Brain drain: Protecting your organization’s IP

Global healthcare provider Best Doctors employs the most robust technologies and practices available to protect the privacy of its members’ personal data—but that’s just a part of doing business in this industry. Less obvious but equally important is the degree of vigilance with which the company protects its brand name, which is trademarked in dozens of countries worldwide.

“Our distinctive name and logo, those two words connote the high quality of our doctors and hospitals. Something very simple can be very powerful,” says Tom Seaman, senior vice president and general counsel for the company, which provides health insurance as well as health advisory services.

[Also in this special report on IP protection:]Jason Clark: 4 keys to IP protection The in-depth guide to data destructionPatent trolls in our midst—what your general counsel is worried aboutBob Bragdon: SOPA, PIPA, Anonymous and IP

Though Best Doctors has a small portfolio of patents (including a business process patent it received in the 1990s when such things were in vogue), the firm’s primary focus when it comes to intellectual property protection is its brand, which is trademarked. “We take extreme measures to protect it,” says Seaman. His vigilance is entirely appropriate.

This is no time to blink. Many now see intellectual property (IP) as one of the most important corporate assets—worthy of protection, electronic and otherwise.

“Targeting of IP is increasing,” says Gary Loveland, partner at PricewaterhouseCoopers. “We’re seeing an evolution from a hacking perspective. Before, [breaking in] was just a trophy to show you could get access to the data. Then there was identity theft. Now, there’s a focus on IP because of the profit motive.” Accessing a company’s proprietary information provides a quick path to stealing its business.

Download CSOonline’s Ultimate Guide to Intellectual Property Protection for even more IP security practicals from CSOs and other experts [15 page PDF — free Insider registration is required]

Daily headlines detail attacks on corporate IP, especially when the assaults are launched from emerging economies such as China. For example, security software vendor Symantec recently announced its discovery that hackers had targeted the intellectual property of about 50 organizations, including chemical and defense companies, in a global wave of cyberespionage. These attacks were thought to be the work of a Chinese man. Symantec competitor McAfee also reported that it detected that 72 organizations had been subject to cyberattacks on IP last summer. Google disclosed its Aurora attacks in 2010. The Wall Street Journal recently reported that the Chamber of Commerce suffered a major theft of information, also believed to have been conducted by someone in China. The full extent of the damage from these incidents won’t be understood for years, say experts.

But as scary as these stories are (and they are that, if you’re paying attention), they shouldn’t eclipse your concern over a host of more mundane but potentially equally damaging threats to your company’s IP. The most common scenario, alas, is that an employee unwittingly shares a trade secret or a confidential idea, or that your business partner forgets about a nondisclosure agreement signed long ago. Social networks make this scenario exponentially more likely. The problem is, most companies have a broad range of information that can be considered intellectual property—though many have not taken the time to properly identify it all—and protecting all of it from myriad threats is a daunting prospect.

A number of CISOs contacted for this article say their corporate intellectual property is adequately protected by the standard data security practices they already have in place. That could be true, but consider: Much of the attention in recent years has focused on protection of transactional data and personally identifiable information (PII), such as customer names and credit card numbers. That’s what compliance regimes such as PCI DSS address. Intellectual property is much squishier and may live in different parts of your network—and of your filing cabinets and whiteboards and so on—from PII. And it is sometimes subject to a different set of legal protections.

So read on for expert advice on connecting all the dots and creating a more robust IP protection program.

Taking Stock of Intellectual Property

Unless you have already done this, and recently, the first thing you have to do is identify what your IP consists of and where it resides. This is no easy feat, as IP can be deceptively chameleon-like, taking multiple forms: structured and unstructured, amorphous and concrete, small shreds of things or entire databases, thoughts in someone’s head or captured in a document. You need to explain to your employees and business partners in particular what your IP is, because if you don’t, you can be sure they will share the information haphazardly and thereby reduce its value (at best) or jeopardize the company (at worst).

More about IP protection

• Offsite meeting security: Test your security IQ
• The clean desk test
• Industrial espionage: Secrets stolen, fortunes lost
• Corporate espionage: Tomorrow arrived yesterday
• Three companies that fought IP theft

Nuance Communications, a $1.3 billion software company, recently embarked upon a major effort to understand and rationalize its IP, says CSO Stan Black. This was necessary in the wake of Nuance’s massive acquisition spree over the past five years, in which it bought up 50 companies.

“We have gone through a significant effort to understand what we have in-house, what’s commercial, where it resides,” says Black. “Due to the speed at which we iterate, it’s quite an effort.”

After you’ve completed your IP inventory, the next step is to map the data, according to Gary Lynch, global head of strategic consulting for Marsh, a security advisory company.

“How does it get created, where does it get created, what happens to it? You have to look at all the stages of data formation and use all the way through to disposal, access, storage and transmission,” says Lynch. Your IP data map then becomes your footprint for applying controls. (And, obviously, the data map itself will be a very sensitive document requiring excellent protection.)

Electronic protection of IP is different from protecting many other types of information. Often referred to as the “corporate jewels,” IP is so precious it needs to be protected at a data and document level, as opposed to just at the level of the system on which it resides. Unfortunately, more draconian protections make it difficult to share the data, which is the order of the day in today’s collaborative environments. “Public key infrastructure and general encryption are not very usable in an enterprise,” says Ryan Kalember, who became chief marketing officer of WatchDox last month. “Users will find their way around the controls.”

On the other hand, when you have a small amount of ultra-secret, non-shared information to protect from prying eyes, the task is fairly straightforward: encryption or data masking, two- or three-factor authentication and embedded access controls you get from a tool like WatchDox or Tripwire. The latter tools represent the future of electronic IP protection, says Kalember. “The protections must be embedded in the IP in a frictionless way for the users. Otherwise, it’s just the whack-a-mole routine we’ve been doing for years.”

These decisions—what to count as IP and how and to what degree to protect it—should flow from your business objectives, according to Evan Falchuk, chief strategy officer for Best Doctors.

“The way you focus those efforts has to fit into your business. Our business is to make sure people get the right medical care. We have to have a brand that people know and recognize and trust. They need to feel completely secure when they share information with us. We ask, ‘What does it take for our business to win?’ Our strategies flow from that,” says Falchuk.

So, as mentioned above, Best Doctors focuses on supporting its brand name with its IP protection, though it uses comprehensive IT security technologies and practices, including requiring all new employees to sign a nondisclosure agreement. And everyone has to leave behind a clean desk when they go home for the night, part of Best Doctors’ attention to seemingly minor details.

Many companies turn to the experts—lawyers, generally—for help educating staff and getting their commitment to protect IP. Jeff Feldman of Feldman Gale is often called in to do IP counseling for employees. Seminars covering IP basics can help the organization immunize itself against the virus of IP leakage, which can take benign-looking forms.

[Also read about the basics of internal investigations]

An in-house patent lawyer at a healthcare company laments the collegial way doctors tend to share data. “It’s like an academic environment—they’re just trying to further the cause of medicine. But they don’t understand that the company has shareholders, and the company has to make investment decisions for its shareholders,” he says. This attorney does training based on real-life scenarios, telling people, “Don’t let this be you.”

Feldman’s bugaboo is idea misappropriation. He has seen too many instances where a former employee tries to claim credit for the idea behind a product or service. He also cringes when content and entertainment companies have no clear-cut idea-submission policy.

“Follow the lead of Google and Facebook and have a policy: ‘You send me an idea, it’s mine,'” he advises. Eliminate the implied duty of confidentiality right out of the box, and avoid claims down the road.

A Cautionary Tale

Virtually everyone interviewed for this story warned that IP is highly perishable. Once the secret is out, it’s out. And the consequences can be dire.

Prescott Winter, CTO of the public sector for HP Enterprise Security Products, was advising a small high-tech company that was hit by the Google Aurora attacks in 2010. This company spent a significant portion of its revenue on research and development.

“They only had about nine months of profit on their new products, about a 35 percent to 40 percent return on investment,” says Winter. After that, the return rates dropped off. “The advantage they had dissipated immediately. They had overlapping nine- to 12-month bumps in revenue. If three of those high-revenue product cycles in a row were to be damaged or destroyed because a competitor gets the information, game over.” Post-Aurora, the company was forced to shut down.

“They were unable to respond before their future was stolen,” says Winter. “So many companies are hanging by a thread.” In the words of the patent lawyer, don’t let this be you.

The IP Landscape

Your company’s intellectual property may encompass a wider range of items than you’ve considered, including:

Patents. This is usually fairly straightforward. If your firm was granted one or more patents, you or your legal department will be charged with defending it (that is, detecting and suing over possible infringement). Less clear-cut: When other companies or patent trolls claim your firm is infringing their patents. It happens every day. In industries like high tech, companies routinely infringe each other’s patents via reverse-engineering, according to an industry insider, and then negotiate to decide a reasonable licensing fee post-facto.

Copyrighted material. When an author creates a written work, a natural copyright (that is, the right to exclude others from copying that work) arises. This natural copyright exists even without registering a formal copyright and using the © symbol, but if the document or work is important, you should take the time to register its copyright.

Trademarked names or logos. If your corporate name or logo carries a trademark, create usage policies for employees and business partners to follow or risk diluting the value of your IP.

Ideas. These are amorphous and generally exist in unstructured form (often in people’s heads) and so can be difficult to protect. Most important here is to have a written agreement in place from the beginning of the person’s employment or the start of the partnership so all parties understand who owns what in the case of a later claim.

Trade secrets (including recipes, ideas, transcripts, notes, presentations). This category covers any manifestation of value to the corporation for which you prefer not to seek formal IP protection, due to competitive or other reasons. The object here is to make sure the secret remains safe from prying eyes. You should seek the highest information security for this type of information, including encryption and multi-factor authentication. And don’t skimp on the employee and partner education and security policies.

Mark Itri, a patent attorney with law firm McDermott Will and Emery, was on a plane going to visit a major airplane manufacturer when he overhead a conversation, apparently among employees, about the schematics for the next generation of jet engines.

“They were talking really loud. Everyone could hear. All over the schematics were the words ‘confidential and proprietary,'” says Itri.

He promptly walked into the airplane maker’s offices and said, “This is how you lose your trade secrets.”