As a corporate investigator specializing in the loss, theft and misappropriation of trade secrets, I have been asked by employees, contractors and other insiders caught misusing their employer’s trade secret how they should have handled the trade secret incident differently (i.e., better). I should caveat that the question usually came up as part of a comprehensive trade secret loss or theft investigation that resulted in an interview of the insider to gather the facts related to their actions and to understand why the employee, contractor or external partner mishandled the trade secret information. Identifying the insider motivation informs the [unfortunate] decision that HR, Legal and the plethora of other internal stakeholders must make regarding whether the person would be able to continue their employment. My answer was usually a simple recommendation that sounded something like “…don’t steal the information” next time.’
We all make ethical decisions based on our moral compasses that have been formed over time and chiseled by our parents, educators, religious clergy, spouses, friends, professors, bosses, peers, cultural norms and basic ideology of right versus wrong. And, oh yeah, our decisions on how we handle trade secrets are sometimes even guided by the compliance policies and procedures that have been instituted by our employers to help us make decisions when confronted with on-the-fly ethical calls.
I have found, oddly, that the idea of stealing information from one’s employer doesn’t seem to register to some people as actually doing anything wrong. It seems to be considered something of a non-event, a victimless crack in an insider’s moral character; as if taking trade secrets and other proprietary information was as natural and innocent as pocketing a couple of paper clips from the office for use at home.
But, pocketing a trade secret is a very serious offense and depending on what you do with it after you take it, can land in the unemployment line and sometimes even in jail.
I believe my left eye would involuntarily twitch when a subject of an investigative interview would reply with a comment such as “…I didn’t steal those 3,500 documents; I just copied them onto my thumb drive in case I needed them at my next job.” I often had to exercise control over my uber-developed sense of sarcasm and remind the interviewee of why his/her action could be theft from their employer’s perspective.
So, as a pseudo public service announcement, I wanted to share my thoughts on “How to Lose Your Trade Secrets (and maybe your job) in 5 Easy Steps” to help those who may not appreciate the ramifications of losing, stealing or misappropriating trade secrets. Please note that there are many other ways to implode your career by mishandling the trade secrets and other proprietary information entrusted to you, but not doing the following things is a probably a good start.
Step 1: Post Trade Secrets on Your Social Media
Social media has connected people in ways that were impossible just a few years ago. The speed at which information can be exchanged with others is only limited to how fast you can type or how many characters the app allows. However, the emergence of unfettered data exchange has increased the number of unauthorized disclosures of proprietary information posted to the various social media platforms. We all love to talk about our work and our accomplishments — and social media has provided us with an enormously-cavernous forum to share information with or without the authorization from the rightful owner of the posted information.
Employees, contractors and external partners should be aware that their organizations most likely have a primary point person (or an entire department) who has the responsibility for what information is to be released and, most importantly, when that information is be released, to the public. Premature (aka unauthorized) disclosure of trade secret information and other proprietary information can impact your organization’s ability to execute on its strategic plans, meet product development goals and secure intellectual property rights. You should consult your employment contract and your organization’s policies and procedures governing media relations, press releases and social media postings. There is a fine line between being proud of your accomplishments and disclosing company secrets without proper authorization…know where that line is and respect it.
Step 2: Collect as Much Data as Possible at Work
One of the scariest technological developments ever invented for security professionals and trade secret owners is the nefarious external storage device. You may know this category of security policy-busting devices as the “cute little thumb drive” that you picked-up as a freebie at your last professional conference.
But to trade secret protection professionals, these devices represent the quickest and easiest way to destroy your employer’s intellectual property rights, and possible your own career and reputation. Employees, contractors and external partners are often tempted to drag-and-drop documents from their employer-issued laptops onto these devices to keep copies of “their” documents “just in case”, including slide decks, spreadsheets, lab equipment outputs, strategic business decisions and some of the most important trade secrets the organization has to offer. Once downloaded, the insiders put the thumb drive in their bags or pockets and then take the devices home for safe-keeping. Unfortunately, out of the more than 15,000 external data storage devices that I have identified by make, model and serial number (thanks to my handy-dandy forensic software tool) during investigations, I have found that most people are horribly-ineffective at keeping track of the loaded devices. You lose them. And that’s bad.
You should consult your employment contract and your organization’s policies and procedures regarding the information security restrictions [guidance] related to the use of external data storage. If you can use personal thumb drives and other external storage devices at work, please make sure you know what your company’s expectations are when it comes to the transfer, retention and disposition of trade secrets and other proprietary information. It is highly unlikely that your employer or client wants you to keep a copy of their trade secret information on a penguin thumb drive at the bottom of your sock drawer, just as an example.
Step 3: Click on the Link — Any Link!
Phishing, schmishing…doesn’t your CISO know that your CEO might actually want you to initiate that $94,550 payment to an unknown company in Eastern Europe? It also seems perfectly reasonable that your CEO would use her Gmail email account to send you the request — plus the CEO clearly explained the urgency of the request and provided the specific instructions with the added convenience of an embedded link, and because CEOs have the time to get into the weeds of routine financial transactions. Sarcasm – it’s what for dinner.
Come on people! Would you chew a piece of gum that some stranger handed you on the train or bus just because the person sort of looked like your boss?!?! That would be gross and clicking on a harmful link is just as gross! You don’t know where that link has been. It’s unhygienic and it can easily compromise the security controls that are in place to protect the confidentiality, integrity, and accessibility of your trade secrets and proprietary information.
Don’t click on embedded links unless you are positive that the sender is legitimate. How do you confirm whether the sender of the email is legitimate? You verify. If the sender appears to be a work colleague, call them using the telephone number found in the company directory (i.e., do not call them on the telephone number provided in the email) and have a conversation about the email. If the sender is from outside your company, then go to their website and confirm that they are legitimate. Most importantly, do not deviate from normal procedures; if it seems like a strange request, it probably is.
Step 4: Chatter Like a Monkey at Professional Conferences
As a former man of mystery, I loved going to professional conferences in exotic locations (like Cleveland) to collect information from people using my secret weapon. No, the weapon wasn’t any Jedi mind trick or some paramilitary Jujitsu move. It was a simple question that almost always defeats trade secret protection protocols and brings even the toughest of secret-keepers to their emotional knees. The question was: “So, what are you working on?”
What are you working on? The time-tested question that elicits the most genuine of responses from almost everyone, and usually turns them into chatter monkeys, spewing more trade secret information than an intelligence officer, competitive intelligence professional or direct industry competitor can usually remember long enough to write down in the bathroom in the next hour.
Why does elicitation work? Humans are social beings; we enjoy it when another person expresses an interest in us. And thanks to globalization, economic drivers, and the never-ending-pressure to deliver quarterly results, our work has become a big piece of our being and our existence. There are exceptions of course, and there can be differences based on your job, sex, religion, and nationality; but for the most part, people like it when other people ask them to talk about themselves. And some people just love to talk about themselves — with or without professional prompting!
Especially for scientists, researchers, technicians, and executives, the opportunity to talk about their work is irresistible, and unfortunately, these are the same people with the greatest access to your innovations and trade secrets. The ego gets inflated and the encouraging head nods and clarifying filler questions of the elicitor prompt the talker to keep on chattering. Eventually, if the elicitation is done correctly, the talker will exceed his/her brief and provide too many details of their company org chart, their research project, their product in development, and/or their market strategy. Thank you very much.
You might be asking how you can prevent yourself from becoming a chatter monkey at your next professional conference, poster session or trade show. We have an exhaustive list at Trust Farm, but here are some highlights:
1. Don’t drink too much alcohol. Like all the other bad decisions in your life, trade secret loss often starts with a shot and a chaser. Avoid excessive alcohol consumption and dart to your hotel room if you feel your numb lips beginning to spew trade secrets.
2. Know your script. Ask your manager what you can and cannot say about your secret product in development, or your corporate strategy, or any other trade secret that you have in your head that might come up [and unfortunately out] during an elicitation attempt at the professional conference. Learn what to say and know your authorized disclosure limits.
3. Just say no. (aka Get off the X). It is difficult to tell someone that you cannot share information that exceeds your script. You must practice how to counter-elicit and be blunt. Practice telling people that what the elicitor is asking for would make you share a trade secret that is against your professional and personal ethical morals, against your company policy, and probably would violate Title 18, Section 1831, and Section 1832, of U.S. Code. Some people use humor or sarcasm. Some change the topic to something else — like squirrels. Others simply dart to their hotel room without explanation. Find what works for you and get off the trade secret disclosure X.
4. Know Yourself. If you are fat, ugly, and/or boring in real life, you should remember that you are fat, ugly, and/or boring in the magical land of the Conference. If you find someone chatting you up with compliments on your body, good looks, and/or interesting personality at your next conference, dart to your hotel room! While your ego might take a hit from this truth-telling, your elicitor might have been buttering you up to kick start your chatter monkey-ness, or worse, setting you up to compromise you via a blackmail scheme later [search “honey trap” for more info].
Step 5: Confess Your Trade Secrets During a Job Interview
The economy is coming back [slowly] and people are beginning to move onto other jobs with other companies. That’s great…and many people take the change in jobs as an opportunity to disclose their current employer’s trade secrets and other proprietary information to other companies [i.e., to competitors of your current employer]. Many people decide to plump-up their resumes with juicy trade secret information to demonstrate to potential employers how important their contributions have been to their current employers. Telephone and in-person interviews with competitors are also great ways to share too many details of the secret project that you have been working on for the past three years.
My favorite trade secret unauthorized trade secret disclosures occur when someone replies to a solicitation from an “executive search” consultant on behalf of an unnamed company in the industry and then proceeds to provide too many details of a project or program in the hope that he/she will get an interview for the less-than-descriptive job description with a company that may or may not even exist!
To prevent this type of trade secret loss, simply apply the recommendations from Steps 1-4 above. Know what you can and cannot say about your company’s trade secrets, and apply those rules and limits to your resume and/or employment candidate interviews.
Now that you know the 5 Steps to Trade Secret Loss, you probably have picked-up on a theme of the article. You should ask your employer how it wants you to handle its trade secrets; if they don’t know…well, recommend that they connect. On a personal level, know what trade secret information you have in your head and think about what you should or should not share with others. Finally, remember that there are people actively hunting for your trade secrets and that you are the first [and often only] line of defense.