Master thesis defence Shu Pei Oei


  1. 1. Risk Management Practices and their applications in Intellectual Property Management and Trade Secret Management Master Thesis Intellectual Property Law and Management, 2022, University of Strasbourg 1 Dr. Shu-Pei Oei European Patent Attorney In-house Patent Counsel
  2. 2. What is Risk Management for today’s IP Manager? Trade Secret Theft? MIPLM 2022 | CEIPI | Shu-Pei Oei © 2
  3. 3. What Frameworks are available from which today’s IP Manager can operate? ❑ OECD Principles of Corporate Governance ❑ Open-Source Standards ❑ Normative Risk Standards ❑ Academic Publications ❑ Commercial Consultancies MIPLM 2022 | CEIPI | Shu-Pei Oei © 3
  4. 4. ❑ OECD Principles of Corporate Governance Principle VI.D.1 (OECD (2015) Principles of Corporate Governance) “An area of increasing importance for boards and which is closely related to corporate strategy is oversight of the company’s risk management. Such risk management oversight will involve oversight of the accountabilities and responsibilities for managing risks, specifying the types and degree of risk that a company is willing to accept in pursuit of its goals, and how it will manage the risks it creates through its operations and relationships. It is thus a crucial guideline for management that must manage risks to meet the company’s desired risk profile.” MIPLM 2022 | CEIPI | Shu-Pei Oei © 4
  5. 5. ❑ Open Source Standards Open Compliance and Ethics Group (OCEG) Governance, Risk and Compliance (GRC) Capability Model: Principled Purpose “A principled purpose is perhaps the most basic starting point for principled performance. Defining your highest purpose via mission, vision and values guide everything that the organization does.” Principled People “Leadership, the workforce and extended enterprise must comprise principled people who have strong character, and who consistently direct their energies toward a principled purpose.” Principled Pathway “Break down silos and leverage common capabilities in every key system that keeps an organization on track including governance, strategic management, performance management, risk management, compliance management and audit management systems.” MIPLM 2022 | CEIPI | Shu-Pei Oei © 5
  6. 6. ❑ Academic Publications ❑ Commercial Consultancies ❖ Provide Transitions from Traditional Risk Management to IP Risk Management. ❖ Wide Range of Views on what constitutes IP Risks. ❖ Reference to the ISO 31000 risk standard varies. https://www.linkedin.com/pulse/what-correct-standard-ip-risk-management-donal-o-connell/ Cheung, Benny C.F. & Wang, W.M. & Xu, X. & Willoughby, Kelvin. (2014). A Knowledge-Based System for Assessing and Managing Intellectual Property Managerial Risks for Small-and-Medium Sized Technological Enterprises. International Journal of Intellectual Property Management. 7. 10.1504/IJIPM.2014.062795. MIPLM 2022 | CEIPI | Shu-Pei Oei © 6
  7. 7. ❖ A Generic Risk Management Standard exists – ISO 31000:2018. ❖ There is no IP Risk Management standard. ❖ There are 2 separate IP management standards - The DIN 77006 & The ISO 56005 ISO 31000:2018 Listed under Bibliography in ISO 9001:2015 ISO 9001:2015 Listed as Normative reference in DIN 77006:2020 ISO 56005:2020 IP Management Standards DIN 77006:2020 Innovation Management Approach Quality Management Approach Risk Management Approach ❑ Normative Risk Standards MIPLM 2022 | CEIPI | Shu-Pei Oei © 7 “the distilled wisdom of people with expertise in their subject matter and who know the needs of the organizations they represent”. - International Standards Organization
  8. 8. Risk Management is part of Governance & Compliance . Accountability, Integrity, Independence Financial Risks & Costs Operational & Non-Financial Risks Compliance with Local Laws Quality Management To public, private stake holders, tax payers, shareholders Credit, liquidity, or market risks, impact on credit ratings M& A, Valuation IT, Outsourcing, environmental, health and safety risks Jurisdictions, Regulations, Courts Internal or Independent audits for monitoring financial and operational risks Given the rise in share of intangible assets in organizations (Ocean Tomo, 2020), IP risk Management MUST logically, also be a part of Governance & Compliance. Ocean Tomo: https://www.oceantomo.com/intangible-asset-market-value-study/ MIPLM 2022 | CEIPI | Shu-Pei Oei © 8
  9. 9. What could an IP Risk Management Framework (IPRMF) look like? ❑ On which IP management standard could the IPRMF be based? ❑ Where do existing IP management standards stand on risk management? ❑ Are they harmonised with the ISO 31000 risk standard? ❑ Are their risk teachings harmonised with each other? MIPLM 2022 | CEIPI | Shu-Pei Oei © 9
  10. 10. Methodology: Basis: DIN 77006 Identify risk themes Compare Determine if Terminology and Concepts are harmonised Start End ISO 31000 ISO 9001 ISO 56005 Compare Terminology Harmonised Similar Unsupported Contradictory Basis: DIN 77006 Compare Concept Harmonised Easily Inferred Not easily inferred Contradictory Complementary Unsupported ISO 31000 ISO 9001 ISO 56005 End Overview Granular MIPLM 2022 | CEIPI | Shu-Pei Oei © 10
  11. 11. Results ❑ Risk mentioned 44 times in the DIN 77006 ❑ 26 Risk Themes in the DIN 77006 Harmonised Easily Inferred Not easily inferred Contradictory Complementary Unsupported MIPLM 2022 | CEIPI | Shu-Pei Oei © 11 (Thesis pages 19 to 55).
  12. 12. 🗸 🗸 An IPRMF could be based on the DIN 77006 since it is broader than the ISO 56005, and due to existing harmonisation with the ISO 9001 & ISO 31000. In terms of risk teachings, the DIN 77006 is largely harmonised with the ISO 31000, but not with the ISO 56005. What could an IP Risk Management Framework (IPRMF) look like? MIPLM 2022 | CEIPI | Shu-Pei Oei © 12
  13. 13. Selected Highlights from study of 26 Risk Themes FRAMEWORK Design Implementation Evaluation Improvement PDCA PROCESS Risk Assessment Risk Treatment Monitoring & Review Recording & Reporting PDCA IP RISK TREATMENT Formulate & Select Plan & Implement Assess Effectiveness Decide Take Further Treatment PDCA 1. Plan-Do-Check-Act (PDCA) ▪ Central to DIN 77006 & ISO 9001. ▪ Terminology not explicitly used, but easily inferable throughout the ISO 31000. ▪ But not in the ISO 56005. MIPLM 2022 | CEIPI | Shu-Pei Oei © 13
  14. 14. Selected Highlights From study of 26 Risk Themes 3. Definition of Risk DIN 77006 ▪ Effect of Uncertainty ▪ Effect - Positive or Negative ISO 31000 ▪ Effect of Uncertainty on objectives ▪ Effect- Positive or Negative or both. 16. Definition of IP Risk Management 17. Sources of IP Risk Management 18. Sources of IP Risks 19. Examples of IP Risk Management 20. Examples of IP Defence 2. Divergence in the DIN 77006 & ISO 56005 MIPLM 2022 | CEIPI | Shu-Pei Oei © 14
  15. 15. (1) SCOPE (2) NORMATIVE REFERENCES (4) CONTEXT (5) LEADERSHIP (6) PLANNING (7) SUPPORT (8) OPERATION (9) PERFORMANCE EVALUATION (10) IMPROVEMENT (3) TERMS & DEFINITIONS (1) SCOPE (2) NORMATIVE REFERENCES (4) PRINCIPLES (5) FRAMEWORK (6) PROCESS (5.2) LEADERSHIP & COMMITMENT (5.3) INTEGRATION (5.4) DESIGN (5.5) IMPLEMENTATION (3) TERMS & DEFINITIONS (5.7) IMPROVEMENT (6.2) COMMUNICATION & CONSULTATION (6.3) SCOPE, CONTEXT, CRITERIA (6.4) RISK ASSESSMENT (6.5) RISK TREATMENT (6.6) MONITORING & REVIEW (6.7) RECORDING & REPORTING ISO 31000 ISO 9001 P D C A (5.6) EVALUATION ? ? ? ? ? ? ? ? Structure of the ISO 31000 vs High-Level Structure (HLS) of the ISO 9001 Figure 1, ISO 31000:2018 MIPLM 2022 | CEIPI | Shu-Pei Oei © 15
  16. 16. (1) SCOPE (2) NORMATIVE REFERENCES (4) CONTEXT (5) LEADERSHIP (6) PLANNING (7) SUPPORT (8) OPERATION (9) PERFORMANCE EVALUATION (10) IMPROVEMENT (3) TERMS & DEFINITIONS (1) SCOPE (2) NORMATIVE REFERENCES (4) PRINCIPLES (5) FRAMEWORK (6) PROCESS (5.2) LEADERSHIP & COMMITMENT (5.3) INTEGRATION (5.4) DESIGN (5.5) IMPLEMENTATION (3) TERMS & DEFINITIONS (5.7) IMPROVEMENT (6.2) COMMUNICATION & CONSULTATION (6.3) SCOPE, CONTEXT, CRITERIA (6.4) RISK ASSESSMENT (6.5) RISK TREATMENT (6.6) MONITORING & REVIEW (6.7) RECORDING & REPORTING ISO 31000 ISO 9001 P D C A (5.6) EVALUATION Structural Integration of the ISO 31000 with the ISO 9001 using “10 principled pathways” of integration Thesis: Pages 65 to 67 From Risk Management Quality Management to MIPLM 2022 | CEIPI | Shu-Pei Oei © 16
  17. 17. 1. PDCA Cycle 2. Assessing Risks and Opportunities as Part of Planning 3. Process-Oriented Approach 4. Risk-Based Thinking 5. The Definition of “Risk” 6. The relationship between “Risks and Opportunities” 7. Addressing Risks and Opportunities as the Purpose of Management 8. Address Risks and Opportunities to achieve Continual Improvement 9. Aims of Actions to Address Risk and Opportunities 10. Risks and Opportunities for Products and Services 11. Leadership and Commitment by Top Management 12. Impact on Value Creation 13. Integration with other Processes 14. Scope 15. Role of the Organization 16. Definition of IP Risk Management 17. Sources of IP Risks 18. Examples of IP Risk Management 19. Examples of IP Defence 20. Understanding Needs and Expectations of Employees and Interested Parties 21. Analysis and Evaluation 22. Management Review 23. Risk Minimalization as Essential 24. Hazards 25. Documenting the Risk Assessment Optional 26. Non-Conformity and Corrective Action (1) SCOPE (2) NORMATIVE REFERENCES (4) CONTEXT (5) LEADERSHIP (6) PLANNING (7) SUPPORT (8) OPERATION (9) PERFORMANCE EVALUATION (10) IMPROVEMENT (3) TERMS & DEFINITIONS (6) PROCESS (6.2) COMMUNICATION & CONSULTATION (6.3) SCOPE, CONTEXT, CRITERIA (6.4) RISK ASSESSMENT (6.5) RISK TREATMENT (6.6) MONITORING & REVIEW (6.7) RECORDING & REPORTING ISO 9001 P D C A 26 Risk Themes 5, 24 12 11, 20, 23 14, 15 2, 6, 7, 9, 10 13 21, 22, 25 8, 26 16, 17, 18 19 1, 3, 4 INTRODUCTION (1) SCOPE (2) NORMATIVE REFERENCES (4) PRINCIPLES (5) FRAMEWORK (5.2) LEADERSHIP & COMMITMENT (5.3) INTEGRATION (5.4) DESIGN (5.5) IMPLEMENTATION (3) TERMS & DEFINITIONS (5.7) IMPROVEMENT ISO 31000 (5.6) EVALUATION INTRODUCTION IP … with 26 Risk Themes MIPLM 2022 | CEIPI | Shu-Pei Oei © 17
  18. 18. (5.1.2) IP Strategy (6.1.2) IP Risk Management (8.4.2) IP Generation (8.4.5) IP Transactions (8.1) IP Administration (8.4.3) IP Enforcement (8.4.4) IP Defence (7.3) IP Awareness (9.3.1) IP Reporting IP Research & Analysis IP Risk Management IP Generation IP Acquisition IP Maintenance IP Exploitation IP Landscaping IP Risk Management IP Creating IP Portfolio IP Commercialisation IP Acquisition IP Management that contributes to Innovation Management (ISO 56005 Fig. 1) IP Management (ISO 56005 Fig. 3) IP Processes (DIN 77006) IP Strategy Structural Integration of the DIN 77006 with the ISO 56005 ❑ Differences in terminology ❑ Inconsistencies within the ISO 56005 Unified Understanding of IP Management Solves to MIPLM 2022 | CEIPI | Shu-Pei Oei © 18
  19. 19. Open-Source Standards OECD DIN 77006 ISO 56005 ISO 9001 ISO 31000 IP Risk Management Framework based on the ISO 31000, ISO 9001, DIN 77006 (& ISO 56005) MIPLM 2022 | CEIPI | Shu-Pei Oei © 19
  20. 20. PLAN DESIGN Leadership and Commitment IP Risk Assessment PRINCIPLES FRAMEWORK DO IMPLEMENTATION CHECK EVALUATION ACT IMPROVEMENT Scope, Context Criteria IP Risk Treatment Risk Identification Risk Analysis Risk Evaluation Recording & Reporting PROCESS Monitoring & Review Communication & Consultation PLAN DESIGN DO IMPLEMENTATION CHECK EVALUATION ACT IMPROVEMENT Integration Formulate & Select Plan & Implement Assess Effectiveness Decide Take Further Treatment Achieves Combination of Risk Management and Quality Management Visualisation of the ISO 31000 integrated with the ISO 9001 MIPLM 2022 | CEIPI | Shu-Pei Oei © 20
  21. 21. Visualisation of IP Risk Management Framework (DIN 77006 centric approach) DIN 77006, 0.4 PDCA Cycle MIPLM 2022 | CEIPI | Shu-Pei Oei © 21
  22. 22. What other Risk Standards are applicable to IPRM?
      Columns: IP Strategy, IP Risk Management, IP Awareness, IP Administration, IP generation, IP Enforcement, IP Defence, IP transactions, IP Reporting; totals: Yes (Y), Potential (P), No (N)
      ISO 31000:2018 Risk management — Guidelines: y y y y y y y y y; 9 0 0
      ISO/IEC 31010:2019 Risk management — Risk assessment techniques: y y y y y y y y y; 9 0 0
      ISO 31073:2022 Risk management — Vocabulary: y y y y y y y y y; 9 0 0
      ISO 31022:2020 Risk management — Guidelines for the management of legal risk: y y y y y y y y y; 9 0 0
      ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management: y y y y y y y y y; 9 0 0
      ANSI B11.19-2019 Performance Requirements for Risk Reduction Measures: Safeguarding and other Means of Reducing Risk: y y y y y y y y y; 9 0 0
      SA/SNZ HB 89:2013 Risk management - Guidelines on risk assessment techniques: y y y y y y y y y; 9 0 0
      GB/T 27921-2011 Risk management--Risk assessment techniques (TEXT OF DOCUMENT IS IN CHINESE): y y y y y y y y y; 8 0 0
      SIS-ISO/TR 18128:2015 Information and documentation - Risk assessment for records processes and systems (ISO/TR 18128:2014, IDT) (Swedish Standard): n y n y y y y y y; 7 0 2
      DS/EN 62198:2014 Managing risk in projects - Application guidelines: p y p p y y y p y; 5 4 0
      IEC 62198 Ed. 2.0 b:2013 Managing risk in projects - Application guidelines: p y p p y y y p y; 5 4 0
      ANSI/ASIS SCRM.1-2014 Supply Chain Risk Management: A Compilation of Best Practices: y y n n y y y n n; 5 0 4
      ETSI GR F5G 010 V1.1.1 (2022-04) Fifth Generation Fixed Network (F5G); Security; Threat Vulnerability Risk Analysis and countermeasure recommendations for F5G: y y n y y n y p n; 5 1 3
      CYBER; Methods and protocols; Part 1: Method and pro forma for Threat,
      Search Hits Many. What gaps need to be filled? Full List: Thesis - Pages 75 to 76 MIPLM 2022 | CEIPI | Shu-Pei Oei © 22
  23. 23. Sampling of 3 Expert Opinions on IP Risk 3 Expert Opinions from public & private sources (redacted for publication) Vs Potential Supplementary Standards KEY: ISO 27005: Information Security Risk Management ETSI TS 102 165: Cyber: Methods and Protocols ISO/TR 18128: Information and Documentation ISO 31022: Guidelines for the Management of Legal Risk ANSI/ASIS SCRM.1- 2014: Supply Chain Risk Management ISO 22380: Security and Resilience- General Principles for Product Fraud Risk and Countermeasures ▪ 1. A presentation entitled “IP Management at TK”, by Stephen Wolke from Thyssen Krupp. ▪ 2. A book entitled “Intellectual Property Risk Management” by Donal O'Connell, founder and Managing Director of Chawton Innovation Services Ltd. ▪ 3. A presentation by Uwe Schaberg to students of the Master of Intellectual Property Law and Management (MIPLM) at the Center for Intellectual Property Studies (CEIPI). MIPLM 2022 | CEIPI | Shu-Pei Oei © 23 ❖ Presentation by S. Wolke (Thyssen Krupp)1 ❖ IP Risk Management book by D. O’Connell2 ❖ Risk Lecture by U. Schaberg3 REDACTED
  24. 24. White - Space in the DIN 77006 Wolke (Thyssen Krupp) O'Connell Schaberg DIN 77006 (IP Services) third-party copyrights applicable requirements for the protection of know-how national and international legal requirements contracts (license and usage agreements) contracts (employment contracts) contracts (with temporary workers) contracts (with suppliers), contracts (customers) contracts (cooperation partners and academic partners) contracts (confidentiality agreements) ownership — detection and avoidance of infringement risks; — checking freedom to operate/right to use (FTO); — monitoring the IP activities of third parties, including: — monitoring third-party IP rights, literature research; — monitoring the legal status of third-party IP rights; — regularly checking and updating the search profiles and criteria applied; — checking for infringement of third-party IP rights during development; — continually checking for infringement of third party IP rights during the life cycle of products, services and business models; — monitoring and assessing the achievement of desired exclusivity positions according to the IP strategy; — taking actions to protect existing know-how, for example, against destruction, diffusion, unauthorized access or disorder; — recommending actions to control IP risks and bring about decisions by interested parties; — documenting the risk assessment, if necessary, by integrating it into existing risk management systems.
🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 Trade secret loss risk Risks with keeping information secret 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 Risks with employee know-how Know-how Theft 🗸 🗸 Infringement of 3rd party IP rights 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 Infringement risk (FTO) 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 Risks associated with dirty IP data 🗸 - IP Administration 🗸 Having too narrow a definition of IP, ignoring valuable assets 🗸 Risks with “Soft” forms of IP 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 IP in contracts risks IP terms and conditions in Agreements 🗸 🗸 🗸 🗸 🗸 🗸 🗸 🗸 IP risks with non-obvious agreements 🗸 🗸 🗸 🗸 Risks associated with IP licensing IP Out-licensing Program 🗸 🗸 Risks associated with jointly owned IP 🗸 🗸 🗸 Risks with open-source software Embracing Open Source Software 🗸 🗸 Getting involved in Open Innovation - IP Transactions - IP Awareness 🗸 🗸 IP risks associated with interoperability standards Being involved in standardisation activities - IP Transactions 🗸 Risks from changes in the tax rules linked to IP - IP Administration 🗸 IP risks from key suppliers The use of subcontractors - IP Enforcement 🗸 Risks from online counterfeiters - IP Enforcement, - IP Transactions 🗸 🗸 🗸 Invalidity of IP rights - IP Administration 🗸 🗸 Publishing activities of the organisation - IP Administration Too-Less [sic] IP * less leverage due to lack of significant IP portfolio - IP Strategy - IP Defence DIN 77006 (6.1.2 Sources of IP Risks) - IP Risk Management - IP Generation - IP Awareness - IP Defence - IP Transactions - IP Awareness - IP Strategy, (Risk Identification) - IP Awareness DIN 77006 (Actions to Address risks and opportunities, IP Risk Management A.6.1, A.6.1.1) 3 Expert Opinions Vs DIN 77006 ▪ Sources of IP Risks (6.1.2) ▪ Actions to Address risks and Opportunities (A6.1.1) ▪ DIN 77006 IP Processes MIPLM 2022 | CEIPI | Shu-Pei Oei © 24 REDACTED
  25. 25. ISO 27005 ISO/TR 18128 Supplementary Risk Standards Open-Source Standards OECD DIN 77006 ISO 56005 ISO 9001 ISO 31000 MIPLM 2022 | CEIPI | Shu-Pei Oei © 25
  26. 26. Enhanced-IPRMF for Trade Secret Management ISO 27005 Information Security Risk Management ISO 31022 Guidelines for the Management of Legal Risk ISO 22380 Product Fraud Risk and Countermeasures ISO 31000 Risk Management- Guidelines MIPLM 2022 | CEIPI | Shu-Pei Oei © 26
  27. 27. Trade Secret Risk Management Knowledge/ Innovation Management Legal Requirements • Knowledge assets are of value to an organization if they increase the organization’s ability to earn economic rents1. • Knowledge leaks that hurt an organization are losses of information that is valuable, rare, inimitable and non-substitutable (VRIN)2 Characteristics Inherent to Information itself Behavioural Requirements 1 Aaker, D.A. (1989), “Managing Assets and Skills: The Key to a Sustainable Competitive Advantage” 2 Ahmad, A., Bosua, R. “Protecting Organizational Competitive Advantage: A Knowledge Leakage Perspective”, (2014) • “not generally known” • “Economic value” • “reasonable steps to keep it secret” Derived from legal definitions e.g. EU Trade Secrets Directive, Defend Trade Secrets Act (US) MIPLM 2022 | CEIPI | Shu-Pei Oei © 27
  28. 28. Trade Secret Risk Management based on ISO 31000 “Identification, Classification, Valuation, Protection” Adapted from M. Halligan, Trade Secrets Litigator ISO 31000 Risk Management- Guidelines MIPLM 2022 | CEIPI | Shu-Pei Oei © 28
  29. 29. S W O T INTERNAL External Scope, Context, Criteria MIPLM 2022 | CEIPI | Shu-Pei Oei © 29
  30. 30. INTERNAL External ISO 31022 Legal Issues Details Inter-Departmental Involvement 5.2.2 External Context of Legal Risk Jurisdiction ▪ Environmental and cultural differences among different jurisdictions, ▪ Application of federal or national Trade Secret laws (e.g., US), Directives (e.g., EU), ▪ Conflict of laws and the mutual recognition of laws ▪ Identification of the applicable jurisdiction may also require consideration. ▪ Legal Department communicates with Top management to shape corporate & IP Strategy, ▪ Further communicates requirements of laws within IP department, R&D, & IT Table C.1 Assessing Likelihood of Legal Risk Event Enforceability of Laws ▪ Expectation in court to enforce TS laws As above Adequacy of Training for Legal Risk Implications ▪ Awareness of employees of Trade Secret risks ▪ Extent of incorporation into day-to-day functions ▪ Legal Department communicates with HR, Top Management Counterparty Risk ▪ Likelihood of breach of duty to maintain secrecy ▪ Breach of contract (e.g., employment contract, NDA) ▪ Default of responsibility ▪ Legal Department responsible for quality of contracts, clauses (Table E.1) ▪ Whole of organization approach to IP awareness ▪ IT department to be in the loop Table B.2 Table Legal Advice Received ▪ From External and Internal Counsel ▪ Protection of legal information from becoming public information in some jurisdictions ▪ Legal Department ▪ External Counsel ▪ Top Management Registrable IP right (e.g., Patent) Defensive Publication Trade Secret General Knowledge Cost Transaction Costs Fixed - High Fixed - Low Variable Opportunities Revenue Licensing Fees None Licensing Fees None Risk Issues Time to Public Known (legal time limit) Known (publication time limit) Unknown Predictable (Industry diffusion time) Knowledge Requirement High Low High Low Knowledge Value Value from the right to exclude others using knowledge. Knowledge prevents others from obtaining an IP right (e.g., patent).
Value in keeping information secret. Value as a public good. Value Variability Value changes over time, and as public awareness or demand grows. Value does not change. Hard to measure. Value changes based on innovation diffusion. Value as a public good. Risk vs Opportunity Value vs Cost Maintenance cost independent of Patent value. Costs do not change with value. Cost increases with increasing value. Costs do not change with value. Abandon when Predicted Value < Cost Predicted Value < Cost Predicted Value < Cost - NA - Scope, Context, Criteria ISO 31022 Guidelines for the Management of Legal Risk MIPLM 2022 | CEIPI | Shu-Pei Oei © 30 • Applying Risk-based thinking, • Risk vs Opportunities • As purpose of management
  31. 31. Identification of Trade Secrets Risks related to Legal Proofs Risks of TS leaks during Innovation MIPLM 2022 | CEIPI | Shu-Pei Oei © 31
  32. 32. Classification of Trade Secrets Class Score Name Definition Protection Guidelines Action 4 Top Secret ▪ “Exceptionally grave” consequences to organization if asset were compromised ▪ Designated Custodian ▪ Restricted & Monitored Access ▪ Biometric Access ▪ Labelled as Top-Secret ▪ NDAs ▪ No Electronic Storage ▪ No Cloud Storage ▪ No licensing ▪ “take reasonable measures to keep such information secret” ▪ Inform IP department ▪ Legal Department ▪ IT ▪ Building Security 3 Trade Secret ▪ Meets Definition of Trade Secrets according to 6-factor test. ▪ Critical to business ▪ “Serious damage” to organization if asset were compromised ▪ Designated Custodian ▪ Restricted Access ▪ Restricted users ▪ Electronic Copies require password and ID access ▪ Labelled as confidential ▪ NDAs ▪ Importance of secrecy reiterated ▪ Disposal standards ▪ Storage and Backup standards ▪ Encryption ▪ No Cloud Storage ▪ “take reasonable measures to keep such information secret” ▪ Inform IP department ▪ Legal Department ▪ IT ▪ Building Security 2 Confidential ▪ Information that should not be made available for general public access, but whose secrecy is not as critical as Trade Secret ▪ Access allowed only on internal server ▪ User login and password required ▪ IT - basic cybersecurity precautions 1 Public ▪ Information that can be made public with minimal or no adverse consequences if made public ▪ No restrictions or basic regulations ▪ No restrictions or basic regulations ISO 27005 Information Security Risk Management MIPLM 2022 | CEIPI | Shu-Pei Oei © 32
  33. 33. Valuation of Trade Secrets $\text{value} = \sum_{t} \frac{\text{Expected Income}_d - \text{Cost}}{(1 + \text{WACC})^{t}}$ WACC: weighted average cost of capital $\text{Income}_d$: Expected Income discounted for risk $= \text{risk free income} \times (1 - \text{discount}_A \times \text{impact}_A) \times (1 - \text{discount}_B \times \text{impact}_B)$. t: time (in years) Example Using Reasonable Royalty Rate MIPLM 2022 | CEIPI | Shu-Pei Oei © 33 Legal Risk (Trade Secrets) Description of Threat Threat Source Status ▪ Does the trade secret meet the legal requirements? ▪ Is it distinguished from general knowledge? ▪ Is it of economic value? Internal (Legal context) Invalidity Ownership ▪ Have rights been properly assigned? Internal/External (Laws, Employee Contracts, agreements) Scope ▪ Has the trade secret been defined with sufficient particularity? Internal/External (Laws, Contracts, agreements) Enforcement ▪ Have “reasonable measures” been taken to protect trade secret ▪ Can we “prove misappropriation by improper means” Internal (Disgruntled employee) External (Espionage) Circumvention ▪ How easy is it to be Reverse Engineered? ▪ How easy is it to derive it independently Arriving at knowledge independently (growth of industry knowledge) Freedom to Operate (FTO) ▪ How many people are allowed to use the Trade Secret? ▪ How many people know about the trade secret? Improper behaviour, Unawareness, joint ventures 7 Pillars of Risk Value = f (Income, Cost, Risk factors) behaviour Knowledge legal
  34. 34. Protection of Trade Secrets Threats & Vulnerabilities Assessment ISO 27005 Information Security Risk Management MIPLM 2022 | CEIPI | Shu-Pei Oei © 34 Type Threat Vulnerability Department Hardware ▪ Unprotected Storage ▪ Lack of care of Disposal ▪ Uncontrolled copying ▪ theft of media or documents ▪ IT Software ▪ Lack of identification and authentication ▪ Poor password management ▪ Loss of information ▪ IT Physical ▪ Lack of physical protection of doors, windows, rooms ▪ Theft ▪ Building Security Network ▪ Espionage ▪ Misappropriation ▪ IT Personnel ▪ Lack of monitoring ▪ Lack of awareness ▪ Reneging on contractual agreement ▪ Misappropriation ▪ Loss of information ▪ HR, IP, Legal
  35. 35. Determine Jurisdiction, Laws, Courts ISO 31022 Legal Risk Register, Legal advice received Identification of Trade Secrets ISO 31022 Trade Secret legal criteria ISO 27005 Identification of Trade Secrets according to legal criteria Classification of Trade Secrets ISO 27005 Identification of Threats, Asset Value, Likelihood, Impact Protection of Trade Secrets ISO 27005: Protection according to Measure of Risk, or Threat Ranking ETSI TS 102 165: Cyber: Methods and Protocols, proportional to measure of risk and/or threat ranking Valuation of Trade Secrets Legal IP IP, Legal, HR IT Legal IP, R&D IP, Finance Tools Departments Objectives DIN 77006 IP Strategy IP Enforcement IP Transactions IP Administration IP Awareness IP Risk Management IP Generation IP Risk Management IP Risk Management ISO 22380: Detecting Fraud Risk, Motives for Fraud, Types of Fraudsters Supplementary Standards in Trade Secret Risk Management MIPLM 2022 | CEIPI | Shu-Pei Oei © 35
  36. 36. In conclusion, this thesis… 🗸 Developed an IP Risk Management Framework (IPRMF) achieving harmonisation between IP Management, Quality Management & Risk Management. 🗸 Explored the possibility of an enhanced-IPRMF using Supplementary Standards for specific IP risks. 🗸 Applied the enhanced-IPRMF towards a multi-disciplinary risk management context, namely, Trade Secret risk Management. 🗸 Used the enhanced-IPRMF as a springboard for developing further analysis processes for Trade Secret Risk Management. MIPLM 2022 | CEIPI | Shu-Pei Oei © 36
  37. 37. Everyone has to start somewhere. Maturity Model. PEOPLE LEGAL FINANCE TECHNOLOGICAL PROCESS/ ORGANIZATIONAL STAGE 1 DISORGANIZED ▪ No overview of staff ▪ No coordination between departments ▪ No Trade Secret committee ▪ No In-house knowledge of Trade Secret Law ▪ Businesses use external contractors ▪ Not strategically aligned with IP management ▪ No security controls ▪ No overview of staff No coordination between ▪ No support from top management ▪ No awareness ▪ No budget STAGE 2 REPEATABLE ▪ Trade Secret Leadership Established ▪ Informal Communication with Interested parties ▪ Available in-house legal support ▪ Supported by external consultants ▪ Ad hoc updating and meeting ▪ Some security controls ▪ Minimal documentation ▪ Basic awareness of risk policies ▪ Basic awareness of IP rights ▪ Ad hoc Reporting STAGE 3 DEFINED ▪ Some formal roles and responsibilities established ▪ In-house legal lead external consultants in clear direction ▪ In-house legal team leads strategy discussion ▪ All financial procedures concerning IP are aligned with IP department (e.g., tax, valuation, mergers, acquisitions, budgeting, relevant revenues) ▪ Controls and documentation established ▪ Responsibilities assigned but reliance on individuals ▪ Teams and leadership appointed and defined ▪ Accountability measures in place STAGE 4 MANAGED ▪ Dedicated resources and awareness ▪ Clearly defined roles and responsibilities ▪ Most trade secret operations supported in-house ▪ Legal team well integrated with top management, R&D, HR ▪ Detail processes and transfer of information between departments established ▪ Controls are monitored ▪ Compliance checks in place ▪ Able to test processes and measure performance ▪ Able to improve based on performance indicators STAGE 5 OPTIMIZED ▪ IP culture and awareness supports information security skills and technology ▪ Legal team works to set IP strategy ▪ Well integrated with technology, automated renewals ▪ Well-integrated with performance 
metrics ▪ Strategic alignment with IP department ▪ Aligned with global strategy ▪ Tax optimised ▪ Controls are automated ▪ Prediction technologies in place ▪ Continuous Improvement ▪ Management processes are integrated with technology ▪ Management processes are integrated and coordinate across business units MIPLM 2022 | CEIPI | Shu-Pei Oei © 37
  38. 38. The End. MIPLM 2022 | CEIPI | Shu-Pei Oei © 38 With grateful thanks to my supervisors, Prof. Dr. Alexander Wurzer & Mr. Thibaud Lelong Dr. Shu-Pei Oei shupei@oeipatents.com Linkedin.com/spoei
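
The valuation formula on slide 33, worked through as an added example; it is not code from the thesis or the slides. All figures are constructed, and the year index starting at t = 1, the [0, 1] range for discount and impact, and the per-factor ranking helper are assumptions of this example.

```python
"""Risk-adjusted trade secret valuation, following the slide 33 formula.

value    = sum over t of (Income_d(t) - Cost(t)) / (1 + WACC)^t
Income_d = risk-free income * product over risk factors of (1 - discount * impact)

Assumptions (not from the slides): t starts at 1, income and cost are given
per year, discount and impact both lie in [0, 1], all numbers are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class RiskFactor:
    name: str        # a risk label, e.g. one of the pillars named on the slide
    discount: float  # the slide's "discount" term for this risk
    impact: float    # the slide's "impact" term for this risk


def risk_adjusted_income(risk_free_income: float,
                         factors: Sequence[RiskFactor]) -> float:
    """Income_d: apply (1 - discount * impact) once per risk factor."""
    income = risk_free_income
    for f in factors:
        if not (0.0 <= f.discount <= 1.0 and 0.0 <= f.impact <= 1.0):
            raise ValueError(f"{f.name}: discount and impact must be in [0, 1]")
        income *= 1.0 - f.discount * f.impact
    return income


def trade_secret_value(income_by_year: Sequence[float],
                       cost_by_year: Sequence[float],
                       wacc: float,
                       factors: Sequence[RiskFactor]) -> float:
    """Sum the discounted (Income_d - Cost) terms for years t = 1..n."""
    if len(income_by_year) != len(cost_by_year):
        raise ValueError("income and cost series must cover the same years")
    if wacc <= -1.0:
        raise ValueError("WACC must be greater than -1")
    total = 0.0
    for t, (income, cost) in enumerate(zip(income_by_year, cost_by_year), 1):
        net = risk_adjusted_income(income, factors) - cost
        total += net / (1.0 + wacc) ** t
    return total


def value_erosion_by_factor(income_by_year: Sequence[float],
                            cost_by_year: Sequence[float],
                            wacc: float,
                            factors: Sequence[RiskFactor]
                            ) -> List[Tuple[str, float]]:
    """Rank factors by how much value each one removes (helper added here).

    For each factor, recompute the value with that factor left out and report
    the difference, largest first. This shows which risk a protection budget
    would recover the most value from.
    """
    baseline = trade_secret_value(income_by_year, cost_by_year, wacc, factors)
    erosion = []
    for i, f in enumerate(factors):
        others = list(factors[:i]) + list(factors[i + 1:])
        without = trade_secret_value(income_by_year, cost_by_year, wacc, others)
        erosion.append((f.name, without - baseline))
    return sorted(erosion, key=lambda item: item[1], reverse=True)


# Constructed sample: two years of royalty-style income, flat protection cost.
INCOME = [100.0, 100.0]
COST = [10.0, 10.0]
WACC = 0.10
FACTORS = [
    RiskFactor("Enforcement", discount=0.5, impact=0.4),
    RiskFactor("Circumvention", discount=0.25, impact=0.4),
]

if __name__ == "__main__":
    print(f"value: {trade_secret_value(INCOME, COST, WACC, FACTORS):.2f}")
    for name, loss in value_erosion_by_factor(INCOME, COST, WACC, FACTORS):
        print(f"{name}: removes {loss:.2f} of value")
```
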
