• A vice president of a pharmaceutical company is laid off after 25 years of service. Before his exit interview, he downloads key financial information, employee contacts and sales information onto a personal flash drive. Three months later, he’s hired by a competitor, where he shares the downloaded data and begins to recruit employees from his former employer.
• At a computer company, a young woman has been working with a team of colleagues on the design for a new computer chip. She feels a strong sense of ownership since she personally put in so many hours after work and on weekends. Two months later, she leaves the company to start her own business. She copies all data related to the new chip to her thumb drive before submitting her letter of resignation and clearing her desk.
• An executive who’s been working at a soft drink company for more than 20 years has access to a new recipe and package design for a beverage scheduled to hit the marketplace next year. When she’s unexpectedly laid off from her job, she sends the data containing the recipe and package design to her personal Yahoo email account as an attachment where she later downloads it. Six weeks later, she’s hired by a competitor and shares “her” idea for a new soft drink with her new employer—who’s dazzled by her plans.
Cybercrime, or computer crime, refers to any crime that involves a computer and a network. Historically, securities fraud (also known as stock fraud and investment fraud) was the number one problem, according to Kris Haworth, an attorney who specializes in computer forensics (meaning she uses digital forensic science to search for and obtain legal evidence left behind in computers and storage media) at The Forensics Group, which is headquartered in Petaluma. “But a lot of companies changed their accounting procedures to eliminate potential fraud, so we’re seeing less of this,” she says.
Embezzlement often begins with employees stealing Post-it notes and pens, but can escalate to an employee manipulating a company’s bank accounts or stealing through a business expense account. Financial fraud (stealing credit card numbers and Social Security numbers, for example) is inherent in a large company, according to Haworth. And “hacking in” to a company’s computer system is always happening in different ways, but despite the headlines, these types of computer crimes aren’t the most common.
Since the downturn in the economy, and the rise of layoffs nationwide by companies feeling the squeeze, intellectual property theft is soaring. The scenarios above are just a few fictitious examples of how easily a computer crime—particularly intellectual property theft—can be executed.
Businesses surveyed by McAfee, Inc., a security technology company in Santa Clara, found that companies worldwide lost an average of $4.6 million worth of intellectual property (IP) in 2008. Of the 1,000 companies surveyed, 42 percent said laid-off employees were the single biggest threat to their intellectual property and other sensitive data.
In the current economic climate, says Haworth, “People are getting deeper and deeper in debt, and they’re getting desperate.”
“This year, we’ve seen more cases alleging intellectual property theft,” says Mindy Morton, an intellectual property litigator and partner at Bergeson, LLP of San Jose. “It’s mirroring how the economy is doing, especially in Silicon Valley.”
Intellectual property is a broad term that includes a company’s trademarks, patents, copyrights and trade secrets. According to Rodger Cole, a litigation partner for Fenwick & West LLP of Mountain View, a trade secret is information that has economic value and isn’t generally known or readily ascertainable outside of a company. A trade secret could be a formula, plan design or software source code. It could also include financial, cost or pricing information; customer lists; internal market analyses or forecasts; and more.
How much money could a single employee potentially walk out the door with in intellectual property? According to Cole, that depends on the type of company, but the results could be potentially devastating to an employer: “If it’s the formula for Coke, the value of that formula is in the billions.”
According to an AP article, in 2003, two San Jose businessmen were arrested at the San Francisco Airport with suitcases allegedly stocked with trade secrets and at least $10,000 in equipment stolen from U.S. tech companies. Prosecutors said the men—both originally from China—stole microchip blueprints and computer-aided design scripts from Sun Microsystems Inc., NEC Electronics Corp., Transmeta Corp. and Trident Microsystems Inc. They planned to start a microprocessor company with the Chinese government. The men were convicted, fined and spent time in jail, says Cole.
In another case, a group of engineers were accused of taking semi-conductor chips (which are used to operate computers, phone systems and most electronic devices) to China and distributing them. The company from which they were taken and prosecutors said hundreds of millions of dollars could’ve been potentially lost. The engineers in this particular case were convicted in a trial court.
On the horizon
Misappropriation of intellectual property continues to rise, particularly in the technology and biotech industries, says Haworth, who continues, “Any company that has valuable information should be careful. If your business is growing fast or shrinking fast, that’s when the door opens and you need to think about how you set things up to protect your intellectual property.”
“A lot of employees feel that, if they worked on something, they own it. They don’t understand that they’re doing something wrong,” says Morton.
According to Haworth, the problem is likely to get worse before it gets better.
“Twenty years ago, intellectual property was seen as mostly a problem for Silicon Valley,” says Cole. “Today, every company would agree that some aspects of its business model could be at risk. It’s a concern for every company.”
Still, it’s hard to quantify in dollars and cents how much intellectual property is lost for two reasons. “First, most companies don’t want to admit they’ve lost some of their ‘secret sauce,’” says Cole. “And second, unless a company discovers evidence of theft, they may never realize what happened.”
What’s the cost to employers in legal fees? According to Cole, that depends on how aggressive an employer is when IP theft is suspected. Generally, though, legal fees for such cases can run up to hundreds of thousands of dollars. “It’s not uncommon for a trade secret lawsuit to go to trial and legal fees to exceed $1 million,” he says.
A recent article in PC magazine reported that the cost of dealing with cybercrime increased 56 percent in 2011, with organizations paying anywhere from $1.5 million to $36.5 million for protection and recovery, according to the Second Annual Cost of Cyber Crime study, conducted by the Ponemon Institute and funded by Hewlett-Packard.
Ponemon’s study was based on a survey of 50 organizations with between 700 and 139,000 employees. During a four-week period, organizations surveyed were hit with 72 successful cyber attacks per week, up 45 percent from 2010. Cybercrime incurs costs for detection, protection, containment and recovery, and companies also often have to pay extra for consumer compensation. On average, each 2011 attack took 18 days and $416,000 to fix, which was 70 percent higher than 2010, when it took an average of 14 days and $250,000 to recover.
In May, the White House unveiled a cyber security proposal it hopes Congress will use as a framework for legislation. Among other things, the plan includes national data breach reporting, increased penalties for computer crimes, rules that would let the private sector coordinate with the Department of Homeland Security on cyber security issues and cybersecurity audits for critical infrastructure providers.
How IP theft happens
In recent years, intellectual property and sensitive data have become a currency for financially desperate or laid-off employees. “Twenty years ago, if you wanted to steal something [from your employer], you went to the copier and walked out with paper,” says Haworth. Today, however, the crime can be easily committed through a thumb drive, Yahoo or AOL account.
According to a report by McAfee, employees who steal data do so in some cases for financial gain. But for others, it’s a way to market themselves with the competition. Employees who fear layoffs may use sensitive data to seek backup jobs with competitors, hoping to secure a new job offer with existing knowledge or data from their current employer.
“Intellectual property theft has become more extreme,” says Haworth. “For some people, it’s the Lotto. If you’re an employee, you think, ‘This is the next Google or LinkedIn.’ You think it may be worth the risk. And if you’re an employee looking for a job and using your company’s computer, you have all sorts of information and you’re desperate to get a job. This is a way to market yourself. You have the list of your company’s top 20 clients, or the source code to the Android phone, or an internal list of employees that would be valuable to your new company.”
Nevertheless, it’s unusual for companies to actively recruit an employee from a competitor as a means to obtain intellectual property, says Haworth. What’s more, if an employee does take stolen intellectual property to their new employer and is discovered, that company will usually fire the employee, according to Haworth.
Can employees conceal information they’ve taken? Not easily. “It’s harder to cover up than most people think,” says Morton. “Employees send information to a home email or put it on a flash drive, but it’s difficult to cover your tracks that way. If someone examines your computer, they can see your Internet history. You can sometimes see page images of emails.”
Morton relates a case where an employee left a computer company to start his own business. According to Morton, he took a proposal from the company where he worked, changed the names and emailed it off to another vendor. “We were able to look at the metadata [data which includes information such as dates, location and other identifying factors] and found that the computer company’s name had been deleted and the new company’s name inserted. He was clearly trying to cover his tracks. In that case, we were able to find the evidence and prevent him from causing further damage to the company.”
In another case, The Forensics Group was retained when an employee left a firm for a competitor. It was suspected that she took intellectual property with her. However, when Haworth reviewed the hard drives of the former employee’s computer, they learned that, rather than taking the information with her, she had attempted to scrub the hard drives, her email had been deleted and intellectual property had been copied through the Internet to another computer.
“In this particular case, the employee tried to get rid of everything, but we were able to recover the information. We found an Internet account and saw a complete timeline of what she’d done. It’s really difficult to completely cover your tracks,” says Haworth. “When you’re on your computer, every key stroke is recorded.”
Companies are usually more concerned about network security and someone “hacking in” to their security system, says Haworth. “But your worst potential risk are your employees, because the door is open and they’re already in.
“Ninety percent of cases settle before reaching the court,” she adds. “If you’re a company with an important trade secret, you really don’t want to be in court. You don’t want the information to be public for any reason.”
According to Haworth, she’s usually contacted when an employer already has definitive proof, but the majority of the damage has already been done.
Keeping trade secrets confidential
Is it possible to stop all trade secrets and confidential information from walking out the door? “No,” says Morton. “A determined employee can do a lot of damage, so it’s better to be proactive, not reactive. A company that’s careful and has procedures in place can do a lot to protect its business.” One example of a company that’s especially careful with its trade secrets, according to Morton, is Coca-Cola.
The exact formula of Coca-Cola’s natural flavorings—but not the other ingredients, which are listed on the product label—is a trade secret. The original formula is held in SunTrust Bank’s main vault in Atlanta, Ga. According to a popular myth, only two executives have access to it, with each executive having only half the formula. Not true. While Coca-Cola does have a rule restricting access to the formula to two executives, each actually knows the entire formula and other employees know the formulation process.
Nevertheless, Coke’s billion-dollar trade secret is kept in a vault, not on the company’s computer system. “Once it’s on a computer system, it’s hard to protect that information completely,” says Morton. “And once trade secrets are out in the public domain, you can’t un-ring the bell—you can’t get them back.”
Steps to take when you suspect IP theft
What should you do if you suspect intellectual property has left your business? According to Cole, it’s best to act quickly. First, preserve the hard drive of the computer the employee was assigned. The best way to preserve the hard drive is to unplug the computer and place it in a secure place so other people don’t have access to it.
“In 90 percent of cases, you’ll find a smoking gun—employees leaving evidence of the theft on the hard drive,” says Cole, explaining information is often stored on the company’s computer, by Gmail or Yahoo for a period of time.
Second, if the employee leaves to work for a competitor, send a letter reminding that employee of the confidentiality agreement that was signed when they came to work for you. It’s also a good idea to send a letter to the new employer as well, putting everyone on notice that there’s an investigation in process, says Cole.
Finally, if there’s any proof—for example, you’ve seen emails—get a lawyer, specifically an IP litigator. According to Cole, most companies will start the investigation in-house, but once they consider legal action they get help from an outside law firm.
What’s the best course of action in an emergency situation—for example, if there’s evidence that a former employee is about to use or disclose the company’s trade secrets? Immediately file a complaint and an application for a temporary restraining order to prevent the former employee from marketing the material.
How do you protect yourself from suspicion as an employee when leaving one company for another? There are a number of ways. “Be as open as possible,” Cole advises, “and be truthful about what you’re doing. You don’t want to mislead an employer by telling them you’re taking time off to spend at the beach and then go to work for a competitor the following week.” It’s also an important step for employees to return all company property, such as a laptop computer, flash drives, documents and more. According to Cole, it’s best to turn all computer property back to human resources during the exit interview.
North Bay businesses
What’s the best advice for North Bay businesses? “Understand this isn’t only [a problem] for Fortune 500 companies. Just about every business has information or trade secrets worthy of protection,” says Diego Acevedo, an associate with the business litigation and employment groups at Farella Braun + Martel, LLP of San Francisco.
“Whether you’re successful in protecting that information depends on the circumstances of the case and the type of business. Courts will look to see that you took reasonable efforts to keep trade secrets secret,” he says. “A small company doesn’t have to go to the extremes of Coke, but it must take reasonable precautions to protect the secrecy of the information at issue.”
For example, trade secret customer lists, which can contain contact information, product preferences and pricing history, derive value from not being generally known within an industry. This information could be extremely valuable, particularly to new competitors, who need to effectively target customers they know are likely to purchase a marketed product. Acevedo recommends that, for such customer lists, small companies limit access to only those employees who need it to carry out their job function. “This could mean limiting your customer list to executives and your sales team, physically segregating the information within your office, housing the information on separate servers or implementing other technological safeguards such as firewalls and password protection programs,” he says.
“Almost every company has a customer list and, in many circumstances, it’s the lifeblood of the business; it’s often just as important as the product you’re marketing. If your customer list walks out the door, a lot of your business could potentially walk out the door.”
Acevedo further advises employers to think carefully about how to use an employee recruited from a competitor. “Large corporations are constantly vying for talent within a finite applicant pool in the same industry, especially in the tech world,” he says.
What’s the best way to protect yourself from IP theft stemming from an employee you’ve hired from a competitor? Make sure that employee is meeting his or her obligation to the former employer, says Acevedo. “And think critically about the function of his or her job so as not to infringe on the former employer’s intellectual property rights.”
The company should also carefully review any agreements that governed the employee’s previous relationship with the competitor, he adds, as those agreements often dictate the restrictions on the employee’s new job. When high-level employees are recruited from a competitor, Acevedo recommends employers think carefully about the scope of their duties and the department they’re hired into, so these new employees won’t inadvertently disclose trade secrets or otherwise breach their contractual obligations to their former employer.
Perhaps the best defense is a back-to-basics approach.
“Thirty to 40 years ago, it was easier for companies to maintain a competitive edge,” says Stephan Kinsella, a patent attorney from Houston, Texas, who’s written extensively on the topic of intellectual property. “But it’s become increasingly difficult with employee mobility, and it’s been exacerbated by a recession.”
His advice to employers? “Try to reduce employee turnover and continue to innovate.”
Cole advises employers to be proactive. “Be diligent about protecting your information and intellectual property,” he says. “As our economy is more and more based on information and information technology, the value in all businesses—large and small—must rely on the protection of their intellectual property.”
“Assume your employees are acting in your best interest, educate them and be prepared if that’s not the case,” adds Haworth.
If you’re an employer, the best way to prevent sensitive information from walking out the door is to be proactive. “The more policies and procedures in place, the less likely you are to get into a crisis situation,” says Mindy Morton.
Morton and Kris Haworth recommend the following steps to protect your company’s intellectual property and sensitive data.
• Get each employee to sign a confidentiality and invention assignment agreement the day they start work. Make sure the agreement clearly describes California Labor Code Section 2870 and its requirements for an employee. Make it clear that any invention conceived or designed on company time belongs to the company.
• Educate employees about the company’s trade secret policies and have clear procedures in place concerning how to mark documents and emails for confidentiality. Make sure managers follow up with employees to ensure compliance.
• Continue to define and specify your trade secrets and key confidential or proprietary information with employees. By doing so, you’re making it clear that sharing this information outside the company is theft, and you’re not left scrambling to define it once litigation begins.
• Hold exit interviews with all departing employees and remind them of the requirements of their confidentiality and assignment agreements. Have them sign an exit interview review checklist.
• Instruct employees who have access to sensitive information not to delete anything from their computers or email servers once you’re aware they’re leaving the company. If you do let them delete information, make sure the deletions are supervised by an internal information technology professional.
• Make a forensic image of every computer used by an employee who had access to sensitive information, especially if there is reason to believe that sensitive data may have left with the employee. If email is stored on a central server, consider saving the emails for a period of time to allow recovery.