Trade Secret Governance: Content Security
THE TRADE SECRET GOVERNANCE MODEL
Information Security is hardly a new topic, but as technology continues to develop and business-related content morphs into ever-new and ever-expanding formats, the responsibility to control and secure Trade Secret data moves beyond IT’s traditional role of securing corporate infrastructure.
It is no longer enough for content-intensive business units to assume the INFOGOV protocols put in place by IT will automatically cover every instance and one-off. While perimeter-edge security, anti-hacking and intrusion detection all remain purely technical responsibilities, data protection and custodianship must be shared by both content owners/creators and those charged with ensuring that sensitive content is handled properly. This brings it directly into the purview of Trade Secret Management.
Tools of the Trade (Secrets)
There are a number of industry standard tools that should be vigorously applied to trade secrets and the systems and processes used to access them.
- Encryption – Cryptographic encoding to secure content at the document/database/network/physical drive level.
- Multifactor Authentication – Process by which user identification requires 2 or more pieces of evidence, typically where only one is knowledge (something they know like a password) and the other is either something they have (secure token or smart card), something they are (biometrics) or something independent from them such as a confirmation code sent via a separate communication.
- Pessimistic Access Control – File or system level access protocol where access is universally restricted by default and granted only on a minimum-requirement level and on an as-needed basis based on specific role or documented business need.
- Certified Hosting – A verification protocol where all hosting systems, internal and external, are required to meet applicable certification standards such as ISO 27001, SSAE-18 SOC Type 2/3, etc.
- Retention Control – An established policy governing how data is proactively removed on a scheduled basis after it is no longer needed or when granted access has expired or been revoked.
Encrypt, encrypt, ENCRYPT
Encryption can be a powerful tool but it must be diligently applied and managed. The assumption that data is secure simply because the file is encrypted is a dangerous one to make. Encryption must occur in as automated a fashion as possible and across as many aspects of the data’s lifecycle as possible.
Rather than rely on users to actively take steps to save files through an encrypting system, policies can be set to require that all devices (including mobile phones, tablets and personal devices) be configured to encrypt their drives at the physical layer. Most standard manufacturers of laptops and mobile devices offer this setting. By using user policy rules, a company can push this out as a requirement and deny access completely to unencrypted devices.
And yet still, this only addresses files when they are stored on an encrypted drive. Data, even the most sensitive data, is legitimately shared and transmitted on a daily basis. It is important to make sure that those transmission options are also encrypted through the use of VPN tunnels, encrypted email clients, private file sharing protocols and the like.
Lastly, like any strong lock, encryption is only as strong as the security around its keys. Every type and level of encryption comes with its own unique cryptographic key. These must be carefully tracked and administered with the same level of accountability as the data they are used to secure.
Oversharing encryption keys out of convenience is a common bad practice that undermines the global level of data protection throughout the system as well as every business and compliance assumption made about the governance process.
Proper key management also includes the replacement of keys, either routinely based on a key’s scheduled expiration date (which is set in proportion to the sensitivity of the data it protects) or proactively due to a suspected compromise. Symantec’s market research reported that 50% of employees take confidential information with them when leaving a company. By properly refreshing and archiving keys throughout the enterprise, the risk of old keys maintaining unwanted access can be mitigated.
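An added example, not part of the original article: a key-inventory audit that applies the checks described above (scheduled expiration in proportion to sensitivity, suspected compromise, keys still held by departed staff, and oversharing). The sensitivity tiers, rotation intervals, holder limit, and inventory records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: the more sensitive the data, the shorter the key lifetime.
MAX_KEY_AGE_DAYS = {"restricted": 90, "confidential": 180, "internal": 365}
MAX_HOLDERS = 3  # assumed limit before a key counts as overshared

@dataclass
class KeyRecord:
    key_id: str
    sensitivity: str          # one of MAX_KEY_AGE_DAYS
    created: date
    holders: frozenset        # people who can use the key
    suspected_compromise: bool = False

def audit_key(key, today, active_staff):
    """Return the list of policy findings for one key (empty if compliant)."""
    findings = []
    expires = key.created + timedelta(days=MAX_KEY_AGE_DAYS[key.sensitivity])
    if key.suspected_compromise:
        findings.append("rotate now: suspected compromise")
    elif today >= expires:
        findings.append(f"rotate: expired {expires.isoformat()}")
    departed = sorted(key.holders - active_staff)
    if departed:
        findings.append("rotate and revoke: held by departed staff " + ", ".join(departed))
    if len(key.holders) > MAX_HOLDERS:
        findings.append(f"overshared: {len(key.holders)} holders, limit {MAX_HOLDERS}")
    return findings

def audit_inventory(keys, today, active_staff):
    """Map key_id -> findings for every key that violates the policy."""
    report = {}
    for key in keys:
        findings = audit_key(key, today, active_staff)
        if findings:
            report[key.key_id] = findings
    return report

# Constructed sample data (hypothetical names, dates and key ids).
TODAY = date(2024, 6, 1)
ACTIVE = frozenset({"alice", "bob", "carol", "dave", "erin"})
INVENTORY = [
    KeyRecord("formula-db", "restricted", date(2024, 1, 15), frozenset({"alice", "bob"})),
    KeyRecord("hr-share", "confidential", date(2024, 3, 1), frozenset({"alice", "frank"})),
    KeyRecord("wiki-backup", "internal", date(2024, 2, 1), frozenset({"alice", "bob", "carol", "dave"})),
    KeyRecord("design-vault", "restricted", date(2024, 5, 1), frozenset({"carol"})),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(INVENTORY, TODAY, ACTIVE).items():
        print(key_id, "->", "; ".join(findings))
```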
CASE STUDY:
The Hack of Sony Pictures
DATE: DECEMBER 2014
In late 2014, hackers targeted Sony Pictures for a global cyber assault. On November 24, 2014, after gaining access through a poorly configured piece of IT infrastructure, hackers deployed a special unrecoverable deleting algorithm across Sony’s network, destroying 48% of the desktop computers and 54% of the servers world-wide. And they stole the data contained on all of them.
The hackers then released it all through various internet sites. This data contained not only sensitive business information, embarrassing emails, and salary and social security information for all Sony employees, but it was also full of intellectual property and trade secrets: unfinished movie scripts, draft notes, production memos, budget projections and full copies of unreleased films.
Sony lost its IP in the form of big-budget movies being released online. It suffered massive brand damage when embarrassing emails and documents were made public. It was exposed to significant legal liability when passport information and Social Security numbers for tens of thousands of employees were published. It had issues with its own employees when employee performance reviews, disciplinary details from personnel files and the exact salary for every employee were posted online. It also saw its stock price fall dramatically when the hack was made public.
Cybersecurity is a well-known threat in the business world, and while IT and security experts manage the risk of infiltration and disruption, Legal should be specifically concerned with the threat that content exposure poses to IP and trade secrets.
This is particularly true of trade secrets. The theft of patent details can result in expensive, drawn-out litigation to reestablish the patent owners’ rights, but trade secrets instantly become unprotectable once they lose their secrecy.