You Suspect IP Theft, Now What?

By Jeff Vance


Intellectual property (IP) theft drains billions of dollars from the U.S. economy each year. The U.S. Chamber of Commerce pegs the cost at $250 billion annually, and most analysts believe the problem will continue to worsen. From a security standpoint, countering IP theft dovetails with another difficult security problem: insider threats.

In December of last year, I wrote about steps you could take to protect your organization from IP theft. Many of those steps are deceptively simple: creating information hierarchies, limiting access to critical data, and deploying information monitoring solutions all help. However, specific efforts to counter IP theft reflect the changing nature of security in general.

What to Do After a Theft Occurs

1. Get a computer forensics expert to find and recover critical information.

2. Notify the former employee that IP will be protected.

3. Communicate with the employee’s new employer, notifying them that you will actively protect your IP.

4. Communicate with customers if necessary.

5. If all else fails, turn to the courts.


Circling the Wagons

Border security is no longer sufficient, since most IP theft is initiated from within the organization. No security strategy can fully protect against motivated insiders. What if IP theft is initiated by an executive who should have access to critical data, for example?

Another issue is that the notion of an organizational “insider” is changing. Contract workers, partners, and outsourced labor all fall under the insider umbrella.

“Outsourcing can be particularly difficult to handle,” said Ed Gaudet, vice president of product management for Liquid Machines, a provider of enterprise rights management solutions. “In India and China, for instance, their laws don’t address intellectual property problems.”

If and when it comes time to sue, will you have the legal support to do so?

With outsourcing, most organizations worry about piracy, i.e., that IP will be used for product counterfeits. Fortunately, that type of IP theft is not nearly as common as theft involving customer information.

“Ninety percent of the cases I see are customer list related cases,” said Robert Yonowitz, a partner in the law firm Fisher & Phillips, LLP. “Typically, someone in marketing or sales jumps to a competitor and promises to bring along business. Employees believe, mistakenly, that they own the customer relationships.”

Taking customer information, unlike piracy or patent infringement, resides in an IP gray area. After all, how do you decide who owns something as nebulous as a business relationship?

In many states, non-compete and non-solicitation agreements give ownership to the organization, but in some states, such as California, non-compete clauses aren’t enforceable. The employee can retain the relationship as long as it doesn’t involve a solicitation.

Take the example of a sales manager leaving for a new job and sending out an announcement along with new contact information.

“Is the announcement of a departure to a customer simply that, an announcement, or is it a solicitation?” asked Todd Stefan, Executive Vice President, Setec Investigations, a computer forensics service provider.

“It can be difficult to tell, so our advice is to avoid dealing with issues like this reactively. Proactively protect yourself through legal documents, training, technology and systems. More importantly, take the time to know what your employees are doing.”

Attitude is a big part of the problem. A 2004 survey of 400 business professionals conducted by Ibas, a data recovery and computer forensics company, found that nearly 70% of respondents admitted to having stolen some form of IP when leaving a job. Over 30% left with sales presentations and proposals, while 30% also took along information from customer databases.

The most troubling finding was that only 28% thought IP theft was completely unacceptable. In other words, most business professionals believe they have a right to certain types of IP, and they think it is ethical to take the information with them.

Changing Attitudes

Changing attitudes is hard to do through security solutions alone. Experts like Stefan advocate employee training, but even with proper training in place and with employees having a clear definition of IP ownership, the problem is too big to leave to education alone.

Too often, Stefan says, organizations don’t really know what an employee’s job entails. So they don’t notice large files being emailed, and they aren’t concerned when the employee accesses information unrelated to the job at hand. In other words, organizational complacency is as much of a problem as employee attitudes.

“Usually, the theft of customer information is about more than just taking along names and addresses,” Stefan said. “A more typical case involves what I call the ‘customer playbook,’ which includes such things as the buying habits of the customer, contract terms, the expiration dates on contracts, and the status of negotiations on deals that haven’t closed.”

Once you dig deeper into the theft, the act looks less vague, and the former employee won’t be able to chalk it up to simply maintaining a relationship. If your former employee continuously contacts your customers close to the end of a contract, you should be suspicious.

Once you suspect IP theft, though, how do you counter it? Is suspicious selling behavior enough? How much evidence is needed to prove your case?

Five Steps to Counter IP Theft

1. Conduct regimented exit interviews. Do more than a verbal interview; also discuss the person’s computer usage.

2. Have an anti-deletion policy and deploy anti-deletion software on network servers.

3. Run forensics and perform audits of email, web and computer usage.

4. Treat a trade secret like a trade secret. Put safeguards in place to protect critical information. For instance, don’t make the mistake of giving every sales person access to the whole customer list. Instead, restrict access to their accounts.

5. Utilize appropriate surveillance, such as monitoring software that tracks employee access to sensitive databases and triggers an alarm for suspect behavior, such as when someone compresses a large file, copies many files, or disseminates critical information.
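
The kind of alarm logic steps 4 and 5 describe, as an added example that is not from the original article or any product it mentions. The event fields, thresholds and the example.com domain are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Assumed thresholds and names; tune them to your own environment.
LARGE_ARCHIVE_BYTES = 100 * 1024 * 1024   # archive size that counts as "large"
BULK_COPY_FILES = 50                      # files copied by one user in one day
INTERNAL_DOMAIN = "example.com"           # placeholder corporate mail domain

def detect(events, account_owner):
    """Return {user: sorted list of alert names} for a list of audit events."""
    alerts = defaultdict(set)
    copies = Counter()
    for e in events:
        user, action = e["user"], e["action"]
        if action == "archive_create" and e["bytes"] >= LARGE_ARCHIVE_BYTES:
            alerts[user].add("large_archive")
        elif action == "file_copy":
            copies[(user, e["day"])] += e["count"]
        elif action == "customer_read":
            # Step 4: a salesperson should only touch accounts assigned to them.
            if account_owner.get(e["account"]) != user:
                alerts[user].add("out_of_scope_account")
        elif action == "email_send":
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain != INTERNAL_DOMAIN and e.get("sensitive"):
                alerts[user].add("external_dissemination")
    # Bulk copying is judged per user per day, after all events are counted.
    for (user, _day), n in copies.items():
        if n >= BULK_COPY_FILES:
            alerts[user].add("bulk_copy")
    return {u: sorted(a) for u, a in alerts.items()}

# Constructed sample data, not real logs.
ACCOUNT_OWNER = {"acme": "alice", "globex": "bob"}
EVENTS = [
    {"user": "alice", "action": "customer_read", "day": "2024-03-01", "account": "acme"},
    {"user": "bob", "action": "customer_read", "day": "2024-03-01", "account": "acme"},
    {"user": "bob", "action": "file_copy", "day": "2024-03-01", "count": 30},
    {"user": "bob", "action": "file_copy", "day": "2024-03-01", "count": 25},
    {"user": "bob", "action": "archive_create", "day": "2024-03-01", "bytes": 250 * 1024 * 1024},
    {"user": "bob", "action": "email_send", "day": "2024-03-02", "to": "bob@personal.example", "sensitive": True},
    {"user": "alice", "action": "file_copy", "day": "2024-03-01", "count": 3},
    {"user": "alice", "action": "email_send", "day": "2024-03-02", "to": "carol@example.com", "sensitive": True},
]

if __name__ == "__main__":
    for user, names in detect(EVENTS, ACCOUNT_OWNER).items():
        print(user, names)
```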

“When an employee leaves, they usually know they’re going thirty-to-sixty days ahead of time, which is when most theft happens,” Yonowitz said. The company won’t know of the employee’s plans until well after the employee does, meaning preventing theft can be tricky.

“Ideally, you want to head the employee off at the pass and not involve customers,” Yonowitz said. “The problem is that most employers are not doing simple things like monitoring email usage. They are not training employees properly. They don’t adequately explain what information belongs to the company.”

With the proper systems in place, inappropriate behavior will raise alarms — well before the employer knows of the employee’s intention to leave. If this sounds like Big Brother flexing his muscles, it’s important to remember that surveillance and monitoring needn’t be intrusive.

Simply saving emails can be crucial, but saving email doesn’t mean you need to scrutinize every single one. You simply need to have access to them if a problem arises.

“If you experience an incident, it’s important that your actions don’t destroy the very information you’re trying to protect,” Stefan warned. “If you find a smoking gun, make sure you take the steps so that it will be admissible in court, if it comes to that.”

By logging onto a former employee’s computer, you are “trampling on the crime scene.” Better to just have policies in place to save things like email, browsing histories, and access to key databases and let a forensics expert take it from there.

“Remember, computers house a ton of information,” Stefan said. “When an employee leaves, don’t reformat the hard drive and put it back in circulation. If it’s a contentious termination, take the drive out and buy a new one for that PC.” A few dollars spent on a new hard drive could be the difference between winning and losing an IP theft case.