As a special feature of our blog – special guest postings by experts, clients, and other professionals – please enjoy this blog entry by Pamela Passman, President and CEO for the Center for Responsible Enterprise and Trade (CREATe.org).
-Robert Milligan, Editor of Trading Secrets
Around the globe, dozens of countries are considering or enacting legal reforms to grapple with the growing misappropriation of trade secrets. As these changes lumber forward, it remains to be seen how new laws will be enforced, and whether legal remedies will offset the losses from theft.
In this uncertain landscape, companies must invest in practical, preventive measures to address the risk to their valuable intellectual assets, according to a new report, “Economic Impact of Trade Secret Theft: A framework for companies to safeguard trade secrets and mitigate potential threats.”
The report by the Center for Responsible Enterprise and Trade (CREATe.org) and PricewaterhouseCoopers provides a fresh look at the problem of trade secret theft — including an estimate of the magnitude of the problem and analysis of the main types of perpetrators, their motivations and means. It also develops several scenarios suggesting how the effectiveness of regulation, the openness of the internet, and cyber threats could play out and impact the environment for the protection of trade secrets in the coming 10-15 years.
Practical measures in an uncertain world
For companies, this analysis provides a backdrop for addressing the immediate and pressing challenge: How to protect trade secrets in a rapidly changing and risky global marketplace?
The report offers companies an original framework for protecting valuable competitive information that has been developed through experience, investment and research.
A series of practical measures, the report argues, should be adopted throughout the company’s operations — and shared or required of contractors and business partners throughout the global supply chain, to the greatest extent practical.
The five-part framework — illustrated with the help of a fictional company, ABC Widget — starts with making an inventory of trade secrets.
ABC is billed as a large, global, publicly traded, U.S.-based alternative energy company with a widely dispersed global supply chain.
Get a handle on the goods
The inventory process starts with “a cross-functional team of senior executives, business unit leaders and corporate functional leaders” who are asked to make lists of key company information in five categories: product information, research and development, critical and unique business processes, sensitive business information, IT systems and information.
“Participants arrive at the working session with their lists, which they present, discuss, and compile into a master list that aligns with ABC’s views about what constitutes a trade secret. The meeting results in a categorized list of valuable trade secrets reflecting critical elements of ABC’s business model.”
With that, a team of security professionals moves into action:
“Using tools that search based on keywords and other identifiers, trade secrets from the master list are found on various servers, in files with non-relevant file names, and on shared-file sites created for reasons unrelated to the trade secret itself. The results for the location of each trade secret found are noted on the master list, to be incorporated later into the vulnerability assessment.”
The security team also works with the other business leaders to find trade secrets that are not digitized — things like handwritten notes and prototypes — in an effort to make the inventory as comprehensive as possible.
Pick your poison
The second step is to assess the “threat actors” that present the greatest risk to the company’s assets, given its specific industry and areas of operation — and how company security systems measure up.
Various perpetrators (competing companies, transnational criminal organizations, “hacktivists,” nation-states and “malicious insiders” in the company) have various means of stealing trade secrets and a variety of motivations, including pure profit, nationalistic advantage and political or social goals.
Companies involved in military technologies or dual-use technologies that have civilian and military applications, for instance, will need to factor in the threat from governments that have been known to steal information through cyber attacks or by dealing with “malicious insiders” who work for the company.
Where to put the money
From there, the report walks through level three of the framework — ranking trade secrets according to the impact that their theft would have on the business.
Step four is to assign a dollar cost to those hypothetical losses. This includes direct impact on performance, including lost sales revenue and market share. It also includes indirect losses, where there is damage to investor confidence, customer trust or other secondary impacts.
So, in the case of the fictional ABC alternative energy company, the report explores the indirect dollar impact from stolen source code:
ABC… investors may assert that the company lacks appropriate controls and protection processes to support sustainable growth, deciding to sell shares despite the absence of direct financial consequences of the theft. Also, if discussion of the theft trends on social media blogs or is covered by traditional media, it can influence long-term customers’ buying decisions. Similarly, the theft may erode the trust of the company’s key business partners.
After assigning costs to the damage, the company is in a position to take step five: deciding where to invest its resources to mitigate the most significant potential threats to trade secrets.
This, of course, is the bottom line: Companies need to understand, assess and embrace their trade secrets, and develop security around them. In the global economy, this security is an investment, rather than a cost.
###
Pamela Passman is President and CEO of the Center for Responsible Enterprise and Trade, a non-profit organization working with companies to protect intellectual property and prevent corruption in global supply chains. Previously, Pamela was the Corporate VP and Deputy General Counsel, Global Corporate and Regulatory Affairs at Microsoft Corp and has practiced law with Covington & Burling (Washington, DC) and Nagashima & Ohno (Tokyo).