In this Q&A, we talk with James Pooley about his new book, Secrets: Managing Information Assets in the Age of Cyberespionage. James has a wealth of experience in information security and intellectual property law. In 2009, he was appointed by the White House to a five-year term as deputy director general for innovation and technology at the World Intellectual Property Organization, a specialized agency of the United Nations. Prior to his service at WIPO, Mr. Pooley was a successful trial lawyer in Silicon Valley for more than 35 years, representing clients in patent, trade secret, and technology litigation. He has also taught trade secret law at Santa Clara University and at the University of California, Berkeley. He is a past president of the American Intellectual Property Law Association and of the National Inventors Hall of Fame, where he currently serves as chairman of the board.
Q/ Jim, you have spent many years teaching, speaking and writing about trade secret theft. How has this issue changed over the years and what makes it so important and difficult to address today?
When I first started working with clients in the early 1970s, the most threatening technology was the photocopier, and security mostly consisted of watching who went in and out of the building. The Internet and mobile technologies have changed everything. Today there are thousands of ways that confidential information can be lost or corrupted, and this shift has occurred at the same time that the importance of trade secrets – in absolute terms and relative to other forms of IP protection – has increased dramatically. As a result, care for information assets is no longer just an IT issue but has to be directed from the top of every organization.
Q/ Tell us about your book – what are the key takeaways?
Even though there are excellent tools available for network breach detection, the ubiquity of threats, particularly the classical threat of internal carelessness, makes management – of people and of relationships – more important than ever. It is through good management that organizations can solve the paradox of having to protect their most valuable assets while simultaneously sharing them in global collaborations. Thoughtful strategies and careful management will also help reduce the risks that come with handling sensitive information of others and increase the opportunities for successful exploitation of the company’s competitive advantage. And although we often hear about trade secrets only when there is some sort of dispute, most lawsuits result from mistakes and misunderstandings that can be avoided. Secrets tells managers how to act on these ideas and provides context for the judgments they have to make every day in dealing with information assets.
Q/ In your book, you talk about security risks associated with the digitization of information. What steps can companies take to mitigate risks?
The first step is to understand just how much your data risk profile is changing. It’s not just the pervasive hacking, but also your employees’ mobile devices connected to the network, together with your trusted partners – often in foreign countries – who have access to your information. A comprehensive and continuing risk assessment will expose how these shifting relationships challenge your data security. External threats should be met with breach detection tools and a response plan that are adequate for the company’s exposure, but the internal threat needs broader attention, ranging from staff training to access controls, to NDA management, to travel hygiene.
Q/ Another issue you address is avoiding liability for having someone else’s trade secrets. In this era of joint ventures, open innovation and employees moving between companies, how can companies avoid this scenario?
Information security used to be about keeping the company’s secrets inside. Now it’s also about keeping them free from contamination by unwanted data. Mistakes can shut down a product line or even send executives to jail. Company policy needs to be clear about respecting the IP rights of others, and it has to be enforced in the hiring process, where managers sometimes prefer people who have inside knowledge of the competition. And special attention should be focused on consultants, who may have trouble keeping their skills and insights separated from another client’s confidential information. For collaborations, success depends on clear agreements followed by aggressive contract management to ensure that the data are always where they are supposed to be.
Q/ At CREATe.org, we promote a ‘management systems’ approach to trade secret protection. We recommend that companies embed the protection of trade secrets and intellectual property (IP) into business operations across an organization – from controlling access to confidential information based on ‘need to know’ criteria, to exit interviews, training, instituting a cross-functional team to manage this issue and other actions. Are these some of the same best practices you highlight in your book?
Yes, they are, and I specifically advise those who are new at this effort to consult CREATe.org and its excellent materials. Another place to get inspiration is the NIST Framework. Although it resulted from concerns about protecting critical national infrastructure, it can apply flexibly to the information security needs of almost any business. And the NIST Framework, like the CREATe.org approach, is designed to mesh with the organization’s existing internal controls and risk management structures. These sets of best practices reflect an important reality in modern business: protection of information assets is not solely a security function, but requires strategic and operational involvement of all areas within the enterprise.
Q/ In your book, you talk about striking the balance between sharing enough information with employees and third parties to keep the “fires of creativity burning” while still guarding vital secrets. Can you provide some examples of how to do this?
We need to recognize that today’s most creative employees are also members of the “Facebook Generation,” trained by social media to want to share information and to deal casually with networks. The single most important – and cost-effective – way to deal with this reality is training. But it has to go beyond watching a video at orientation. Security education needs to be continuous, varied and professionally done. Managers’ direct participation and the use of real-life scenarios will reinforce the message: this is about preserving jobs. As you point out, there’s often a balance to be struck between security and creativity. But it doesn’t need to be a zero-sum exercise. The success of companies like Apple and Google, where secrecy works to protect unannounced products or “moon shot” projects, shows that smart people can understand the value of keeping vital information inside the organization. Besides excellent training, people at those companies are provided an internal environment in which innovation is encouraged and recognized, and teams are well managed to ensure respect for different perspectives.