A Practical Approach to Protecting Trade Secrets

CIO - Trade secrets are increasingly becoming a company's most valuable assets, and not surprisingly, threats to those assets have increased concomitantly. The greatest threat to company data is, of course, not outsiders but a company's own employees A company's ability to protect against rogue employees (as well as against unintentional harm) is governed by both federal and state laws, which vary by jurisdiction and, worse, are in a state of flux in many of those jurisdictions.

As with most security challenges, it isn't possible to eliminate the threat. But working together, your IT department and company counsel can and should maximize the establishment and implementation of trade secret protections. Here's how:

Define the Problem

Your company must understand the scope of the problem in order to mitigate its effects. A "trade secret audit" --which includes steps similar to those in any security audit--is a critical tool your company can use to ascertain what confidential information it currently has. Confidential information is defined more broadly than true trade secrets.

To read more on this topic see: Fed Agencies Push New Security Audits and More Than Half of Fired Employees Steal Data.

Though they come in all shapes and sizes, most trade secret audits include the following elements: (i) determination of which information ought to be protected; (ii) review of the procedures already in place to protect that information; and (iii) analysis of the sufficiency of those protections, including identification of gaps in the existing protections, both generally and as applied to the specific information to which the gaps pertain.

The sufficiency of the existing protections turns largely, on the value of the information along with the practical need for and cost of properly protecting it. For example, while Coca-Cola quite properly takes extraordinary measures to protect the secret formula to Coke, no one would expect Coca-Cola to take similar measures to protect trade secrets with only marginal value.

Establish a realistic protection program

After your company has completed assessing the scope of the problem, you can develop a comprehensive protection program. Such a program commonly involves a combination of policies, procedures, and contracts, as well as the IT infrastructure necessary to support each. While these programs share many general characteristics, each is unique to the particular requirements of your company, including the nature of your company's confidential information, the number and circumstances of your company's current and planned personnel, your company's corporate culture, available financial resources, and overall IT infrastructure. In its most basic form, a proper protection program involves:

(1) computer safeguards, including appropriate levels of access

(2) security measures for all electronic technologies such as USB drives, flash cards, smart phones, FTP sites and social media sites)

Reprinted with permission from

This story is reprinted from CIO.com, an online resource for information executives.
Story Copyright CXO Media Inc., 2009. All rights reserved.