Cyber security is becoming increasingly important, especially in regard to Intellectual Property (“IP”) protection. Many businesses store IP on computers which are vulnerable to cyber-attack. Hackers may access valuable IP and infringe it, use it to extort or blackmail businesses or pass it on to competitors. This can instantly erode the IP’s value and litigation is unlikely to fully restore the pre-attack position. Consequently, businesses need to ensure that their IP is appropriately ring-fenced to minimise its vulnerability.
Cyber security refers to steps taken to protect computers, networks and systems from malicious bodies. With the growth in digital media such as smartphones and tablets, company networks are becoming more portable. As companies become increasingly digitalised, many businesses now store IP on their systems, including technical drawings showing potential designs and copyright, ideas for future trademarks, patents and software codes. If a business’s value is in its IP (such as, for example, those focusing on e-commerce) then the value of the company can be instantly reduced if its IP is not cyber-safe.
There are different types of cyber-attack including hacking (be it nuisance hacking to corrupt a system or hacking purely for financial gain) and the ‘advanced persistent threat’ (where an individual gains access to a system and remains undetected for a lengthy period of time). Although stories of cyber-attacks are fairly common it is widely considered that most instances go unreported. Businesses are often afraid of the adverse PR impact an IP theft has - it highlights a flawed security system and it may take years for a business to regain the confidence and trust of its customers.
Poor storage of IP may render it valueless. For instance if ideas for possible trademarks are stored on a vulnerable network, hackers may access them and could potentially use or register them (or versions thereof) for themselves. This use or registration may prevent later registration of a trademark by the victim of the theft due to ‘earlier rights’ that may have arisen as a result of the theft. The victim may need to rebrand completely as a result, which can be expensive. Considering patents, in order to protect an invention, the invention must be novel and must not have been disclosed to the public. If the invention has been made available to the public it is not possible to apply for a patent. If the potential patentable invention data is not stored safely a hacker could access a system and disclose an invention to the public and prevent a business from filing a patent or being granted a patent. This is a particular problem if a company is heavily reliant on patents (such as an engineering or R&D firm). Such steps may give competitors an advantage. A similar problem may arise in relation to designs. A registered design application will be refused if the design is not new or does not have individual character. A hacker accessing a prototype design and disclosing it may thus render the design no longer new and lacking individual character.
This shows that poor cyber security of IP can erode a business’s competitive advantage and can destroy valuable IP.
Whilst most countries have laws that prohibit the theft of IP, relying on such laws alone is unlikely to provide a business with comprehensive protection. Laws differ from country to country and tracing perpetrators is also notoriously difficult, hence the mantra ‘prevention is better than cure’ is directly applicable. Businesses should prioritise taking steps internally to safeguard IP.
Firstly, businesses should try and ensure that they are ‘proactive’ rather than ‘reactive’ in their IP security. This involves paying attention to their existing cyber security network which protects IP and considering ways in which it may be improved. Businesses might consider the possibility of engaging an ‘ethical hacker’, who, with the consent of the business, will try and gain access to IP in order to evaluate existing defences. This will reveal loopholes and defects.
Secondly, businesses should consider conducting an audit of their IP. By asking themselves what types of IP they have, how it is currently stored and protected, who has access to it and whether or not it is being passed to third parties (like sub-contractors or outsourced agencies), businesses may identify flaws. The answers to these questions can shape next steps.
Thirdly, businesses may consider having steps in place that prevent ex-employees from retaining access to IP. Smartphones, laptops and tablets should be confiscated immediately on termination of an employee contract. Network log-in codes and passwords should also be updated regularly to prevent unwanted access onto systems.
Finally, precautions should also be taken to reduce third-party access to networks and systems, for instance the scope of access outsourced IT maintenance bodies have. Networks should be managed closely so that access is only given to the area of the network that needs maintenance. If unrestricted access is granted to IT maintenance bodies, they may be able to freely ascertain and view IP. Instead, access should be curtailed, logged and audited carefully. This is likely to reduce the possibility of future problems or flag up attempted violations.
There are a plethora of potential issues that cyber security and IP protection pose to businesses. This article does not purport to address all those issues but does highlight some factors businesses should consider.