
Recommendations and conclusion

In document Navigating the Digital Age (Page 147-151)

Given the wide range of laws, regulations, and guidelines—only a few of which could be covered here—how do organizations begin to navigate these treacherous waters?

CONSUMER PROTECTION: WHAT IS IT?

Organizations must build privacy and security into their systems, processes, and services from the ground up and from the top down. Education and training for all employees should start on day one and be continuous. The time and effort required to assess cyber risk and understand data is minimal compared with the potential implications of failing to do so. Technology is constantly evolving, which means cybersecurity does as well, and an organization’s efforts to protect consumer information must similarly adapt. It is better to have considered a tool and rejected it because it substantially degrades the service offered than to ignore the vulnerability entirely. Organizations must face cybersecurity risks as an enterprise and leverage industry experts to guide them through this quagmire of laws, regulations, and threats.

Fish & Richardson P.C. – Gus P. Coldebella, Principal

Protecting trade secrets in the age of cyberespionage

The cybertheft of intellectual property (IP) from U.S. companies has, in the words of former NSA director and Cyber Command chief General Keith Alexander, resulted in the “greatest transfer of wealth in human history.” And the data bear that out: by some estimates, the value of IP stolen from U.S. businesses over the Internet alone is $300 billion per year—a whopping 6% of our $5 trillion total intellectual property assets. For certain nations, cyber espionage is a central component of their growth strategies: for example, the Report of the Commission on the Theft of U.S. Intellectual Property (the IP Commission Report) found that “national industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice.” Cyber espionage of IP assets allows companies and countries to circumvent the expense and hard work of basic research and product development—which could take years or even decades—and instead quickly pursue their economic agendas based on stolen IP, all to the detriment of U.S. businesses, jobs, and economic growth.

On May 1, 2014, a federal grand jury brought criminal charges of hacking, economic espionage, and trade secrets theft against five officers of China’s military. The hackers are alleged to have penetrated the networks of important American companies to acquire proprietary and confidential technical and design specifications, manufacturing metrics, attorney-client discussions about upcoming trade litigation, economic strategies, and other forms of sensitive, nonpublic information. What was the object of this indictment? Certainly not to get a conviction: the likelihood of China extraditing the defendants to the U.S. is negligible. Instead, the U.S. used the indictment to transmit two strong signals. First, it sent a message to China: that we are aware of this aberrant behavior—in which a nation-state aims its espionage apparatus not at another country, but at another country’s companies—and that the U.S. will expose this misconduct to the world. Second, the indictment sent a message to U.S. companies that, although past breaches and legal and reputational risk may have convinced boards and management to shore up defenses against cyberattacks involving ‘personally identifiable information,’ or PII, the most sophisticated attackers are interested in other, more mission-critical data on companies’ networks—intellectual property. The loss of trade secrets could cause more harm to a company’s reputation, value, and future prospects than a PII breach ever could. The U.S. government is signaling that companies should focus on taking immediate, reasonable steps to defend their intellectual property assets.

In a world where countries persistently attack companies and compromise of a company’s networks seems inevitable, management may be tempted to throw up their hands and concede defeat. There are, however, important legal and practical reasons to fight. In this chapter, we explore reasonable steps companies can take to prevent the cybertheft of their IP assets, to mitigate the harm of such thefts if they occur, and to challenge competitors that use stolen IP assets to unfairly gain an advantage in the marketplace.

■ Conducting a trade secrets risk analysis

patent, the registration of a trademark, and the creation/publication of copyrighted material. Cyberthieves generally set their sights on a company’s trade secrets—the one type of IP that is not readily available for the world to see.

Some companies keep their trade secrets offline. Legend has it that one of the most storied trade secrets, the formula for Coca-Cola, is on a handwritten piece of paper in a safe in Coke’s Atlanta headquarters. But air-gapped trade secrets are rare in the Internet age. Given this, it is crucial for a company to identify and locate the trade secrets on its networks, and those that are being deposited there in the ordinary course of business. Every company has such mission-critical secrets: design specifications, chemical formulas, computer code, financial algorithms, customer lists, and business plans, to name a few. Finding them is a key, and sometimes overlooked, part of a top-to-bottom network vulnerability analysis. Unless a company knows what trade secrets it has and where they are located, it cannot begin to secure them.

Once a company catalogs its online trade secrets, it should ask several high-level strategic questions: How are they currently safeguarded? Who may access them? What systems are in place to alert the company that the trade secrets have been exfiltrated or altered? These questions and the protective measures developed in response are not only important to thwart cyber attackers—but also help to prevent all types of attempted trade secret theft, whether conducted via the Internet or the old-fashioned way. They also help to best position the company if it brings litigation seeking damages, injunctive relief, or other recompense for the theft. Although the cybertheft of trade secrets has not yet yielded many judicial decisions, law books are rife with cases of companies seeking damages resulting from current or former employees spiriting off trade secrets to their next employer or to a competitor. One of the central questions in any such litigation is: did the company make reasonable efforts under the circumstances to protect the secrecy of its confidential information?
