This is the fifth in a series of columns on information security. Prior articles dealt with simple steps to keep your data safe, especially while traveling, and with information security with respect to different forms of technology. This article will help to highlight the growing concern regarding keeping your company’s intellectual properties safe given the rising tide of trade secret theft.
The recent admission by RSA that their SecureID product had been breached and the disclosure of attempted espionage at a major U.S. defense contractor both highlight the growing trend of cyber espionage and the resulting need for companies to keep their data safe. Just like other areas of the company responsible for information security, in-house counsel should be at the forefront of this effort.
The seriousness of the rise in attempted intellectual property thefts from U.S. companies is highlighted by the Department of Homeland Security’s move to actively engage many companies with respect to cyber security. Additionally, it is worth noting that the U.S. Department of Defense has indicated that cyber attacks potentially could be considered acts of war. Given this heightened awareness, good governance dictates that information security be considered a mission critical part of a company’s business plan.
While there are many “cyber exposures” companies should consider, such as sabotage, website defacement, electronic vandalism, electronic fraud and denial of service attacks, perhaps one of the least understood—yet increasingly problematic—exposures is cyber espionage and the theft of trade secrets and other intellectual property.
In the past, hackers and other malicious actors attacked computer networks for the notoriety, curiosity, thrill seeking or, in some cases, for extortion. However, the main threat facing companies these days is probably the theft of valuable trade secrets.
For example, in 2010 a Michigan couple was charged with allegedly stealing over $40 million worth of hybrid automobile related technology secrets. In this case, the thieves were actually employed by the company they stole from and had hoped to sell the secrets to one of the company’s competitors. Also in 2010, a research scientist was charged in a 17 count indictment for economic espionage intended to benefit a foreign government. He was indicted for misappropriating and transporting trade secrets and other intellectual properties to a foreign government, while working as a research scientist at a large pharmaceutical company.
In light of this increase, companies and in-house counsel need to develop action plans to proactively address and mitigate these threats.
Understanding Your Data
The first step in creating an effective information security plan is understanding your company’s data. Unless you truly understand your company’s data, it will be almost impossible to secure. When we speak of understanding your data, some of the questions you should ask are:
- What is the data?
- Who is creating the data?
- Who is using the data?
- What is the level of the sensitivity of the data? (Remember, all data is not created equally.)
- Given the above, how do we protect the different data?
Additionally, you must understand the life cycle of the various types of data in question. This includes understanding:
- When and where data is originated.
- When and where data is resting.
- When and how data is transmitted.
- How the data is used.
- What happens to the data when it is at the end of its life and is no longer being used.
Developing an Information Security Plan
Once you understand the answers to the above basic questions, it becomes easier for a company to develop adequate information protection policies and procedures.
In crafting an information protection plan, companies must also understand any industry specific rules and regulations with which they must comply. For example, companies in the health care industry will need to thoroughly understand HIPAA and HITECH among other regulations, while a company in the banking industry might have to comply with Gramm-Leach-Bliley. A thorough understanding of these rules and regulations will be instrumental in developing a proper information security plan.
Finally, any information security plan must have input from the proper company employees. The most effective privacy and information security plans incorporate input from legal, compliance, information technology, finance and risk management. These types of multi-dimensional teams can more fully understand and address the risks facing a corporate enterprise. Additionally, it is worth noting that information security is increasingly landing on the radar screen of corporate boards and often falls under the oversight of either the governance or compliance committees of many boards.
In short, in-house counsel need to understand that their companies are facing an increasingly growing threats from malicious actors and that these threats must be addressed both contractually and in practice. Only through a robust information security plan can the trade secrets and other intellectual property developed by a company be adequately protected. Companies spend millions if not billions of dollars a year in research and development to build intellectual property portfolios and will need to make certain that they are protected with the same level of dedication and diligence that are applied to any mission critical asset.