Think IP theft will never happen to you?
After finishing business school, I worked for a biotechnology company based at The University of Queensland. As part of my work on campus, I interacted with many companies and came across a case which would become commonplace throughout my career – theft of IP by departing employees.
The company concerned had employed a number of scientists to perform research, with the intent of commercialising that research to generate a Return on Investment (ROI) when it was ready to take to market. Unfortunately, once the research was effectively complete a number of researchers resigned and went to a competitor, where they were offered higher pay and more senior positions.
A short time after the former employees left that business, their new employer started pursuing patents and other IP Rights for the same research. Ultimately, the former employees were taken to court and their new employer found to have acted inappropriately. Whilst this insider threat case ultimately had a positive outcome, it was at the expense of considerable time, effort and legal fees.
Could this situation have been avoidable?
An IP breach will cost your business big time
Entrepreneurs and business leaders of startups get really invested in their business, and can sometimes develop ‘tunnel vision’ where a small number of issues consume their focus and energy.
Unfortunately, in my experience leaders who are not familiar with legal issues often fail to fully grasp what is involved in remediating any data breach and are often overwhelmed when faced with managing incident response.
To illustrate the true costs of a security incident, the 2016 Deloitte report entitled ‘The hidden costs of an IP breach’ places remediation costs in two categories:
|Above the surface |
(better known cyber incident costs)
|a) Customer Breach Notification|
b) Post-breach customer protection
c) Regulatory compliance remediation
d) Media and public relations campaign
e) Legal and litigation fees
f) Technical investigation
g) Cybersecurity program uplift
|Below the surface |
(hidden or less visible costs)
|a) Insurance premium increases|
b) Increased costs to raise debt
c) Impact of operational disruption or destruction
d) Lost value of customer relationships
e) Value of lost contracts
f) Devaluation of trade name
g) Loss of Intellectual Property
Like everything in life, timing is important. If your IP leaks before you are ready to commercialise or have formalised your IP rights, it can have disastrous effects, often resulting in a small or medium-sized businesses (SMB) being shut down. Surely more can be done?
Protecting your IP through legal mechanisms – such as patents, copyright, trademarks, plant breeders rights, circuit layout rights and ‘trade secrets’ – are very important, as is use of Non-Disclosure Agreements. But you also need to consider Information Security as part of your toolbox to protect IP.
Just because you have legal protections in place doesn’t mean your IP can’t be compromised. A worst case scenario for many organisations is that their research is leaked before they have successfully obtained a patent, or that their trade secret is published. In these situations, competitors and other actors can exploit your hard work to:
- Quickly replicate your work and bring it to market before you have obtained full IP Rights (i.e. they beat you to the patent)
- Bring a competing product to market, perhaps in jurisdications where you have not applied for IP Rights (most organisations cannot afford to lodge patents in every country worldwide, and do so selectively) which competes for market share – these products are often cheaper as R&D costs do not need to be recovered, but over time may cannibalise your market share and revenue
- Engage in successive rounds of litigation and legal red tape, aiming to exhaust your legal defence funds and bankrupt your business so as to obtain the rights for free or cheaply under licence.
Thinking “it will never happen to me” and placing your investment and hard work in the hands of blind faith is an avenue walked by many entrepreneurs and researchers, many of whom learn the hard way.
Starting early to properly protect your IP through BOTH legal and information security approaches is essential. Doing only one or the other is not suifficient.
How do VCs and Angel Investors view IP?
Whilst you may be comfortable with your current IP protection arrangements, as your business starts to grow and you need capital to scale leaders need to turn their minds to what investors will think. Investors have a scarce commodity – money – and there are a lot of companies vying to help them spend it.
Investment attraction in innovative industries requires protecting your IP. In 2015, Forbes wrote an article entitled ‘Do Venture Capitalists Care About Intellectual Property?’. The answer, as you might imagine, was a resounding yes.
The article identifies two types of Business Angels – those who invest on blind faith (perhaps a friend or family member), and those who do solid due diligence. The article quotes Brian Cohen, author of ‘What Every Angel Investor Wants You To Know‘, as saying “for many startups, the IP is the sole basis for the valuation of the company, so investors need to be confident that it is real”.
Venture Capitalists and Private Equity investors get even more serious about their IP assets:
To be positioned as an attractive investment, you need to do everything reasonable to ensure the business is as attractive as possible.
You need to protect your IP from Day One
One of the mistakes I see is that founders or company management often fail to pay sufficient attention to security. Information Security – which is broader than the more technical cyber security – is focused on your organisation’s most important information assets (that is, your research or technology), understanding who has access to them, and how they could be compromised.
Many innovative or technology companies pay attention to legal protections for their IP early, but information security and insider risk management is left until later. Some start-ups are founded by groups of friends who never consider they may fall out or have a falling out or rogue employee in the future.
The most critical elements of protecting your IP and trade secrets from an information security perspective include:
- Identifying your critical information assets
- Identify who has access to them
- Performing a risk assessment to understand how these assets could be compromised and identifying controls and control gaps in your current processes
- Implementing auditing and logging tools to facilitate detection, investigation and response to potential incidents
- Implementing a fit-for-purpose information security program to properly manage your cybersecurity, workforce (people), supply chain and business partner risks in relation to your IP
- Building an organisational culture which appreciates the importance of a positive security culture and high levels of security awareness
What can Small Medium Businesses do to mitigate these risks?
ISO27001:2022 Information Security Management System and ISO27002:2022 Information security, cybersecurity and privacy protection — Information security controls provide an excellent foundation for any business seeking to implement IP and proprietary information protection, in addition to legal avenues.
As a small organisation, it may be overkill for you to develop the complete ISMS required under 27001, but applying 27001 selectively in a measured way will help you mitigate security risks whilst at the same time providing a strong foundation to seek external investment.
This approach means your ISMS can be progressively uplifted or enhanced as your business grows and risk profiles change – in time, you will have an ISO27001 ready ISMS to seek ISO/IEC Certification should you chose or it becomes a condition of your investment.
- Cohen, B. (2013). What Every Angel Investor Wants You To Know, McGrawHill Education
- Curwell, P. (2023). 6 steps to improving security and integrity culture in the workplace
- ISO/IEC 27001:2022 Information Security Management Systems, https://www.iso.org/standard/27001
- ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls, https://www.iso.org/standard/75652.html
- Jutten, M. (2015). Do Venture Capitalists Care About Intellectual Property?, www.forbes.com
- Mossburg, E., Fancher, J.D., Gelinne, J. (2016). The hidden costs of an IP breach, Deloitte Review, Issue 19, www.deloitte.com
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.