This is the first in a two-part series about protection of trade secrets.
Beneath Your Roof
When you go to sleep at night, do you make sure that your garage door is closed and that all the doors are locked? Our guess is that the answer is most likely yes, and the reason is probably that you want to protect yourself, your family and your valuables from intruders. Companies close the proverbial garage and lock the proverbial doors when they implement firewalls and other protections meant to guard their data and the data of their customers from outside intruders such as hackers.
That is all fine and dandy to guard against outside threats, but what about that wayward teen living beneath your own roof, stealing a $20 bill from your wallet or waiting for you to fall asleep so he or she can take the vintage Corvette for a joyride?
Of course, you can guard against this by keeping your wallet and keys in a safe that only you have access to, but chances are you trust your kids and do not believe they would engage in such mischief. And, even if they did, the consequences are probably not all that high. The same is not true of the wayward teens roaming the halls and perusing the data of your company. Not actual teens, but rather the opportunistic employees secretly looking to jump ship with your trade secrets. Whether they are going to start their own venture or they are moving to a competitor down the street, the consequences of this type of theft can be catastrophic to your company. Fortunately, like hiding your keys and wallet in your safe, there are steps that companies can take to minimize the chances that their trade secrets are stolen.
Know Your Own Secrets
Before your company can take measures to protect its trade secrets, it must determine whether it has any trade secrets. On a gut level, a trade secret is any information that you would not want your competitor to know. It is the information that gives your company a competitive advantage. The legal definition of “trade secret,” as adopted in Utah and most other states, is “information … that: (a) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means, by other persons who can obtain economic value from its disclosure or use; and (b) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” See Utah Code Ann. 13-24-2(4). Information that qualifies as a trade secret includes recipes, customer lists, source code, formulas, techniques, methods of manufacture, strategic business plans, supplier lists, quality control data, designs, customer purchasing history, drawings, measurements and blueprints.
The ABCs of Protecting Your Secrets
In all trade secret litigation, the court will have to answer two fundamental questions: First, is the information generally known or readily ascertainable? And, second, did the company take reasonable steps to keep the information secret? The first question explores whether you are trying to protect information that is public knowledge. The court is not going to afford trade secret status and its protections to information that everybody knows or could legitimately know with a little research.
The second question explores whether your company treated the information as a secret. Did your company take steps to limit access to the information?
Technology cannot completely guarantee that your secrets will not walk out the door with your next employee departure, but it can reduce the odds of that happening and improve the odds that you prevail in a trade secret lawsuit if that does happen. The primary goal in implementing technology to protect your company’s information should be to ensure that only those individuals who need access to information to exploit its economic value have access to that information. For example, the head of marketing at Google does not need to know the search algorithm in order for Google to exploit the algorithm’s economic value. Another goal of implementing technology to safeguard trade secrets is to easily ascertain who accessed what information at what time and in what manner. Being able to answer these questions with reliable evidence should not only serve as a deterrent to any employee attempting to steal information, but it is also crucial to your company’s success in a trade secret lawsuit.
While it is advisable to have an IT consulting firm review your company’s current protocols and make recommendations, the following are the ABCs of data loss prevention, which includes, among other things, trade secret theft. The ABCs include: Awareness, Barriers and Confirmation.
Awareness
At the core of any data security exercise are people — the people who create and manage the data, the people who have a legitimate need to access the data and, unfortunately, those who would seek to access and exploit the data illegitimately. As such, one of the greatest ROIs with respect to data loss prevention can come from a focus on people. Good cybersecurity hygiene starts with a well-defined and well-maintained sense of awareness. The most sophisticated technologies (doors and locks) in the world will be of limited effectiveness if they are not used and maintained appropriately. In the data loss prevention space, this idea starts with training on the threat environment that includes a clear organizational vision of not only the risk, but also the impacts of data loss on the organization. People are more likely to internalize the vision when they know how and why it impacts them personally. Human resource organizations and departments can play a big role in establishing, directing and communicating relevant data protection policies and procedures. Many HR organizations are using company intranets, blogs and cross-functional working groups to help deliver the message. Making and keeping your organization aware of threats and the threat environment means they are more likely to care about data security and less likely to fall victim to data theft.
Barriers
Traditionally, data security was likened to the defense of a medieval castle. Thick walls with guarded gateways did an excellent job of protecting whatever happened to be inside the walls. Today, data is mobile. Cloud applications and a mobile workforce mean the castle walls must travel with the data, so the new armor is identity. Making sure that the right people have access to the right information for the right reasons for the right period is key. This starts at the beginning of the employment process via tools like Active Directory that create and maintain the foundation of each employee’s corporate identity. It can be extended and enhanced by third-party vendors such as Okta, Microsoft, Ping Identity and OneLogin, to name a few, that provide Identity as a Service (IDaaS). These companies provide integrations for tools such as Multi-Factor Authentication (MFA), Conditional Access Management, Single Sign-On (SSO), Mobile Device Management (MDM) and other functionalities designed to prevent, detect and respond to threats.
Two of the most commonly exploited avenues of data loss are email scams and data exfiltration. These generally occur through phishing (generalized email fraud), spear phishing (targeted email fraud) or the conscious or unconscious exfiltration of information from your secure internal environment to external sources by means of digital media transfers, lost or stolen equipment or network breaches. The good news is that most of you reading this article are using email systems that already have at least some basic levels of fraud protection built into the system. These can be set to monitor certain behaviors, sources or patterns and alert you to the potential theft.
Make sure these safeguards are enabled and configured appropriately for your environment. Closer to home on the data exfiltration side are tools that allow you to control data access right down to individual document levels. Thus, when files or documents are created, there can be specific access rules attached at the document level. Even if a document is lost or stolen, opening the document would require specific user or group-based identity credentials. Tools such as Microsoft’s Azure Identity Protection allow users to enable this capability with a few mouse clicks. This becomes a key consideration with respect to barriers, since they tend to restrict movement in both directions.
Confirmation
The cybersecurity threat environment is constantly adapting and evolving. As such, your organization’s data loss prevention process should be structured to adapt and evolve accordingly. Tools at your disposal include:
• Regular training and threat environment updates.
• Periodic testing for network and personnel vulnerabilities.
• Industry reports such as the McAfee Labs 2017 Threats Predictions and the Verizon Data Breach Investigations Report (DBIR).
• Internal or third-party security operations centers that monitor network activity and report or act on anomalous behaviors.
Michael A. Gehret is a partner in the Salt Lake City office of Snell & Wilmer. His practice is concentrated in commercial litigation, where he advises clients on a variety of intellectual property and regulatory matters.
Ed Roberson is director of business development for JourneyTEAM, a Utah-based business technology consulting firm established in 1993. His practice focuses on helping companies bridge the gap between IT and the strategic operations of business units.
Thomas Shields is a senior discovery consultant with Xact Data Discovery’s Salt Lake City office. He consults with law firms, government agencies and private corporations in the areas of information governance, digital forensics, ediscovery, and managed attorney review.
Part 2 of this two-part series will run next week in The Enterprise.