Intellectual property protection is a complex duty with aspects that may fall under the purview of Legal, IT, Human Resources and other departments. Ultimately a Chief Security Officer or Risk Committee often serves to unify intellectual property protection efforts.
Here are answers to common IP questions.
- What is intellectual property?
- What are the differences between patents, trademarks, copyrights and trade secrets?
- Isn't protecting intellectual property the legal department's job?
- What does the security group need to do to keep intellectual property safe?
- How does "competitive intelligence" work?
- How do legal protections vary around the world?
- What are ways of protecting intellectual property when you're sending software work offshore?
- Related articles from CSO magazine
'Intellectual property' sounds pretty fuzzy. What exactly is it?
Intellectual property (IP) can be anything from a particular manufacturing process to plans for a product launch, a trade secret like a chemical formula, or a list of the countries in which your patents are registered. It may help to think of it as intangible proprietary information. The formal definition, according to the World Intellectual Property Organization, is creations of the mind: inventions, literary and artistic works, symbols, names, images, and designs used in commerce. IP includes but is not limited to proprietary formulas and ideas, inventions (products and processes), industrial designs, and geographic indications of source, as well as literary and artistic works such as novels, films, music, architectural designs and web pages.
For many companies, such as those in the pharmaceutical business, IP is much more valuable than any physical asset. Authoritative sources report that each year, intellectual property theft costs U.S. companies about $300 billion.
From a legal standpoint, there are four types of intellectual property. IP registered in one of those categories with state and federal agencies is protected by law, and if infringed upon or otherwise abused, the infringers can be prosecuted.
The four legally-defined categories of intellectual property are:
- Patents: When you register your invention with the government—a process that can take more than a year—you gain the legal right to exclude anyone else from manufacturing or marketing it. Patents cover tangible things. They can also be registered in foreign countries, to help keep international competitors from finding out what your company is doing. Once you hold a patent, others can apply to license your product. Patents can last for 20 years.
- Trademarks: A trademark is a name, phrase, sound or symbol used in association with services or products. It often connects a brand with a level of quality on which companies build a reputation. Trademark protection lasts for 10 years after registration and can be renewed "in perpetuity". But trademarks don't have to be registered. If a company creates a symbol or name it wishes to use exclusively, it can simply attach the TM symbol. This effectively marks the territory and gives the company room to prosecute if other companies attempt to use the same symbol for their own purposes.
- Copyrights: Copyright laws protect written or artistic expressions fixed in a tangible medium - novels, poems, songs or movies. A copyright protects the expression of an idea, but not the idea itself. The owner of a copyrighted work has the right to reproduce it, to make derivative works from it (such as a movie based on a book), or to sell, perform or display the work to the public. You don't need to register your material to hold a copyright, but registration is a prerequisite if you decide to sue for copyright infringement. A copyright lasts for the life of the author plus another 50 years.
- Trade secrets: A formula, pattern, device or compilation of data that grants the user an advantage over competitors is a trade secret. It is covered by state, rather than federal, law. To protect the secret, a business must prove that it adds value to the company - that it is, in fact, a secret - and that appropriate measures have been taken within the company to safeguard the secret, such as restricting knowledge to a select handful of executives. Coca-Cola, for example, has managed to keep its formula under wraps for more than 117 years.
But IP can also be something broader and less tangible than these four protected classes: it can simply be an idea. If the head of your R&D department has a eureka moment during his morning shower and then applies his new idea at work, that's intellectual property too.
Sounds like protecting IP is mostly the legal department's job.
Legal protection is definitely part of the plan, but if your IP is stolen by ne'er-do-wells, catching them is hard, prosecuting them is harder, and getting the stolen information back - putting the proverbial cat back in its bag - is usually impossible. In this area a little bit of paranoia is quite helpful, because people really are out to get you. Consider these real-life examples.
- In the week before one company released its quarterly report, employees in units that report to the CFO received 200 calls from people claiming to be with a credit reporting agency that needed information about the earnings report prior to its release. Employees were instructed to transfer all such inquiries to the security office, but the calls kept coming. It was later revealed that calls came from a research company hired by the competition.
- An engineer regularly had lunch with a former boss now working for a rival, and fancied himself a hero for gathering competitive intelligence. But the information he was giving up in return caused his employer, formerly the market leader, to lose three major bids in 14 months.
- Immigrant scientists from Eastern Europe who were working on an American defense project kept getting unsolicited invitations from their home countries to speak at seminars or serve as paid consultants. The invitations appealed to them as scientists - they wanted to share information about their work with peers. The countries saw this kind of intelligence gathering as cheaper than research and development.
So what does the security group need to do to keep intellectual property safe?
- Know what you've got: If all employees understand what needs to be protected, they can better understand how to protect it, and whom to protect it from. To do that, CSOs must communicate on an ongoing basis with the executives who oversee intellectual capital. So meet with the CEO, COO and representatives from HR, marketing, sales, legal services, production and R&D at least once a quarter. Corporate leadership must work in concert to adequately protect IP.
- Prioritize it: CSOs who have been protecting intellectual property for years recommend doing a risk and cost-benefit analysis. Make a map of your company's assets and determine what information, if lost, would hurt your company the most. Then consider which of those assets are most at risk of being stolen. Putting those two factors together should help you figure out where to best spend your protective efforts (and money).
- Label it: If information is confidential to your company, put a banner or label on it that says so. If your company data is proprietary, put a note to that effect on every log-in screen. This seems trivial, but if you wind up in court trying to prove someone took information they weren't authorized to take, your argument won't stand up if you can't demonstrate that you made it clear that the information was protected.
- Lock it up: Physical and digital protection is a must. Lock the rooms where sensitive data is stored, whether it's the server farm or the musty paper archive room. (See Safe Document Transfer: How to Secure the Paper Chain for a fascinating look at physical security measures pertaining to offsite document storage.) Keep track of who has the keys. Use passwords and limit employee access to important databases.
- Educate employees: Awareness training can be effective for plugging and preventing IP leaks, but only if it's targeted to the information that a specific group of employees needs to guard. When you talk in specific terms about something that engineers or scientists have invested a lot of time in, they're very attentive.
As is often the case, humans are the weakest link in the defensive chain. That's why an IP protection effort that counts on firewalls and copyrights, but doesn't also focus on employee awareness and training, is doomed to fail.
- Know your tools: A growing variety of software tools is available for tracking documents and other IP stores. The category of data loss protection (or data leakage prevention) grew quickly in the mid-2000s and now shows signs of consolidation into other security toolsets (Symantec's acquisition of Vontu being a milestone in that process), although many independent vendors still exist. These tools not only locate sensitive documents, but also keep track of how they are being used, and by whom.
- Think holistically: Motorola's Chief Information Security Officer Bill Boni explains how problems can arise if you don't take a "big picture" view of security. If someone is scanning the internal network, your internal intrusion detection system goes off, and typically somebody from IT calls the employee who's doing the scanning and says, "Stop doing that." The employee offers a plausible explanation, and that's the end of it. Then later, the night watchman sees an employee carrying out protected documents, and his explanation is "Oops...I didn't realize that got into my briefcase." Over time, the human resources group, the audit group, the individual's colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these breaches were perpetrated by the same person. This is why communication gaps between infosecurity and corporate security groups can be so harmful. IP protection requires connections and communication between all the corporate functions. The Legal department has to play a role in IP protection, and so does Human Resources, and Information Technology, and Research and Development, and Engineering, and Graphic Design.... Think holistically both to protect and to detect.
- Apply a counter-intelligence mindset: If you were spying on your own company, how would you do it? Thinking through such tactics will lead you to consider protecting phone lists, shredding the papers in the recycling bins, convening an internal council to approve your R&D scientists' publications, or other ideas that may prove worthwhile for your particular business.
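The "Think holistically" failure above, where IT, physical security and HR each log an isolated incident about the same person, can be caught by joining the teams' records on a common identity. The sketch below is an added example, not from the article; the directory, identifiers, incident records, 90-day window and two-team threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory: each team records a different identifier for one person.
DIRECTORY = {
    "jdoe": "E1001", "badge-4471": "E1001", "john.doe@example.com": "E1001",
    "asmith": "E1002", "badge-5120": "E1002",
}

# Constructed incident records: (reporting team, subject as logged, date, note).
INCIDENTS = [
    ("it-ids", "jdoe", "2024-03-04", "internal network scan"),
    ("it-ids", "asmith", "2024-03-05", "internal network scan"),
    ("physical", "badge-4471", "2024-03-19", "protected documents in briefcase"),
    ("hr", "john.doe@example.com", "2024-04-02", "colleague complaint"),
    ("it-ids", "asmith", "2024-09-30", "internal network scan"),
    ("audit", "unknown-user", "2024-04-03", "unlabelled export"),
]

def correlate(incidents, directory, window_days=90, min_sources=2):
    """Return (flagged, unresolved). flagged maps an employee ID to the
    incidents reported by at least min_sources different teams within
    window_days; unresolved holds records whose subject is not in the directory."""
    by_person, unresolved = defaultdict(list), []
    for source, subject, day, note in incidents:
        emp = directory.get(subject.lower())
        if emp is None:
            unresolved.append((source, subject, day, note))  # needs manual review
            continue
        by_person[emp].append((datetime.strptime(day, "%Y-%m-%d"), source, note))

    flagged, window = {}, timedelta(days=window_days)
    for emp, events in by_person.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            # Repeats from a single team do not count; distinct teams do.
            if len({src for _, src, _ in in_window}) >= min_sources:
                flagged[emp] = in_window
                break
    return flagged, unresolved

if __name__ == "__main__":
    flagged, unresolved = correlate(INCIDENTS, DIRECTORY)
    for emp, events in flagged.items():
        print(emp, [(d.date().isoformat(), s, n) for d, s, n in events])
    print("unresolved:", unresolved)
```

Records that cannot be tied to a known identity are returned rather than dropped, since an unmatched subject is itself a gap between the teams' systems.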
Phone lists? Paper shredders? Sounds a little extreme.
Security pros have to understand the dark forces that are trying to get information from your company and piece it together in a useful way. Some of these forces come in the guise of "competitive intelligence" researchers who, in theory anyway, are governed by a set of legal and ethical guidelines carefully wrought by the Society of Competitive Intelligence Professionals (SCIP). Others are outright spies hired by competitors, or even foreign governments, who'll stop at nothing, including bribes, thievery, or even a pressure-activated tape recorder hidden in your CEO's chair. But most threats to your information operate in a gray zone.
To build solid defenses, consider how snoops work: