When Intellectual Property Goes Out the Front Door

Posted on by Christopher Burgess

According to a 2012 survey by the Japanese Ministry of Economy, Trade, and Industry (METI) referenced in The Asahi Shimbun, it was revealed that of the 3,000 Japanese companies polled, 13.5 percent have had their intellectual property (IP) leaked or have suspected a leak over the past five years. The Asahi Shimbun goes on to describe how IP is being stolen by a variety of entities, both foreign and domestic. And no industry sector is immune, as the affected entities ranged from steel manufacturers to electronic equipment companies, to many in between.

A Case in Point

An interesting case that recently percolated to the top of the headlines involved a former SanDisk subsidiary employee who allegedly purloined the intellectual property from both SanDisk and SanDisk's joint venture business partner, Toshiba. Both entities have brought suit against the individual, Yoshitaka Sugita, who was arrested in Japan in mid-March 2014. The SanDisk suit, filed in California Superior Court, contemporaneously with the Toshiba suit, filed in Tokyo District Court, alleges that in 2008 SK Hynix, a Korean firm, induced an employee (Sugita) to obtain the two companies' trade secrets and bring these secrets with him when he departed the Toshiba/SanDisk joint venture and went to work for SK Hynix. Sugita left SK Hynix in 2011.

A review of the SanDisk complaint, obtained by Orrick's Trade Secrets Watch blog, notes that Sugita downloaded more than 10 gigabytes of data prior to his June 2008 departure. The data loss prevention technologies of 2008 may or may not have detected download(s) of the data by an employee. Nonetheless, with the Japanese press estimating the value of Toshiba's information procured by its business partner (and competitor) SK Hynix at approximately US$975 million, one can understand and endorse Toshiba's intention to "construct a more robust system for protecting its intellectual property and preventing its loss."

When Off-Boarding Employees

No doubt the construction of a new system will include taking advantage of formal off-boarding of employees. This process should involve an exit interview with a few key steps that all strong off-boarding programs should include:

  • Review the IT logs of data accessed over the previous 90 days for appropriateness and anomalous data acquisition or attempts (those 403 errors can sometimes be a wonderful warning flag for the data protection teams).
  • Review the employee's connected devices (hard drives, thumb drives, phones, etc.). Have these devices been returned and accounted for? In the case of devices with data storage, has the data been accounted for?
  • Request that the employee sign an attestation that she reaffirms the provisions of the nondisclosure agreement and has returned all IP.
  • If there is evidence of data theft and the departing employee does not return the stolen IP, in addition to pursuing legal remedies, an informational letter should be sent to the new employer asking them to be mindful to return any IP that may inadvertently appear with their new employee. This letter puts the new employer on notice, as well. (The ethical company will return the IP and destroy any copies of it.)

While the above may not thwart every employee attempt to break trust and abscond with intellectual property, it certainly goes a long way toward ensuring that every departing employee has had the opportunity to return any IP that he may inadvertently (or purposefully) have in his possession, and it ensures that the company consistently reviews for activity indicative of IP theft.

Christopher Burgess

, Prevendra Inc.

data security forensics & e-discovery law

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community