11th Circuit Addresses Trade Secret Misappropriation & Web/Data Scraping in High-Tech Corporate Espionage Case - Compulife v. Newman Part II
Compulife Software Inc. v. Newman, No. 18-12004, 2020 WL 2549505 (11th Cir. May 20, 2020)
Part I, addressing the Copyright aspect of this case, is available at:
For a brief review of the facts of this case:
Compulife Software, Inc., which has developed and markets a computerized mechanism for calculating, organizing, and comparing life-insurance quotes, alleges that one of its competitors lied and hacked its way into Compulife’s system and stole its proprietary data. The question for us is whether the defendants crossed any legal lines—and, in particular, whether they infringed Compulife’s copyright or misappropriated its trade secrets, engaged in false advertising, or violated an anti-hacking statute.
Compulife and the defendants are direct competitors in a niche industry: generating life-insurance quotes. Compulife maintains a database of insurance-premium information—called the “Transformative Database”—to which it sells access. The Transformative Database is valuable because it contains up-to -date information on many life insurers’ premium-rate tables and thus allows for simultaneous comparison of rates from dozens of providers. Most of Compulife’s customers are insurance agents who buy access to the database so that they can more easily provide reliable cost estimates to prospective policy purchasers. Although the Transformative Database is based on publicly available information—namely, individual insurers’ rate tables—it can’t be replicated without a specialized method and formula known only within Compulife. Compulife sells two different kinds of access to the Transformative Database—a “PC version” and an “internet-engine version”—each run by its own piece of software and each accompanied by its own type of license. Both pieces of software contain an encrypted copy of the database. The PC-version software—called the “PC quoter”—is sold along with a PC license that allows licensees to install copies of the quoter on their personal computers and other devices for (depending on the number of devices) a cost of either $180 or $300 per year. The PC quoter uses its local copy of the Transformative Database to generateinsurance-rate estimates corresponding to demographic information entered by the end user. A PC licensee can purchase an add-on called the “web quoter” for an extra$96 per year. The web-quoter feature allows the PC licensee to put a quoter on its own website, which it can then use as a marketing tool to attract customers. Once a licensee’s website is equipped with the web quoter, prospective life-insurance purchasers can enter demographic information into fields on the licensee’s site and receive quotes directly from the licensee.
The defendants, who are also in the business of generating life-insurance quotes—primarily through a website, www.naaip.org. “NAAIP” stands for National Association of Accredited Insurance Professionals, but as the court below found, “NAAIP is not a real entity, charity, not-for-profit, or trade association, and is not incorporated anywhere." Through naaip.org, the defendants offer a service similar to—and, the evidence shows, at least partially copied from—Compulife’s web quoter, which they call a “Life Insurance Quote Engine.” Any insurance agent can sign up for a free website located on the domain naaip.org—for example. The defendants host thousands of these sites on a server in Israel and equip each one with the Life Insurance Quote Engine. Prospective life-insurance purchasers can then obtain quotes on any of these NAAIP-hosted websites by entering demographic information, just as they could on the website of any Compulife PC licensee with a web quoter add-on. Each NAAIP site includes a link that allows consumers to purchase insurance through One Resource Group, Inc., a brokerage firm with which the defendants have partnered. If a visitor to an NAAIP site uses the link to buy insurance, the defendants receive a part of One Resource’s brokerage fees in exchange for the referral. The defendants also operate the BeyondQuotes website, www.beyondquotes.com, which includes a Life Insurance Quote Engine like the ones on participating NAAIP websites. BeyondQuotes operates similarly to Compulife’s Term4Sale site, generating revenue by selling referrals to affiliated insurance agents.
(Image credit: https://www.simplilearn.com/what-is-a-web-crawler-article)
Topic: Trade Secrets & Misappropriation
Takeaways:
- Publicly available data obtained through large-scale data scraping hack of Compulife's system should not have been considered on an individual piece-by-piece basis of the insurance quote data obtained, but rather the aggregate block of information obtained when considering an improper means and trade-secret appropriation analysis.
- A site's lack of usage restriction regarding publicly available information does not automatically make Data Scraping through robotic means proper.
- Court generally opines that using a bot to collect "infeasible amounts" of data through data/web scraping may be improper means.
This is Part II to the discussion of Compulife Software Inc. v. Newman.
Part I, addressing the Copyright aspect of this case, is available at:
https://tennesseetechnologylaw.blogspot.com/2020/05/abstraction-filtration-comparison-oh-my.html.
For a brief review of the facts of this case:
Compulife Software, Inc., which has developed and markets a computerized mechanism for calculating, organizing, and comparing life-insurance quotes, alleges that one of its competitors lied and hacked its way into Compulife’s system and stole its proprietary data. The question for us is whether the defendants crossed any legal lines—and, in particular, whether they infringed Compulife’s copyright or misappropriated its trade secrets, engaged in false advertising, or violated an anti-hacking statute.
Compulife and the defendants are direct competitors in a niche industry: generating life-insurance quotes. Compulife maintains a database of insurance-premium information—called the “Transformative Database”—to which it sells access. The Transformative Database is valuable because it contains up-to -date information on many life insurers’ premium-rate tables and thus allows for simultaneous comparison of rates from dozens of providers. Most of Compulife’s customers are insurance agents who buy access to the database so that they can more easily provide reliable cost estimates to prospective policy purchasers. Although the Transformative Database is based on publicly available information—namely, individual insurers’ rate tables—it can’t be replicated without a specialized method and formula known only within Compulife. Compulife sells two different kinds of access to the Transformative Database—a “PC version” and an “internet-engine version”—each run by its own piece of software and each accompanied by its own type of license. Both pieces of software contain an encrypted copy of the database. The PC-version software—called the “PC quoter”—is sold along with a PC license that allows licensees to install copies of the quoter on their personal computers and other devices for (depending on the number of devices) a cost of either $180 or $300 per year. The PC quoter uses its local copy of the Transformative Database to generateinsurance-rate estimates corresponding to demographic information entered by the end user. A PC licensee can purchase an add-on called the “web quoter” for an extra$96 per year. The web-quoter feature allows the PC licensee to put a quoter on its own website, which it can then use as a marketing tool to attract customers. Once a licensee’s website is equipped with the web quoter, prospective life-insurance purchasers can enter demographic information into fields on the licensee’s site and receive quotes directly from the licensee.
The defendants, who are also in the business of generating life-insurance quotes—primarily through a website, www.naaip.org. “NAAIP” stands for National Association of Accredited Insurance Professionals, but as the court below found, “NAAIP is not a real entity, charity, not-for-profit, or trade association, and is not incorporated anywhere." Through naaip.org, the defendants offer a service similar to—and, the evidence shows, at least partially copied from—Compulife’s web quoter, which they call a “Life Insurance Quote Engine.” Any insurance agent can sign up for a free website located on the domain naaip.org—for example. The defendants host thousands of these sites on a server in Israel and equip each one with the Life Insurance Quote Engine. Prospective life-insurance purchasers can then obtain quotes on any of these NAAIP-hosted websites by entering demographic information, just as they could on the website of any Compulife PC licensee with a web quoter add-on. Each NAAIP site includes a link that allows consumers to purchase insurance through One Resource Group, Inc., a brokerage firm with which the defendants have partnered. If a visitor to an NAAIP site uses the link to buy insurance, the defendants receive a part of One Resource’s brokerage fees in exchange for the referral. The defendants also operate the BeyondQuotes website, www.beyondquotes.com, which includes a Life Insurance Quote Engine like the ones on participating NAAIP websites. BeyondQuotes operates similarly to Compulife’s Term4Sale site, generating revenue by selling referrals to affiliated insurance agents.
Trade Secret & Misappropriation
To prove a claim under the Florida Uniform Trade Secrets Act (FUTSA), Compulife “must demonstrate that (1) it possessed a trade secret and (2) the secret was misappropriated.” Yellowfin Yachts, Inc. v. Barker Boatworks, LLC, 898 F.3d 1279, 1297 (11th Cir. 2018) (quotation and quotation marks omitted). Florida law defines a trade secret as:
information ... that: (a) [d]erives independent economic value ... from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (b) [i]s the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Fla. Stat. § 688.002(4). “[W]hether something is a trade secret is a question typically ‘resolved by a fact finder after full presentation of evidence from each side.’ ” Yellowfin Yachts, 898 F.3d at 1298–99 (quoting Lear Siegler, Inc. v. Ark-Ell Springs, Inc., 569 F.2d 286, 288–89 (5th Cir. 1978)).
The magistrate judge found that Compulife’s Transformative Database was a trade secret, a finding that is not clearly erroneous and that, in any event, doesn’t seem to be contested on appeal. We can therefore move straight to the question of misappropriation.
One party can misappropriate another’s trade secret by either acquisition, disclosure, or use. See Fla. Stat. § 688.002(2). Compulife alleges misappropriation both by acquisition and by use—but not by improper disclosure. A person misappropriates a trade secret by acquisition when he acquires it and “knows or has reason to know that the trade secret was acquired by improper means.” Id.§ 688.002(2)
(a). A person misappropriates a secret by use if he uses it “without express or implied consent” and either:
1. Used improper means to acquire knowledge of the trade secret; or
2. At the time of disclosure or use, knew or had reason to know that her or his knowledge of the trade secret was:
a. Derived from or through a person who had utilized improper means to acquire it;
b. Acquired under circumstances giving rise to a duty to maintain its secrecy or limit its use; or
c. Derived from or through a person who owed a duty to the person seeking relief to maintain its secrecy or limit its use; or
3. Before a material change of her or his position, knew or had reason to know that it was a trade secret and that knowledge of it had been acquired by accident or mistake.
Id. § 688.002(2)(b).
The concept of “improper means”—which under FUTSA may apply in both the acquisition and use contexts—is significant here, so we should pause to unpack it. As used in FUTSA, “[i]mproper means” is defined to include “theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means.” Id. § 688.002(1). In the law of trade secrets more generally, “theft, wiretapping, or even aerial reconnaissance” can constitute improper means, but “independent invention, accidental disclosure, or ... reverse engineering” cannot. Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470, 476, 94 S.Ct. 1879, 40 L.Ed.2d 315 (1974).14 Actions may be “improper” for trade-secret purposes even if not independently unlawful. See E. I. duPont deNemours & Co. v. Christopher, 431 F.2d 1012, 1014 (5th Cir. 1970) (rejecting the argument “that for an appropriation of trade secrets to be wrongful there must be a trespass, other illegal conduct, or breach of a confidential relationship”). Moreover, the inadequacy of measures taken by the trade-secret owner to protect the secret cannot alone render a means of acquisition proper. So long as the precautions taken were reasonable, it doesn’t matter that the defendant found a way to circumvent them. Indeed, even if the trade-secret owner took no measures to protect its secret from a certain type of reconnaissance, that method may still constitute improper means.
In one case from the former Fifth Circuit, for example, DuPont claimed that trade secrets had been misappropriated by photographers who took pictures of its methanol plant from a plane. See Christopher, 431 F.2d at 1013. These aerial photographs, DuPont contended, threatened to reveal its secret method of manufacturing methanol. See id. at 1013–14. The photographers sought summary judgment, emphasizing that “they conducted all of their activities in public airspace, violated no government aviation standard, did not breach any confidential relation, and did not engage in any fraudulent or illegal conduct.” Id. at 1014. The Fifth Circuit rejected their contention and held that the aerial photography constituted improper means even though DuPont had left the its facility open to inspection from the air. See id. at 1015. Under the broad definition adopted in Christopher, misappropriation occurs whenever a defendant acquires the secret from its owner “without his permission at a time when he is taking reasonable precautions to maintain its secrecy.” Id.
Although the magistrate judge found Compulife’s Transformative Database to be a trade secret, he determined that the defendants hadn’t misappropriated it. The magistrate judge’s analysis, however, contains two flaws. First, in both in the 08 case and in the 42 case, he failed to consider the several alternative varieties of misappropriation contemplated by FUTSA. Second, in the 42 case, he erred in reasoning that the public availability of quotes on Compulife’s Term4Sale site automatically precluded a finding that scraping those quotes constituted misappropriation.
The magistrate judge rejected the misappropriation-by-use claims in the 08 case because he found that Compulife had “failed to prove the existence of the duty critical to its claims of trade secret misappropriation through use.” Compulife Software, 2018 U.S. Dist. LEXIS 41111, at *50. The judge erred in considering only varieties of misappropriation by use that require a violation of some legal “duty” external to the statute. To be sure, some types of use-misappropriation do require proof of an external duty under the Florida statute, see Fla. Stat. § 688.002(2)(b)2.b., c. Just as surely, though, the same statute describes other kinds of use-misappropriation that do not depend on the existence of an external duty. When, for instance, a defendant knows that his knowledge of a trade secret was acquired using “improper means,” or that he has acquired knowledge of a trade secret “by accident or mistake” and still uses it, such use is actionable misappropriation. Fla. Stat. § 688.002(2)(b) 1., 2.a., 3. Moreover, while not defined in the statute, the bar for what counts as “use” of a trade secret is generally low. See Penalty Kick Mgmt. v. Coca Cola Co., 318 F.3d 1284, 1292 (11th Cir. 2003) (“[A]ny exploitation of the trade secret that is likely to result in injury to the trade secret owner or enrichment to the defendant is a ‘use.’ ” (quoting Restatement (Third) of Unfair Competition § 40 cmt. c (1995))). Even assuming that the defendants had no external “duty” not to use Compulife’s trade secret, they nonetheless may have used the secret in violation of the statute.
The magistrate judge never considered these possibilities, although they are plainly contemplated in the Florida statute. And there was clearly enough evidence of these other, non-duty-based varieties of use-misappropriation that the magistrate judge should have discussed them before dismissing them. In the 08 case, the defendants plausibly engaged in “misrepresentation”—and thus “improper means” within meaning of the statute—given the way that David Rutstein explained the defendants’ affiliation with McSweeney and Savage to Compulife’s Jeremiah Kuhn when Rutstein initially sought access to the Transformative Database. Fla. Stat. § 688.002(1), (2)(b) 1. Alternatively, even if the email exchange between Rutstein and Kuhn didn’t amount to “improper means,” it could have been understood as an “accident or mistake” of which the defendants knew or had reason to know and by which they gained knowledge of the Transformative Database. Id. § (2)(b)3. In either case, the defendants’ use would amount to misappropriation—without respect to the presence (or absence) of any external duty. The magistrate judge’s failure to consider either possibility requires vacatur and remand. See Swint, 456 U.S. at 291, 102 S.Ct. 1781 (explaining that failure “to make a finding because of an erroneous view of the law” generally requires remand “to permit the trial court to make the missing findings”).
The magistrate judge should also have considered misappropriation by use in the 42 case. The judge seems to have considered only misappropriation by acquisition as to that case—more on that momentarily—but there was no justification for truncating the analysis in this way. If the scraping attack constituted “improper means”—a question that the magistrate judge also failed to address—it would be difficult to escape the conclusion that the defendants either (1) used a trade secret of which they had improperly acquired knowledge or (2) used a trade secret of which they had acquired knowledge from a person whom they knew or had reason to know had improperly acquired the knowledge. See Fla. Stat. § 688.002(2)(b) 1., 2.a. The defendants admitted both to hiring the hacker and to observing her take actions consistent with a scraping attack. It’s hard to see how the defendants didn’t at least “have reason to know” that Natal had acquired knowledge of a trade secret for them by improper means—if, indeed, the scraping attack amounted to improper means. The magistrate judge’s failure to consider this possibility must also be rectified on remand.
In addition to improperly ignoring the possibility of misappropriation by use in the 42 case, the magistrate judge erred in his treatment of misappropriation by acquisition. He reasoned—improperly, we conclude—that the Transformative Database couldn’t have been misappropriated by acquisition in the 42 case because the individual quotes that Natal scraped were freely available to the public. True, the quotes’ public availability is important to the first prong of trade-secret misappropriation—the initial determination whether a protectable secret exists. Public availability creates a vulnerability, which—if unreasonable—could be inconsistent with the reasonable precautions requisite to trade-secret protection. See Fla. Stat.§ 688.002(4)(b). But here the magistrate judge found that the Transformative Database was a trade secret; he gave judgment for the defendants because he believed that the public availability of the quotes precluded a finding of misappropriation. The magistrate judge reasoned that all “claims in the 42 case, alleging misappropriation of these quotes, necessarily fail” simply because the individual quotes were available to the public and thus did “not constitute trade secrets.” Compulife Software, 2018 U.S. Dist. LEXIS 41111, at *45.
That is incorrect. Even granting that individual quotes themselves are not entitled to protection as trade secrets, the magistrate judge failed to consider the important possibility that so much of the Transformative Database was taken—in a bit-by-bit fashion—that a protected portion of the trade secret was acquired. The magistrate judge was correct to conclude that the scraped quotes were not individually protectable trade secrets because each is readily available to the public—but that doesn’t in and of itself resolve the question whether, in effect, the database as a whole was misappropriated. Even if quotes aren’t trade secrets, taking enough of them must amount to misappropriation of the underlying secret at some point. Otherwise, there would be no substance to trade-secret protections for “compilations,” which the law clearly provides. See Fla. Stat. § 688.002(4) (“ ‘Trade secret’ means information, including a ... compilation.”); Unistar Corp. v. Child, 415 So. 2d 733, 734 (Fla. 3rd DCA 1982) (holding that a “distillation of” publicly available information was a protectable trade secret). And total, stem-to-stern appropriation is unnecessary to establish liability; appropriation of a “substantial portion” is sufficient. Cf. Penalty Kick Mgmt., 318 F.3d at 1292–1293 (“The unauthorized use need not extend to every aspect or feature of the trade secret; use of any substantial portion of the secret is sufficient to subject the actor to liability.” (quoting Restatement (Third) of Unfair Competition § 40 cmt. c (1995))).
Nor does the fact that the defendants took the quotes from a publicly accessible site automatically mean that the taking was authorized or otherwise proper. Although Compulife has plainly given the world implicit permission to access as many quotes as is humanly possible, a robot can collect more quotes than any human practicably could. So, while manually accessing quotes from Compulife’s database is unlikely ever to constitute improper means, using a bot to collect an otherwise infeasible amount of data may well be—in the same way that using aerial photography may be improper when a secret is exposed to view from above. See Christopher, 431 F.2d at 1013. In the most closely analogous case of which we are aware, a district court held that hacking a public-facing website with a bot amounted “improper means.” Physicians Interactive v. Lathian Sys., Inc., No. CA 03-1193-A, 2003 WL 23018270, at *8 (E.D. Va. Dec. 5, 2003) (“There can be no doubt that the use of a computer software robot to hack into a computer system and to take or copy proprietary information is an improper means to obtain a trade secret, and thus is misappropriation under the VUTSA.”).16 In that case, the trade-secret owner’s “failure to place a usage restriction on its website” did not automatically render the hacking proper. Id. at *7. So too, here.
Consider how broadly the magistrate judge’s reasoning would sweep. Even if Compulife had implemented a technological limit on how many quotes one person could obtain, and even if the defendants had taken all the data, rather than a subset of it, each quote would still be available to the public and therefore not entitled to protection individually. On the magistrate judge’s logic, Compulife couldn’t recover even in that circumstance, because even there—in the magistrate judge’s words—“any member of the public [could] visit the website of a Compulife customer to obtain a quote” with “no restriction” on the subsequent use of the quote. Compulife Software, 2018 U.S. Dist. LEXIS 41111, at *45. But under the plain terms of the governing statute, the defendants would be liable in this scenario; they would have acquired a compilation of information that “[d]erives independent economic value ... from ... not being readily ascertainable” and “[i]s the subject of efforts that are reasonable under the circumstances to maintain its secrecy” by means which plainly amount to “espionage through electronic ... means.” Fla. Stat.§ 688.002(1), (4).
The magistrate judge treated the wrong question as decisive—namely, whether the quotes taken were individually protectable. He left undecided the truly determinative questions: (1) whether the block of data that the defendants took was large enough to constitute appropriation of the Transformative Database itself, and (2) whether the means they employed were improper. Having found that the Transformative Database was protectable generally, the magistrate judge was not free simply to observe that the portions taken were not individually protectable trade secrets.
We express no opinion as to whether enough of the Transformative Database was taken to amount to an acquisition of the trade secret, nor do we opine as to whether the means were improper such that the acquisition or use of the quotes could amount to misappropriation. We merely clarify that the simple fact that the quotes taken were publicly available does not automatically resolve the question in the defendants’ favor. These issues must be addressed on remand.
(Image credit: https://www.simplilearn.com/what-is-a-web-crawler-article)
Comments
Post a Comment