Credit Union Times
By Peter Strozniak
August 18, 2017
Click here to view the article

For the good of the credit union movement, many cooperatives say they collaborate and cooperate with other credit unions.

But it's a far different story for credit unions that are competitors in a crowded metropolitan market such as Tampa, Fla. The midsize city with a population of about 377,000 has nearly 50 local and out-of-state commercial banks, eight out-of-town credit unions and a dozen credit unions that are headquartered there.

Competitive pressures have apparently forced a fierce rift between $2.3 billion Grow Financial Federal Credit Union and the $1.8 billion GTE Federal Credit Union, which is playing out in a federal lawsuit that involves serious accusations of unauthorized access to confidential and proprietary information and disclosures of trade secrets. What's more, legal experts, who weighed in on this case after reviewing its court filings, say all too often businesses don't do enough to protect their confidential information and offered their insights on what credit unions should do to protect themselves.

In a lawsuit filed in May in U.S. District Court in Tampa, Grow is accusing a former credit union employee of jumping ship to a new job with GTE who allegedly took with her reams of confidential files, proprietary reports and trade secrets, which included personal information of Grow's members. What's more, Grow also alleges these documents were taken unlawfully at the request of a GTE employee who used to work for Grow.

Although GTE admitted some documents were taken by the former Grow employee, none of them contained proprietary or any personal member information. In addition, GTE contends that the information the former Grow employees disclosed was part of the normal information sharing practices utilized by Grow, GTE and other credit unions in the area.

The story that led to this lawsuit begins on Aug. 23, 2016 when James Esner, GTE's assistant vice president of indirect lending, contacted Erica Pierson Holliday. She was working as Grow's underwriting supervisor and was responsible for supervising employees whose day-to-day duties were to approve or deny consumer loan applications based on a members’ credit profile and the credit union's lending parameters.

Esner asked her to search Grow's secure computer system and to send him the credit union's customized lending strategy materials and its internal procedures and processes for loan applications.

Holliday, who worked from her home, allegedly emailed a copy of those documents to her personal email addresses and then forwarded them to Esner.

Before joining GTE in April 2016, Esner served as Grow's underwriting manager from 2011 to March 2016. During that time, Holliday reported directly to Esner. He was not named as a defendant in this lawsuit.

About a week after contacting Holliday, Esner asked her to send him Grow's dealer scorecard, a document that enables credit unions to assess the performance of auto dealers they work with. Again, Holliday allegedly sent the dealer scorecard to her personal email and then forwarded it to Esner.

“The documents Pierson (Holliday) provided to GTE contained confidential and proprietary information including PII (personal identifiable information) materials customized for Grow Financial, market research and other documents and/or information that may compromise the security of credit union members’ identity, the security of the credit union's technology and information system or detract from its competitive advantage or reputation as a leader in the marketplace,” David Brafman, a West Palm Beach lawyer for Grow Financial, wrote in the civil lawsuit.

Brafman also alleged that Holliday used her personal email to conceal that she was sending the documents to Esner.

On Sept. 20, Holliday submitted her two-week notice that she was leaving the credit union. But she didn't say anything about landing a new job at GTE, according to Brafman.

But in the days leading up to Sept. 20 and through Oct. 7, her last day on the job at Grow, Holliday emailed from her credit union email to her personal email dozens of reports and other documents.

Brafman alleged the documents contained Grow's confidential or proprietary information, which included personal information of Grow members, joint owners, beneficiaries and co-borrowers; historical loan ratio and performance reports; bankruptcy reports; collection files; indirect lending production mortgage and real estate owned members; loan application volume data; loan production data; employee coaching guides and charge-off statistics.

Grow accused GTE and Holliday of violating federal and state computer fraud, abuse and data recovery laws, state and federal laws that protect trade secrets and other violations such as conversion of documents and unfair competition.

Richard Salazar, a Tampa lawyer who is representing GTE, asked a judge to dismiss four of the nine alleged violations claimed by Grow. However, G. Wrede Kirkpatrick, a Tampa attorney, who is representing Holliday, asked a federal judge to toss the entire lawsuit because it does not meet the legal standards of providing factual allegations and that federal rules “demand more than an “unadorned, the defendant-unlawfully-harmed-me accusation.”

Christopher Hohn, a lawyer at Silicon Valley law firm Hopkins & Carley, who focuses on complex commercial and intellectual property litigation, said Grow's trade secret claims depend on proving that the misappropriated documents and other materials are trade secrets.

“To qualify as a trade secret, the information must be [among other things] both secret and subject to reasonable efforts to maintain its secrecy,” he said. “Having employees sign confidentiality or non-disclosure agreements at the outset of their employment is a common precaution to help protect trade secrets and other sensitive information, but it is not the only way to do so.”

For example, Grow may be able to show that it took reasonable measures to maintain the secrecy of the misappropriated data by including confidentiality provisions in other agreements with its employees and used technical means to limit access to the data to only those employees who really need it for legitimate business reasons. The credit union also may be able to show that it made clear what data it considers to be a trade secret and regularly trained its employees on the importance of protecting trade secrets, and the legal consequences of misappropriation.

While Holliday's lawyer said that she did not sign any specific non-disclosure or confidentiality agreements, which are standard documents for ensuring the protection of trade secrets, she did sign a telecommuting agreement with Grow that required Holliday to maintain the security, condition and confidentiality of the credit union's documents, information, data and files.

“Unfortunately, it's always better to be overcautious and have employees sign a separate document for each major requirement, or to have one that at least breaks each thing out very specifically,” Anne P. Mitchell, an Internet Law and policy attorney in Boulder, Colo., explained. “That said, if I were the judge in this case, I would not let someone who signed that telecommuting agreement, with that language, off the hook just because there was not a separate NDA or trade secret agreement. Regardless of what standard practice may be, assuming the language is accurate, what she signed is 

Additionally, even though telecommuting is more common today, employees who work from home who are handling confidential information should never be allowed to easily take that information off the credit union servers.

“And it should be encrypted with a system that can only be decrypted on company-owned devices, which renders it useless to anyone who doesn't have an encryption key,” Mitchell said.

In his experience, Hohn has seen that businesses often neglect to take appropriate actions to protect their trade secrets and other confidential information that can be valuable to their business growth.

While it is important to invest in good confidentiality and employment agreements, it is also a good idea to identify all valuable trade secrets, label them as such and ensure that only employees who need this information have access to it, and that they understand how to handle this information appropriately.

“You might also consider investing in software tools to prevent or monitor the copying or transfer of your trade secrets and other sensitive data,” Hohn said. “Imagine if technical limitations in Grow Financial's computer systems blocked the accused employee from copying the sensitive data, or notified her supervisor when the transfer occurred. Grow Financial could have put an end to the alleged misconduct before much of the alleged harm was done.”