Today, an organization's information may be its greatest asset. Information translates into money and power. What are your organization's most valuable information assets and how are they protected? If you don't know then it is time to find out.
It has been said that following the end of the Cold War there were nearly one million unemployed KGB agents, many with computer skills. A majority of these "spies" were retrained to seek out and steal economic and financial information from top industrial nations. When the Soviet Union collapsed more that 15 distinct nations sprung up in its place. Now, consider those struggling political states and other third-world nations and their predicament of trying to jump-start their economy. Should a large portion of their GNP be devoted to research and development, or perhaps to improve manufacturing processes? Or is their money better spent stealing existing technology, using the skills of these former spies?
If the thought of your organization being the subject of a LeCarre novel seems absurd, then consider the following:
• Hackers were able to view proprietary computer source code for several Microsoft products, including Windows and Office by penetrating the internal network of the Microsoft Corporation. It has been reported that they entered through an unprotected telecommuter's computer located in her home.
• A former employee of Cisco systems stole source code for a new software product valued at $2 billion. The employee had joined Cisco when his previous employer was acquired by Cisco.
• A French defense contractor suspected that critical design documents were being compromised. The investigation discovered that an espionage agent had obtained a job with the company.
In 1999, the American Society for Industrial Security (ASIS) conducted a survey of Fortune 1000 companies concerning their trade secret thefts. What the survey uncovered is astounding. Fortune 1000 companies lost more than $45 billion in 1999, and the greatest U.S. losses were in Manufacturing and Research & Development. The most frequently stated internal threats were from Other Equipment Manufacturers and on-site Contractors, while computer hackers pose the greatest external threats.
In contrast to previous surveys, ASIS found that it is not current or former employees that are considered to be the greatest risk to an organization's proprietary information and intellectual property. Rather, those with a trusted relationship to the company pose the most serious threats, such as temps, OEMs, service vendors working on-site, and consultants with access to computer networks.
Survey respondents cited their greatest concern is Internet, networks, and computer security. Sadly, a majority of the same respondents admitted that their information system security is not adequate. I have read that most organizations spend more on their coffee service than on information system security. So, how do you protect yourself from internal or external threats to security?
Auditing Your Information Assets
The first step in preventing your organization's assets from being stolen is to perform an audit:
To determine what the information assets used in your organization, consider such items as:
· Processes and Methods
· Drawings and Formulas
· Vendor Lists and Pricing
· Customer Information
· Future Advertising Campaigns
· Future Sales Literature
· Pricing Schedules
· Contracts and Bidding Information
· Personnel Files
· Insurance Files
· Payroll Information
Accounting and Financial Records
· Financial Statements and Supporting Records
· Banking and Finance Information
· Web Site Development Code
Once you have identified what your sensitive assets are, determine how you are currently protecting these assets. Is there a system in place for marking sensitive documents confidential and then filing them under lock and key, accessible only to those privy to the information? Whatever your security measures are, test them, and do so regularly. Are you finding recurring cracks in your security defense system? To conclude your Information Asset Audit, recommend improvements. Address the issues uncovered during each step of the audit. And then, know your rights in case you should have to prosecute the theft of your secrets.
The laws governing information assets generally fall into one or more of three categories:
1) Contractual Restraints – A company's case may rest on the fact that the violator breached a confidentiality agreement or restrictive covenant such as a
Do Not Compete clause or the like.
2) Fiduciary Duties – Employees are expected, during the course of employment, when making judgements regarding the release of secrets to consider whether there is good reason to do so, so that there is no room for carelessness. However, if a breach occurs after employment, the company must seek another avenue for relief.
3) Trade Secret Law – these are Tort actions and therefore a company can seek punitive damages. While it is concise, trade secret law it is somewhat crippled by its uncertainty and lack of uniformity, and its basis on the idea of "misappropriation" which involves a judgement regarding fair practices in a competitive market. Here we look at the two major trade secret laws, the Uniform Trade Secrets Act (UTSA) and the Economic Espionage Act (EEA).
Prosecuting Intellectual Property Crimes – Trade Secrets
The Law makes trade secrets a subset of the broader category "Intellectual Property," including Copyrights, Trademarks, and Patents. In the case of a trade secret, protection can last longer than both Copyrights (100 years) and Patents (20 years). In general, a trade secret may consist of any formula, pattern, device or compilation of information which is used in business, gives a competitive advantage, and which is kept confidential. And, because of this broad definition nearly anything can qualify. Some things seem logical and obvious such as Coca-Cola's secret formula or Brach's formula for Tootsie Rolls, now over 100 years old. While others seem to barely fit our idea of what a trade secret should be, for example, a company's formalized internal collaborative structure between Sales, Marketing, Research & Development, and Manufacturing to exceed customer expectations regarding product and service delivery – which leads to exponential growth in market share.
The law does not identify in concrete terms what a trade secret is; it merely provides guidelines by which to evaluate on a case-by-case basis whether or not something might qualify. To determine whether something is a trade secret, consider whether the information has competitive value? Is the information a secret not generally known in the industry? Is it one that is given deference by the company to be treated with confidentiality? Once determined to be a secret, the question then becomes whether this is a protected trade secret by statute or otherwise.
The UTSA was developed in 1979 by the National Conference of Commissioners on Uniform State Laws (think UCC). And, while it has not been uniformly adopted in its original form, it does provide the most comprehensive synopsis; it can be considered "the Law" in those jurisdictions that have adopted its provisions. Its scope focuses on the following unauthorized activities:
A. Acquisition by improper action such as a breach of duty or espionage, or by accident – provided that the "finder" wouldn't be prejudiced by the Court granting relief;
B. Disclosure, such as getting the information into the hands of a competitor; and,
C. Use, for example, by an existing or newly formed competitor
The EEA enacted in 1996 focuses more specifically on spying to obtain secrets. If intentional spying is suspected, the Act empowers the FBI to investigate spies who steal secrets for foreign interests or economic gain pursuant to Section 1831; and Section 1832 applies to the theft of commercial trade secrets by employees and competitors. Consider the following for bringing charges under the EEA:
• Did the defendant steal; or with or without the authorization of the owner, was information obtained, destroyed, or conveyed?
• Did the defendant know the information was proprietary?
• Is the information in fact a trade secret?
The EEA goes one step further as well, it not only sanctions those who improperly obtain, or convey information, but also it sanctions those who receive, buy, or possess a trade secret knowing that the secret has been stolen or misappropriated. Consider:
• At the time of disclosure, did the defendant have notice that the information was improperly obtained?
• Did he have notice that the disclosure was a breach of duty?
• Did the defendant have notice that the information was in fact a trade secret and that the disclosure was a mistake?
But litigation is expensive, and time-consuming, and the outcome is almost always uncertain. It is more effective (and less costly) to prevent theft than to prosecute theft; and for this - education is critical. Most people believe they have a grasp of what the trade secret law provides. The goal then is not to teach as if the learners were a blank slate, but rather to redefine what they believe they already know. The key is to impress upon workers that they have a responsibility as part of their day to day activities to help administer the company's portfolio of trade secrets. How? Simplify the Law:
1) Make no distinction between information and documents that contain information.
2) State that all company information is owned by the company and that as an employee you are paid and expected to contribute to its overall
3) All information has at least some competitive value and should be protected – the company will determine the proper scope of its use.
4) The company will create "need to know" spheres of information. Information flow between and out of spheres will be at the company's discretion.
Methods of Education
In-house seminars: Don't fall into the easy circumstance of bringing in legal counsel to preach to the masses. Instead, hold an informal, but structured discussion addressing what the employees know and what they might not. Reinforce the session with take-away reference materials.
Newsletters: Distribute or post on the organization's Intranet ad hoc real-life case stories supplemented by analysis and/or commentary from company policy makers, and a restatement of the company's trade secret policy with employee responsibilities.
Methods of Expression to Support Education
Notwithstanding the general assertion that employee handbooks are not to be construed as a contract, with the company's expectation that everyone be conversant with its contents the handbook becomes an ideal instance of express notice regarding what the company deems confidential and how to handle that information.
Use entrance, performance, and exit interviews to determine what the person brings with himself from previous employers, what access he has to sensitive information during his employment, and what risks there are of leakage upon his departure. This tactic could also serve to raise red flags for early detection of breaches.
Place restrictions on visitors and other outsiders to sensitive areas, i.e., do not let the VP of Sales parade potential clients right through the manufacturing floor to the heart of your secret process, to impress upon them how much more technologically advanced you are over your competitors. Mark sensitive documents as such – and store them securely. Don't underestimate the power of more public postings of policy such as bulletin boards.
Schedule periodic Information Drills to sweep all areas randomly. The drills will perform double duty by putting up red flags of possible trouble, and stand testament to the company's diligence in protecting sensitive information. This may be your only defense at trial – a solid, well-oiled security and testing system. Look for exposed documents during work hours to unauthorized personnel and during evening hours in plain view of anyone passing through. Look for computers sitting in "sleep" or energy save mode during lunch and other daytime breaks and overnight rather than off or password protected.
The challenge facing company policy makers is balancing individual creativity and freedom in the workplace with the absolute need to keep certain information a secret. At the end of the day, or at the beginning of trial, you need to be confident that you have in place definite procedures for identifying trade secrets, protecting their leakage, and testing your vulnerability. With these procedures in place your secrets will stay that way.
Copyright © 2018 McGovern & Greene LLP
Questions or comments?