Whether it's a loss of client lists, source code or the recipe for a company's “secret sauce,” the theft of intellectual property by employees is on the rise, costing U.S. businesses billions in lost income and profits, security experts estimate.
Moreover, this type of theft is rarely, if ever, covered by insurance because it involves loss of intangible property.
A cyber insurance policy might help a company defend against unlawful disclosure of personal information and cover the costs associated with notification of affected customers or beefing up information technology security, but crime and fidelity policies typically only cover theft of money, securities or other types of tangible property such as parts and inventory.
Recognizing that the growing incidence of trade secret theft is adversely affecting American competitiveness, the White House in February launched its Administration Strategy on Mitigating the Theft of U.S. Trade Secrets, a major initiative that addresses external threats as well as internal threats from employees and other insiders.
“There's a lot of hype, unfortunately, around cyber crime — that the problem isn't inside the company, it's outside,” said Larry Ponemon, chairman and founder of the Traverse City, Mich.-based Ponemon Institute, which in February issued a report identifying the growing risk of malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors.
Ponemon's “Risk of Insider Fraud: Second Annual Study” found that employee theft of data and other intellectual property remains high, but only 44% of organizations view the prevention of such insider fraud as a top security priority. Contributing to the insider risk is bring-your-own-device to work, employee access to enterprise systems from remote locations and lack of security protocols over “edge devices,” including wireless routers and Bluetooth connections.
“Companies think the vetting and background checks they do on employees conclude that their people are good. They've been there a while. They have families,” Mr. Ponemon said. “They don't speak with a Russian accent. In reality, the big risk is on the inside as opposed to external.”
Mr. Ponemon cited as an example a case he investigated in which a longtime employee of a high-tech firm who had access to critical company information had lost nearly a dozen laptop computers over the course of a year.
“The conclusion the company reached was that he was absent-minded,” Mr. Ponemon said. “But when we did a deep dive, we found out this was all about data theft. The laptops contained sensitive information.”
In some cases, employees are deliberately taking confidential information with them when they leave to take a new job, according to another study on intellectual property theft conducted by Ponemon and commissioned by Mountain View, Calif.-based Symantec Corp.
“When people know they're going to leave their jobs, there is an uptick in copying of data to removable storage,” said Robert Hamilton, director of product marketing at Symantec. “People take information because they feel they have an ownership stake in it. They helped create the data, and therefore they think it's theirs.”
But this type of intellectual property theft is not exclusive to the high-tech industry, experts say.
“Sales people take lists of customers. Customer service reps take information about company products and accounts with them. Product management people take confidential product plans with them,” Mr. Hamilton said, referring to a 2009 lawsuit filed by Starwood Hotels & Resorts Worldwide Inc. against Hilton Worldwide in connection with the theft by two company executives of more than 100,000 confidential company documents and electronic files related to the development of its hip hotel subbrand W.
Starwood asserted that the stolen information provided Hilton “with the means to bring a competitive hotel chain to market expeditiously and without expending tens of millions of dollars and many years on development, thereby avoiding the inevitable and costly trial and error along the way,” according to the lawsuit. “Instead, Hilton has been able to exploit the time and tens of millions of dollars that was invested by Starwood to create these materials.”
The companies settled the suit in December 2010 for $150 million in cash and hotel management contract payments and an injunction prohibiting Hilton from introducing any lifestyle hotels for a two-year period.
“You have to identify what trade secrets you have, what intellectual property you have that are really valuable and critical to the company; and if they fell in your competitors' hands, that would be a severe blow to you,” said Richard Shea, a partner at Covington & Burling L.L.P., which held a seminar on employee trade secret theft on March 12 in New York. “It could be a formula, a customer list, an idea, a manufacturing process. Although a trade secret might be patentable (and some are), a company might choose not to seek a patent, because then everybody will know what the secret is. It's something that derives its value from the fact that you know it and nobody else does. And once you know what that is, you have to figure out how to protect it.”