A few years ago, the Symantec Corporation and Ponemon Institute released the results of a survey of employees working for companies in six countries, including the U.S., Brazil, China, France, Korea and United Kingdom. The results were remarkable. They should place every chief executive on notice of the risks of data security breaches her company confronts from internal sources, and the importance of taking affirmative steps to protect your company’s trade secrets from theft by its own employees.
So What Did the Survey Find?
- 50 percent of employees who left a job admitted to taking their former employer’s confidential information.
- 40 percent stated they plan to use that information in their new job.
- 42 percent stated it was acceptable to take the software code they wrote for their employer because they’re entitled to an ownership interest in their own work.
- 44 percent stated the person who developed the software should have the right to re-use the code for another company.
- Only 38 percent stated their manager views data security as a business priority.
- 47 percent stated that their organization takes no action when employees take sensitive information.
- 51 percent think it’s acceptable to take their company’s data because the company doesn’t strictly enforce its confidentiality policies.
These results make clear that companies are not doing enough to educate their employees about the value of their trade secrets. They’re also not doing enough to enforce their own intellectual property policies to reduce the risk of theft.
If you want to prevent departing employees from taking your company’s trade secrets to other companies with whom you who compete —intending to use those secrets in their new jobs — you must establish a clear set of trade secret protection policies. Moreover, your organization must then act quickly, consistently, and decisively to enforce them, before trade secret theft happens, because remedial action is extremely expensive and rarely fully effective.
There is no other area of your company’s business operations like the protection of intellectual property where an ounce of prevention is worth a pound of cure.
What can you do to prevent your employees from stealing your company’s trade secrets? There are a few things that are crucial.
Create a company culture that respects intellectual property rights and ensure that employees understand their obligations to the company to protect those rights. Start your prevention efforts the moment you hire each employee by inculcating them into that culture.
Require every new hire to sign an employee agreement that recites and explains the employee’s obligation to protect the company’s intellectual property rights.
Adopt an information security policy that explains that each employee is personally responsible for safeguarding the company’s trade secrets and intellectual property. The policy should make it clear that all employees have an affirmative obligation to report potential misconduct by others, which is essential to a comprehensive strategy to protect against employee theft of trade secrets.
Consider adopting a policy to discipline and discharge employees who violate your company’s trade secret protection policies. This type of policy puts employees on notice when they fail to meet the company’s expectations and gives them an opportunity to meet those expectations before being disciplined or terminated.
Consider adopting a code of conduct that every employee must agree to follow. At a minimum, the code should explain the importance of IP to the company’s development of new goods and services. It should instill respect for all companies’ IP rights, not just yours. It should explain the purposes for which the company’s IP may be used, and the prohibitions on its use. It should make clear that employees must preserve the confidentiality of IP while working for and after departing the company.
You and your management team should consistently and regularly communicate to your employees that protecting the company’s IP is central to the company’s mission. Use in-person meetings, videos and internal webinars to deliver the message. Your message should educate employees in the basics of IP protection, including types of IP, security policies, consequences of failing to safeguard the company’s IP, importance of reporting suspected violations, procedures for departing employees, responsibilities of line managers and BYOD policy.