![[IPWatchdog Logo]](https://ipwatchdog.com/wp-content/themes/IPWatchdog%20-%202023/assets/images/temp/logo-small@2x.png){kind=logo}
7 “Valuable information can be found everywhere in most companies, and we can’t protect it all with maximum effort, or the business would collapse under the weight of the effort. We have to understand where we get competitive advantage from data, and try to categorize it according to its value.”
“Data that is loved tends to survive.” — Kurt Bollacker
In last month’s post, Part 1 of this series, we considered the view of European academics that trade secrets are not “intellectual property” because they don’t give the power to exclude others, like patents, copyrights and trademarks do. But considering that trade secrets are treated throughout the world like a kind of property – they can be transferred and taxed, and stealing them is considered theft – we concluded that what matters is not exclusion, but control. It is the ability to control access to secret data that can give companies an advantage over others that don’t know about it.
We considered the example of an Armenian family that has managed to keep – and profit from – the secrets of making the very best orchestral cymbals for four centuries. They did this by sharing only within the family, where presumably they had available some compelling ways to enforce trust.
For the rest of us in the modern, globalized and digital economy, we have what looks like an impossible task. How do you protect the company’s secrets when they are zooming around the globe at the speed of light and accessible by thousands of employees, contractors, partners and vendors, each with a small supercomputer in their hands? More specifically, what do you do when those people go home in the evening and use those same little devices to participate in various forms of social media, where they are relentlessly instructed to share the most molecular details of their lives with hundreds or thousands of “friends”?
Before we try to answer those big questions, here’s a comforting thought. What the law expects fits nicely with what the owners of a business should expect: that management will do what is “reasonable under the circumstances.” Okay, you might say, that is just an abstraction meant to dodge the problem. But there is some instructive guidance behind the “reasonableness” standard.
Balancing Security and Risk
It starts with recognizing that perfect security is not feasible in today’s data blizzard. The more people we trust with access, the greater the risk. But in order to compete in fast-moving markets, we can’t go it alone. Today’s innovation and commercialization usually require large teams, including external partners. So being “reasonable” means accepting that risk.
Besides the imperative to share, we also have to confront another reality of risk: security measures almost always come at a cost. It’s not necessarily about money, but about convenience and productivity. Think about two-factor authentication, where in addition to your normal password you have to wait for a special one to be generated and sent to your personal device. Now think about doing that 50 or 100 times a day, as you go through each office door and engage with each software program or database. It adds up. Most businesses can’t afford the efficiency loss that results from placing maximum protection on all forms of data.
So it’s pretty clear that we can’t have it all when it comes to information security. “Reasonable” means thoughtful management of the risk of losing control over your data, while not letting the perfect be the enemy of the good. So how does a business do that? Here are some observations grounded in the law and in sensible business management.
Weighing Value, Threat and Cost
To begin with, recognize that “reasonable under the circumstances” refers to the unique circumstances of your business and the risks faced by your information assets. There is no one-size-fits-all checklist of “best practices” that applies across the board. If you think that checking off a list of security techniques is enough, or if you’re worried that you’re not doing everything on some list, forget that. What matters is the circumstances you are in, measured by three things: value, threat and cost.
Valuable information can be found everywhere in most companies, and we can’t protect it all with maximum effort, or the business would collapse under the weight of the effort. Instead, we have to understand where we get competitive advantage from data, and try to categorize it according to its value. This is not necessarily value in the absolute sense, measured by currency. Instead, knowing relative value will help inform decisions about what level and kinds of security are needed. The algorithm that powers a critical business process might deserve more attention than a marketing strategy.
Inventory Your Assets by Category
Assessing value could be as simple as picking the top 10 or 20 trade secrets that cause you concern. To do that, you need to know what you have. But don’t be put off by fear that an “inventory” of information assets has to be a logistical nightmare, like the hardware store shutting down for several days in order to count all the individual nuts and bolts. Instead, the idea is to organize your data into categories that reflect similar kinds of value, such as tools, databases, strategies, R&D records, information about customers, financial data, and information entrusted to you by others.
The next step is to assess the threat, or risk, faced by the different kinds of confidential information you need to manage. Here there are two kinds of threat. First, there is risk of loss or leakage that can reduce or destroy competitive advantage. We can refer to this as “outbound” risk. In contrast, but often equally important, is “inbound” risk, that is the possibility that your information may become contaminated by unwanted data from outside the business. Most commonly, this sort of infection happens through hiring from competitors; but it can also come in through poorly managed confidential business relationships like a potential acquisition.
In order to thoroughly understand your risks, of course, you need to estimate the likelihood that the bad thing might happen, as well as its impact on the business if it does. Hiring an engineering manager from a direct competitor to lead an identical project will represent a substantial danger of potentially serious harm; while providing secret drawings to a trusted vendor without negotiating a non-disclosure agreement (NDA) may be more acceptable. Making these distinctions will help management focus not just on the hazards but about how much risk might be acceptable in the name of efficiency.
Once you know what you have and the array of threats you contend with, you can begin to consider where to focus your attention and allocate your resources. In this part of the process you consider the ways in which you might reduce the potential for harm, measuring the cost (in terms of money or operational friction) against the value of the information in question. In recruiting the engineering manager, for example, you might consider not only providing warnings and getting assurances about unwanted transfer, but also, if the perceived risk warrants it, providing the new hire with independent counsel to reinforce the message and to better distinguish between the skill he can apply and the trade secrets he can’t.
Protection: Simplicity versus Complexity
Many other decisions about information security will be taken in this way. Should the company adopt a labeling system for confidential information that applies multiple levels of restriction, or will a simpler system result in better compliance? Does a different risk environment in overseas facilities call for a different kind of employee training there? Should NDAs be managed centrally, or should business managers be allowed to negotiate special terms? Should access to various systems and databases be controlled for each application, or is universal access with passwords enough? Should we install software on employees’ phones to ensure they don’t share company secrets?
If you’re thinking that what I’ve described here is just classical business risk management, you’re right. The process of considering value, risk of loss and cost of mitigation techniques is how most companies approach caring for their assets and opportunities. For some, the analysis is more ad hoc than strategic, while others increasingly look outside the organization for help in designing a comprehensive data protection program.
The most important takeaway is this: your information is your property, and without due care its value can diminish or disappear. But you have control over it. Pay attention and be aware of your options. That is the “reasonable” thing to do.
Image Source: Deposit Photos
Image ID: 60064033
Copyright: wayne0216
![[Advertisement]](https://ipwatchdog.com/wp-content/uploads/2024/04/Patent-Litigation-Masters-2024-sidebar-early-bird-ends-Apr-21-last-chance-700x500-1.jpg)
![[Advertisement]](https://ipwatchdog.com/wp-content/uploads/2021/12/WEBINAR-336-x-280-px.png)
![[Advertisement]](https://ipwatchdog.com/wp-content/uploads/2021/12/2021-Patent-Practice-on-Demand-recorded-Feb-2021-336-x-280.jpg)
![[Advertisement]](https://ipwatchdog.com/wp-content/uploads/2021/12/Ad-4-The-Invent-Patent-System™.png)
Join the Discussion
7 comments so far.
Anon
February 26, 2020 02:52 pmangry,
Once again, your feelings are noted (you have absolute control over those).
And once again, your feelings provide NO basis for you to pontificate on matters of fact and law.
For someone who “does not care,” you sure spend an awful amount of time focused on a singular take-away — a take-away mind you that is what the Efficient Infringers WANT as a take-away.
If you truly did not care and simply wanted to turn YOUR back, you would have done so — and been quiet about it.
But you appear to definitely ‘care’ about a very specific message.
One may rightly wonder just why you spend so much time and energy not only peddling that message, but seeking (oddly enough, only through emotion and without reason) to denigrate anyone that advocates the use of reason and has a different message than your Efficient Infringer one.
angry dude
February 26, 2020 01:27 pmAnon @4
Dude,
Are you Liberal Arts or English major ?
The (lots of) crap you write is just not helpful at all
We are at the very late stage of cancer here … as far as US patent system is concerned..
BP
February 26, 2020 11:32 am@3, angry dude
“the ‘land of the free’ is not free anymore”, so true, affirmed yesterday where federal agents can use children playing along the Rio Grande for target practice. Per a SCt majority, “nothing” stopping that activity. All for our “safety”, “what’s next” is already here (unless you’re in a certain technocratic class).
Anon
February 26, 2020 11:30 amWhile Mr. Pooley is certainly a much better (and more thoughtful) writer, a response on another thread to an individual clamoring for a state of ONLY Trade Secrets bearing reprinting here (typos corrected):
“Trade Secrets Only” is nothing more than a rallying cry of the Efficient Infringer.
As a life long student and practitioner of innovation, I understand that trade secrets have a pragmatic place in the real world — make no mistake about that.
But as is often the case, trade secrets are an enemy of the means of promoting innovation that simply should not be so callously abandoned.
Asking that more than mere emotion be applied, that critical reasoning be used to understand each of the current state, the various players in the current state, and their respective drivers, and why the path of patents are in fact critical to protecting and promoting innovation is NOT too much to ask.
Additionally, it does not take too much critical reasoning to draw suspicion to someone that emphatically would deny reason and rest solely upon emotion in order to advocate for a certain path.
It does not take much thought to see the internal inconsistency of ‘being enraged’ by a stated ‘unfairness,’ and then throwing reason to the winds and riling emotions that merely bring about a desired state of those same parties that ‘caused’ the unfairness in the first instance.
Let me add:
There is nothing wrong with emotion.
There is everything wrong with unbridled emotion that eclipses ANY sense of reason.
angry dude
February 25, 2020 09:47 pm“Destroy the patent system and resort to trade secrets? It’s a direction viewed favorably by some federal judges, as part of the corporate state.
Corporate control of trade secrets = corporate control of humans”
What’s next ? A police state ? A totalitarian regime ?
Been there… escaped to “the land of the free”… only to discover that the “land of the free” is not free anymore
BP
February 25, 2020 08:08 pmTrade secrets are important and this post is informative, however, it’s biased toward corporations. Some lawyers do represent humans and that’s getting harder all the time.
“providing the new hire with independent counsel to reinforce the message and to better distinguish between the skill he can apply and the trade secrets he can’t.”
Hard to believe “independent counsel”, more likely “spy counsel”.
“Should we install software on employees’ phones to ensure they don’t share company secrets?”
Hmm, sounds like the Staatssicherheitsdienst.
Destroy the patent system and resort to trade secrets? It’s a direction viewed favorably by some federal judges, as part of the corporate state.
Corporate control of trade secrets = corporate control of humans.
As we have seen in Silicon Valley, companies, including Apple and Google, suppressed engineers’ wages and were ordered to pay hundreds of millions of dollars for practices that included “no-poach” lists – lists that were part of a scheme whereby companies agreed not to recruit each others’ employees.
Is that how you manage the risk of trade secret theft? Illegal collusion?
Recommendation: Part 3, how do we balance corporate desires with human rights?
Anon
February 25, 2020 07:31 pmI will say this: you spin this well.
To take the necessary and make it into a plus – that’s some nice writing here. (not snark)