Is Credit Card Information Stored by a Restaurant a “Trade Secret”?

Credit Card Data BreachA federal district court in Colorado recently ruled that customer credit card information was not a “trade secret” under the federal Defend Trade Secrets Act (DTSA).

This case arose out of a 2017 data breach of Chipotle Mexican Grill, Inc.’s computer system and point of service (POS) terminals which resulted in the theft of customers’ credit card and debit card data. As the result of the breach, several financial institutions had to replace their members’ credit and debit cards and refund fraudulent payments. Consequently, they sued Chipotle for negligence, unfair competition, and a violation of the DTSA, on behalf of themselves and other financial institutions. 

Plaintiffs argued that the credit card information of their members was a “trade secret” under the DTSA because: (1) it was plaintiffs’ financial data; (2) they had taken reasonable measure to keep it secret; and (3) the data had independent economic value, and that Chipotle misappropriated it in violation of the federal statute.

The district court noted that the question of whether the credit card information was a trade secret was a question of first impression as neither plaintiffs not Chipotle cited any authority clearly addressing this issue. However, it concluded that because the credit card information simply created an access mechanism for the members’ accounts, it had no independent value.  In other words, the value of the credit card information derived from the thing that it was intended to protect – a bank account.  See N. Star Media, LLC v. Winogradsky-Sobel, 2011 WL 13220157, at *10-11 (C.D. Cal. May 23, 2011); State Analysis, Inc. v. Am. Fin. Servs. Assoc., 621 F. Supp. 2d 309, 321 (E.D. Va. 2009); see also MicroStrategy Inc. v. Bus. Objects, S.A., 331 F. Supp. 2d 396, 429 (E.D. Va. 2004)(expressing skepticism that a CD key is a trade secret); Tryco, Inc. v. U.S. Med. Source, L.L.C., 80 Va. Cir. 619 (2010) (“Courts have repeatedly held that collections of numbers and/or letters, whose only value is to access other potentially valuable information, do not by themselves have independent economic value.”).

The court reasoned that the payment card data (including cardholder names, credit or debit card numbers, and corresponding CVVs) was similar to passwords and usernames that provided access to something of value, i.e. an individual’s line of credit with a financial institution or money in an account with a financial institution. Absent a connection to either a line of credit or a bank account, payment card data was simply a string of alpha or numeric (or indeed other typographical) symbols, and, thus, had no independent economic value.

Because the court concluded that the credit card information was not a trade secret, it did not address whether a misappropriation occurred during the breach or whether Chipotle could be liable under the DTSA. 

Leiza litigates trade secrets and non-compete agreements disputes in a variety of industries.  If you are a party to a dispute involving a non-compete agreement or theft of confidential information, contact Leiza at Leiza.Dolghih@lewisbrisbois.com or (214) 722-7108 or fill out the form below.

Employees’ Unauthorized Copying of Electronic Files is Not Theft in Texas

1sbkpi.jpgWhen a company learns that an employee took or copied confidential materials, it’s not unusual for the company to sue the employee for misappropriation of trade secrets and theft of trade secrets under the Texas’s civil theft statute.   A recent federal court decision out of the Southern District, however, serves as a reminder that employers should carefully analyze what exactly the employee took and/or copied before tacking on a claim under the Texas Theft Liability Act (TTLA) to their lawsuit.

In BHL Boresight, Inc. v. Geo-Steering Sols. Inc., BHL accused the defendants of stealing: (1) software; (2) bitlocks; (3) data; and (4) user guides for BHL’s software program.  It claimed that these items constituted “property” under Texas Penal Code §33.03 and that defendants committed civil theft of this property by  unlawfully appropriating it without BHL’s effective consent.

Defendants argued that the civil theft claim must be dismissed because “general theft applies to unique documents and not copies of documents,” and the district court agreed finding that “consensus appears to be that if the plaintiff continues to possess and control originals of the subject property, he cannot show that the defendant possessed the requisite intent to deprive” the owner of its property.  And without intent, there is no claim for theft.

The district court ruled that because BHL retained the originals of its user guides and the software program, its theft claim related to these two items failed. However, bitlocks and the data generated by the software were a different matter.  Because bitlocks were physical USB devices that allowed users to access BHL’s software, they were neither “documents” nor “originals” and, therefore, when the defendants took them, they had the intent to deprive BHL of these devices.  Similarly, the data generated by BHL’s software was unique because the software generated different data depending on which oil & gas well it was applied to.  Therefore, the court did not dismiss BHL’s claim with respect to the theft of bitlocks and the software data.

BOTTOM LINE FOR COMPANIES:  Before pleading a Texas Theft Liability Act claim against an employee for stealing the company’s data, information, documents, or other property, the company should make sure that there is at least some evidence of the employee’s intent to deprive the company of its property.   While unauthorized copying of information or files may not be sufficient to bring a theft claim, the company may have other claims under Texas and federal law that it may use to remedy the harm from the employee’s actions.

Leiza litigates non-compete and trade secrets lawsuits in a variety of industries in federal and state courts. For a consultation regarding a dispute involving a noncompete agreement or misappropriation of trade secrets, contact Leiza at Leiza.Dolghih@lewisbrisbois.com or (214) 722-7108 or fill out the form below.

Out With the Old, In With the New: The Texas Uniform Trade Secrets Act (TUTSA) Explained

The Texas Uniform Trade Secrets Act (TUTSA) became effective on September 1, 2013, replacing the hodgepodge of common law, restatements and the Texas Theft Liability Act with a well-established statutory framework that 46 other states are already employing. TUTSA is a welcome change in our state because it modernizes and clarifies a lot of outdated rules, some of which have not been updated since 1930s. TUTSA does not apply to any misappropriation, including continuing misappropriation, occurring prior to September 1, 2013.

This post explains the major changes brought by TUTSA and their effect on trade secret litigation n Texas.

1.         TUTSA clarifies and expands the definition of “trade secret.

Under TUTSA § 134A.002(6), “trade secret” means information that derives independent economic value from not being generally known or readily ascertainable and for which reasonable efforts are made to maintain its secrecy.  Such “information” includes “a formula, pattern, compilation, program, device, method, technique, process, financial data, or list of actual or potential customers or suppliers.”

  • The new definition omits the “continuous use” language, thus allowing plaintiffs to claim as trade secret information that they have not yet had an opportunity to use.
  • Trade secrets now include not only positive information, but “negative knowhow,” which is information that has commercial value from a negative viewpoint, such as the results of lengthy and expensive research which proves that a certain process will not work could be of great value to a competitor.  See UTSA § 1 cmt.
  • Whether the information is considered “secret” is now determined by whether a party undertook “reasonable efforts to maintain the secrecy of such information,” rather than the difficulty with which such information could be acquired.  The new standard allows a fact finder to consider the nature of the trade secret and the facts and circumstances surrounding the efforts to maintain its secrecy in order to determine whether these efforts were reasonable under the circumstances.

2.         TUTSA requires “knowing” misappropriation.

Under TUTSA § 134A.002(3), “misappropriation” includes: (1) acquiring a trade secret by improper means or (2) disclosing a trade secret without consent.  Unlike the old common law, this new statutory definition makes clear that liability applies only to those who know or have reason to know that a trade secret was acquired by improper means, rather than accident or mistake.  Thus, for example, if an employee misappropriates a former employer’s trade secrets and uses them in his new job, the new employer is not liable for misappropriation of trade secrets unless the employer had actual or constructive knowledge that the material was improperly obtained. Needless to say, this provision is a great improvement for employers.

3.         Under TUTSA, “improper means” might include reverse engineering.

Under TUTSA § 134A.002(2), “improper means” includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, to limit use of, or to prohibit discovery of a trade secret, or espionage through electronic or other means.  When a license agreement prohibits reverse engineering, such activity would constitute a breach of the duty to limit the use of trade secret information and would constitute “improper means.”  In absence of any prohibition in a license agreement, however, reverse engineering would constitute “proper means” as defined in § 134A.002(4).

4.       TUTSA broadens injunctive relief

  • Texas courts have traditionally been reluctant to expressly recognize the idea of “threatened misappropriation,” which is often linked to the “inevitable disclosure” doctrine.  TUTSA § 134A.003 now includes a provision that allows injunctive relief for both actual and threatened misappropriation of trade secrets.  In some states that have adopted a version of the Uniform Trade Secrets Act,  “threatened misappropriation” does not equal “inevitable disclosure,” while in other states, the courts have found that as long as an employer can show that an employee will perform duties in his new employment that will inevitably cause the employee to use or disclose the former employer’s trade secrets, the old employer can establish “threatened misappropriation.”  Only time will tell, which way Texas will lean.
  • TUTSA § 134A.003 allows the continuation of an injunction for additional time to eliminate any commercial advantage derived from misappropriation, rather than termination of the injunction once the protected information is no longer secret.
  • The same section, “in exceptional circumstances,” allows an injunction that conditions future use of a trade secret upon payment of a reasonably royalty for no longer than the period of time for which use could have been prohibited.  “Exceptional circumstances” include a material and prejudicial change of position before acquiring knowledge or reason to know of misappropriation that renders a prohibitive injunction inequitable.
  • Finally, TUTSA § 134A.003 gives courts the power to compel “affirmative acts to protect a trade secret” under appropriate circumstances.

5.        TUTSA creates a cap for exemplary damages

Under TUTSA § 134A.004, “if willful and malicious misappropriation is proven by clear and convincing evidence, the fact finder may award exemplary damages in an amount not exceeding twice any award” of actual damages.  Such cap did not exist under Texas common law.

6.        TUTSA allows recovery of attorneys fees

Prior to TUTSA, the only way a party could recover attorneys’ fees for misappropriation of trade secrets was by filing a claim under the Texas Theft Liability Act, which allows for the recovery of attorneys’ fees to the prevailing party.  Now, under TUTSA § 134A.005, a court may award reasonable attorney’s fees to the prevailing party if: (1) a claim of misappropriation is made in bad faith; (2) a motion to terminate an injunction is made or resisted in bad faith; or (3) willful and malicious misappropriation exists.

7.       TUTSA enhances protection of trade secrets in court

TUTSA provides “a presumption in favor of granting protective orders to preserve the secrecy of trade secrets” and under TUTSA § 134A.006, “protective orders may include provision limiting access to confidential information to only the attorneys and their experts, holding in camera hearings, sealing the records of the action, and ordering any person involved in the litigation not to disclose an alleged trade secret without prior court approval.”

8.        TUTSA has not changed the following rules:

  • Damages. Under TUTSA § 134A.004(a), “in addition to or in lieu of injunctive relief,” a claimant is entitled to recover damages for misappropriation, which can include both the actual loss caused by misappropriation and the unjust enrichment caused by misappropriation that is not taken into account in computing actual loss.  A court may also impose reasonable royalty for a misappropriator’s unauthorized disclosure or use of a trade secret.  These are the same type of damages allowed under Texas common law prior to TUTSA‘s enactment.

Leiza Dolghih is a partner at Lewis Brisbois Bisgaard & Smith LLP in Dallas, Texas and a Co-Chair of the firm’s Trade Secrets and Non-Compete Disputes national practice.  His practice includes commercial, intellectual property and employment litigation.  You can contact her directly at Leiza.Dolghih@LewisBrisbois.com or (214) 722-7108.