Late on a Friday afternoon, the China CEO of a global specialty chemical products company received a memo from the head of operations. A chief engineer who was overseeing production of a soon-to-be-launched high-end product had resigned. He gave as reason his desire to return to his hometown to manage a small family-run business.
But within one month, more than 20 other local staff members had also left. On one particular day, employees from research and development (R&D), procurement, production, quality control, and finance all tendered their resignations.
The company called in Kroll. We gathered intelligence from sources in the company’s supply chain and conducted a forensic examination of the computers used by the resigned employees. We discovered that these individuals left to follow the chief engineer, who had not, in fact, gone back to his hometown but joined a competitor instead.
Our investigation also uncovered evidence that some employees had stolen proprietary information. These included, but were by no means limited to, designs, layout of the production facility, vendor lists, marketing plans, employee contact information, management reports, and financial information – what the client rightly considers its trade secrets.
Soon after our probe, the China management team heard rumours that the rival company that had hired its old staff members would soon launch a high-end product very similar to the one the former chief engineer had supervised.
Incidents like this occur frequently in emerging markets. Companies fail to secure trade secrets, making it all too easy for wrongdoers to steal and replicate key products in a matter of weeks. In this case, the company lost market share and failed to achieve millions of dollars in forecast revenue.
In China, the healthcare, pharmaceutical and biotechnology sectors are particularly vulnerable to theft of intellectual property (IP) and information. Local and international companies are shifting from low-end to high quality product manufacturing as well as from pure production to R&D facilities. The ensuing cutthroat competition is tempting some players to resort to unethical means.
Although the theft of IP is often traced to employees, they are not the only culprits. External parties may try to obtain information through such means as hacking into computer networks and breaking into company premises. They might also be more devious. Some have set up a fictitious company to impersonate a potential big buyer and lure victims into revealing valuable proprietary information. We have also found a competitor bribing our client’s employees and vendors to act as informants.
On one occasion, whistleblower letters accused two senior employees of stealing the IP of their former employer, using it to design and launch new products. Our investigation found that it was, in fact, one of the company’s key customers that passed on the information to the accused employees, demanding that they make products at a lower cost.
Given the many possible ways that trade secrets can be compromised, it is critical to take a holistic perspective toward all threats, both internal and external, and to tailor security and controls accordingly.
The first step for companies is to understand what constitutes their own IP. The World Intellectual Property Organization (WIPO) defines trade secrets as “any confidential business information which provides an enterprise a competitive edge”. Such IP, also called “know-how”, can be difficult to control since it is usually intangible.
Making matters worse is that non-compete and non-solicitation agreements signed between companies and their employees – common tools to protect trade secrets – are difficult to enforce in Asia. Therefore, implementing robust controls and a response plan is extremely important to limit any potential damage.
But achieving a commercially reasonable level of security is no easy task. The most effective solution will include physical security, information and computer security, operational security, human resources security, and communication security.
These categories not only overlap; they are also constantly evolving. An effective solution must, therefore, encompass them all.
Based on our experience around the world, the so-called “divide and conquer” approach to IP protection – trying to address, say, computer security without integration with areas such as human resource or physical security – simply does not work. The extent of the task starts to becomes clear when you add the unique challenges relating to chemical and biotechnology R&D and production facilities, as well as understanding the laws and regulations of each country where IP is to be stored or sent.
The best place to begin is a risk assessment to look for any risk factors which can be quickly and cost-effectively mitigated. These are useful easy wins. But don’t forget other issues that may require longer term solutions. Typically, such an assessment starts with a thorough review of the current operational and technology environments along with the current state of IP protection.
It is also important not to assume that policy is the same as reality. Identifying areas where plans and policies are not actually being followed is essential. This can be done through document analysis, interviews, sample analysis, or covert and unscheduled visits.
In a recent case, the company policy was to have highly secure and centrally managed wireless data networks. However, our on-site testing found that completely unsecured wireless networks were in use, were undocumented, and were placing IP at serious risk.
Completely eliminating competitors from trying to compromise trade secrets is not a realistic goal. Neither is trying to prevent an employee from moving to a competitor or setting up a competing business.
Companies can, however, do more to mitigate the risk of loss or theft by re-evaluating and understanding what IP they have that goes beyond patents and trademarks, and how these trade secrets are created, controlled, and destroyed. Conducting an audit of business operations and facilities is another useful step in identifying vulnerabilities and fraud entry points.
Ultimately, though, integrated security arrangements need to treat trade secrets as the important pieces of IP that they are.
About the Author
Tadashi Kageyama is Senior Managing Director and Head of Investigations, Asia, at risk consulting company Kroll.