Important Lesson From Trade Secrets Case

The most important lesson from the lawsuit Epic Systems filed against Tata Consultancy Services is that data security controls must extend beyond protecting personally identifiable information to include intellectual property, says attorney Ron Raether.

"It's now important to lock down your trade secrets and make certain that whatever controls that you've determined are the appropriate level [for PII] are equally applied to your trade secrets," he says in an in-depth interview with Information Security Media Group.

"Data segregation is key - making sure you've classified and given levels of importance to your trade secrets and the information that you truly consider your secret sauce."

Raether, a technology attorney who was not involved in the case, stresses that organizations must use "the most robust security controls that allow your business and company to still function properly while likewise providing the security benefits needed to protect that information from being stolen or exfiltrated."

Epic vs. TCS

The theft of trade secrets and intellectual property - such as was alleged in the lawsuit filed by Epic, one of the largest U.S. electronic health records software vendors, against India-based TCS - is more common than many companies realize, Raether says.

A jury recently awarded Epic $940 million in its trade secrets theft case, but TCS plans to appeal. At the center of the lawsuit are allegations that TCS consultants - who under a contract between the two companies were permitted limited access to and use of Epic's software - inappropriately downloaded thousands of confidential Epic documents to benefit "in the development or enhancement" of TCS's EHR software, Med Mantra, according to court documents.

Epic claims that a TCS consultant who was working for Epic's customer, Kaiser Hospital Foundation in Portland, Ore., transferred his credentials to at least two other TCS employees in India. Using those credentials, Epic alleges, the other TCS workers downloaded, via Epic's UserWeb web portal, "at least 6,477 documents accounting for 1,687 unique files."

Epic said the documents downloaded by TCS personnel included, among other things, "confidential, proprietary and trade secret documents detailing over 20 years of development of Epic's proprietary software and database systems."

The EHR vendor says it first learned about the alleged unauthorized downloading of documents by TCS through an "informant" - another TCS consultant assigned to manage "all aspects of TCS's contract with Kaiser to provide consulting services and report directly to TCS executive management."

Intrusion Detection

It's unclear why Epic's data security team didn't discover the alleged inappropriate downloading of sensitive intellectual property by two unauthorized users located across the globe who were using credentials borrowed from an individual with supposedly limited access rights (see: Epic vs. Tata: Key Security Questions).

"The compromised credentials were used to [allegedly] download over 7,000 documents and files - so the exfiltration could have created a red flag to indicate to Epic that its systems were being misused - and not consistent with the rights granted under the terms of use or the non-disclosure agreement," Raether notes.

"I'm not faulting Epic, but I do believe there are information security controls ... with respect to personally identifiable information and preventing consumer harm that likewise could provide useful benefits in companies protecting their trade secrets."

In this in-depth interview, Raether also discusses:

- Steps companies can take to help prevent user credentials from being misused or shared with unauthorized individuals;
- Measures organizations can implement to prevent intellectual property from being stolen by remote outsiders, as well as insiders, including former employees;
- Potential ways experts might analyze whether allegedly stolen trade secrets are inappropriately applied for the software products of a competitor;
- Why the damages awarded by the jury to Epic were so substantial, and whether those damages could be reduced.

Raether is a partner at the law firm Troutman Sanders LLP. His experience with technology-related issues spans an array of legal areas, including patents; anti-trust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.