Intellectual property (IP) might be one of the most valuable assets of your company. But if it’s not protected, you can be forgoing a significant advantage in the marketplace.
There are four major IP categories:
- Patents, which protect inventions;
- Copyrights, which protect artistic forms of expression;
- Trademarks, which protect brands; and
- Trade secrets.
Generally, the types of IP small businesses may be interested in protecting are unique to the kind of company and its core competencies. For example, businesses that are predicated on developing new products or technology will be interested in patent protection, while another business may be identified by its brands and would want to protect those through trademarks.
However, John P. Cornely, of counsel at Fay Sharpe, LLP, says it’s important to take a close look at everything — from catalog photographs to manufacturing processes — to ensure the security of all of your IP.
Smart Business spoke with Cornely about successful strategies to identify and protect IP.
How does a small business identify and track its IP?
In a small business, to some extent, you have IP being created by many people in your organization at many points in the workflow cycle. You want to be systematic about identifying your IP. When it comes to patents, consider using an invention disclosure form. These forms can be made available to employees, especially those involved in the invention creation process, and are used to collect the data necessary for completing a patent application — inventor’s names, the date the invention was created, a description and/or drawings of the invention and the location of records that support the invention, such as a hard drive or lab notebook.
Encourage your inventors to use the forms and have regular sessions to review inventions and the potential for protection. Regular review meetings can also assist in identifying and/or ranking the relative importance of multiple inventions.
This form system can be used with other types of IP to identify creations and have a way to systematically collect information about them.
What are important inventions to protect?
It’s most important to protect those that make a product stand out in the market. As a small business, maybe you don’t have the resources to file 100 patent applications and might only be able to do a couple each year, so it’s critical to identify where to best apply your resources. Find the aspects of your products that make them more valuable and desirable in the marketplace. Think of it in terms of what features of your products your competitors would like to copy and select strategic patent protections that will keep your competitors from doing so.
Should companies federally register their trademark?
Yes. There are procedural benefits to registering your trademarks that will help in potential infringement actions.
When you start using a trademark in commerce you naturally gain common-law rights whether you’ve registered the mark with the federal government or not. However, one of the problems is those common-law rights are limited to the geographic area in which you’re doing business. So if you’re selling a product in Cleveland, Ohio, under a specific mark, you only have common-law rights in Cleveland. A federal trademark registration extends your rights nationally. Further, federal registration of your trademark provides you with procedural benefits if there’s an infringement action.
And, much like patents, you want to register those marks and brands that are most important to you if your resources are limited.
What can a company keep as a trade secret?
Sometimes there may be an idea that’s not a good fit for patenting or that you don’t want to disclose, for example, like a process of manufacturing a product. Trade secrets are great tools for protecting some ideas because, theoretically, the protection can last forever while patents commonly expire after 20 years. However, the secret generally has to be something no one else can easily discover, for example through reverse engineering; you have to treat it cautiously and control its dissemination. Many small businesses may think they have trade secrets, but since they are not effectively treating them as such that information won’t enjoy the legal status of trade secret, which has certain advantages.
Some things are easy to keep secret, such as formulas and manufacturing processes, because only a few people have or can discover that information. If the information can be discovered from viewing or reverse engineering your product, you won’t be able to keep that a secret. One risk is that if your secret is discovered legitimately then you’ve lost your trade secret status, but if someone were to uncover your trade secret through theft or breach of contract, then you have a case.
How does a small business secure rights to the company’s IP from its employees and contractors?
While this is important, it’s also often overlooked. You want to have some language in your employee or contractor agreements that details ownership of any IP rights. Contrary to what some might think, it’s not always the small business that owns the rights to IP developed by contractors. For example, when hiring a contract photographer to take pictures for your website, the copyright for the work (i.e., the photographs) stays with the photographer unless you have a written agreement that says otherwise. That also extends to contract programmers who can retain the copyright for developed software absent a sufficient written contract to the contrary.
In general, it’s a good rule to have your agreements explicitly spell out IP ownership rights in writing up front.
John P. Cornely is of counsel at Fay Sharpe, LLP. Reach him at (216) 363-9000 or email@example.com.
Insights Legal Affairs is brought to you by Fay Sharpe, LLP
Telecommunications is a critical part of the business environment and always has been. As analog-based telecommunications become obsolete, the evolution of Internet protocol is the next long-term — and unavoidable — solution.
“Voice over IP (VoIP) has come a long way, improving call control and quality immensely since its infancy,” says Michael Louden, director of enterprise sales at Comcast. “As Session Initiation Protocol (SIP) technology matures, it has created a revolutionary ripple effect, setting universal adoption of IP Voice in motion.”
Smart Business spoke with Louden about how VoIP works, its advantages and what to consider before adopting it at your business.
What is the difference between analog voice and VoIP?
For analog voice, POTS (plain old telephone service) uses a dedicated path through the public switched telephone network and enables a connection as long as circuits are available. The network was designed to maintain a stable, high level of voice quality that is available nearly anywhere. POTS is still based mostly on a copper medium and one line handles one call at a time.
Voice over IP uses SIP in much the same way as the public switched telephone network and has similar clarity and consistency. However, there are fewer infrastructure concerns, as IP can run over multiple physical mediums, including copper, fiber or collective forms of wireless technology. As long as you can route IP traffic, you can use VoIP, and you can technically utilize any Internet connection to place calls. There is no limit to your call capacity, as long as the Internet protocol-private branch exchange (IP-PBX) and network bandwidth can support it. Another advantage is that restrictions and surcharges on long distance calling are minimized or eliminated.
How does a business know when to adopt VoIP?
There are a few key questions to ask that will give you a place to start when considering VoIP.
- Step back and take a holistic look at how the current phone system complements your business, specifically how it is utilized and what the critical functions are. Ask what employees like and dislike about the current system, as receptionist needs, executive management requirements and inbound/outbound call flow are important to consider.
- Look at the physical networking and switching. Most IP phones have two ports so you can connect both a computer and phone through the same wall jack. However, this limits the port speed of your computer workstations.
- Are your switches able to provide Power over Ethernet? PoE-capable phones conserve space by eliminating the need for AC power adapters. If not, then AC powered PoE injectors are options.
- If multiple offices are part of this equation, review interoffice communication, as the ability to extension dial between locations is sometimes overlooked.
- Are there field personnel who work from smaller satellite offices or remote locations? Teleworkers also impact call capacity. It might be worth having a phone system that allows IP or virtual private network connectivity, giving remote workers the ability to access the system as if they were on site.
- Consider whether to get a locally managed or hosted private branch exchange. The locally managed PBX is managed within your own organization by a telecom administrator or outsourced IT consultant. It’s a good solution for mid-sized to larger organizations because of scalability and control over provisions, features, handsets and ingress/egress call processing. It takes more initial capital investment but has lower operating expenses in the long run.
- Hosted PBX is a product powered by a cloud-based software phone switch, often good for small and mid-sized businesses, or businesses with multiple locations. Features are available to unite desktops, mobiles and telephones, and disaster recovery capability is possible. Hosted PBX is an operating expense with predictable costs per user.
- There are some core considerations when looking also at a service provider, including call quality control because voice quality and stability are directly affected by poor network performance, causing dropped calls, poor quality audio and loss of in or outbound audio. When considering price, look at the value of the provider as a whole and ask about network infrastructure and ownership, reputation with VoIP, how the implementation/installation process works, equipment requirements and package options.
What is Metro Ethernet, and how would it impact a business?
A Metro Ethernet network, loosely defined as a regional extension of your Ethernet-based LAN, connects geographically separate sites as if they were offices in the same building. You no longer have to traverse the public Internet for interoffice communication with VoIP. Metro Ethernet also has no special interfaces because most networking equipment has at least one Ethernet interface. It uses network divergence rather than converging voice and data over a single network, which can help with bandwidth availability for both voice and data.
Fiber-based Metro Ethernet enhances business continuity, performance and stability for all types of VoIP communication. The networks are scalable, resilient and built to meet the needs of demanding networking applications.
Why is VoIP the future of telecommunications?
VoIP carries most of the world’s voice traffic today. A vast majority of the advanced services you appreciate now are enabled using VoIP such as voicemail to email, click to dial, find-me-follow-me, web-based PBX administration and more. With VoIP, telephone calls can be made anywhere an Internet connection is available.
Michael Louden is Director of Enterprise Sales at Comcast. Reach him at (610) 499-2331 or Michael_Louden@cable.comcast.com.
Insights Telecommunications is brought to you by Comcast Business Class
For many companies, intellectual property (IP) – ranging from names and logos to products, websites and beyond – can be their most valuable asset. IP is protectable under federal and state laws to ensure that it will not be copied or used by other people or organizations.
IP can be separated into four main areas: copyrights, trademarks, patents and trade secrets. It is important for a company to not only identify what IP assets they have, but also to protect them, says Robert Andris, a partner at Ropers Majeski Kohn & Bentley PC.
Smart Business spoke to Andris about performing an IP audit to ensure protection from infringement.
Why is it important for a company to clearly identify and safeguard its IP?
Each one of the forms of IP is a valuable asset in and of itself. The use of illicit IP not only deprives the true owner of a sale, if the fake goods are of lower quality than the original, it can ruin or at least tarnish the image of the IP’s true owner. In some situations, when a business allows an individual or company to infringe on or use its IP for an extended period of time without contesting that use, the first owner can lose its rights to that IP.
In order to maximize the value of IP, businesses should take the steps to register trademarks or obtain patents from the U.S. Patent and Trademark Office. Similarly, the value of any copyrighted material can be maximized by registering it with the U.S. Copyright Office. Trade secrets are not registerable, and are generally governed more by state laws.
If a business or individual starts copying a business’s software, artwork, photographs or blueprints, the business who rightfully owns the IP can’t recover certain forms of damages unless and until it files a copyright registration. To protect a company’s IP to the greatest extent possible, proceeding forward with the registration process is critical. It increases the value to the company and discourages others from infringing. To further protect IP, many companies implement a protocol of performing an IP audit on a regular basis, usually every year or every two years depending on the business.
What is an IP audit, and what steps are involved?
Audits are designed to identify and determine the status of as much of a company’s IP as possible. What this generally entails is company representatives in various areas of the business sitting down with an IP attorney to identify what advertising has gone on in the past few years, what names and logos the company has been using and what products the company has been putting out on the market over a given period of time. Further, the process involves discussing whether or not there has been any attempt to obtain IP protection for names or products used, and what products in the works contain parts that are protectable IP.
For example, if a business has a base software program that it is selling but customizes for various customers, all the variations of the software should be copyrighted separately. Once an initial audit is performed to identify all the various company assets that are protectable under the IP laws, then subsequent audits become simply a matter of updating what has already been done and finding out whether the company has moved into any additional areas.
What if a business waits too long between audits?
If a business waits until after the infringement takes place in order to register its IP, it will oftentimes significantly lessen the exposure of potential harm that could befall the infringer. If a business or individual causes extensive damage for years before the rightful owner of the IP in question registers a copyright, then that owner will not be able to recover what are known as statutory damages that can range in the area of hundreds of thousands of dollars until the date that the registration is actually issued by the copyright office. An infringer still could face some exposure for actual damages if their causation can be proven with reasonable certainty, but significant power is lost in a cease-and-desist letter that a company might send to a potential infringer. If the trademark registration, copyright registration, or the patent is in existence, it will cause a potential infringer to pause and consider whether it wants to continue that business practice or discontinue it immediately until the dispute is resolved.
How can a company educate its employees about IP?
Most employment agreements have a provision in them that provides that all intellectual property generated by an employee is the property of the company. Some companies will not only set up protocols for employees, but also put in place incentives for individuals to come forward with patentable inventions. A best practice for companies is to try to gain trademark rights for a product or service before going ahead and placing a name or logo on it. Savvy companies will want to perform an IP audit to investigate whether or not anyone else has registered a name or whether anyone else is using a name that is desired.
Robert Andris is a partner with Ropers Majeski Kohn & Bentley PC. Contact him at firstname.lastname@example.org or (650)780-1634.
Your intellectual property may be safe at home, but do those patents and trademarks sink or swim once they reach international waters? Businesses may want to pursue a patent or trademark outside the United States to preclude a competitor from using their trademark or from making, using or selling whatever is protected by their patent.
“You have to take proactive steps to protect your patents and trademarks outside the United States, because coverage is generally on a country-by-country basis,” says Scott McCollister, a partner with Fay Sharpe LLP.
“For example, if you have a patent in the U.S., it doesn’t have any extra territorial effect. Trademarks are generally similar. Some countries may have common-law rights which develop based on your use in that jurisdiction, but many countries are registration-based, so you have to procure a registration through that country’s national trademark office before you have any chance to preclude a third party from using your trademark.”
Smart Business spoke with McCollister about how companies can take their intellectual property international.
In what situations would it make sense for a business to pursue international protection for its IP?
If a business is selling or anticipates selling in a particular territory, it may want to pursue patent or trademark protection in that jurisdiction.
Similarly, companies should consider procuring protection in areas where you and/or your competitor manufacture. Even if it’s not a large sales region, or if the products are shipped elsewhere for distribution, having patent protection in a jurisdiction where the relevant goods are manufactured can be extremely beneficial. If you or your competitor don’t manufacture or sell in a particular country, pursuing patent or trademark protection there is most likely an unnecessary expenditure of funds.
What are the main considerations for a business preparing to take its IP international?
Even in countries where you are commercially active, before you consider pursuing patent or trademark protection, you should do a cost-benefit analysis. Patents, in particular, are expensive to obtain and maintain. There are foreign agent fees, translation fees, government fees, prosecution fees and annuities.
Protecting a small volume of product sales in a country by filing a patent application probably doesn’t make a lot of sense if the cost of obtaining the patent is even a measurable fraction of the sales volume.
Furthermore, consider the lifespan of your product. If your product has a five-year lifespan, it doesn’t make a lot of sense to file an application in a country that takes years to grant a patent.
How can using a regional or international office reduce cost?
For each country you file in, you generally need a local agent who submits the patent or trademark application to that country’s patent/trademark office. Accordingly, for every national filing there are associated governmental expenditures and service fees paid to a local agent. However, using Europe as an example, we have the option of filing through a regional office, the European Patent Office (EPO), that has the ability to grant one patent that can be extended to any selected country within the European Community. In this manner, we can submit all patentability arguments before one examiner and employ only one European agent to perform the bulk of the work in the European region. Similarly, a significant cost savings can be achieved using the European Community Trademark Office to obtain a ‘European Community’ trademark registration rather than pursuing and maintaining multiple national registrations.
I also recommend using the Patent Cooperation Treaty (PCT) for international patent filings. One year after you file your U.S. application, you can file a PCT application. It is effectively an 18-month placeholder. I refer to it as a placeholder because the application cannot directly mature into a national patent. Rather, at the end of the 18-month period, you will need to file in any country (or region, if available) in which you are interested in obtaining coverage. Advantageously, during the 18-month period you receive a preliminary report on whether the idea is patentable or not.
This provides two primary advantages. First, if the review finds the idea is not patentable, you’ve spent a relatively small amount of money on a PCT application instead of a large amount of money filing the application in multiple countries.
Second, it buys you another year and a half to evaluate if the product is commercially relevant. Does it deserve protection or did it fizzle? It may have been a good idea at the time, but the marketplace didn’t accept it. Buying that extra year-and-a-half lets you evaluate how interested you really are in protecting the invention.
The same is true on the trademark side. Based on your company’s U.S. trademark filing, the Madrid protocol allows you to file on a worldwide basis through a single international agency, and have the trademark extended into countries you designate. A significant savings is achieved by avoiding hiring of a lawyer in every country.
What other steps do you recommend for businesses going international?
Assuming you satisfy these criteria and want to proceed, you can still be wise in how you spend your money. For example, procuring a patent in the eight countries with the largest economies in Europe and keeping that patent alive for 20 years is an expenditure in excess of $100,000.
However, if we pursue the patent in Germany, England, France and maybe a country where your competitor is headquartered (preferably through an EPO filing), we can achieve similar results for roughly half the cost. Moreover, your competitor may be unlikely to introduce product X in Europe if they are precluded by your patent from selling in a large percentage of the market. I believe with a little analysis we can often achieve the same result in Asia or South America, for example.
Lastly, I strongly encourage any company considering pursuit of IP coverage outside the U.S. to have an open dialogue regarding costs, risks, advantages, objectives and expectations with a patent and/or trademark attorney. Moreover, this is a complex topic and many of the observations outlined above are not applicable to all situations and can have certain limitations.
Scott McCollister is a partner with Fay Sharpe LLP. Reach him at (216) 363-9115 or email@example.com.
Small startup businesses and individual inventors often don’t take the necessary steps to protect their intellectual property. That can hurt them in the long run, even rendering them unable to profit from their own ideas.
“Many startups look at what it costs to achieve patent protection and they say, ‘I can’t afford that,’ but that is underestimating the value of IP and properly protecting it,” says Sue Ellen Phillips, a partner with Fay Sharpe LLP. “The U.S. Patent and Trademark Office has done startups, individual inventors and small shops a big favor by initiating the provisional patent filing option. It gives smaller entities a cost-effective route to protecting their innovations with time to explore their options for getting to market.”
Smart Business spoke with Phillips about some common mistakes startups make with their IP and how they can protect their innovations.
Why should startups be concerned about IP?
They should be concerned primarily because it can be a very valuable asset to them moving forward, whether it is in the form of a patent, copyright or trademark. If they develop a cohesive IP portfolio, it gives them an offensive position within their relevant market, and they can also use it defensively to keep others from encroaching on their market.
On the flip side of that concern, startups should be aware that there are third-parties out there with IP that may be the same or similar to what the start-up is developing, and that there are serious consequences to encroaching on the IP rights of those third-parties. Businesses can be fooled into thinking the way is clear by not seeing their innovation in the market – but that doesn’t mean someone else does not have patent rights relating to that innovation. Not practicing your patented technology does not mean you can’t enforce it against an infringer.
Also, a strong IP portfolio can become an asset you can license or sell. Maybe you have several streams of innovative ideas that come from your initial ‘a-ha’ moment. You decide to concentrate on line A, but you also have lines B and C. As you’ve grown and your business has become more focused, you have realized you don’t really want those other ideas, but somebody else might. If your IP has been properly protected, i.e. if you have patent coverage, it can be a good revenue source, whether you sell your IP rights outright or license them and collect royalties.
What options are available for startups to protect their ideas?
A lot of startups have financial concerns. They usually aren’t working with a big checkbook, so they should take advantage of provisional patent filing, assuming they meet the patent office criteria, and file for protection of their ideas right from the start, particularly for patentable technology.
Under the provisional filing procedures, you file a patent application defining your innovation. It’s very inexpensive and the patent office doesn’t do anything with it for one year after your filing date.
Nobody looks at it, and it is kept confidential, but you have preserved your filing date. You can also now mark your product as ‘Patent Pending.’ A year from the filing date, you must convert the provisional filing to a full utility application filing and the normal examination process begins.
This provisional patent application is especially appealing for startups, because it gives them a year to determine whether or not they can find backing, whether or not it is a viable idea they can take to market, whether they can find a licensee or buyer who wants their technology or wants to partner with them. Essentially, you have a year to get your ducks in a row.
When a startup has an innovative idea, what should the next step be?
The first step is to record every idea. This used to happen in lab notebooks. People would make sure everything was properly dated, witnessed and signed off on by someone who could verify it was their work. Today, that happens on a computer, but you still want to do it. Keep good records. Document your progress.
Then, there are three basic things the start-up needs to do.
1. Initiate the process to protect their IP, whether by preparing and filing a provisional patent application or a full utility filing.
2. Be sure your innovation does not infringe the IP rights of a third party. This step dovetails somewhat with the first. By conducting a state-of-the-art search or a freedom-to-operate search to be sure the way is clear for you to move forward, also known as doing your due diligence, you will be able to define your innovation in your patent application to achieve patentability over the art you find that may be close. This step also keeps you from finding out down the road, subsequent to any expenditure of time, effort and money to get your business up and running, that your use of your innovation is blocked by the IP rights of another.
3. Make sure you have appropriate documents and agreements in place to protect your ownership interest in your innovation. It’s very important for startups to ensure they have the appropriate ownership and confidentiality agreements in place with any third-party to which they disclose their innovation. An appropriate agreement provides for maintaining the confidentiality of any and all disclosures you may make to a third party, including an acknowledgement that they will not themselves use the information to compete with you or to help someone else compete with you. Depending on the service the third party is providing, it may be appropriate to provide for ownership of innovations that may be developed by them through collaboration with you and based on your IP. Also, be sure that your own associates and employees have signed employment agreements with these same provisions. You want to block off your technology as yours – effectively building your IP portfolio. Often, a startup or individual inventor will develop something that fits well with an existing business of a third party. Your first idea might be to take the idea to that company, hoping they will buy it or help you market it because it complements what they do. Especially in this instance, you want to make sure you have an agreement in place before you disclose anything, to prevent them from declining to do business with you and then walking away with your idea. Be careful to whom you disclose your ideas.
What all can be considered intellectual property?
Your intellectual property is not just your innovation. It’s not just the device or process, but also all the know-how you used in developing the innovation. That can include design, manufacturing and processing, and many other aspects, even marketing.
If you are taking your idea to a manufacturer to get it produced, you will probably disclose a lot more information during a meeting than you put on paper. You need to realize that is all part of your total IP portfolio. Be sure that when you get those agreements in place they cover everything you might tell someone, give them in a physical format, or transfer to them electronically. Everything you disclose needs to be covered, not just the plans for your device.
What are some common IP mistakes startups make?
Startups often underestimate the value of doing their research and due diligence, and making sure what they are doing doesn’t encroach on the IP rights of a third-party. If they haven’t taken a look at that and they aren’t protecting their own IP, what often happens is they put a lot of time, effort and money into turning their innovation into a going concern, only to get a knock on the door from a third-party who says, ‘You’re infringing on my patent rights’ and proceeds to sue them for infringement. The legal system does not take kindly to those who do not do their due diligence and do not respect the IP rights of others.
You can lose everything you have by not respecting the IP rights of others. Of course, if you protect your IP, you can be the party knocking on someone else’s door.
Sue Ellen Phillips is a partner with Fay Sharpe LLP. Reach her at (216) 363-9000 or at firstname.lastname@example.org.
Besides people, a company’s most valuable asset is its intellectual property. Because of this, organizations must ensure that they’re doing all they can to protect this vital asset.
Smart Business spoke with Rockie Brockway, GSEC, GCIH, GSNA, Cisco TSS/Security, the security practice director for LOGOS Communications, Inc. dba Black Box Network Services, about intellectual property and what businesses should be doing to protect their valuable data.
What threats do companies face when it comes to their intellectual property?
Cybercrime has evolved over the last two decades, from brute force attacks for bragging rights in the ‘hacker’ communities to billion-dollar black and grey market profit centers. Today, we are seeing very sophisticated tools that can control millions of hacked ‘zombie’ computers for a single purpose, like mass spamming or attacking other Internet resources. And, these tools come with 800 numbers for live tech support just like any other software you might purchase at your favorite home electronics chain. The bottom line today is that it is easier and cheaper for new or developing companies to purchase stolen trade secrets in an effort to be competitive than it is to develop it themselves, and such incentive opportunities will always create markets, legal or not. This demand translates into exceptionally ingenious ways to exfiltrate critical intellectual property from organizations and presents a large challenge for the security industry as a whole to keep up with the innovations being developed as a result of these new markets.
The other primary threat to an organization’s intellectual property is geo-political in its nature — state-sponsored hacking with the intent to gather as much competitive intelligence not only through stolen IP and trade secrets but also through business methodologies in an effort to try to get a leg up on other countries in these shaky economic times.
What are some ways data can be stolen?
Lost USB sticks, stolen laptops, improper disposal of documents, disgruntled employees, third-party vendors, not to mention targeted hacking attempts and even ‘hacktivism.’ If you can think of a vector for data loss it probably can be done. But the tried-and-true threat vector in the war against data loss ends up being the human factor and social engineering, which has also vastly improved in the last decade. Today, spear and whale phishing high-impact targets, such as CEOs, presidents and board members, and getting them to navigate to a website that installs a malicious application that hasn’t been seen before is commonplace and once that foothold is in place, a little patience goes a long way. If you look at the recent slew of high-profile attacks that resulted in severe data loss like RSA, Oak Ridge Labs and others, they all share the same MO — targeted spear phishing, malicious code execution, staying low and under the radar of existing security countermeasures and data exfiltration.
What preventive measures should companies put in place?
Process is key here, and the object is not to panic and throw solutions in place without having a clear understanding of what you are trying to protect, its impact on the business should it be stolen (or worse), the assets that support the business's critical data and the security compromises and risk the business is willing to accept — basic risk management, which unfortunately can be easily overlooked. This process defines the corporate security policies and comprises the strategic half of a good security model. The tactical half of the model is defined by these policies and needs to protect, detect and react to threats. Given the mobile nature of information technology, endpoint host protections are a must, and I am a big advocate of application whitelisting technology. If an organization has the ability to inventory and classify business-use applications, then whitelisting can be utilized to only allow those approved applications to be able to run on the user systems. For most organizations, malware doesn’t constitute a business-use application so it isn’t allowed to execute. And apart from the obvious countermeasures, such as firewalls and encryption use, identity and event correlation are also crucial to a strong security posture. Again, with the adoption of BlackBerrys, iPhones, iPads, Android devices and other mobile platforms, organizations cannot simply rely on their traditional perimeter defenses to protect their intellectual property. Security industry guru Richard Bejtlich recently tweeted that ‘identity is the new corporate perimeter’ and that is a very astute observation. On the correlation side, security information and event management (SIEM) systems gather, analyze and present information from network and security devices, vulnerability and identity management tools, OS and database logs and policy compliance tools and correlate and prioritize the data for not only lower administrative overhead but also for auditing and incident response.
How can businesses thwart attacks?
The answer to this question is almost always tied to the adjacent question, ‘Who is accountable if security is breached?’ Security is very subjective so there needs to be a powerful advocate within the organization that has the ability to fight the appropriate battles when necessary in order to ensure security isn’t glossed over as another optional insurance policy. That, combined with the adoption of an enterprise risk management program that weighs the business risks of everything from third-party vendor access to business critical assets to personal mobile devices on the business networks truly gives organizations the leg up on defending their business. One specific action that I highly endorse is the development of a real security awareness program, and not one that exists solely to satisfy a compliance audit checkbox. Regular awareness training can significantly reduce the potential for success of spear-phishing attacks and other social engineering efforts. Another idea is corporate peer groups, meetings of representatives of organizations in the same or similar verticals to discuss what they are seeing, what works, what does not work and share information security best practices and war stories. There is great value in measuring yourself against your immediate peers in terms of security statistics and practices.
What if, despite a business’s best efforts, IP theft occurs?
There are many variables that go into this equation, but in general, the process should go detect, disconnect from the Internet, determine the root cause of the data leakage, fix it, clean up and then resume operations. This is where the enterprise risk management program should already have answered questions like ‘Can the business afford to disconnect from the Internet in the event of a security incident?’ and ‘Should we make a public statement that could potentially harm our reputation?’ Your legal department should most definitely be involved in this process. Involving the appropriate local, state and/or federal authorities is a must. Both the FBI and Secret Service have been investigating security incidents for decades and are highly qualified to provide expert guidance during the investigation.
How can businesses ensure departing employees won’t take intellectual property with them?
The quick and dirty answer is through data loss prevention (DLP) systems. DLP systems give organizations the ability to classify certain data as important and then assign policies to those documents or files. Policies can range from very simple, such as blocking any outbound e-mails that contain Social Security numbers, to more complex rules, such as only members of the executive board are allowed to write documents classified as containing intellectual property to a USB drive. In reality, however, such systems can be cost-prohibitive to many organizations in the SMB market and many find themselves trying to piece together several disparate technologies with higher administrative overhead to accomplish similar results. Like security itself, the balance between capital expenses versus operating expenses is always going to be different from company to company and may dictate which controls are feasible and which are not.
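The two policies named in the answer above, written as a small rule table with a block/allow decision per event. This is an added example, not part of the interview and not taken from any DLP product; the channel names, group names, classification labels and sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Delimited SSNs only; never-issued values (area 000/666/9xx, group 00,
# serial 0000) are skipped to cut false positives.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}(?!\d)"
)

@dataclass(frozen=True)
class Event:
    user: str
    groups: frozenset
    channel: str          # "email_outbound" or "usb_write" (assumed names)
    classification: str   # label from data classification, e.g. "ip"
    content: str = ""

@dataclass(frozen=True)
class Rule:
    name: str
    channel: str
    violates: Callable[[Event], bool]

RULES = [
    Rule("ssn-in-outbound-email", "email_outbound",
         lambda e: SSN_RE.search(e.content) is not None),
    Rule("ip-to-usb-non-executive", "usb_write",
         lambda e: e.classification == "ip"
         and "executive-board" not in e.groups),
]

def redact(text: str) -> str:
    """Mask SSNs so the DLP audit log does not become a second copy of the data."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)

def evaluate(event: Event) -> dict:
    """Return a block/allow decision plus an audit record for the event."""
    hit: Optional[Rule] = next(
        (r for r in RULES if r.channel == event.channel and r.violates(event)),
        None,
    )
    return {
        "user": event.user,
        "channel": event.channel,
        "decision": "block" if hit else "allow",
        "rule": hit.name if hit else None,
        "excerpt": redact(event.content)[:80],
    }

# Constructed sample events, not real data.
SAMPLES = [
    Event("alice", frozenset({"hr"}), "email_outbound", "internal",
          "New hire SSN is 123-45-6789, please file."),
    Event("bob", frozenset({"sales"}), "email_outbound", "public",
          "Order 1234-56-7890 shipped; ref 000-12-3456."),
    Event("carol", frozenset({"engineering"}), "usb_write", "ip"),
    Event("dave", frozenset({"executive-board"}), "usb_write", "ip"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(evaluate(s))
```

The second sample shows why the pattern rejects longer digit runs and never-issued ranges: order and reference numbers in ordinary mail would otherwise be blocked.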
How can businesses best handle having facilities in areas around the world that may be attempting to steal their intellectual property?
This is a continuing and evolving issue for many global organizations. Some have taken the view that any data that is accessible by users in facilities in certain countries should already be considered as compromised. For these businesses, the strategic action plan becomes one focused on designing system and network controls with the ability to enforce the principle of least privilege on the one hand but that do not hinder any employees’ ability to do their jobs. Identity is critical in these situations, as is the ability to restrict who has access to sensitive information and control access to removable media. Some organizations are now deploying virtual desktop farms in these regions to address some of their concerns around losing intellectual property, so their sensitive data does not actually reside in these facilities. Others have decided that a certain level of data loss is an acceptable business risk of having facilities in these areas and keep their actual crown jewels under lock and key. At the end of the day, the business must make the decision on what is and is not acceptable and those decisions must be made through the organization’s enterprise risk management process.
Rockie Brockway, GSEC, GCIH, GSNA, Cisco TSS/Security, is the security practice director for LOGOS Communications, Inc. dba Black Box Network Services. Reach him at (440) 250-3673 or email@example.com.
As business owners and operators, focusing your attention on that which is most immediate and pressing to your company is an important leadership skill. Items that are not front and center in your mind tend to get pushed to the back where they are dealt with later. The recent news stories concerning WikiLeaks may seem like the stuff high-tech spy thrillers are made of, but there are some "teachable moments" we can use from all these headlines.
1. Attacks can come from anywhere. At some point, the senior executives from MasterCard did not consider WikiLeaks any significant threat. Once MasterCard decided not to fund WikiLeaks’ transactions, the company website found itself disabled at the hands of a coordinated denial of service attack. Today, supporters of WikiLeaks are being encouraged to download computer programs that will help launch cyber attacks against specified targets like MasterCard. We have now officially entered the age of cyber warfare.
2. What if? Now that we all know what it feels like to have our government’s secret correspondence exposed for the world to see, imagine what your company would be going through if its electronic information ended up published on the Internet for all to see. Safeguarding your company’s intellectual property is important; having a plan is crucial.
3. It’s always those closest to you. The Army private who is suspected of being the person who divulged all the information to WikiLeaks is now a textbook example of the type of internal threat organizations face every day. Statistically, data breaches are more likely to occur from within your organization than from outside. Having simple HR, internal auditing and corporate IT security policies can go a long way towards fending off an embarrassing data breach.
A WikiLeaks event may never happen to your organization. But the threats of data breach and cyber warfare are undoubtedly becoming more frequent and real every day. Organizations with even the most basic IT environments are now potential targets. The days where executives could bury their heads in the sand are now over. The stakes are the integrity and validity of your business, and there are dedicated and experienced opponents out there who can inflict real harm. Taking simple precautions now could save you a lot of headache later.
Charles Weaver is the co-founder and president of the MSPAlliance, the world’s largest professional association and accrediting body for the Managed Services Industry. He is also the founder and CEO of Weaver & Associates, a boutique M&A firm specializing in the managed IT services industry. Author of the book “The Art of Managed Services,” Weaver has spoken at numerous conferences around the world. Baseline Magazine recently named Weaver in the top 50 Most Influential People in Business IT.
In today’s innovative and fast-paced business world, companies have to do all they can to protect their assets, processes and products. This is why the protection of trade secrets is such a vital issue.
There are laws in most states that provide a legal definition of a trade secret. All are essentially the same; the main point is that trade secrets consist of information that derives independent, economic value from not being known to competitors or others that could use that information.
“In other words, a trade secret gets its value from not being known by someone who could benefit economically from knowing it,” says Allan Gabriel, a partner in the Los Angeles office of Dykema Gossett PLLC. “A trade secret gives you protection against others disclosing or using information that has value to your company.”
Smart Business spoke with Gabriel about what constitutes a trade secret and how a company can protect its vital intellectual property.
How do trade secrets differ from patents, trademarks and copyrights?
They differ in a number of ways, most of it having to do with what they protect. A trade secret protects know-how — how you do something. The classic example of this is the formula for Coca-Cola. Other examples include our recent success in protecting software code that processes online employment tests and a sophisticated process to design automotive components.
Patents protect inventions that are useful, not obvious, and novel or new. Trademarks protect brand names — the name the public identifies with the product. Coca-Cola is the brand name for a cola-flavored beverage. Copyrights protect the expression of ideas authored by someone and fixed in something tangible — a book, a movie, or a song, for example.
What elements of a business are eligible for trade secret protection?
A trade secret can cover a formula, a process, a method of doing something, certain customer and pricing information and manufacturing techniques. There’s no exclusive list of what can be covered — if information has independent economic value that is gained by keeping it private, it could be protectable as a trade secret.
How long does trade secret protection last?
Simply put, for as long as the information remains a secret. Take again the Coca-Cola example. The formula has been around for a long time and it’s never been disclosed, so it will remain a trade secret for as long as it’s kept private. There are stories about how the formula is locked in a vault somewhere and only a handful of people actually know it. As long as this is the case, that trade secret protection will last.
This is different from a copyright, which lasts for the life of the author plus 50 years. Eventually, books and movies go into the public domain and are no longer protected by copyrights. Take for example, the holiday movie “It’s a Wonderful Life” — no one owns the exclusive rights to it anymore, which is why you see it all over television in December. Patents, on the other hand, last at most for 20 years after the patent is filed, approved and granted.
How do the courts interpret trade secrets?
In order to establish that a business has a trade secret, it has to prove that it meets the legal definition of one. You can’t register for a trade secret and get a stamp of approval from the trade secret office. To prove that you have a trade secret, you have to show that the information in question derives independent, economic value from not being known and that the information is maintained in a secret and confidential manner. You can’t just claim something is secret if it truly isn’t.
Consider a company that claims that the identities of its customers are trade secrets. If that company posts a list of its biggest and best customers on its website, then the information is public and therefore not eligible to be a trade secret. On the other hand, if a company makes an esoteric product — maybe a particular part or electronic component — and it’s hard to tell exactly who would buy it or be able to use it, then the identities of those customers could be protected as a trade secret, since a competitor could benefit economically from knowing who those customers are.
Another interesting aspect of trade secrets is that they can be negative information, meaning they can cover what not to do. For example, if a company manufactures a particular device and has a facility that’s closed to the public, and that company has spent years figuring out what manufacturing techniques do and don’t work, information regarding the techniques that don’t work could be trade secrets.
How should confidentiality agreements be crafted to protect trade secrets?
While it’s always a good idea to have confidentiality agreements to ensure that employees keep information secret, trade secret law independent of confidentiality agreements provides such protection. For example, if I worked for Coca-Cola and was one of the few that knew the secret formula, I couldn’t legally just go to Pepsi and reveal that formula, regardless of whether or not I had signed a confidentiality agreement.
Still, confidentiality agreements are important because having them represents evidence that you truly have a trade secret. You are taking reasonable steps to designate, define and protect what you feel is a trade secret. However, make sure that your confidentiality agreements are not too overreaching — you can’t say everything is a secret, like an accounting firm saying that its use of Excel spreadsheets is a trade secret. Confidentiality agreements should be narrowly drawn, specific and understandable.
Allan Gabriel is a partner in the Los Angeles office of Dykema Gossett PLLC. Reach him at firstname.lastname@example.org or (213) 457-1706.