TRANSCRIPT
Session 602
Exploring the Evolution of Access: Classified, Privacy, and Proprietary Restrictions
The Proprietary Nature of Private Enterprise
Sarah A. Polirer
SAA Conference
August 27, 2011
SAA - August 27, 2011 Sarah A. Polirer, CA, CRM
Talking points
• Define
• Information types & examples
• Risk management & impact of loss
• Information classification
• Access matrix
Food for thought
• ASIS 2007 study: “75% of most organization’s value and sources of revenue creation are intangible assets, intellectual property competitive advantage… and likely to be bought, sold, disseminated, shared, licensed, or traded as part of the transaction.”
• Ocean Tomo Intellectual Capital Equity 2011 study: “estimates the value of intangibles at around 81% of S&P 500 companies’ value – a significant portion of which is represented by patented technology, trade secrets, proprietary data, business processes and go to market plans”.
Food for thought
• Foley, Foley & Lander 2006 findings: “In the 1970s, a typical company’s market capitalization was 80% tangible assets and 20% intangible assets. Now the typical market capitalization is 15% tangible assets and 85% intangible assets.”
• “Trade secrets are estimated to comprise 80% of the assets of ‘New Economy’ companies.”
• “estimated that the value of trade secret information held by US publicly-traded companies alone is more than $5 trillion.”
Defined
• Proprietary – “belonging to ownership; belonging or pertaining to a proprietary (owner) who has legal right or exclusive title to property, business, etc.”
• Proprietary Information – “in trade secret law, information in which the owner has protectable interest”
• Proprietary Rights – “those rights which an owner of property has by virtue of his ownership… title and possession and is an interest or right of one who exercises dominion over a thing or property”
Legal Definition
• Federal Acquisition Regulation (48 CFR 27.402 Policy) – “A property right or other valid economic interest in data resulting from private investment. Protection of such data from unauthorized use and disclosure is necessary to prevent the compromise of such property right or economic interest.”
• Economic Espionage Act (18 USC 1831-39) – defines trade secrets and gives them protection under federal law along with patents, creative works and copyright
• 39 U.S. laws – remedy under theft of trade secrets
• State laws and case law
Information Types
• Financial information
  – pre-released information
• Marketing & Advertising
  – market share and planning information
• Sales & Product specifications
  – demographics
  – customer-related information (also HIPAA related)
  – strategic business planning
• Legal and Compliance
  – mergers, acquisitions, divestitures
  – minute books
  – patents, trademarks, trade secrets, copyrights
• IT information
  – system information
• Research & Development
  – technical specifications
• Human Resources
  – personnel information
Examples
• Financial Information
  – accounting including assets, expenses, costs, profit, margins
  – audit
  – pre-released financial reports
  – budgets, quotas and targets
  – tax information
  – sales and order volumes prior to quarterly/annual releases
  – specific product sales information, orders or projections
• Marketing & Advertising
  – product-introduction plans and dates
  – market share and competitive position
  – short and long term market strategy or customers
• Sales & Product information
  – vendor names/relationships/demographics
  – production and inventory levels
  – future plans and sites
  – material costs
  – statistical information
  – chemical formulas
  – manufacturing processes
  – sales demographics & prospects lists
  – business processes
Examples
• Legal
  – merger, acquisition, divestiture plans and related data
  – litigation information
  – pre-released business strategies
  – pending investments and investment strategies
  – Board meeting minutes
  – shareholder information
• IT information
  – systems information
  – product descriptions & standards
  – source code
  – business plans
  – security plans
• Research & Development
  – technical and performance specifications
  – technical reports
  – product plans
  – projects in progress
  – project problems or product code names
• Human Resources
  – benefits
  – employee identification information
  – payroll
  – personnel personal information
  – philanthropy
Impact of loss
• Reputation
• Image
• Goodwill
• Competitive advantage
• Core technology
• Profitability
Risk Management
• Identify the information
  – Quantify the information’s value
  – Cost-benefit analysis
  – Regulatory requirements (e.g. SOX, FASB)
• Assess threats and vulnerabilities
• Assess impact of loss if disclosed
• Identify existing/planned security controls
• Determine information rank
• Prioritize risk
Classify Information
• Based on findings of risk
  – Impact of disclosure
  – Ownership/Access rights
  – Security mechanism
  – Examples
• Public
• Private/Confidential
• Proprietary
  – Levels of Proprietary
Information Classification Matrix
Classification code – classification – examples of information:
• P0 – General Business (Open) – published and reportable
• P1 – Could benefit competitors – not yet published
• P2 – Information that has significant value – proposals, internal documents
• P3 – Extremely sensitive – trade secrets, strategic planning
• P4 – Highly confidential by law – HIPAA
Instructions for use:
• Who
• Storage/Labeling
• Handling
• Distributions
• Destruction
• Security Systems
Rate Risk Factors
[Chart: Risk Levels based on Information Classification – x-axis: Information Type (P0, P1, P2, P3, P4); y-axis: Level of Risk (0 to 4)]
Handling Access
Format/Activity by classification (P4 most restricted, P0 open):
• Access Requirements – internal: P4 Approval by; P3 Approval by; P2 Approval by; P1 Approval by; P0 No approval needed
• Access Requirements – external: P4 Approval by; P3 Approval by; P2 Approval by; P1 Approval by; P0 Approval by
• Faxing/e-mail: P4 Password protected, recipient mailbox or attended receipt; P3 Password protected, recipient mailbox or attended receipt; P2 Approval by; P1 No restrictions; P0 No restrictions
• Copying: P4 Permission; P3 Permission; P2 Approval by; P1 No restrictions; P0 No restrictions
• Labeling: P4 Label any media, and confidentiality stamp plus internal labels; P3 No label required, only confidentiality stamp; P2 No label required, only confidentiality stamp; P1 No label required, only confidentiality stamp; P0 Release date plus classification
• Release to Third Parties: P4 Approval, non-disclosure agreement, or duly executed contract protects confidentiality; P3 Approval, non-disclosure agreement, or duly executed contract protects confidentiality; P2 Non-disclosure agreement or duly executed contract protects confidentiality; P1 Non-disclosure agreement or duly executed contract protects confidentiality; P0 No restrictions
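The classification matrix and the handling matrix above together form a small access-control policy: a document's code (P0 to P4) decides which controls an activity on it must carry. The Python below is an added example, not code from the presentation; it encodes the handling matrix as data and audits a constructed batch of document actions against it, reporting the controls each action lacks. The control names (approval, permission, password, receipt, nda), the activity keys, the sample document ids and the fail-closed handling of unlabeled documents are assumptions, and reading "Approval, Non-Disclosure Agreement, or Duly Executed Contract" as approval plus either an NDA or a contract is an interpretation of the matrix wording.

```python
"""Added example: auditing document actions against the handling/access matrix.

Not from the presentation; control names and sample events are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Classification codes from the matrix, least to most sensitive.
LEVELS = ("P0", "P1", "P2", "P3", "P4")

# Required controls per activity and level, transcribed from the matrix.
# Control names are assumptions (not in the deck):
#   approval    an approver is recorded for the action
#   permission  the information owner has permitted the copy
#   password    the transmission is password protected
#   receipt     delivery to the recipient's mailbox or attended receipt
#   nda         a non-disclosure agreement or duly executed contract is on file
POLICY = {
    "access_internal": {"P0": set(), "P1": {"approval"}, "P2": {"approval"},
                        "P3": {"approval"}, "P4": {"approval"}},
    "access_external": {lvl: {"approval"} for lvl in LEVELS},
    "email_fax": {"P0": set(), "P1": set(), "P2": {"approval"},
                  "P3": {"password", "receipt"}, "P4": {"password", "receipt"}},
    "copy": {"P0": set(), "P1": set(), "P2": {"approval"},
             "P3": {"permission"}, "P4": {"permission"}},
    # Interpretation: P3/P4 need approval plus an NDA or contract; P1/P2 need
    # only the NDA or contract; P0 is unrestricted.
    "release_third_party": {"P0": set(), "P1": {"nda"}, "P2": {"nda"},
                            "P3": {"approval", "nda"}, "P4": {"approval", "nda"}},
}

# Labeling requirement per level, from the matrix.
LABELS = {
    "P0": "release date plus classification",
    "P1": "confidentiality stamp only",
    "P2": "confidentiality stamp only",
    "P3": "confidentiality stamp only",
    "P4": "label any media, confidentiality stamp plus internal labels",
}


@dataclass(frozen=True)
class Event:
    doc_id: str
    level: str                # classification code as labeled on the document
    activity: str             # one of the POLICY keys
    controls: FrozenSet[str]  # controls actually applied to the action


@dataclass(frozen=True)
class Finding:
    doc_id: str
    activity: str
    level_applied: str
    missing: FrozenSet[str]
    note: Optional[str] = None


def effective_level(label: str) -> str:
    """Unlabeled or unrecognised documents are handled at the highest level
    (fail closed) so a missing label can never relax the required controls."""
    return label if label in LEVELS else "P4"


def check_event(event: Event) -> Optional[Finding]:
    """Return a Finding when the action lacks a control the matrix requires,
    or when the document had to be re-levelled because its label was bad."""
    if event.activity not in POLICY:
        raise ValueError(f"unknown activity: {event.activity}")
    level = effective_level(event.level)
    missing = frozenset(POLICY[event.activity][level] - set(event.controls))
    note = None
    if level != event.level:
        note = f"label '{event.level}' not recognised; treated as P4"
    if not missing and note is None:
        return None
    return Finding(event.doc_id, event.activity, level, missing, note)


def audit(events: List[Event]) -> List[Finding]:
    """Audit a batch of actions; compliant actions produce no finding."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample events (not real documents).
SAMPLE_EVENTS = [
    Event("FIN-Q3-PRELIM", "P3", "email_fax", frozenset({"password", "receipt"})),  # compliant
    Event("FIN-Q3-PRELIM", "P3", "copy", frozenset()),                              # no owner permission
    Event("MKT-LAUNCH-PLAN", "P2", "email_fax", frozenset()),                       # no approval
    Event("PRESS-RELEASE", "P0", "release_third_party", frozenset()),               # open, compliant
    Event("HR-BENEFITS-ROSTER", "", "email_fax", frozenset({"password"})),          # unlabeled -> P4
    Event("TRADE-SECRET-FORMULA", "P3", "release_third_party", frozenset({"nda"})),  # NDA but no approval
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f.doc_id:22} {f.activity:20} {f.level_applied}  "
              f"missing={sorted(f.missing)}  {f.note or ''}")
```

The fail-closed rule in effective_level is the design choice worth noting: a document whose label is missing or unrecognised is audited as P4, so an unlabeled HR roster sent by e-mail is still held to the password-and-receipt requirement rather than slipping through as open material.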
THANK-YOU