The theft of U.S. trade secrets was costing American companies billions of dollars a year in lost sales when President Bill Clinton signed the Economic Espionage Act into law on Oct. 11, 1996. Although theft of proprietary data and products has been designated a federal criminal offense, it occurs every day, according to John C. Smith, president of the John C. Smith Group High Technology Investigations & Security Consulting of Silicon Valley and Roseville, Calif.
For eight years, Smith served as the senior criminal investigator for the high technology theft/computer crime unit in the Santa Clara County District Attorney’s Office, working high-technology crime in the Silicon Valley. Smith also helped thwart perpetrators of industrial espionage as corporate security manager for Netscape and myCFO; additionally, Smith served as a senior investigator for 3Com.
Smith investigated one case where a disgruntled former employee gained access to the corporate network through a security hole, erased the manufacturing database and made hidden changes in the system, which halted operations for two days.
In another instance, an unscrupulous individual wanted schematics and manufacturing/process information to establish a competing company. He hired an employee from the already existing company as a consultant, who, in turn, brought the needed information to the new company.
There was also the case of the business associate who paid a professional visit to a company, downloaded its entire customer database onto his laptop and sent it to his company in Europe.
One devious employee acquired proprietary documents regarding his employer’s new technology before quitting and obtaining jobs where he used the documents to advance within the new companies.
Particularly in an industry that relies on creative solutions, it’s easy to find manufacturers and distributors along the independent supply channel with their own war stories. Years ago, two “toner salesmen” found wandering around inside the back of Phoenix-based Trade Printers’ production plant turned out to be employees from a competiting company who were checking out Trade Printers’ patented integrated label design. According to Gary Stewart, co-founder and owner, the competitor subsequently launched its own integrated label. Even today, Rick Heinl, president of Repacorp Label Products, Tipp City, Ohio, is currently preparing a legal battle to protect one of his company’s proprietary label products.
Industry innovators such as Special Service Partners, Neenah, Wis., and Chicago Tag & Label, Libertyville, Ill., pointed out that the very process of providing quotes on custom-designed solutions can put proprietary products at risk. Once end-users have been supplied with a proposed design solution and pricing, there is little to keep them from sharing the sensitive information with a distributor’s competition to see if another source can provide the product at a lower rate.
But, as Smith pointed out, “In today’s business environment, where many businesses rely on personal computers and use the Internet to conduct business, some of the most devastating losses are caused by people authorized to be inside a business. Studies, and my experience investigating trade secret thefts in Silicon Valley, have shown that practically all of the thefts and illegal copying of proprietary data, such as client lists, financial data or other types of important, confidential information, have been done by employees and other people employed by the victim business who had access to the network.”
Smith has even worked on cases of disgruntled employees who deleted company data and then tried to negotiate a raise or other compensation to return a copy of the deleted data. “In many instances, erased data may be recoverable by a computer forensics expert. In several proprietary theft cases, I was able to recover deleted files that showed former employees had developed business plans for a new competing company, as well as documents showing clients how to switch to the new company,” he added.
The good news is that there are criminal and civil laws for companies to pursue in an effort to recover misappropriated datum and to prevent it from being used against them. Of course, the best defense is a strong offense, and for most organizations, this means education and preparation throughout the enterprise. In 2004, Smith complied a document titled “Reporting & Planning Guidelines—Industrial Espionage & Network Intrusions” (available at www.jcsmithinv.com) that serves as a valuable tool for those looking to identify and protect against unscrupulous acts. The guidelines include important “Dos” and “Don’ts” that apply wherever valuable proprietary data need to be protected, whether it is sophisticated software or dynamic label designs.
For example, in both civil and criminal cases, for proprietary material to be considered secret, organizations must be able to prove that adequate steps were taken to protect it. Such steps include requiring non-disclosure agreements of employees, contractors and others with access to the protected material, and requiring non-employees to sign contracts describing their access. Companies should also conduct thorough exit interviews and collect all documents from terminated employees. Other suggestions include:
• Maintaining secure and locked facilities
• Requiring badges for employees, and visitor passes and escorts for all outsiders admitted into the facility
• Ensuring that all sensitive documents are marked and numbered, and maintaining logs tracking who is issued what documents
• Utilizing a need-to-know policy on who can access proprietary material, and restricting on a need-to-know basis access to networks where proprietary data are kept
• Password-protecting computers and networks where important data are kept
Smith also cautioned against immediately confronting or speaking with suspects, thus avoiding an opportunity for them to hide or destroy evidence, yet stressed the need for quick, covert action. “It has been my experience that in most technology theft cases, more technology has been taken than was originally thought stolen,” he noted. “Immediately consult corporate security managers and/or local law enforcement agencies to learn your options before evidence can be lost. When appropriate, file a civil law suit and seek an injunction. Also, secure evidence—including locking away any computers that may have been used—and establish a chain-of-possession to ensure that it is admissible.”
Smith went on to say that an organization is less likely to be victimized if it adopts security policies to protect systems and data, makes security policies known to all in the organization, makes methods for reporting suspicious incidents easy and confidential and plans its reaction to intrusions and losses. “Written plans should be approved by corporate legal, corporate security, management and the computer/network manager,” offered Smith. “Organizations should also involve employees in their plans’ development, since employees know organizational weaknesses and how to exploit them.”
Making it known that offenders will be criminally and civilly prosecuted can’t hurt, either. “Analyze the major threats to the organization and consider how to deal with them,” continued Smith. “These will most likely include persons authorized to be on the premises.”
Headquartered in northern California, Smith accepts inquiries from across the country. He can be reached via e-mail at john@jcsmithinv.com or by cell phone at (916) 768-7533. “However, if you suspect you have a problem involving an insider, I suggest you phone rather than e-mail,” he advised.