By Megan Wargacki:
Economic espionage, cybercrime and trade secret theft against U.S. businesses has doubled in the last seven years from 1988-199, doubled again in the nine years between 1995 and 2004 and is slated to double again by 2017. Business’ trade secrets are vulnerable to disloyal employees, neglectful employees, competitors, hackers, or even foreign governments and militaries. A recent report entitled “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets” warns that businesses’ secrets are vulnerable now, more than ever, because the information is increasingly stored in a digital format.
How easy is it for your employees to remove digital files from the office using cloud-based applications, wireless technology, or portable storage devices, or by sending themselves files via email? Can hackers or competitors gain access to sensitive business information through flaws in your network? Consider, though your office and network are unbreachable, do your employees take a business laptop home? How secure is the data on that laptop when it is outside your office?
But, you say, my employees are highly responsible, loyal folks who would never steal an employer’s confidential data or leave a business laptop lying around in public. And I’m sure that most employers think the same thing you do. Unfortunately, according to “What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk,” a global survey from Symantec, half of the employees who left or lost their jobs in the past year kept confidential business data and 40% plan to use it in their new jobs. Most of these employees are not spies, hackers or paid by the competition; rather they just feel entitled to the information – 62% of employees reported that it was ok to transfer work documents to personal devices or online file sharing applications and the majority never deleted the data because they didn’t see any harm in keeping it.
Because over half of employees think it is permissible to take confidential business data, companies must be aware of this problem. Thus, it seems reasonable to presume that employers try to recover the information once they know it has been taken. Nevertheless, the “What’s Yours is Mine” Survey found that only 47% of employees report that their employers take action when confidential or proprietary information is taken contrary to company policy. It is no wonder, then, that employees are creating data breaches, which release a business’ formerly secure confidential or proprietary information into an untrusted environment.
The results of the “What’s Yours is Mine” survey suggest that many businesses are not creating a culture of security or a culture of confidentiality; only 38% of employees reported that their manager views data protection as a business priority – 38%! Ignoring or delaying the implementation of data protection policies and confidentiality policies can be business suicide, particularly for a small business that doesn’t have extra resources to spend sealing and repairing a data breach.
So, what is a trade secret?
Generally, a trade secret is any information that is not generally known or ascertainable outside the business that derives independent economic value because it remains a secret and that is the subject of reasonable efforts to maintain its confidentiality and secrecy. In other words, it is information that is valuable because your competitors don’t know it and you take actions to keep it that way. The information could be as simple as a customer list or as complex as an invention schematic. One great thing about trade secret protection is that it extends to information that does not qualify for protection under patent law or copyright law. Trade secret laws require merely that the information generates value by remaining a secret! Thus, because your customer list would be highly valuable to your competitors, as they would then start selling to your customers, the list can be protected by trade secret laws.
The most difficult requirement to lift information to trade secret status is secrecy – you must take efforts that are “reasonable under the circumstances” to keep the information a trade secret. What is considered legally “reasonable under the circumstances” will vary depending on the circumstances and the value of the secret. Unfortunately, what courts consider “reasonable under the circumstances” is sometimes more extensive than what businesses first imagine. Fortunately, most secrets don’t need eyeball scanners, laser alarms, and 10-digit PIN codes for protection. But with extremely valuable information, you do want to take extreme measures to maintain the confidentiality and secrecy of your information. For a practical example, going back to the customer list, you might stamp the document “confidential,” place it in a “confidential” folder (physical or digital), place it in a locked file (physical or digital), and restrict employee access to the document and folder to a “need-to-know” basis.
Why go to all this trouble? Well, once a trade secret is lost, the information is no longer a business asset. Therefore, the more you can do to protect your confidential and proprietary information the more the law will be on your side in the event that someone does steal, borrow or lose the information. The efforts you take to maintain your trade secret is the evidence of its value to you; the greater effort you display under the circumstance to maintain the secrecy of the sensitive information, the greater must be the value of the information to your business. Furthermore, for small and mid-sized businesses, it is important to keep in mind that these protection measures are generally less costly than losing the trade secret in the first place and/or the fight to recover the information, which is often a losing battle.
How can you protect your trade secrets?
Inventory Your Confidential and Proprietary Information: Identify any business information that should be protected as a trade secret, where it is located, with whom it can be shared, etc. Note that trade secrets take many forms, including correspondence and e-mail, contact lists, pricing lists, processes, research notebooks, formulas, designs, blueprints, software scripts, documents, contracts and stored on many media, including paper, optical discs or magnetic discs.
Physically Secure Your Trade Secrets: You can lock cabinets and offices where trade secret information is stored. You can require ID badges, PIN codes entry or other security entry for the entire office and/or into restricted areas for employees with “need-to-know” access to certain trade secrets. A step that does not protect your secret, but that shows you mean for the information to remain confidential, is to simply mark the document as “confidential” or “secret.”
Protect Electronic Trade Secrets: Make a habit of using stringent security policies for all digital confidential and proprietary information, such as data encryption and multi-factor authentication measures. Require employees to change their network password frequently and prohibit them from sharing it with anyone. Monitor company networks to identify and react quickly in the event of a cyber-attack. Create a policy prohibiting employees from downloading business information to personal devices, cloud-based applications, online file sharing applications, using wireless technology or by sending through personal e-mail. Finally, if you allow employees to work remotely, use a secure connection platform, such as remote desktop software, so that the employees will not have to download sensitive business information to their personal devices to work remotely.
Create a Culture of Data Security and Confidentiality. Before doing business with new hires, vendors or potential business partners, enter into non-disclosure agreements that protect sensitive proprietary company information and that ensure that the information remains secret. Train managers and human resources staff to honor the culture of data security and confidentiality by implementing policies that are geared toward the protection of trade secrets: frequent employee training on the importance of maintaining trade secrets, handbook provisions regarding trade secrets that are signed by employees, social networking policies that prohibit posting business information on the internet, exit interviews that stress ongoing non-disclosure agreements. Finally, develop a procedure for handling departing employees that ensures they return all company property, such as documents, portable drives, smartphones, computers, etc.
It is important to note that although the federal government has taken actions to protect U.S. trade secrets recently, many of these policy changes affect only companies that do business overseas or the policies only come into effect after a company’s trade secret has been stolen. Thus, it is important for every business to take responsibility for its own trade secret protection. Remember trade secrets are a valuable business asset, vulnerable to hackers and thieves and an asset that some departing employees may use at a competing company. By being proactive and creating a culture of data security and confidentiality, you will protect your trade secrets, so you will never be in the position of having to face a data breach!