A Blueprint for Secure Intellectual Property

Keeping an eye out: protecting your IP might mean more than you think.
Ilya Kazi, Mathys & Squire
Ed Gaudet, Liquid Machines
Duncan Pithouse, DLA Piper
Organizations like Coca Cola need to keep the lid shut on their IP.

The founders of file-swapping website The Pirate Bay hit headlines recently as they went on trial for copyright infringement. They claimed they never laid their hands on the bullion – a bounty of BitTorrent files, including illegal copies – insisting that they were merely providing an index or search engine. Interestingly, it transpired that the judge belonged to several intellectual property and copyright protection groups – the same organizations that representatives of the entertainment industry had sat on. As a result, the case may be sent to retrial. Such trials can twist or turn, simply because it can be hard to define the constituents of intellectual property, and when it is being abused.

“I think in organizations it’s very common that individuals will underestimate the value of IP,” remarks Mike Paquette, chief strategy officer of intrusion prevention system provider, Top Layer. “Plans to a missile, schematics to a circuit board are obvious IP, but most will underestimate what they have.

“We think of it historically as designs and recipes. Today many organizations find that they have less tangible items – customer lists, prospect lists that are not traditionally thought of, but which are also essential to organizations,” says Paquette.

A recent McAfee study of 1000 senior IT decision makers worldwide, Unsecured Economies: Protecting Vital Information, indicates that respondents reported losing intellectual property worth an average of US$4.6 million per firm due to security breaches in 2008. The total loss of intellectual property among respondents during these 12 months excluding losses due to piracy came to $559m. According to respondents, it costs an average of almost $600 000 per firm to respond to each security breach concerning the loss of vital information such as intellectual property.

"Because the world itself is going online, IP is itself interpreted online."
Phil Thompson

The Problem with Patents

Patents can act as one form of defense for some intellectual property. A patent will give protection to an invention for 20 years, but it does not necessarily stop a source developing on that patent.

As Phil Thompson, partner and founding member of White & Black Legal warns, the danger from the security breach perspective is that if you were to submit a patent application, a data leak resulting in the theft of confidential information “would render any patent application invalid”.

There are alternatives to patenting for securing intellectual property, says Thompson, such as that which can be found in the protection of the coveted Coca Cola recipe. Rather than divulge protected information, the soft drink manufacturer ensures that only a limited number of people know the formula. In the world of web design, people often insert deliberate errors in their code so they can see if another designer has copied and pasted the code onto their website.

Whatever tricks are available, ultimately, it’s about training, says Thompson. “Clients need to consider who in their organization needs to view their confidential information. A good case in point is a customer list. Frequently in organizations there’s no protection in customer lists.” Thompson advises that organizations should consider “whether all staff need to see the customer list, and do they need to see all of the customer list? All these checks and balances in place will help”.

"Encryption is...an absolutely necessary step in protecting IP in the foreseeable future, but not sufficient to protecting IP."
Mike Paquette

Keeping Pace

The issues surrounding intellectual property have followed other forms of information in the accelerated evolution from paper, to networks, to the world wide web. “Because the world itself is going online, IP is itself interpreted online,” says Thompson.

It’s important, then, that legislation is able to keep pace.

As partner and specialist in software patents at Mathys & Squire, Ilya Kazi is well positioned to observe intellectual property’s place in the online world, and the dangers involved – including the ease of publishing.

“Simplistically people are more careless with emails than say writing a letter. They are not always sent through the right checks or channels,” Kazi says.

He observes that the threat of “a designer bragging about a great project” can constitute a breach of confidence.

“It might not be a problem over a pint of beer in a pub, but might be a problem if there’s a traceable record,” he says, adding that “I can confidently predict that within five years there will be a patent case of something being written on Facebook which is brought into a disclosure which was damaging.”

Often, data is given freely over the internet, and in some cases it can be a good marketing move. Kazi notes that “In some cases, there’s a preconception that you’re a complete communist or a total capitalist; that you’ll be happy with a free-for-all or you won’t. The reality is that you just have to be a bit more careful.

“The point is what you’re doing is real. What you’re doing is affected by real laws,” and because the internet is international, that includes “laws in every country whose laws you’ve never read or studied or taken advice on”.

Style Over Substance

Even simple IP protection such as patenting can bring global disparities, according to Kazi. “If you file a business application in the US, then file the same one in the EU, you can run against the buffers. If there’s not enough detail [in the US patent], and you want to file [the same application] in the EU, you can be snookered.”

Kazi advises that organizations in the US seek EU specialists “otherwise it’s not easy to enforce your patent in the UK”.

He adds that the UK has one of the “harshest standards at the moment” in computer software.

“The prime minister has said that ‘Digital Britain’ must be at the heart of the economic recovery. If this is to be the case, it is a serious problem that the UK intellectual property office (IPO) is out of step with the US and the rest of Europe in applying an unduly harsh approach to patenting innovation in the software field,” states Kazi.

“It has even been explicitly criticized by the UK’s own Court of Appeal. The issue adds costs and uncertainty to businesses seeking investment and protection in the UK. If the prime minister wants to make this happen, he can and should move to make the UK IPO return to helping, rather than hindering, innovators in this area.”

Kazi continues, “There’s a lot of education that can be done. You need to perform a very cynical analysis of what you’re designing. Find the bits that you can patent. You have to show that [your application is] technology, not business.”

Daniel Smith, managing director of travel operator Tours4 Ltd, has had first-hand experience of the obstacles presented by intellectual property protection in the UK.

"In some cases, there's a preconception that you're a complete communist or a total capitalist. That you'll be happy with a free-for-all or you won't. The reality is that you just have to be a bit more careful."
Ilya Kazi

“For Tours4, our main IP is in our branding. We have several divisions including Tours 4 Sport, Tours 4 Schools and Tours 4 Students, but unfortunately we can’t trademark these as they are descriptive names,” he says. “We have previously tried to trademark the phrase ‘Tours4’ but had our application turned down by the IP registrar. As far as I’m aware, you cannot protect any sports or travel services unless they are contracted by professional teams or organizations, such as the rugby world cup.

“The only way we can currently protect our brand is by protecting our websites, and as such we’ve bought over 120 domains with the ‘Tours 4’ prefix,” Smith continues. “We do also have a piece of tailor-made software which has been developed specifically for use within Tours4. We own the copyright to this software as we have bought it outright. Therefore it is now a valuable asset within the business.”

According to Smith, staff at Tours4 do not come into contact with valuable intellectual property, and everything of a sensitive nature is kept on a password-protected hard drive which only the directors have access to. However, he states that “IP is quite a vague area…especially where service companies are concerned. The main thing I can protect is the brand; however I can’t trademark it so I’m open to potential infringement of our trading names.”

Regarding legal advice, Smith comments that “IP and trademark lawyers seem to be expensive for the service they offer, so apply to the Patent Office direct which costs $330. A trademark lawyer could charge four times as much and still have the same result. For a new business this seems like an unnecessary cost when the Patent Office give out plenty of free advice and information on IP protection.”

Out of Your Hands

Tours4 is currently in discussions with a company with regards to a potential investment, and although they’re only in preliminary discussions, they’ve signed a confidentiality agreement ensuring that neither side can disclose any information on the other before, during or after any discussions. Such agreements are utterly vital when dealing with secondary organizations, not least when considering outsourcing.

People tend to outsource for two reasons, according to Duncan Pithouse, a partner with DLA Piper: expertise and cost-savings. Pithouse emphasizes that “an exit strategy is key”.

“If you were coming to the end of your contract and you’d got limited rights, that would fundamentally affect the price you pay on your second outsourcing. The second supplier may have to reinvent the wheel,” says Pithouse.

Nevertheless, there is a case for businesses putting their intellectual property in the hands of others. According to the McAfee study, respondents estimated that intellectual property worth approximately $17m per firm is stored, accessed and managed overseas. While this may be for reasons of less expensive labor, supply chain efficiency and better expertise, it might also put intellectual property at risk due to legal, cultural and political differences.

Persistent Protection

The best way to protect intellectual property is to avoid exposure to those who do not need to know, and there are several technologies that can assist with this.

“Encryption is and has been used to protect both transmission and storage. It’s an absolutely necessary step in protecting IP in the foreseeable future,” says Top Layer’s Paquette, “but not sufficient to protecting IP”.

Paquette stresses the importance of intrusion detection and prevention.

“Both the beauty and challenge [of encryption] is that while encrypted information is relatively safe, when you need to use it, you decrypt it, and that’s where the risk elevates,” he says, observing that “if a computer is compromised in the first place, malicious software may be able to access information as it’s being typed in.”

Although Paquette believes there is a place for data loss prevention (DLP), he also cites it as being a ‘less mature’ technology. “If data is encrypted, it can be difficult for DLP to pick up on key phrases. The technologies can work against each other”.

Pithouse of DLA Piper adds digital rights management to the list of measures to protect intellectual property – the ability to only play certain copyrighted material on certain systems. iTunes is a clear example of this, as a restriction that has protected Apple’s revenue stream. However, Pithouse notes “a recent relaxation in digital rights technology,” pointing out that Apple has released non-protected material, albeit with the stipulation that a higher price is paid for the song itself. “It’s difficult to surmise why they are doing that.”

Perhaps most in line with the values of intellectual property is enterprise rights management (ERM), heralded by Ed Gaudet, senior vice president of corporate development and marketing at ERM software provider Liquid Machines, as “the persistent protection of data – regardless of where the data goes”.

With ERM, “access is protected by encryption and content gets protected,” says Gaudet. Information distribution is subject to a set of policies depending on the requirements of the company such as ‘internal only’, ‘corporate default’, or ‘top secret’.

“Where we differ to other companies is that our policies are role-based,” adds Gaudet. “You and I can have access to data even though we’re in different roles.”

He compares ERM to DLP, which despite being “really good at locating [information] and classifying it,” can throw up false positives. “In DLP, once data leaves the boundary you don’t have control. With ERM, you do.”

Gaudet adds: “You don’t want to give IT the key to the kingdom either. DLP they can access, but ERM they can’t unless they have the correct policy.”

The best approach, says Gaudet, is to marry the two technologies, and ensure that “Security is shared across the organization. This is where the market is really moving.”
