



Stopping trade secret theft in your organization

Apr 10, 2017 | 4 mins
Data Breach, IT Leadership, Security


The recent Google vs. Uber self-driving car litigation has brought trade secret theft into the news again. I have blogged on this topic before. In this post and the next three I will take a deeper dive into trade secret theft and how you can reduce the chance you will be the next victim.

Trade secret theft is one of the major cybersecurity risks of our time. Organizations now lose nearly $300 billion per year due to theft or misappropriation of intellectual property. Compare this with the total 2013 US exports to the EU of $241 billion.  Organizations being attacked and making news recently, besides Google and Uber, include Best Buy, Sony Pictures, America’s Home Kitchen, Nortel, Goldman Sachs, RSA, Lockheed, AMSC, Coca-Cola, QinetiQ, NSA and many other commercial and government agencies.

Last year’s Tata software theft from Epic made news after a $940 million judgement against Tata. Intellectual property theft incidents are often cyber-enabled. It is simply much easier to take a 1TB drive of data than 100,000,000 sheets of paper. It can be even easier to remotely download this data from across town or across the world.

To protect your trade secrets, your organization must engage in diligent security practices to prevent improper disclosure of your confidential information and proprietary technology. These security practices must be tailored to the nature of trade secret theft. But that will not be enough. Diligent application of legal controls and procedures must accompany information security controls. Together these can prevent a loss of trade secrets or, in the worst case, give your organization a better chance of winning a trade secret lawsuit.

In this post, I will define trade secrets and the risks of trade secret theft. In the next post, I will provide a brief primer on trade secret law for non-lawyers. After that, I will analyze the root cause of recent trade secret thefts. Finally, in Part 4, I will outline some of the legal controls and technology controls your organization should adopt if it has trade secrets to protect.

So, what is a trade secret? A trade secret is a form of intellectual property (IP), with three characteristics:

  • It is information that has commercial value
  • It is not easily ascertainable by others through proper means
  • It is subject to reasonable efforts to maintain that information in confidence or secrecy

The other forms of IP include patents, copyrights and trademarks. All trade secrets fall into the category of “company confidential information”. However, not all confidential information represents a trade secret. If company A has a contract with a cloud service provider, that contract may well be confidential, but not rise to the level of a trade secret. Each firm must define what it considers to be a trade secret and then protect that information accordingly. A trade secret must receive a higher level of protection than general confidential information.

Examples of trade secrets include recipes, software source code, software architecture, engineering piping diagrams, sales playbooks and all manner of engineering drawings. Trade secret recipes include Famous Amos cookies (owned by Kellogg’s) and many others. In a recent trade secret issue, Hemlock Semiconductor claimed that a consultant it had hired, visiting its Tennessee polysilicon factory, took improper photos and stole manufacturing-related trade secrets. Donald Trump claimed that his Trump University marketing playbooks were trade secrets, but, because a playbook had already been posted on the internet, he did not prevail in this dispute.

Trade secrets fall into a class of assets known as “intangible assets”. One major goal of information security is to defend these assets. Businesses are often more familiar with physical assets such as plants and machinery. However, looking at corporate investments in aggregate, intangible assets are acquiring astronomical valuations. Software rules, and not just in unicorns. According to advisory firm Ocean Tomo, 87 percent of the market value of the S&P 500 is now in the form of intangible assets.

Upcoming: In the next post, I will review what you need to know about trade secret law.


Dr. Frederick Scholl is a thought leader in information security. His professional experience includes semiconductor researcher and engineer, start-up cofounder, and academic professor and leader.

He has both security practitioner experience and credentials as an educator. He consults on security governance, risk management and compliance issues.

Dr. Scholl started and leads Quinnipiac’s MS Cybersecurity program. This online degree program is focused on career changers who have a strong business and IT background, but little or no cybersecurity experience. The program emphasizes software security, cloud security, risk management and resilient systems.

The opinions expressed in this blog are those of Frederick Scholl and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.