The Key to Keeping Your Trade Secrets Safe? Focusing on Metadata
November 30, 2022
Since the mid-1980s, there has been a significant shift in what drives a company’s value, from physical assets such as buildings and machinery to intangible assets like intellectual property. For many, that IP includes trade secrets — information whose value to the business rests in the fact that no one else knows it. Exposing that information might result in a loss for the business.
Think about a popular soft drink’s secret formula, or the proprietary seasoning recipe for a well-known fried chicken franchise. While many have tried to copy them, those secrets remain essential to the value of the companies.
Organizations are increasingly recognizing the value of their intellectual property, and they’re growing more concerned about the risks surrounding it. Aon’s 2022 Executive Risk Survey saw valuing/protecting intellectual property ranking ninth among the top risks worrying executives, up from 16 in 2021.
Intellectual property also includes such items as trademarks and patents — valuable assets to an organization. But by registering those assets, the business is exposing them. Trade secrets, while intellectual property, are in a different category.
“You don’t necessarily register a trade secret to say that you own it,” says Scott Swanson, security advisory practice leader at Aon Cyber Solutions. “Ownership of a trade secret starts with proving it exists followed by the person or entity with legal or title to the trade secret. Add to that, notice and access. It is the access part that really plays into meta data and keeping it reasonably secret within an organization.”
Protecting an individual’s or company’s trade secrets requires addressing both insider and external threats, Swanson says, including inadvertent exposure by oneself or from people within the organization. An essential part of that effort is accounting for the trade secret’s metadata — those tiny bits of information that, if exposed, might be assembled by outsiders to reveal valuable confidential information.
Trade secret metadata can be targeted by external — or internal — bad actors. But metadata can also be vulnerable to inadvertent exposure.
In many cases, it’s employees who have accidentally revealed trade secret metadata — at conferences and trade shows, for example — thinking that the information isn’t confidential. “Your insider threat can often be people who are going to conferences and want to brag about some of the great stuff they’re doing,” Swanson explains. “They’re potentially exposing information that they shouldn’t be sharing by writing these papers and doing these presentations.”
Conference presentations like this often lack any sort of internal review for valuable metadata and how they relate to identified existing trade secrets, says Swanson.
“More often than not, these individuals aren’t bringing their presentations to legal and asking, ‘Is there anything here that might be exposing us?’” Swanson says.
Organizations therefore must have in place policies, procedures, governance and technical measures to protect their intellectual property. It’s also important to understand who has access to elements of the organization’s trade secrets, and insiders given access to valuable metadata must be made aware of its value. Similarly, if the legal department manages evidentiary proofs of ownership and protection to bolster a position in trade secret lawsuits, they should be involved with the secrecy, valuation, and reasonable efforts to maintain trade secrets’ secrecy and confidentiality.
Understanding What’s Valuable
Guarding trade secrets begins with understanding exactly what an organization wants to protect. With disparate bits of information moving through different departments — such as data about sales, marketing or accounting — organizations must look for any trade secret metadata that might be among the information. Which of those bits, if put together, could provide enough detail to reveal a trade secret, allowing a competitor to replicate it or benefit from it?
In an era of growing cyber threats, organizations must also align their cyber security investments with their efforts to protect trade secrets.
“If you’re spending $1 million on cyber security and the value of your trade secret is $100 million, maybe you should be spending a little bit more to identify and protect that metadata,” says Swanson. “A trade secret is sensitive information, and that’s what we’re looking to protect with cyber security.”
Part of the Organizational Culture
Protecting trade secrets and metadata is not only an important security practice — it’s also a reflection of an organization’s approach to planning and information sharing.
Swanson says he doesn’t see enough examples of organizations engaging in “if-then” exercises focused on whether competitors could use metadata for misappropriation or to reengineer their trade secrets to gain a competitive advantage. Organizations should conduct annual trade secret risk assessments alongside their regular cyber hygiene reviews, he says. “It’s just the little things of knowing what you have and how to protect it and who might be able to gain access to it internally or externally.”
Protecting Critical Assets
Trade secrets can be among companies’ most valuable assets. Recognizing how they might be exposed and taking steps to protect them — even avoiding unintentional exposure of bits of metadata — is critical.
“If organizations have good leadership and they’re governing those things, whether it’s their information security or how they’re protecting their trade secrets, setting that culture is paramount and that will usually help reduce trade secret problems,” says Swanson.