You’re hiring! You’ve got your eye on this whizzbang software developer who has a track record of creating applications that are always on the vanguard of your technology niche. You do your homework, scrape the net for any detail which may allow you to craft an offer which floats his boat. You make an offer, and your new employee walks through the door two weeks later. Nirvana? Right?
Probably, maybe, should be - but it all depends on your onboarding. Far too often, onboarding, even for those companies which are deep into the security and cybersecurity sectors, is limited to pay, benefits, and responsibilities. Many include company culture and some include a security/privacy brief. Paperwork for new hires may include a non-disclosure agreement, an intellectual property (IP) declaration and any other special requirements germane to the position.
Does your intellectual property declaration form include the admonishment, DO NOT BRING THE INTELLECTUAL PROPERTY OF OTHERS, or similar verbiage? If not, it should. You want to make it clear during onboarding that the intellectual property of others should not be brought into the company. There are, unfortunately, many individuals who believe that if they wrote the code or designed a board, they own their employer’s intellectual property (absent an agreement so stipulating).
There are few experiences less enjoyable than to have to take a product off the shelf or pay outrageous royalties and fees for illegally using someone else’s intellectual property, because a member of your team inserted their code or design into your product.
Do people really do this? Sadly, with great regularity. Companies should continually scrape their own network for documents, designs and other evidence of the intellectual property of others being stored or made available on their networks.
If found, corporate legal teams should ensure the information is returned to the rightful owner, an apology provided and the items removed from the company’s infrastructure. In addition to those actions, they must deal appropriately with those responsible for the violation of the intellectual property declaration form concerning the inappropriate use of the intellectual property of others.
Employees aren’t permanent fixtures. They come and they go. When they leave, either voluntarily or involuntarily, you need to have in place capabilities to protect against intellectual property theft.
Currently, there’s an ongoing saga in the courts in which one entity in the autonomous vehicle sector accuses another of having and using its intellectual property. The uproar surrounds the allegation that a departing employee lifted the intellectual property on his way out of one company and allegedly used this information to create an independent and competing entity. The courts have recommended the case be referred to the Department of Justice for review of intellectual property theft.
Another case, also in the courts, involves a few employees departing from a game development company and moving over to a competitor. The complaining company alleged, in no uncertain terms, that when the employees left, they left with their employer’s intellectual property in tow. The company shared with the court its forensic review of the employees’ activities prior to departure, indicative of their having lifted the company’s data.
These cases are examples of companies that have internal processes in place to potentially detect the acquisition and retention of company information by departing employees. In the gaming company’s case, they produced for the courts signed documentation from the employees attesting that no intellectual property was being retained by the departing employees.
Minimally, every departing employee should be reminded of their non-disclosure agreement responsibilities post-employment. In addition, every departing employee should be required to return all of the company’s intellectual property and provide an attestation to that effect. Some entities retain the storage devices of all departing employees for a fixed period in anticipation of potential future forensic review. Each entity has its own comfort level.
Every entity should have, in-house or on retainer/call, the investigatory forensic capability to support the off-boarding process. This capability should, of course, include the ability to forensically dissect any storage device. It should also include the ability to review the data access records across the enterprise for a fixed period prior to the employee’s departure.
Investing a bit of time and attention to detail at the time of hire and departure will go a long way to keeping your intellectual property yours.
About Christopher Burgess
Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).