Burness Paull: Make sure secrets stay secure

Opinion by Colin Hulme

If you haven’t noticed intellectual property (IP) and trade secrets being removed from your business, then you probably aren’t looking hard enough.

A general counsel in one of our service company clients recently listed the three main risks to his business as being “cyber security, cyber security and cyber security – in that order”.

A 2014 report by the Centre for Responsible Enterprise and Trade estimated that the value of trade secrets misappropriated from business equates to 1-3% of the GDP of each advanced industrial nation. To put that into a UK context, that is a figure of up to £60 billion.

In our experience, the oil and gas sector is a hotbed for the misappropriation of IP and trade secrets, with the general impression that many companies in this sector find protecting sensitive information more challenging than others.

The recent Oil and Gas UK Cyber Security Seminar was again testament to the growing importance of this issue, especially as so many businesses continue to digitalise. The Health and Safety Executive’s issuing of its Network and Information Security (NIS) guidance in autumn will be welcomed by industry.

What really makes the headlines is a foreign government hacking into your company’s server. That is happening and it is vital that we redouble our efforts to manage the risk. However, the greater risk is from employees and consultants – typically when leaving – removing sensitive information from your business.

In our experience, the conduct ranges from taking a few documents to enable them to cut corners in their new job, to taking copies of the company’s servers – putting them in a position to duplicate the business. By far the most common technique involves sending emails to personal email accounts while attaching sensitive documents.

Removing data on memory sticks and even on laptops works equally well. What is perhaps less obvious is exporting information using social media accounts, something that can be easily overlooked. If suspicious, a company will often review a departed employee’s emails, but perhaps not look at what he or she has been sending out via LinkedIn messages.

That can be more cumbersome for the employee, but it often goes undetected. A challenge here is ensuring that the company can gain access to the employee’s social media accounts.

Without doubt, the hardest data theft to detect after the fact is the traditional removal of paper copies. If an employee has legitimate reasons to print information and claims that it is subsequently shredded, it is unlikely we could ever prove they have taken it with them.

We have had cases where people have been seen putting reams of paper in handbags, never to be seen again, and an employee hiding A2 engineering drawings under a jacket while they nip out for a sandwich.

So, what can be done to help manage this risk?

1. Have robust confidential information policies and contract terms in place for everyone who gains access to the company server. These policies should be made clear at induction, during the course of employment and especially at exit interviews.

2. Ensure that there is good staff awareness of the importance of protecting data and confidential information.

3. Limit the ability of non-company equipment, especially storage devices, to be used on company IT equipment.

4. Partition access to information on company servers. Avoid the default position of all employees having access to entire company servers (excluding finance and HR).

5. Look out for the latest IT solutions. Documents can be tagged, so it will be flagged if they are removed from the company’s IT system. A Scottish company called Zonefox has a product that monitors employee use of electronic documents and can detect if they are being used in a way which is out of the ordinary. The company says it offers a solution that can anticipate a data loss before it even happens.

As a priority, it is important to engage with proper IT forensics in situations where there is concern that material may have been taken. When that happens, much can be done, including securing interim interdicts and conducting a pre-action “raid” to secure evidence of a data theft without giving any notice.

The new trade secrets regulations offer legal remedies for employers seeking to close stable doors, but companies should be planning for when, not if, attempts are made to remove IP from their business.

Colin Hulme, Burness Paull
