It's Cybersecurity Awareness Month, so all eyes are on digital networks and their vulnerabilities. However, when it comes to protecting a company's trade secrets, the cause of a security breach can be virtual or human.

First, it's important to define what constitutes a trade secret. Simply put, the legal community defines a trade secret as technical or non-technical information that provides economic value and a competitive advantage from not being generally known to the public, that is not readily ascertainable, is not a personal skill, and that the owner has taken reasonable efforts to protect.

More colloquially, the broad range of internal and institutional “know how,” whether digital or analog, often comprises a company's most valuable information. These assets can be the essence that defines a company or its competitive advantage in the market. Unlike patents, trade secrets are not protected by law but are permanent so long as the secret is kept secret.

The ever-increasing number of legal cases involving trade secrets demonstrates the challenge of protecting them. Recent research by Hyperion Global Partners reveals not only the enormous value of trade secrets to modern companies, but also the tremendous opportunity for misappropriation: 97 percent of U.S. companies have experienced a data breach, and an estimated $300 billion is lost annually to trade secret theft.

How can companies protect the sanctity of their assets and the value derived from them without falling victim to misappropriation and the catastrophic economic damage it can cause?


The Content Universe is Vast

The most obvious and easiest content to safeguard consists of structured technical repositories of data: source code libraries, sales and marketing databases, engineering file servers, etc. But content is ubiquitous and no trade secret is less valuable simply because it is not as articulated as a secret formula or breakthrough chemical compound. Things like communication threads, emails, project documentation, hand-written collaboration notes, marketing pitches, and even rejected initiatives are all examples of proprietary investments of the organization.

The speed of business is increasing and a company's departments, leaders and product teams will often innovate independently. It is absolutely vital, albeit more than a bit daunting, that data security policies such as IT guidelines on acceptable use, protocols for electronic monitoring and specific trade secret program policies are reviewed frequently enough to keep pace with business developments. It is precisely those new developments, changes and product initiatives that will contain some of the most marketable (and therefore most valuable!) trade secrets a company owns.

Since trade secrets lose their protections as soon as they are no longer secret, one of the greatest threats to trade secret protection is employees. The most direct methods to control this are non-disclosure agreements for external contacts and partners, as well as written employee agreements for internal resources. These need to be managed closely, with standardized terms, and kept current to comply with the Defend Trade Secrets Act.

Perhaps the most effective tool of all is also the most obvious one: training. Consistent training at all levels is critical to convey the importance of trade secrets and their value to a company. It should be conducted as a relentless awareness campaign across all levels to make sure everyone not only understands what trade secrets are, but exactly where, when and how they personally possess them and the obligations they have to make sure they are handled appropriately.


Content Security: The Trade Secret Governance Model

While perimeter-edge security, anti-hacking and intrusion detection all remain technical responsibilities, data protection and custodianship must be shared by the data's own stakeholders and those charged with overseeing that sensitive content is handled properly. This brings it directly into the purview of Trade Secret Governance.

There are a number of industry standard tools that should be vigorously applied to trade secrets and the systems and processes used to access them.

  • Multifactor Authentication: Process by which user identification requires two or more pieces of evidence, typically where only one is knowledge (something they know like a password) and the other is either something they have (secure token or smart card), something they are (biometrics) or something independent from them (confirmation code sent via separate communication).
  • Pessimistic Asset Control: File or system level access protocol where access is universally restricted by default and granted only on a minimum-requirement level and on an as-needed basis based on specific role or documented business need.
  • Certified Hosting: A verification protocol where all hosting systems, internal and external, are required to meet applicable certification standards (such as ISO 27001, SSAE-18 SOC Type 2/3, etc.).
  • Retention Control: An established policy governing how data is proactively removed on a scheduled basis after it is no longer needed or when granted access has expired or been revoked.
  • Encrypt, Encrypt, Encrypt: Encryption must occur in as automated a fashion as possible and across as many aspects of the data's lifecycle as possible. Policies should require that all devices be configured to physically encrypt their drives. Oversharing encryption keys out of convenience is a common bad practice that undermines the global level of data protection throughout the system, as well as every business and compliance assumption made about the governance process.
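
The default-deny access rule ("Pessimistic Asset Control") and the retention rule from the list above, as an added Python example that is not part of the original article. The `Grant` record, its field names, and the sample users and assets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    user: str
    asset: str
    actions: frozenset      # minimum actions the role requires, e.g. {"read"}
    business_need: str      # documented justification; blank makes the grant invalid
    expires: datetime       # every grant is time-boxed
    revoked: bool = False

def is_live(g, now):
    """A grant counts only if it is justified, unrevoked and unexpired."""
    return bool(g.business_need.strip()) and not g.revoked and now < g.expires

def is_allowed(grants, user, asset, action, now):
    """Default deny: allow only when a live grant names this user, asset and action."""
    return any(g.user == user and g.asset == asset and action in g.actions
               and is_live(g, now) for g in grants)

def due_for_removal(grants, now):
    """Retention control: (user, asset) pairs with no live grant left, whose
    copies of the asset should be scheduled for removal."""
    live = {(g.user, g.asset) for g in grants if is_live(g, now)}
    return sorted({(g.user, g.asset) for g in grants} - live)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (hypothetical users, assets and dates).
NOW = utc(2025, 1, 1)
SAMPLE_GRANTS = [
    Grant("alice", "design-docs", frozenset({"read"}), "Design review", utc(2030, 1, 1)),
    Grant("bob", "design-docs", frozenset({"read", "write"}), "Contract work", utc(2024, 6, 30)),
    Grant("carol", "source-repo", frozenset({"read"}), "Audit", utc(2030, 1, 1), revoked=True),
    Grant("dave", "source-repo", frozenset({"read"}), "", utc(2030, 1, 1)),
]

if __name__ == "__main__":
    print(is_allowed(SAMPLE_GRANTS, "alice", "design-docs", "read", NOW))
    print(due_for_removal(SAMPLE_GRANTS, NOW))
```
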

Trade Secrets in Court

A recent cautionary tale is found in Waymo v. Uber, where the human actors took center stage in illustrating vulnerabilities to a company's trade secrets. According to the forensic evidence shown during the trial, the departing engineer downloaded 14,000 files onto his personal laptop a month before leaving the company.

Whether the files were intentionally downloaded or not, the case demonstrates that misappropriation of trade secrets can come from many actors, and while our attention is often focused on “network hacks,” we need to appreciate the need to secure trade secrets at the human level. Employee awareness of what they know, how valuable it is or may be, and how they should (and should not) handle and share that information is absolutely critical. That awareness comes from effective and consistently reinforced training that needs to happen at every level.

Given how thoroughly trade secrets and business “know how” are woven through every area of an enterprise, it is to be expected that the governance of this information will require a multifaceted policy approach and multilayered procedures to be successful.

 

As President and CEO of Hyperion Global Partners, Eyal Iffergan leads the premier global consultancy for legal business strategy and operations. With over 20 years of leadership in advising the legal and intellectual property business communities, Iffergan brings broad-based legal process and technology experience to managing influential global practices and companies, including founding and building several market-revolutionizing enterprises. Working with AmLaw 200 law firms and Global 1000 corporations, Iffergan is known industrywide for implementing dynamic business strategies, transformation programs and systems that align legal operations with business objectives.