Printer Friendly

Keeping the lid on secrets.

IN THEIR CONTINUOUS EFFORTS TO ENHANCE profits, today's companies are developing a profusion of new, highly sophisticated products such as video telephones, 3-D video games, supercomputers and wonder drugs for a broad range of illnesses. However, as has been the case since the beginning of time, the company with an original product or idea must invariably contend with competition from other firms. Although fair competition plays a healthy role in this process, in 1979 the Uniform Trade Secrets Act was established to allow a company or inventor to protect any new formula, compilation, program, device, method or technique.

For the risk manager, the management of trade secrets is of crucial importance to the organization because the revelation or uncovering of this classified information can result in a significant loss to the organization. Therefore, the immediate question for the risk manager at a company with a new product or idea should be: "Can our innovation be considered a trade secret?" To qualify as a trade secret, the information supporting a new product, idea or plan must be documented or identifiable, unavailable in public sources, disclosed only to those who have a duty to ensure its secrecy and known as a secret by those who possess it. Besides meeting these four criteria, the company must also possess stated and impartial evidence demonstrating that it has taken efforts to prevent the information's unauthorized disclosure.

For the majority of companies seeking trade secret status for a new idea or product, this fifth criterion can be difficult to satisfy; if a legal conflict arises between two companies over which one created a new product or marketing plan, the company that was actually responsible for the innovation must prove to the court that it did everything possible to protect it. Therefore, if the company's only "impartial evidence" that it is protecting an idea is a confidentiality statement buried somewhere in the reams of application forms a new employee must sign, this may not be enough. Similarly, a company-wide trade secret statement is also likely to be inadequate, since it is subject to interpretation by attorneys and the courts. As a result, the risk manager must ensure that the company has programs in place that both safeguard new ideas and are documented so as to provide proof of these protections to the courts. To be effective, these programs must first determine if a trade secret is vulnerable to exposure and, if so, then provide the appropriate risk prevention measures to safeguard it.

Before developing these programs, the risk manager and the company must work together to determine whether certain information or ideas should be classified as trade secrets or merely sensitive information such as salary information, marketing surveys and production costs. Although this decision can often be difficult to make, a general rule of thumb is to treat as a trade secret all information that would prove injurious to the company if it were released to the general public.

Risk managers should realize that trade secrets and sensitive information are lost in three ways: accidental exposure by an employee entrusted with its possession, intentional theft by an unauthorized outside agent, and internal theft by an ex-employee or a disgruntled worker who has access to the information.

ACCIDENTAL EXPOSURES

Most trade secrets are lost through accidental exposures. Among the cases of accidental exposure, most are due to negligence on the part of employees who are entrusted with the secrets; exposure occurs when these employees fail to caution associates and co-workers about the importance of the information and the dangers of revealing it. Accidental exposures may also occur when the creators or presenters of a new product, idea or plan fail to take the necessary precautions to keep the information secure.

Accidental exposures generally arise from three sources: presentations or communications by the company's sales or marketing personnel; conversations between the company's employees and outsiders, especially a competitor's staff members; and contact with outside salespeople who glean information from unwitting company personnel. In each of these cases, the employees responsible for the leak do not wish to harm the company; the disclosure is either entirely accidental, or the employee does not realize how damaging the leak is to the company.

Sales presentations can pose a significant threat to company secrets. Consider the zealous salesperson who is eager to inform a potential customer about a product in order to ensure him or her of its value. During the presentation, the salesperson alludes to the changes that are forthcoming on this particular product. Then, in the heat of his enthusiasm, the salesperson excitedly tells the prospect about new product ideas that the company is working on. The result? The unwitting disclosure of sensitive company information on the new product line.

The exposure can then spread to the company's competitors, who may use this opportunity to investigate these proposed product ideas. The competition may even use any ideas it uncovers to create its own version of the new product, thus diminishing the market impact of the first company's product innovation.

To curtail the exposure of sensitive information during sales presentations, the risk manager should heed the advice contained in the phrase: "Don't disclose until they need to know." In other words, although personnel in the sales and marketing departments need to be able to tell clients about new ideas or projects that the company is developing, any sensitive information should be withheld from these departments until the appropriate time. With this in mind, risk managers should implement functional controls such as eliminating the mention of any sensitive information in new product notices, limiting the flow of sensitive information to the sales force and tightening access to labs and demonstration centers.

Accidental exposures can also occur when a company's current employees, on friendly terms with a competitor's workers, inadvertently leak data or prospective marketing plans. This situation is relatively common: A company's employees who have been in the industry for years may have also worked for a competitor. Since most personal friendships do not end after an employee leaves a company, a firm's workers may continue to have contact with a competitor's employees. When these workers discuss their jobs after hours, an information leak may result.

A more disturbing situation is when employees engage in a planned, open discussion of company plans and ideas with a competitor's staffers. Often, these employees have no malicious intent, nor do they fully realize the danger of the disclosure; they merely mention the sensitive information to their colleagues in order to elevate their status in the social group. However, the competitor's employees who catch wind of the information will then use it for their own gain, which usually entails notifying their superiors about it.

As in the case with sales and marketing personnel, it is best to follow the "don't disclose until they need to know" philosophy. Since there is no possible way to keep all sensitive company information secret, the risk manager must create an awareness program that informs personnel who work with sensitive information that it should not be disclosed to outsiders. Additionally, the company should develop a well-defined, industry-specific disclosure program that addresses the legal and ethical ramifications of disclosing sensitive company information; these policies should be reviewed with staff members on an annual basis.

Outside salespeople also constitute a threat to company secrets. These salespeople attempt to learn all they can about a company and its competition in order to demonstrate how the product they sell is going to give its purchaser a competitive edge. In this process, the salesperson will gather as much information as he or she possibly can about each company; often, someone the salesperson meets will inadvertently reveal sensitive or secret information that the salesperson will use in future presentations. Although in these cases the salesperson generally has no malicious intent - he or she merely wishes to use the information in order to appear knowledgeable to clients and to increase sales - the loss of the secret information can be devastating to the company.

Risk managers should realize that sales representatives who call on a company are there to sell a product. As a result, lax company policies that lead to providing these salespersons with more information than they need could lead to a loss of sensitive information. And even though the company may benefit from any information that the sales representative has on the competition, the person whom the salesperson deals with will feel obligated to provide similar information, some of which may be confidential. With that in mind, risk managers should create an education program that informs employees about these dangers. The program should also warn employees that conversations about new projects or marketing strategies should be kept to a minimum, and that leaving sensitive materials on desk tops is one of the most common ways for vendors to gain confidential information. The risk manager can also implement a review of telephone conversations with outside vendors to reduce the possibility of trade secret exposure.

CORPORATE: SPYING

Corporate spying has been romanticized in books and films for years, but it truly exists, so risk managers should not discount its potential impact on the bottom line. Although spying represents only a fraction of the cases where sensitive company information or trade secrets are divulged, it is usually the most damaging to a company. Since the effects of spying can be so destructive, companies must develop a stringent internal program to protect all sensitive information and materials. The aim of the program should be to eliminate all risk of loss and provide adequate protection safeguards. Typically, the corporate spy is an information specialist who will use any means necessary to obtain the desired information; the spy can either be a hired professional or a company staff member. Although spying methods vary widely from company to company, they generally fall into five categories.

The first, computer espionage, is fast becoming a standard method for corporate spies to use in their efforts to obtain a rival's secrets. Often, computer hacks are hired by a rogue company to gain access to a competitor's files. In one situation, a company that was about to test market a new product in the Kansas City, Missouri, area discovered that two cases of the product had been drop-shipped to a competitor; this had been done by altering the delivery location on the computerized shipping orders. The company later proved that an outsider had invaded the computer program and changed the delivery location on the form.

Recruiting scams are another common spying technique. An example of this scam is an "exclusive personnel representative" who contacts a company executive, saying that he or she would. like to discuss a job opening. Considering today's tight job market, many executives would decide to at least talk with the recruiter. The standard routine is for the recruiter and the executive to meet at an upscale restaurant for a brief interview. The recruiter then queries the executive about the company's current projects and future marketing and product plans. After the meeting, the recruiter thanks the executive, promises to call soon and the two go their separate ways. Of course, the so-called recruiter never calls - and any sensitive information that he or she managed to obtain is now in the possession of the competitor.

Infiltration of company premises constitutes the third form of corporate espionage. All too often, offices, plants, factories and other facilities have inadequate security or are left completely unprotected. As one risk manager for a chemical company said about his company's plant, "You might as well hang a welcome sign on the front of the building, because anybody can walk in here." Corporate spies can use any number of methods to enter a company's premises; at company factories and plants, some spies have been known to put on a hard hat, carry a clipboard and blend in with their surroundings. Another method that spies use to acquire secrets from a competitor is by searching through the company's discarded trash.

Romantic relationships are the fifth way that spies can acquire sensitive information from a company. Paramours have been used as spies to obtain secret information since the days of Samson and Delilah; in the context of corporate espionage, employees romantically involved with someone outside the company have been tricked into revealing sensitive information and company secrets. Other love relationships can also lead to trouble; examples are the employee who divulges sensitive information to a spouse or lover who then spreads it to outsiders, and the executive who imparts secrets to a 1over within the company who later breaks off the relationship and leaves for the competition.

Different measures are necessary to deal with each spying technique. To combat computer espionage, risk managers should look into purchasing and implementing a computer security system. Computer professionals and retailers can make recommendations on the specific equipment and procedures necessary to protect the company's computer network from saboteurs and hackers. As for safeguarding a company's premises from outside infiltration, among the proven methods are entry control systems, stringent security procedures, an employee identification program and, to keep trash snoopers at bay, paper shredders. Legal prosecution can also be an effective weapon against spies; for example, trespassing charges should be levied against unauthorized persons found on the premises or seen sifting through the company's trash.

Risk managers will have to develop and employ different measures to protect the company from the phony recruiting and romantic spying techniques. Because these situations involve human foibles and relationships, the best way to curtail them is through employee education and awareness programs.

INTERNAL THEFTS

Besides protecting the company's trade secrets from external thefts, the risk manager must also be on the lookout for thefts that occur within the organization. For example, employees who leave the company to work for a competitor can take the organization's secrets with them; if the employee was fired, this danger is likely to increase. In addition, a disgruntled employee within the company can also represent a danger to company secrets; if these employees have access to computer files, new product ideas or sales and marketing plans, they can get their revenge by taking this information and providing it to a competitor.

Although there is little that the risk manager can do to prevent a staff member from leaving to work for a rival firm, there is one sure way to safeguard sensitive company information: Upon hiring a new employee, the company can have the individual sign a disclosure statement. Whenever an employee attends a disclosure program, the company should document it; this step provides proof to the court that each employee was given awareness training about the importance of not divulging confidential company information.

When an employee is terminated, company policy should dictate that the employee sign a written non-compete agreement, which prevents the employee from taking company secrets to a new employer. Concerning disgruntled employees, the company should first try to determine the causes of the person's disenchantment and attempt to resolve them; whenever it is possible, the company should also consider transferring the employee to a department that does not work with sensitive information. The primary function of the risk manager is to protect all company assets. Perhaps the company's most valuable asset is the sensitive information that keeps it ahead of the competition. Risk managers should help the company develop proactive and consistently applied programs designed to prevent the loss of sensitive information or trade secrets. To this end, the company should - 1. Identify the job positions within the organization that are involved with sensitive information or materials. When hiring for these positions, the company should screen all applicants and scrutinize them for honesty, motivation and the ability to authoritatively handle confidential information.

2. Institute a standard, companywide policy declaration on trade secrets and confidential materials. This declaration should include policies and procedures for dealing with sensitive information and the measures taken to protect them.

3. Require all employees to sign and accept non-disclosure covenants and to accept responsibility for the protection of trade secrets and sensitive data.

4. Create awareness programs that include mock scenarios that reveal to employees the risks posed by divulging confidential information to outsiders.

5. Ensure that all security measures are being followed and that paper shredders are available and working. 6. Require retiring, terminated or resigning employees to return all pertinent documents, keys, computer codes and other means of gaining access to the company or company information.

7. Implement programs aimed at determining if sensitive documents or information are regularly left unprotected. Secretaries, administrative assistants and even executives are known to leave valuable and sensitive information in the open.

Lance J. Ewing is the loss control administrator, office of risk management, for the school district of Philadelphia, PA.
COPYRIGHT 1992 Risk Management Society Publishing, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:protecting trade secrets
Author:Ewing, Lance J.
Publication:Risk Management
Date:Nov 1, 1992
Words:2790
Previous Article:The future of health care technologies.
Next Article:Calling attention to the late notice problem.
Topics:


Related Articles
Can you keep a secret?
Lost secrets = lost profits.
Strategic planning for protection of business secrets under the Uniform Trade Secrets Act.
Trade secret safeguards.
Complying with the Economic Espionage Act.
When is a trade secret not so secret? The deficiencies of 40 C.F.R. Part 2, Subpart B.
Enforcing Restrictive Covenants and Protecting Trade Secrets.
Safeguarding secrets.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters