SlideShare a Scribd company logo

A Case For Information Protection Programs

M
Michael Annis
1 of 26
Download to read offline
© Husch Blackwell LLP A Case For Information Protection Programs Mike Annis & Terry Potter
Protection Programs – why have one? “There are only two categories of companies affected by trade secret theft. Those that know they have been compromised – and those that don’t know it yet.” ̶ U.S. Attorney General Eric Holder, 2013
Protection Programs – why have one?  65% of IT professionals do not know what files and data leave their firms.  57% of employees save work files to external devices every week.  50% are active/daily users of social network -- twitter, Linkedin, Facebook, etc.  60% of employees walk out with data from prior employment.  Estimated cost of data theft to an individual company averages $2million per year.
Trade Secrets to the Rescue  Classic problem ̶ the enemy from within ̶ over time, employees’ and their loyalties change  I can always rely on trade secrets and employment law to address a theft of company information, right?
What Constitutes a “Trade Secret”? Restatement (3d) of Unfair Competition Any information that can be used in the operation of a business that is sufficiently valuable and secret to afford economic value over others. Uniform Trade Secrets Act (UTSA): 1) information, including formula, compilation, program, pattern, method, device, process, technique; 2) that derives independent economic value from not being generally known or readily ascertainable by proper means by others who can obtain economic value from its disclosure; and 3) Is the subject of reasonable efforts under the circumstances to maintain its secrecy.
To Qualify as a Trade Secret Six Factor Test: 1. Extent info is known outside company; 2. Extent info is known by employees and others involved in company; 3. Extent measures taken by company to guard secrecy of information; 4. Value of information to company and competitors; 5. Amount of time, money and effort expended by company in developing information; and 6. Ease or difficulty of others to properly acquire or duplicate information.
Problems with Trade Secret Litigation  Expensive.  Difficulty in defining the trade secret allegedly misappropriated.  Difficulty in marshaling evidence and presenting of proofs.  There is always a defense, even your defendant is a dirty rotten thief.
Common Defenses to Trade Secret Misappropriation  It isn’t a secret ̶ Reasonable steps have not been taken to protect the secret nature of the info  Too much/broad access within the company  Not kept segregated/not passcode protected  Information shared with non-related third parties (i.e., pricing)  “Got it off your website” ̶ Alleged “trade secret” is not a secret within the industry – it is industry-known information (maybe disclosed in a patent)  Independent development  Reverse engineered
What is an Information Protection Program?  A customized management program to identify, define, designate, and preserve a business’ sensitive or valuable business information.
Information Protection Programs Protect More Than “Trade Secrets.” Also protects:  Confidential/Proprietary Information.  Costs/Pricing Strategies.  Research and Development.  Customer/Vendor/Supplier Information.  Employment/Workforce Information.  Database Compilations.  More…
Benefits of an Information Protection Program  Acts as a deterrent for theft in the first instance -- Diligence Creates Deterrence  Establishes Employee Expectations and Understanding  Cost-Efficient/Less Risky  Provides Assurance of “Reasonable Efforts to Protect Secrecy” of Information  Probably already have some aspects in place
What Does an Information Protection Program Look Like? Three Common Components: Contracts:  Confidentiality  NDAs  Non-Competes  Invention Rights  Assignments Policies/Systems:  New-Employee Intake Procedures  Exit Interviews  Handbooks Training/Reinforcement:  Train and Refresh  Develop a Culture of Information Protection
Setting It Up  Conduct self-analysis  Identify what you have ̶ What do you need to protect ̶ Categorize/classify by type 1. trade secrets 2. Proprietary information 3. R&D 4. Other business info 5. Audit Inventory Protections already in place (and why) ̶ What unprotected or under protected  Develop plan ̶ Who, what, when, where ̶ Set time line for development of protections  Maintain the plan
Key - Confidentiality and Non- Disclosure Agreements  Agreement not to “disclose” materials that may not be “trade secret”  Includes duty not to “misappropriate”  Know-how/proprietary information  Define “confidentiality” broadly – Missouri UTSA  Could prove to be your only line of protection
Front End Procedures ̶ Employee uptake  Thoroughly vet new employees  Execute non-compete, non-disclosure, confidentiality, and invention agreements  Execute uptake agreements − Did not bring anything with them from prior employment − Not using anything from prior employment − Are not subject to non-disclosure/no compete agreements
During Employment ̶ Periodic reminder materials sent to employees  Shows you have been “ever viligent”  Keeps secrecy/confidentiality requirements top-of-mind ̶ Provide training on a regular basis ̶ Education and training are key to successful deployment of program ̶ Teach and remind employees about the rules  Monitor usage  Passcode protect  Mark  Segregate  Educate  Reinforce culture
Back-End Procedures Exit activities  Exist interviews − Where they are going, what they will be doing  Execution of affidavits/check-in procedures – did not take anything or have returned everything they had  Review of IT activity  Audit key employees’ activities before they set off for a new job − Take care all company property and data has either been returned or destroyed − Check for suspicious computer and premises access
Employee Handbooks/Manuals  Define “secrets” and “confidentiality”  Duty to maintain secret nature of info  Define e-mail, social media, data access, transmission and copying protocols/rules  Address policy regarding use of personal technology at workplace  Identify conflicts of interest
Classify Data ̶ Create and stick to a “need-to-know” system  Restrict employees ability to access certain data  No need for all employees to be able to view a company’s research and development data or strategic business plans − Only employees with an absolute need to see such vital info should be able to do so  Have a simple, flexible policy
Limiting Access to Data  In practice, companies can limit access to certain info in a variety of ways: ̶ Locking file cabinets ̶ Marking confidential documents ̶ Creating password protected access to databases ̶ Encrypt sensitive information or data transfers
Strategies for Minimizing Leaks and Dangerous Communications  Segregate data by category.  Establish electronic protocols that catalog access to highly sensitive data and that restrict access, transfer and copy of that data to unauthorized users. ̶ Only the most senior management should be given access to the most sensitive data.  Encrypt – regardless whether sensitive data is “in motion,” “at rest,” or at an “end point,” it should be encrypted
Problems in the Information Age  External devices ̶ Risks posed by external devices are heightened with employees working remotely  Options to address ̶ Use software that allows for a secure connection to your network. ̶ Monitor employee activities on electronic devices and limit access to critical information. ̶ Make sure information on external hard drives, thumb drives or employee’s personal computers is well protected and can be recovered. ̶ Have policies in place to address if a device is lost or stolen. ̶ Monitor sizable downloads or emails with large attachments.
Limit Use of Personal Devices  Employees must understand that no internal information is to be used or transferred to any device or program that does not belong to the company.  Employees should sign a release indicating they are aware of the company’s policy and that any “private” device or program used to conduct business or that is accessed from the company will be subject to inspection, copy and seizure.  Employees should be advised that communications to and from work carry no expectation of privacy and that the company periodically monitors e-mails for compliance with its protocols.
Not All Business Is Cloud Business  Must take reasonable steps to protect ̶ Q: What is “Reasonable?” ̶ A: Look at nature of info and circumstances in which data is stored and used.  More important the data, the more security measures must be taken to protect  Highly sensitive data should not be stored with a third party.
Laws that are there to Help you  Statutory Schemes Directed at Curbing Misappropriation  State − (Uniform)Trade Secrets Act (adopted in 48 states) − Computer Tampering (RSMo §§569.095-.099 and 537.525)  Federal − Economic Espionage Act (18 U.S.C. § 832) − Computer Fraud and Abuse Act (18 U.S.C. § 1030)  (H.R. 2466 – private right of action)
Better Safe Than Sorry  Business Information is very valuable, but it is very easy to lose.  Once lost ….. probably lost forever.  Business can’t let valuable information walk out the door (or the window, or the wires, or the wireless).

Recommended

08 pdf show-239
08 pdf show-23908 pdf show-239
08 pdf show-239#TheFraudTube
 
Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Tony Richardson CISSP
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Vijay Dalmia
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
Trade Secrets and Computer Tampering
Trade Secrets and Computer TamperingTrade Secrets and Computer Tampering
Trade Secrets and Computer TamperingArmstrong Teasdale
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016centralohioissa
 
IT Policy
IT PolicyIT Policy
IT PolicySensewareInfomedia
 
Security and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOSecurity and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOAtlantic Training, LLC.
 

Recommended

08 pdf show-239
08 pdf show-23908 pdf show-239
08 pdf show-239#TheFraudTube
 
Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Tony Richardson CISSP
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Vijay Dalmia
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
Trade Secrets and Computer Tampering
Trade Secrets and Computer TamperingTrade Secrets and Computer Tampering
Trade Secrets and Computer TamperingArmstrong Teasdale
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016centralohioissa
 
IT Policy
IT PolicyIT Policy
IT PolicySensewareInfomedia
 
Security and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOSecurity and Safe Keeping of Official Information by DPO
Security and Safe Keeping of Official Information by DPOAtlantic Training, LLC.
 
Next Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension Inc.
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityErnest Staats
 
Data Protection Presentation
Data Protection PresentationData Protection Presentation
Data Protection PresentationIBM Business Insight
 
Cloud Regulations and Security Standards by Ran Adler
Cloud Regulations and Security Standards by Ran AdlerCloud Regulations and Security Standards by Ran Adler
Cloud Regulations and Security Standards by Ran AdlerIdan Tohami
 
It Policies
It PoliciesIt Policies
It PoliciesJames Sutter
 
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?Raffa Learning Community
 
COBIT and IT Policy Presentation
COBIT and IT Policy PresentationCOBIT and IT Policy Presentation
COBIT and IT Policy PresentationSarah Cortes
 
Automatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy StandardsAutomatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy Standardsautomatskicorporation
 
IT Policy
IT PolicyIT Policy
IT PolicySherri Booher
 
Insider Threat Experiences
Insider Threat ExperiencesInsider Threat Experiences
Insider Threat ExperiencesNapier University
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research dataTomppa Järvinen
 
DLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesDLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesNapier University
 
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFETECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFEJames Wier
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Confidentiality
ConfidentialityConfidentiality
ConfidentialityJasleen Khalsa
 
Data Security
Data SecurityData Security
Data Securityankita_kashyap
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgEric Vanderburg
 
Classifying Data to Help Secure Business Information - Template fromMicrosoft
Classifying Data to Help Secure Business Information - Template fromMicrosoftClassifying Data to Help Secure Business Information - Template fromMicrosoft
Classifying Data to Help Secure Business Information - Template fromMicrosoftDavid J Rosenthal
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsNicholas Van Exan
 
Security Awareness
Security AwarenessSecurity Awareness
Security AwarenessDinesh O Bareja
 
How to Secure Data Privacy in 2024.pdf
How to Secure Data Privacy in 2024.pdfHow to Secure Data Privacy in 2024.pdf
How to Secure Data Privacy in 2024.pdfV2Infotech1
 
How to Secure Data Privacy in 2024.pptx
How to Secure Data Privacy in 2024.pptxHow to Secure Data Privacy in 2024.pptx
How to Secure Data Privacy in 2024.pptxV2Infotech1
 

More Related Content

What's hot

Next Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension Inc.
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityErnest Staats
 
Cloud Regulations and Security Standards by Ran Adler
Cloud Regulations and Security Standards by Ran AdlerCloud Regulations and Security Standards by Ran Adler
Cloud Regulations and Security Standards by Ran AdlerIdan Tohami
 
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?Raffa Learning Community
 
COBIT and IT Policy Presentation
COBIT and IT Policy PresentationCOBIT and IT Policy Presentation
COBIT and IT Policy PresentationSarah Cortes
 
Automatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy StandardsAutomatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy Standardsautomatskicorporation
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research dataTomppa Järvinen
 
DLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesDLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesNapier University
 
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFETECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFEJames Wier
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgEric Vanderburg
 
Classifying Data to Help Secure Business Information - Template fromMicrosoft
Classifying Data to Help Secure Business Information - Template fromMicrosoftClassifying Data to Help Secure Business Information - Template fromMicrosoft
Classifying Data to Help Secure Business Information - Template fromMicrosoftDavid J Rosenthal
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsNicholas Van Exan
 

What's hot (20)

Next Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity Strategy
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
 
Data Protection Presentation
Data Protection PresentationData Protection Presentation
Data Protection Presentation
 
Cloud Regulations and Security Standards by Ran Adler
Cloud Regulations and Security Standards by Ran AdlerCloud Regulations and Security Standards by Ran Adler
Cloud Regulations and Security Standards by Ran Adler
 
It Policies
It PoliciesIt Policies
It Policies
 
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?
 
COBIT and IT Policy Presentation
COBIT and IT Policy PresentationCOBIT and IT Policy Presentation
COBIT and IT Policy Presentation
 
Automatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy StandardsAutomatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy Standards
 
IT Policy
IT PolicyIT Policy
IT Policy
 
Insider Threat Experiences
Insider Threat ExperiencesInsider Threat Experiences
Insider Threat Experiences
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research data
 
DLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesDLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The Challenges
 
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFETECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
Confidentiality
ConfidentialityConfidentiality
Confidentiality
 
Data Security
Data SecurityData Security
Data Security
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
 
Classifying Data to Help Secure Business Information - Template fromMicrosoft
Classifying Data to Help Secure Business Information - Template fromMicrosoftClassifying Data to Help Secure Business Information - Template fromMicrosoft
Classifying Data to Help Secure Business Information - Template fromMicrosoft
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 

Similar to A Case For Information Protection Programs

How to Secure Data Privacy in 2024.pdf
How to Secure Data Privacy in 2024.pdfHow to Secure Data Privacy in 2024.pdf
How to Secure Data Privacy in 2024.pdfV2Infotech1
 
How to Secure Data Privacy in 2024.pptx
How to Secure Data Privacy in 2024.pptxHow to Secure Data Privacy in 2024.pptx
How to Secure Data Privacy in 2024.pptxV2Infotech1
 
NameIn this assignment, you must answer the Answer Implying .docx
NameIn this assignment, you must answer the Answer Implying .docxNameIn this assignment, you must answer the Answer Implying .docx
NameIn this assignment, you must answer the Answer Implying .docxgemaherd
 
Sample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docxSample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docxrtodd599
 
ORIENTATION PROGRAM ON INTELLECTUAL PROPERTY FOR MANAGEMENT STUDENTS .ppt
ORIENTATION PROGRAM ON INTELLECTUAL PROPERTY FOR MANAGEMENT STUDENTS .pptORIENTATION PROGRAM ON INTELLECTUAL PROPERTY FOR MANAGEMENT STUDENTS .ppt
ORIENTATION PROGRAM ON INTELLECTUAL PROPERTY FOR MANAGEMENT STUDENTS .pptmohamed abd elrazek
 
Reverse Engineer wipo_iipm_ge_07_www_809561.ppt
Reverse Engineer wipo_iipm_ge_07_www_809561.pptReverse Engineer wipo_iipm_ge_07_www_809561.ppt
Reverse Engineer wipo_iipm_ge_07_www_809561.pptDenriizkiiArif
 
The Confidentiality in the Workplace.pptx
The Confidentiality in the Workplace.pptxThe Confidentiality in the Workplace.pptx
The Confidentiality in the Workplace.pptxMeleniaCabatan3
 
How to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security ProgramHow to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security ProgramFinancial Poise
 
Article - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdfArticle - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdfEnov8
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessSirius
 
A Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOsA Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOsgppcpa
 
Kevin Wharram Security Summit
Kevin Wharram Security SummitKevin Wharram Security Summit
Kevin Wharram Security SummitKevin Wharram
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessSirius
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
 
CBC GDPR The Physics
CBC GDPR The PhysicsCBC GDPR The Physics
CBC GDPR The PhysicsJason Chapman
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber securityAnimesh Roy
 
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...RIYAJAIN179446
 

Similar to A Case For Information Protection Programs (20)

How to Secure Data Privacy in 2024.pdf
How to Secure Data Privacy in 2024.pdfHow to Secure Data Privacy in 2024.pdf
How to Secure Data Privacy in 2024.pdf
 
How to Secure Data Privacy in 2024.pptx
How to Secure Data Privacy in 2024.pptxHow to Secure Data Privacy in 2024.pptx
How to Secure Data Privacy in 2024.pptx
 
NameIn this assignment, you must answer the Answer Implying .docx
NameIn this assignment, you must answer the Answer Implying .docxNameIn this assignment, you must answer the Answer Implying .docx
NameIn this assignment, you must answer the Answer Implying .docx
 
Sample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docxSample Data Security PoliciesThis document provides three ex.docx
Sample Data Security PoliciesThis document provides three ex.docx
 
ORIENTATION PROGRAM ON INTELLECTUAL PROPERTY FOR MANAGEMENT STUDENTS .ppt
ORIENTATION PROGRAM ON INTELLECTUAL PROPERTY FOR MANAGEMENT STUDENTS .pptORIENTATION PROGRAM ON INTELLECTUAL PROPERTY FOR MANAGEMENT STUDENTS .ppt
ORIENTATION PROGRAM ON INTELLECTUAL PROPERTY FOR MANAGEMENT STUDENTS .ppt
 
Reverse Engineer wipo_iipm_ge_07_www_809561.ppt
Reverse Engineer wipo_iipm_ge_07_www_809561.pptReverse Engineer wipo_iipm_ge_07_www_809561.ppt
Reverse Engineer wipo_iipm_ge_07_www_809561.ppt
 
Data Security Explained
Data Security ExplainedData Security Explained
Data Security Explained
 
The Confidentiality in the Workplace.pptx
The Confidentiality in the Workplace.pptxThe Confidentiality in the Workplace.pptx
The Confidentiality in the Workplace.pptx
 
How to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security ProgramHow to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security Program
 
Article - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdfArticle - 10 best data compliance practices .pdf
Article - 10 best data compliance practices .pdf
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
 
A Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOsA Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOs
 
Ss
SsSs
Ss
 
Kevin Wharram Security Summit
Kevin Wharram Security SummitKevin Wharram Security Summit
Kevin Wharram Security Summit
 
Responsible for information
Responsible for informationResponsible for information
Responsible for information
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
CBC GDPR The Physics
CBC GDPR The PhysicsCBC GDPR The Physics
CBC GDPR The Physics
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
iSchoolConnect_Information Security User Awareness Training_16th Nov 2021.ppt...
 

More from Michael Annis

The New Patent Act & Major Changes in the Law
The New Patent Act & Major Changes in the LawThe New Patent Act & Major Changes in the Law
The New Patent Act & Major Changes in the LawMichael Annis
 
The Pitch on Patent Reform
The Pitch on Patent ReformThe Pitch on Patent Reform
The Pitch on Patent ReformMichael Annis
 
IP Assets in Bankruptcy - How to Take Advantage of Another's Misfortune and A...
IP Assets in Bankruptcy - How to Take Advantage of Another's Misfortune and A...IP Assets in Bankruptcy - How to Take Advantage of Another's Misfortune and A...
IP Assets in Bankruptcy - How to Take Advantage of Another's Misfortune and A...Michael Annis
 
New Life for Design Patents and a Quick Look at the Real Impact of Recent Sup...
New Life for Design Patents and a Quick Look at the Real Impact of Recent Sup...New Life for Design Patents and a Quick Look at the Real Impact of Recent Sup...
New Life for Design Patents and a Quick Look at the Real Impact of Recent Sup...Michael Annis
 
False Advertising in the Alcohol Beverage Industry
False Advertising in the Alcohol Beverage IndustryFalse Advertising in the Alcohol Beverage Industry
False Advertising in the Alcohol Beverage IndustryMichael Annis
 
The Rise of False Advertising and Deceptive Trade Practice Claims
The Rise of False Advertising and Deceptive Trade Practice ClaimsThe Rise of False Advertising and Deceptive Trade Practice Claims
The Rise of False Advertising and Deceptive Trade Practice ClaimsMichael Annis
 
Spotlight on Licensing - Avoiding and Limiting Risk in Agreements
Spotlight on Licensing - Avoiding and Limiting Risk in AgreementsSpotlight on Licensing - Avoiding and Limiting Risk in Agreements
Spotlight on Licensing - Avoiding and Limiting Risk in AgreementsMichael Annis
 

More from Michael Annis (7)

The New Patent Act & Major Changes in the Law
The New Patent Act & Major Changes in the LawThe New Patent Act & Major Changes in the Law
The New Patent Act & Major Changes in the Law
 
The Pitch on Patent Reform
The Pitch on Patent ReformThe Pitch on Patent Reform
The Pitch on Patent Reform
 
IP Assets in Bankruptcy - How to Take Advantage of Another's Misfortune and A...
IP Assets in Bankruptcy - How to Take Advantage of Another's Misfortune and A...IP Assets in Bankruptcy - How to Take Advantage of Another's Misfortune and A...
IP Assets in Bankruptcy - How to Take Advantage of Another's Misfortune and A...
 
New Life for Design Patents and a Quick Look at the Real Impact of Recent Sup...
New Life for Design Patents and a Quick Look at the Real Impact of Recent Sup...New Life for Design Patents and a Quick Look at the Real Impact of Recent Sup...
New Life for Design Patents and a Quick Look at the Real Impact of Recent Sup...
 
False Advertising in the Alcohol Beverage Industry
False Advertising in the Alcohol Beverage IndustryFalse Advertising in the Alcohol Beverage Industry
False Advertising in the Alcohol Beverage Industry
 
The Rise of False Advertising and Deceptive Trade Practice Claims
The Rise of False Advertising and Deceptive Trade Practice ClaimsThe Rise of False Advertising and Deceptive Trade Practice Claims
The Rise of False Advertising and Deceptive Trade Practice Claims
 
Spotlight on Licensing - Avoiding and Limiting Risk in Agreements
Spotlight on Licensing - Avoiding and Limiting Risk in AgreementsSpotlight on Licensing - Avoiding and Limiting Risk in Agreements
Spotlight on Licensing - Avoiding and Limiting Risk in Agreements
 

A Case For Information Protection Programs

  • 1. © Husch Blackwell LLP A Case For Information Protection Programs Mike Annis & Terry Potter
  • 2. Protection Programs – why have one? “There are only two categories of companies affected by trade secret theft. Those that know they have been compromised – and those that don’t know it yet.” ̶ U.S. Attorney General Eric Holder, 2013
  • 3. Protection Programs – why have one?  65% of IT professionals do not know what files and data leave their firms.  57% of employees save work files to external devices every week.  50% are active/daily users of social network -- twitter, Linkedin, Facebook, etc.  60% of employees walk out with data from prior employment.  Estimated cost of data theft to an individual company averages $2million per year.
  • 4. Trade Secrets to the Rescue  Classic problem ̶ the enemy from within ̶ over time, employees’ and their loyalties change  I can always rely on trade secrets and employment law to address a theft of company information, right?
  • 5. What Constitutes a “Trade Secret”? Restatement (3d) of Unfair Competition Any information that can be used in the operation of a business that is sufficiently valuable and secret to afford economic value over others. Uniform Trade Secrets Act (UTSA): 1) information, including formula, compilation, program, pattern, method, device, process, technique; 2) that derives independent economic value from not being generally known or readily ascertainable by proper means by others who can obtain economic value from its disclosure; and 3) Is the subject of reasonable efforts under the circumstances to maintain its secrecy.
  • 6. To Qualify as a Trade Secret Six Factor Test: 1. Extent info is known outside company; 2. Extent info is known by employees and others involved in company; 3. Extent measures taken by company to guard secrecy of information; 4. Value of information to company and competitors; 5. Amount of time, money and effort expended by company in developing information; and 6. Ease or difficulty of others to properly acquire or duplicate information.
  • 7. Problems with Trade Secret Litigation  Expensive.  Difficulty in defining the trade secret allegedly misappropriated.  Difficulty in marshaling evidence and presenting of proofs.  There is always a defense, even your defendant is a dirty rotten thief.
  • 8. Common Defenses to Trade Secret Misappropriation  It isn’t a secret ̶ Reasonable steps have not been taken to protect the secret nature of the info  Too much/broad access within the company  Not kept segregated/not passcode protected  Information shared with non-related third parties (i.e., pricing)  “Got it off your website” ̶ Alleged “trade secret” is not a secret within the industry – it is industry-known information (maybe disclosed in a patent)  Independent development  Reverse engineered
  • 9. What is an Information Protection Program?  A customized management program to identify, define, designate, and preserve a business’ sensitive or valuable business information.
  • 10. Information Protection Programs Protect More Than “Trade Secrets.” Also protects:  Confidential/Proprietary Information.  Costs/Pricing Strategies.  Research and Development.  Customer/Vendor/Supplier Information.  Employment/Workforce Information.  Database Compilations.  More…
  • 11. Benefits of an Information Protection Program  Acts as a deterrent for theft in the first instance -- Diligence Creates Deterrence  Establishes Employee Expectations and Understanding  Cost-Efficient/Less Risky  Provides Assurance of “Reasonable Efforts to Protect Secrecy” of Information  Probably already have some aspects in place
  • 12. What Does an Information Protection Program Look Like? Three Common Components: Contracts:  Confidentiality  NDAs  Non-Competes  Invention Rights  Assignments Policies/Systems:  New-Employee Intake Procedures  Exit Interviews  Handbooks Training/Reinforcement:  Train and Refresh  Develop a Culture of Information Protection
  • 13. Setting It Up  Conduct self-analysis  Identify what you have ̶ What do you need to protect ̶ Categorize/classify by type 1. trade secrets 2. Proprietary information 3. R&D 4. Other business info 5. Audit Inventory Protections already in place (and why) ̶ What unprotected or under protected  Develop plan ̶ Who, what, when, where ̶ Set time line for development of protections  Maintain the plan
  • 14. Key - Confidentiality and Non- Disclosure Agreements  Agreement not to “disclose” materials that may not be “trade secret”  Includes duty not to “misappropriate”  Know-how/proprietary information  Define “confidentiality” broadly – Missouri UTSA  Could prove to be your only line of protection
  • 15. Front End Procedures ̶ Employee uptake  Thoroughly vet new employees  Execute non-compete, non-disclosure, confidentiality, and invention agreements  Execute uptake agreements − Did not bring anything with them from prior employment − Not using anything from prior employment − Are not subject to non-disclosure/no compete agreements
  • 16. During Employment ̶ Periodic reminder materials sent to employees  Shows you have been “ever viligent”  Keeps secrecy/confidentiality requirements top-of-mind ̶ Provide training on a regular basis ̶ Education and training are key to successful deployment of program ̶ Teach and remind employees about the rules  Monitor usage  Passcode protect  Mark  Segregate  Educate  Reinforce culture
  • 17. Back-End Procedures Exit activities  Exist interviews − Where they are going, what they will be doing  Execution of affidavits/check-in procedures – did not take anything or have returned everything they had  Review of IT activity  Audit key employees’ activities before they set off for a new job − Take care all company property and data has either been returned or destroyed − Check for suspicious computer and premises access
  • 18. Employee Handbooks/Manuals  Define “secrets” and “confidentiality”  Duty to maintain secret nature of info  Define e-mail, social media, data access, transmission and copying protocols/rules  Address policy regarding use of personal technology at workplace  Identify conflicts of interest
  • 19. Classify Data ̶ Create and stick to a “need-to-know” system  Restrict employees ability to access certain data  No need for all employees to be able to view a company’s research and development data or strategic business plans − Only employees with an absolute need to see such vital info should be able to do so  Have a simple, flexible policy
  • 20. Limiting Access to Data  In practice, companies can limit access to certain info in a variety of ways: ̶ Locking file cabinets ̶ Marking confidential documents ̶ Creating password protected access to databases ̶ Encrypt sensitive information or data transfers
  • 21. Strategies for Minimizing Leaks and Dangerous Communications  Segregate data by category.  Establish electronic protocols that catalog access to highly sensitive data and that restrict access, transfer and copy of that data to unauthorized users. ̶ Only the most senior management should be given access to the most sensitive data.  Encrypt – regardless whether sensitive data is “in motion,” “at rest,” or at an “end point,” it should be encrypted
  • 22. Problems in the Information Age  External devices ̶ Risks posed by external devices are heightened with employees working remotely  Options to address ̶ Use software that allows for a secure connection to your network. ̶ Monitor employee activities on electronic devices and limit access to critical information. ̶ Make sure information on external hard drives, thumb drives or employee’s personal computers is well protected and can be recovered. ̶ Have policies in place to address if a device is lost or stolen. ̶ Monitor sizable downloads or emails with large attachments.
  • 23. Limit Use of Personal Devices  Employees must understand that no internal information is to be used or transferred to any device or program that does not belong to the company.  Employees should sign a release indicating they are aware of the company’s policy and that any “private” device or program used to conduct business or that is accessed from the company will be subject to inspection, copy and seizure.  Employees should be advised that communications to and from work carry no expectation of privacy and that the company periodically monitors e-mails for compliance with its protocols.
  • 24. Not All Business Is Cloud Business  Must take reasonable steps to protect ̶ Q: What is “Reasonable?” ̶ A: Look at nature of info and circumstances in which data is stored and used.  More important the data, the more security measures must be taken to protect  Highly sensitive data should not be stored with a third party.
  • 25. Laws that are there to Help you  Statutory Schemes Directed at Curbing Misappropriation  State − (Uniform)Trade Secrets Act (adopted in 48 states) − Computer Tampering (RSMo §§569.095-.099 and 537.525)  Federal − Economic Espionage Act (18 U.S.C. § 832) − Computer Fraud and Abuse Act (18 U.S.C. § 1030)  (H.R. 2466 – private right of action)
  • 26. Better Safe Than Sorry  Business Information is very valuable, but it is very easy to lose.  Once lost ….. probably lost forever.  Business can’t let valuable information walk out the door (or the window, or the wires, or the wireless).