Intellectual property protection do's and don'ts

Theft of intellectual property is a growing problem but many companies are not prepared to deal with this security threat. Learn about the risk involved with trade secrets, why companies are failing to protect intellectual property and tips for data protection, including risk assessment, encryption, and corporate governance.

It's a cold day in late November. Two men are getting ready to board a plane bound for Southeast Asia at San Francisco...

International airport. In their luggage is millions of dollars worth of stolen trade secrets. These pilfered project designs, manuals, CDs, floppy diskettes and third-party licensed materials will allow nefarious foreign buyers to unlock the secrets of the most innovative U.S. companies, and aggressively compete with them on the open market. But just as the men are about to step onto the plane, they are arrested by a joint FBI/Computer Hacking and Intellectual Property (CHIP) investigative team.

It sounds like an episode of a television crime drama. Yet this actually happened in 2001, when two men tried to flee the country with trade secrets stolen from a few of the biggest names in Silicon Valley. In this case, the criminals were stopped in their tracks, but theft of trade secrets is a growing and evolving problem, says Matt Parrella, assistant U.S. attorney and chief of the San Jose branch of the U.S. Department of Justice's CHIP unit.

"It's growing in terms of the number and types of trade secret cases we're prosecuting," he says. "Three to five years ago we saw physical manuals being stolen, whereas today digital versions of schematics, data sheets, manufacturing processes and source code are at risk. And the number of complaints being filed and investigations pursued are dramatically on the rise."

According to a 2006 report from the office of the United States Trade Representative (USTR), U.S. businesses are losing approximately $250 billion annually from trade secret theft. Federal law enforcement officials say the most targeted industries include biotechnologies and pharmaceutical research, advanced materials, weapons systems not yet classified, communications and encryption technologies, nanotechnology and quantum computing.

What companies hear about in the media is "probably just the tip of the iceberg," says Randy Sabett, a partner at Sonnenschein Nath & Rosenthal in Washington, D.C., and a member of the firm's information security and intellectual property practice group. "There are probably a fair number of situations where people don't even realize their trade secrets have been stolen."

Here are some Tips that can help protect your company's trade secrets.
  1. Identify a champion within the C-suite who can provide the credibility and support you will need in implementing an enterprise-wide program.

  2. Create an inventory of your company's trade secrets and the form they take (paper-based, electronic, undocumented employee knowledge).

  3. Prioritize the trade secrets according to their value to your organization based on the risk of loss, compromise or theft. To keep things simple, consider using a high/medium/low scale in terms of likelihood and impact.

  4. Analyze how your company's trade secrets map to organizational business processes throughout their entire lifecycle.

  5. Perform a risk assessment against the mapped trade secrets to determine which ones are exposed to vulnerabilities that have a high likelihood of happening, and the impact their exposure would have on your organization.

  6. Based on the risk assessment, establish a clearly documented enterprise-wide data protection framework supported by specific actions laid out in processes and procedures; roles and responsibilities; and monitoring and enforcement activities employees can easily follow.

  7. Perform a "gap analysis" to determine how well your existing practices protect your trade secrets versus the data protection framework.

  8. Address gaps using a combination of security and data protection policies and procedures, process-level controls, technology controls, physical controls and education/ awareness.

  9. Establish metrics to continuously assess the effectiveness of your protection program.

The Crown Jewels
Intellectual property (IP) is ex-tremely important to the U.S. economy. As of 2003, IP accounted for approximately 33 percent of the value of U.S. corporations, or more than $5 trillion, according to Stephen Siwek, principal at Econo- mists Incorporated, a consulting firm based in Washington, D.C. Yet many companies are ill prepared to adequately protect their IP in the face of increased attempts to steal it.

At least part of the problem is due to economic pressure on U.S. firms to control costs, says Abe Michael Smith, CSO at Xilinx, a digital programmable logic device maker based in San Jose, Calif. As more enterprises outsource part or even all of their research and development and product development activities to overseas partners, there is far greater risk that important information can slip through the cracks. And establishing overseas divisions that play a significant role in developing IP can be risky when strong IP laws do not exist within those countries. "Balancing the need for improving profit margins with the kind of security required to adequately protect IP can be very difficult," says Smith.

Moreover, the unique characteristics of trade secrets make companies particularly vulnerable to their loss.

"Once a trade secret is out of the bag you can't get it back in," says Sabett. "If you are talking about something like source code, that represents the crown jewels of the company. And when its status as a trade secret is gone, it's gone."

Worse, it can take years until a trade secret theft is detected, says Smith: "You wouldn't even know it [your IP] was missing for five years, when a competitor would suddenly introduce a product that sold for one-third to one-fifth of the price of yours."

And it is important to note that trade secrets are vulnerable not just to malicious theft but also to accidental leakage in the normal course of business. For example, an engineer who has not been properly trained in what constitutes trade secrets might make a seemingly innocuous conference presentation that includes them.

Putting the 'Secret' in Trade Secret
Part of the reason U.S. firms are struggling to protect IP is a widespread misunderstanding of what a trade secret is, and what legal protection it possesses.

A trade secret is a type of IP that represents an organization's intangible assets. Unlike tangible assets such as land, buildings, office equipment or manufacturing equipment, intangible assets cannot be seen or touched and are created not by physical materials but by human labor or thought.

According to the Uniform Trade Secrets Act (UTSA), trade secrets include formulas, patterns, compilations, program devices, methods, techniques or processes. They also can be diagrams and flow charts, supplier data, pricing data and strategies, source code, marketing plans and customer information. So varied are the things that can be considered trade secrets that your employees may not even know when they are handling them.

For organizations that depend heavily on commercializing the product of their R&D activities, trade secrets are particularly important. Patents are equally important, but trade secrets differ from patents in a significant way. They are--as their name implies--secret. Whereas patents represent a set of exclusive rights granted by the government in exchange for the public disclosure of an invention, a trade secret is internal information or knowledge that a company claims it alone knows, and which is a valuable intangible asset.

While patent owners have certain legal protections from anyone using their patents without permission, companies are responsible for proving they have the right to legal protection of their trade secrets. According to the UTSA, your company must demonstrate that the specific information or knowledge is not generally known to the public, therefore it derives independent economic value; and that you have made reasonable efforts to make sure the knowledge remains secret.

A trade secret's validity can only be proven via litigation; there's no automatic protection just because your company believes it possesses one. Ironically, a trade secret must be stolen or compromised before you can attempt to demonstrate it is legally a trade secret. Once in litigation, your company must convince the court of three points: secrecy, value and security. Inevitably, the most difficult element to demonstrate is that your company had reasonable controls in place to protect the secrecy of the IP in question.

"A successful prosecution requires that you prove you took sufficient steps to protect your trade secrets," says Joseph Schadler, an FBI special agent. "This includes everything from putting banners on computers, to having secure logons, to requiring NDAs [non-disclosure agreements], to controlling physical access to a room."

Unsecured Secrets
Why are many companies not sufficiently protecting their trade secrets? Aside from not fully understanding what a trade secret is, many have not identified their own trade secrets. Even if they have, a lot have not determined where in the organization their secrets are, in what form they exist (such as digital or paper) and by whom they are used.

"If your employees don't know what to protect, how can they protect it?" says Christopher Burgess, senior security adviser to the CSO at Cisco Systems.

Additionally, some companies put a priority on innovation rather than security. "The smaller tech companies in particular need to be very nimble, so the focus in the executive suite is on product development and customer service rather than protecting IP," says Parrella of the CHIP unit.

Even with the IP protections many Fortune 500 companies have in place, trade secrets continue to leak out. Weaknesses in security procedures, inherent vulnerabilities within business processes, disjointed risk management programs and ineffective education and awareness programs all contribute to this problem.

All too often, senior management teams, boards of directors and senior executives are lulled into a false sense of security about trade secrets. Largely this is due to misunderstanding the legal protection for trade secrets, coupled with being organizationally buffered from the daily operations security managers face.

"When we speak to victims, we are finding out that the people responsible for security on R&D projects are not at the C-suite level, so that magnitude of the risk is filtered out by the time it gets to the top of the organization," says Parrella.

Furthermore, many organizations believe that they mitigate the risk of trade secret theft via contractual agreements such as NDAs and confidentiality agreements, but this simply isn't the case. Although important to have in place from a prosecution standpoint, these agreements are not particularly effective at preventing theft, says Schadler: "The sort of people who want to steal the trade secrets are not going to feel bound by an NDA."

And while a company might have a strong IP protection program on paper, it can get in the way of employees doing their jobs effectively. A related problem is that the corporate culture may be at odds with IP security directives and employees simply ignore them. IP protection done wrong creates a barrier to creativity, which is what makes U.S. companies such great innovators.

Spilled Secrets
Recent cases illustrate the variety of ways valuable IP can leak out of an organization.
  • An executive of an Ohio hydraulic pump maker was convicted last year of stealing his company's trade secrets by handing over financial and confidential marketing materials to a South African-based competitor.

  • A Kentucky man was convicted in 2006 of conspiring to steal and sell trade secrets belonging to Corning. While an employee, the man stole drawings of Corning's Thin Filter Translator Liquid Crystal Display glass and sold them to an offshore-based business.

  • A Duracell employee downloaded sensitive data about a top-selling product from company computers onto his home PC and sent it to two Duracell competitors; he was convicted earlier this year.

  • A magazine publisher kept its entire pricing strategy, competitive intelligence, financing information and marketing plans for a new, unreleased magazine stored within a hidden file share on its public Web server. Due to a misconfiguration on its Web site, these trade secrets were exposed to the public through Google hacking.

  • A large technology company, as a normal part of its RFP process, sent detailed specifications, drawings and sub-assembly information to potential suppliers without obtaining signed NDAs or confidentiality agreements in advance.

  • Engineers working for a global technology organization moved between employee and contractor status as individual projects required. Although based out of offshore locations in countries without strong IP laws, they were not required to re-sign the NDA/confidentiality agreements at the onset of each new project.

Technological Solutions
Essentially, a trade secret is just another piece of corporate information. Like all information, it has a lifecycle--it is created, used, shared, stored and eventually destroyed.

What makes protecting a trade secret challenging is how it changes form and proliferates through the organization during its lifecycle. It may start as a chemical process written in a lab notebook, at some point be recorded in an electronic document, become a set of discrete tasks in a manufacturing process and eventually be combined with other IP to form a product. Each of these forms--manual, digital, process, product--may have different lifecycles. At each point, the IP may face different risks that must be examined and, where appropriate, mitigated.

Various products can help protect trade secrets and IP data that exist in digital form, during certain points in the data's lifecycle. There are emerging technologies that monitor the movement of structured and unstructured data and enforce actions on the data based on custom policies. These products from vendors such as Orchestria and Vericept work at the network and desktop levels, and can monitor movement, prevent data from being copied from the originating application to external sources--for example, USB drives--and help classify data as requiring more or less protection.

EMC's Infoscape can help inventory unstructured data, such as Microsoft Word documents, Adobe PDF files and various spreadsheets, and also classify it based on a company's data classification scheme. Complementary EMC products offer secure storage and archival of data. Sun Microsystems' Identity Manager can provide a foundation for controlling what systems people are given access to and what roles they are given within an application based on company-defined policy. Sun also offers integrated solutions for secure data storage.

In addition, there are products from companies such as PGP and Entrust to protect mobile data with combinations of file-level encryption and access controls on physical interfaces to the mobile device. Finally, vendors such as Adobe have developed enterprise rights management (ERM) products designed to provide data protection--specifically IP--across business processes and organizational boundaries.

Adobe offers products designed to securely capture, process, transfer and archive information, both online and offline. John Landwehr, Adobe's director of security solutions and strategy, believes that the best protection of sensitive data happens at the document level: "Given the range of devices that IP can live on--from desktops, to laptops, to PDAs and mobile phones--we think that the only viable way to persistently protect that information is if the protection travels with the document."

However, a word of caution about some of these products designed to protect confidential data: Because the vast majority are based on rule-set driven engines, the number of false positives they generate can be significant.

Protective Steps
Despite the increasing sophistication of technology, there's no magic bullet for protecting IP. "There is no absolute 100 percent foolproof way to protect trade secrets," says legal expert Sabett. "You could spend all your time and money on technological protections and yet your trade secrets could be flowing out of the organization in all sorts of other ways."

An effective protection program must include a number of strategies, including educating employees, contractors and partners about what constitutes trade secrets; establishing the right governance model (policies, roles and responsibilities, enforcement); process-level controls and procedural, physical and technical controls to minimize risk to a level acceptable by management.

The first step to protecting your trade secrets is to identify them through interviews with the business process owners and document them. Next, estimate how much these trade secrets are worth. Although this is just a snapshot that will change over time, it's essential for building a business case to obtain the funding to put protections in place. Having this valuation is also important should a theft actually occur. "It's a complicated process to do this, but a critical element for prosecutors," says the FBI's Schadler. Then, rank the trade secrets according to their value as well as the threats, vulnerabilities and resulting risk.

A comprehensive education and awareness program is a critical step; some experts argue that it's the most important one. "Education and awareness is your first and foremost practical solution for protecting trade secrets," says Cisco's Burgess. Landwehr of Adobe agrees: "Whatever technology you decide to implement, it won't be effective unless you also have a plan to educate users."

Finally, your company should define programmatic, compliance and operational metrics to measure the performance of your trade secret protections against key indicators. Without the metrics, you will not know whether you are effectively protecting your trade secrets.

Everyone agrees: Not doing anything to protect your company's trade secrets is simply not an option anymore. The U.S. Department of Justice is making it a first order of business.

"The prosecution of IP theft cases--specifically trade secret theft and economic espionage--is a priority for the CHIP unit and is critical to the economy of Silicon Valley and indeed to the nation's security," says Parrella.


Dig Deeper on Risk assessments, metrics and frameworks