that their competitor’s management used “quick money and title advancement” to lure Marino away in December 2021. Further, Cartier also asserts that immediately upon hiring her, Tiffany’s President for the Americas met with Marino for the express purpose of obtaining information about Cartier. This act disregarded Marino’s confidentiality and non-solicitation contractual obligations to Cartier.

Marino, a named co-defendant, started working at Cartier in August 2013, and most recently served as Assistant Manager for Merchandising, Jewelry. Cartier claims that upon her hiring at Tiffany in December 2021, Marino forwarded files containing “sensitive and valuable information” related to Cartier’s high jewelry business to her personal email. These files could purportedly “allow a sophisticated competitor to replicate key strategies” and to “reverse engineer how Cartier allocates, merchandises, and prices its High Jewelry stock.” Cartier claims that this was a breach of her employment agreement, as she was to return “any and all documents” containing “Confidential Information and Trade Secrets” that she obtained in connection with her employment.

The Lawsuit

In the wake of Cartier’s repeated written notices, Tiffany fired Marino for “failing to disclose her misconduct” in February 2022. The corporation did not take any action against upper-level management, who, according to Cartier, “repeatedly and knowingly solicited and received trade secrets” from Marino and tacitly approved of Marino’s breaches of her legal obligations to Cartier.

Because Tiffany continues to use Cartier’s confidential information, for example in its internal business presentations, Cartier brings this suit. Cartier is seeking injunctive relief and damages for Tiffany’s “deliberate scheming to misappropriate and convert Cartier’s highly confidential business information to unfairly compete with Cartier.”

The Trade Secret Claim

To succeed in its trade secret claim, Cartier will need to :

  • The information is, in fact, secret: it is not generally known or readily ascertainable to competitors, and it confers a competitive advantage on Cartier,
  • Cartier has undertaken reasonable efforts to maintain its secrecy, and
  • Tiffany & Co. “misappropriated” the information.

Cartier gains a strong position in this case from the evidence of emails and text messages between Tiffany’s management and Marino, as well as their outreach to current Cartier employees for information. Nevertheless, Tiffany may have some strong arguments as well. For instance, to the third requirement, Tiffany may argue that Cartier did not make reasonable efforts to maintain its secrecy. What is “reasonable” is typically a cost-benefit analysis. Marino, a lower-level employee who was not directly involved in Cartier High Jewelry, could access allegedly valuable, sensitive, and restricted information.

If they acquired the trade secret by improper means or a breach of confidence, Tiffany can be considered to have committed “misappropriation”. Tiffany may be in an even stronger position if they can establish that they somehow obtained the trade secrets lawfully — through means such as independent discovery or reverse engineering.

We should look forward to seeing the Court’s take on what constitutes “reasonable efforts” to maintain the secrecy of electronic documents in the age of Zoom.

COVID-19 & Cybersecurity Risks

Wed, 18 Nov 2020

On November 2nd and 3rd, I was given the opportunity to attend the Canadian Technology Law Association (CAN-TECH) . , I learned more about the legal aspects of technological COVID-19 responses, proposed frameworks for digital identity, financing and start-ups in the current environment, working from home and its impact on diversity, and the latest legal developments related to privacy, cybersecurity, video games, and artificial intelligence. I particularly enjoyed the plenary session on “Cybersecurity: Shielding Your Clients from Expanding Threats” because of my interests in cybersecurity and privacy law.

In the cybersecurity plenary session, the experts discussed the recent cybersecurity threats in the midst of the COVID-19 pandemic. The global COVID-19 pandemic has been said to add “ to the threat environment leading to a drastic increase in the volume of cyberattacks and breaches during the past 12 months in Canada. In Canada, of businesses experienced a cybersecurity breach that negatively impacted their operations. For instance, refer to hackers infecting a computer or network with viruses that encrypt and hold the data “hostage” until a ransom is paid. Ransomware attacks cost Canadian companies around when downtime costs are factored in.

Moreover, hacking groups, like and , are increasingly conducting attacks where hackers exfiltrate and download sensitive data before launching a ransomware attack. The attackers can maximize their chance of getting the companies to pay the ransom by . Most of these cyber attackers demand the ransom in , making it very difficult for law enforcement agencies to track and investigate the crimes.

The attackers choose different sized businesses and organizations for various reasons. For instance, health care providers, law firms, government organizations and large companies are often targeted by (APT) attacks, which require the attackers to carefully research and choose their victims over a long period. Executing an APT attack usually than other attacks and is typically done by experienced and financially-backed cybercriminals. Cybercriminals might choose to attack to demand greater ransom payments.

Cybercriminals also choose small and medium-sized organizations and businesses because they are seen as soft targets who do not have . Moreover, small and medium-sized companies often outsource their IT needs to third parties, creating another cyber risk level for small-sized companies to mitigate. Consequently, small and medium-sized companies must get which will allow them to access resources that may otherwise not be accessible to them. Cyber insurance may also provide coverage and protection for liability regarding .

Though having cyber insurance is extremely important, cybersecurity risk mitigation and management practices are critical to minimize breaches' harm. It has been said that of successful breaches are initiated through phishing emails, malicious attachments, unpatched systems or “vulnerabilities,” or lack of two-factor authentication systems. To mitigate an attack, best cybersecurity practices, such as having a detection plan, threat intelligence, disaster recovery, training, fire drills and having sufficient back-ups, must be in place prior to the attack. Adopting and applying the best cybersecurity practices is incredibly important during the pandemic for those who in an environment that might not have the same formal cybersecurity protections and processes in place. This is true, especially for who have to meet their professional responsibilities such as the obligation of confidentiality, privilege, and the duty of technological competence. It is very important to know and meet these professional and ethical responsibilities even as a law student. Hence, I am very happy that I was given the opportunity to attend this conference, as it taught me a tremendous amount about the most recent and significant developments in Canadian and international technology law.

Written by Elif Babaoglu. Elif is a contributing IPilogue editor and an avid privacy and tech-law enthusiast with a particular focus on artificial intelligence.

Is Zoom Doomed?

Tue, 09 Jun 2020

Until recently, the only people who utilized the video conferencing app Zoom were people who worked in the . However, with the rise of work-at-home arrangements during the COVID-19 pandemic, first-time installations of Zoom's mobile app have skyrocketed since March 2, 2020. In the hopes of going remote efficiently and arranging virtual meetings, many companies have chosen the Zoom app over other platforms. However, concerns began coming to the surface. Privacy experts have even called Zoom "."

The platform's are concerning since Zoom shares the personal data of the users with third parties for business purposes, whatever that may be. indicated that instant messages or videos could be used to target advertising campaigns or develop a facial recognition algorithm. This may be especially threatening for individuals who use Zoom to communicate extremely , such as that shared between corporate management or in therapy sessions. also discouraged the use of Zoom in cases where strong confidentiality is required, including "governments worried about espionage; businesses concerned about cybercrime and industrial espionage; healthcare providers handling sensitive patient information; and activists, lawyers and journalists working on sensitive topics". The also had a feature that exposed individuals' personal information to others, and it lacked appropriate end-to-end encryption on its data, meaning Zoom itself has access to the data that flows between users. Due to these serious concerns, multiple organizations such as , and the , have banned their employees from using Zoom.

Moreover, Zoom has been hit by several lawsuits, which damaged the company's reputation. Subsequently, consumers and investors started losing trust, which resulted in the company's since the end of March. Zoom is facing a lawsuit by an investor who claimed that the company had regulations by failing to disclose known problems with its software encryption and privacy, leading to damaged share value. Zoom faces an additional class action court filing in the US after it was found that were able to snoop on video calls under certain circumstances.

Due to all the ongoing and upcoming litigation and public outcry, the CEO of Zoom, Eric Yuan, has publicly addressed Zoom's privacy and security issues. has stated, "you know, lesson learned" and promised to double down on privacy and security. Not only did Zoom institute a 90-day plan aimed at improving the areas of concern that were brought forward, but the company also established a where Facebook's former chief security officer Alex Stamos was hired to be a central consultant. The company has also improved its previously outdated standard to AES 256-bit TLS to provide better cybersecurity protection to its users. However, whether these privacy and cybersecurity improvements would be sufficient to comply with the privacy legislation, such as the (PIPEDA) or the (GDPR) is another story.

An expert has stated that Zoom privacy policies would get a C- for its standards according to the European GDPR standards. Moreover, the Canadian requires meaningful consent to collect user disclosed information according to the identified purposes; and must be appropriately safeguarded. Zoom may not sufficiently meet these standards, as the users are required to passively accept the collection of their personal data if they are required to use the program for an interview, for example. The terms for identified purposes for data collection are vague in Zoom’s privacy policies. The drastic effect of the privacy concerns demonstrates the importance of cybersecurity measures, not only for commercial success, but also for legal compliance and the public's trust in the company.

Written by Elif Babaoglu, who is a contributing IPilogue Editor and the Co-Director of Events of the Osgoode Privacy Law Society.

Volkswagen v Garcia et. al.: Volkswagen Halts Disclosure of Secret Security Algorithm

Tue, 24 Sep 2013

Last June, Justice Birss of the High Court of England and Wales (Chancery Division) and granted an interim injunction against Flavio Garcia, Computer Science Lecturer at the University of Birmingham, thus prohibiting him from publishing an academic paper that sought to expose weaknesses in Volkswagen automobile security systems.

The paper disclosed the algorithm used to activate the security system, the Megamos Crypto chip, which Volkswagen uses for its vehicles. According to the facts, a group of academics - the parties to this lawsuit - were able to crack the security system and discover its flaws. However, the problem arose when these academics proposed to publish a paper at a conference, a paper which would reveal the algorithm to the public. Due to the confidential nature of the information at stake, the defendants first notified Volkswagen, the proprietor of this information, prior to the paper's publication. Nonetheless, they did not inform Volkswagen until shortly before the date of the conference. Volkswagen contacted Garcia and his associates, requesting that they redact the vehicles’ security codes. The scientists refused to honour the request, arguing that the public has a right to see the weaknesses exposed. Volkswagen subsequently sought an injunction against the researchers on the grounds that revealing the codes used to activate the ignition systems would facilitate criminal activity.

Flavio Garcia and his associates purchased and used software called Tango Programmer, produced by a Bulgarian company called Scorpio. A central question in the case was whether the software used was legitimate. Justice Birss concluded that the software was legitimate and the fact that it originated from Bulgaria had no significance in this respect. He further dismissed the claimant’s inference that the software's presentation in “broken English” proved its illegitimacy.

The defendants contended that Volkswagen had no right to sue. According to the facts, the principal developer of the Megamos Crypto algorithm is the company Thales. Although Thales was not a party to the lawsuit, Justice Birss found that it is a "proper and necessary" party to the dispute and added it to the action. He went on to state that in following the decision of the court in , the confidentiality in the Megamos Crypto algorithm most likely belongs to Thales, as the algorithm's creator. Nevertheless, the court also found that Volkswagen had a legitimate interest in being a co-claimant.

The defendants also contended that Volkswagen had no claim to sue for misuse of confidential information. In making its ruling regarding reverse engineering, the court referred to . In that case, the court had ruled that it was not a misuse of confidential information to reverse engineer a product bought to acquire information encrypted for security. Judge Birss held that, in this case, there would be a breach of confidence because the legitimacy of Tango Programmer was successfully called into question by the claimants.

The defendants further contended that there was a strong public interest in the publication of the paper and that they had acted in accordance with responsible disclosure principles. Justice Birss considered , , and the Cream Holdings judgment. According to the court, the standard for not allowing publication is a flexible one, and the court should be "exceedingly slow" to make interim orders if it is not satisfied that the claimant is likely to succeed at trial. For the court, there seemed to be a reasonable belief that either Thales or Volkswagen would most likely succeed at trial. This finding satisfied the first requirement.

As for the strong public interest argument, Justice Birss stated that freedom of expression and academic freedom are of major importance. However, in balancing freedom of expression with public safety, the court decided in favor of the latter. He stated, "I recognise the high value of academic free speech, but there is another high value, the security of millions of Volkswagen cars."

The judge granted the injunction sought by Volkswagen and ordered "redaction" of the paper the defendants had written.

The present case is an illustration of the evolution of the society vis-à-vis the conservatism of the way law is applied. The court’s ruling, in my view, entails a significant future danger in that it places an obstacle for academics in the UK and abroad when it comes to conducting research and publishing about flaws in security systems. Judges around the world will eventually have to deal with cases like this one and may have to re-strike a balance between freedom of expression and confidentiality, potentially leading to a more responsive public or greater potential harm caused by disclosing secret security information of this nature.

Georgios Andriotis is an IPilogue Editor and a law student at Université de Montréal.
