Cybersecurity Awareness Month: The Human Side of Safeguarding Trade Secrets
How can companies protect the sanctity of their assets and the value derived from them without falling victim to misappropriation and the catastrophic economic damage it can cause?
October 26, 2018 at 07:00 AM
It's Cybersecurity Awareness Month, so all eyes are on digital networks and their vulnerabilities. However, when it comes to protecting a company's trade secrets, the cause of a security breach can be virtual or human.
First, it's important to define what constitutes a trade secret. Simply put, the legal community defines a trade secret as technical or non-technical information that provides economic value and a competitive advantage from not being generally known to the public, that is not readily ascertainable, is not a personal skill, and that the owner has taken reasonable efforts to protect.
More colloquially, the broad range of internal and institutional “know how,” whether digital or analog, often comprises a company's most valuable information. These assets can be the essence that defines a company or its competitive advantage in the market. Unlike patents, trade secrets are not protected by law but are permanent so long as the secret is kept secret.
The ever-increasing number of legal cases involving trade secrets demonstrates the challenge of protecting them. Recent research by Hyperion Global Partners reveals not only the enormous value of trade secrets to modern companies, but also the tremendous opportunity for misappropriation: 97 percent of U.S. companies have experienced a data breach, and an estimated $300 billion is lost annually to trade secret theft.
The Content Universe is Vast
The most obvious and easiest content to safeguard is found in structured technical repositories of data: source code libraries, sales and marketing databases, engineering file servers, etc. But content is ubiquitous and no trade secret is less valuable simply because it is not as articulated as a secret formula or breakthrough chemical compound. Things like communication threads, emails, project documentation, hand-written collaboration notes, marketing pitches, and even rejected initiatives are all examples of proprietary investments of the organization.
The speed of business is increasing and a company's departments, leaders and product teams will often innovate independently. It is absolutely vital, albeit more than a bit daunting, that data security policies such as IT guidelines on acceptable use, protocols for electronic monitoring and specific trade secret program policies are reviewed frequently enough to keep pace with business developments. It is precisely those new developments, changes and product initiatives that will contain some of the most marketable (and therefore most valuable!) trade secrets a company owns.
Since trade secrets lose their protections as soon as they are no longer secret, one of the greatest threats to trade secret protection is employees. The most direct methods to control this are non-disclosure agreements for external contacts and partners, as well as written employee agreements for internal resources. These need to be managed closely, with standardized terms, and kept current to comply with the Defend Trade Secrets Act.
Perhaps the most effective tool of all is also the most obvious one: training. Consistent training at all levels is critical to convey the importance of trade secrets and their value to a company. It should be conducted as a relentless awareness campaign across all levels to make sure everyone not only understands what trade secrets are, but exactly where, when and how they personally possess them and the obligations they have to make sure they are handled appropriately.
Content Security: The Trade Secret Governance Model
While perimeter-edge security, anti-hacking and intrusion detection all remain technical responsibilities, data protection and custodianship must be shared by the data's own stakeholders and by those charged with overseeing the proper handling of sensitive content. This brings it directly into the purview of Trade Secret Governance.
There are a number of industry standard tools that should be vigorously applied to trade secrets and the systems and processes used to access them.
- Multifactor Authentication: Process by which user identification requires two or more pieces of evidence, typically where only one is knowledge (something they know like a password) and the other is either something they have (secure token or smart card), something they are (biometrics) or something independent from them (confirmation code sent via separate communication).
- Pessimistic Asset Control: File or system level access protocol where access is universally restricted by default and granted only on a minimum-requirement level and on an as-needed basis based on specific role or documented business need.
- Certified Hosting: A verification protocol where all hosting systems, internal and external, are required to meet applicable certification standards (such as ISO 27001, SSAE-18 SOC Type 2/3, etc.).
- Retention Control: An established policy governing how data is proactively removed on a scheduled basis after it is no longer needed or when granted access has expired or been revoked.
- Encrypt, Encrypt, Encrypt: Encryption must occur in as automated a fashion as possible and across as many aspects of the data's lifecycle as possible. Policies should be set to enforce that all devices are configured to physically encrypt their drives. Oversharing encryption keys out of convenience is a common bad practice that undermines the global level of data protection throughout the system, as well as every business and compliance assumption made about the governance process.
Trade Secrets in Court
A recent cautionary tale is found in Waymo v. Uber, where the human actors took center stage in illustrating vulnerabilities to a company's trade secrets. According to the forensic evidence shown during the trial, the departing engineer downloaded 14,000 files onto his personal laptop a month before leaving the company.
Whether the files were intentionally downloaded or not, the case demonstrates that misappropriation of trade secrets can come from many actors, and while our attention is often focused on “network hacks,” we need to appreciate the need to secure trade secrets at the human level. Employee awareness of what they know, how valuable it is or may be, and how they should (and should not) handle and share that information is absolutely critical. That awareness comes from effective and consistently reinforced training that needs to happen at every level.
Given how thoroughly trade secrets and business “know how” are woven through every area of an enterprise, it is to be expected that the governance of this information will require a multifaceted policy approach and multilayered procedures to be successful.
As President and CEO of Hyperion Global Partners, Eyal Iffergan leads the premier global consultancy for legal business strategy and operations. With over 20 years of leadership in advising the legal and intellectual property business communities, Iffergan brings broad-based legal process and technology experience to managing influential global practices and companies, including founding and building several market-revolutionizing enterprises. Working with AmLaw 200 law firms and Global 1000 corporations, Iffergan is known industrywide for implementing dynamic business strategies, transformation programs and systems that align legal operations with business objectives.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.