Fraud Management & Cybercrime , Governance & Risk Management , Insider Threat
Engineer Charged With Stealing Medical Device Trade SecretsProsecutors Allege Defendant Planned to Start a Company in China
A criminal case against an engineer who allegedly stole trade secrets while he worked at two U.S. medical device companies so he could help start a firm in China highlights the need for organizations to prioritize the protection of their intellectual property.
A federal grand jury in California has issued a 12-count indictment charging Wenfeng Lu of Irvine, Calif., with stealing and possessing trade secrets belonging to two former employers, both of which develop and manufacture medical devices used to treat cardiac and vascular ailments, according to the U.S. Department of Justice.
"This is another example of insider risks that present enormous potential problems for companies in all industries," says privacy attorney Kirk Nahra of the law firm Wiley Rein, who is not involved in the case. "These can involve trade secrets/proprietary information or sensitive personal information."
Employees who need access to data to do their jobs can misuse this data in many different ways, the attorney notes. "Many companies do not pay enough attention to how they monitor employee data issues and generally do not pay enough attention to addressing these kinds of insider risks," Nahra says.
Federal prosecutors allege that Lu "stole the confidential and proprietary trade secrets from two different medical device companies with research facilities in Irvine, where he worked from January 2009 until he was arrested in 2012."
The indictment alleges that during his employment at the companies - ev3/Covidien and Edwards Lifesciences Corp. - Lu travelled to the People's Republic of China multiple times, "sometimes soon after allegedly downloading trade secrets from an employer's computer and emailing information to his personal email account."
Lu was arrested as he prepared to board a plane to China in November 2012, according to court documents. Lu appeared "to be in the process of setting up a company with other individuals in [China] to manufacture medical devices," an FBI agent wrote in an affidavit filed in the case.
Protecting Trade Secrets
Court documents list a series of precautions each medical device company took to protect its confidential and trade secret information. Those measures included:
- Limiting physical access to the locations within the company where the trade secrets were stored through the use of security personnel and access badges;
- Limiting access to the trade secrets only to those who need them to perform their employment duties;
- Requiring employees to sign nondisclosure and confidentiality agreements that prohibited disclosure of trade secrets and confidential and proprietary information and extended beyond the length of employment;
- Mandating visitor sign-in sheets and escorts;
- Providing training and instruction regarding the security and safeguarding of restricted and confidential business information; and
- Labeling trade secret documents as confidential.
Despite all these precautions, Lu allegedly downloaded a variety of documents, including presentations, reports and internal emails "pertaining to confidential products and components" and sent those to his personal email address, prosecutors say.
In addition, prosecutors also allege Lu took photos in company labs of gear used to document medical device component test results and downloaded and saved confidential company information on USB thumb drives.
"Intellectual property theft poses a grave threat to businesses and the employees who depend on those businesses for their livelihoods," U.S. Attorney Eileen Decker said in a statement. "Moreover, when the stolen material is destined for foreign entities seeking to compete with American businesses, as it was in this case, IP theft also threatens the security of our nation."
Lu was initially indicted in this case in December 2012. That original indictment included allegations related to only one of the companies' trade secrets, prosecutors note. The new indictment incorporates the allegations related to four trade secrets owned by the other medical device maker, the Justice Department says.
The defendant is scheduled to be arraigned on the superseding indictment on June 13, and a trial is slated for Jan. 24, 2017, according to court documents. Each of the 12 felony counts alleging the theft and possession of trade secrets carries a statutory maximum sentence of 10 years in federal prison and a fine of up to $5 million, prosecutors note.
An attorney representing Lu declined to comment on the case. Lu is out free on bail, he says.
Another Trade Secrets Case
In another recent trade secret case in the healthcare arena, a federal jury last month awarded $940 million in damages to electronic health records software vendor Epic Systems, which had sued India-based Tata Consultancy Services, alleging theft of trade secrets by TCS employees (see Jury Awards EHR Vendor $940 Million in Trade Secrets Case) .
At the center of that suit were allegations by Epic that TCS consultants - who under a 2005 contract between the two companies were permitted limited access to and use of Epic's software - downloaded thousands of confidential Epic documents to benefit "in the development or enhancement" of TCS's EHR software, Med Mantra.
TCS is appealing the jury's decision.
The case involving Lu's alleged theft of medical device intellectual property, "further illustrates the importance of protecting all confidential information, whether protected health information, employee information or trade secrets," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who is not involved in the case.
One of the important lessons from both trade secrets cases, Greene says, is that "healthcare organizations should consider whether to include all forms of confidential information, not just electronic protected health information, in an enterprisewide information security risk assessment that identifies both insider and outside threats."
Greene adds: "Controls to reduce risks to trade secrets may include limiting electronic access to such information to only necessary employees, periodically reviewing access to such information to identify suspicious activity and having strong procedures surrounding termination of access so that terminated employees cannot continue to access trade secrets and other confidential information."
While insiders have been implicated in the two recent trade secret cases, organizations need to be mindful of the threats posed by external bad actors as well, Greene notes.
"There may be a very large amount of hacking of trade secrets that either has not been discovered or has not been publicized, so it is hard to gauge the scope of the problem," he says.