Intellectual property protection is a complex duty with aspects that may fall under the purview of Legal, IT, Human Resources and other departments. Ultimately a Chief Security Officer or Risk Committee often serves to unify intellectual property protection efforts.
Here are answers to common IP questions.
- What is intellectual property?
- What are the differences between patents, trademarks, copyrights and trade secrets?
- Isn't protecting intellectual property the legal department's job?
- What does the security group need to do to keep intellectual property safe?
- How does "competitive intelligence" work?
- How do legal protections vary around the world?
- What are ways of protecting intellectual property when you're sending software work offshore?
- Related articles from CSO magazine
'Intellectual property' sounds pretty fuzzy. What exactly is it?
Intellectual property (IP) can be anything from a particular manufacturing process to plans for a product launch, a trade secret like a chemical formula, or a list of the countries in which your patents are registered. It may help to think of it as intangible proprietary information. The formal definition, according to the World Intellectual Property Organization, is "creations of the mind: inventions, literary and artistic works, symbols, names, images, and designs used in commerce." IP includes but is not limited to proprietary formulas and ideas, inventions (products and processes), industrial designs, and geographic indications of source, as well as literary and artistic works such as novels, films, music, architectural designs and web pages.
For many companies, such as those in the pharmaceutical business, IP is much more valuable than any physical asset. Authoritative sources report that each year, intellectual property theft costs U.S. companies about $300 billion.
From a legal standpoint, there are four types of intellectual property. IP registered in one of those categories with state and federal agencies is protected by law, and if infringed upon or otherwise abused, the infringers can be prosecuted.
The four legally-defined categories of intellectual property are:
- Patents: When you register your invention with the government—a process that can take more than a year—you gain the legal right to exclude anyone else from manufacturing or marketing it. Patents cover tangible things. They can also be registered in foreign countries, to help keep international competitors from finding out what your company is doing. Once you hold a patent, others can apply to license your product. Patents can last for 20 years.
- Trademarks: A trademark is a name, phrase, sound or symbol used in association with services or products. It often connects a brand with a level of quality on which companies build a reputation. Trademark protection lasts for 10 years after registration and can be renewed "in perpetuity". But trademarks don't have to be registered. If a company creates a symbol or name it wishes to use exclusively, it can simply attach the TM symbol. This effectively marks the territory and gives the company room to prosecute if other companies attempt to use the same symbol for their own purposes.
- Copyrights: Copyright laws protect written or artistic expressions fixed in a tangible medium - novels, poems, songs or movies. A copyright protects the expression of an idea, but not the idea itself. The owner of a copyrighted work has the right to reproduce it, to make derivative works from it (such as a movie based on a book), or to sell, perform or display the work to the public. You don't need to register your material to hold a copyright, but registration is a prerequisite if you decide to sue for copyright infringement. A copyright lasts for the life of the author plus another 50 years.
- Trade secrets: A formula, pattern, device or compilation of data that grants the user an advantage over competitors is a trade secret. It is covered by state, rather than federal, law. To protect the secret, a business must prove that it adds value to the company - that it is, in fact, a secret - and that appropriate measures have been taken within the company to safeguard the secret, such as restricting knowledge to a select handful of executives. Coca-Cola, for example, has managed to keep its formula under wraps for more than 117 years.
But IP can also be something broader and less tangible than these four protected classes: it can simply be an idea. If the head of your R&D department has a eureka moment during his morning shower and then applies his new idea at work, that's intellectual property too.
Sounds like protecting IP is mostly the legal department's job.
Legal protection is definitely part of the plan, but if your IP is stolen by ne'er-do-wells, catching them is hard, prosecuting them is harder, and getting the stolen information back - putting the proverbial cat back in its bag - is usually impossible. In this area a little bit of paranoia is quite helpful, because people really are out to get you. Consider these real-life examples.
- In the week before one company released its quarterly report, employees in units that report to the CFO received 200 calls from people claiming to be with a credit reporting agency that needed information about the earnings report prior to its release. Employees were instructed to transfer all such inquiries to the security office, but the calls kept coming. It was later revealed that calls came from a research company hired by the competition.
- An engineer regularly had lunch with a former boss now working for a rival, and fancied himself a hero for gathering competitive intelligence. But the information he was giving up in return caused his employer, formerly the market leader, to lose three major bids in 14 months.
- Immigrant scientists from Eastern Europe who were working on an American defense project kept getting unsolicited invitations from their home countries to speak at seminars or serve as paid consultants. The invitations appealed to them as scientists - they wanted to share information about their work with peers. The countries saw this kind of intelligence gathering as cheaper than research and development.
So what does the security group need to do to keep intellectual property safe?
- Know what you've got: If all employees understand what needs to be protected, they can better understand how to protect it, and whom to protect it from. To do that, CSOs must communicate on an ongoing basis with the executives who oversee intellectual capital. So meet with the CEO, COO and representatives from HR, marketing, sales, legal services, production and R&D at least once a quarter. Corporate leadership must work in concert to adequately protect IP.
- Prioritize it: CSOs who have been protecting intellectual property for years recommend doing a risk and cost-benefit analysis. Make a map of your company's assets and determine what information, if lost, would hurt your company the most. Then consider which of those assets are most at risk of being stolen. Putting those two factors together should help you figure out where to best spend your protective efforts (and money).
- Label it: If information is confidential to your company, put a banner or label on it that says so. If your company data is proprietary, put a note to that effect on every log-in screen. This seems trivial, but if you wind up in court trying to prove someone took information they weren't authorized to take, your argument won't stand up if you can't demonstrate that you made it clear that the information was protected.
- Lock it up: Physical and digital protection is a must. Lock the rooms where sensitive data is stored, whether it's the server farm or the musty paper archive room. (See Safe Document Transfer: How to Secure the Paper Chain for a fascinating look at physical security measures pertaining to offsite document storage.) Keep track of who has the keys. Use passwords and limit employee access to important databases.
- Educate employees: Awareness training can be effective for plugging and preventing IP leaks, but only if it's targeted to the information that a specific group of employees needs to guard. When you talk in specific terms about something that engineers or scientists have invested a lot of time in, they're very attentive.
As is so often the case, humans are the weakest link in the defensive chain. That's why an IP protection effort that counts on firewalls and copyrights, but doesn't also focus on employee awareness and training, is doomed to fail.
- Know your tools: A growing variety of software tools are available for tracking documents and other IP stores. The category of data loss protection (or data leakage prevention) grew quickly in the mid-2000s and now shows signs of consolidation into other security toolsets (Symantec's acquisition of Vontu being a milestone in that process), although many independent vendors still exist. Such tools not only locate sensitive documents, but also keep track of how they are being used, and by whom.
- Think holistically: Motorola's Chief Information Security Officer Bill Boni explains how problems can arise if you don't take a "big picture" view of security. If someone is scanning the internal network, your internal intrusion detection system goes off, and typically somebody from IT calls the employee who's doing the scanning and says, "Stop doing that." The employee offers a plausible explanation, and that's the end of it. Then later, the night watchman sees an employee carrying out protected documents, and his explanation is "Oops...I didn't realize that got into my briefcase." Over time, the human resources group, the audit group, the individual's colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these breaches were perpetrated by the same person. This is why communication gaps between infosecurity and corporate security groups can be so harmful. IP protection requires connections and communication between all the corporate functions. The Legal department has to play a role in IP protection, and so does Human Resources, and Information Technology, and Research and Development, and Engineering, and Graphic Design.... Think holistically both to protect and to detect.
- Apply a counter-intelligence mindset: If you were spying on your own company, how would you do it? Thinking through such tactics will lead you to consider protecting phone lists, shredding the papers in the recycling bins, convening an internal council to approve your R&D scientists' publications, or other ideas that may prove worthwhile for your particular business.
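The "Think holistically" item above describes incidents that each look harmless to the one group that sees them. As an added example (not from the CSO article or any vendor), the script below joins constructed incident records from four separate functions on the employee involved and flags anyone reported by more than one function; the sources, employee names and events are all constructed assumptions.

```python
"""Cross-function incident correlation: each corporate function keeps its own
log of minor incidents, none alarming on its own. Joining them on the employee
surfaces the person who shows up everywhere. All records are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample incidents. In a real deployment these would be pulled
# from the IDS console, guard/badge reports, HR case tracking and audit
# findings respectively, each keyed by a common employee identifier.
INCIDENTS = [
    {"source": "ids",   "when": "2011-01-10T02:14", "employee": "jdoe",
     "detail": "internal port scan of file servers"},
    {"source": "guard", "when": "2011-01-22T19:40", "employee": "jdoe",
     "detail": "left building with documents marked CONFIDENTIAL"},
    {"source": "hr",    "when": "2011-02-03T09:00", "employee": "jdoe",
     "detail": "complaint: repeated questions about R&D project budgets"},
    {"source": "audit", "when": "2011-02-08T15:30", "employee": "jdoe",
     "detail": "bulk download from design document repository"},
    {"source": "ids",   "when": "2011-01-12T11:05", "employee": "asmith",
     "detail": "vulnerability scanner run from engineering subnet"},
    {"source": "guard", "when": "2011-01-15T08:10", "employee": "bwong",
     "detail": "badge used at archive room outside working hours"},
    {"source": "guard", "when": "2011-01-29T08:05", "employee": "bwong",
     "detail": "badge used at archive room outside working hours"},
]


def correlate(incidents, min_sources=2):
    """Group incidents by employee and return, for each employee reported by at
    least `min_sources` distinct functions, a chronologically ordered timeline
    as {employee: [(when, source, detail), ...]}."""
    by_person = defaultdict(list)
    for inc in incidents:
        when = datetime.strptime(inc["when"], "%Y-%m-%dT%H:%M")
        by_person[inc["employee"]].append((when, inc["source"], inc["detail"]))
    flagged = {}
    for employee, items in by_person.items():
        sources = {src for _, src, _ in items}
        if len(sources) >= min_sources:
            flagged[employee] = sorted(items)
    return flagged


def summarize(incidents, min_sources=2):
    """One line per flagged employee for a cross-functional security council:
    how many functions reported them, which ones, and over what period."""
    lines = []
    for employee, items in correlate(incidents, min_sources).items():
        sources = sorted({src for _, src, _ in items})
        first, last = items[0][0], items[-1][0]
        lines.append(f"{employee}: {len(sources)} functions ({', '.join(sources)}), "
                     f"{first:%Y-%m-%d} to {last:%Y-%m-%d}, {len(items)} incidents")
    return lines


if __name__ == "__main__":
    for line in summarize(INCIDENTS):
        print(line)
```

Note that bwong's two guard reports are not flagged: two reports from the same function are that function's business, and the point here is the cross-functional view nobody otherwise has.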
Phone lists? Paper shredders? Sounds a little extreme.
Security pros have to understand the dark forces that are trying to get information from your company and piece it together in a useful way. Some of these forces come in the guise of "competitive intelligence" researchers who, in theory anyway, are governed by a set of legal and ethical guidelines carefully wrought by the Society of Competitive Intelligence Professionals (SCIP). Others are outright spies hired by competitors, or even foreign governments, who'll stop at nothing, including bribes, thievery, or even a pressure-activated tape recorder hidden in your CEO's chair. But most threats to your information operate in a gray zone.
To build solid defenses, consider how snoops work:
- They look for publicly available information.
Leonard Fuld, a competitive intelligence expert, says more damage is done by a company's lax security than by thieves. Consider these common examples: Salespeople showing off upcoming products at trade shows. Technical organizations describing their R&D facilities in job listings. Suppliers bragging about sales on their websites. Publicity departments issuing press releases about new patent filings. Companies in industries targeted by regulators over-reporting information about manufacturing facilities to the Environmental Protection Agency or OSHA, which can become part of the public record. Employees posting comments on Internet bulletin boards.
All of that data tells a competitor what your company is doing. Combined, the right details might help a rival reduce your first-to-market advantage, improve the efficiency of their own manufacturing facility or refocus their research in a profitable direction.
- They work the phones.
John Nolan, founder of the Phoenix Consulting Group, has some amazing stories of what people will tell him over the phone. This is the man who got his fingers burned in the infamous "dumpster diving" espionage case in 2001 involving Procter & Gamble and Unilever. Nolan won't comment on the case, which was settled out of court, but he insists that there's no need for his company to break the law. "In our experience, it's just not worth it," he explains.
Nolan has other ways of getting people to talk. In fact, people like him are the reason that seemingly benign lists of employee names, titles and phone extensions, or internal newsletters announcing retirements or promotions, should be closely guarded. That's because the more Nolan knows about the person who answers the phone, the better he can work that person for information.
"I identify myself and say, 'I'm working on a project, and I'm told you're the smartest person when it comes to yellow marker pens. Is this a good time to talk?'" says Nolan, describing his methods. "Fifty out of a hundred people are willing to talk to us with just that kind of information."
The other fifty? They ask what Phoenix Consulting Group is. Nolan replies (and this is true) that Phoenix is a research company working on a project for a client he can't name because of a confidentiality agreement. Fifteen people will then usually hang up, but the other 35 start talking. Not a bad hit rate. Nolan starts taking notes that will eventually make their way into two files. The first file is information for his client, and the second is a database of 120,000 past sources, including information about their expertise, how friendly they were, and personal details such as their hobbies or where they went to graduate school.
Often business intelligence gatherers use well-practiced tactics for eliciting information without asking for it directly, or by implying that they are someone they aren't. This is the tactic known as "social engineering." Such scams might also include "pretext" calls from someone pretending to be a student working on a research project, an employee at a conference who needs some paperwork, or a board member's secretary who needs an address list to mail Christmas cards.
Most of those calls are not illegal. Lawyers say that while it is against the law to pretend to be someone else, it's not illegal to be dishonest.
- They go into the field.
During the technology boom, one early-morning flight from Austin to San Jose earned the nickname "the nerd bird." Shuttling businesspeople from one high-tech center to another, that flight and others like it became good places for job recruiters. They also became great places for competitive intelligence professionals to overhear discussions among coworkers or to sneak a peek at a fellow passenger's PowerPoint presentation or financial spreadsheet.
Any public place where employees go, snoops can also go: airports, coffee shops, restaurants, and bars near company offices and factories, and, of course, trade shows. An operative working for the competition might corner one of your researchers after a presentation, or pose as a potential customer to try to get a demo of a new product or learn about pricing from your sales team. Or that operative might simply take off his name badge before approaching your booth at a trade show.
Employees must know not to talk about sensitive business in public places, and how to work with the marketing department to make sure the risks of revealing inside information at a trade show don't outweigh the benefits of drumming up business.
Job interviews are another possible leak. Daring competitors may risk sending one of their own employees to a job interview, or they could hire a competitive intelligence firm to do so. Conversely, a competitor might invite one of your employees in for a job interview with no other purpose than gleaning information about your processes.
- They put the pieces together.
In some ways, trade secrets are easy to protect. Stealing them is illegal under the 1996 Economic Espionage Act. Employees usually know that they're valuable, and nondisclosure agreements may protect your company further. What's more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture, and how a simple company phone list becomes a weapon in the hands of snoops like John Nolan.
Consider this scenario: Nolan once had a client who wanted him to find out whether any rivals were working on a certain technology. During his research of public records, he came across nine or 10 people who had been publishing papers on this specialized area since they were grad students together. Suddenly, they all stopped writing about the technology. Nolan did some background work and discovered that they had all moved to a certain part of the country to work for the same company. None of that constituted a trade secret or even, necessarily, strategic information. But Nolan saw a picture forming.
"What that told us was that they had stopped [publishing information about the technology] because they recognized that the technology had gotten to a point where it was probably going to be profitable," Nolan says. Then, by calling the people on the phone, going to meetings where they were speaking on other topics, and asking them afterward about the research they were no longer speaking publicly about, Nolan's firm was able to figure out when the technology would hit the market. This information, he says, gave his client a two-year heads up on the competition's plans.
- Some go beyond the gray zones.
Other countries may have vastly different ethical and legal guidelines for information gathering. Almost everything we've talked about so far is legal in the United States, or at least arguably so in the hands of a clever lawyer. But there's another realm of corporate sleuthing, using bugs, bribes, theft, even extortion, that is widely practiced elsewhere.
In his days as a global security consultant, Motorola's Boni saw several things happen that probably wouldn't happen in the U.S. A bank in South America that suspected espionage brought in a security consultancy to sweep the place of bugs. When the loss of information continued, the bank hired a different security team. "They found 27 different devices," Boni recalls. "The whole executive suite was wired for motion and sound. The first team that came in to look for bugs was probably installing them."
Espionage is sometimes sanctioned - or even carried out - by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country's economy.
That's why no single set of guidelines for protecting intellectual property will work everywhere in the world. The CSO's job is to evaluate the risks for every country the company does business in, and act accordingly. Some procedures, such as reminding people to protect their laptops, will always be the same. But certain countries require more precautions. Executives traveling to Pakistan, for example, might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information.
Tell me more about global differences. I suspect the legal protections you've mentioned in the U.S. won't apply overseas.
Correct. Over the years, France, China, Latin America and the former Soviet Union have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country's economy. Many other countries are worse.
A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index published each year by Transparency International (and made famous by The Economist).
In 2003, the Corruption Perceptions Index ranked the following 12 countries as being "perceived as most corrupt": Bangladesh, Nigeria, Haiti, Paraguay, Myanmar, Tajikistan, Georgia, Cameroon, Azerbaijan, Angola, Kenya, and Indonesia.
Another list ranked big countries where companies are most likely to pay bribes to win or retain business in emerging markets. The worst scores belonged to Russia, China, Taiwan and South Korea, followed by Italy, Hong Kong, Malaysia, Japan, USA and France. (To download the full results of the index, visit Transparency International at www.transparency.org.)
India is another country of increasing importance to American businesses because of the rapid rise of offshore outsourcing. The prevalence of outsourcing of IT functions introduces some vulnerabilities to companies that may not think of themselves as having a global presence. In legal terms, the most pertinent global standard is the World Trade Organization's intellectual property add-on, TRIPS (Trade-Related Aspects of Intellectual Property Rights). But TRIPS protections still must be enforced locally, and none of the countries prominent in software outsourcing, including India, have local laws covering theft of trade secrets. TRIPS signers or not, if a country's culture does not respect property, the courts are unlikely to enforce laws. Several sources interviewed for this article agreed, though not for attribution, that China, which signed the TRIPS agreement, regards intellectual property (especially that of foreigners) as communal property. Experts say India's culture is generally more IP-friendly, but the legal status of intellectual property in India is in a state of flux.
What are ways of protecting intellectual property when you're sending software work offshore?
- Send people to inspect the physical premises where the software will be written. Note whether buildings have basic security check-in procedures and the like. Find out what kind of access people have to key systems.
- Look closely at the way networks function, particularly if you plan to use virtual private networks. These are good for cross-facility communications, but make it easier for remote employees to work from home or on notebook computers, which can increase vulnerability.
- Protect important information, such as source code, with passwords and access codes, and make sure that these are not widely available, either in the United States or at the outsourcing location. Requiring approval for such access does reduce flexibility, but not as much as it reduces risk.
- Demand that the outsourcer have tight human resources screening. Look for employee retention figures, find out if competitors do business with the same companies, and if so, ensure that there is no contact between teams.
- Know what risks your own organization can take. Regulated industries such as health care and financial services need to keep closer controls over data and software development than, say, packaged goods companies.
- Work to understand the legal system and culture of both countries. Negotiate contracts that make the offshore company responsible for the actions of its employees.
- Budget for greatly increased telecom costs, as well as for regular visits to the outsourcer.
- Make sure that any test data being used does not expose real information traceable to real customers.
- Always maintain an original copy of source code. This step seems obvious, but in one Y2K outsourcing case, a company was unable to prove a bug had been added to a program because it had not kept its source code.
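The checklist item about test data deserves a concrete mechanism. As an added example (not from the article), the code below pseudonymizes a constructed production extract before it goes to an outside team: direct identifiers become keyed-hash tokens, so tables still join and the application's validators still pass, but no token can be traced back to a real customer without the key. The key, field list, table layout and records are all constructed assumptions.

```python
"""Pseudonymize test data before it leaves the company. HMAC tokens are
deterministic, so a customer id in the orders table still matches the same
customer in the customers table; without the key nobody can reverse them.
Everything below is constructed sample data."""
import hashlib
import hmac

# Constructed key. In practice it lives in the company's secret store and is
# never shipped alongside the masked data set.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"

# Fields that identify a real customer directly. Business attributes such as
# amounts and segments are kept so that tests stay realistic.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email", "phone"}

# Constructed sample of what a production extract might look like.
PRODUCTION_TABLES = {
    "customers": [
        {"customer_id": "C1001", "name": "Ada Example", "email": "ada@example.com",
         "phone": "+1-555-0100", "segment": "retail"},
        {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.org",
         "phone": "+1-555-0101", "segment": "enterprise"},
    ],
    "orders": [
        {"order_id": "O1", "customer_id": "C1001", "amount": 120.50, "card_last4": "4242"},
        {"order_id": "O2", "customer_id": "C1002", "amount": 9800.00, "card_last4": "1881"},
        {"order_id": "O3", "customer_id": "C1001", "amount": 45.00, "card_last4": "4242"},
    ],
}


def pseudonym(field, value, key=PSEUDONYM_KEY):
    """Keyed, deterministic token for one field value. The field name is mixed
    in so the same string in two different columns yields different tokens."""
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def mask_record(record, key=PSEUDONYM_KEY):
    """Replace direct identifiers with tokens, blank card digits, keep the rest."""
    masked = {}
    for field, value in record.items():
        if field == "email":
            # keep an email-shaped value so the application's validators still pass
            masked[field] = f"{pseudonym(field, value, key)}@test.invalid"
        elif field in DIRECT_IDENTIFIERS:
            masked[field] = pseudonym(field, value, key)
        elif field == "card_last4":
            masked[field] = "0000"
        else:
            masked[field] = value
    return masked


def mask_tables(tables, key=PSEUDONYM_KEY):
    return {name: [mask_record(row, key) for row in rows] for name, rows in tables.items()}


def leaked_values(original_tables, masked_tables):
    """Pre-release check: no direct-identifier value from the original extract
    may appear anywhere in the masked output. Returns the set of leaked values."""
    sensitive = {str(row[f]) for rows in original_tables.values() for row in rows
                 for f in DIRECT_IDENTIFIERS if f in row}
    emitted = " ".join(str(v) for rows in masked_tables.values()
                       for row in rows for v in row.values())
    return {s for s in sensitive if s in emitted}


if __name__ == "__main__":
    masked = mask_tables(PRODUCTION_TABLES)
    print("leaked identifiers:", leaked_values(PRODUCTION_TABLES, masked) or "none")
```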
Companies that don't have the resources to take these steps should think twice about what they are putting at risk by offshoring, whether it's software development or some other function like call centers involving sensitive customer data.
Updated 2/14/2011. This primer has been compiled from CSO articles. Contributing writers include Michael Fitzgerald, Simone Kaplan, and Sarah D. Scalet.