Hardly a week goes by without a new hack or cyber breach being reported in the news, and companies are spending a lot of time and attention on improving their IT security. But as companies set out to “raise their game” in protecting their confidential information from cyberattacks, it is important to understand and act on the fact that cybersecurity is not just a technology issue.
Cybersecurity initiatives increasingly have legal as well as practical consequences – including for protecting the value and competitiveness of such items as “trade secrets” – and the trend, in line with voluntary initiatives such as the NIST Cybersecurity Framework, is to look more holistically at relevant management processes and people issues throughout a company, not just its IT protections, to assess and address the adequacy of cybersecurity.
Cybersecurity is coming under the scrutiny of a variety of laws and regulations. These range from direct regulation of data security in the financial and health care sectors, to more general securities, shareholder derivative and “unfair competition” laws used to sue companies for inadequate cybersecurity when vital data gets hacked. (A 2016 whitepaper from CREATe.org summarizes this “rising tide” of legal scrutiny of cybersecurity.)
For trade secrets in particular – a company’s confidential business and technical information that adds value and enhances competitiveness precisely because it is kept secret – good cybersecurity provides an important legal as well as a practical benefit.
Trade secrets are defined in U.S. and many countries’ laws as valuable confidential information as to which “reasonable steps” or “reasonable efforts” have been taken to keep it secret. This definition is important because if a court determines that a company has not made such “reasonable efforts,” the court will not treat information as a trade secret and won’t give it any legal protection even if it is stolen or otherwise misappropriated.
Cyber hacking and theft of trade secrets is very much on the rise – up 56 percent year-on-year according to IBM’s 2016 Cybersecurity Landscape survey. Trade secrets cases involving cybersecurity issues thus are also on the rise, and courts have started to look at companies’ cybersecurity efforts to determine whether “reasonable efforts” have been taken.
For example, courts in trade secrets cases have already looked at such things as a company’s identity and access management (such as password protection, “need to know” access, and secure server storage), data security measures (such as USB stick use restrictions and distribution controls), perimeter and network defences (including firewalls, data encryption, and online use restrictions), and activity monitoring, as evidence of the required “reasonable efforts” to protect trade secrets. As a company implements and improves its overall cybersecurity, therefore, it is of vital importance to understand and adequately address the cyber risks posed to its trade secrets in particular.
Cybersecurity is also evolving both as a technical and a legal matter in the trend to take a holistic risk-management approach to protecting a company’s confidential information. This involves dealing not just with technical protections, but also the people and process issues that need to be well managed in every area that deals in any way with trade secrets and other confidential information at a company.
This trend is perhaps best illustrated by the growing take-up in the U.S. of the NIST Cybersecurity Framework, a set of guidelines that recent Dell/Tenable surveys found is being used by 82 percent of U.S. government IT and security professionals to improve cybersecurity, and is viewed by 70 percent of private-sector professionals as a leading practice.
The NIST Framework is focused on risk assessment and is not merely technology-based. It does not just recommend that particular technical protections be implemented. Instead, it calls for a company’s overall priorities, cybersecurity risks and responses to be identified and prioritized, and for specific cataloguing, implementation and ongoing monitoring and review to be carried out across a whole range of areas.
The growing trend to implement cybersecurity in more holistic ways as outlined in the NIST Framework may in the future also provide additional legal protections for companies who do so. Although the NIST Framework is by definition voluntary, PwC has noted, “In effect, the Framework may become the de facto standard for cybersecurity and privacy regulation and may impact legal definitions and enforcement guidelines for cybersecurity moving forward.”
In short, cybersecurity – done well – helps provide needed technical, people, process and now legal defences for a company’s trade secrets and other confidential data. For more information, see CREATe.org’s recent whitepaper, The Importance of Cybersecurity for Trade Secret Protection.