Intellectual property (IP) theft drains billions of dollars from the U.S. economy each year. The U.S. Chamber of Commerce pegs the cost at $250 billion annually, and most analysts believe the problem will continue to worsen. From a security standpoint, countering IP theft dovetails with another difficult security problem: Insider threats.
In December of last year, I wrote about steps you could take to protect your organization from IP theft. Many steps are deceptively simple, such as creating information hierarchies, limiting access to critical data, and deploying information monitoring solutions all help. However, specific efforts to counter IP reflect the changing nature of security in general.
|What to Do After a Theft Occurs|
1. Get a computer forensics expert to find and recover critical information.
2. Notify the former employee that IP will be protected.
3. Communicate with the employee’s new employer, notifying them that you will actively protect your IP.
4. Communicate with customers if necessary.
5. If all else fails, turn to the courts.
Circling the Wagons
Border security is no longer sufficient, since most IP theft is initiated from within the organization. No security strategy can fully protect against motivated insiders. What if IP theft is initiated by an executive who should have access to critical data, for example?
Another issue is the notion of an organizational “insider” is changing. Contract workers, partners, and outsourced labor all fall under the insider umbrella.
“Outsourcing can be particularly difficult to handle,” said Ed Gaudet, vice president of product management for Liquid Machines, a provider of enterprise rights management solutions. “In India and China, for instance, their laws don’t address intellectual property problems.”
If and when it comes time to sue, will you have the legal support to do so?
With outsourcing, most organizations worry about piracy, i.e. IP will be used for product counterfeits. Fortunately, that type of IP theft is not nearly as common as theft involving customer information.
“Ninety percent of the cases I see are customer list related cases,” said Robert Yonowitz, a partner in the law firm Fisher & Phillips, LLP. “Typically, someone in marketing or sales jumps to a competitor and promises to bring along business. Employees believe, mistakenly, that they own the customer relationships.”
Taking customer information, unlike piracy or patent infringement, resides in an IP gray area. After all, how do you decide who owns something as nebulous as a business relationship?
In many states, non-compete and non-solicitation agreements give ownership to the organization, but in some states, such as California, non-compete clauses aren’t enforceable. The employee can retain the relationship as long as it doesn’t involve a solicitation.
Take the example of a sales manager leaving for a new job and sending out an announcement along with new contact information.
“Is the announcement of a departure to a customer simply that, an announcement, or is it a solicitation? asked Todd Stefan, Executive Vice President, Setec Investigations, a computer forensics service provider.
“It can be difficult to tell, so our advice is to avoid dealing with issues like this reactively. Proactively protect yourself through legal documents, training, technology and systems. More importantly, take the time to know what your employees are doing.”
Attitude is a big part of the problem. A 2004 survey of 400 business professionals conducted by Ibas, a data recovery and computer forensics company, found that nearly 70% of respondents admitted to having stolen some form of IP when leaving a job. Over 30% left with sales presentations and proposals, while 30% also took along information from customer databases.
The most troubling finding was only 28% thought IP theft was completely unacceptable. In other words, most business professionals believe they have a right to certain types of IP, and they think it is ethical to take the information with them.