by Michael D. Sarlo
Intellectual property has been at the center of countless instances of theft and fraud in the past several years. The mass digitization of information combined with the increasing susceptibility to data breaches has made it more difficult than ever before to keep IP private. At the same time, in-house attorneys are under intense pressure to protect their organizations’ most valuable proprietary information.
Not to get too extreme here, but IP protection is more than just a corporate responsibility – it is an economic imperative. The U.S. Department of Commerce’s Economics & Statistics Administration explained that IP-intensive organizations are the lifeblood of the American economy, heavily contributing to employment and GDP growth on an annual basis.
Better IP governance frameworks are necessary to mitigate risks and enable stronger performance among innovation-centric employees and departments through management optimization. Before diving into some of the ways in which you can get a better handle on your IP management frameworks, let’s discuss some trends and statistics that surround this topic at the moment.
Rising need for stronger controls
Theft is among the greatest threats to IP today, but is just one of many moving parts that need to be covered by tight policies and governance frameworks. Here are a few stats to keep in mind:
- The IP Commission estimates that the U.S. economy loses as much as $600 billion annually to trade secret theft, software pirating, and similar IP-related crimes.
- Last May, PricewaterhouseCoopers reported that the rate of annual IP trials slowed in the past few years, but the median damages awarded hit a 10-year high at $9.2 million between 2011 and 2015.
- Some firms appear completely unprepared to protect and capitalize on their IP. For example, STOPFakes.gov explained that 85 percent of small business owners are not aware of IP protection filing requirements abroad despite selling their products overseas.
From these three stats, three things become abundantly clear: IP security and protection are not being taken seriously enough, the stakes in IP litigation are rising, and a large swath of the nation’s business leaders are in desperate need of IP management assistance.
Like virtually any other strategic matter in modern business, tight IP frameworks are defined by exceptional management of people, process, and technology.
People, process, technology
IP governance frameworks should cover people, process, and technology in an intelligent, intuitive fashion, with user experience being the highest priority. This type of governance follows the same line of thinking as general data management, in that firms want to ensure staff members who have the right credentials gain seamless access to IP-related information.
Beginning with technology, organizations need to be leveraging a secured content management system that de-silos their IP data and places it neatly into a centralized location. Moving to process, leaders will first need to examine workflows, as well as the procedures that govern credentialing and archiving practices, to get a 360-degree view of the current ebb and flow of IP management. Opportunities to refine these activities will become apparent once that visibility is achieved.
Finally, personnel will need to be made aware of policies and trained in how to follow guidelines, and managers should be getting buy-in as early on as possible. From my experiences, you will really want to have a strong, user-driven IP governance framework in place before you begin presenting to the whole team, but it should have at least some room for adjustments to ensure personnel have a say in the final product.
When IP governance frameworks are intelligent and efficient, firms will generally be better-protected against potential leaks and security threats, as well as deficiencies or impediments that stand in the way of further innovation. Still, we need to devote a little more time to the security side of the conversation.
Mitigating insider threats
Unless you still rely on paper filing systems, you will need to take an IT-centric approach to security. First, consider the two main categories of risk:
- Insiders: This category includes any and all parties on the inside who end up being responsible for the loss, theft, or exposure of IP. Your security policies need to cover personnel from recruitment through departure, and account for malicious activities, negligence, and other factors.
- External threats: Hackers are certainly a growing threat, and more are targeting systems they know to contain IP. Today, this group includes domestic and international threats, as well as lone wolves and hacker networks.
Interestingly, most companies are far more concerned about external forces than they are about insider threats. Dark Reading reported that 80 percent of respondents to a survey expected an external hacking event to lead to data theft in the next 18 months, compared to 57 percent who were fearful of internal actors. That same survey also found that 69 percent of the respondents had fallen victim to an internal breach compared to the 55 percent who experienced an external attack.
Yes, you should be scratching your head. Despite being stung by insider threats more frequently for years now, companies remain far more wary of – and focused upon – external threats. Both need to be covered in policy, but firms need to take insider threats more seriously.
To be sure, TechTarget pointed out that 56 percent of respondents to a Ponemon Institute survey did not believe bringing a former employer’s IP with them to their next job was illegal. That might be why 50 percent admitted to taking data from their former employer, and 40 percent cited plans to use it at their next place of employment. More than 60 percent stated that they uploaded data to personal devices or cloud accounts.
While advanced network monitoring, authentication, encryption, and similar data security software will act as the strongest defenses against outside threats, firms need to double down on those controls when mitigating insider risk.
Here are a few potential elements of a strong IP security policy to cover internal threats:
- Exhaustive, tailored background checks for all incoming employees.
- Stringent credentialing standards for all potential IP systems, channels, data, etc.
- Deployment of monitoring solutions that track the movement of IP data.
- Regular spot checks to ensure IP data has not exited the chain of control.
- Decommissioning of user devices and accounts immediately following departure.
Employee training should also be prioritized, as malicious insiders are not the only ones who cause IP loss. Verizon’s 2015 Data Breach Investigations Report found that about one-third of all data breaches – regardless of origin – were caused by a negligent employee, CNBC reported. Staff training is one of the easiest and most affordable ways to protect IP and all sensitive data.
Striking the balance
Finding the happy medium in which IP is completely protected from threats and still accessible is no easy task. An overly restrictive policy could lead to rogue activities, poor user experiences that hinder further innovative activity, a lack of employee engagement, and other costly calamities. One that is too loose will almost certainly lead to some form of loss or theft.
This is why your approach to IP governance needs to be structured in accordance with your specific business objectives, culture, data management strategies, and other factors. There is no one-size-fits-all answer in this conversation. While that means more work and sometimes the need for external support, those proactive efforts will always be more affordable than the alternatives: a major breach or stymied IP proliferation.
Michael Sarlo is HAYSTACKID’s Vice President of eDiscovery & Digital Forensics.