We Have Your Data. Pay Up or Else…

4 minute read | August.22.2014

You wake on a Tuesday morning expecting to have an average day at work.  You are skimming through the emails that came in while you were asleep, when you notice an email from one of your employees.  He is not only giving his resignation, but is also, more importantly, demanding a ransom in exchange for not disclosing company trade secrets and other highly confidential information.  What do you do?

This scenario isn’t simply a bad dream.  It is reality for a Florida company, Unisol International Corp., who recently sued its former operations manager for attempting to extort the company in exchange for not disclosing sensitive confidential information, including information regarding former and current clients.

In its complaint, Unisol, a provider of technology solutions, claims that former employee Eduardo Merino had access to all of Unisol’s confidential and proprietary information and, after quitting unexpectedly, emailed the company demanding a severance payment equivalent to 12 months’ salary plus health insurance.  If Unisol refused to make the payment as demanded, Merino threatened that he would disclose confidential information such as emails, price lists, invoices, serial numbers, and purchase orders. Unisol is currently seeking temporary and permanent injunctions, damages, and attorney’s fees in Florida state court for alleged violation of Florida’s non-compete statute and misappropriation of trade secrets.

Unfortunately, situations like Unisol’s are not unique.  As the types and volume of information that companies maintain continue to increase, so too do threats of blackmail and extortion.  Just last month, a former contract worker for a Boeing subcontractor, Corsair Engineering, was sentenced to three years’ probation in Washington after a jury found him guilty of trade secrets theft under 18 U.S.C. 1832(a)(2).  The government argued for a heavy penalty in its sentencing memorandum because defendant Stephen Martin Ward had acquired trade secrets for financial gain.  Ward had been hired to help prepare technical manuals for drones.  However, after he was terminated due to poor performance and disruptive behavior, Ward called his former employer to inform it that he had “a substantial amount of data,” which he threatened to disclose to foreign entities in the Middle East.  He offered to “go away and not make a fuss” in exchange for a “healthy settlement.”  According to the government, Ward also obstructed justice during an interview with FBI specialists, before negotiating a settlement of $400,000 with his former employer for the return of all evidence and documentation in his possession.  Ward then attended a meeting at a restaurant, where he provided a compact disk containing one of the confidential manuals in exchange for a down payment on the settlement amount.  Unfortunately for Ward, the person who handed over the money was an undercover FBI agent, and Ward was soon arrested.

These are only two of many examples of company trade secrets and other confidential information being held hostage. So, what do you do when you’re the one who gets the email or call demanding money—or else?  First, prepare yourself in advance. Make sure that your employees sign detailed confidentiality and non-disclosure agreements to give you an added basis for moving to enforce should an employee suddenly go renegade.  Also run a strict background check, paying close attention to reasons that might cause a person to demand cash (unpaid alimony, credit card debt, etc.).  Keep an eye out for early warning signs of potential misbehavior by employees, and scrutinize your data security practices.  Similarly, scrutinize the practices and status of your contractors or vendors.  What are their hiring practices?  What security procedures do they have in place? Are they financially solvent, or underwater?   How long have they been in business?  Be sure your contracts with third-party providers include indemnification provisions and explicitly spell out how they must treat your data during the life of the engagement and at conclusion of the matter.  Assess whether your insurance policies are in need of updating to include coverage for data breaches.  Once a threat is made, assess who is making it and why so that you can respond with the right degree of force.  For example, are you dealing with a disgruntled former employee, or a group of cybercriminals? Document all communications and interactions with your extortionist.  Having a black and white record to put before the court will help if and when it com

Take a lesson from Unisol and Corsair Engineering. Secure yourself on the front end, but be prepared for the day that you receive that phone call or email. Have a plan in place so that you can act quickly, and with conviction.