The Considerations of Intellectual Property Protection

Any company's intellectual property—whether that's patents, trade secrets, or just employee know-how—may be more valuable than its physical assets. This primer, compiled from CSO articles, covers basic and overlooked steps for keeping your secrets secret.

Intellectual Property in Simple Terms

Intellectual property can be anything from descriptive materials for a particular manufacturing process to plans for a specific product launch, a chemical formula, or a list of the countries in which your patents are registered. It may help to think of it as intangible proprietary information. The formal definition, according to the World Intellectual Property Organization, is creations of the mind: inventions, literary and artistic works, symbols, names, images, and designs used in commerce. Intellectual property includes (but is not limited to) proprietary algorithms, concepts or ideas, inventions (products and business methods), industrial solution designs, as well as literary and artistic works (e.g., novels, films, music, architectural designs, and Web site pages).

For many companies, such as those in the biomedical or services business, intellectual property carries much more value than any physical asset. It has been purported across industries that each year intellectual property theft costs U.S. enterprises approximately USD $300 billion. This is a non-trivial amount and is partly due to a lack of security and business operational practices.

Considering the various types of intellectual property we have already discussed, it is important to ensure that intellectual property is registered according to its respective type. This means it is registered with state, federal, and/or international agencies, and if infringed upon or otherwise abused, those infringing upon intellectual property claims can be prosecuted.

As we have already discussed in previous chapters, the four legally defined types of intellectual property protection are noted in the following review list:

  1. Patents. When an individual registers an invention with the government, he or she begins an analytical process that can take more than a year or two to complete, once he or she has filed the idea. This analysis period is required for the investigation of the idea, which is how an individual gains the legal right to exclude anyone from manufacturing or marketing his or her idea. Once an individual (or enterprise) owns the patent, others can then apply to the owner to license the idea. Patents remain valid for 20 years.

  2. Trademarks. A trademark is a symbol, name, phrase, or sound used in association with products or services. It can connect a brand with a level of quality or service, on which companies can build reputations. A trademark protection lasts for ten years after registration, and much like patents, a trademark can be renewed.

  3. Copyrights. Copyright laws protect written or artistic expressions fixed in a tangible medium—for example, novels, poems, songs, or movies. A copyright protects the expression of an idea, but not the idea itself. Only the owner of copyrighted work has the right to reproduce it, to make derivative works from it (e.g., a movie), or to sell, perform, or display the work to the public. You don't need to register your material to hold a copyright, but registration is a prerequisite if you decide to sue for copyright infringement. A copyright lasts for the life of the author plus another 50 years.

  4. Trade secrets. A formula, pattern, device, or compilation of data that grants the user an advantage over competitors is a trade secret. State, rather than federal, law covers it. To protect the secret, a business must prove that it adds value to the company, that it is, in fact, a secret, and that appropriate measures have been taken within the company to safeguard the secret, such as restricting knowledge to a select handful of executives. Coca-Cola, for example, has managed to keep its formula under wraps for more than 117 years.

Intellectual property can also be something broader and less tangible than these four protected classes: It can simply be an idea. If the head of your R&D department has a "eureka" moment during his morning shower and then applies his new idea at work, that's intellectual property, too.

Responsible Protection of Intellectual Property

The aspects we have discussed with regard to legal protection of intellectual property are paramount; however, experiencing the theft of intellectual property is extremely difficult, and prosecuting the thieves is even more difficult. A small amount of due diligence is often very helpful. Do not overlook the fact that, because some people really are out to compromise competitive information, everyone concerned with protection needs to be aware. As examples, consider the following real-life situations:

  • An engineer regularly met for meals with his former manager, who now worked for a competing company. The engineer always felt as though he possessed a critical skill for gathering competitive intelligence information. What this engineer did not realize was that the information he was giving up, in return for this competitive intelligence, caused his current employer (once the market leader) to lose three major bid opportunities in approximately one year. The old cliché here is easy to understand: “loose lips sink ships.”

  • In the week prior to a company's release of its regular quarterly report, employees across several operating units reporting to the Chief Financial Officer received several hundred calls from individuals claiming to be with a credit-reporting agency. They stated that certain information about the upcoming earnings report (prior to its release) was important for them to be able to better understand. Employees were immediately instructed by management to transfer all such inquiries to the corporate security office, and yet, the calls continued on a regular basis. It was later revealed that all of these calls came from a research company hired by this company's competition.

  • Immigrant scientists from areas of Europe were working on an American defense project. These scientists kept getting unsolicited invitations from their home countries to speak at events, or for them to serve as consultants. The invitations appealed to them as scientists and professional speakers—because they absolutely wanted to share information about important work with colleagues. Is it possible that certain countries consider this kind of intelligence gathering facade as cheaper than performing their own research and development?

Is Your Intellectual Property Secure?

Securing intellectual property is a responsibility, or should be, if you are an employee of a company. Securing it as an individual for personal interests is simply a wise practice to perform.

The following items are considered as best practices for securing intellectual property. These are not the only means, but a means for doing this:

  1. Know what information assets are in your possession. If all employees understand what information needs to be protected and what about these assets is important, they can better understand how to protect these assets. To do this, security officers in a company must communicate the importance of intellectual property on an on-going basis. They must do this with the responsible executives and other key employees who oversee intellectual capital in the corporation. Security should meet with selected executives and representatives from HR, marketing, sales, legal, manufacturing, and R&D. These individuals should meet at least once a quarter to discuss issues and practices. Corporate leadership must work in concert to adequately protect IP.

  2. Prioritize information assets in your possession. Security specialists skilled at protecting intellectual property suggest doing a risk and cost-benefit analysis of what is believed to be an information asset or intellectual property asset. Create a map of your corporation's assets, and determine what information, if lost, would impact your company the most. Next, consider which of these assets are at high risk of being compromised. Considering these two factors will help you prioritize where to best apply your intellectual property protection activities.

  3. Clearly identify the intellectual property assets. If information is confidential to your company, identify it as such. If your company data is proprietary, put a note to that effect on every login screen. This seems trivial, but if you wind up in court trying to prove someone took information they weren't authorized to take, your argument won't stand up if you can't demonstrate that you made it clear that the information was protected.

  4. Secure the intellectual property assets. Physical and digital protections are very important considerations, with regards to securing intellectual property assets. Ensure that the assets are secured in rooms where sensitive data access is controlled, whether it is a Web server farm, data center, or the long-term storage and retention rooms. Keep auditing track of who has what kind of access to these assets; track their access to each asset, and when they accessed the information. Use effective forms of identification, authentication, and validation. Limit and control every employee's access to important information, and ensure it is only on a “need to know” basis.

  5. Educate and raise the level of awareness of all employees. Education and awareness training can be very effective ways of protecting intellectual property, but only if it is focused on the specific information that a particular group of employees needs to protect. When you speak in very specific terms about something that professionals have a vested interest in protecting, you will have everyone's attention.

    Oftentimes, speech is the absolute weakest link in the defensive chain of protecting intellectual property. That is why an overall intellectual property protection effort that depends on security practices, firewalls, copyrights, patents, trademarks, and trade secrets is all-important. However, not focusing on employee education and awareness is a recipe for failure in this area.

  6. Understand your security practices, policies, and information protection tools. There is an increasing selection of software applications available for tracking files, documents, and other intellectual property repository assets. These methods are designed to perform many types of unique functions, including locating sensitive intellectual property assets, keeping track of who is utilizing these assets, and when they are accessing them. There are also other means of protection, such as patents, copyrights, trademarks, and trade secrets, previously discussed in several sections of this book.

  7. Think in terms of the “big picture.” Information security professionals see how problems can develop if you do not continuously portray the “big picture” view of security. For example, this big picture view includes any situation where someone is scanning the internal network. In this case, the internal intrusion detection systems are triggered, and typically somebody from information technology operations or security calls the employee who is doing the scanning and instructs, “Please stop doing that type of scanning.” The employee offers a plausible explanation, and that is the end of that situation. Then later that evening, the night security officer sees an employee carrying out protected documents, and his explanation is perhaps, “Oh . . . I did not realize that document got into my briefcase.”

    Then, over some period of time, the HR or personnel group, the company audit group, even the individual's colleagues (and perhaps some others) all noticed isolated incidents. However, nobody puts these individual incidents together into a pattern and realizes that this same person perpetrated all these security breaches. Do you suppose this person could be actively engaged in stealing intellectual property assets? What should you do?

    The point here is that unnecessary communication gaps between company personnel and corporate security groups can be very harmful. Intellectual property protection requires connections and communication between all the corporate functions. The Legal department has to play a role in intellectual property protection, and so do HR organizations, Information Technology groups, R&D, Engineering, and Graphic Design groups; every group is involved. So, think in terms of the big picture; that is, both to protect and to detect those obvious and non-obvious situations related to information security breaches.

  8. Apply a counter-intelligence mindset and professional function to match. If someone were spying on your company, how do you think it would be accomplished? Thinking through such hypothetical tactics will lead you to consider protection of files, phone lists, and personnel records, shredding papers, convening an internal council to approve your R&D scientists' publications, and other worthwhile ideas. Ethical hackers are of great value, providing a highly valued service that is in some cases required to ensure the integrity of a large enterprise. All of these tactics may prove extremely useful in protecting a particular line of business, or the entire company.

Offensive and Defensive Security Measures

Security professionals are constantly working to understand the dark sides of people who are trying to get information from a company and then piecing it together in a useful way. Some of these forces come disguised as “competitive intelligence analysts” who, in theory perhaps, are governed by a set of legal and ethical guidelines. These individuals may even say they are careful to abide by the guidelines of the Society of Competitive Intelligence Professionals (SCIP). Other individuals are professional spies, hired by competitors, or even foreign governments, who will stop at nothing to compromise your security. This includes bribes, thievery, or even pressure-activated tape recorders hidden in corporate officers' chairs. However, the situation is often not this clear. Most threats to a company's intellectual property assets operate in an ill-defined zone.

In order to create solid intellectual property protection defensive and offensive measures, consider how these types of intelligent thieves work:

Security Breach Offenders Look for Publicly Available Information

A competitive intelligence expert might tell you that more damage is done by a company's inadequate (or absent) security practices than by thieves themselves.

Consider these common examples: salespeople showing off upcoming products at trade shows; technical organizations describing their key technology activities in publicly posted job listings; supplier organizations describing their sales numbers on public Web sites; public relations departments issuing press releases about new patent filings; companies in industries targeted by regulators over-reporting information about manufacturing facilities to the Environmental Protection Agency or OSHA, which can become part of the public record; and employees posting comments on Internet bulletin boards, which should also be carefully controlled.

All of these types of data tell a competitor what your company is doing. Combined, the right details might help a rival reduce your first-to-market advantage, improve the efficiency of their own manufacturing facility, or refocus their research in a profitable direction.

Security Breach Offenders Often Work the Phones

Some phone solicitation schemes yield amazing stories of what people will tell their uninvited or even invited callers over the phone. There are cases like the publicly acclaimed “dumpster diving” espionage case involving Procter & Gamble and Unilever.

Criminally minded people have many ways of getting people to open up and talk. In fact, people like this are the primary reason that seemingly all companies should very closely guard innocent lists of company employee names, titles and phone extensions, or internal newsletters announcing retirements or promotions. This is because the more these criminals know about the single person who answers the telephone, the better they can deceive that person in malicious ways in order to gain the information they are seeking.

Telephone criminals will identify themselves and say something like, “I'm working on a project, and I'm told you're the guru when it comes to the newer technologies in this device. Is this a good time to talk, or should I call you back?” Oddly enough, 50% of the people called by these criminals are willing to talk about that kind of information.

The other 50%—what will they do? They might ask what the person calling on the phone does before they answer any questions. They might ask what organization the caller is a part of, and who they report to in that management chain.

Sometimes, the caller may reply (and this is true) that they are calling on behalf of a Research Corporation, working on a project for a client he or she cannot name because of a confidentiality agreement. Hopefully, everyone will hang up on that kind of a vague response. Fortunately, many of the people will simply hang up the telephone, and unfortunately, many people will just start talking.

Once a person starts talking, these criminals begin taking careful notes that will eventually make their way into one of a couple of files. The first file is information for his or her client asking for the information, and the second file (the darker file), is a database of hundreds of thousands of previous information sources. These files include information about the calling respondents' expertise, how friendly they were, and personal details such as their hobbies or where they went to college or high school. The best advice here is very simple and straightforward—hang up the phone. You owe these unsolicited callers nothing (including courtesy). One favorite response is to ask for their home phone numbers or office numbers, so you can call them right back. They will never give out their home phone numbers, and also rarely agree to give out their real office numbers—but do not hesitate to bother you on your numbers. I remind them that I did not give them my phone number, so isn't it fair that they give me theirs in exchange?

Oftentimes, business intelligence miners utilize well-practiced tactics for gathering information without directly asking for it. They accomplish this by implying that they are someone they are not as they begin their lies. This particularly deceptive practice is the tactic known as “social engineering.” Such scams might also include “pretext” calls from someone pretending to be a student working on a research project, an employee at a conference who needs some paperwork, or a board member's secretary who needs an address list to mail Christmas cards.

Most of these calls are actually not technically illegal, at least not by themselves. Lawyers will proclaim that while it is against the law to impersonate someone else, it is not illegal to be a liar or dishonest.

These Information Miners Go into the Field of Practice Seeking Information

As another example, during the recent Internet technology boom, one early-morning flight from Austin, Texas, to San Jose, California, earned the nickname of “the nerd bird.” It shuttled business people from one high-tech center to the other. That flight and others like it became excellent places for job recruiters. They also became great places for competitive intelligence professionals to overhear casual discussions between coworkers discussing sensitive information. The miners on these flights were also sometimes able to sneak a peek at a fellow passenger's business presentation or financial spreadsheets. Be careful on aircraft and, for that matter, trains or any type of public transportation vehicle.

Any public place where employees go, competitive information gatherers can also go: for example, airports, taxis, coffee shops, restaurants, and especially bars near company offices and facilities, and, of course, professional trade shows. An operative working for the competition might corner one of your business leaders after a company presentation or pose as a potential customer. They do this in order to try to get a demonstration of a new product or learn about pricing scenarios from your sales team. Or that information gatherer might simply take off his name badge before approaching your booth at a trade show.

Professionals must know when not to speak about sensitive business matters in public forums or places: They must be vigilant about this. These items can be associated with, or worse yet, directly related to intellectual property that the company wishes to protect. Professionals must also know how to work with their marketing departments to ensure the risks of divulging internal information at a conference or trade show do not outweigh the benefits of gaining new business.

Employment interviews can also turn into possible disclosures of sensitive information. Competitors may sometimes risk sending one of their own employees to a job interview. They could also hire a competitive intelligence firm to do the same. Conversely, a competitor might invite one of your employees in for a job interview, with no other purpose than gleaning information about your sensitive products, endeavors, and/or processes.

Competitive Intelligence Gatherers Are Experts at Putting the Pieces Together

In many ways, trade secrets are very easy to protect. Stealing trade secrets is illegal under the “1996 Economic Espionage Act.” Employees usually know that trade secrets can be very valuable to the right parties, and nondisclosure agreements may protect your company further. What is more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture (as we just discussed), and how something as simple as a company's phone list can become a weapon in the hands of information gatherers.

Consider the following scenario: An unnamed competitive intelligence research executive once had a client who requested him to find out whether any competitive rivals were working on a specific technology area. During his research of the public records, he was able to discover nine or ten authors who had been publishing several white papers on this specialized technology area. These authors seemed to have been aware of each other for some time, and in some cases, were friends or acquaintances with each other. Then, all of a sudden, these authors all stopped writing about this technology area. This research executive then performed some background investigative work and discovered that each of these authors had moved to a certain part of the country and now worked for the same company. None of that constituted a trade secret or even, necessarily, strategic information. However, the competitive research executive was now clearly beginning to see a big picture forming.

What that told him was that these authors had probably stopped publishing information about this technology area, perhaps because they recognized that the technology had achieved a point where it was probably going to be profitable. Then, by calling the authors on the phone, attending public meetings where they were speaking on other topics, and later asking them after their presentations about the research they were no longer speaking publicly about, the competitive search firm was now able to figure out when the technology was planned to hit the market. This information then gave his client a two-year window into the competition's plans. This big picture the research executive was able to piece together may have in fact been based on gathering this intellectual property, which could very well affect the revenue streams of the company planning to release this technology area.

Some Competitive Research Consultants May Choose to Extend Beyond Acceptable Ethics

Some other countries around the world may have vastly different ethical and legal guidelines for information gathering. Almost everything we have talked about until this point in this chapter is legal in the United States—or, arguably, legal in the hands of a very clever lawyer of the court. However, there is yet another much darker realm of corporate intellectual property sleuthing. Less ethical tactics (at least in the U.S.) include utilizing hidden recording devices, bribery and thievery, and even extortion, which is widely practiced elsewhere in the world.

For example, an unnamed bank in South America suspected espionage and had already retained a private security consultancy for internal purposes. They also selected this private security consultancy to perform an exhaustive sweep of the facilities, searching for any hidden recording devices. Nothing was found. However, since this loss of information continued after this initial sweep, the bank then chose to retain (yet again) a different security consultancy team. This second security team found 27 different hidden recording devices. The entire executive suite was wired for both motion and sound. As it turned out, the first team engaged to look for these recording devices was suspected to have been the team installing these espionage devices.

Espionage is sometimes sanctioned in certain countries—or sometimes even carried out by foreign governments, which may view this as assisting local companies to keep competitive positions on foreign rivals. Some foreign governments might purportedly view this as an acceptable means to boost the country's economy.

This is why there is no single set of guidelines for protecting intellectual property that will work everywhere in the world. The security department's role is to evaluate the risks for every country where the company conducts business and act accordingly, even if this means briefing their professionals prior to their entry into that country. Some company procedures, such as reminding people to protect their laptops, will remain unchanged. Remember that these devices, too, can retain immense amounts of intellectual property. However, for certain countries, it is paramount that more precautions be put in place. Executives traveling to Pakistan, for example, might need to register under pseudonyms, have their hotel rooms or workspaces swept for bugs, or even have security guards help protect information. One of the authors of this book has been assigned armed drivers in several countries visited, due to corporate kidnappings and protections of other sorts. These topics are not to be taken lightly with regard to intellectual property protection and conducting business as a professional in foreign countries.

Ensure That You Understand Sensitivities of Countries Where You, as a Professional, Must Conduct Business

During the last few years, it has been proven that some countries have developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country's economy. Many other countries are worse.

An excellent resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index, published each year by “Transparency International” (and made famous by The Economist).

In 2003, the Corruption Perceptions Index ranked 12 countries as being perceived as the most corrupt. These countries were (at that time): Bangladesh, Nigeria, Haiti, Paraguay, Myanmar, Tajikistan, Georgia, Cameroon, Azerbaijan, Angola, Kenya, and Indonesia.

Another list ranked some large countries where companies are most likely to extend and pay bribes in order to win or retain business in their emerging markets. The worst scores belonged to Russia, China, Taiwan, and South Korea, followed by Italy, Hong Kong, Malaysia, Japan, USA, and France.[16]

[16] For more information, please reference this index at Transparency International http://www.transparency.org.

India is another country of increasing importance to global businesses, primarily because of the rapid rise of offshore outsourcing. The prevalence of outsourcing of IT functions now introduces some unique vulnerability to companies that may not think of themselves as having a global presence.

In legal terms, the most widely recognized global standard is the World Trade Organization's intellectual property add-on, TRIPS (Trade-Related Aspects of Intellectual Property Rights). However, TRIPS protection must be enforced locally, and none of the countries prominent in software outsourcing, including India, have local laws covering theft of trade secrets. TRIPS signature or not, if a country's culture does not respect property, then the courts are unlikely to enforce any respective laws.

Here are ten best practices for protecting intellectual property, specifically where a company might be leveraging offshore software park development work:

  1. Register intellectual property as appropriate, as a copyright, patent, trademark, or trade secret.

  2. Inspect the physical premises where any software will be developed. Note whether buildings have basic security check-in procedures. Find out what kind of access people have to the key development/testing systems.

  3. Analyze network functions, especially if you plan to use virtual private networks (VPNs). These are excellent for cross-facility communications and make it easier for remote employees to work from home or other remote locations; unfortunately, this benefit can increase vulnerability across the network.

  4. Protect important information (e.g., source code) with passwords and access codes and make sure that these information assets are not widely available, either in the United States or at any of the outsourcing locations. Resist the urge to place any of these assets on removable disk media, as this will make protection and audit of who handles this information virtually impossible.

  5. Demand that the outsourcing parties practice responsible human resource screening procedures. Analyze employee retention figures, and find out if competitors do business with these same companies; if so, work to ensure that there is no contact between any of the personnel teams.

  6. Understand what risks your organization can take and what risks the organization is unwilling to manage. Some types of regulated industries (e.g., health care and financial services) need to ensure closer controls over data and software development than, let's say, packaged goods companies.

  7. Work to understand the legal systems and cultures of all countries involved in any respective business partnerships. Be sure to negotiate binding contracts/agreements that make the offshore company responsible for the actions of its employees. Realize that when doing business in foreign countries, it is very likely that you are at the will of that country's legal system.

  8. Budget for greatly increased telecom costs, as well as for regular visits to the outsourcer. Ensure that both these acts of conducting telecom transmissions and conducting visits to these countries have all the necessary safeguards available.

  9. Make sure that any test case data being utilized does not expose real information, especially types of information that might be traceable to real customers.

  10. Always maintain original and secured copies of all source code.

Companies that do not have the resources to take these steps should very carefully consider exactly what (if anything) they are putting at risk by leveraging offshore capabilities or international business relations. This is important to consider whether it is software development or some other international function, such as multi-national call centers involving sensitive customer data.

Intellectual property is indeed a sensitive, complex, and rather complicated subject: complicated, as we can see, across several dimensions. We have discussed in prior chapters acceptable methods of intellectual property protection (at least in the U.S.). In this chapter, we have also discussed the risks associated with international business engagements. The bottom line is that all intellectual property has some form of value. Protection of these types of assets will vary, depending on the nature of the asset, the country the asset was born in, and the laws surrounding business ethics for that country.