In the wake of urban unrest in the early 1960s, local governments imposed nightly youth curfews, and a Massachusetts legislator suggested that all radio and television stations begin their 10:00 evening programming with an announcement: “It’s 10:00 PM. Do you know where your children are?” The phrase was quickly picked up across the country and became a common (and sometimes mocked) cultural artifact of the era.
The idea that parents need to be reminded of their responsibility for their children’s safety and well-being may seem quaint or silly. But parents can get distracted, and there’s little harm in prompting someone to pay attention to a risky circumstance.
For modern business, if you can indulge the metaphor, we may think of data assets as the children of the enterprise, at least in the sense that valuable information is vulnerable to loss or compromise. Reminding companies of the need to be vigilant makes a lot of sense.
That is exactly what the Securities and Exchange Commission has tried to do with its December 2019 Guidance on “Intellectual Property and Technology Risks Associated with International Business Operations.” Although specifically directed at public companies, the advice is equally applicable to private corporations and startups, since management always has a fiduciary obligation to care for corporate assets.
The document begins with an observation applicable to almost every business. “The increased reliance on technology, coupled with a shift in the composition of many companies’ assets from traditional brick-and-mortar assets towards intangible ones, may expose companies to material risks of theft of proprietary technology and other intellectual property, including technical data, business processes, data sets or other sensitive information.”
These risks, the SEC points out, are particularly acute when doing business in foreign countries or dealing with foreign partners. However, the underlying concern is comparable for many domestic transactions, where information has to be shared with others in order to extract value from it. We might expect that the SEC will at some point broaden its guidance accordingly.
In the meantime, having been reminded that it’s a dangerous world out there and that our trade secrets need careful monitoring, how do we even begin to think about it? In other words, how do we know what secrets we have in the first place? And since we’re talking about any competitively useful information, how do we get our arms around the potentially millions of bits of it that help drive the success of any single company?
This is where the parent/child metaphor becomes a bit challenging to apply. Measured against most of the rest of nature, humans tend to have just a few offspring, making it relatively easy to keep track of them. The most fecund of invertebrates, the ocean sunfish, can produce 300 million eggs at a time, although only a tiny fraction of them are fertilized. But consider the African driver ant, where a single queen can lay 3 to 4 million eggs a month, most of which actually hatch. How can she possibly know where they are, no matter what time of day it is?
Let’s leave this fascinating metaphor by recognizing that businesses don’t need to specify each discrete piece of data, but only the ones that matter, what we often refer to as the “crown jewels.” When thinking of trade secret management, don’t fall prey to the notion that you have to identify everything that could prove useful to the business. Even a hardware store doing inventory doesn’t count individual nails. You can count all of your patents, but not all of your secrets – at least not comprehensively.
In an earlier article, we looked at a process of risk analysis to inform a company’s trade secret program, balancing value, threats and mitigation options. That process naturally begins with understanding the dimensions of the property that you’re dealing with. So how do you do that?
A number of tools have appeared in recent years to help companies create a secure “catalog” of secrets. For example, “WIPO Proof,” offered by the World Intellectual Property Organization, provides the ability to time stamp a file to later prove its existence, using blockchain technology. Other services add forms and checklists to enable a company to sort its secrets by priority. But I believe that the most promising emerging methodology consists of a guided process for creating a flexible catalog that describes assets sufficiently to communicate real value, but without disclosing them.
One example of this approach is the Trade Secret Registry. (Disclosure: I have helped to design this system.) Assets of the “crown jewel” variety are defined through a descriptive label tagged permanently to a file that contains the details and remains undisclosed. Relative values are established in a way that does not compromise future litigation. Room is provided for additions and modifications that reflect product lifecycle management.
Ideally, a trade secret catalog should establish the basis not just for informed decisions about access and other risks, but also about unlocking the value of the asset through internal development or other commercialization. We are past the time when the classical corporate patent committee passed innovations only for patenting, leaving trade secrets on the scrap pile. Now, systems for tracking secrets need to enable proactive management to be sure that commercial value is realized.
One dimension of these more robust systems is the ability to bring previously nebulous trade secret information into a category of “recognized” assets that can be insured and also used as collateral for loans. Specifically, companies that certify the integrity of the cataloging process can also act as intermediaries to procure insurance against trade secret loss or liability. And they can deploy the same assets to procure non-dilutive debt financing.
Do you know where your trade secrets are? Finding out may put you ahead of the next SEC bulletin. And it may actually be easier than tracking your own kids.