RISKVUE ARCHIVE | FEATURE STORIES

Trends In Intellectual Property Loss

Intellectual property loss may be defined as any theft or misappropriation of an organization’s intellectual property or proprietary information,¹ such as copyrights, patents, trademarks, trade dress and trade secrets. The following information from the TRENDS IN INTELLECTUAL PROPERTY LOSS SURVEY REPORT, conducted by the American Society for Industrial Security’s (ASIS) and Pricewaterhouse Cooper, highlights the importance of and methods for safeguarding proprietary information.

Types and Extent of Misappropriations

Over 45% of respondents reported some negative impact to their business as a result of intellectual property loss. The average company responding reported 2.45 incidents with estimated losses per incident of over $500,000. Total potential losses from incidents may exceed $4.4 billion for all respondents combined. According to the report, this year the total potential losses for the Fortune 1000 “may reach $45 billion by straight-line extrapolation of these results”. The report states that such figures are similar to estimates made by the FBI and other authorities.

Types of IP Losses

The companies surveyed said their highest risks were associated with customer lists/data, financial data, research and development data, strategic plans, unannounced product specs, and manufacturing data. High technology respondents believe that the unauthorized disclosure of proprietary product specifications is their greatest potential for loss, whereas financial/insurance respondents fear the loss of client lists and data the most.

Impact of IP Losses

The top areas negatively impacted by intellectual property losses included loss of competitive advantage, loss of market share, loss of revenue, increases in research and development costs, damage to corporate image, higher insurance premiums and increased legal costs. Respondents ranked damage to corporate image and increased legal costs as their greatest concerns.

Groups That Pose Greatest Threat To Intellectual Property Internal Threat

The ASIS study reaffirms what most experts on safeguarding intellectual property already know: that those persons with whom the organization has a trusted relationship pose the greatest risk. Insider corruption is still considered to be the greatest cause of IP loss, though the dynamics of this threat have changed since last year’s report. Whereas theft and unauthorized use or disclosure of proprietary information by current and former employees were the top concerns facing companies in last year’s survey, this year respondents perceived on-site contractor employees and original equipment manufacturers (OEMs)² as the greatest threat to corporate proprietary information.

According to the ASIS report, the threat of losing intellectual property to OEMs and on-site contractors is confirmed by many of the cases brought under the Economic Espionage Act of 1996. In several of these cases, the indicted individuals were formerly contracted staff members or temporary employees of the victimized company.

External Threat

Similar to last year, respondents considered external threats, such as domestic and foreign competitors, computer hackers, the media and intelligence services, to pose only a minor to low level of threat. Nevertheless, most respondents strongly agreed that the Internet, computer networks and related technologies have created significant new threats to sensitive proprietary information. Since 90 percent or more of proprietary information can be found in digital form in most companies, huge risk can be created when company systems are connected to the global Internet.

Safeguarding Intellectual Property (SPI) Programs

Most companies responding to the survey reported that they view their guidelines for safeguarding proprietary information as effective, though such guidelines are not always fully implemented throughout the corporation. The report cites cultural, legal and sociological factors as potential drawbacks in establishing effective guidelines in global corporations. A thorough intellectual property loss-control program requires a formal, company-wide policy on protecting proprietary information. Such a policy should address personnel and client issues, as well as physical security safeguards.³ The following guidelines should be included in a thorough SPI program:

Personnel and Client Safeguards

• Establish procedures for reporting losses of intellectual property or proprietary information.
• Require new employees to sign non-disclosure agreements.
• Release or make information available to employees only on a need-to-know basis.
• Inform employees of their duties to protect their employers’ proprietary information, even after leaving the organization.
• Explain how to deal with “pretext calls,” where a competitor seeks to gain sensitive information through unsolicited phone queries.
• Implement procedures on how to deal with the media.
• Conduct pre-publication reviews of technical literature produced by employees to ensure that no proprietary information is released to the public.
• Institute non-disclosure agreements with vendors.

Physical Security Safeguards

• Classify or clearly identify proprietary information.
• Conduct an audit to ensure that intellectual property is properly identified and protected.
• Issue procedures on how to secure proprietary information while off-site; for instance, during travel or at industry trade shows.
• Ensure security of data transmitted via phone, fax and e-mail, including encryption of data over the Internet.
• Restrict access to worksites through use of property passes, identification badges or physical barriers.
• Restrict access to copy machines.
• Control storage of proprietary information.
• Ensure controlled destruction of information.
• In addition to a formal, written policy, employees should receive training on protecting proprietary information as a part of their orientation with the company and such information should be included in employee handbooks.

Conclusion

The results of the ASIS report support what we at The Risk Management Letter have stated in previous issues: that intellectual property loss is a serious risk that can have a potentially catastrophic effect on an organization’s bottom line. Other highlights of the report are:

• The Internet and associated technologies are perceived as significant threats to every company’s ability to protect the confidentiality of their proprietary information.
• Businesses of all sizes are affected. Although the majority of the reporting businesses had $6–$15 billion or greater annual revenues, smaller companies were also negatively impacted by information loss.
• The greatest known losses to American companies are in manufacturing processes and research and development information.
• The number of reported incidents has increased dramatically since last year’s report.
• Consistent mechanisms and processes for determining the value of proprietary information are not in place at most Fortune 1000 companies.
• Assigning value to intellectual property, while difficult, will help determine the magnitude of loss and how much can be spent for protection.

Because insurance for intellectual property loss often is not available or is inadequate, risk identification and loss-prevention techniques should be the primary focus of any Safeguarding Intellectual Property (SPI) program. 

Copies of the TRENDS IN INTELLECTUAL PROPERTY LOSS SURVEY REPORT are available for $39.00 each by calling ASIS at 703-519-6200.

Notes
¹ The survey defines proprietary information as information that is not within the public domain and by which the owner has taken some measures to protect. While commonly referred to as trade secrets, this information is typically protected under both State and Federal law.
² OEMs are the companies that provide components, sub-assemblies and the like.
³ Of these many safeguards, respondents ranked training and employee awareness, non-disclosure agreements (NDAs) for vendors, contractors and employees, and controlled destruction of information as the most important.

riskVue | The webzine for risk management professionals
November 1999