Cybersecurity is of significantly increasing concern, both to businesses and government. Recent widely-reported cybersecurity breaches have further heightened awareness of this issue. Government regulators, like the SEC and FTC, have pressed for greater cybersecurity efforts – with the latter’s authority in this area being recently upheld by the Third Circuit in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
Much of the expert advice on how to analyze and bolster cybersecurity suggests major involvement of the business’ management, and overlaps with assessment of the business’ intellectual property positions and strategies. Such overlaps suggest that significant synergy and efficiencies can be achieved if cybersecurity and intellectual property efforts are coordinated.
As cybersecurity becomes an increasing concern for many companies, increased involvement of IP counsel in strategy determinations becomes not only appropriate, but will likely be demanded by their clients. In this post we examine commonalities and differences between both types of efforts and how IP counsel can work together with the business’ cybersecurity team to service a client.
Cybersecurity: Concerns And Strategies
Cybersecurity experts have identified five major threat sources: nuisance hackers – usually young computer savvy individuals looking to create annoyance for mere fun; competitors and disgruntled employees targeting specific companies for information to use in business; state-sponsored attackers, who may target specific businesses or industries for strategic purposes; organized criminal groups who view cyber-crime as a lucrative enterprise; and “hacktivists” who view hacking as a means to further a political agenda, e.g., by revealing sensitive or embarrassing information about their target.
Common cyber attack tools include introducing programs (viruses, malware, spyware) through some portal into the protected system; “phishing” – use of fraudulent means and exploitation of human weakness and naïveté, to acquire key sensitive information (passwords, social security numbers, etc.); and generalized attacks to cause denial-of-service results.
Once the problem is identified, what strategies should be implemented to combat it? A leading consulting firm, in a paper entitled “Meeting the Cybersecurity Challenge” (available at http://www.mckinsey.com/insights/business_technology/meeting_the_cybersecurity_challenge), has identified four key recommendations.
- Cybersecurity Must Be Addressed At The Most Senior Levels
Effective analysis and implementation of cybersecurity requires an understanding of how the business’ sensitive information is used. Leaving security to only the IT department no longer works.
- Cybersecurity Must Be “Business Back” Rather Than “Technology Forward”
This is the key recommendation. The focus must be on what is important to the business, not where in the technology infrastructure an attack or leak might happen.
In order to identify the “crown jewels” of a business, you must first understand the nature of the business. The company can then decide what is an appropriate level of security for particular information, depending on its importance to the business.
- The Focus Must Move From Protecting the Perimeter to Protecting Key Data
Design of cybersecurity infrastructure has to be reoriented “from devices and locations to roles and data.”
- Refresh Cybersecurity Strategies To Address Evolving Business Needs And Threats
Both the business and cyberthreats are constantly evolving, and both assessments and strategies have to evolve with them.
IP Audits and Counseling
IP audits assess the intellectual property position of a company: (1) what IP assets it owns; (2) how they are secured; (3) what efforts the company is making to monetize those assets, either through licensing or direct use; (4) what efforts the company is making in enforcing its IP rights (either informally or through litigation); (5) whether the IP protection strategy adequately fits the needs and position of the business.
The last category is particularly broad and encompasses a wide range of technological and business issues. It requires a thorough understanding of not only the client’s business, but also how it relates to competitors and other actors (suppliers, customers, employees, government and other third-party sources of intellectual property) and how its technology needs may evolve over time.
An IP audit needs to first understand the present position of the company and where it is going before assessing whether its current IP strategy is serving it well and how it can be improved. There are numerous published checklists that can be used to facilitate such an audit. The audit team should not lose sight of the end goal: to assess how IP is being used to protect the business position of the company and whether and how that service can be improved.
How IP Counseling and Auditing Can Be Used To Aid Cybersecurity
Steps in an IP Audit and a cybersecurity analysis substantially overlap. Both require a thorough analysis of a business and how information and other intangibles are used in the business before proceeding to ascertain how best to serve the business with other tools (IP law; cybersecurity technologies). At the same time, the questions the analyses seek to answer diverge somewhat based on different goals.
We identify the following major areas where an IP audit and a cybersecurity analysis would likely overlap, and then also point out in each area where the information needed and analysis performed diverge:
- Identifying IP
The first step in any IP audit is to inventory the intellectual property of the company, both in existence, and still in pendency. Besides compiling basic identifying information (patent or registration numbers, due dates on pending applications, inventors or authors, expiration dates, system for payment of maintenance fees on patents), the audit also ensures that the foundation basis for the rights is properly secured: assignments of rights from inventors and authors have been obtained; priority dates for trademarks are properly evidenced; marking of products with pertinent legal markings is being done, etc.
With respect to trade secrets, the audit would identify them and catalog what steps have been taken to keep them confidential – employees with access have signed confidentiality agreements and access to the trade secrets is appropriately limited. (The latter is discussed more in depth below.)
Both IP counsel and the cybersecurity team need to appreciate that “intellectual property” has overlapping but distinct meanings in each field. In the legal field, it means intangible information in which a business has property rights. In the cybersecurity field, however, it means any information used in a business that needs to be kept confidential. These are not always the same.
Of the four most common forms of intellectual property (patents, copyrights, trademarks and trade secrets), only trade secrets are required to be kept confidential. Patents by definition are disclosed to the public and by definition trademarks are symbols that are used to market goods and services to the public. As for copyrights, while they reach unpublished works, they are more generally used to control published works, and so they usually involve nothing secret. These forms of intellectual property rarely need to be kept secure.
This is not always appreciated by cybersecurity experts; the authors are aware of a recent article on cybersecurity that listed patents as among the information a company needs to protect from hacking! The authors seem unaware that patents are public knowledge easily downloaded from Google Patents and the PTO website.
On the other hand, more subtly, even technology subject to patents may have trade secret or other confidential information associated with it that may require cyber protection. For example, it is possible to disclose an invention in a patent application, but still keep secret later-developed know-how about implementing the technology.
For another example, patent applications by law are kept confidential for at least 18 months at which time they are published (even if they never issued). Until published, the information in such an application could still retain trade secret status and give the company an important business advantage, such as an ability to get to market earlier than competitors with a new product.
If an IP audit is to benefit the cybersecurity team, it should identify what parts of the IP need to be kept secure and which do not.
Conversely, IP counsel must appreciate that the range of legally protectable intellectual property may differ from the range of confidential or sensitive information a company must secure from cyber crime. By legal definition, a trade secret must confer some economic or competitive advantage on its owner based on the fact that it is not generally known. One can imagine many forms of information that are sensitive that do not meet that definition.
A retail chain might compile the names, addresses and credit card numbers of its customers; a healthcare provider, the medical histories of its patients; many companies maintain information about compensation and benefits of high level executives. All of these likely need to be maintained as highly secure, whether or not they are proprietary trade secrets.
- Verifying Support Documentation
It is a truism that legal rights must be papered over, and this is no less true of intellectual property rights. Among other things an IP audit should review are (1) whether agreements are in place with inventors and authors assigning rights to the company; (2) whether confidentiality provisions are in place for those who have access to trade secrets (and whether the trade secrets are adequately identified to the users); and (3) whether documentation about origination of intellectual property – lab notebooks showing conception and inventorship – is secure.
Compilation of this information can be invaluable to cybersecurity consideration. Agreements with authors and inventors allow the cybersecurity team to understand where sensitive information is generated, and how it is conveyed to the company for use. This could be particularly important for ongoing research and development, which might utilize email and other electronic collaboration, for example.
Confidentiality agreements help identify who has access to sensitive information, and thus allow focus of security on information infrastructure used by these personnel. Documentation of origination can itself be highly sensitive – it is both the source for and embodies the intellectual property – and may need heightened security.
- Economic Assessment Of IP And Business
An IP audit should include an assessment of the economic exploitation of the company's intellectual property. The audit first examines the company’s revenue streams and what intellectual property assets support or protect each profit center. The goal is to identify which intellectual property is most important to the company in terms of facilitating the most lucrative parts of the business.
This allows, for example, prioritizing of spending on securing and enforcing intellectual property rights. At the other end, an audit examines whether intellectual property is being fully exploited, or whether it might be better monetized through licensing, for example.
Such an economic assessment would be crucial, of course, to the kind of “business back” cybersecurity assessment discussed above. Identifying which IP assets are most valuable allows the cybersecurity team to prioritize their efforts and make sure that the company’s “crown jewels” receive the highest level of security.
- Audit Of Security Measures For Trade Secrets
To protect information as a trade secret, the company must subject it to “reasonable efforts” to maintain its confidentiality, which varies by context. An IP audit that includes trade secrets would assess: (1) who has access to the information; (2) where documentation (both paper and electronic) that includes the secrets is kept and how it is kept secure; (3) what confidentiality agreements are in place with employees, and whether access is limited to certain personnel, and if so on what basis; (4) whether trade secrets are shared with outside parties such as licensees, suppliers and other contractors, and if so what confidentiality agreements are in place to secure them; (5) is there a system in place to identify and mark sensitive documents or information as proprietary and confidential (and is such a system applied discriminately to what is truly confidential); (6) does the company emphasize the need for confidentiality with employees and officers who do have access, and conduct entrance and exit interviews that include discussion of need to keep information confidential; (7) are employee computer resources kept secure, including on termination – for example ensuring that laptops are either returned or that confidential information is wiped.
Such an assessment would, of course, be invaluable to the cybersecurity team; it would allow it to understand the location and flow of sensitive information within and without the company. The team can then determine what technological security measures need to be executed around this information flow.
The work of the cybersecurity team could also help ensure the legal protection of trade secrets. While there is no set standard for the “reasonable efforts” required to maintain trade secret status, clearly the better protected information is, the more likely a court will find that the information retains trade secret protection.
In fact, courts have come to view some measure of cybersecurity as routine and even necessary (if not necessarily sufficient) to maintain trade secret status. Compare Charter Oak Lending Group, LLC v. August, 127 Conn.App. 428 (App.Ct.2011) (finding a trade secret where each employee had access only to information regarding her own customers, information was encrypted, and servers carrying information were locked) with DS Parent, Inc. v. Teich, 2014 WL 546358, 9 (N.D.N.Y. 2014) (Plaintiff’s pricing information not protected as a trade secret, because information was on computers that were not password protected and were available to all employees with computer access, including non-sales personnel in the engineering and laboratory departments).
Of course, what is sufficient to retain legal protection may not be sufficient security for business purposes – the business position may demand more than the efforts be minimally “reasonable.” A security regime that keeps the data secure 90% of the time might be legally sufficient, but it is dubious if most businesses (and, where applicable, government regulators) would accept that figure.
- Assessing The State Of The Art
An IP Audit may also seek to understand the company's IP as it relates to the relevant field of technology: what is currently known by competitors and the field in general, and the direction in which the technology is developing. How different is the company's intellectual property from what is generally known in the field, and thus what value does it add? What alternatives (whether IP protected or not) do competitors offer? What new developments does the R&D department see being created that could improve or even supplant the current IP?
Such an assessment could help the cybersecurity team in several ways: (1) help further focus the understanding of what is priority IP to protect; (2) help identify competitors, and thus possible threats of breaches of security; and (3) enable the cybersecurity team to understand from where new ideas are likely to originate, and focus its security efforts there.
Both IP and cybersecurity efforts encompass the need to understand and assess how information is generated, used, and secured by a business. Although their purposes differ, these efforts can be complementary. If cybersecurity requires participation of upper-level management and application of a “business back” approach, then we suggest that IP counsel would be in a position to make valuable contributions to the security effort.
A previous version of this post appeared in the New York Law Journal, September 25, 2015