Michael Chertoff
As corporations face a growing litany of threats to their networks and precious trade secrets, former U.S. Department of Homeland Security Secretary Michael Chertoff has this piece of advice for the C-suite: “What you really want to ask yourself is, What do I want to protect?”
Chertoff, now senior of counsel at Covington & Burling, delivered his words of wisdom on preventing corporate espionage at a firm panel discussion entitled, “Employee Trade Secret Theft: The Threat from Within.” During the same week when senior U.S. officials sounded further alarms on cyber attacks, the former cabinet member said CEOs and boards can’t simply view cybersecurity as a “technical problem.”
“In reality, decisions about cybersecurity involve profound questions of policy and governance—who gets access, what kind of devices are allowed in the network, what deserves the most protection, and what deserves less protection—that strike at the very heart of business decision making,” Chertoff said at the event, which was held in New York City.
But it’s not only digital intrusions that can threaten the sanctity of a company’s business processes, negotiating positions, research information, and other trade secrets.
“Good, old-fashioned spying and thievery remain still very important,” Chertoff emphasized. Last month, the White House released a report [PDF] outlining its strategy for mitigating the theft of U.S. trade secrets, which included examples of employee theft from companies such as DuPont, General Motors, Cargill, and Dow Chemical.
Chertoff added that safeguarding corporate secrets is a balancing act between, “what is the most cost-effective and least oppressive way to safeguard the most critical assets.” The assets that need to be most protected will differ in every organization, Chertoff said. And he cautioned that trade secret theft isn’t limited to any one industry.
“We’ve seen a wide variety of the kinds of data and information that are being extricated,” he said. “It is simply not true to believe that only high-tech companies are victims of this.”
As corporations determine just what they need to protect, they’ll also want to plan a holistic approach to information security, according to Covington attorneys.
Inadvertent actions by employees can easily jeopardize trade secrets. Among the most common threats are spear phishing (in which employees unknowingly open or download malware) and use of thumb drives, which can infect a company’s network. “Both of these are just employees not paying attention to what they’re doing,” said Washington, D.C.-based partner David Fagan.
The sharing of seemingly innocuous work details on Facebook or Twitter can also put trade secrets at risk. “We see a lot of inadvertent disclosures of private or sensitive” data through social media, said Lindsey Tonsager, an associate in the firm’s privacy and data security practice in Washington, D.C.
The attorneys also recommended reviewing company policies with an eye toward mitigating trade secret risk, such as “what controls you need to put in place for a particular individual when they’re leaving” the company, Fagan said.
While companies commonly have policies around hiring employees, he said, “what we’ve observed is fewer companies have as organized an approach in off-boarding people.”
The ability to bring your own device to work also “raises all sorts of complicated issues that have an effect on trade secrets,” Tonsager said. One policy consideration here, for example, is to make sure employees are on notice that the company can remote-locate or remote-wipe a lost device that may contain sensitive information.
Partner Richard Shea, who chairs Covington’s employee benefits and executive compensation practice, said employers should give employees advance notice with regards to privacy expectations. “You need to tell them whether they have an expectation of privacy or do not have an expectation of privacy in their use of company computers, in their use of networks, their use of email,” he said.
Providing such notice is, in part, a warning to employees, Shea said. But, in a more positive light, it also helps create an “ethos of compliance,” he said.
If employees understand that the company’s viability, and their job, “depends on protecting critical assets from being stolen or accidentally released,” Shea said, “everybody would cooperate.”
