These days any business generates huge amounts of information that is of value both to the company itself and to its competitors. Important information includes know-how, inventions, market research, strategic plans, customer data, and contractors’ information.
The specifics of methods and tools for protecting information constituting a trade secret are related to the fact that different pieces of data are stored in electronic form and on paper.
Information constituting a trade secret
- Scientific and technical information: inventions, know-how, patents, methods for increasing production efficiency, everything related to the operation of computer networks, security standards, software, passwords.
- Information of a technological and production nature: drawings, blueprints, models, equipment documentation, production recipes, description of business processes, production and marketing plans, strategies, business plans, investment offers, and plans.
- Information of a financial nature that is not public: management and accounting data, reports, information on the cost of production, cash flow calculations, pricing mechanisms, projected taxes.
- Business information: data on suppliers and contractors, customer information, sales data and plans, market analysis, recommendations from consultants.
The grading of confidentiality may include:
- The highest degree of secrecy: such information should be available only to the top management of the organisation.
- Strictly confidential information.
- Confidential information.
- Restricted access information.
Adopting several levels of confidentiality helps to build a better access and privilege control system and minimises the risk of data leakage. For example, data of the highest value will be inaccessible to a wide range of company employees, which means that it will be less exposed to the risk of intentional or accidental leakage.
To take advantage of the legal opportunities to protect trade secrets, at the first stage, the company must determine the list of information that constitutes trade secrets. After the classification of information, it is important to develop and implement a system of administrative, organisational, and technical measures that will help prevent the deliberate or unintentional disclosure or dissemination of information.
Before developing a system of protective measures to preserve the confidentiality of information, it is necessary to determine the most likely security threats. Threats can be divided into internal and external.
External threats have to do with different parties that may be interested in obtaining information constituting a trade secret:
- Competitors that operate in the same markets, or companies that plan to enter those markets, which may plan to implement various scenarios for undermining the market position of the company.
- Parties interested in the redistribution of shares in the enterprise, minority shareholders and other people who may use the information received in the struggle for money or assets.
Internal threats are primarily associated with company personnel, including top managers. Employees with access to corporate information systems can collect information that constitutes trade secrets in order to sell or use it in their own commercial projects or distribute to a wide range of people in order to harm the company.
The protection system should identify all possible threats and build mechanisms for dealing with specific dangers.
Methods for obtaining trade secrets
Classifying information as a trade secret does not in every case guarantee confidentiality, since employees, developers, customers, and contractors have access to different pieces of data. Information that is classified as secret in the company's internal documents may be made public due to the actions of contractors and/or employees. The twofold nature of the information that is recognised as confidential gives rise to not only illegal but also legal ways to obtain trade secrets.
- Interception or organisation of information leaks from telecommunication and computer networks.
- Direct theft of digital or paper documents.
- Bribery of employees.
- Studying the media, official sources of data disclosure, for example, websites where financial statements are published, as well as complaints and published court files. Open sources allow us to get a fairly accurate picture of the financial situation and the relationship of the company with its counterparties.
- Questioning employees of competing companies who have a wide range of information about the activities of the target company.
- Interviewing company employees with questions that do not violate the NDA, but that may help to obtain a large amount of useful information.
- Making job offers to company employees. Several stages of the admission process make it possible to obtain a lot of information about responsibilities, products, processes, and systems.
- Studying the final products, as well as the materials from suppliers of raw materials and components.
- Negotiations on possible agreements with the target company. This method makes it possible not only to collect a large amount of data but also to study the production process from the inside. The information obtained in this way is a trade secret but is often provided voluntarily.
It is not easy to fight against such methods of collecting data. Possible countermeasures include training of employees, thorough verification of contractors, and conducting business negotiations outside the company's location.
The main measure of protecting information constituting a trade secret will be the establishment of a trade secret regime. The main activities are administrative and organisational. For example, fundamental elements of the system are an employment contract and a non-disclosure agreement that provide for employee liability for violation of confidentiality.
Because external threats manifest themselves in the form of actual stealing or copying of information from the company’s computer networks, it is necessary to implement technical measures along with administrative ones to guarantee full protection.
First of all, administrative and organisational measures are aimed at informing employees about what information is considered a trade secret, and what non-disclosure obligations are imposed on them.
Another goal is to ensure that the company has complied with all the requirements of the law and industry standards and has been prudent by implementing all possible protection mechanisms. This will strengthen the position in the event of a possible lawsuit against the actual data thief or those who ordered the theft.
Administrative measures include:
- Creating a policy that introduces a trade secret regime. The document should define the main parameters of the protection system and the persons responsible for the organisation of protective measures.
- Creating the list of information related to trade secrets. Often authors of such documents include in the list all the information they know. This is the wrong way, since plenty of data is publicly available, for example, published financial or other reports. It is better to limit the list of truly valuable information. For example, confidential information cannot include information about working hours, information on compliance with environmental or fire protection requirements.
- Developing a system of local regulations that will ensure compliance with the confidentiality regime and the protection of information constituting a trade secret. Besides the main document “On trade secrets,” additional provisions can be developed covering the work with computer devices and networks, procedures for providing information to contractors and government agencies, procedures for copying the documentation, etc.
- Determining the list of people who have the right to work with information constituting a trade secret and the level of access. At this stage, organisational measures should interact with the technical ones, since access levels are implemented in the company's IT infrastructure.
- Preparing employment contracts and standard contracts with contractors that contain a paragraph about the protection of trade secrets. It is important to include a clause in the employment contract that warns of liability for the disclosure of confidential information. Some NDAs specify the period after the termination of the employment contract during which the employee cannot disclose information that has become known to him while performing his labour duties.
- Inclusion of appropriate paragraphs into the agreements with contractors in cases when the information entrusted to the counterparty or its employees is a commercial secret.
- Special regimes of using telecommunication equipment, mobile devices, photocopiers, email, and the Internet. The access of the employee to the company resources should be based on the application describing the need. Applications must be agreed upon by the upper management and security department.
- Strict control over the use of computer network accounts, with a warning that the transfer of a password may serve as the basis for dismissal due to "Disclosure of trade secrets."
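One way the confidentiality grades, the list of authorised people and the approved access application described above can be combined into a single default-deny check in the IT infrastructure. This is an added example, not part of the original article; the numeric ordering of the four grades, all class and function names, and the sample staff and documents are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    """The article's four grades; the numeric ordering is an assumption."""
    RESTRICTED = 1
    CONFIDENTIAL = 2
    STRICTLY_CONFIDENTIAL = 3
    HIGHEST_SECRECY = 4

@dataclass(frozen=True)
class Employee:
    name: str
    clearance: Level
    top_management: bool = False

@dataclass
class Document:
    title: str
    level: Level
    access_list: set = field(default_factory=set)  # people named for this document
    approved: set = field(default_factory=set)     # applications signed off by management and security

def decide(emp: Employee, doc: Document) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    if doc.level is Level.HIGHEST_SECRECY and not emp.top_management:
        return False, "highest secrecy is limited to top management"
    if emp.clearance < doc.level:
        return False, "clearance below document level"
    if emp.name not in doc.access_list:
        return False, "not on the access list"
    if emp.name not in doc.approved:
        return False, "no approved access application"
    return True, "allowed"

def audit(employees, documents):
    """Full access matrix with reasons, so each denial can be logged and reviewed."""
    return {(e.name, d.title): decide(e, d) for e in employees for d in documents}

# Constructed sample data: hypothetical staff and documents.
ceo = Employee("ceo", Level.HIGHEST_SECRECY, top_management=True)
engineer = Employee("engineer", Level.STRICTLY_CONFIDENTIAL)
clerk = Employee("clerk", Level.RESTRICTED)
recipe = Document("production recipe", Level.HIGHEST_SECRECY,
                  {"ceo", "engineer"}, {"ceo", "engineer"})
pricing = Document("pricing mechanism", Level.CONFIDENTIAL,
                   {"engineer", "clerk"}, {"engineer", "clerk"})

if __name__ == "__main__":
    for key, (ok, why) in audit([ceo, engineer, clerk], [recipe, pricing]).items():
        print(key, "ALLOW" if ok else "DENY", "-", why)
```

In the sample data the engineer is denied the recipe even though an access-list entry and an approved application exist for them: the grade rule is checked first, so a mistaken list entry cannot widen access.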
Among technical measures aimed at protecting trade secrets, systems that protect the information perimeter from leaks, unauthorised copying, or transmission of data can be considered. These tools include DLP systems and SIEM systems.
DLP systems can be configured in such a way as to minimise the theft of information by internal users. SIEM systems identify threats and various information security incidents, allowing full risk management and protection against intrusions.
Technical security measures include all methods of encoding and encrypting data, prohibiting copying, monitoring employee computers, and monitoring account usage.
Dominique Rene, PR Manager, Techshielder