Genentech data theft by JHL Biotech holds lessons for information security

At first glance, the case of Racho Jordanov, CEO of JHL Biotech (Eden Biologics), and COO Rose Lin looked like another case of corporate espionage. They targeted a technology they needed and then set out to acquire the technology. For many years they successfully stole Genentech’s secrets.
That is, until the tap was turned off with the indictment of wife and husband Xanthe Lam and Allen Lam, who along with others were collectively indicted in October 2018 for the theft of Genentech trade secrets. Xanthe Lam was a senior scientist at Genentech, where she worked from 1986 to 2017. Allen Lam, her husband, worked in quality control at the company from 1989 to 1998.
The duo pleaded guilty in August 2021 to “obtaining and possessing proprietary confidential information and trade secrets of Genentech” between 2011 and 2019.
Five years of insider theft
The guilty plea entered by the Lams indicated how the couple discussed their pipeline of secrets. Their cooperation was sought by Jordanov and Lin. Allen Lam went to work for JHL in 2013 as a consultant, and his wife Xanthe continued working at Genentech. The conduit isn’t hard to uncover: She passed on Genentech’s secrets to her husband, who transferred them to JHL. She didn’t just share her secrets with her husband; she shared the contents of her Genentech-issued laptop with JHL when she traveled to Taiwan and quietly toured JHL’s facilities for four weeks.
Indeed, she was all-in, as she was on the interview team for John Chan, a family friend who was hired by JHL to work on formulation development and to whom, via Allen, Xanthe’s stolen information was provided. She remotely supervised Chan’s work at JHL from May 2014 to September 2016.
Her access within Genentech was JHL’s access. Xanthe recommended a former Genentech employee to be hired as an “engineering manager” by JHL. When hired, Xanthe provided the manager, James Quach, with her login credentials to access Genentech’s secure databases. As expected, Quach uploaded some interesting material through July and August 2017.
The court document points out that through her “termination in the fall of 2017, she continued to upload and provide Genentech proprietary information to JHL.” The Lams have yet to be convicted.
United States Senior District Judge Hon. William Alsup of the Northern District of California sentenced the former CEO and COO of JHL Biotech in mid-March 2022 to 12 months and one day in prison, followed by a period of supervised release, as punishment for the theft of Genentech trade secrets and wire fraud to the tune of $101 million.
The Genentech civil case
Genentech sued JHL in October 2018, and the case closed in December 2021. Genentech was awarded relief, and in theory its trade secrets are protected from use by the individuals who stole the information and those who used it at JHL. Individual defendants are prohibited from working on specific areas of research for varying periods of time, some lasting until the end of 2028 and others for shorter periods (unless the two parties agree on a path of research).
Ethical dilemmas around intellectual property
One of the key hiring issues that every entity must address with a new hire is ensuring that the new hire does not introduce another entity’s intellectual property into the organization, either deliberately or accidentally.
Clearly, no ethical dilemmas have been encountered within JHL’s corporate culture regarding the infusion of the intellectual property of others to further the company’s plans, intentions and goals given guilty pleas from the CEO and COO. That said, what about the individual employees who weren’t part of the larger conspiracy? What path did they take when they discovered that the company’s research had its roots in Genentech information? The view from afar tells us that the employee could vote with their feet and notify law enforcement and the company whose data was stolen, Genentech.
Infosec lessons from the JHL/Genentech case
Likewise, for Genentech, learning that one of its top scientists had been sharing significant amounts of its intellectual property with others for many years must have come as a surprise. There is no doubt that information security teams were engaged in months of damage assessment in 2018.
Questions galore undoubtedly percolated all the way to the top. One of the most significant would appear to be how the company laptop issued to Xanthe Lam and viewed in Taiwan during her four-week visit to JHL was not logged as an anomaly. (Maybe her logins weren’t anomalous events with the use of a VPN?) Another question: Was her own information gathering over the years, or the use of her database login credentials to reach sensitive data, considered abnormal?
The Lams’ indictment states that Genentech’s infosec team had log files and access to emails that were apparently used to tell the story of the theft and on which the multi-count indictment was founded.
Genentech trusted its employees and those employees broke that trust. Once Genentech found out what was going on, they apparently called law enforcement, allowed the criminal case to continue, and then filed a civil suit to protect their intellectual property.
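The two questions raised above (a company laptop used from abroad for weeks, and one person's credentials used by someone else) map onto simple checks over authentication logs. The sketch below is an added example, not taken from Genentech or the court record; the log fields, account names, device IDs, dates and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: VPN/SSO logins as (day, account, device_id, client_country).
# client_country is assumed to be geolocated from the client's public IP as
# recorded by the VPN gateway, not from the internal address it hands out.
def _days(start, n):
    return [start + timedelta(days=i) for i in range(n)]

EVENTS = (
    [(d, "scientist1", "LT-0042", "US") for d in _days(date(2017, 1, 2), 5)]
    + [(d, "scientist1", "LT-0042", "TW") for d in _days(date(2017, 1, 9), 10)]
    + [(date(2017, 1, 20), "scientist1", "UNKNOWN-7", "US")]
    + [(d, "analyst2", "LT-0100", "US") for d in _days(date(2017, 1, 2), 5)]
)
DEVICE_OWNER = {"LT-0042": "scientist1", "LT-0100": "analyst2"}  # asset inventory
HOME_COUNTRY = {"scientist1": "US", "analyst2": "US"}            # HR record

def find_anomalies(events, device_owner, home_country, min_days=5):
    """Return (account, rule, detail, first_day) tuples for two insider-risk rules."""
    findings = []
    abroad = defaultdict(set)  # (account, country) -> distinct days seen
    for day, account, device, country in sorted(events):
        # Rule 1: credentials used on a device not issued to that account,
        # which is what shared or borrowed credentials look like in the logs.
        if device_owner.get(device) != account:
            findings.append((account, "unassigned_device", device, day))
        if country != home_country.get(account):
            abroad[(account, country)].add(day)
    # Rule 2: sustained access from a non-home country on min_days or more
    # distinct days; a VPN hides this only if the gateway's client IP is ignored.
    for (account, country), days in sorted(abroad.items()):
        if len(days) >= min_days:
            findings.append((account, "extended_foreign_access", country, min(days)))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(EVENTS, DEVICE_OWNER, HOME_COUNTRY):
        print(finding)
```

Neither rule proves theft on its own; each produces a lead to reconcile against travel approvals and device assignments.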
Businesses would be well served to invest in information security and the resulting information protection policies, procedures and mechanisms to protect against the threat posed by a malicious insider. Otherwise, they will find themselves, like Genentech, investing to be a cooperative witness in the corporate espionage suit, and then pursuing their intellectual property through the court system.
Copyright © 2022 IDG Communications, Inc.