There is an epidemic in the business community. Few see it, few recognize it, and even fewer know how to combat it. It is not deterred by many of the measures put in place by most security professionals, and it can significantly impact an organization's ability to conduct business. This epidemic is the theft of trade secrets. It happens on a regular basis, and it is on the rise due to the fact that nearly all of our business documents and communications are in electronic format.
It is extremely difficult to keep track of all versions of all files and to keep tabs on the activities of traveling employees when they work on their laptops while on the road. Many people have multiple e-mail accounts?both business and personal. It is a trivial matter for an individual to forward confidential and proprietary files to a personal e-mail account. This may be done without any malicious intent; many people work at home on a regular basis. As a speaker and a writer I have copies of everything I have created stored at home both on CDs and my home computer hard drive. If I were devious, it would not be difficult to do the same thing with confidential and proprietary documents and files. With a business downturn these same documents could be used as a bartering tool for someone seeking employment with a competitor.
We have worked many cases that exemplify the current problem with theft of trade secrets. One intriguing case involved the lead salesperson for an international company. He was upset because he thought his compensation was not at the appropriate level. He left his employer to work for a direct competitor. On the surface this does not look like a significant issue, but due to poor security measures on his previous employer's network this person had access to all of the proprietary research and development files along with all of the marketing and sales plans. Upon examination of his computer we discovered a deleted personal e-mail in which he promised the competition that he would provide them with as much proprietary information as possible if the competitor would hire him.
Another example involved the vice president of a division of a Fortune 500 company who decided to work as CEO of his division's direct competition. His compensation package was doubled and included a 50 percent signing bonus. Do you think he received this generous compensation package solely on his merits as a businessman? When examining his laptop we discovered duplicate copies of several documents: one copy on his previous employer's letterhead, the other on his new employer's letterhead. We even found a deleted memo that included a marketing plan in which the new CEO was tasked with reaching out to all of the clients of his previous employer to earn their business.
In a final example, a company announced a downsizing. The following day a corporate executive was seen copying a great deal of information to CDs. The day after that the executive left, along with about half a dozen other employees. It was soon discovered that that team of people was now working for the competition. Why was this a concern? The previous employer had developed a brand-new product line that would give it an edge over the competition. The competition now had all of the design plans and specifications for the new products, along with the engineers that designed them.
When an employee leaves his employer to work for the competition and brings trade secret information with him, he is providing the competition with an unfair business advantage. There are laws in place that are designed to protect trade secrets. One is the Uniform Trade Secrets Act, which is a federal law, but most states have adopted similar legislation and the Economic Espionage Act of 1996.
A Trade Secret Is ...
Before calling your attorney or an investigator with a claim of the theft of trade secrets, it is important to define a trade secret. One of the more commonly cited definitions comes from the "Restatement of Torts," which defines a trade secret in the following manner: "A trade secret may consist of any formula, pattern, device or compilation of information which is used in one's business, and which gives him an opportunity to obtain an advantage over competitors who do not know or use it. It may be a formula for a chemical compound, a process of manufacturing, treating or preserving material, a pattern for a machine or other device, or a list of customers."
The Uniform Trade Secrets Act expands on this definition by stating: "Trade secret means information, including a formula, pattern, compilation, program device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy."
In simple terms, a trade secret must be novel or unique, it must be protected and it must have economic value.
Reasonable Measures of Protection
According to the above definition, a company must take reasonable measures to protect trade secrets, or it will be easy to say that the information is not a trade secret because everyone had access to it. When reviewing the following "reasonable measures," notice that the steps outlined cross departmental lines. Protecting trade secrets falls upon the shoulders of the legal, HR, physical security and IT/IT security departments. This again reinforces the current trend of holistic or collaborative security.
Trade secrets should be classified as "Confidential" or "Trade Secret," labeled accordingly and stored appropriately. Electronic files should have the appropriate rights and restrictions applied so that only those with a definite need can access them. Restrict or eliminate remote access to trade secrets. Other technology measures should also be implemented to protect trade secrets, including the installation of a properly configured and maintained firewall. (In this day and age it is hard to imagine any company exists that does not have a firewall.) Initiate monitoring of corporate e-mail. E-mail monitoring applications exist that allow companies to filter e-mail messages based on certain criteria. If there is a new product under development and it has a specific code name, it might be prudent to filter e-mail to ensure that no e-mail exits the organization that contains this particular code name. One solution that provides this capability is CAMEO, Content Auditing for Microsoft Exchange Organizations. Information on this product can be found at www.amtsoft.com/cameo.
However, the filtering of corporate e-mails may not be enough. Those intent on sending information to the competition will not use a corporate-supplied e-mail account. It is extremely simple to set up a free Web-based e-mail account or to use a personal account that provides Web access. Companies should block access to free e-mail sites such as Hotmail and should issue a policy prohibiting the use of Web-based e-mail. This can assist not only with protecting trade secrets but with employee productivity issues as well.
Lastly, it might be important to perform periodic audits of the laptop computers of traveling sales staff and corporate executives. Because laptop computers are portable, it is possible they are being used to communicate trade secrets when the suspect employee is out of the office. When an employee is terminated or leaves the company, take the appropriate steps to have the laptop returned as quickly as possible.
Technology solutions are not the only steps that need to be implemented; physical security issues need to be addressed as well. Hard copies of trade secrets should be stored in locked file cabinets that are located in rooms with restricted access. Other physical and procedural barriers should be put in place that prevent non-employees from being in areas where these trade secrets are stored. This includes restricting access to cleaning crews, other third-party vendors and the general public. Many companies refuse to implement measures like this because access can become cumbersome if the measures are not implemented properly.
In addition to the steps already mentioned, consider implementing a document management program. This should include a valid document retention policy that outlines what documents are kept and for how long. Documents that are no longer needed should be deleted and hard copies shredded. A restriction should be set as to how many copies of a particular document or file can be created. This policy should include a prohibition on the e-mailing of trade secrets to electronic distribution lists. As with all other policies, mechanisms should be implemented to enforce these policies and consequences should be outlined for non-compliance.
Other methods of protecting documents include developing a series of policies addressing trade secrets, including non-disclosure, non-solicitation, non-recruitment and non-compete agreements.
A non-disclosure agreement basically binds an employee to not disclose trade secret information during and for a specified time after employment. This agreement should be signed when an employee begins employment and should be addressed with the employee during the exit interview.
A non-solicitation agreement forbids an employee to solicit business from current clients for a specified time period if they work for a competitor. Competitors may try to avoid conflicts by assigning new sales territories to people that come to work for them. On the surface this looks like a willingness to adhere to the non-solicitation agreement, but in reality, there is nothing to stop the new salesperson from sharing specific information about their old territory and their old clients with the new company.
Another beneficial policy is a non-recruitment policy (sometimes called a non-solicitation of employees policy). This policy prohibits former employees from actively recruiting employees from his previous employer. This type of policy can help prevent the wholesale departure of a particular department.
A non-compete agreement specifically prohibits an employee from working for the competition for a specified period of time. Non-compete agreements can sometimes be difficult to enforce, because the courts argue that employers do not have the right to prevent former employees from earning a living. Another interesting point is that even if a former employee promises not to disclose proprietary or confidential information to his new employer, it is possible to argue that there will be an inevitable disclosure of confidential information on the part of the employee. This inevitable disclosure doctrine may be the point needed to prevent proprietary information from falling into the competition's hands. To learn more about inevitable disclosure, research the case of PepsiCo Inc. v. Redmond. For additional information on how these policies can help protect trade secrets, go to www.findlaw.com and conduct a search on the term "trade secrets."
Once these policies are in place, a periodic review should be established. All too often companies keep their policies in a dust-covered tome and only refer to them during a crisis. Keeping employees fully aware of the policies covering trade secrets and proprietary information will help reduce the risk of losing trade secrets and can be a valuable tool should you find yourself legally pursuing someone in violation.
The theft of trade secrets is a significant issue for any business. Because information can now be disseminated with the click of a mouse, and it often falls outside the scope of many security measures currently in place, the problem can only get worse. Now is the time to put mechanisms in place to reduce this vulnerability.
John Mallery is chief technology officer for Clarence M. Kelley and Associates Inc., a private investigation firm headquartered in Kansas City, Mo. He manages the firm's technical service offerings, network security consulting and computer forensics. John can be reached at firstname.lastname@example.org .