Trade secrets are increasingly becoming a company's most valuable assets, and not surprisingly, threats to those assets have increased concomitantly. The greatest threat to company data is, of course, not outsiders but a company's own employees A company's ability to protect against rogue employees (as well as against unintentional harm) is governed by both federal and state laws, which vary by jurisdiction and, worse, are in a state of flux in many of those jurisdictions.
As with most security challenges, it isn't possible to eliminate the threat. But working together, your IT department and company counsel can and should maximize the establishment and implementation of trade secret protections. Here's how:
Define the Problem
Your company must understand the scope of the problem in order to mitigate its effects. A "trade secret audit" -- which includes steps similar to those in any security audit -- is a critical tool your company can use to ascertain what confidential information it currently has. Confidential information is defined more broadly than true trade secrets.
Though they come in all shapes and sizes, most trade secret audits include the following elements: (i) determination of which information ought to be protected; (ii) review of the procedures already in place to protect that information; and (iii) analysis of the sufficiency of those protections, including identification of gaps in the existing protections, both generally and as applied to the specific information to which the gaps pertain.
The sufficiency of the existing protections turns largely, on the value of the information along with the practical need for and cost of properly protecting it. For example, while Coca-Cola quite properly takes extraordinary measures to protect the secret formula to Coke, no one would expect Coca-Cola to take similar measures to protect trade secrets with only marginal value.
Establish a realistic protection program
After your company has completed assessing the scope of the problem, you can develop a comprehensive protection program. Such a program commonly involves a combination of policies, procedures, and contracts, as well as the IT infrastructure necessary to support each.
While these programs share many general characteristics, each is unique to the particular requirements of your company, including the nature of your company's confidential information, the number and circumstances of your company's current and planned personnel, your company's corporate culture, available financial resources, and overall IT infrastructure. In its most basic form, a proper protection program involves:
(1) computer safeguards, including appropriate levels of access
(2) security measures for all electronic technologies such as USB drives, flash cards, smart phones, FTP sites and social media sites)
(3) restrictions and protocols regarding access to and use of facilities that store confidential information
(4) technology use policies
(5) confidential information use and preservation policies
(6) protocols for handling departing employees, including computer and network access, cell phones, facility access, and the like
(7) post-departure reviews of possible security breaches, and
(8) restrictive covenants, such as noncompetition agreements and nondisclosure agreements.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.