Cybersecurity – Protecting Intellectual Property

February 2017

By: Peter C. Lando

In recent years, cyber-attacks have become a major concern of businesses and governments worldwide. Many widely reported network breaches of data and other misappropriation of information have disrupted businesses’ and individuals’ activities; retail credit and customer data have been accessed, and companies have lost billions of dollars in intellectual property (IP) rights. As society becomes increasingly connected, and as technologies continue to converge, offering multiple functions and interconnectivity, a greater number of networks will handle even more highly sensitive information – providing vulnerable access points for cyber-attacks.[1] Cyber-attackers can be sophisticated, targeting specific valuable information and IP; it has been reported that more than 90% of these attacks involve a company’s trade secrets, which include proprietary business information that provides an economic advantage over competitors.

Recognizing the detrimental impact on businesses’ commercial activities and profitability that these threats present is necessary to protect against or minimize such attacks. Many companies are therefore developing cybersecurity software and hardware that address some of these concerns.[2] Even with these current or promised marketplace solutions, users should remain vigilant when handling sensitive information, particularly when such information is accessible through the internet. The following are several considerations (in no particular order) for businesses and individuals to implement or reestablish as part of a cybersecurity plan to protect their IP:

  1. Train employees on IP basics, and inform and remind employees about trade secrets (what they generally include, how they are and remain protected, and the value that they provide to the company). In addition, a trade secret protection plan should be developed, and published for employees.
  2. Conduct IP audits and identify confidential and trade secret information. Label trade secret materials as “confidential” and “property of [the company].” Such labels should be used appropriately on written documents, including e-documents, and in software and source code. Non-confidential materials should not be labeled as confidential.
  3. Create and publish detailed information technology (IT) management policies, standards, and procedures. In addition to notifying users about risks associated with computer and internet access, these policies should include, for example, best practices and information regarding accessibility (electronic, remote, and physical), and approved applications and devices (computers and mobile devices), connectivity, IP (including trade secrets, copyright), privacy, network management, identification, and web user standards.
  4. Restrict access to confidential information. Determine where it was created, and limit knowledge of confidential and trade secret information, and access to trade secret materials, to employees who need to know it. Limiting access to such information reduces the risk of misappropriation.
  5. Access to electronic documents and confidential information should also be monitored. Utilize e-document security technologies that include document analytics, and information rights. This will allow for tracking of network activity, and may include alerts regarding export or copying of e-files of predetermined size. Secure trade secret materials in locked areas; require visitors to sign confidentiality agreements, and to sign in and out of, and be escorted through, any facility. As to company developments, maintain a lab notebook policy, including e-notebooks, that requires all activities to be recorded, witnessed, identified as “confidential,” and controlled.
  6. Encrypt confidential information and IP. Maintain computer secrecy by limiting access to computer networks and files through use of passwords or other personal means, and store computer-related materials in secured areas. Encryption is useful for identifying, storing, sending, or receiving confidential materials.
  7. Develop policies and procedures for management and control (including handling, storage, and disposal) of confidential information and other sensitive documents. Review all information disclosed at trade shows, articles, publications, proposals, interviews, and the like. Deal cautiously with third parties; use confidentiality agreements, and identify confidential information being disclosed (or received). Also, confirm that the level of disclosure is appropriate to the obligation (and not greater than required).
  8. Create and test electronic document security policies, including regular audits for compliance with the protection plans. Continually refine these policies and incorporate the most current cybersecurity technologies.
  9. Have employees sign employee agreements that include non-compete and confidentiality provisions. Employment manuals and policies should remind employees of proper handling of IP, electronic data and communications, and confidential information.
  10. Create new/former employee policies. Utilize exit interviews to remind former employees of their obligations to the company, and to collect relevant paper and e-documents and other items from departing employees. Departing employees’ network activity should be reviewed during periods prior to and after resignation or termination.

_____________________

[1] See, for example, Akamai’s 2016 report on the state of the internet’s security, which reveals that Distributed Denial of Service (DDoS) attacks continued to increase throughout 2016, and that insecure Internet of Things (IoT) devices continue to be a large source of traffic for DDoS attacks. The report predicts that the rapid growth of IoT devices will provide greater opportunities for such attacks.

[2] For example, some include products that: (a) monitor secure access to third-party applications; (b) offer cloud-based threat scanning; (c) identify potential threats from within organizations; (d) improve anti-virus detection; (e) allow for secure code creation; and/or (f) provide for biometric markers. RSA Conference 2017, as reported in the Boston Business Journal, Feb. 16, 2017.