Saving Your New Intellectual Property from Theft
Patents, trade secrets and confidentiality agreements are mere words on paper to the scientist, engineer or executive intent on deception and theft.
And if you have outsourced your research & development efforts overseas to countries with unenforced intellectual property laws and cultural norms that ignore individual property rights, then the intent to deceive and thieve isn’t even present — in their eyes, your intellectual property may already be their intellectual property.
Rise in IP Theft
Every other week seems to bring out a story of industrial espionage — in aerospace, technology or biopharmaceuticals. A Kiplinger news story in January 2007 noted that cyber-thieves are increasingly working behind the scenes to sell and deliver American and European company secrets to overseas competitors.
In the meantime, there has been a rise in overseas outsourcing from pharmaceutical, medical device and biotechnology companies looking to reduce expenses. While some of this is in manufacturing, the majority of outsourcing so far has been in research & development and in clinical trials, providing non-company personnel direct access to a firm’s developing intellectual property.
At the end of 2007, the Department of Commerce’s International Trade Administration released its summary of countries with whom it is struggling to advance US intellectual property protection. While China may come as no surprise, few executives are aware of the second-class status of their intellectual property in India, Israel, the Philippines, Thailand and Mexico.
While these reports set the stage on the international scene, what is also on the rise is trade secret theft inside a company. Recent lawsuits involving former executives of medical device firm Kinetic Concepts, aerospace giant Boeing and tech firms Quantum3D and SAP should give you pause for thought.
Joel Brenner, former national counterintelligence executive in the Office of the Director of US National Intelligence, has discussed in recent speeches a great shift toward increasing espionage reliance on private sector employees. His main point: employees of US and European companies can make quick cash by selling electronically-stored documents to overseas organizations simply through a few email clicks and web-based payments.
In my November 2008 webinar, Preventing Intellectual Property Theft by Contractors and Partners, I gave attendees the current estimated marketplace value of different components of confidential information – from private contact information all the way through prototype blueprints and the formulation of a promising new drug or biologic.
Gone are the days of dark street corners and cash-laden briefcases; today, IP theft occurs with the click of an email and an online bank deposit—it’s far safer, far faster and far more difficult to detect.
So what to do?
Decide What to Protect
When called in to conduct an audit of R&D controls or IT controls (usually under the guise of a mock FDA audit), one of the first items I ask my clients for is a list of the types of information they consider critical to business operations. After more than 16 years, not a single executive has shown me even a simple list typed on a single sheet of paper. If you do not know what you need to keep safe, how do you expect to protect it?
The first step is to identify the information you need to protect. Consider prioritizing your efforts on truly proprietary information such as unique processes, formulations, home-grown software, customer details, and so on.
The simplest way is to ask your colleagues, “What do we have that gives us a competitive advantage (or will allow us to have a competitive advantage, in the case of new products) that no one outside of our company knows about?” I also encourage you to ask your outside counsel and patent attorneys; they will also be able to give you specific insights, especially if you have not put all of the details in your patent applications.
When you’ve identified this information, it is time to explore where that information exists. Sadly, you may be in for a surprise.
Segregate SOP Information
In an ideal world, no one individual would be able to put together the puzzle pieces of your intellectual property by themselves. Unfortunately, in their zeal to detail out procedures, quality departments inadvertently place step-by-step instructions for recreating intellectual property in standard operating procedures (SOPs).
I have seen this most often in SOPs that tackle formulations, mixing, assembly (for medical devices), and even in-process or post-assembly quality testing.
Conduct a review of your SOPs that relate in some way to your intellectual property. Look for any detailed Step 1, Step 2, etc. processes that would give a knowledgeable person enough to duplicate your product … or get 90% there.
Revise your SOPs to eliminate any trade secret-revealing step-by-step details, making sure to still capture the process and its regulatory and quality requirements. This is a fine line to walk, but a necessary one. If you are not sure how to go about this challenging task, bring in an industry expert.
If you are using a contract manufacturer (CMO)—especially for new product pilot production or clinicals—this review (and revisions to SOPs) is absolutely essential. You may also want to take this review one step further and look at the CMO’s internal SOPs related to production of your product. Their SOPs may very well spell out your IP in step-by-step fashion. If nothing else, this should be part of any supplier quality due diligence or critical supplier audit program.
A 2002 study from the University of California-Berkeley’s School of Information calculated an interesting ratio: for every piece of information available in front of you, there are an estimated ten pieces of directly related information (rough drafts, notes, raw data, copies, various iterations, presentation summaries, etc.) stored elsewhere.
Think about this in the context of a blueprint or formulation of a new product yet to be launched. Do you know where in your company – or in your development partner’s company – all the various iterations of that blueprint or formulation are stored? What about those left accidentally lying about? If I were to tell you the number of times over the past three years during mock FDA audits I’ve conducted during which I found very confidential documents lying in open, shared areas near copiers and printers, you would have a pretty precise idea of how many audits I’ve conducted.
I recommend to my clients that they work with their legal counsel, records management groups, information technology (IT/ICT) teams, and development project personnel to put together a matrix of their stored intellectual property to ensure they’ve accounted for it all – and have published policies and contractual terms and conditions that govern its control. This can be a lengthy process, but if you know exactly what to do and how to do it, then it can be easy. In corporate workshops and consulting engagements, I caution that while perfection is ideal, a capture rate in the 90th percentile is usually “good enough.”
Communicate to Personnel
If your personnel – particularly those that deal with outside vendors and suppliers – do not know that particular information is confidential, they may not know not to share it (or at least to ask permission before sharing it).
This does not mean you spell out the particulars of your trade secrets or intellectual property, but rather you note that (in the case of a drug, for instance) the formulation is considered highly confidential and will only be shared with certain individuals. I recommend you also clarify that information supporting the creation and testing of the product “may be confidential as well” and provide a point of contact (such as your patent counsel) to seek further clarification. While stating that something “may be confidential as well” is not akin to marking it “confidential” or “trade secret,” I’ve found that this ambiguity (“Hmm…is this confidential too?”) does give people pause, and thus serves as another check on critical knowledge leakage.
Work with your computer department to ensure that access to the information is restricted and monitored. In the stories I tell in my corporate workshops, I make it clear that simply restricting access is like expecting a locked door to prevent burglaries. Some level of monitoring is necessary to deter a would-be thief, stop them in the act, or catch them afterward. While there are many tactics to take advantage of French philosopher Michel Foucault’s Panopticon theory when it comes to preventing intellectual property theft, one of the first is informing all personnel that the company has monitoring in place, just as a burglar alarm company places a “protected by” sign out in front of a building.
Deciding what to protect, finding it, communicating its importance to personnel, and then ensuring your SOPs are not inadvertently providing step-by-step trade secret recipes are only a few of the tactics to master when it comes to saving your intellectual property from inadvertent disclosure or theft. Fundamental to all of this is recognizing that the greatest threat is not without, but within.
Ignoring the realities of internal risks ignores reality: employees do not work for you for their lifetime; contractors come and go; and outsourced partners grow stale. In the end, money is always more tempting than any corporate mission statement.
Are you ready?
Adapted from an article published in SmarterCompliance 2(2), February 2008