Establishing policies on how to prevent data theft by employees has never been more important than it is now considering the increasing number of ways for employees to access and use data. An ex-employee from Google, Linwei Ding, was recently indicted for the theft of trade secrets from Google. The Chinese national was accused of stealing data related to Google’s AI trade secrets to share with two PRC-Based technology companies and the Justice Department saw this as a blatant theft of advanced technologies and a direct threat to national security. Despite Google’s advanced trade secret protection measures, the employee was reportedly able to remove documents for the company and smuggle them outside to serve ulterior motives of helping other companies grow.
While the employee was identified and seemingly held accountable this time, for smaller organizations, tracking their data down will usually be much harder.
Image: Freepik
Understanding The Case Against Google’s Linwei Ding
The details of the indictment by the federal grand jury were announced by Attorney General Merrick B. Garland during an event in San Fransico. Google’s Linwei Ding was accused of transferring more than 500 confidential files that contained AI trade secrets to his personal account. He was allegedly working for two companies in China, giving them an unfair advantage by providing them with the resources they needed to get ahead of competitors. The ex-employee, Google’s Linwei Ding, had been with Google since 2019, working as a software engineer who was granted access to confidential data for his work at the company. On May 21, 2022, he reportedly began copying that information into a personal Google cloud account and continued until May 2, 2023.
He had been offered a position as a Chief Technology Officer in 2022 and participated in investor meetings to raise capital for this organization. By May 2023, he even began his own company and applied to a startup incubation program to look for investors. His company documents stated that they had access to and experience with, Google’s technology, and all that was left to do was replicate it.
According to the details provided by the Justice Department, the stolen document corresponded to data on building Google’s advanced supercomputing data centers which were the basis for their ability to support all the heavy AI computing needs. Google’s proprietary hardware and software used to build these expansive systems were put at risk, including their “Cluster Management System (CMS), which functions as the ‘brain’ of Google’s supercomputing data centers.” If the ex-Google employee’s data theft is proven, he could face a 10-year prison sentence and a $250,000 fine for each of the four counts of theft of trade secrets that he has been accused of.
How to Prevent Data Theft by Employees
The Google employee’s data theft came to light and was handled so quickly largely thanks to the company’s presence as a dominant force in the U.S. It was also a result of the perceived danger to national safety if Google’s proprietary data was shared with nations that could turn on the country with the same knowledge.
However, for a smaller business lacking the presence that Google has, recovering stolen data can be much harder. Not only will it require the organization to expend a lot of resources, companies will have to work twice as hard to prove that they have a case in the first place. Instead of dealing with the consequences, it is helpful to enforce measures for trade secret protection and prevent any issues from arising at all. Learning how to protect trade secrets isn’t the easiest task as there might be multiple gaps to plug in your system for it to be effective, but the peace of mind with protecting your data, regardless of whether you’re a big or small business, can be worth it. The steps to protect trade secrets can include a couple of different aspects.
Understand What Your Data Is Worth and Identify What You Want to Protect
You can’t protect something that you don’t know is valuable. The sooner you identify what your company assets are and what is uniquely “yours,” the sooner you can put measures in place to keep it safe. Conduct company reviews and deep dives into the industry to fully understand your own services and what sets you apart from competitors. Once done, start organizing the information better, creating centralized pathways for all the data in relation to it, and then regulating who has access to the information. Trade secret protection starts after you fully identify and understand them as well as understand who might be interested in them.
Conduct Through Background Checks
This might sound excessive to some, but it can’t hurt to verify the details in relation to an employee before hiring an employee. Learning how to prevent data theft by employees will show you that there is no fool-proof solution that works every time as there might be nothing in these background checks to show that an employee might do something unpleasant. Still, you might catch some details quicker this way and have some degree of caution in your dealings with them. You might be able to avoid legal troubles and potential liabilities at a later stage and reveal details the employee had chosen to conceal about their behavior at a previous organization.
Even while working with a new agency or vendor, be thorough in your checks of their work practices and past projects to ensure they are reliable.
Use Trademarks and Apply For Intellectual Property Rights
While working out how to protect trade secrets, an important aspect of note is to protect your data even if it gets out. Many tools, products, and processes at your company could be registered under your IP rights in advance. While it won’t prevent the theft itself, it will be much easier to prove your ownership of data down the line, discouraging the misuse of such data. The more legal barriers an individual will have to jump through, the less they will be tempted to misuse your information and resources at a later stage. Do not dismiss it as too small to be stolen.
There are a lot of individuals who might be able to take your technology and find someone with a bigger budget to do it better than you, making a profit off of your company’s years of work refining the product.
Limit Who Has Access To Important Information
Not every employee at the organization might need to have access to all the documents and details within the company. Don’t become overly secretive and make it impossible for employees who need access to look at the data, but try to put filters in place so only those with permission have access to information. Ensure the access details are updated regularly and those who should no longer have access to documents are regularly removed from the access list. Often, employees who leave a company are still left with access codes that haven’t been updated since 2009, giving them room to draw from sensitive data that is no longer relevant to them.
When vendors are done with a project, ensure all the accesses that were provided to them are terminated as well. This is how to protect trade secrets from those who no longer need to access the secrets in the first place. There needs to be a proactive effort to review those who can access trade secrets and ensure that it isn’t being left open when just anyone can walk in and walk away with the data.
Use Non-Disclosure Agreements and Non-Compete Clauses Where Appropriate
A tried and tested method of how to prevent data theft by employees, is to have them sign non-disclosure agreements when they join the organization. These need to be provided upfront and the employee should be clearly onboard and shown what they are agreeing to, in order to avoid misunderstandings. If they work with sensitive information, be very clear on what they can and cannot talk about in relation to their work to ensure they don’t let something slip out by mistake.
Non-compete clauses are documents that new employees sign to prevent them from taking the knowledge of the company’s secrets to another competitor or using it to start their own business in the region. These are usually limited to a specific duration and employers often provide compensation to employees who may be unable to find work due to these restrictions. The agreements are not considered valid everywhere so make sure to look into the laws of your state to confirm whether the clause can be legally enforced. If not, they might just provide you with a false sense of security while you become too relaxed with your other security measures.
Physical Safety Measures
This one might be an obvious measure for trade secret protection but ensure your security systems at the organization are well protected. Regulate who gets access cards to which region, limit official work to company-sanctioned devices, and overall, ensure that personal devices are not used to access sensitive information. By monitoring who has access to information and when they use it, you can better understand where the information is being put to use. This can ensure that no outsiders have access to company information and it can also make it harder to take company information out of the workspace. Not impossible, unfortunately, but harder at least.
Cybersecurity Is One of the Most Important Steps to Protect Trade Secrets
Whether to prevent outsiders from misusing your information or to discourage your employees from doing the same, prioritize cybersecurity. This makes it much easier to check who is accessing information and what they’re doing with it. It also makes it easier to give permission and terminate when appropriate. In work-from-home situations especially, so much information is communicated over channels that are not secure. Try to ensure that all work communication passes through official platforms only and the necessary security measures are employed. From strong passwords on company accounts to antiviruses, do what is necessary to stay safe online.
If necessary turn to experts on how to prevent data theft by employees. Regularly audit your security protocols and conduct a thorough check of all the electronic channels at your company to ensure there are no holes in your security system.
Update Policies Regularly and Retrain Employees
Without reminders of the company policies on data security and policy, employees can either forget or feign ignorance regarding the rules. Regularly update your policies so they meet the needs of the present-day online nature of work. Once done, provide training or a refresher session on what the new policies are, and how employees need to be accountable for the data they work with.
When employees leave the company, conduct a thorough exit interview and take account of all the information and materials that were shared with them. Understand what data they had access to, whether all their documents, devices, and access keys have been returned and only then terminate the issue.
The steps to protect trade secrets all demand constant vigilance and a proactive attitude of reviewing how things are progressing at your organization. The alleged Google employee data theft case is only one example of how an organization’s data might be misused. Regardless of the industry, this could happen to any company anywhere, making it essential for each one to master how to prevent data theft by employees and outsiders.