Monday, July 2, 2012

New Draft Regulations for the Protection of Databases

Trade Secret Theft, Corporate Espionage or anything else you want to call it has been getting a lot of press recently. (See here and here.) C. Frank Figliuzzi, the head of the U.S. Federal Bureau of Investigation’s counterintelligence division, testified that based on the FBI data, "economic espionage losses to the American economy total more than $13 billion." See article here. The Center for Responsible Enterprise and Trade (CREATE) recently issued a white paper detailing some of the problems and possible solutions to trade secret theft.

There are a number of weak links in corporations that allow bad actors to steal company secrets: unencrypted networks and databases, hack attacks, and theft of data by employees or contractors. Some companies refuse to completely outsource operations due to the threat of data theft by companies located in the home country of the outsourced plant, so they are choosing captive sourcing instead. In captive sourcing the parent company builds and operates the plant in another jurisdiction, but it remains exposed to the threat of competitors hiring its employees away, and with them, valuable trade secrets. Many countries do not have robust legislation making trade secret theft illegal, giving companies little recourse after being victimized. CREATE has a number of suggestions for companies to help prevent trade secret theft. They suggest that companies:
  1. Conduct a strategic assessment of the company's trade secrets.
  2. Undertake appropriate pre-contractual due diligence.
  3. Employ strong contractual protections.
  4. Utilize appropriate operational and security measures.
  5. Take appropriate action after a business relationship has ended.
Some of the specific suggestions include clearly identifying in contracts what information the company deems confidential, requiring the counterparty to restrict, monitor, and record employee access to sensitive information, and specifying that the company has a right to audit the counterparty to measure compliance. Also, depending on the country, it may be important to have a forum selection clause identifying a friendly forum for any IP or trade secret disputes. Because some countries do not recognize the concept of a third-party beneficiary, companies should also consider entering into confidentiality agreements with key employees of the counterparty. If subcontractors will be used, the company might want to retain approval rights and ensure that any confidentiality agreements flow down to the subcontractor and that any violation is the responsibility of the contractor. Other suggested security measures include monitored physical access to confidential data, encrypted or expiring files, separate computer systems for sensitive information, keeping certain systems disconnected from the internet, and instituting computer use policies that allow the monitoring of data transmissions.


It is interesting to note that in its second version of draft regulations regarding the protection of privacy, ILITA, the Israeli Law, Information and Technology Authority (Israel’s data protection authority) recommended many of the same security measures regarding the protection of sensitive information stored in databases. If formally implemented, the regulations will require companies to:

  1. institute a data security protocol that describes the database structure, access privileges, security measures, provisions for periodic audits, and what access privileges subcontractors have been granted;
  2. ensure that its systems are kept in a secure location which prevents access by unauthorized users; owners of medium and high security databases must document all entries to and departures from database system facilities, as well as all equipment that is taken into or out of those sites;
  3. conduct a security audit at least once every two years to certify compliance;
  4. tightly control employee access to data, and change passwords immediately upon termination of an employee;
  5. conduct periodic training sessions for employees, commensurate with the scope of their duties, on database settings, security procedures, and the data security provisions under the law;
  6. implement a mechanism for automatic documentation that will enable inspection of all login attempts to the system, including username, date and time, scope of access, and components accessed, to be kept for 24 months;
  7. implement automatic documentation of events that raise suspicions of data breaches or unauthorized access;
  8. report serious security events to the Registrar of Databases, as well as any steps taken in remediation;
  9. implement security measures that take into account the special vulnerabilities of mobile devices;
  10. disconnect the database system from the Internet or other public network unless appropriate measures are taken to protect against unauthorized intrusion or malware that can cause damage or disruption to the system;
  11. encrypt the transfer of information over a wireless network, public network or the Internet using conventional encryption methods;
  12. segregate systems that access the database from other systems used by the database owner;
  13. explicitly list in a contract with the subcontractor:
     a. the data and systems that the subcontractor may access and for what purpose;
     b. the types of activities the subcontractor may perform on the data;
     c. the term of the relationship with the subcontractor and the subcontractor’s requirement to return and destroy any data upon termination;
     d. the subcontractor’s data security obligations under these Regulations;
     e. that the subcontractor’s employees must sign non-disclosure agreements to protect the security of the data;
     f. the subcontractor’s obligation to include all of the relevant provisions of the Regulations in any contract with any subcontractor of its own;
     g. the subcontractor’s obligation to report to the database owner, at least once a year, on its execution of its obligations under these Regulations, and to inform the owner of any data security event.
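Items 6 and 7 of the draft regulations (a 24-month record of every login attempt with username, date and time, scope of access and components accessed, plus automatic documentation of suspicious events) are the ones a database owner would actually implement in software. The following is an added example written for this post, not code from ILITA, CREATE or the blog's author: a small audit log that records the listed fields, prunes entries past the retention window, and flags users with a burst of failed logins as a suspicious event to document. The field names, the 730-day approximation of 24 months, the failure threshold and the sample entries are all assumptions made for the example.

```python
"""
Added example (not part of the original post or the ILITA draft): a login-attempt
audit log with the fields the draft regulations list, a 24-month retention
window, and a simple detector for bursts of failed logins.
Field names, thresholds and sample data are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from collections import defaultdict

RETENTION = timedelta(days=730)      # approximates the 24-month retention requirement (assumption)
FAIL_THRESHOLD = 5                   # failed logins per user that count as suspicious (assumption)
FAIL_WINDOW = timedelta(minutes=10)  # window in which those failures must occur (assumption)
SAMPLE_NOW = datetime(2012, 7, 2, tzinfo=timezone.utc)  # fixed "now" for the constructed sample


@dataclass(frozen=True)
class LoginAttempt:
    """One audit record: the fields item 6 of the draft regulations asks for."""
    username: str
    timestamp: datetime      # must be timezone-aware so retention math is unambiguous
    scope: str               # scope of access granted, e.g. "read", "read-write", "admin"
    components: tuple        # database components the login touched
    success: bool


class AuditLog:
    def __init__(self):
        self._entries = []

    def record(self, attempt):
        """Append a record; reject naive timestamps so retention comparisons stay correct."""
        if attempt.timestamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._entries.append(attempt)

    def entries(self):
        return list(self._entries)

    def prune(self, now):
        """Drop entries older than RETENTION relative to `now`; return how many were removed."""
        cutoff = now - RETENTION
        before = len(self._entries)
        self._entries = [e for e in self._entries if e.timestamp >= cutoff]
        return before - len(self._entries)

    def suspicious_users(self):
        """Return usernames with at least FAIL_THRESHOLD failed logins inside any FAIL_WINDOW span.

        Uses a sliding window over each user's sorted failure timestamps (item 7:
        automatically documenting events that raise suspicion of unauthorized access).
        """
        failures = defaultdict(list)
        for e in sorted(self._entries, key=lambda e: e.timestamp):
            if not e.success:
                failures[e.username].append(e.timestamp)
        flagged = set()
        for user, times in failures.items():
            start = 0
            for end in range(len(times)):
                while times[end] - times[start] > FAIL_WINDOW:
                    start += 1
                if end - start + 1 >= FAIL_THRESHOLD:
                    flagged.add(user)
                    break
        return sorted(flagged)


def build_sample_log(now=SAMPLE_NOW):
    """Constructed sample data: one entry past retention, one normal login, and a burst of failures."""
    log = AuditLog()
    log.record(LoginAttempt("alice", now - timedelta(days=800), "read", ("customers",), True))
    log.record(LoginAttempt("alice", now - timedelta(hours=2), "read", ("customers",), True))
    for i in range(6):  # six failed admin logins within five minutes
        log.record(LoginAttempt("mallory", now - timedelta(minutes=9 - i), "admin",
                                ("customers", "billing"), False))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("suspicious users:", log.suspicious_users())
    print("entries pruned as older than retention:", log.prune(SAMPLE_NOW))
    print("entries retained:", len(log.entries()))
```

In a real deployment the records would be written to append-only storage rather than a list, and the prune step would run on a schedule; the point of the example is that the fields the regulation names are exactly what a detector needs, so logging them for audit and logging them for detection are the same mechanism.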



Disclaimer

This blog is for information purposes only; it is not a source for legal advice. We do not accept any liability to any person who does rely on the content of this website.