UK: On Lockdown - How To Protect IP Through Securing Data And How To Use The Latest Technologies Without Losing Your IP

Last Updated: 20 November 2012
Article by Frank Jennings

This article was first published in the November edition of Intellectual Property Magazine.

Digital innovations in global communication and mass data exchange are changing the way organisations work and it is important to consider how your business can take advantage of technological developments without opening yourself up to leakages, espionage or giving away commercial advantage.  Following interviews with several businesses, in June 2012 DMH Stallard published a report, Secure Your Data – Protect Your Business, highlighting data security best practice.  The majority of the businesses we spoke to thought they had appropriate measures in place but, when probed more deeply, we identified risks that they had not identified or eliminated.

Data and IP on a personal device

Traditionally, an employer supplies its employees with devices for business use.  With the recent surge in demand for smartphones and tablet computers, employees are increasingly seeking to use their own devices for business.  This "consumerisation" of IT means employees, who have bought a device they actually want to use and are familiar with, wish to use that device at work.  In our interviews, businesses indicated that they are either persuaded by the cost savings – that is, the upfront capital cost of purchasing the device – or keen to encourage employee productivity and satisfaction, and are promoting BYOD or "Bring Your Own Device" plans in the workplace.  We also identified that as employees had a personal interest in the device and the data saved on it, they were more aware of and concerned about protecting the device and its data.

BYOD presents problems too.  In particular, it raises the issue of ownership of data on a device.  An employer will claim to own business-related data on the device, but will likely acknowledge that the employee will own his data on the device.  As it is a personal device, the employee will likely carry it with them everywhere.  If they lose the device, it could fall into the hands of someone who would seek to use the business data to their advantage.  Also, IT departments, used to supporting Microsoft and Blackberry, can find they are being asked to cater for iOS and Android systems too but they do not necessarily have the resource to do this.  Perhaps they will need to obtain official training or even a licence agreement from the manufacturer.  Maybe the solution is to require the employee to obtain support from the place they bought their device.  Of course, once again a third party – the party providing the support – will have access to the confidential business data held on the device.  Finally, an employee who changes job will take their device with them; the employee could use the information on it to a competitor's advantage, or the new employer could even get access to the information on that device.

An employer could reduce risks like these by 'partitioning' the device, that is, by installing software which separates work use from personal use on the device.  Even if the personal 'partition' has no security, the work 'partition' can still be secured.  Further, the employer could ensure that very little data is stored on the device itself, with data stored centrally on its server.  The employee would access virtual data on the work partition when he needs it and, when he has finished, the work partition would close and the data would disappear from the device.  If the employee loses the device, or it is stolen or he takes it with him at the end of his employment, the employer can disable the work partition and prevent access to the centralised data.  Some applications allow remote wiping of business data on the device.  This will reduce the risk of files and information about clients or the business being taken by a departing employee.  We found that employers forget or do not take the seemingly obvious step of revoking the access rights of staff as they leave, and do not undertake regular reviews to check this and revoke permissions.

There are other concerns too.  For example, ownership of the device itself might be called into question if the employer provides a contribution to the employee when buying the device.  Also, if the employee creates intellectual property rights on the device, then having a dual-purpose consumer and business device can complicate the usual question of who owns the rights. 

Data and IP in the cloud

Increasingly, businesses are adopting cloud solutions as an affordable, scalable and flexible approach to data storage and processing.  A cloud solution can provide a business with instant access to additional data storage without the need for it to incur a large upfront cost.  This reduction in capital expenditure, coupled with freeing up precious physical space, gives a business the flexibility to rent services specific to its requirements and allows it to store data centrally for accessing remotely, anywhere at any time.  Not every cloud solution is the same.  A public cloud solution provided to a global customer base on the basis that it is cheap does not necessarily or automatically offer an enhanced level of resilience or data security.  Also, if a cloud provider can keep its costs down by running the solution from the cheapest jurisdiction, then this is likely to mean that the data is transferred outside the protective area of the European Economic Area.  That transfer could be to a jurisdiction which is not on the European Commission's safe list of countries and, unless the transfer is done subject to appropriate contractual safeguards, then the business, as ultimate controller and owner of the data, could find itself in breach of EU data protection legislation.  Further, it is worth remembering that not all jurisdictions have yet implemented appropriate measures to protect IP, with some businesses concerned about corporate or even state espionage on data held by a cloud provider in their country.

Some businesses interviewed highlighted concerns over US cloud solutions.  For example, the US Safe Harbor scheme is a self-certification scheme and a business should check their cloud provider's credentials and seek evidence of their compliance before the data transfer takes place.  Additionally, many businesses are concerned about the USA Patriot Act.  This grants the FBI access to data held within the US and beyond.  In 2011, Microsoft UK clarified that, as it is a US-headquartered business, it would respond to a request under the Patriot Act.  This access by the FBI is not new and is, of course, subject to safeguards such as for the prevention of terrorism, but many data controllers are concerned about this access. 

To deal with these types of issues, a business could store its data locally or implement a hybrid cloud solution where it stores all confidential or valuable data onsite and moves less important data and applications into a cloud solution.  This segmentation and categorisation of business data according to confidentiality and value could mean a more complex but ultimately more secure cloud solution.  We talked to one business that kept its "crown jewels" as they called it, including credit card, payment and customer data, at an ultra secure data centre in London and used a public cloud solution for data of low value, using a SaaS (Software as a Service) email solution for staff email.  Segregating data can also be useful to limit employee access to certain types of data.  Businesses can identify and specify what data the cloud provider must store within the EEA and elicit reassurances from the provider that it will undertake back-up and support also in the EEA.  As many cloud solutions are provided by US companies, data is often automatically transferred to these jurisdictions.  A business should consider encrypting data held in a cloud solution.  Alternatively, it could 'tokenise' its data, where it stores the sensitive data onsite but obscures it (by way of a token identifier) when transferring data to the cloud. 
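
The tokenisation approach described above, sketched as an added example (it is not from the article or from any product it mentions).  The TokenVault class, the field names and the sample orders are hypothetical and constructed for illustration; the vault is assumed to stay onsite while only the tokenised records go to the cloud.

```python
import hashlib
import hmac
import secrets

TOKEN_PREFIX = "tok_"


class TokenVault:
    """Onsite store mapping random tokens to the sensitive values they replace."""

    def __init__(self, index_key=None):
        # Key for the lookup index; like the vault itself it never leaves the site.
        self._index_key = index_key or secrets.token_bytes(32)
        self._by_token = {}   # token -> original value
        self._by_digest = {}  # HMAC(field, value) -> token, so repeats reuse a token

    def _digest(self, field, value):
        msg = f"{field}\x00{value}".encode("utf-8")
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenise(self, record, sensitive_fields):
        """Return a copy of record that is safe to send to the cloud provider."""
        out = {}
        for field, value in record.items():
            if field in sensitive_fields and value is not None:
                value = str(value)  # values are stored and restored as text
                digest = self._digest(field, value)
                token = self._by_digest.get(digest)
                if token is None:
                    # Random token: not derived from the value, so it cannot be
                    # reversed without access to the onsite vault.
                    token = TOKEN_PREFIX + secrets.token_urlsafe(16)
                    self._by_digest[digest] = token
                    self._by_token[token] = value
                out[field] = token
            else:
                out[field] = value
        return out

    def detokenise(self, record, sensitive_fields):
        """Restore original values in a record fetched back from the cloud."""
        out = dict(record)
        for field in sensitive_fields:
            token = record.get(field)
            if token is None:
                continue
            if token not in self._by_token:
                raise KeyError(f"unknown token in field {field!r}")
            out[field] = self._by_token[token]
        return out


SENSITIVE = {"customer_name", "card_number"}

# Constructed sample data; the card number is a widely used test value.
SAMPLE_ORDERS = [
    {"order_id": 1001, "customer_name": "A. Example",
     "card_number": "4111111111111111", "amount": "25.00"},
    {"order_id": 1002, "customer_name": "A. Example",
     "card_number": "4111111111111111", "amount": "9.50"},
]


def demo():
    vault = TokenVault()
    cloud = [vault.tokenise(o, SENSITIVE) for o in SAMPLE_ORDERS]
    restored = [vault.detokenise(c, SENSITIVE) for c in cloud]
    return vault, cloud, restored


if __name__ == "__main__":
    _, cloud_records, _ = demo()
    for rec in cloud_records:
        print(rec)
```

Because the same value always maps to the same token, the cloud side can still group the two orders by customer without ever holding the name or card number.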

There are other risks too.  Although a business may have carefully thought out its official cloud strategy, its employees may be circumventing this.  A business embracing BYOD should also identify where data on that device will be held.  Further, the employer should identify whether its staff are using solutions such as Dropbox or Google Docs to store documents, Evernote to take and share notes on meetings or ideas and Gmail or Outlook.com for emails.  The best approach might be to make employees aware of what is and is not expected of them, by putting clear policies in place and communicating them to the employees.  Staff often do not consider the risks to data and IP.  One tool that could prove useful is a "survey of truth" to find out how employees actually use and move data.  Often, business data and IP policies which are so strict that they make it harder for employees to do their jobs can end up encouraging employees to circumvent those policies.  By engaging with staff, it may be possible to implement a strategy that allows for use of cloud solutions while also reducing risks to data and IP by embracing a solution staff are comfortable using.

Data and IP in social media

The use of social media has become a part of everyday life for many and, increasingly, a way of doing business.  Businesses can use sites such as Facebook, LinkedIn and Twitter to build up contacts through social encounters or through networking to promote their business and activities.  As with everything, careless use of social media by employees can give rise to risk.  For example, an employee using the 'Check In' facility on Facebook to tell friends where they are might inadvertently disclose confidential or sensitive information, like an appointment with a client or more specific details about a confidential project a business is undertaking for a client.

Another area of difficulty is who owns social media contacts built up during an individual's employment.  Laura Kuenssberg, a BBC reporter, was well known for her coverage of the 2010 UK general election and built up about 67,000 Twitter followers to @BBCLauraK.  On leaving to go to ITV, there was, in her own words, much "frenzied conversation" about whether she could take her followers with her to her new job at ITV.  Apparently, an "entirely amicable" agreement was reached, where all her followers of @BBCLauraK were transferred to @ITVLauraK.  It is unlikely that every business in that situation would be quite so willing to allow this to happen; a business might instead argue that, by using the business trade mark, the followers belong to the business, not the individual.

Protecting IP and data in technology

Clearly, in the ever-changing business environment, technology offers advantages but a business should ensure these are not to the detriment of its data and IP.  To take advantage of the latest technologies without putting data and IP at risk, a business must consider the following:

1. Engage with staff to identify what they need to do and identify a means to allow them to do this
2. Introduce and enforce policies to protect business data and IP to reduce the likelihood of innocent (or deliberate) damage to data and IP
3. Audit your most valuable data and IP and identify how (and where) best to store it
4. If data and IP are to be transferred outside the EEA, adopt measures to reduce the risks

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
