Do you know where your trade secrets are?

Losses from cyber-enabled trade secret theft dwarf the cost of privacy breaches. How can you get started protecting this category of information?


Earlier this week, I attended a briefing by one of the negotiators of the TPP (Trans-Pacific Partnership) agreement. You’ve heard of the TPP: the trade deal that candidates love to bash on Twitter and in TV debates.

You might be wondering: what does this have to do with information security governance? Today, trade secret theft accounts for a significant part of the $200 billion to $300 billion in annual intellectual property losses for US companies; compare this to reports of $10 billion for annual privacy-related losses.

Many trade secret losses are “cyber-enabled”. Yet breaches of personally identifiable information (PII) tend to dominate the headlines and the compliance concerns of security officers. Although no law requires you to secure your company’s trade secrets, good security governance requires that you do so. I plan to highlight some ways to do this over the next few blog posts.


Regarding the TPP, I was pleased to learn that a significant part of this agreement does cover trade secret protection. (Before getting too enthusiastic, I have to note that China is not part of the TPP and that the US Congress has yet to approve the agreement.) The agreement requires that countries signing up must implement civil and criminal laws in their countries to protect against trade secret theft. Currently, a foreign national involved with theft of trade secrets from a US company must be extradited and tried in the US.

On the home front, the Defense of Trade Secrets Act was just signed into law in May. This law provides that plaintiffs can now sue in US Federal Court for financial damages resulting from trade secret theft. Previously, you had to sue in state court using the laws of your state.

So what is a trade secret? There are two requirements. First, the information must have economic value. Second, you must be taking steps to keep the information secret. If you don’t take clear and defensible steps to protect your information, you may not be able to recover damages if your information is stolen.

Some well-known trade secrets include the formula for Coke or WD-40 and the ingredients in KFC fried chicken. Others may include things like customer information, employment candidate information, piping diagrams for chemical processes or photos of specialty tire manufacturing equipment. Is anyone using big data? That could be a trade secret.

Protecting this category of information is harder than protecting PII. Trade secret information needs to be integrated into the business, whereas some PII can be isolated in specific hardened databases. In other cases, approaches like PCI de-scoping can move the sensitive data out of the company entirely. To start with, you need to figure out what your firm considers to be a trade secret and where this information is located. This necessitates a deep dive into classification of unstructured data. Fortunately, there are new tools that can help.

Two products that I have looked at recently can help with this process. The first is RightsWatch from Watchful Software. This tool is focused on user-oriented classification when data is created or stored. Automated policy analysis prevents users from misclassifying data. Once the asset is classified and a tag attached, DLP solutions can filter more effectively. A second tool is VisionGrid from MinerEye. This software takes samples of classified documents, learns their features and then uses this information to put new assets into the right category. Downstream integration with DLP, firewall, cloud and other data protection controls then enables secure data handling.
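To make the two mechanisms concrete, here is an added example (my own illustration, not code from Watchful Software, MinerEye or any product named above). It does what the paragraph describes in miniature: learn the vocabulary of a few labelled sample documents, classify new unstructured text into "trade_secret" or "public", attach the result as a tag, and let a downstream DLP-style check use that tag to decide whether a transfer to an outside domain is allowed. The sample documents, the `example.com` internal domain and the `trade_secret`/`public` labels are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training samples (not real documents): label -> list of texts.
# In practice these would be documents a human has already classified.
TRAINING_SAMPLES = {
    "trade_secret": [
        "reactor piping diagram pressure valve catalyst mixing ratio",
        "formula ingredient ratio batch temperature proprietary process",
        "tire curing equipment mold photo specialty tooling process",
    ],
    "public": [
        "press release product launch customer event marketing",
        "quarterly newsletter community sponsorship marketing update",
        "careers page benefits culture office location hiring",
    ],
}

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case and split text into simple alphanumeric tokens."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesClassifier:
    """Multinomial naive Bayes with Laplace smoothing: learns token
    frequencies per class from labelled samples, then scores new text."""

    def __init__(self):
        self.class_doc_counts = Counter()          # label -> number of docs
        self.token_counts = defaultdict(Counter)   # label -> token -> count
        self.vocab = set()

    def train(self, samples):
        for label, docs in samples.items():
            for doc in docs:
                self.class_doc_counts[label] += 1
                for tok in tokenize(doc):
                    self.token_counts[label][tok] += 1
                    self.vocab.add(tok)

    def scores(self, text):
        """Log-probability of each label given the text (higher is better)."""
        total_docs = sum(self.class_doc_counts.values())
        tokens = tokenize(text)
        result = {}
        for label, doc_count in self.class_doc_counts.items():
            log_prob = math.log(doc_count / total_docs)       # class prior
            total_tokens = sum(self.token_counts[label].values())
            for tok in tokens:
                count = self.token_counts[label][tok]
                # +1 smoothing so unseen tokens never zero out a class
                log_prob += math.log((count + 1) / (total_tokens + len(self.vocab)))
            result[label] = log_prob
        return result

    def classify(self, text):
        s = self.scores(text)
        return max(s, key=s.get)


def tag_asset(name, text, classifier):
    """Attach a classification tag to a newly created or stored asset."""
    return {"name": name, "classification": classifier.classify(text)}


# Constructed: domains the company treats as internal.
INTERNAL_DOMAINS = {"example.com"}


def dlp_decision(asset, recipient_address):
    """Downstream DLP-style rule: tagged trade secrets may not leave the
    internal domains; everything else is allowed."""
    domain = recipient_address.rsplit("@", 1)[-1].lower()
    if asset["classification"] == "trade_secret" and domain not in INTERNAL_DOMAINS:
        return "block"
    return "allow"


def build_classifier():
    clf = NaiveBayesClassifier()
    clf.train(TRAINING_SAMPLES)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    doc = tag_asset("reactor_rev2.txt", "new piping diagram for the catalyst reactor", clf)
    print(doc, dlp_decision(doc, "partner@other.example"))   # trade_secret, block
    memo = tag_asset("launch.txt", "join us at the product launch event", clf)
    print(memo, dlp_decision(memo, "partner@other.example"))  # public, allow
```

The classifier is deliberately small (standard library only) so the flow is visible end to end; the point is that the classification happens once, at creation or ingestion, and every downstream control consumes the resulting tag rather than re-inspecting content. A real deployment would need far more training samples, a review step for low-confidence scores (the `scores` method exposes them for exactly that reason), and a policy for assets that match neither class well.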

Protecting trade secrets involves collaboration with your legal counsel. Data classification interfaces with data retention, which interfaces with e-discovery. I’m not an attorney, so this post is not legal advice. My best advice is to start this conversation with your company counsel, if you have not done so.

Copyright © 2016 IDG Communications, Inc.
