6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 1 of 11 PageID 1761 BRIAN HOFFMAN, individually and on behalf of all others similarly situated, U NITED STATES DISTRICT COURT M IDDLE DISTRICT OF FLORIDA ORLANDO DIVISION Plaintiff, -vs- Case No. 6:08-cv-1741-Orl-28DAB AUTHENTEC, INC., F. SCOTT MOODY, and GARY LARSEN, Defendants. ORDER This cause came on for consideration with evidentiary hearing and oral argument on the following motion filed herein: MOTION: MOTION FOR A PROTECTIVE ORDER PROHIBITING USE OF MISAPPROPRIATED E-MAILS AND REQUEST FOR A HEARING (Doc. No. 42) FILED: January 16, 2009 THEREON it is ORDERED that the motion is DENIED. Plaintiff, filed this securities action on behalf of a class of purchasers of stock in Defendant AuthenTec, Inc. ' for claims relating to declines in the stock price 2 following an announcement on September 8, 2008 of an expected reduction in estimated revenue. Plaintiff alleges that Defendants made false and misleading statements and failed to disclose material adverse facts about the 'Plaintiff is also suing the CEO F. Scott Moody and CFO Gary Larsen. 2 AuthenTec s stock is traded on NASDAQ.
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 2 of 11 PageID 1762 company s true financial status. Doc. No. 1. Defendants filed a Motion to Dismiss the Complaint arguing that under the strict pleading requirements of the Private Securities Litigation Reform Act of 1995, 15 U.S.C. 78u-4(b), that Plaintiff s claims were not adequately supported or plead with particularity. Doc. No. 11. Following appointment of Mr. Caruso as lead Plaintiff, Plaintiff was granted leave to file an amended complaint, which was filed on January 9, 2009. Doc. Nos. 29, 33. In the Amended Complaint, Plaintiff alleged, based on information from three confidential informants a former employee, an independent contractor, and an outside sales representative that there were internal problems at AuthenTec which Defendants had not disclosed to shareholders in violation of the securities laws. A motion to dismiss the Amended Complaint was filed and is set for oral argument. Defendants now seek a protective order prohibiting the Plaintiff from using AuthenTec s internal confidential e-mails or any information obtained from them. Doc. No. 42. In the Amended Complaint3, Plaintiff references and quotes a series of e-mails generated by AuthenTec s technical team in a troubleshooting operation for one of its clients. Defendants argue that Plaintiff should not be allowed to use the internal confidential e-mails he surreptitiously obtained from a confidential source because the emails contain AuthenTec s confidential proprietary information and should not have been accessed by the Plaintiff, his counsel, or third-parties. Doc. No. 42. AuthenTec contends that it has invested significant time and resources to develop a confidential systematic procedure to resolve software bugs in its products, and the procedure is highly confidential and is part of what makes AuthenTec a unique company in the industry because customers can rely on AuthenTec s 3 The publicly-available version of the Amended Complaint was filed with the information from the emails redacted. Doc. Nos. 32, 37, 39. -2-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 3 of 11 PageID 1763 ability to efficiently address any software issues that they may encounter with AuthenTec sensors. Doc. No. 42. Plaintiff responds that the emails at issue are not subject to trade secret protection just because the email content may be embarrassing or disadvantageous if made public. Doc. No. 48. Plaintiff filed the specific information from the emails in response to Defendants argument that the original complaint had vague references to... emails, without describing their content. Plaintiff argues that Eleventh Circuit case law regarding specificity pleading requirements under the PSLRA acknowledges that citation to corporate email is commonplace and often the most direct means of proving scienter. Doc. No. 48 (citing Mizarro v. Home Depot, Inc., 544F.3d 1230, 1247 (11th Cir. 2008)). Because the Court finds no misconduct attributable to Plaintiff and that the information described in the motion is not otherwise entitled to protection, Defendants Motion for Protective Order is DENIED. I. Background Facts Related to Non-disclosure Issues AuthenTec sells fingerprint authentication sensors and solutions to the PC, wireless device, and access control markets. It acts as a small scanner that reads a fingerprint and determines whether you are who you say you are. AuthenTec primarily sells its products to the PC market and the cell phone market. Because the fingerprint authentication sensor market is an emerging market, there are only two to three significant competitors. AuthenTec contends that it places a high value on the confidentiality of its information and maintains strict security measures to prevent unauthorized access. AuthenTec requires employees and -3-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 4 of 11 PageID 1764 internal sub-contractors to sign a Non-disclosure Agreement 4 before they can access AuthenTec s facilities, confidential information, or computer networks. AuthenTec s computer network is also password restricted. AuthenTec employees are told not to disclose their passwords, and passwords are changed periodically to further enhance the security of the network. Despite AuthenTec s efforts to protect its confidential information, the Plaintiff (or counsel) obtained a series of e-mails generated by AuthenTec s software team in a troubleshooting operation. The e-mails discuss AuthenTec s procedures to address software problems, discuss the development status of some of AuthenTec s proprietary products, and identify specific product tests conducted by AuthenTec; the emails specify the number of software bugs encountered, the type of bugs, where they occurred, and how they are addressed. Of the ten emails at issue, seven were sent to the AuthenTec software engineering team, two were sent to Vince Alvarez, and one was sent from Vince Alvarez to Jim Waldron, an AuthenTec employee. Doc. No. 42 at 6 (chart). The emails are dated from November 12, 2007 to February 14, 2008. Doc. No. 42 at 6 (chart). II. Standard for Protective Order Defendants argue that the Court should, as a sanction, preclude Plaintiff from using any of the disputed emails in support of the Amended Complaint. Defendants contend Plaintiff should not be allowed to taint the integrity of this judicial proceeding with internal confidential e-mails 4 AuthenTec non-disclosure agreements generally provide: I recognize that by virtue of my said employment I may acquire confidential information (in written, or machine readable, or other form) regarding the above matters and other affairs and business of [AuthenTec] and of others, including trade secrets, proprietary data, and computer programs, of which I hold in trust and confidence during and following my employment. At no time will I divulge such confidential information to anyone not entitled thereto nor use same for any purpose other than for the benefit of [AuthenTec] without prior written consent of an authorized executive officer or employee of [AuthenTec]. See Attachment 1 to Dec. of Arlene Mostowsky at 5. -4-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 5 of 11 PageID 1765 surreptitiously obtained. Doc. No. 42 at 8. The appropriate sanction against Plaintiff, Defendants argue, is to bar introduction of the improperly obtained evidence. Doc. No. 42 at 8. A court may impose sanctions for litigation misconduct under its inherent power. Eagle Hosp. Physicians, LLC v. SRG Consulting, Inc., F.3d, 2009 WL 613603 (11th Cir. March 12, 2009) (affirming sanction of dismissal for defendant s litigation misconduct, i.e., his refusal to explain his interception of confidential emails between plaintiffs and attorneys) (citing Chambers v. NASCO, Inc., 501 U.S. 32, 43-44 (1991)). The court s inherent power derives from the court s need to manage [its] own affairs so as to achieve the orderly and expeditious disposition of cases. Chambers, 501 U.S. at 43 (quotation marks and citation omitted). This power, however, must be exercised with restraint and discretion. Roadway Express, Inc. v. Piper, 447 U.S. 752, 764 (1980). The key to unlocking a court s inherent power is a finding of bad faith. Barnes v. Dalton, 158 F.3d 1212, 1214 (11th Cir. 1998). III. Analysis At the March 2, 2009 evidentiary hearing, Larry Ciaccia, President of AuthenTec, testified about the security measures that AuthenTec employs to protect its data. AuthenTec uses its own fingerprint sensor technology to get in and out of the building. The company also uses industry standard network security protection of emails, where each user has a unique user name, and a password is required to get into the system; those passwords are changed on a regular basis. If a user is not within company confines, there are special procedures to access the server where all the information resides; the company is able to monitor who accesses the server and when and keep an eye on email traffic in general. In addition, full-time employees and contractors are required to sign a non-disclosure agreement. When asked about detailed technical information from an AuthenTec -5-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 6 of 11 PageID 1766 engineer (Mark Heilpern) made publicly available on the internet, Mr. Ciaccia admitted that, despite the existence of non-disclosure agreements with customers, AuthenTec does want our engineers to participate in open communities and with other engineers in order to exchange information. Pl. Ex. 1. In a case pending in the Northern District of California, AuthenTec v. Atrua (see Pl. Ex. 3), documents allege that when an employee of a prospective customer left an AuthenTec application engineer alone in the room at the customer s facility, the engineer copied as much as he could of Atrua s proprietary technology and then distributed that proprietary technology within Authentec's organization, including its CEO; Mr. Ciaccia is aware of an email containing the information. Mr. Ciaccia is also aware of allegations that on June 23, 2005, a customer with whom both Authentec and Atrua were negotiating mistakenly left two CDs provided by Atrua and containing proprietary information in a box containing Authentec s equipment. Upon discovering the CDs, an Authentec employee, Glenn Hicks, copied them and then returned Atrua s copies to the customer without informing him of the copying. Mr. Hicks was subsequently reprimanded. Wayne Sanford, Manager of Information Technology, testified that Authentec does not provide any external access to computer systems except through the means of connecting via VPN, which would require an end user to have specific software to gain access external to AuthenTec s network; the user would still be required to enter his user ID and password. If a user is actually in the facility itself, the user is required to enter the user ID and password to gain access to the AuthenTec network. There are also multiple layers depending on which application the user is accessing. AuthenTec has a global policy that is implemented through active directory, which is a Microsoft standard database that stores user IDs and passwords. All of the user IDs inside of the -6-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 7 of 11 PageID 1767 company require the user to maintain the user ID and password within 90 days, and after 90 days change the password again; if the user has used the password before, he or she would not be able to do so for 20 more times; the user has five times to enter the password before being locked out and the administrator notified. For all new contractors and full-time employees at AuthenTec, the hiring manager requests access to the network for the new person, the request is entered into the help desk system and reviewed, and the end user s needed access is verified with the manager, before a user ID and password is issued. Most of the systems have a secondary level of security which would require specific user ID and passwords for that application as well. Following analysis of the emails, Mr. Sanford was able to determined that the emails in dispute were accessed by Vince Alvarez, a former employee, and David Dyer, a contract employee who worked primarily from Texas. The emails had not been obtained via an outside hacker. Mr. Sanford initially opined that one of the individuals took their email database, exported it to a local database and exited the property with it, which would be a violation of the confidentiality agreement. Though on cross-examination, he admitted that it was possible that Dyer had a local copy of his mailbox (and all of his emails) on his laptop, and when Dyer stopped working for AuthenTec, he still had emails on his laptop that had not been destroyed or returned to AuthenTec. Mr. Sanford further admitted that he was not aware of any procedures that Authentec took to assure that all copies of emails were returned to AuthenTec (or destroyed with written notice) when an employee or contractor left. He testified that the exit process he was familiar with focused instead on return of only the equipment itself, and not the emails; particularly emails stored on a laptop owned by an off-site contractor that the contractor does not return to AuthenTec. Even with AuthenTec-owned computers, -7-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 8 of 11 PageID 1768 there is nothing technically to prevent somebody who comes into possession of the laptop from making a copy of the entire hard drive onto an external hard drive or a thumb drive. With particular reference to the email system as deployed by AuthenTec, use of an OST file allows users to have off line files in case the user loses connectivity to the database. By saving his own OST file, the user would still be able to view all emails to which he was privy. OST files are routinely updated automatically up to the minute to copy all of their OST files to users laptops. Thus, even after the user ID and password are canceled so as to prevent further access to the database, the user could still have access to all prior emails saved by the OST on the user s local hard drive. There are many tools publicly available that allow users to read an OST file to extract information, even if the user no longer has access to the Microsoft Outlook program on the server. This is the mechanism by which AuthenTec s information got outside its effective control. An investigator for Plaintiff s counsel, Ashlee Ilewicz, testified that she spoke with David Dyer for 42 minutes at a phone number in Texas on January 6, 2009. Pl. Ex. 8. Dyer told her that he used his own computer in his work for AuthenTec. In an email to the investigator, Dyer attached emails, stating: The attached.txt files contain all the emails I had saved on my laptop before I ended my active work with Authentec. Sorry for the format, but this was the only way I could extract them so that you would have ready access to the messages. This includes everything in my inbox (I don t normally separate emails out unless there s a specific project)... Please do not redistribute this beyond your law firm or use for any other purpose than we discussed. Pl. Ex. 9. At no point did Dyer tell the investigator that he was subject to a non-disclosure agreement. Ms. Ilewicz also testified that she spoke with a former AuthenTec software manager, Vince Alvarez, three times based on phone records (Pl. Ex. 5 and 7) once for 19 minutes, once for 25 minutes, and once to leave a message. Mr. Alvarez testified that he was on medication at the time, -8-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 9 of 11 PageID 1769 mistakenly thought initially he was speaking with a friend, and he does not remember who or how long he spoke with the person who called; when the caller mentioned AuthenTec, he directed the caller to talk to counsel at AuthenTec. IV. Findings Based on the record before the Court, Mr. Dyer provided to Plaintiff s counsel the disputed emails used in support of the allegations of the Amended Complaint. AuthenTec s security systems were thorough and secure, Mr. Dyer could not have copied the emails by hacking. On the other hand, AuthenTec intentionally allowed numerous users to have remote access, including unrestricted copying and file transfer ability. Contractors and employees were encouraged to use the OST file to be more efficient, but no precautions were taken to provide any assurance that file access would end when work necessity was no longer applicable. Indeed, when these individuals stopped working for AuthenTec, there was no exit interview specifically targeted toward getting back the OST emails. AuthenTec apparently passively relied on the non-disclosure agreements, as if they were selfexecuting. Mr. Dyer had routinely saved the emails on his laptop while engaged in active work with Authentec; AuthenTec employed no controls to limit access to the OST emails after a certain time period. Mr. Dyer extracted them from OST to a TXT version so the investigator would have ready access to the messages. Mr. Dyer did not inform the investigator he had a non-disclosure agreement. While Plaintiff s representatives likely assumed that AuthenTec had non-disclosure agreements with its employees and contractors, there is no showing that they had actual knowledge of any such agreements or their terms. There is also some likelihood that Mr. Dyer s transmission of a reformatted copy of his email files may have violated his contract. However, the record does not -9-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 10 of 11 PageID 1770 show bad faith on the part of the Plaintiff in gathering information in order to proceed with the litigation. This conclusion is bolstered by AuthenTec s evident lack of concern with respect to the use of information by authorized personnel. Substantively, Authentec did not treat as confidential ' their software development problems. The company allowed and encouraged engineers to discuss the problems publicly with other engineers openly over the Internet. Moreover, much of the information that AuthenTec now seeks to protect involving client relationship and development issues while potentially embarrassing, does not, standing alone, deserve continuing trade secret protection, in large part because most of it involves events that took place nearly one year ago which is a long time in AuthenTec s industry. The information at issue here is of the sort routinely subject to discovery. Whatever remaining issues there may be regarding the manner of Plaintiff s method of gaining access to it do not rise to the level of excluding it from consideration in the case. AuthenTec s approach would effectively immunize from scrutiny alleged misconduct from any firm that compels employees to sign nondisclosure agreements. Our system of justice could not function under such strictures. For the reasons stated above, Defendants Motion for Protective Order is DENIED. Further, because AuthenTec has not established any basis for the filing of pleadings under seal or with redactions, the Clerk is DIRECTED to unseal the docket entries previously made under seal. This directive shall be stayed pending the oral argument on the motion to dismiss (currently set for March 20, 2009). 'As noted above, AuthenTec was less than punctilious in respecting the confidential information of its competitors. -10-
6:08-cv-01741-JA-DAB Document 68 Filed 03/19/09 Page 11 of 11 PageID 1771 DONE and ORDERED in Orlando, Florida on March 19, 2009. Copies furnished to: Counsel of Record David A. Baker DAVID A. BAKER UNITED STATES MAGISTRATE JUDGE -11-