Protection of information constituting a commercial secret
Commercial companies generate a wealth of information that is valuable both to the company itself and to competitors. Business-critical information includes technology, know-how, inventions and developments, market research, strategic plans, and other types of data that are separate assets. Information about customers and counterparties is also of interest to competing firms.
The state recognizes information as an asset and involves it in civil legal circulation, establishing certain protection measures equivalent to measures to protect tangible assets. The specificity of methods and tools for protecting information constituting a trade secret is related to the fact that the data is reflected both in electronic form and on paper.
Definition of concepts
It is necessary to distinguish between two distinct concepts. "Trade secrets" and "information constituting trade secrets" both appear in the legislation, but they refer to slightly different things.
The term "trade secret" refers to a confidentiality regime, that is, a system of protective organizational measures that a company establishes to protect information from criminal intrusion or leakage. The confidentiality regime helps the company to maintain its position in the market, keep its competitive advantage, and avoid the cost of restoring a reputation shaken by disclosure or leakage of sensitive information.
"Trade secret information" is the body of information that a company determines at its own discretion. The information may relate to scientific, industrial or marketing activities. The real or potential commercial value of such information is increased by its inaccessibility to third parties. A trade secret regime is established with regard to this information.
Arrays of information constituting a commercial secret are divided into four groups:
- Scientific and technical information: inventions, know-how, patents; rationalization proposals; methods of increasing production efficiency; everything related to the operation of computer networks, security standards, software, passwords.
- Technological and production information: drawings; models; equipment documentation; production recipes; techniques; description of business processes; production and marketing plans, strategies, business plans; investment proposals.
- Financial information that is not public information: management and financial accounting data; reports; information about the cost of production; cash flow calculations; price formation mechanisms; projected tax deductions.
- Business data: data on suppliers and contractors; customer information; sales plans; different strategies; consulting recommendations; market analysis data and similar information.
The gradation of the degree of confidentiality for each group includes:
- the highest degree of secrecy available only to the top management of the organization;
- strictly confidential information;
- confidential information;
- restricted information.
Ranking according to the level of confidentiality helps to better organize the access system and minimizes the risks of leakage. For example, data of the highest value will be inaccessible to a wide range of company employees, which means that it is less at risk of intentional or accidental leakage.
To take advantage of legal opportunities to protect trade secrets, the company must first determine the list of information that is covered by the trade secret regime. After that, it is reasonable to demand that employees and counterparties comply with data protection measures and to hold them accountable for disclosing information constituting a commercial secret.
In parallel with defining the information, the company must establish the confidentiality regime. This means developing and implementing a system of administrative, organizational and technical measures that will help prevent willful or unintentional disclosure or dissemination of information.
The commercial secret regime is regulated by civil and criminal legislation. Legal relationships are regulated by the Civil Code, in which secrecy is defined as an object of protection. Separate norms concerning the observance of the commercial secret regime are contained in the Labor Code. The Criminal Code introduces liability for deliberate disclosure of information. Thus, the company has the right to independently determine which data is information constituting a commercial secret, and its protection is guaranteed by measures of state coercion.
Before developing a system of protective measures to preserve the confidentiality of information and introducing a commercial secret regime in a company, it is necessary to determine the most likely security threats. Threats are classified as internal and external.
External threats include three groups of subjects that may be interested in obtaining information constituting a trade secret:
- direct competitors that operate in the same markets, or companies that plan to enter the same markets and carry out various scenarios of undermining the company's position;
- subjects interested in the redistribution of shares in the enterprise, raider groups, minority shareholders and other persons who can use the information obtained in the fight for assets;
- subjects that encroach on assets owned by the company: real estate, land, shares and stakes. Obtaining data about the assets makes this easier for them.
Internal threats are primarily associated with the company's personnel, including top managers. Employees with access to corporate information systems can misappropriate information constituting a trade secret in order to sell, use in their own commercial projects or distribute to an indefinitely wide range of people with the aim of harming the company.
The protection system should identify all possible threats and include mechanisms for dealing with specific hazards.
Methods for obtaining information constituting a commercial secret
Recognition of information as a commercial secret in most cases does not mean confidentiality in the strict sense of the word, because employees, developers, customers and contractors have access to the data. Information that is classified as secret in the company's internal documents may become publicly available due to the actions of counterparties. The dual nature of information that is recognized as confidential gives rise to not only illegal, but also legal ways to obtain data.
- Interception or organization of information leaks from telecommunication networks.
- Direct theft of documents.
- Bribery of employees.
- Studying the media, official sources of data disclosure, for example, websites where accounting statements are published, files of cases of arbitration courts. Open sources make it possible to compile a fairly accurate picture of the company's financial position and relationships with counterparties.
- Working with employees of competing companies who have a wide range of information about the activities of the target company and who answer questions without thinking about disclosing information constituting a trade secret to their interlocutors.
- If the company is a publicly traded company, its prospectus contains most of the information that is classified as a trade secret. In addition, if consultants are not bound by dissemination restrictions at release, their work will also contain a significant amount of information.
- Interviewing company employees: answering questions that are not directly related to their work does not violate the confidentiality regime, but yields a large amount of useful information.
- Job offers to company employees, sometimes with no intention of actually hiring the person. This technique makes it possible to obtain a wide range of data on actual employment, responsibilities and products.
- Study of the products themselves, as well as the work of suppliers of raw materials and components.
- All types of company and employee monitoring.
- Negotiating the possible conclusion of a contract without the intention of actually concluding one. The method makes it possible not only to collect a large amount of data, but also to study the production process from the inside. The information obtained in this way constitutes a trade secret, but is provided voluntarily.
Countering these data collection methods is complicated by their legality. Possible countermeasures include instructing employees, thorough checks of potential contractors, and holding negotiations outside the company's location.
The main measure for protecting information constituting a commercial secret is the establishment of a commercial secret regime. The main activities are of an administrative and organizational nature. For example, one of the fundamental elements of the system is an employment contract, which provides for the responsibility of employees for breaches of confidentiality. Given that external threats manifest themselves in the form of theft of information constituting a commercial secret from the company's computer networks, technical measures must be introduced alongside administrative ones to guarantee the completeness of protection.
Administrative and organizational measures
First of all, administrative and organizational measures are aimed at informing employees about what information is classified as a trade secret, and what non-disclosure obligations are assigned to personnel.
Another goal is to make sure that the company has complied with all legal requirements and has shown prudence. This will strengthen its position in the event of a possible lawsuit against the thief of trade secrets or the party who ordered the theft and benefited from the criminal act.
Administrative measures include:
- Issuance of an order on the introduction of a commercial secret regime. The document defines the main parameters of the protection system and the persons responsible for organizing protective measures.
- Determination of the list of information related to commercial secrets. Often the authors of the documents include in the list all the information they know to exist. This is the wrong way to go, as much of the data is publicly available, such as published reporting. In case of litigation, too wide a list of data may serve as a basis for recognizing the entire list as inappropriate to the trade secret regime. It is more advisable to limit the list to really valuable information. Information from the constituent documents, most of the data on the staffing table, labor regime, and information on compliance with environmental and fire requirements cannot be classified as confidential.
- Development of a system of local regulations that will ensure compliance with the confidentiality regime and protection of information constituting a commercial secret. In addition to the main document, the regulation "On commercial secrets", regulations can be developed on working with computers, on the procedure for providing information to counterparties and government agencies, and on the procedure for copying documentation, along with standard contracts with counterparties, annexes to employment contracts and others.
The regulation should include sections dedicated to the listing of information defined as a trade secret; the procedure for amending the list or general criteria by which information is recognized as a commercial secret; a list of ranks and levels of admission of persons with the right to operate with confidential information; the procedure for working with documents and information bases that are carriers of information constituting a commercial secret; the rights and obligations of ordinary users and persons who have been entrusted with the functions of ensuring the secrecy regime; the order of storage, accounting and destruction of various media.
In addition, the regulation should contain measures of responsibility for non-compliance with the requirements. The rest of the documents developed in accordance with the regulation should not contradict it. Company employees must be familiarized with the regulation. The legislation does not oblige the company to involve the trade union or other representative bodies of the labor collective in the development of the document, but if necessary, their opinion can be taken into account.
- Determination of the circle of persons who have the right to work with materials that contain information constituting a commercial secret, and the level of access. At this stage, organizational measures must interact with technical ones, since the clearance levels are implemented in the IT structure of the company. For more reliable protection, it makes sense to assign a security clearance not only in terms of the degree of information value, but also in terms of industry nature. Authorized persons, who are determined at the level of an order of the executive body, should be notified that the information entrusted to them is a commercial secret, and warned about the possibility of dismissal and other sanctions for its disclosure.
- Development of employment contracts and contracts with counterparties, which contain a rule on the protection of commercial secrets. The contract with employees must include a clause that warns about liability for disclosing confidential information and about the company's right to oblige the employee to compensate for material damage. The law also allows the employment contract to specify a period, starting after the termination of the contract, during which the employee is not entitled to disclose information that has become known in connection with the performance of labor duties. Usually the term is three years. The employee must be familiarized with the list of information against signature. The presence of a personal signature certifies that the employee is fully aware of responsibility and is ready to bear punishment in the event of disclosure of information.
- Inclusion of confidentiality clauses in contracts with counterparties in cases where information entrusted to the counterparty or its employees in connection with the fulfillment of the terms of the contract constitutes a commercial secret. Counterparties of this kind can be audit, consulting, appraisal and other companies. The clause in the contract should oblige to fully compensate for the damage caused by the disclosure of secrets.
- Use of the “commercial secret” stamp to protect confidential information, together with means of identifying copies of documents. This does not protect documents from being copied in order to transfer information to potential customers, but limits distribution to a wide range of people in the public domain.
- Special modes of using telecommunication equipment, copying devices, external e-mail, the Internet. An employee's access to resources should be based on requests with a justification for the need for use. Requests should be coordinated at the level of the employee's management and security services.
- Strict control over the use of accounts on networks only by account holders with a warning that the transfer of a password may serve as a basis for dismissal due to "disclosure of commercial secrets."
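The clearance scheme described in the list above, where access depends on both the confidentiality grade and the group the information belongs to, can be expressed as a default-deny check and run over an access log. This is an added example, not part of the original article; the numeric ordering of the grades, the group identifiers, and the users, documents and events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Grade(IntEnum):
    # The article's four grades; the numeric ordering is an assumption.
    RESTRICTED = 1
    CONFIDENTIAL = 2
    STRICTLY_CONFIDENTIAL = 3
    TOP_MANAGEMENT_ONLY = 4


@dataclass(frozen=True)
class Clearance:
    grade: Grade
    groups: frozenset  # information groups the person is cleared for


@dataclass(frozen=True)
class Document:
    grade: Grade
    group: str


def denial_reason(clearance, doc):
    """Return None if access is allowed, otherwise why it is denied."""
    if clearance is None or doc is None:
        return "unknown user or document"  # default deny
    if clearance.grade < doc.grade:
        return "grade too low"
    if doc.group not in clearance.groups:
        return "group not cleared"
    return None


def review_access_log(clearances, documents, events):
    """List the (user, document, reason) events that violate the policy."""
    findings = []
    for user, name in events:
        reason = denial_reason(clearances.get(user), documents.get(name))
        if reason:
            findings.append((user, name, reason))
    return findings


# Constructed sample data (hypothetical users, documents and access events).
CLEARANCES = {
    "cfo": Clearance(Grade.TOP_MANAGEMENT_ONLY, frozenset({"financial", "business"})),
    "engineer": Clearance(Grade.CONFIDENTIAL, frozenset({"technological_production"})),
}
DOCUMENTS = {
    "cost_calc.xlsx": Document(Grade.STRICTLY_CONFIDENTIAL, "financial"),
    "recipe.pdf": Document(Grade.CONFIDENTIAL, "technological_production"),
}
EVENTS = [("cfo", "cost_calc.xlsx"), ("cfo", "recipe.pdf"),
          ("engineer", "cost_calc.xlsx"), ("temp", "recipe.pdf")]
```

Calling `review_access_log(CLEARANCES, DOCUMENTS, EVENTS)` shows that even the highest grade does not open a document outside the holder's cleared groups.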
Among the technical measures to protect information constituting a commercial secret, the first to consider are programs that completely protect the information perimeter from leaks, unauthorized copying or data transmission. These tools include DLP systems and SIEM systems.
DLP class systems are configured in such a way as to exclude information theft by internal users as much as possible. SIEM-class systems detect threats and identify various information security incidents, allowing for complete risk management and protection against intrusions through the external security perimeter.
Technical measures of protection include all methods of encoding and encrypting data, establishing a ban on copying, controlling employee computers and monitoring the use of accounts.
Legal ways to protect trade secrets
If a leak has nevertheless occurred and the spread of confidential information could not be avoided, it becomes necessary to bring the culprit to justice and obtain compensation for the damage. This is only possible through the courts. Dismissal on the basis of “disclosure of commercial secrets” can also be challenged in court.
There are many examples in Russian judicial practice when the court takes the side of the company. For example, the Moscow City Court upheld the dismissal of an employee who transmitted data on the volumes of supplies by e-mail. She was dismissed on the basis of subparagraph "c" of paragraph 6 of Part 1 of Article 81 of the Labor Code of the Russian Federation: disclosure of secrets protected by law. In another case, the Moscow City Court reinstated the violator of the trade secret regime at work, since the defendant company did not provide an employment contract with the plaintiff, the internal labor regulations contained, in the court's opinion, unclear wording, and the commercial secret regulation and other regulatory documents were completely absent from the company.
Such examples emphasize the need to be attentive to the regulation of issues related to the establishment of a commercial secret regime. Then the company can not only protect important business information, but also recover financial losses in the event of an incident that can lead to customer churn, loss of position in a competitive environment and undermining reputation.