Arguably, both staying out of trouble and getting out of trouble are important, but many companies spend the majority of their time and resources on the latter, rather than the former.
In 2006 I wrote an article where I addressed some of the underestimated risks in relationships with third-party service providers and offered a method for conducting effective due diligence assessments of them. Almost 10 years later, one of these risks continues to ‘lurk in the shadows’, receiving, in my opinion, less attention than it deserves. The risk in question is the risk of losing intellectual property (IP) and trade secrets due to insufficient and inconsistent preventative measures. In this article I would like to suggest several key proactive measures which may help companies further mitigate the aforementioned risk, especially with the increase in incidents related to protection of sensitive information, IP, and trade secrets.
Strong contractual protections for IP, trade secrets and sensitive information should not cause complacency
Many organisations today place significant value on their reputation in the marketplace. This reputation may well be damaged by an incident involving loss of IP/trade secrets/sensitive information.
While strong contractual terms binding a third-party service provider to take appropriate care when it comes to IP, trade secrets, and sensitive information is a prudent and essential measure, taken alone, it may not be enough to prevent loss. If the third-party service provider’s management and teams are not maintaining constant awareness and vigilance, the risk of loss may well be higher than anticipated, irrespective of your contractual requirements.
As such, a greater peace of mind is achieved not only through contractual protections, but also through direct and continuous engagement with the third-party service providers prior to and after contract execution specifically on this important issue. Some suggested pre- and post-contract due diligence measures to further mitigate the risk of loss of IP and trade secrets shared with a third party service provider are as follows:
Pre-contract and post-contract due diligence measures
- Classify IP/trade secrets/sensitive information assets by criticality, based on potential loss impact (financial and reputational);
- Develop a set of requirements for protection of aforementioned assets in all formats (verbal, physical and digital);
- Develop a meaningful process for sharing only what is needed with each third-party and understand whether their controls match yours;
- Perform a litigation history search against each third-party to identify any issues relating to their governance and compliance controls;
- Speak with the third-party’s current clients to better understand their strengths and weaknesses related to protection of clients’ IP/trade secrets/sensitive information;
- Develop open-source intelligence (press, social media etc.) about the third-party’s reputation;
- Conduct site visits to validate their ability to comply with your protection requirements;
- Negotiate broad rights to audit with and without notification using a multi-disciplinary team from your side (internal audit, cyber security, operational security, risk management, business unit relationship owner, legal, compliance);
- Evaluate their incident reporting process to validate its uniformity, efficiency and effectiveness as it relates to your organisation’s need to know; and,
- Develop an exit plan should the outsourcing engagement fall short of your expectations.
- Exercise your right to audit both remotely and through site visits by using your multi-disciplinary team;
- Offer frequent (at least quarterly) training on protection controls via different methods (lectures, webinars, posters, management meetings etc.);
- Reward and make examples of compliance and enforce administrative sanctions for non-compliance;
- Engage in incident management at a senior level, depending on asset criticality and the level of negative effect; and,
- Perform root-cause analysis for identified vulnerabilities and work together with the third-party to mitigate them.
Being more proactive pre- and post-contract about protection of IP, trade secrets, and sensitive information is less about investing money than it is about investing the time to focus on what is important to your organisation and how you can take a multi-pronged approach to managing this risk vis-à-vis your third-party service providers. Actively engaging with your third-party service providers prior to and throughout your relationship, and utilising a multidisciplinary team to apply oversight, common sense and root-cause analysis is time well invested.