Whatever the exact dollar amounts, the experts agree the problem is huge and only promises to get worse. But the real question facing most organizations is not about the scope of the problem but how to prevent falling victim to IP theft.
“Our advice is to act proactively, rather than reactively. You need to know what your employees are doing. Protect yourself through legal documents, training, technology and systems,” said Todd Stefan, executive vice president of Setec Investigations, a computer forensics service provider.
Many companies believe the best way to do business is by having an “open company.” In certain fields, like high tech, employees are given a lot of autonomy. With openness, though, comes risk. “You don’t want to create a police-state mentality,” Stefan said, “but the more open your company is the more rigorously your recordkeeping needs to be. Create logs and do regular audits.”
According to Robert Yonowitz, a partner in the law firm Fisher & Phillips, LLP, the first thing organizations should do is come up with a plan for managing critical data.
“If your customer lists are readily available to anyone walking in the building, say sitting on receptionists’ desk, then the court won’t view that information as valued,” Yonowitz said.
Internally, the same holds true. “Don’t give every sales person access to the whole customer list. Only give them access only to their accounts.” Otherwise, a court may likely determine those customer leads are easy to get, easy to access, and not worth protecting.
However, an equal problem is being over aggressive when classifying data as sensitive. According to Yonowitz, nearly as many organizations make the mistake of slapping a “confidential” stamp on everything from annual reports to press releases, often for legal reasons.
In court, however, if a judge sees that a company recklessly classifies information, it will be harder for the aggrieved party to justify large damage claims and even prove damage has been done.
“If trade secrets are critical, treat them as such,” Yonowitz said. For example, if your trade secrets are dubbed as confidential in the same way that a pre-release draft of a press release is, then you’ve undermined your case.
After data protection, the most important thing organizations can do to protect their trade secrets is to get a handle on their employees, through training, through hiring, through access control to key data, through the signing of non-solicitation agreements, and through exit interviews that outline IP theft-related offenses.
Too much emphasis is often placed on training employees once they step on site, when the most critical protection happens earlier. “One of the best ways to stop IP theft is to prevent people predisposed to it from having jobs,” Stefan said.
Stefan suggested screening anyone who has access to critical data, be they employees, partners, or large customers. If they have a poor track record, your best defense is not doing business with them.
Other suggestions include making IP theft part of your overall security strategy, creating and enforcing IP policies, being diligent when logging communications systems, and conducting regular audits.