The costs of an IP breach


Think IP theft will never happen to you?

After finishing business school, I worked for a biotechnology company based at The University of Queensland. As part of my work on campus, I interacted with many companies and came across a case which would become commonplace throughout my career – theft of IP by departing employees.

The company concerned had employed a number of scientists to perform research, with the intent of commercialising that research to generate a Return on Investment (ROI) when it was ready to take to market. Unfortunately, once the research was effectively complete a number of researchers resigned and went to a competitor, where they were offered higher pay and more senior positions.


A short time after the former employees left that business, their new employer started pursuing patents and other IP Rights for the same research. Ultimately, the former employees were taken to court and their new employer found to have acted inappropriately. Whilst this insider threat case ultimately had a positive outcome, it was at the expense of considerable time, effort and legal fees.

Could this situation have been avoidable?

An IP breach will cost your business big time

Entrepreneurs and business leaders of startups get really invested in their business, and can sometimes develop ‘tunnel vision’ where a small number of issues consume their focus and energy.

Unfortunately, in my experience leaders who are not familiar with legal issues often fail to fully grasp what is involved in remediating any data breach and are often overwhelmed when faced with managing incident response.

To illustrate the true costs of a security incident, the 2016 Deloitte report entitled ‘The hidden costs of an IP breach’ places remediation costs in two categories:

Above the surface (better known cyber incident costs):
  • a) Customer breach notification
  • b) Post-breach customer protection
  • c) Regulatory compliance remediation
  • d) Media and public relations campaign
  • e) Legal and litigation fees
  • f) Technical investigation
  • g) Cybersecurity program uplift

Below the surface (hidden or less visible costs):
  • a) Insurance premium increases
  • b) Increased costs to raise debt
  • c) Impact of operational disruption or destruction
  • d) Lost value of customer relationships
  • e) Value of lost contracts
  • f) Devaluation of trade name
  • g) Loss of Intellectual Property

Source: Mossburg et al. (2016). The hidden costs of an IP breach.

Like everything in life, timing is important. If your IP leaks before you are ready to commercialise or have formalised your IP rights, it can have disastrous effects, often resulting in a small or medium-sized business (SMB) being shut down. Surely more can be done?

Protecting your IP through legal mechanisms – such as patents, copyright, trademarks, plant breeders’ rights, circuit layout rights and ‘trade secrets’ – is very important, as is the use of Non-Disclosure Agreements. But you also need to consider Information Security as part of your toolbox to protect IP.


Just because you have legal protections in place doesn’t mean your IP can’t be compromised. A worst case scenario for many organisations is that their research is leaked before they have successfully obtained a patent, or that their trade secret is published. In these situations, competitors and other actors can exploit your hard work to:

  • Quickly replicate your work and bring it to market before you have obtained full IP Rights (i.e. they beat you to the patent)
  • Bring a competing product to market, perhaps in jurisdictions where you have not applied for IP Rights (most organisations cannot afford to lodge patents in every country worldwide, and do so selectively), which competes for market share – these products are often cheaper as R&D costs do not need to be recovered, and over time may cannibalise your market share and revenue
  • Engage in successive rounds of litigation and legal red tape, aiming to exhaust your legal defence funds and bankrupt your business so as to obtain the rights for free or cheaply under licence.

Thinking “it will never happen to me” and placing your investment and hard work in the hands of blind faith is an avenue walked by many entrepreneurs and researchers, many of whom learn the hard way.

Starting early to properly protect your IP through BOTH legal and information security approaches is essential. Doing only one or the other is not sufficient.

How do VCs and Angel Investors view IP?

Whilst you may be comfortable with your current IP protection arrangements, as your business starts to grow and you need capital to scale, leaders need to turn their minds to what investors will think. Investors have a scarce commodity – money – and there are a lot of companies vying to help them spend it.

Investment attraction in innovative industries requires protecting your IP. In 2015, Forbes wrote an article entitled ‘Do Venture Capitalists Care About Intellectual Property?’. The answer, as you might imagine, was a resounding yes.

The article identifies two types of Business Angels – those who invest on blind faith (perhaps a friend or family member), and those who do solid due diligence. The article quotes Brian Cohen, author of ‘What Every Angel Investor Wants You To Know‘, as saying “for many startups, the IP is the sole basis for the valuation of the company, so investors need to be confident that it is real”.

Venture Capitalists and Private Equity investors get even more serious about their IP assets:

“Many founders make mistakes in the first 12 months of business that cost them dearly as they build their companies. These mistakes revolve around intellectual property, founding team members, initial product that is built and market validation.”

Quoting Entrepreneur-turned-VC Mark Suster in Jutten (2015)

To be positioned as an attractive investment, you need to do everything reasonable to ensure the business is as attractive as possible.


You need to protect your IP from Day One

One of the mistakes I see is that founders or company management often fail to pay sufficient attention to security. Information Security – which is broader than the more technical cyber security – is focused on your organisation’s most important information assets (that is, your research or technology), understanding who has access to them, and how they could be compromised.

Many innovative or technology companies pay attention to legal protections for their IP early, but information security and insider risk management are left until later. Some start-ups are founded by groups of friends who never consider that they may fall out, or have a rogue employee, in the future.

The most critical elements of protecting your IP and trade secrets from an information security perspective include:

  • Identifying your critical information assets
  • Identifying who has access to them
  • Performing a risk assessment to understand how these assets could be compromised, and identifying controls and control gaps in your current processes
  • Implementing auditing and logging tools to facilitate detection, investigation and response to potential incidents
  • Implementing a fit-for-purpose information security program to properly manage your cybersecurity, workforce (people), supply chain and business partner risks in relation to your IP
  • Building an organisational culture which values security and maintains high levels of security awareness

What can Small Medium Businesses do to mitigate these risks?

ISO27001:2022 Information Security Management System and ISO27002:2022 Information security, cybersecurity and privacy protection — Information security controls provide an excellent foundation for any business seeking to implement IP and proprietary information protection, in addition to legal avenues.

As a small organisation, it may be overkill for you to develop the complete ISMS required under 27001, but applying 27001 selectively in a measured way will help you mitigate security risks whilst at the same time providing a strong foundation to seek external investment.

This approach means your ISMS can be progressively uplifted or enhanced as your business grows and risk profiles change – in time, you will have an ISO27001-ready ISMS with which to seek ISO/IEC certification, should you choose to or should it become a condition of your investment.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers, experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Prototype product protection: a step by step guide

What is prototyping?

“A prototype is a draft version of a product that allows you to explore your ideas and show the intention behind a feature or the overall design concept to users before investing time and money into development” (usability.gov). Prototyping is an essential step in product development as it provides an opportunity to qualify feedback from potential customers, size the market, inform investment and financial decisions, and support go/no-go decisions.


Not every product idea will be a commercial success, meaning innovators can spend a lot of money on new product development without financial return. Prototyping helps minimise this risk by regular and repeated feedback. The generic product development process begins with the idea (ideation), which leads to development of a Product Definition prior to prototyping. Usability.gov identifies two categories of prototype:

  • Low-fidelity prototypes are often paper-based and without user interactions. They are prepared quickly and are cheaper than high-fidelity prototypes whilst helping potential users understand the product concept and how it might benefit them. Feedback collected from user interviews (customer interviews) should be incorporated into the iterative new product development process to inform the Minimal Viable Product (MVP).
  • High-fidelity prototypes are effectively early models of the future product. They are as realistic as possible with working components, meaning they are often expensive to produce and may require support from the product developer’s supply chain to design and build custom components. The need for custom components may require suppliers to develop their own prototypes and perform custom R&D as a prerequisite for being able to produce their customer’s new product, adding to development timelines and commercial complexity. There may be multiple iterations of high-fidelity prototypes, with later models being closer to the model which will go into production and on to a product launch for sale.

How are prototypes vulnerable? What are the risks?

Part of the challenge with protecting prototypes is the need to balance secrecy with feedback. Failure to provide adequate secrecy or protection could mean innovators lose commercial advantage or are usurped by competitors who are faster, more agile and better resourced. However, the flip side of any product is that it needs to be tested, and product developers need as much real-life feedback as possible: from customers on whether the product meets their needs, and from real-life applications on whether the product solves the problem as intended under realistic conditions.

The inherent risks associated with a prototype are a reflection of how advanced the prototyping activity actually is. At the early stages, risks are primarily associated with information security and personnel security, where leaks or compromises can occur which tip off the market to what is under development. As prototypes are produced and tested, these risks remain but new risks, including physical theft or loss and third-party or supplier risks, also come into play. The spectrum of risks is illustrated in the following figure, overlaid on the research and development process:

(c) Paul Curwell (2022). Prototype Product Protection illustrated: Security risks aligned to the R&D process

Taking steps to ensure legal protections for your Intellectual Property, such as Patents, Copyright or Design Rights, are addressed is an important step in prototype protection, but these legal protections are not the sole actions required. Litigation cases can turn into a ‘war of attrition’ with the winner having the deepest pockets, so reliance on a purely legal strategy may not be prudent. Selected security and fraud risks which also need consideration include:

  • Physical theft of the prototype – which can occur during storage, production, transport and field trials.
  • Theft of test data, plans or designs – arising through virtual (cyber) and physical (e.g. paper, human) vectors.
  • Theft or disclosure of pricing and commercial data – this is likely of particular interest to competitors and ‘fast followers’, but potentially also to industry media and investors.
  • Contract Manufacturer agreements – outsourcing may confer less control over your information and who has access to it. Additionally, there are many examples of contract manufacturers with undeclared conflicts of interest or a lack of integrity who disclose this information to third parties or competitors irrespective of any legal agreements in place.
  • Theft or unauthorised use of tooling, molds, etc. for production – parts of your supply chain, including contract manufacturers, may use your custom tooling or manufacturing molds intended for developing the prototype for unauthorised manufacturing activities during periods of factory downtime. Tooling agreements which specify ownership of IP, and access control associated with tooling, are essential to manage product diversion risk.
  • Third Parties – many businesses will need to involve their suppliers in prototyping and new product development. This requires providing information, access to designs or prototypes, and go to market plans and timelines, all of which are commercially valuable and potentially market sensitive if the company is publicly listed. Use of external experts including product development specialists, product engineers, graphic or industrial designers, product quality consultants, computer-aided design (CAD) specialists can increase the chance of success. However, the more people ‘in the know’ the greater the opportunity for compromise.
  • Data Management and Information Protection – ideally, much of your product development information will be online rather than paper-based to provide greater control over access, versions, and dissemination. A data management plan incorporating risk-based data security and information protection is essential, and being able to evidence appropriate security and protections can give greater confidence to business angel, venture capital and private equity investors to fund product development.

In addition to these inherent risks, two contextual factors influence your risk exposure: time, and the number of people who are in the know. As with anything you want to keep under wraps, the longer you need to keep something secret, the more effort is required. The quicker you go from ideation to commercialisation, the lower the chance of compromise or accidental disclosure. Related to time is the number of people ‘in the know’. Typically, longer product development timeframes mean more people in the know, and there is presumably a relationship between the number of people who know and the likelihood of intentional or unintentional compromise.


Most importantly, with prototype protection it is not just the prototype itself which needs protecting: information pertaining to it, as well as any externally-facing indicators of what you are doing that could tip off competitors, also need to be carefully managed.

The prototype threat and risk assessment

Some industries are much more competitive and cut-throat than others, with competition arising not just from business competitors but also nation states. Innovators, research managers and commercialisation teams are often reluctant to talk about security, but according to ‘The report of the Commission on the theft of American Intellectual Property’ (2013), the cost of IP theft in the USA alone is likely to exceed US$300 billion.

The ongoing theft of IP is “the greatest transfer of wealth in history.”

General Keith Alexander, Commander of the United States Cyber Command and Director of the National Security Agency

Industries with commercially lucrative or national security applications at the cutting edge of science, technology, engineering and mathematics and some consumer sectors are most likely to be targeted, with targets ranging from applied research through to trade secrets, prototypes and commercial information. Understanding who might be interested in obtaining information about your prototype (‘threat actors’), such as competitors, competitive intelligence collectors, media, and foreign governments, is a crucial first step. A threat assessment can help identify these actors, understand their tactics and level of sophistication (their capability and intent), and provide insights on how they are most likely to target your R&D.

A Risk Assessment complements the Threat Assessment. Risk Assessments look inward and focus on what can go wrong (risks) and what is present to prevent this (internal controls), whilst threat assessments focus on the outside looking in. The bottom line is that every material risk should have adequate control coverage, with the most critical assets (including people, information and physical items) having multiple redundant layers of protection. Threat and Risk Assessments provide a strong foundation for a Prototype Protection Plan.


Developing the Prototype Protection Plan

The Prototype Protection Plan (PPP) documents what steps a business will take to protect prototype versions associated with a given new product development project. This plan considers the threats and risks identified through the assessment process (above), and outlines the ‘who, what, when, where, why and how’ of each risk treatment option. The PPP should cover the full spectrum of risks – physical, cyber, information/ IP, personnel (insider threats) and supply chain.

Better practice involves assigning a dedicated security manager for the duration of the project (either full or part-time), who not only coordinates the overall PPP program but is also able to assess, investigate, evaluate and respond to incidents and potential compromises. Industries where products have rapid product life and profit cycles may also undertake a variety of counterintelligence practices, given the level of ongoing scrutiny performed by competitors.

In summary, as outlined in this article, protecting your prototype takes effort; however, in many cases the benefits from doing so exceed the costs. Failure to properly identify, understand and manage these risks can lead to a loss of market share, future revenue, shareholder returns and brand damage, whilst being overzealous with security can mean your business never gets out of the starting blocks in its product development race. This balance must be carefully managed in prototype security.
