The confidential information and trade secrets of U.S. corporations will be stolen; the only questions are when, and how much damage the theft will cause. Indeed, Congress has heard this year from a slew of witnesses who have testified about the threat posed by foreign hackers who penetrate U.S. companies’ computers and steal valuable data and intellectual property. FBI Director Robert Mueller testified that hacking could soon replace terrorism as the FBI’s primary concern. Gen. Keith Alexander, head of the military’s Cyber Command, characterized the losses caused by cybertheft as the “greatest transfer of wealth in history.”
At the same time, however, employees and other insiders, who by virtue of their position have access to companies’ confidential information, remain the greatest threat to the security of the intellectual property. According to a study I conducted of the 120 prosecutions the government has brought for theft of trade secrets, in more than 90 percent of the prosecutions, the defendant was an “insider” and had access to the trade secrets because he or she either was an employee of the victim, or worked for a vendor or contractor of the victim.
Companies should also be aware that defendants almost always misappropriate the trade secrets shortly before resigning from the victim company. In addition, most information is obtained by downloading from the companies’ computer system.
The threats to confidential data are even greater for companies that operate overseas, especially in countries that don’t enforce the protection of intellectual property rights to the same extent as the United States. It is critical, therefore, that U.S. companies operating worldwide adopt a set of best practices for protecting intellectual property that not only applies to their U.S. employees, but to their foreign offices as well.
There are a number of best practices that a company, whether operating domestically or internationally, should adopt:
- Employees and vendors must be required to sign a code of conduct and confidentiality, and non-disclosure agreements before beginning work. It is critically important to create not only legal obligations for employees to safeguard the company’s confidential information, but also to impress upon them the importance of doing so. Employees should be reminded of their obligation to maintain the secrecy of the company’s proprietary information through regular training and audits.
- Electronically stored confidential information should be compartmentalized and accessible only on a need-to-know basis. There is simply no reason for employees who, for example, are not working on a particular project to have access to confidential information relating to the project or for employees who are working on a section of the project to have access to all of the project’s intellectual property.
- Immediately revoke a departing employee’s ability to access any proprietary information.
- Conduct an exit interview with the employee and require him or her to attest that he or she is not taking any confidential or proprietary information to a new employer. It is absolutely critical for a company to learn the departing employee’s future plans and, more specifically, if the departing employee intends to join a competitor or start his or her own company.
- If suspicious activity on the part of the departing employee is uncovered, consider conducting a full-scale investigation of the former employee’s recent conduct. This should include, for example, a forensic analysis of the employee’s electronic devices, including any company-issued laptop.
It is especially important that U.S. companies operating internationally understand that regardless of the steps undertaken to protect their confidential information, the protection is only as strong as the weakest link; companies must continuously evaluate the situation and implement new protections as the situation warrants. At a minimum, companies, regardless of where they do business, should implement the following additional measures:
1. Physical security measures should include carefully controlled access to facilities containing valuable proprietary and confidential information.
2. Network and computer security should at a minimum include passwords and firewalls to prevent infiltration by hackers and other outside threats.
3. Implementation of a policy that controls the classification and marking of proprietary documents and access to documents and their physical handling.
4. Training of new hires and current employees, regardless of nationality, as well as security audits to promote compliance with the program’s policies.
Even with best practices for protecting intellectual property, companies are still vulnerable to having their confidential information and trade secrets misappropriated. Accordingly, it is crucial that companies not only continuously re-evaluate their practices, but also consult with security and legal experts in each country in which they do business, to make sure they are not running afoul of any laws and are protecting their valuable information in a manner that preserves all available legal protections. The review should emphasize internal threats and the danger of foreign economic espionage, especially to high-tech companies.
Peter J. Toren is a partner with Weisbrod, Matteis & Copley in Washington, D.C. He was also a federal prosecutor with the Computer Crime & Intellectual Property Section of the Justice Department and is the author of Intellectual Property & Computer Crimes. Send comments on this column to firstname.lastname@example.org.
This was first published in November 2012