On 21 July 2020, the US Attorney’s Office in Spokane, WA, unveiled a sweeping indictment accusing a pair of Chinese hackers of conspiring to steal trade secrets from a number of American pharmaceutical companies and research institutions, including biotechnology companies working on potential COVID-19 vaccines (1). Although the hackers apparently did not succeed in their attempt to obtain vaccine data, their years-long conspiracy involved other attacks on the pharmaceutical industry — and netted them troves of sensitive commercial information. Among the stolen data were design specifications and test results, toxicity information, and dosing research about a California company’s therapy for a chronic condition. The hackers also pilfered source code used in a Massachusetts company’s medical devices as well as algorithms essential to their operation.

Although the Spokane case still is in its preliminary investigative phase, that indictment follows a wave of similar cases, both civil and criminal, involving theft of trade secrets from drug companies. In October 2018, prosecutors charged four individuals — including three former Genentech (Roche) employees — with conspiring to steal analytical development methods for the company’s top-selling cancer therapies to help a Taiwanese competitor, JHL Biotech, develop biosimilars for those drugs (2). At the same time, Genentech filed a civil lawsuit that culminated in a settlement at the end of 2019 requiring JHL to abandon development of and destroy all cell materials related to those biosimilars (3). In May 2019, Merck filed a complaint against a former executive for clandestinely downloading thousands of confidential documents to a USB drive — including chemistry, manufacturing, and controls (CMC); drug-substance; and clinical-trial documents related to Merck’s vaccine program — shortly before decamping to vaccine-industry competitor Pfizer (4). And in February 2021, researcher Li Chen pled guilty to stealing trade secrets from the Abigail Wexner Research Institute at Nationwide Children’s Hospital in Columbus, OH. Chen and her husband, who still is awaiting sentencing, had stolen research on exosome isolation and used it to create genetic testing kits that they sold in China (5).

Those cases shed light on growing threats facing US drug companies and potential vulnerabilities within the industry. The incidents suggest that companies need to take precautions to protect their proprietary information.

Risks Abound
Given the high costs that come with researching, developing, and commercializing lifesaving drugs, pharmaceutical companies are poised to suffer unique risks as targets of trade-secret misappropriation. Methods, clinical data, and other such materials generated by such companies reflect months, if not years, of inquiry from many dedicated scientists. By allowing competitors to benefit from their hard work, theft of such information undermines incentives for companies to invest in innovation. Once a trade secret is lost, the economic harm to a company seldom can be rectified. Although a company can pursue civil or criminal sanctions against thieves and hackers, restoring the confidentiality of stolen material is difficult, if not impossible. As a practical matter, a company loses the ability to track — let alone control — subsequent disclosures of that stolen information. That’s a particular concern when, as in the Spokane hacking case, such information is disseminated to foreign agents. Even if a company obtains a court order requiring the return of stolen information or prohibiting its use by the misappropriators, such victories would be pyrrhic if the secrets already have become widely known.

Pharmaceutical companies are particularly susceptible to theft of electronically stored proprietary and trade-secret information. Several aspects of pharmaceutical innovation and production can create vulnerabilities. Drug companies encourage collaborative work environments in which scientists and manufacturing personnel easily and efficiently share discoveries, methods, and best practices. But an environment built around sharing also exposes more entry points for a hacker or other intellectual property (IP) thief. In the Merck case, for example, no technical system restrictions were in place to protect confidential documents, enabling the defendants to transfer hundreds of files to external hard drives.

Similarly, pharmaceutical companies often enter into partnerships with contract research and/or manufacturing organizations (CROs/CMOs) to help manufacture and distribute their drugs. Outsourcing requires companies to share proprietary information with other entities, including those in countries with less-stringent protections for pharmaceutical trade secrets. Such partnerships create additional entry points for thieves and hackers. As highlighted in the Spokane indictment, for example, Chinese hackers specifically targeted companies that possessed information belonging to partner companies. In one instance, the hackers targeted a scientific research and testing company, stealing information that belonged to a number of its clients.

Pharmaceutical companies seeking approval to distribute their products internationally also might be required to submit confidential information to other countries’ government agencies — and different countries have different levels of protection for pharmaceutical trade secrets. In its 2019 report to Congress on trade-secret theft affecting American companies, the US Department of Justice called attention to both the “misuse of information submitted by trade secret owners to government entities” in other countries and the difficulty in obtaining effective remedies following such misuses (6). Likewise, in a 2020 special report to the President, the Office of the US Trade Representative specifically highlighted inadequate protection for pharmaceutical trade secrets in China and India, noting that those countries had failed to establish effective systems for securing undisclosed testing data generated to obtain marketing approval for drug products (7).

Mitigation Strategies
To combat such risks, drug companies can take a number of steps to protect their trade secrets — which, unlike patents, specifically derive value from not being generally known to the public. Thus, pharmaceutical trade secrets can include diverse categories of information across a company, including testing procedures and protocols, manufacturing methods, test results, product designs, customized client lists, market analyses, pricing and marketing information, business strategies, and “negative know-how” (information about techniques or approaches that haven’t worked).

To protect such information and retain its status as trade secret, companies should focus foremost on advising and training their employees, consultants, partners, and vendors on the importance of securing confidential information. As the Genentech, Merck, and Nationwide Children’s Hospital cases indicate, the biggest threat to trade-secret integrity typically comes from unauthorized disclosures by company insiders and former employees. Companies should enter into strong confidentiality and nondisclosure agreements with employees and third parties before sharing information.

They also should establish confidentiality policies that will be distributed to all employees and reinforced through trainings. That should include development of oversight policies that help prevent inadvertent disclosure of trade secrets in written publications and during seminars, speaking engagements, and trade shows. Exit interviews can help ensure that departing employees are advised specifically about confidential business information and the obligation not to disclose or use such information without express written consent of the company.

Company policies should prohibit recipients of confidential information from making copies on laptop hard drives and on thumb drives and other external media. Recipients also should be prohibited from transmitting private information through nonsecure channels such as emails to partners, colleagues, and even personal accounts.

Beyond establishing robust security, companies should ensure that information-security policies are followed. That requires monitoring employee access and use of confidential documents as well as audits of compliance with procedures. Confidential documents should be marked clearly as such and saved in centralized repositories that cannot be accessed without proper credentials. Companies also should consider implementing more stringent measures for their most sensitive documents. That might entail establishing sign out/in procedures to track employee access and return of such materials and restricting access to sensitive documents on a need-to-know basis. To the extent feasible, disclosures to external partners should be made in cloud-based, encrypted, password-protected systems with no ability for printing, rather than by transfer of the electronic documents themselves to places outside a company’s secured servers and databases.

In addition, companies should bolster physical-security precautions. That includes fencing facility perimeters, limiting entrances and exits, using alarmed or self-locking doors, hiring after-hours security personnel, and installing visitor control systems. Companies also should set up convenient, easy-to-use, and (if possible) anonymous systems for employees to report suspicious activities and intrusions into their computers or accounts — and employees should be encouraged to make such reports.

In a worst-case scenario, management should be prepared to take action, including pursuit of legal remedies, against IP thieves. Addressing misappropriation proactively is critical to ensuring the prompt return of confidential documents, protecting the trade-secret status of a company’s most sensitive information, and deterring other bad actors.

References
1 Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research. US Department of Justice: Washington, DC, 22 July 2020; https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion.

2 Former Genentech Employees Charged with Theft of Trade Secrets. US Department of Justice: Washington, DC, 29 October 2018; https://www.justice.gov/usao-ndca/pr/former-genentech-employees-charged-theft-trade-secrets.

3 Keown A. Genentech, JHL Reach Agreement Over Stolen IP. BioSpace 6 September 2019; https://www.biospace.com/article/genentech-settles-ip-theft-dispute-with-jhl-biotech.

4 Sagonowsky E. Amid Next-Gen Vaccine Race, Merck Says Ex-Employee Bolted to Pfizer with “Thousands” of Key Documents. Fierce Pharma 9 October 2019; https://www.fiercepharma.com/pharma/amid-race-to-market-next-gen-pneumococcal-shots-merck-argues-ex-employee-bolted-to-pfizer.

5 Hospital Researcher Sentenced to Prison for Conspiring to Steal Trade Secrets, Sell Them in China. US Department of Justice: Washington, DC, 1 February 2021; https://www.justice.gov/opa/pr/hospital-researcher-sentenced-prison-conspiring-steal-trade-secrets-sell-them-china.

6 Department of Justice Report Pursuant to the Defend Trade Secrets Act. US Department of Justice: Washington, DC, 2019; https://www.justice.gov/iptf/page/file/1101901/download.

7 2020 Special 301 Report. Office of the US Trade Representative: Washington, DC, April 2020; https://ustr.gov/sites/default/files/2020_Special_301_Report.pdf.

Laurie Carr Mims ([email protected]) is a partner, and Maya Perelman ([email protected]) is an associate at Keker, Van Nest & Peters LLP, 633 Battery Street, San Francisco, CA 94111; https://www.keker.com.