Naomi Fine is founder and CEO of Pro-Tec Data, and the author of Positively Confidential: 10 Proven Steps to Protecting Confidential Information, Private Data, and Intellectual Property in Today’s Interactive Business World.
It’s scary to imagine your company sharing its most precious secrets with a group of people as large, diverse, and unrelated as a village. It would be much more comforting to imagine your business world as a place where only a few trusted insiders, who know each other from working together for years, hold the keys to your company’s competitiveness. Yet, most of what your company does to design, manufacture, market, sell and maintain products and services requires a village – a collaboration among employees from various functions, along with contractors from several agencies, and vendor representatives from product, material and service suppliers. This often globally dispersed and temporal village creates and shares information and ideas, some of which are trade secrets. If just one person in that village, whether a company employee, contractor, consultant, or customer representative, fails to adequately protect the information, its value and its potential for becoming intellectual property are lost.
But why worry? In most cases these corporate villagers are bound by nondisclosure agreements (NDAs). Doesn’t an NDA ensure that each individual who signs one will maintain the secrecy of information?
While an NDA is an important legal contract that binds the signer to keep confidential information confidential, it typically does not provide clear guidance about how the signer should accomplish this responsibility. In the course of my work over the past three decades as an expert on trade secrets and information protection for hundreds of Fortune 2000 companies, I have reviewed thousands of NDAs. Yet I have seen fewer than a handful that have included answers to any of the following questions:
• How should the recipient determine if someone else needs to know the information?
• Should the recipient treat different types of confidential information, with different levels of sensitivity, differently, and if so, how?
• How should the recipient classify and label confidential information?
• What digital security should the recipient apply to the information? Is a password sufficient?
• What physical security precautions should the recipient take? Is a locked drawer required? Can the recipient travel with the information?
• How should the recipient store and dispose of the information?
These are only a few of the many questions that should be asked and answered by collaborators who develop, access or share confidential information. If your company doesn’t empower all collaborating villagers to answer the questions, your company risks forfeiting its trade secrets and competitive advantage.
One of my firm’s Fortune 500 software development clients did their best, using technology, to create an environment where individuals would not need to ask and then provide subjective answers to these questions. They set their information technology systems to restrict electronic access to their research and development servers to only those who were authorized to receive the confidential software, files, and folders stored on them. The senior manager for a very sensitive project had both the server and documents for the project encrypted. An administrator inserted a footer on all document templates so that they included, by default, the appropriate information classification and confidentiality notice for the project files. Yet, despite these and physical security safeguards the company had in place, information about their secret new project was leaked to the press.
Each individual villager had signed an NDA, yet few knew what specific safeguards they, individually, should have applied to the highly sensitive information. Several (in addition to the contractor who disclosed project information to the journalist) did not understand that revealing positive news about the project to a reporter was inappropriate and likely to cause the company to suffer severe damage.
The “village” was a project team of qualified, high-functioning collaborators including contractors (one was a company retiree), several consultants, a supplier, and two interns, all of whom were familiar with the project conceptually, although they didn’t all have access to all of the confidential project files on the project server. Twenty-seven out of 30 employees on the project had received information protection training. Of those, only six had received the training during the three years prior to the leak. The retiree had not received any instruction about how to protect company confidential information since long before his retirement, which was two years before the incident. Neither the consultants nor the interns had been given any instruction on how to protect the company’s confidential information. The supplier had been given “Supplier Guidelines” along with a copy of the NDA he signed with his employer. The “Supplier Guidelines” included directives similar to those in the NDA, such as “use at least the same degree of care to protect Customer information as you do to protect your own similarly sensitive information, but in no case less than reasonable care.” When I asked one supplier representative how he interpreted this directive, he confided that he had “no clue what it meant.”
The leak cost the company its time-to-market lead for a new product, tarnished the company’s stellar industry reputation, and caused the loss of valuable intellectual property. The contractor who leaked the information, and his company, were terminated by the company.
Prior to this devastating incident, the company was reluctant to invest in helping their contractors, suppliers and interns to protect the company’s information. They reasoned that information protection education for non-employee workforce members should not be their responsibility.
It doesn’t take a big investment to give collaborators the reason and recipe to prevent costly, embarrassing, and avoidable losses as they innovate, solve problems, and create intellectual property. But it does take engaging the whole village.