Protecting IP

Posted by Mark Greisiger

A Q&A with James Giszczak of McDonald Hopkins, LLC
The loss of trade secrets through a data breach can have major implications both financially and legally for an organization. I asked attorney James Giszczak to share his insight about the threats today’s companies are facing and how they can better fortify their intellectual property protections.

Can you explain in layperson terms the issues facing organizations when it comes to safeguarding their IP?
Organizations have external threats—hackers that are either trying to steal information or disrupt business. They have a greater threat internally, whether it is an intentional bad act or simply human error. An employee might lose a laptop while traveling, for instance, and the information on it is lost or stolen. Finally, we are starting to see more bad actors from within, rogue employees that are misusing or stealing information and holding it hostage in exchange for something from the organization.

What are some of the blind spots facing businesses that might lead to a loss/theft of their IP?
All companies must manage these issues, irrespective of the resources of the organization.  Yet there are still many companies who assume this only happens to the Sonys of the world. However, even a small company has substantial risk and exposure, yet in most cases a smaller budget than a Fortune 500 Company to deal with it. Big or small, we find that far too often companies fail to be proactive—they are only reactive. An extraordinary number of data breaches and losses are preventable. What’s sad is that companies will spend millions of dollars, an extremely large percentage of revenue, to generate more revenue but they do very little to protect their assets. Most organizations will leave security up to the IT folks, assuming that they have it covered with firewalls. That is certainly one piece of the pie, if you will, but I always tell my clients that they have to take a holistic view of the issue. Human resources, risk management, in-house counsel, and IT all have to be stakeholders in the process. The first step in being proactive is to educate employees about safeguarding data and why it’s important. For instance, certain information should not be physically removed from the office unless it’s encrypted.

What are some of the legal ramifications involving the protection of IP?
There are 47 states that have adopted the Uniform Trade Secret Act. The UTSA provides a statutory level of protection. Even if the organization doesn’t have its individual employees sign a confidentiality agreement, they may have recourse against former employees through a UTSA. At a basic level, in order to have recourse through a UTSA, you must show that the information has independent economic value and that it has taken reasonable steps to protect the IP. By the same token, if you haven’t been proactive then the law won’t provide you with the sword to protect your assets. Depending on the facts of a theft, an organization may also be able to rely on the Computer Fraud and Abuse Act

What might a risk manager do to proactively mitigate exposure here?
When we counsel organizations we talk about assets and the importance of creating an asset protection program. Assets that typically need to be protected usually fall into three buckets: trade secrets, customer relationships and the knowledge base of personnel. All three need to be protected. One of the things we do first is conduct a review, providing clients with a questionnaire to determine what assets they have, what safeguards they already have and what particular risks and exposure they face. Often organizations don’t even realize what trade secrets they have. We look at what protections are already in place and what things they might not be implementing appropriately, and do a gap analysis to see where there’s exposure. Then we help them determine what policies and procedures can help protect them, making sure they’re robust from both an IT and an HR perspective. Finally, we make sure they have an incident response plan. A fairly basic thing is how people react when there’s an incident—they should not be sending around emails before they retain counsel because those emails are usually discoverable in litigation. I think the most critical thing on the front end is to talk with a data breach expert who understands the issues and the law, which can be dramatically different state to state, and can really explain the nuances of protection, specific to your company’s needs.

In summary…
Counselor Giszczak does an excellent job describing the problems facing the many organizations whose lifeblood is their IP. Given the recent problems highlighted in the press such as the report by Mandiant (see Junto post: Fighting Against IP Espionage), and the APT threats outlined by security vendors such as McAfee (see Junto post: Fighting Advanced Malware), this exposure should be the top priority for risk managers charged with protecting the company’s bottom-line from e-perils such as cyber espionage.