Web Scraping can be Misappropriation of Trade Secrets featured image

Web Scraping can be Misappropriation of Trade Secrets

by John DiGiacomo

Partner

Internet Law

A recent decision from the US Court of Appeals for the 11th Circuit has held that web scraping data from a public website can, under some circumstances, be deemed a misappropriation of trade secrets. See Compulife Software, Inc. v. Newman, Case Nos. 18-12004, 18-12007 (11th Cir. May 20, 2020). The case was decided under the Florida version of the Uniform Trade Secrets Act (“UTSA”). 47 states have enacted the UTSA, so the case has potential applicability in most jurisdictions in the country and is relevant also for cases filed pursuant to the federal Defend Trade Secrets Act (DTSA).

Web Scraping is a technique for extracting data from publicly accessible websites. It is not a traditional form of “hacking,” which involves breach of some security protocol. In theory, web scraping is done “with permission” in the sense that access to the website and the data is allowed. The person engaged in web scraping uses a code software application, or a “bot,” to request information from a server using ordinary commands. An individual can use these commands to obtain data and information from the website’s server. The bot, however, can use the commands to obtain data from the website at the rate of several queries per second. Each query is technically made one at a time, but the automated nature of the bot allows the web scraper to extract tremendous amounts of data in a very short amount of time. As the court explained in Compulife, by formulating queries in an orderly fashion and recording the resulting information, the bot can create a copy of a database underlying a website.

That is what was alleged in the Compulife case. Compulife operates a web-based life insurance quote service that allows registered users to compare life insurance quotes offered by various insurance companies. The plaintiff alleged that the web scraper, an individual hired by a competitor, used a bot to run millions of queries that effectively duplicated the relevant Compulife databases in about four days.

In the lawsuit, among many legal causes of action, Compulife alleged that the defendants misappropriated Compulife’s trade secrets through this web scraping technique. To state a cause of action for trade secret misappropriation, the trade secret owner must allege and prove

  • Possession of a trade secret and
  • That the secret was misappropriated by improper means

In response to the trade secret claim, the defendants argued that the data was not “secret” since it was available to the public, and that web scraping was not “improper” because it was just an automated version of what users were allowed to do.

At the trial level, the assigned Magistrate Judge agreed with the defendants. The Magistrate held that the data was not protectible under the trade secret laws because each quote obtained by the web scraping queries was publicly available and, therefore, not “secret.” Likewise, even if the quotes were subject to the trade secret laws, there was no misappropriation because there was no “improper means.” If an individual could make the query, then using a bot to make the same queries was not misappropriation of trade secrets.

On appeal, the 11th Circuit disagreed. It was conceded by Compulife that the result of a single query was not a trade secret. However, the court held that the status of an individual query as a “secret” might be different from the status of the entire database. Reasonable security measures are needed for data to be deemed a “trade secret.” Although public availability was one factor suggesting that the data was not securely protected, public availability did not automatically strip the database of its trade secret status. More evidence was needed on other security measures put in place by Compulife.

Likewise, on the question of misappropriation, the court held that more evidence was needed. The legal issue is whether the web scraping can be deemed as an “improper means.” Trade secret law has long held that activities which might otherwise be independently lawful, such as aerial reconnaissance, might still constitute improper means for purposes of trade secret misappropriation. Further, while executing one query might not be misappropriation, at some point, executing a sufficient quantity of queries might be. The court also reasoned that intent and permission were relevant in that Compulife might have consented to multiple queries by an individual or company — even thousands of queries — but that consent did not automatically mean that Compulufe consented to millions of queries. All of these factors were relevant to whether web scraping was an “improper means.” The case was returned to the Magistrate Judge for further proceedings.

This is an important case since web scraping has become more and more common. The case provides some practical lessons for companies allowing public access to their data. For example, at a minimum, the relevant Terms of Service Agreement should explicitly limit the allowable access to the data and forbid duplication and storage. Such contractual limitations will constitute a form of “reasonable security measure” that will help protect the database as a “trade secret.” If you have questions about protecting your trade secrets or if you need to initiate trade secret litigation, contact the trade secret lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

The Minnesota Consumer Data Privacy Law: What Businesses Should Know (Part Two)

The Minnesota Consumer Data Privacy Law: What Businesses Should Know (Part Two)

Internet Law

In May 2024, Minnesota enacted the Minnesota Consumer Data Privacy Act (“MCDPA”). In Part One of this two-part article, the Consumer Data Protection Attorneys at Revision Legal discussed the consumer rights and consumer-facing business obligations imposed by the MCDPA, including additional consumer rights related to automated decisions that utilize profiling data. The MCDPA allows consumers […]

Read more about The Minnesota Consumer Data Privacy Law: What Businesses Should Know (Part Two)

Advantages of Forming Corporate Entities for Operating Your Business

Advantages of Forming Corporate Entities for Operating Your Business

Corporate

Under most circumstances, the experienced Business Lawyers at Revision Legal deem it prudent for clients to operate their businesses through a corporate entity like a standard corporation or a limited liability company. Of course, there are some circumstances where a partnership of some type might be the better option, but it would be a rare […]

Read more about Advantages of Forming Corporate Entities for Operating Your Business

The Minnesota Consumer Data Privacy Law: Summary For Consumers

The Minnesota Consumer Data Privacy Law: Summary For Consumers

Internet Law

In May 2024, Minnesota enacted a consumer data privacy statute called the Minnesota Consumer Data Privacy Act (“MCDPA”). About 20 States have enacted consumer data privacy statutes similar to the MCDPA, and the MCDPA follows the general template of those statutes. However, there are some unique and additional features of the MCDPA that are very […]

Read more about The Minnesota Consumer Data Privacy Law: Summary For Consumers

Put Revision Legal on your side

Let's Discuss Your Case