“Data that is loved tends to survive.” — Kurt Bollacker
In last month’s post, Part 1 of this series, we considered the view of European academics that trade secrets are not “intellectual property” because they don’t give the power to exclude others, like patents, copyrights and trademarks do. But considering that trade secrets are treated throughout the world like a kind of property – they can be transferred and taxed, and stealing them is considered theft – we concluded that what matters is not exclusion, but control. It is the ability to control access to secret data that can give companies an advantage over others that don’t know about it.
We considered the example of an Armenian family that has managed to keep – and profit from – the secrets of making the very best orchestral cymbals for four centuries. They did this by sharing only within the family, where presumably they had available some compelling ways to enforce trust.
For the rest of us in the modern, globalized and digital economy, we have what looks like an impossible task. How do you protect the company’s secrets when they are zooming around the globe at the speed of light and accessible by thousands of employees, contractors, partners and vendors, each with a small supercomputer in their hands? More specifically, what do you do when those people go home in the evening and use those same little devices to participate in various forms of social media, where they are relentlessly instructed to share the most molecular details of their lives with hundreds or thousands of “friends”?
Before we try to answer those big questions, here’s a comforting thought. What the law expects fits nicely with what the owners of a business should expect: that management will do what is “reasonable under the circumstances.” Okay, you might say, that is just an abstraction meant to dodge the problem. But there is some instructive guidance behind the “reasonableness” standard.
It starts with recognizing that perfect security is not feasible in today’s data blizzard. The more people we trust with access, the greater the risk. But in order to compete in fast-moving markets, we can’t go it alone. Today’s innovation and commercialization usually require large teams, including external partners. So being “reasonable” means accepting that risk.
Besides the imperative to share, we also have to confront another reality of risk: security measures almost always come at a cost. It’s not necessarily about money, but about convenience and productivity. Think about two-factor authentication, where in addition to your normal password you have to wait for a special one to be generated and sent to your personal device. Now think about doing that 50 or 100 times a day, as you go through each office door and engage with each software program or database. It adds up. Most businesses can’t afford the efficiency loss that results from placing maximum protection on all forms of data.
So it’s pretty clear that we can’t have it all when it comes to information security. “Reasonable” means thoughtful management of the risk of losing control over your data, while not letting the perfect be the enemy of the good. So how does a business do that? Here are some observations grounded in the law and in sensible business management.
To begin with, recognize that “reasonable under the circumstances” refers to the unique circumstances of your business and the risks faced by your information assets. There is no one-size-fits-all checklist of “best practices” that applies across the board. If you think that checking off a list of security techniques is enough, or if you’re worried that you’re not doing everything on some list, forget that. What matters is the circumstances you are in, measured by three things: value, threat and cost.
Valuable information can be found everywhere in most companies, and we can’t protect it all with maximum effort, or the business would collapse under the weight of the effort. Instead, we have to understand where we get competitive advantage from data, and try to categorize it according to its value. This is not necessarily value in the absolute sense, measured by currency. Instead, knowing relative value will help inform decisions about what level and kinds of security are needed. The algorithm that powers a critical business process might deserve more attention than a marketing strategy.
Assessing value could be as simple as picking the top 10 or 20 trade secrets that cause you concern. To do that, you need to know what you have. But don’t be put off by fear that an “inventory” of information assets has to be a logistical nightmare, like the hardware store shutting down for several days in order to count all the individual nuts and bolts. Instead, the idea is to organize your data into categories that reflect similar kinds of value, such as tools, databases, strategies, R&D records, information about customers, financial data, and information entrusted to you by others.
The next step is to assess the threat, or risk, faced by the different kinds of confidential information you need to manage. Here there are two kinds of threat. First, there is risk of loss or leakage that can reduce or destroy competitive advantage. We can refer to this as “outbound” risk. In contrast, but often equally important, is “inbound” risk, that is, the possibility that your information may become contaminated by unwanted data from outside the business. Most commonly, this sort of infection happens through hiring from competitors, but it can also come in through poorly managed confidential business relationships like a potential acquisition.
In order to thoroughly understand your risks, of course, you need to estimate the likelihood that the bad thing might happen, as well as its impact on the business if it does. Hiring an engineering manager from a direct competitor to lead an identical project will represent a substantial danger of potentially serious harm, while providing secret drawings to a trusted vendor without negotiating a non-disclosure agreement (NDA) may be more acceptable. Making these distinctions will help management focus not just on the hazards but on how much risk might be acceptable in the name of efficiency.
Once you know what you have and the array of threats you contend with, you can begin to consider where to focus your attention and allocate your resources. In this part of the process you consider the ways in which you might reduce the potential for harm, measuring the cost (in terms of money or operational friction) against the value of the information in question. In recruiting the engineering manager, for example, you might consider not only providing warnings and getting assurances about unwanted transfer, but also, if the perceived risk warrants it, providing the new hire with independent counsel to reinforce the message and to better distinguish between the skill he can apply and the trade secrets he can’t.
Many other decisions about information security will be taken in this way. Should the company adopt a labeling system for confidential information that applies multiple levels of restriction, or will a simpler system result in better compliance? Does a different risk environment in overseas facilities call for a different kind of employee training there? Should NDAs be managed centrally, or should business managers be allowed to negotiate special terms? Should access to various systems and databases be controlled for each application, or is universal access with passwords enough? Should we install software on employees’ phones to ensure they don’t share company secrets?
If you’re thinking that what I’ve described here is just classical business risk management, you’re right. The process of considering value, risk of loss and cost of mitigation techniques is how most companies approach caring for their assets and opportunities. For some, the analysis is more ad hoc than strategic, while others increasingly look outside the organization for help in designing a comprehensive data protection program.
The most important takeaway is this: your information is your property, and without due care its value can diminish or disappear. But you have control over it. Pay attention and be aware of your options. That is the “reasonable” thing to do.