You Suspect IP Theft, Now What?
In December of last year, I wrote about steps you could take to protect your organization from IP theft. Many steps are deceptively simple: creating information hierarchies, limiting access to critical data, and deploying information monitoring solutions all help. However, specific efforts to counter IP theft reflect the changing nature of security in general.
What to Do After a Theft Occurs
1. Get a computer forensics expert to find and recover critical information.
2. Notify the former employee that IP will be protected.
3. Communicate with the employee's new employer, notifying them that you will actively protect your IP.
4. Communicate with customers if necessary.
5. If all else fails, turn to the courts.
Circling the Wagons
Border security is no longer sufficient, since most IP theft is initiated from within the organization. No security strategy can fully protect against motivated insiders. What if IP theft is initiated by an executive who should have access to critical data, for example?
Another issue is that the notion of an organizational insider is changing. Contract workers, partners, and outsourced labor all fall under the insider umbrella.
"Outsourcing can be particularly difficult to handle," said Ed Gaudet, vice president of product management for Liquid Machines, a provider of enterprise rights management solutions. "In India and China, for instance, their laws don't address intellectual property problems."
If and when it comes time to sue, will you have the legal support to do so?
With outsourcing, most organizations worry about piracy, i.e., that IP will be used for product counterfeits. Fortunately, that type of IP theft is not nearly as common as theft involving customer information.
"Ninety percent of the cases I see are customer list related cases," said Robert Yonowitz, a partner in the law firm Fisher & Phillips, LLP. "Typically, someone in marketing or sales jumps to a competitor and promises to bring along business. Employees believe, mistakenly, that they own the customer relationships."
Taking customer information, unlike piracy or patent infringement, resides in an IP gray area. After all, how do you decide who owns something as nebulous as a business relationship?
In many states, non-compete and non-solicitation agreements give ownership to the organization, but in some states, such as California, non-compete clauses aren't enforceable. The employee can retain the relationship as long as it doesn't involve a solicitation.
Take the example of a sales manager leaving for a new job and sending out an announcement along with new contact information.
"Is the announcement of a departure to a customer simply that, an announcement, or is it a solicitation?" asked Todd Stefan, Executive Vice President, Setec Investigations, a computer forensics service provider.
"It can be difficult to tell, so our advice is to avoid dealing with issues like this reactively. Proactively protect yourself through legal documents, training, technology and systems. More importantly, take the time to know what your employees are doing."
Attitude is a big part of the problem. A 2004 survey of 400 business professionals conducted by Ibas, a data recovery and computer forensics company, found that nearly 70% of respondents admitted to having stolen some form of IP when leaving a job. Over 30% left with sales presentations and proposals, while 30% also took along information from customer databases.
The most troubling finding was that only 28% thought IP theft was completely unacceptable. In other words, most business professionals believe they have a right to certain types of IP, and they think it is ethical to take the information with them.
Changing Attitudes
Changing attitudes is hard to do through security solutions alone. Experts like Stefan advocate employee training, but even with proper training in place and with employees having a clear definition of IP ownership, the problem is too big to leave to education alone.
Too often, Stefan says, organizations don't really know what an employee's job entails. So they don't notice large files being emailed, and they aren't concerned when the employee accesses information unrelated to the job at hand. In other words, organizational complacency is as much of a problem as employee attitudes.
"Usually, the theft of customer information is about more than just taking along names and addresses," Stefan said. "A more typical case involves what I call the customer playbook, which includes such things as the buying habits of the customer, contract terms, the expiration dates on contracts, and the status of negotiations on deals that haven't closed."
Once you dig deeper into the theft, the act looks less vague, and the former employee won't be able to chalk it up to simply maintaining a relationship. If your former employee continuously contacts your customers close to the end of a contract, you should be suspicious.
Once you suspect IP theft, though, how do you counter it? Is suspicious selling behavior enough? How much evidence is needed to prove your case?
Five Steps to Counter IP Theft
1. Conduct regimented exit interviews. Do more than a verbal interview; also discuss the person's computer usage.
2. Have an anti-deletion policy and deploy anti-deletion software on network servers.
3. Run forensics and perform audits of email, web and computer usage.
4. Treat a trade secret like a trade secret. Put safeguards in place to protect critical information. For instance, don't make the mistake of giving every salesperson access to the whole customer list. Instead, restrict access to their accounts.
5. Utilize appropriate surveillance, such as monitoring software that tracks employee access to sensitive databases and triggers an alarm for suspect behavior, such as when someone compresses a large file, copies many files, or disseminates critical information.
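The alarm conditions in steps 4 and 5 can be expressed as simple rules over audit events. The following is an added example, not part of the original article or any vendor's product; the event fields, thresholds, user names and sample events are all constructed assumptions.

```python
from collections import Counter

# Thresholds and field names are assumptions for this sketch; tune to your baseline.
LARGE_BYTES = 50 * 1024 * 1024   # archive or attachment size that merits review
MANY_FILES = 100                 # file copies per user per day

# Constructed: which customer accounts each salesperson is assigned (step 4).
ASSIGNED = {"asmith": {"acme", "globex"}, "bjones": {"initech"}}

# Constructed sample audit events, as a monitoring agent might emit them.
EVENTS = (
    [{"day": "2024-03-01", "user": "asmith", "action": "db_read", "account": "acme"},
     {"day": "2024-03-01", "user": "bjones", "action": "db_read", "account": "acme"},
     {"day": "2024-03-01", "user": "bjones", "action": "archive_create", "bytes": 80 * 1024 * 1024},
     {"day": "2024-03-01", "user": "bjones", "action": "email_send", "external": True, "bytes": 60 * 1024 * 1024},
     {"day": "2024-03-01", "user": "asmith", "action": "email_send", "external": True, "bytes": 20_000}]
    + [{"day": "2024-03-02", "user": "bjones", "action": "file_copy"} for _ in range(150)]
    + [{"day": "2024-03-02", "user": "asmith", "action": "file_copy"} for _ in range(5)]
)

def detect(events, assigned=ASSIGNED):
    """Return sorted (day, user, rule) alerts for the behaviours named in steps 4 and 5."""
    alerts = set()
    copies = Counter()
    for e in events:
        key = (e["day"], e["user"])
        action = e["action"]
        if action == "db_read" and e["account"] not in assigned.get(e["user"], set()):
            alerts.add(key + ("unassigned_account_access",))   # step 4: outside own accounts
        elif action == "archive_create" and e.get("bytes", 0) >= LARGE_BYTES:
            alerts.add(key + ("large_archive",))               # compresses a large file
        elif action == "email_send" and e.get("external") and e.get("bytes", 0) >= LARGE_BYTES:
            alerts.add(key + ("large_external_email",))        # disseminates information
        elif action == "file_copy":
            copies[key] += 1                                   # counted per user per day
    for key, n in copies.items():
        if n >= MANY_FILES:
            alerts.add(key + ("bulk_file_copy",))              # copies many files
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Alerts of this kind are a prompt for review against what the employee's job actually entails, not proof of theft on their own.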
"When an employee leaves, they usually know they're going thirty-to-sixty days ahead of time, which is when most theft happens," Yonowitz said. The company won't know of the employee's plans until well after the employee does, meaning preventing theft can be tricky.
"Ideally, you want to head the employee off at the pass and not involve customers," Yonowitz said. "The problem is that most employers are not doing simple things like monitoring email usage. They are not training employees properly. They don't adequately explain what information belongs to the company."
With the proper systems in place, inappropriate behavior will raise alarms well before the employer knows of the employee's intention to leave. If this sounds like Big Brother flexing his muscles, it's important to remember that surveillance and monitoring needn't be intrusive.
Simply saving emails can be crucial, but saving email doesn't mean you need to scrutinize every single one. You simply need to have access to them if a problem arises.
"If you experience an incident, it's important that your actions don't destroy the very information you're trying to protect," Stefan warned. "If you find a smoking gun, make sure you take the steps so that it will be admissible in court, if it comes to that."
By logging onto a former employee's computer, you are trampling on the crime scene. Better to just have policies in place to save things like email, browsing histories, and access to key databases and let a forensics expert take it from there.
"Remember, computers house a ton of information," Stefan said. "When an employee leaves, don't reformat the hard drive and put it back in circulation. If it's a contentious termination, take the drive out and buy a new one for that PC. A few dollars spent on a new hard drive could be the difference between winning and losing an IP theft case."