Loss or theft of company secrets, intellectual property, or other data has been a problem since the beginning of time. The law addressing it, the Economic Espionage Act, is a bit newer. Enacted in 1996, the Economic Espionage Act makes it a federal crime to steal trade secrets. Even so, in 2001, a USA Today article by Salina Kahn entitled “When laptops ‘walk away,’ company secrets go, too” revealed that in 2000, 387,000 company laptops were lost or stolen, creating a huge security issue for those companies.
Today, the laptop is the least of your worries. Thumb or flash drives, e-mail, social media, mobile devices, the bring your own device (BYOD) epidemic, and smartphones make losing or stealing company information extremely easy.
On October 10, 2013, twelve years after Kahn’s USA Today article, USA Today published an article by Tom Kemp, writing for Cyber Truth, entitled “The downside of smartphone kill switches,” which reported that 113 smartphones are lost or stolen every minute in the US.
Hackers are a huge threat to businesses, disrupting networks and stealing all sorts of data. This phenomenon appears to be the focus of the media as well as of companies concerned about security. But just as threatening is the employee who, either through negligence or ill intent, puts the crown jewels of the company on his or her mobile device or online.
According to a 2010 Gonzaga Law Review study of federal court cases, 85% of trade secret cases involved a former employee of the company as the person who stole or misappropriated the secrets. In many cases, the former employee or business partner was moving to a competitor or starting his or her own company.
So, what is the solution?
Perform a risk assessment, draft and implement the proper policies, and train your employees.
Perform a Risk Assessment
The risk assessment can be very simple. Identify information your company collects, processes, and stores, and the ingress and egress points. Once you know what information you have, categorize it.
If it is sensitive, e.g., proprietary information, intellectual property, or a trade secret, it should be considered top secret or given a comparable label. If it is human resources information, label it HR sensitive. Do this until you have categorized all of the information down to a rating of public, which would consist of information you freely put on the public website.
Once categorized, determine who has access to what information and whether that person has a need to know. This includes external access as well as internal. Do not overlook the vendors or partners you work with and their levels of access and security.
Establish and Implement Policies
Drafting and implementing the proper policies are your next steps, and implementing is key. If you draft policies or have an outside vendor draft them, and they go on a shelf where no one reads them, they are worthless.
The drafting phase should be used as a learning phase for the company. Beware of companies that draft policies in a vacuum without your involvement. When drafting the necessary policies, ensure they facilitate workflow, and then have employees sign to indicate they have read the policies.
In any instance where you are concerned about loss of sensitive information or trade secrets, ensure your list of policies includes at least:
- A privileges policy that limits access to information
- A social media policy explaining to employees what they are encouraged to post and not post
- A monitoring policy wherein you notify employees that their activities on company devices or with company information will be monitored
These are just a few. There are many other policies that should be incorporated or considered.
Train your employees on cybersecurity and the policies. If you explain to employees why the policies are being implemented and reveal to them the threats to information and how it can be lost and stolen, they are much more likely to accept and implement the policies.
In many cases, you are fighting an uphill battle until people are educated, because most believe that information is relatively secure. After a good cybersecurity class that reveals how vulnerable we all are to hacking, intrusions, and loss and theft of information, most people become much more cautious about how they handle information.