Today, an organization’s information may be its greatest asset. Information translates into money and power. What are your organization’s most valuable information assets and how are they protected? If you don’t know then it is time to find out.
It has been said that following the end of the Cold War there were nearly one million unemployed KGB agents, many with computer skills. A majority of these “spies” were retrained to seek out and steal economic and financial information from top industrial nations. When the
If the thought of your organization being the subject of a le Carré novel seems absurd, then consider the following:
· Hackers were able to view proprietary computer source code for several Microsoft products, including Windows and Office, by penetrating the internal network of the Microsoft Corporation. It has been reported that they entered through an unprotected telecommuter’s computer located in her home.
· A former employee of Cisco Systems stole source code for a new software product valued at $2 billion. The employee had joined Cisco when his previous employer was acquired by Cisco.
· A French defense contractor suspected that critical design documents were being compromised. The investigation discovered that an espionage agent had obtained a job with the company.
In 1999, the American Society for Industrial Security (ASIS) conducted a survey of Fortune 1000 companies concerning their trade secret thefts. What the survey uncovered is astounding. Fortune 1000 companies lost more than $45 billion in 1999, and the greatest
In contrast to previous surveys, ASIS found that it is not current or former employees that are considered to be the greatest risk to an organization’s proprietary information and intellectual property. Rather, those with a trusted relationship to the company pose the most serious threats, such as temps, OEMs, service vendors working on-site, and consultants with access to computer networks.
Survey respondents cited Internet, network, and computer security as their greatest concern. Sadly, a majority of the same respondents admitted that their information system security is not adequate. I have read that most organizations spend more on their coffee service than on information system security. So, how do you protect yourself from internal or external threats to security?
Auditing Your Information Assets
The first step in preventing your organization’s assets from being stolen is to perform an audit:
To determine what information assets are used in your organization, consider such items as:
· Manufacturing
    · Processes and Methods
    · Drawings and Formulas
    · Patents
    · Vendor Lists and Pricing
· Marketing
    · Customer Information
    · Future Advertising Campaigns
    · Future Sales Literature
    · Pricing Schedules
    · Contracts and Bidding Information
· Human Resources
    · Personnel Files
    · Insurance Files
    · Payroll Information
· Accounting and Financial Records
    · Financial Statements and Supporting Records
    · Banking and Finance Information
· E-Commerce Applications
    · Web Site Development Code
Once you have identified what your sensitive assets are, determine how you are currently protecting these assets. Is there a system in place for marking sensitive documents confidential and then filing them under lock and key, accessible only to those privy to the information? Whatever your security measures are, test them, and do so regularly. Are you finding recurring cracks in your security defense system? To conclude your Information Asset Audit, recommend improvements. Address the issues uncovered during each step of the audit. And then, know your rights in case you should have to prosecute the theft of your secrets.
Legal Considerations
The laws governing information assets generally fall into one or more of three categories:
1) Contractual Restraints – A company’s case may rest on the fact that the violator breached a confidentiality agreement or restrictive covenant such as a Do Not Compete clause or the like.
2) Fiduciary Duties – During the course of employment, employees are expected, when making judgements regarding the release of secrets, to consider whether there is good reason to do so, so that there is no room for carelessness. However, if a breach occurs after employment, the company must seek another avenue for relief.
3) Trade Secret Law – These are tort actions, and therefore a company can seek punitive damages. While it is concise, trade secret law is somewhat crippled by its uncertainty and lack of uniformity, and by its basis on the idea of “misappropriation,” which involves a judgement regarding fair practices in a competitive market.
Here we look at the two major trade secret laws, the Uniform Trade Secrets Act (UTSA) and the Economic Espionage Act (EEA).
Prosecuting Intellectual Property Crimes – Trade Secrets
The Law makes trade secrets a subset of the broader category “Intellectual Property,” including Copyrights, Trademarks, and Patents. In the case of a trade secret, protection can last longer than both Copyrights (100 years) and Patents (20 years). In general, a trade secret may consist of any formula, pattern, device or compilation of information which is used in business, gives a competitive advantage, and which is kept confidential. And, because of this broad definition nearly anything can qualify. Some things seem logical and obvious such as Coca-Cola’s secret formula or Brach’s formula for Tootsie Rolls, now over 100 years old. While others seem to barely fit our idea of what a trade secret should be, for example, a company’s formalized internal collaborative structure between Sales, Marketing, Research & Development, and Manufacturing to exceed customer expectations regarding product and service delivery – which leads to exponential growth in market share.
The law does not identify in concrete terms what a trade secret is; it merely provides guidelines by which to evaluate on a case-by-case basis whether or not something might qualify. To determine whether something is a trade secret, consider: Does the information have competitive value? Is the information a secret not generally known in the industry? Is it one that is given deference by the company to be treated with confidentiality? Once it is determined to be a secret, the question then becomes whether this is a protected trade secret by statute or otherwise.
Laws
The UTSA was developed in 1979 by the National Conference of Commissioners on Uniform State Laws (think UCC). And, while it has not been uniformly adopted in its original form, it does provide the most comprehensive synopsis; it can be considered “the Law” in those jurisdictions that have adopted its provisions. Its scope focuses on the following unauthorized activities:
A. Acquisition by improper action such as a breach of duty or espionage, or by accident – provided that the “finder” wouldn’t be prejudiced by the Court granting relief;
B. Disclosure, such as getting the information into the hands of a competitor; and,
C. Use, for example, by an existing or newly formed competitor
The EEA, enacted in 1996, focuses more specifically on spying to obtain secrets. If intentional spying is suspected, the Act empowers the FBI to investigate spies who steal secrets for foreign interests or economic gain pursuant to Section 1831; Section 1832 applies to the theft of commercial trade secrets by employees and competitors. Consider the following for bringing charges under the EEA:
✓ Did the defendant steal; or with or without the authorization of the owner, was information obtained, destroyed, or conveyed?
✓ Did the defendant know the information was proprietary?
✓ Is the information in fact a trade secret?
The EEA goes one step further as well: it sanctions not only those who improperly obtain or convey information, but also those who receive, buy, or possess a trade secret knowing that the secret has been stolen or misappropriated. Consider:
✓ At the time of disclosure, did the defendant have notice that the information was improperly obtained?
✓ Did he have notice that the disclosure was a breach of duty?
✓ Did the defendant have notice that the information was in fact a trade secret and that the disclosure was a mistake?
Preventative Steps
But litigation is expensive and time-consuming, and the outcome is almost always uncertain. It is more effective (and less costly) to prevent theft than to prosecute theft, and for this, education is critical. Most people believe they have a grasp of what the trade secret law provides. The goal then is not to teach as if the learners were a blank slate, but rather to redefine what they believe they already know. The key is to impress upon workers that they have a responsibility as part of their day-to-day activities to help administer the company’s portfolio of trade secrets. How? Simplify the Law:
1) Make no distinction between information and documents that contain information.
2) State that all company information is owned by the company and that as an employee you are paid and expected to contribute to its overall success.
3) All information has at least some competitive value and should be protected – the company will determine the proper scope of its use.
4) The company will create “need to know” spheres of information. Information flow between and out of spheres will be at the company’s discretion.
Methods of Education
In-house seminars: Don’t fall into the easy circumstance of bringing in legal counsel to preach to the masses. Instead, hold an informal, but structured discussion addressing what the employees know and what they might not. Reinforce the session with take-away reference materials.
Newsletters: Distribute or post on the organization’s Intranet ad hoc real-life case stories supplemented by analysis and/or commentary from company policy makers, and a restatement of the company’s trade secret policy with employee responsibilities.
Methods of Expression to Support Education
Notwithstanding the general assertion that employee handbooks are not to be construed as a contract, the company’s expectation that everyone be conversant with the handbook’s contents makes it an ideal instance of express notice regarding what the company deems confidential and how to handle that information.
Use entrance, performance, and exit interviews to determine what the person brings with him from previous employers, what access he has to sensitive information during his employment, and what risks there are of leakage upon his departure. This tactic could also serve to raise red flags for early detection of breaches.
Physical Security
Place restrictions on visitors and other outsiders to sensitive areas, i.e., do not let the VP of Sales parade potential clients right through the manufacturing floor to the heart of your secret process, to impress upon them how much more technologically advanced you are over your competitors. Mark sensitive documents as such – and store them securely. Don’t underestimate the power of more public postings of policy such as bulletin boards.
Early Detection
Schedule periodic Information Drills to sweep all areas randomly. The drills will perform double duty by putting up red flags of possible trouble and standing as testament to the company’s diligence in protecting sensitive information. This may be your only defense at trial – a solid, well-oiled security and testing system. Look for documents exposed to unauthorized personnel during work hours and left in plain view of anyone passing through during evening hours. Look for computers sitting in “sleep” or energy save mode during lunch and other daytime breaks and overnight, rather than turned off or password protected.
The challenge facing company policy makers is balancing individual creativity and freedom in the workplace with the absolute need to keep certain information a secret. At the end of the day, or at the beginning of trial, you need to be confident that you have in place definite procedures for identifying trade secrets, preventing their leakage, and testing your vulnerability. With these procedures in place, your secrets will stay that way.