Calculator showing risks

Editor’s Note: This article is part two of a seven-part series titled “A Business Leader’s Guide to IP”, in which we will focus on the strategies, opportunities, and impact you can achieve by integrating IP as a core element of your overall business and innovation strategy. As each article is published, we will update links here:


A Business Leader’s Guide to IP:
Part 2 – Sound Strategies to Mitigate Your Risks

 

Intellectual property (IP) is widely recognized as a major component of a firm’s valued assets, particularly within the ever-evolving and innovation-driven technology sector. However, it is precisely this value that makes IP a potential and unique source of risk.

In our last article, we provided an overview of three of the most significant IP risks to which technology companies are exposed, focusing on theft, diminished market share, and compromised leverage for licensing, financing, sale, and M&A opportunities.

Here, we’re continuing the series with an in-depth look at the first of these risks and a discussion of the strategies that technology leaders can develop to prevent and/or mitigate them.

 

The Shifting Landscape of IP Risk Assessment & Response

As technology evolves, so too do the methods thieves devise to access and appropriate IP. Where in the past the most significant source of potential IP theft was perhaps a discontented or opportunistic partner or employee with access to physical documents, today’s IP is subject to increasingly sophisticated attempts at theft from a variety of internal and external sources.

The digital revolution has widened the range of potential perpetrators from those with physical access to just about anyone with the technological savvy to breach data security systems, from current and past employees to market competitors, individual cyber attackers, and even hostile foreign states.

Beyond that, however, the scope of theft has also increased exponentially. A recent article highlights the difference in the sheer volume of data that can be stolen in one event, contrasting the 7,000 pages of top-secret Pentagon documents leaked to The New York Times by Daniel Ellsberg in 1971 to the 2016 leak of the Panama Papers which constituted 2.6 terabytes of data including 3 million database files, 2.1 million PDFs, and 4.8 million emails. The shear speed and magnitude of IP theft’s ability to cause harm has grown exponentially, which is why smart companies need to do all they can to prevent it.

 

Identify, Locate and Track Your IP Assets and Points of Risk

The first step toward preventing IP theft is in identifying your IP assets requiring protection. The best method for performing this action is to execute an IP audit. An intellectual property audit is a comprehensive, enterprise-wide review of a company’s IP assets. IP audits can enable your business to identify, preserve, and enhance its IP.

In addition, it can empower the company to make improvements in its IP management through correcting defects identified in how IP rights are defined and catalogued as well as any issues with agreements related to ownership of IP assets; identifying risks that your solutions and innovations could infringe upon another entity’s IP assets; and apply sound methods for IP asset management execution. In short, the IP audit will encompass both the IP assets themselves as well as IP agreements, policies, procedures and practices.

It’s also important to understand that, even in this digital age, there is an essential and often overlooked physicality to the presence of IP assets, often creating unseen points of risk. This is something which your Chief Security Officer or Chief Information Security Officer (CSO/CISO) can address in cooperation with legal counsel and executive management.

IP details are often contained in documents that are printed, scanned, copied and faxed — not to mention emailed, shared via Slack or Teams, discussed on recorded video calls, and more. Every one of these devices today stores and records images and data pertaining to the documents and content being processed, often transmitting that information to an offsite location or server.

Cloud applications and file-sharing services represent another essential point of weaknesses, as do mobile devices such as company-issued laptops, iPads and mobile phones — not to mention personal devices that connect to the company’s networks through popular Bring Your Own Device (BYOD) initiatives.

 

Map, Prioritize, Define and Label Your IP Assets

Once all IP assets have been identified and catalogued, it’s essential to classify and prioritize assets across the enterprise. This begins with a cost-benefit analysis of IP risks vs. costs of protection and determining what levels of IP protection should apply to a given asset or asset class. Mapping IP assets enables senior management to understand how different kinds of assets, applied to different areas of the business, can affect your risk profile.

For example, a new design innovation that consists of both engineering and user experience components and which is applicable to two of the company’s three highest-value business domains, would be prioritized very highly and warrant maximum investment in its protection. The key here is to identify the type, nature, scope and applicable focus areas for each asset, and then use a decision matrix to assign a level of value, a level of risk and a level of protection to each.

 

Labeling and Protecting Trade Secrets and Non-Disclosed Innovations

It’s important also to think of IP protection strategy in terms of two kinds of assets – those that are publicly disclosed in patent applications or trademark registrations, and those which are not, or not yet, available in the public domain. These latter include trade secrets, R&D strategies, new technologies still in development, and innovations that have been filed as patent applications but have not yet been published by the Patent Office (typically within the first 18 months from filing).

It is critical to make this distinction because once a patent application or trademark filing is published, that information is shared publicly. While still vulnerable to counterfeiting with its own set of problems, disclosure is a non-issue for anything already in the public domain. On the other hand, if a trade secret or other non-disclosed innovation or innovation strategy is accidentally or nefariously made public or counterfeited, you will face myriad problems – determining the scope and nature of what was taken; identifying and quantifying the damage against your market share and reputation if another party uses that innovation; and possibly losing your rights to the legal protection that innovation would otherwise warrant.

A critical first step for any of your non-disclosed and emerging innovations is appropriately labeling those which are sensitive and confidential assets as well as identifying the risk level associated with unintended disclosure of each of those assets. Labeling eliminates the risk of future claims that an actor simply didn’t know that a given asset or piece of information was sensitive.

Labeling is only a first step. Protecting your trade secrets requires proactive planning. Clear protocols for how employees handle sensitive information, both physically and electronically, need to be established and enforced with vigor. Employment agreements, especially for those in positions working with or developing these key innovations, must include stringent non-disclosure and non-compete clauses in addition to clearly established ownership rights in favor of the organization. Any breach of these such clauses must be demonstrably prosecuted. Agreements entered into with suppliers, manufacturers, or other external partners must include similarly appropriate clauses to maintain the secrecy and rights to the innovation at issue.

In addition to these legal and policy provisions, consideration should also be given to the development of designated facilities designed to safeguard a company’s most valuable secrets. One example is the use of SCIFs (Sensitive Compartmentalized Information Facilities) which are designated rooms/locations in which mobile devices are not allowed; walls are soundproof; digital access to wireless and wired networks is rendered impossible; and assets are cross-checked and inventoried on the way in and on the way out. Going to such lengths is not a sign of paranoia. Rather, if an IP asset in your business is worth potentially hundreds of millions of dollars, investing in its protection seems like a small price to pay when viewed in this context.

 

Create Multiple Layers of IP Protection through Defense-in-Depth

In the field of physical asset protection, security professionals often refer to the concept of defense-in-depth. For example, a nuclear power generating station may constitute a high-risk physical asset and its defense-in-depth strategy may include a variety of layers such as perimeter monitoring cameras; intrusion detection sensors; an armed guard station; vehicle protection barriers; and anti-explosion engineering for all critical structures on the site. In the same way, we can (and should) plan to apply multiple layers of IP protection as part of our IP theft prevention model.

Suppose we have a new hardware product whose core engineering is highly valuable and truly innovative, i.e. it consists of mission-critical IP assets. At the same time, this product has to be built with components made by third-party suppliers; packaged and marketed by personnel in our company from a wide range of departments and functions; and sold by distributors in multiple countries, some of whom might have the technical capability to deconstruct the product and attempt to steal both its functionality and its designs. In this scenario, how can we protect our IP with multiple layers of protection?

We begin by identifying the points of risk and then applying appropriate strategies to each element. In our example, the core innovation may consist of components that have multiple inventions that should be covered by both utility and design patents. In addition, when packaged in the unique user experience we’ve prepared, there may be further design patent considerations as well as elements to be identified and protected as trademarks or copyrights. Collectively, these protections make up the IP core of the product itself, which is now being protected from multiple angles.

In addition to these three core IP protection measures (patents, trademarks and copyrights), there is also much more to consider and act upon. As stated above, employees involved with the new project (even in non-technical departments) should be operating under employment agreements that protect the company’s clearly defined IP assets. Furthermore, nondisclosure agreements (NDAs), ownership agreements, brand protection requirements and other contractual protections should be applied to third-party partners, contractors, distribution and sales agents; and others involved in the supply chain or delivery channels for the new product.

 

Bringing it All Together

As we can see, IP risk and theft prevention starts with a well-organized strategy for IP asset protection.

Step one is to identify, locate and track your IP assets through a comprehensive organizational IP audit. Step two is to then map, prioritize and label those assets based on their sensitivity and the risk their public disclosure poses to the business. And step three is to capture the best practices from proven security philosophies such as ‘defense in depth’ to create and manage multiple layers of IP protection, applied at the correct level of intensity based upon the risk profile and enterprise value associated with each IP asset.

By taking this systematic approach, you position your enterprise with strength when it comes to pursuing growth through the power of innovation in a high-risk world.

>> Please join us for the next article in this series,
A Business Leader’s Guide to IP: Part 3 – Combating Theft of Your IP Assets <<

 

Michael Dilworth

Image Credit: Mike Lawrence (Flickr @ Creative Commons)


This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. The opinions expressed in this article are those of the author only and are not necessarily shared by Dilworth IP, its other attorneys, agents, or staff, or its clients.