If you ask those in charge of small- or medium-sized businesses (SMB) what their main concerns are, seldom – if ever – is the security of company intellectual property (IP) mentioned. There are reasons for that, especially in today’s business climate. SMBs are focused on keeping the business running, and securing IP does not fall under that category. It should, though. There are numerous examples of stolen IP surfacing elsewhere in the world to the detriment of the victim company.
Even worse, Craig McCrohon, partner at Burke, Warren, Mackay & Serritella, said, "Once taken, IP can be almost impossible to recover, and can require years of litigation and oppressive legal costs to reclaim."
Part of the reason that protecting IP is ignored is the lack of perceived ROI. Only when there is a theft of company IP does the business see where some prior investment would have been a better choice.
How to Protect Digital IP
There are ways for companies to protect themselves, but most are designed for large corporations that have the money and people to manage the solutions.
"A few practical low-tech steps can significantly improve the chances of these companies protecting their valuable confidential information," McCrohon said.
To that end, McCrohon offered the following low-tech tips:
- Keep sensitive material locked up.
- Digital files like Word documents and spreadsheets can and should be password protected, especially those transmitted over the Internet.
- Enforce need-to-know by only giving access to sensitive documents to employees who need it.
- Use the U.S. Postal Service to mail hard copies of critical files. McCrohon also stressed stamping the files with "Do Not Copy."
- Copyrights and trademarks may seem like an unneeded expense, but offer companies more options if disputes occur.
- IP-usage agreements between the company and business partners demonstrate the company’s commitment to securing IP.
- Employee manuals should explain the company’s position regarding the handling of IP.
- Have a guest sign-in log, monitor guest movements, and control access to sensitive areas inside the building.
- Sensitive IP from other companies should be considered stolen property unless handed over by those in a position to do so.
- Dumpster diving is a low-tech method of stealing company IP. Counter it with a low-tech solution: shred all IP documentation.
To get a second legal opinion on McCrohon’s low-tech tips, I contacted Tyler Pitchford, an appellate attorney at Brannock & Humphries and self-professed hacker. Pitchford noticed that all 10 tips emphasized what McCrohon called "habitual protection."
"When evaluating whether a company’s IP is confidential, courts look to how diligently the company protects its supposed confidential information," Pitchford said. "For example, if the company stamps documents as confidential, but the documents are left out in the open during a presentation, the court will not consider the documents confidential."
Pitchford then explained that McCrohon’s report did well to stress habitual protection. It is a simple, preemptive way to demonstrate how a company treats its intellectual property, and there is legal precedent, as mentioned in the paper:
- If a firm demonstrates "habitual protection" of its confidential information, it will more likely prove that the information is valuable and merits protection under the Uniform Trade Secrets Act.
- The opposite also holds true: a company that ignores strict protection of confidential information and ideas triggers a presumption of low value and little confidentiality.
The above list was shown to IT professionals working for firms where securing company secrets was paramount. They agreed, emphasizing the need to create the proper security attitude within the organization. If employees are aware that losing company intellectual property may bring the entire business down, they will think twice about what needs to be done to ensure company secrets are safe.
The above list was also shown to several small-business owners. They, for the most part, were aware of the tips, but considered them secondary. Most of the owners were in agreement that the company’s top priority is to have the CEO, president or person-in-charge be vocal in his or her support of the IP security policy.
One CEO offered an example. This CEO called a company meeting. After explaining the company’s policy regarding IP, the CEO emphasized the importance of the policy saying that every employee needed to read, understand and then sign the document outlining the terms. The CEO then signed her copy and added the document to her employee handbook in front of the employees — C-level buy-in is crucial.