Business Records Handling | Internet Law, Business & Data Security Law

Business records are created every minute in business and in a variety of entities. Every call handled by receptionists, customer service, account managers, and even by management and executives creates a business record. Every transaction, document dispatch, email, scanning of information for sharing, all creates business records. Every function and every task, digitized, becomes a business record, including internal memos, spreadsheets, and so on. Business records are, in other words, incessantly being created. They become the backbone of the enterprise and its operation, to deliver the best service or product possible. Their value is appreciable. Business records are a trade secret. Trade secrets are a valuable commodity for any business of any size.

A trade secret may be a customer list, a new plan for streamlining inventory, or noted logistical adjustment in the organization of delivery processes from manufacturers. Storing such information is fast becoming a colossal fact in cloud data management. The database records that are produced by daily activity of business records are sought after, stealthily by hackers. Any entity you can imagine is a target.

Trespassing into an entity’s database falls under the scope of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and the Economic Espionage Act (“EEA”), 18 U.S.C. § 1831 et seq.[1] Any unauthorized access to copy, duplicate, or download business records is an enforceable offense. It is important to note how an entity handles its business records. The unique handling of the business records and how they are protected provides a clear depiction of how instrumental the business records are to the entity.

In 2012, the Ninth Circuit Court of Appeals, in United States v. Nosal, dealt with the issues of how business records become a recognized trade secret. Nosal was convicted on two counts of trade secret theft under the EEA. The Court found that Nosal had accessed an entity’s business records without authorization. He was charged with unauthorized downloading, copying and duplicating of trade secrets and unauthorized receipt and possession of stolen trade secrets which violated §§ 1832(a)(2) & (a)(4) of the EEA. Aside from determining if there was intent to convert, as required under the EEA, along with having the knowledge that such conversion would harm the entity, owner of the business record/trade secret, the Court weighed into the handling of the business records, i.e., trade secrets. The Court discussed how an entity, by its very handling of its records, its produced records and reports, etc., gave the data trade secret consideration; hence, gave the records value.

The value of the information, as noted by the Court, arose from the handling of the information and it integral import into the function of the entity’s operation. The Court opined about business records becoming a trade secret, that “the nature of the trade secret and its value stemmed from the unique integration, compilation, cultivation, and sorting of, and the aggressive protections applied. . .”[2] Its analysis borrowed from an Eight Circuit case, Conseco [3] and a Tenth Circuit case, Hertz [4] where customer lists were taken by employees. The customer lists in question were unique by their form, manner of cataloging, and analysis that was involved in the list’s composition. The Eight Circuit stated that they were trade secrets as they are ““specialized” computer program that was “unique” to Conseco.”” Similar to the Hertz case, the process involved to gather and organize the data made it a trade secret.

An entity’s process of handling business records is highly important in order to provide its business records and information trade secret status under the law. The value of a business record is based on how an entity handles the composition, characteristic, cataloging, purpose, use, and its intended unique use and secure storage. Custodial handling is crucial amid internal policies among employees and how depicted in personnel manuals for company enforcement.

[1] Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474. , § 2(g)(4), 100 Stat. 1213-15. CFAA was later expanded to protect any computer “used in interstate or foreign commerce or communication.” Economic Espionage Act of 1996, Pub. L. 104-294, § 201(4)(B), 110 Stat. 3488, 3493 (codified as amended at 18 U.S.C. § 1030(e)(2)(B)).

[2] Order, Ninth Circuit, #14-10037, at p. 34.

[3] Conseco Finance Servicing Corp. v. North American Mortgage Co., 381 F.3d 811 (8th Cir. 2004).

[4] Hertz v. Luzenac Grp., 576 F.3d 1103, 1114 (10th Cir. 2009) (holding that a customer list may be a trade secret where “it is the end result of a long process of culling the relevant information from lengthy and diverse sources, even if the original sources are publicly available”).