“Information wants to be free.” – Stuart Brand
Stuart Brand, the creator of the Whole Earth Catalog, is famous for saying in 1984 that “information wants to be free,” which became a battle cry for anti-intellectual property activists. But this is what he actually said:
“On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.”
Not exactly a Marxist manifesto. But the shorter version of his words took on a life defined by others. In fact, it has been used in different ways. For the anti-IP crowd, it is a political expression of the idea that the benefits of information should be freely open to society as a whole, and not corralled by intellectual property laws to the benefit of a few. But it also can be taken as a neutral observation of a simple fact: once information has been transmitted to a new place outside the control of the originator, it will naturally propagate toward wide distribution, eventually into the public domain.
That process is a good thing if you are an academic trying to advance the state of knowledge and make a reputation for yourself at the same time. However, if you run a business that depends on data to drive success — and what business doesn’t these days? — this tendency of information assets to escape is a major, perhaps existential, risk. Given that those assets are handled by human beings, the management challenge can feel a lot like trying to contain . . . a virus.
Indeed, one of the reasons that Brand’s quote went viral (sorry) is that it attributes human desire to information (it wants to be free), just as we describe a virus in anthropomorphic terms (it wants to find a home and propagate; it wants to mutate).
The metaphor is not perfect. After all, a virus, unlike bacteria, is rarely considered valuable or helpful. But I believe the comparison is apt and useful in many ways, not least as a mnemonic device to help us stay focused on the difficult but necessary discipline of caring for the integrity of the company’s most valuable property, just as we care for our individual health.
So stay with me as we look at several main areas of overlap between trade secret management and pandemic response. To begin with, let’s recognize that our concerns are not only about our own information propagating outwards, but also about blocking unwanted information from infecting our data systems. So our control systems are naturally tuned toward containment: keeping our data in and others’ data out.
Policies and procedures: your immune system. When was the last time you checked up on the health and performance of your company’s strategy and tactics for maintaining the integrity of your data assets? In fact, are you sure you know what your data assets are? Just like human systems, no two companies are exactly the same in their information security risks. As things settle in following the current crisis and we begin adapting to a new normal, this is a great time to engage in a fresh risk assessment exercise and recalibrate your systems to align with the new environment.
Employees: your behavioral system. While our body’s systems are programmed, the workforce needs training and attention to ensure that it is on alert for risks and makes good choices every day. As regards confidential information, this is a particular challenge not only because employees are distracted by other priorities, but also because they often can connect to the company’s systems through their own phones and tablets, which they then use at home to engage with social media, a system which trains them to share.
It’s not that they intend to cause problems. But just consider the two times of greatest risk with a mobile workforce: when they are coming and when they are going. New hires can be like people infected with a virus but exhibiting no symptoms: they are carriers, but in this case the source of contamination and infection is their former employer, where they were entrusted with access to valuable information that may be relevant to what you are asking them to do. And then when they leave, they carry your trade secrets in their heads as they walk out.
In between those two high-risk moments, you have the opportunity to increase their awareness through training, so that their behaviors are more cautious when it comes to handling sensitive information. As with your Fitbit, there are monitoring systems that can help you understand how well they are complying with your information hygiene instructions.
Outsiders: social distancing. As Ryan Lilly said, “For any creative thought to be contagious, it must first be worthy of a sneeze.” When senior engineers or sales people attend conferences, your company’s important information can easily be exchanged through casual contact. For more organized third-party contact, there is protection available in the form of nondisclosure agreements that permit communication at a respectful distance. But here too we have to pay careful attention, both to how those protections are designed and how they are used, to make sure they perform as intended.
Disputes: falling ill, with luck briefly. When infection with another’s trade secrets occurs, in either direction, great efforts will be made to reduce the fever and recover. The alternative is to go to the hospital (court), which ironically can risk intensifying the symptoms. Happily, almost all patients recover and use the experience to reconsider their health habits.
Misappropriation: mutation. One of the frustrations of dealing with a virus is that it can mutate rapidly to stay ahead of treatments and cures. Similarly, when secrets are stolen, the misappropriator rarely incorporates them into its own systems or process in the same way they were deployed by the victim. Instead, the information is used indirectly, to inform and accelerate development, and the original information has morphed beyond recognition. Reconstructing what happened becomes a research project of its own.
As companies grapple with the consequences of the current economic and social disruption, they will face fundamental changes in how we do business. But self-isolation is not an option. In the information economy, unlike the pre-industrial cottage shops of the 17th century, we need to share. The key is to balance that need with the risks it creates. We should expose our information only to those who need access, and who have acquired the protective gear of confidentiality agreements, training and other controls.