September 21, 2018
Author: Steven R. Cupp
Organization: Fisher & Phillips
Introduction
From the first inventions of tools and weapons, civilizations and cultures have guarded the intellectual property that gives them a competitive advantage. Yet, despite all of that history – and the fact that an estimated 70 percent of an average business’s value is held within its information systems – small companies still aren’t doing enough to protect their trade secrets from walking out the door. The evolving world of social media multiplies their vulnerabilities.
Twenty years ago, employers were unburdened by fears of cyber-attacks or data breaches. They stored documents in a locked file cabinet – not laptops, servers, PDAs or portable devices (e.g., thumb drives). Today, in the modern internet era, those fears are warranted and breaches occur with uncomfortable frequency. Considering the increasing value of the data, which often times surpasses the value of any physical assets, employers should take steps to respond to prepare for and prevent intellectual property theft – especially from their employees. But, what are cyber-attacks and data breaches? Who is committing them? Should you be worried? And, how can you protect yourself? This paper delves into all of those issues, and offers some practical advice to avoid becoming the next victim of theft in the internet age.
What are cyber-attacks and data breaches?
On the most basic level, a cyber-attack is an attempt to gain unauthorized access to a computer, computer system or network, for the purpose of damaging it, disrupting it, or stealing from it. Data breaches refer to the release of secure information, whether intentionally or unintentionally, to an unintended environment. Very commonly, companies experience cyber-attacks or data breaches in the form of misappropriation of trade secrets or otherwise confidential or proprietary information. This can be as simple as sending an email to the wrong recipient or stealing client lists to take to a new employer.
In the first half of 2014 alone, there have been numerous and very public attacks – a 21% increase from the same period in 2013 – and it does not appear that the trend is slowing down. From Ebay to Target, even the most sophisticated companies are vulnerable to theft of sensitive information, like login credentials or credit card numbers. Smaller companies are also at risk, but probably not from the same sources.
Who is committing cyber-attacks and data breaches?
There are a host of enemies when it comes to cyber-attacks and data breaches. The most notable attacks have been at the hands of hackers, primarily in Asia or Eastern Europe, who are able to evade the security measures that a company has in place (if any), and obtain the information they seek. While these attacks receive considerably more media attention, which is often one of the motivating factors behind the attacks, the real threat to a company lies within. More than three out of four instances of intellectual property theft are perpetrated by inside employees or contractors – those that the company trusts and allows access.
Because of this reality, the so-called “human element” is the weakest link of a company’s security program. Virtually anyone – from contract and temporary workers, to visitors and interns, and even maintenance workers – has access to unlocked computer workstations, servers, and login credentials left unprotected or in plain sight, if certain precautionary steps are not taken. Therefore, it is critical to protect from internal threats – even if your company has already implemented IT security controls. In the end, it only takes one person with the right access to misappropriate a lot of valuable information.
Should you be worried?
Yes! While it is reasonable for smaller companies to be unconcerned about Eastern European hackers, it is wholly unreasonable for those same companies to fail to prepare for a breach from within.
And, there is more than the loss of trade secrets or confidential information to be concerned about. With the various state and federal laws that regulate a company’s dissemination of certain information – like the Health Insurance Portability and Accountability Act or the Fair Credit Reporting Act – there can be fines or even criminal penalties.
How can an employer protect itself?
There are various steps a company can take to minimize or eliminate the risk of cyber-attacks or data breaches.
Claim what’s yours
First, a company can move to obtain protected status for certain trade secrets. Items like customer lists, product formulas, strategic plans, marketing methods, merger-and-acquisition activity, sales data, client profitability reports, vendor relationships or software designed for a particular internal purpose may qualify as trade secrets. Small business owners also may need to begin protecting information they previously have made publicly available. For instance, if the firm displays a poster in its lobby that lists clients and declares, “We’re proud to serve these customers,” or posts customer names on its website, or if the information generally is available or known to the industry, it can’t claim that the list is private and protected. The company, however, can protect the information about its customer contacts and history if appropriate actions are taken.
Get the employee nod
Second, a company should get the employee with access to sensitive information to sign an employment agreement acknowledging that the information is confidential. Each agreement also should include:
• A non-solicitation clause that secures the employee’s agreement not to solicit customers if he leaves the company;
• A provision stating that the employee won’t use confidential proprietary information to compete against the company; and
• An agreement that a departing employee will surrender designated private information that may be in her possession on a computer, PDA or other electronic device.
Protecting trade secrets requires small businesses to walk a fine line with employees. Workers need access to the information required to perform their job functions, but smaller organizations usually are lean and staff members often are cross-trained, extending the number of individuals who have access to trade secrets.
Have a policy and a plan
Because the insider threat is often responsible for the theft of intellectual property, the company can take certain steps to minimize the risk of cyber-attacks and data breaches, and further facilitate the protection of a company’s intellectual property:
• Be prepared when an employee leaves: ensure that login credentials, like passwords, are disabled immediately;
• Diversify login credentials: do not allow multiple employees to share a single authorized account that allows access to network resources;
• Require strong passwords or other login credentials, as well as physical access controls and barriers where appropriate;
• Know your data: know what it is and who has access to it;
• Inform your employees that their use of network resources will be monitored and audited;
• Verify hard copies of confidential information are also protected;
• Keep up with the equipment: make sure you track PDAs, laptops, and other devices to avoid that no systems containing or having access to intellectual property go missing or remain in the possession of former employees;
• Perform regular data backups;
• Protect the workstations: install an automatic locking mechanism that, when workstations are left unattended, will automatically log off and render the workstation password protected;
• Consider a surveillance system;
• Train your employees;
• Perform backgrounds checks for employees and vendors, where appropriate;
• Restrict or limit access: only allow employees who need access to perform that job duties access to intellectual property; and
• Make protection of confidential or proprietary information part of your corporate culture.
Consider insurance
Depending on the company’s insurer, the coverage offered and purchased, and the company’s level of risk, it may be wise to consider obtaining insurance to protect the company’s business interests and its sensitive data. Data breach coverage can provide a company with access to professionals who can assist with complying with regulatory requirements, providing guidance on how to prevent a data breach, and how to handle a breach if it occur. Speak to your insurer to determine whether this coverage is right for you.
What if theft occurs?
No matter how robust your security measures, it is impossible to be 100% secure. If cyber-attacks or data breaches occur at your company, you should be prepared to respond appropriately. Responsive steps may include performing a forensic investigation of pertinent systems to identify the accessed, disturbed and/or stolen intellectual property, notifying any involved party, reviewing user accounts, gather all backup information available (e.g., surveillance footage), and questioning employees where appropriate.
Conclusion
The good news is that the very technology that creates more gateways to proprietary data also makes it possible for companies to limit access only to those workers who need specific information. In fact, controlling access provides additional legal protections. Courts often examine, for example, whether a business has limited access to only those files an employee has a legitimate need to know, implemented password protections for sensitive files, controlled remote access to confidential information on the office computer system and informed employees of the company’s right to monitor their electronic communications.
A small business’s trade secrets are as critical today as early weapons were to the survival of ancient civilizations. Employers in 2014 must deploy an arsenal of electronic weapons to retain their competitive edge and protect the secrets on which the business depends.
***
NOTE: This document is intended for general information purposes only. It is not a complete or all-inclusive explanation, and it should not be construed as legal advice on any specific facts or circumstances. These topics are highly complex and require fact-intensive analyses. You are urged to consult legal counsel concerning your situation and any specific legal questions you might have.