The pandemic has pushed the corporate workforce to remote locations, which has resulted in increased risk to corporate data. As corporations rise to the challenge of responding to this risk, compliance officers, CISOs, and leaders should look to revamp disjointed and siloed approaches to protecting corporate data. The past few years have seen a notable expansion of trade secret laws resulting from a new federal trade secret act in the U.S., the passage of stricter trade secret regimes in Asia, and the harmonization of trade secret protection in Europe with the EU trade secret directive. With these new laws has come a noticeable uptick in trade secret civil and criminal cases. Like traditional compliance risks, theft or loss of information can lead to loss of valuable R&D, business disruption, loss of competitive advantage, reputational damage, and – if an employee improperly uses a third-party’s trade secrets – costly civil or criminal litigation. While ransomware, hacking, and phishing schemes often get the most news coverage, insider theft represents the vast majority of data loss.
By Steve Grimes, Co-leader, and Sheryl Falk, Co-leader, Winston’s Global Privacy & Data Security Practice
The Importance of a Cross-Functional Team Approach
In our view, a Chief Information Security Officer cannot – on her own – sufficiently mitigate the risks posed by insider threats. The task of building and maintaining a robust information security system to mitigate against internal theft requires cross-functional input, execution, and maintenance. While the critical work of protecting infrastructure and equipment is led by the Info Security team, IT, Human Resources, Legal, and other functional groups have a role to play in successfully protecting the company’s resources. This is especially true as it relates to insider threats, where a company’s own employees or trusted partners steal, lose, or divulge the company’s information.
For example, Human Resources needs to be involved in the training, education, hiring, on-boarding, and off-boarding procedures. R&D and business leaders need to make crucial decisions about designation and access to confidential information. They should also be integrally involved in the design of information security systems and the execution of processes that build the systems. Legal needs to be involved in the drafting and execution of confidentiality agreements, supplier agreements, NDAs, as well as incident management, investigations, and pursuing potential legal remedies if and when theft occurs.
There also needs to be communication between and amongst these groups. For example, Human Resources may work with IT on credential management to disable access for departing employees or alert Legal if an employee with access to valuable information resigns to work for a competitor. IT can advise if company devices are outstanding so that Legal can trigger an investigation, decide to preserve the employee’s devices, or send a letter to the new employer, alerting it to the employee’s ongoing confidentiality obligations. However, in many companies, these functional groups have not historically worked together to develop a cohesive, strategic, and tailored approach to data security. Instead, each group addresses areas of the problem that fall within its silo, leading to inefficient and sometimes counterproductive outcomes. Additionally, some functional groups outside of Legal — such as Human Resources — are not trained on the critical role they play in data security, such as ensuring the prompt collection of a departing employee’s laptop, and that gap leads to data leakage or theft.
Companies have started to coalesce these different functional groups under a unified leadership structure. The implementations and reporting structures vary, from task forces to steering committees, to “trade secret leadership.” But the goal is the same: to align the functional groups to one unified and smart approach for protecting company assets and preventing employees from using or uploading confidential information belonging to a former employer. This “reverse threat” of a current employee bringing confidential information from a former employer into the business environment is a real risk. That’s because corporations are typically the “deep pocket” on the wrong side of a trade secret theft lawsuit. A cross-functional, unified approach to protecting corporate information will be viewed as a best practice.
Building an Operational Strategy
Companies spend significant amounts of money developing confidential and proprietary data and must implement security measures to protect the data from theft or loss. While many corporations focus on information security to protect against outside cyberattacks, most data theft is committed by insiders. Because employees need access to corporate data to do their jobs, a company must consider which additional data security measures are necessary while still allowing employees to work. At the same time, there is an obligation to protect trade secret data, including, for example, tracking whether confidential or proprietary data leaves the system. This is not just a best practice; it is required. Trade secret regimes worldwide require a company to demonstrate that it took “reasonable measures” to protect its data before it can claim trade secret protection over that information. While “reasonable measures” is not a well-defined term, courts look at the overall robustness of an organization’s approach to data security to determine whether a trade secret right has been established.
To address this threat and ensure that reasonable measures are in place, we recommend a cross-functional team to develop an operational strategy. This high-level operational plan allows the team to identify risk and reach consensus on priorities, strategic response, implementation, responsibilities, and accountability. Building consensus around a well-thought-out approach – including identifying data protection strategies designed to protect data from insider threats and allocating resources – is a key step toward effective trade secret protection.
Further, a company’s ability to respond to data theft and minimize what can be catastrophic and costly consequences depends on having measures in place to detect, investigate, and contain any such theft long before it occurs. The operational plan should address data theft response so that a company is well-positioned to respond swiftly and efficiently.
Focusing on Trade Secret Audits
We counsel clients to be proactive in protecting corporate data by conducting a data security audit to identify and protect confidential and trade secret information. The audit should not focus only on the technical aspects of the systems (though technical audits and strategic roadmaps are integral aspects of most information security programs), but should also approach protection from a cross-functional, proactive perspective that looks at preventing theft, detecting theft, and responding to suspected theft. By assessing the maturity of technical systems and processes as well as the human side, companies will be able to determine their risk of information theft more accurately and be well-positioned to mitigate that risk in a coordinated approach.
These audits involve identifying the corporate trade secret information, how the data is handled, and who has access to such data. The audits consider a review of the data security provisions in place to restrict and protect data, and a review of policies, processes, and procedures. Audits also include analyzing the enforceability of the company’s standard confidentiality agreements and assessing information security measures, including interviews with key stakeholders.
While the contours of such an audit vary depending on a company’s size, international presence, industry, type of workforce, nature of its trade secrets, and risk tolerance, all companies need to be addressing this risk from the perspective of cross-functional groups.
Here’s a typical scenario. When a key employee is off-boarded, does HR ask probing questions about confidentiality and the employee’s next move? Does HR notify Info Sec when an employee has given notice so that heightened monitoring may be employed? Does R&D fully utilize logs and data access restrictions for higher prioritized information? Do the Legal and InfoSec teams have a protocol for investigating potential misconduct that maximizes evidentiary value while also preserving legal optionality? Have hiring managers been trained about the risks of soliciting competitive information?
The answers to these types of questions, and many others, have a direct bearing on the success or failure of a data security program, yet they may fall within the purview of several groups besides the CISO.
Furthermore, systems or protocols that improve how the company answers these questions or addresses data theft require buy-in and implementation by employees outside of the InfoSec team. A company must take a cross-functional approach to minimize data theft and to maximize its ability to respond to (and mitigate the consequences of) a theft that does occur.
As the workforce changes how employees interact with corporate data, companies should bring together the key stakeholders to develop an operational plan that addresses information security from insider threats, and should conduct a trade secret audit to protect their valuable data.
Companies that bring teams together and form an operational strategy are more likely to protect data than those relying on the best-intentioned siloed approach.
This story first appeared in the November 2020 issue of CISO MAG.
About the Authors
Steve Grimes is co-leader of Winston’s Global Privacy & Data Security Practice. He is a former federal prosecutor, an experienced trial lawyer, and a former Chief Compliance Officer and senior litigation counsel for a global publicly-traded Fortune 500 company. Steve’s practice focuses on compliance and data security counseling, sensitive internal investigations, government interactions, and complex disputes. Steve’s in-house experiences greatly aid his ability to provide tailored and pragmatic service to his clients.
Sheryl Falk is co-leader of the firm’s Global Privacy and Data Security Practice and is recognized as a leading lawyer in privacy, data security, and trade secrets. She brings significant expertise and strategic thinking to help clients comply with quickly changing privacy laws and protect data, investigate data security incidents, and handle data privacy and trade secret litigation. One of the first attorneys in the U.S. to be certified in computer forensics, Sheryl is a former federal prosecutor and Certified Information Privacy Professional and has been recognized in Legal 500.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.