Pfizer Alleges Worker Took COVID Vaccine, Trade SecretsExperts Say Case Underscores Challenges in Protecting IP
Pfizer has filed legal action against a former employee, alleging she uploaded to personal devices and accounts thousands of files containing confidential information and trade secrets pertaining to the company's vaccines and medications, including its COVID-19 vaccine, to potentially provide to her new employer, a competing biopharmaceutical company.
See Also: Case Study: The Road to Zero Trust
In a lawsuit filed on Nov. 23 in a California federal court, New York-based Pfizer alleges that Chun Xiao "Sherry" Li over several days in late October uploaded over 12,000 files - including confidential company documents - from her Pfizer-issued laptop to a personal Google Drive account and onto other personal devices. The complaint alleges that Li had informed Pfizer she planned to resign on Nov. 24, and Pfizer believed she planned join Xencor Inc., a competitor based in Monrovia, California.
"On her way out the door, [Li] transferred onto personal accounts and devices over 12,000 files, scores of which contain Pfizer confidential and trade-secret information, and tried covering her tracks repeatedly," the lawsuit alleges.
Li "went so far as to provide Pfizer’s security team a decoy laptop, leading Pfizer to believe it was the one she used to download the 12,000 files from her Google Drive account. Forensic analyses confirmed it was not, and Li - or somebody else … - likely remains in possession of the actual computer that contains those files," the complaint alleges.
Pfizer's complaint says Li was hired in 2006 and served as associate director of statistics in Pfizer’s global product development group at Pfizer’s facility in La Jolla, California.
Pfizer's lawsuit was also filed against five other as-yet-unnamed defendants, who Pfizer alleges "are individuals or corporations who acted or are acting in concert with Li" in connection with the misappropriation, acquisition or disclosure of Pfizer’s trade-secret and confidential information in violation of federal and state laws.
Among other requests, the company in its lawsuit is seeking a temporary restraining order to stop Li from disclosing or transmitting Pfizer’s confidential information or trade secrets while Pfizer commences arbitration proceedings in accordance with the terms of a confidentiality agreement Li entered into as part of her employment with Pfizer.
In its complaint, Pfizer says that as part of its tracking of employee activity on company devices, the company's security team discovered on Oct. 29 that, between Oct. 23 and Oct. 26, while she was "out of office," Li transferred over 12,000 files from her Pfizer laptop to an online Google Drive account.
"Pfizer immediately initiated a digital review of Li’s emails, her file access, and her internet activity on her Pfizer-issued laptop," the complaint says. An investigation into Li’s Pfizer email account revealed that she had been interviewing with and had received an offer of employment from Xencor, the lawsuit alleges.
Pfizer human resources, security, and digital-forensics personnel spoke with Li twice on Oct. 29, the lawsuit alleges.
In the first conversation, Pfizer alleges Li admitted to having transferred the files, claiming that she had done so because she had wanted to organize her files offline and have them for her own personal use, and had not copied the files elsewhere, the complaint alleges.
"A couple of hours later, Pfizer’s digital-forensics personnel had a second conversation with Li via videoconference. Between the two conversations, Li logged onto her Google Drive account and deleted all of the files saved there," the complaint says.
During the second conversation with Pfizer later that day, Li disclosed that she had deleted all the files from her Google Drive account. Pfizer personnel then requested that Li come to Pfizer’s La Jolla office on Nov. 1 to turn over her external hard drive and personal laptop for inspection, the lawsuit says.
"Li expressed reluctance to provide her personal laptop, explaining that it contained personal information, but ultimately agreed to do so. Later that night, Pfizer personnel subsequently deactivated Li’s Pfizer system access, her laptop, and her badge," the lawsuit says.
When Li came into Pfizer’s offices in La Jolla on Nov. 1 to return her Pfizer-issued laptop, she also provided a personal laptop "that she led Pfizer to believe" was the one she had used to download the Pfizer documents from her Google Drive account onto her external hard drive, as well as the external hard drive itself, the complaint alleges.
Pending completion of Pfizer’s forensic analyses of the devices, Pfizer placed Li on paid administrative leave. "The forensic examination of Li’s devices revealed that Li … provided Pfizer with a personal laptop other than the one she used to download the 12,000 files," the complaint alleges.
"The forensics analysis also revealed that the laptop Li had provided to Pfizer was hardly used during the week of October 25 when the downloads occurred, corroborating that she most likely used a different laptop to initiate the downloads … indicating that another, unknown laptop likely contains the 12,000 files she downloaded," the lawsuit alleges.
"Given that Li is leaving Pfizer to start work for a competitor … and appears to remain in possession of Pfizer trade-secret and confidential information, Pfizer has no choice but to commence this action and seek a temporary restraining order against her."
In a statement provided to Information Security Media Group, Pfizer says it is investigating and pursuing civil action against an employee who it "believes" improperly downloaded thousands of documents before a planned exit from the company.
"Pfizer takes the safeguarding of sensitive and confidential information very seriously. Protecting that information is critical to scientific innovation, ultimately enabling us to deliver breakthroughs for patients," the company says.
Neither Li nor Xencor immediately responded to ISMG's requests for comment.
Some experts say the Pfizer case underscores ongoing challenges many corporations face involving intellectual property.
"Corporate espionage committed by competitors or foreign countries with state-owned businesses is a very real problem for companies," says former federal prosecutor Andrew Wirmani, an attorney at the law firm Reese Marketos LLP.
"To prevent the potentially devastating consequences of this and similar crimes, it is important for companies to have strong policies that restrict how employees handle confidential information and trade secrets and an active IT department that ensures those policies are followed," he says.
Wirmani, who is not involved in the Pfizer case, notes that, so far, it is difficult to say for sure whether the pandemic or organizations having more employees working from home has had any direct impact on these types of alleged trade secret theft issues for companies.
"Because most information is digital in today’s day and age, employees can misuse proprietary information from their offices just as easily as they can from their homes," he says.
"And where an employee is working has little to do with how well an employer can monitor their use of digital devices," he says.
Because the pandemic appears to have led to more employees changing jobs, however, "this could certainly increase the volume of employees attempting to misappropriate confidential information for the benefit of their new employers."
Regulatory attorney Rachel Rose says the use of monitoring tools, such as what apparently helped Pfizer to quickly detect the alleged transfer of sensitive files in its case involving Li, is increasingly critical for organizations in their defense against many types of threats.
"As one can imagine, a pharmaceutical company, medical device company, healthcare system, or a biotechnology company has a lot at stake in terms of intellectual property, ransomware attacks and the exfiltration of data," she says.
Depending upon the circumstances in the Pfizer case, such as whether the information allegedly taken by Li contained patients' personally identifiable information or protected health information - and to whom any potential disclosures were made - the incident might also trigger HIPAA breach notification and other reporting duties for Pfizer, Rose notes.