If your company doesn’t fully understand how trade secrets and IP are stolen, it’s unlikely you’ll be able to safeguard your most critical assets. In this article we will discuss the most common internal and external threats to your IP, and ways you can take action to protect your company’s most critical IP and trade secrets.
Proactive vs. Reactive
While taking action against bad actors in China is possible, it’s far more effective to take proactive measures that anticipate bad behavior and prevent the theft and/or compromise in the first place. Chasing a defendant through the Chinese legal system is a time- and resource-intensive process, and even if the plaintiff prevails in the matter, the company will have lost the trust of its board, investors, and customers. To add even more bad news, once the theft occurs, there is no effective way to ensure the IP and/or trade secrets can ever be secured again in any meaningful way. The IP is usually quickly dispersed onto remote servers so that the bad actors can gain access remotely and in their own time.
So, while hiring counsel to take legal action after the breach is discovered (which might take years or might come to your attention in a very public manner) might be the most effective way to address the issue in the moment, spending the time to create a preventative strategy is a much more efficient and effective approach.
Unfortunately, companies moving too quickly into China without a unified strategy around IP protection has resulted in ineffective protections and critical IP repeatedly making its way into the hands of competitors.
Developing a sound risk-based proactive strategy requires a detailed understanding of how compromises are likely to occur. To begin formulating your strategy, first consider the following initial steps:
- Understand what constitutes critical IP and/or a trade secret in your company.
- Trade secrets and IP don’t simply reside in one file or location. Ensure Physical and Cyber/IT Security teams both understand and document where critical IP resides throughout the company, including its partners, manufacturers, and vendors.
Understanding what constitutes critical IP and/or a trade secret in your company
Almost every company has critical IP and/or trade secrets that need to be protected; however, those with access to the information need to know what the company has determined needs to be protected. If the company has not engaged in this exercise, a multidisciplinary working group will need to be assembled to make those determinations. Equally important, those responsible for protecting the information need to understand what the company has determined to be critical IP and/or trade secrets.
Protecting these assets within a company will usually entail putting together a working group comprised of legal (an IP attorney), engineering, supply chain, IT and physical security as well as a business leader. The team will be responsible for determining what constitutes critical IP that needs to be secured and monitored and what is considered a trade secret that will need additional protections as well.
If your company utilizes a contract manufacturer to build your product, or you work for a contract manufacturer, the complexity becomes exponential given all the information that needs to be shared and protected by the contract manufacturer. In the contract manufacturing world, customers will often define what constitutes a trade secret or critical IP within the customer’s contract with the contract manufacturer. However, it is more likely than not that the information never makes it from the desk of the attorney negotiating the agreement to the teams entrusted with protecting that information. This gap leaves the door open for a steady stream of inadvertent contract breaches and stolen or leaked IP and/or trade secrets.
Trade secrets and IP don’t simply reside in one file or location
Once upon a time in China, trade secrets at the factory were often the bulky stainless steel molds used in metal and plastic injection, the pattern stencils used for fabricating luxury bags, or pre-release products that could be reverse engineered. A lock, a guard and a camera were often sufficient.
Now legal, IT, physical security and brand protection teams struggle to keep up with engineering and production operations to understand what needs to be protected, where it is stored and how the different layers of confidential data should be triaged in terms of protective efforts.
Oftentimes, these security teams get it wrong because of a disconnect with operations. For example, shared folders that contain schematics should ideally be protected with access rights and encryption, but the bill of materials (BOM) for a new product is often casually passed around the company and even delivered in a complete form to “trusted” suppliers.
The BOM is the “list of ingredients” for your new product and can contain trade secrets and/or critical IP. Why is it not carefully guarded?
Transmitting a BOM or other files containing critical IP by email is inherently dangerous, even among internal sources who have a need to know. The wider the content is circulated, the more likely that such a weakness will be exploited - perhaps first by a simple mis-send stemming from an address autofill.
Imagine the fallout from an errant send of a BOM to a commodity supplier that also services your competitors. If the IP protection working group had made a simple observation along the lines of “critical IP is bouncing around in emails”, a poka-yoke (mistake proof) solution could have been built in. This could have been something as simple as identifying and tagging documents that contain sensitive IP and developing a whitelist of acceptable recipients - with everyone else banned from receipt.
This whitelist could be the first step for the working group in developing a roster of employees and supply chain partners that are allowed to access critical IP and trade secrets. This roster could be built out to assign multiple levels of access to protected share folders where confidential information is stored and drawn from. The working group could then embark on a continuous process to ensure that access meets day-to-day legitimate need-to-know requirements. Cumbersome perhaps, but the fallout from unrestricted access and free transmission could cause your best tech to become compromised, lose critical protective designations, and/or destroy your customers’ trust.
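One way the tag-and-whitelist check described above could be enforced at an outbound mail gateway, shown as an added example that is not from the original article. The tag names, roster entries, addresses and function names are constructed assumptions.

```python
# Added illustration: default-deny gate for mail carrying tagged documents.
# All tags, addresses and roster entries below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

# Sensitivity levels a working group might assign (hypothetical names).
LEVELS = {"critical-ip": 1, "trade-secret": 2}

# Roster: recipient address -> highest level that recipient may receive.
ROSTER = {
    "lead.engineer@example.com": 2,
    "buyer@example.com": 1,
    "quality@cm-partner.example": 1,
}

@dataclass
class Attachment:
    name: str
    tag: Optional[str]  # None = never classified by the working group

def check_outbound(recipients, attachments):
    """Return (allowed, reasons). One failing recipient blocks the message."""
    reasons = []
    for att in attachments:
        if att.tag is None:
            # Untagged files pass, so the gate is only as good as the tagging.
            continue
        level = LEVELS.get(att.tag)
        if level is None:
            # A tag the gate does not know is treated as a block, not a pass.
            reasons.append(f"{att.name}: unknown tag {att.tag!r}")
            continue
        for rcpt in recipients:
            # Normalise case and whitespace before the roster lookup.
            allowed = ROSTER.get(rcpt.strip().lower(), 0)
            if allowed < level:
                reasons.append(
                    f"{att.name} ({att.tag}) -> {rcpt}: not cleared for level {level}")
    return (not reasons, reasons)

if __name__ == "__main__":
    bom = Attachment("bom_v3.xlsx", "critical-ip")
    # Autofill added a commodity supplier next to the intended buyer.
    print(check_outbound(["buyer@example.com",
                          "sales@commodity-supplier.example"], [bom]))
```

Because the whole message is held when any one recipient fails, an address added by autofill stops the send instead of silently receiving the BOM.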
Going one step further, let’s say that our working group has also determined that the use of USBs in design and testing areas of our factory puts critical IP at risk given that someone could insert a USB with malicious code, or simply insert the USB and take whatever files they want. However, our engineers need USBs to install code, update licenses and conduct tests. The factory has walk-through metal detectors so employees could never use USBs to remove confidential information, right? Well…
To start with, the USBs are untracked and unmonitored and may not contain enough metal to be detected during an exit screening. A log of authorized, whitelisted USBs is a good start, combined with reconciliation of all authorized USBs prior to the end of every shift.
But beware that when preventative measures go halfway, employees may feel inconvenienced and create clever workarounds. This mindset can result in unpredictable and dangerous internal movement of IP. Imagine a scenario where you have cracked down on USB usage at your design facility, only to find that engineers now use high-speed cables to directly connect computer hard drives to make file transfers that avoid USB controls and email endpoint encryption. Without a well-thought-out plan of approach by a team that understands the environment in which the company operates, security measures meant to safeguard the company effectively become rule books that sit on the shelf while workarounds become the norm.
Hopefully this article has highlighted the need to use proactive strategies to identify and safeguard your company’s trade secrets and critical IP. It is essential for the company to understand not only what constitutes sensitive IP, but also where it resides, who has access to it, and how to best protect it without compromising your employees’ ability to use it when needed.
We live in a globalized world where services like manufacturing are outsourced and manufacturing facilities exist in multiple countries around the globe.
It has become more important than ever to have the right teams involved in creating and monitoring a holistic strategy that includes checks and balances to ensure that your IP is protected and secured. Balancing all these needs is indeed complicated, but if safeguards are not taken, your trade secrets and IP will simply walk out the door. Finally, if your company does not have the specialized knowledge necessary to expertly carry out these protections, consider bringing on a third party that can assist before the next incident occurs.