LeastTrust IT

Transcript - Companies Fail to Protect Proprietary Data, Employees Exit Risk Thrives

Awesome. Good morning, John. Good afternoon, Ryan. Good morning, afterno-, yeah. Thanks for joining today. Um, we got a fascinating conversation over the next hour here. Uh, my esteemed guest John Prior, uh, former auctioneer, trade secret specialist and, uh, IP, you know, practitioner, and, um, and Ryan. I’ll let you guys do in-, John, why don’t, why don’t you kick things off, and then Ryan, we’ll talk about his P-.

Tim, Tim’s the only person in the world that would introduce me as an auctioneer. Uh, you’re, you’re very, you’re very good at it. So, well, no, to, to be fair, uh, I think people kind of, you guys particularly liked the fact that I have a sort of English accent, and that, that it seemed to go down quite well. Tim and I used to work at IAP IP and patent brokerage, and, uh, we, we had some really good times over about a four-year period, uh, where we honed our IP and particularly our patent skills, and then, you know, since then we’ve both gone separate ways to a degree. We’ve both gone through the, um, the top four consultancies, me on the IP side and I think Tim more on the cyber, information, data side, and then we sort of reconvened back in, uh, I focus a lot on trade secrets and Tim’s coming at trade secrets from the, from the cyber and the data side. So yeah, very excited about today’s discussion. So that’s me, sorry, over to you, Ryan.

Okay, well, thank you so much. Um, I’m the odd man out. I’m actually the boots on the ground kind of guy that, that, uh, you know, tries to, to run these programs that are dictated to me, so I do my best. Uh, my background is Army Counterintelligence. I spent 26 years in the United States Army, the last 16 years I was a counterintelligence special agent, uh, worked in the jsaw community, worked in, um, other classified programs, uh, ran counterintelligence programs both in the United States, uh, Europe, and in Korea for three years, and so great background in counterintelligence. And so let me define counterintelligence before I go forward, because I think there might be some misunderstanding of what
counterintelligence is, and in its simplest forms I would say it’s the practice of keeping enemies outside your walls while catching the ones inside. And so that, we are purely about protecting, uh, protecting intellectual property, protecting organizations, the employees, facilities, and that’s all, our whole shtick. Uh, we’re not the guys that go out and try to steal other people’s information. That’s, that’s not our job. Uh, we’re on the protection side of it. After leaving the Army in 2016 I went straight corporate and I built counterintelligence and insider threat programs, which is a word again that we’ll discuss later, I have personal feelings about it, but I, I did set these programs up at both the Cerner Corporation and chids. So I did that for about eight or nine years, and now I’m the Executive Vice President for, uh, commercial offerings at a counterintelligence company called I EXN Solutions. Thank you, Tim, over to you.

Awesome, awesome. Uh, yeah, so a little bit of my background. Um, John and I met, um, it’s been quite a while, 2010, call it the heyday of the patent monetization world, um, selling, selling and auctioneering patents, uh, patent licenses, IP, and, um, I went off to work at the lyd for a couple years, and during that time I transitioned over into cyber security, and cyber security, you know, really focused on, um, call it right of boom detection, uh, you know, helping in the SOC, which is, you know, 24/7 monitoring for, for threats and things like that, uh, for incidents. Um, and, uh, then I went off, uh, into the, call it the channel, uh, the term MSP, managed service, you know, provider, outsourced IT providers, um, so working with small businesses, medium-sized businesses and startups. Uh, so it kind of shifted, shifted things a little bit, and during that time, uh, it’s interesting because, like, there’s really been this collision with IP and cyber security, and, and maybe John can talk about that a little bit, but patent, you know, people used to, or companies used to really depend on patents to drive their intellectual
property strategy, which is a very public process, right? You, you are declaring your claims, you’re declaring your inventions, you’re declaring your kind of specs. So there’s been this shift over into trade secret, and trade secret is all about keeping things confidential, right, and keeping things that are proprietary in-house. Um, so it really falls directly kind of into that, fits nicely into that cyber security bucket, and I think, you know, Ryan’s history is great with counterintelligence and, as you said, keeping the good, you know, the assets inside the house and keeping the bad guys out, uh, really lines into that. So what are we talking about today? I, I think, you know, this an interesting subject line, which John and I are, we were kicking around, um, about a month ago, is privacy data is a liability, um, and I guess we, we could, we could talk about that a little bit, and, and proprietary data is an asset. And I think a lot of cyber security efforts are really focused on PII, PHI, PCI, you know, regulated privacy data and keeping that safe, and, you know, for argument sake, most companies I don’t think spend equal amount of investment or, or effort on protecting proprietary data, uh, which John will talk about, what is proprietary data, what is trade secrets, and maybe we can talk about, you know, why, you know, why we’re making this argument that it doesn’t get quite the same love that, uh, that privacy data does. So John, do you wanna, do you want to kick that off? Like, what is, what is proprietary data, or what are trade secrets?

Yeah, yeah, I mean, why, why so important? I mean, as Tim’s, Tim’s already said, you know, when we’re back in the, the heyday of patent monetization, uh, you know, it was worthwhile investing a lot of money in patent without any doubt. Uh, there were then some changes at the US, uh, USPTO, the US courts, uh, which made it less easy for you to, uh, to sort of assert your patents in the US courts, and, and it’s gone so far, the pendulum has swung so far now, that in 78% of the cases, now bear in mind, if you’re taking your
patent to court, you believe it’s a really good patent, so if you’re asserting that patent it’s not one of your weak ones, it’s one of your good ones, 78% of those, uh, those claims in those patents are found to be invalid by the very people that granted you the patents in the first place. So, you know, 70, 80% almost of patents are found to be invalid, pretty much, uh, by the very people who granted them in the first place. So you cannot rely on patents anymore. You, you definitely need patents, don’t get me wrong, but you cannot rely on them. And then, you know, overriding that, as, as Ryan’s going to tell us and Tim will allude to, is the fact that, uh, information flows have been happening at the most exce-, you know, excessive rates in the last 20 years, facilitated of course by the internet, uh, and that means that information, which has always flowed easily, is now flowing far more easily, and so governments have got behind trade secrets as a way to contain and sort of protect that information. So patents have sort of faded a little bit, if you like, trade secrets have really risen strongly, and so proprietary information does cover technical and innovative information like tra-, uh, like patents, but it also covers commercial information, uh, for example, you know, customer list, for example, for example your, your profitability information pre-release, uh, and all that kind of good information within the business, uh, launch information, and so on and so forth. So it covers a whole range of things, and, and the point is that, you know, many people on today’s podcast might actually object to us saying, well, actually, there’s too much focus on, on per-, uh, privacy data rather than proprietary data, and I would substantiate that statement by saying that actually, although you think you’re protecting some of your proprietary data, you haven’t taken the steps to protect and defend it using trade secrets legislation, and we can come on to that later, and that really is the KN and the Nu, the issue. So let’s, you know, let’s just put
our cards on the table. We’re now in the day and the age where the vast majority of the value of any business is intangible, protected by IP. Most people have substantial data, information, confidential and sensitive information assets that should be protected by trade secrets, but unless you take the basic steps you will not stand up in court and defend those as trade secrets, and you will probably lose that flow of information. Back to you, Tim.

Awesome, yeah. So trade secrets, right, and I talk about this all the time, every organization, could be a nonprofit, could be a, literally a church, could be a, you know, restaurant, right, they all have trade secrets. None of that is patentable, right? I mean, patent standards have gotten tougher, right, the Alice decision, you can kind of walk through Myriad, like, all these major decisions. Um, it’s gotten harder and harder to patent things, and at the same time trade secret litigation, and John and I like to work backwards from these big cases, thinking Monday morning quarterback, what could we have done four years ago to have won in court and really, you know, prevailed on our IP rights. Um, so trade secret litigation and, and, uh, case law has, is really, you know, pointed to what are these distinct things that I can do at my organization to protect my IP and proprietary data. Um, you know, that, that, that the ROI is just there, and while it’s, it’s start-, it started to diminish in the patent world, in the trade secret world it’s gotten a lot better. Um, but, you know, yeah, yeah, that’s, I think that’s really our, our conversation here. Um, we could talk about, you know, why there’s this divide, right, between, um, proprietary, uh, data not getting the same kind of love, right? Um, privac-, we talked about what is privacy data, PCI, PHI, very easy to define and capture and classify, right? Uh, Social Security numbers got nine, nine digits. It’s easy to figure out where is this, where are the Social Security numbers sitting in my data stack, uh, what do we need to do to protect them. We told the board and
C-suite we’re going to protect these things, because if we don’t we’ll get in trouble, um, by regulators, right? Um, so it’s harder to do that for proprietary data. There’s a lot more nuance, there’s a lot more fuzziness, uh, as John and I like to talk about, in terms of, like, what is valuable data from the proprietary side. Um, um, chances are it’s probably not insur-, insurable, and maybe it is, maybe it isn’t, maybe your, maybe your coverage covers that, but think about most post breach, uh, you know, what is the focus on? It’s usually on privacy data, right, like getting in trouble, um, you know, post litigation you have to do credit monitoring on individuals, right, like everything’s still focused on this, like, privacy aspect. So, um, any, any thoughts on that, Ryan, you know, in terms of why, why we, why we named this podcast kind of what we did, and why there’s this big divide, I think, really, in terms of these two data types?

Yeah, I think you’re right. I mean, it’s a compliance thing, so we have rules that guide how certain types of information must be protected and the standards that they must be protected to, um, and then there’s a litigation on the back end of it whenever that information is compromised in some way. So I think that’s the, it, it almost feels as if that’s the motivation between, behind security, uh, in general, and, you know, I think it’s a, I think we should take a look at security holistically and consider all bits and pieces of data and information that we have, whether it’s PHI, PCI, personal information, PII, and proprietary information. I mean, it’s, it’s all about securing the organization, securing the employees, securing the clients, and doing the things required to, to secure it, not just comply with some, some regulation or some standard, uh, out in the corporate environment.

Awesome, yeah. John, John, any follow-ups on that? The, I mean, these were my thoughts I put on the slide, right, like if someone steals your proprietary data there’s not a lot of regulations that are going to say you’re in trouble, there’s
not a lot of regulations that say you need to disclose your proprietary data breach, just like there was, you know, when you leak, uh, Social Security numbers, when you leak credit cards. Um, the damages aren’t probably immediate, right, like you can’t say personal data was breached, like that employee who walked out with the deck that builds a company and starts a new, you know, new successful unicorn, that might not materialize for four or five years. Um, so it’s, like I said, this, this idea of proprietary data and what’s valuable and what’s kind of misappropriated or runs out the door, it’s, you know, like I said, regulation, the immediacy of it, the insurability of it, um, the breach, uh, you know, the breach duty, the duty to disclose that there was a breach, um, it’s really not there, and it’s, it seems like, you know, employees walk out with things all the time and probably don’t get caught. So what are your, what are your thoughts on that, John?

Yeah, I mean, uh, I just want to give you a quote, actually, uh, on NDAs. Uh, it’s from a US lawyer: there is, however, an, an inherent problem with non-disclosure agreements. You can have all the non-disclosure provisions in the world, but if your key person goes to work for one of your competitors and access, has access to information that is directly competitive, that is directly valuable to the company, and works for a direct competitor, I don’t think any NDAs are going to protect that information, and although people will say they will abide by an ND-, NDA, I, I don’t believe it. And this is from a top trade secrets lawyer. So I think if you take that as your premise, you know, we come back to your fuzzy information definition, you know, what is this information, and what is, what is flowing, and how is it flowing, and, and who’s looking after it. You know, if you, it’s a fiduciary duty in the United States, Tim and, uh, and Ryan, that if you have a data hack, data breach, you have to, within eight days I think it is, 10 days, s-, days, something like, fill in some form, it might be called an 8-K,
uh, to, to report what, what’s been, what’s been taken, right? I, I don’t know, I don’t know any companies have done that as yet, you’ll probably know better than I, but, uh, but that sort of suggest to me that either two things: one, one, they don’t want to reveal that they’d had, most people don’t want to reveal they’ve had a breach, right, first and foremost; secondarily, if they do, they probably don’t know what’s being breached, and that comes back to the sort of identification, data tagging and, and so on and so forth. And then just picking up on something that you, I think you were mentioning, Ryan, uh, in the UK we have ISO 27001, and I guess in the US, Tim, you, you work on SOC 2 quite a lot, uh, but ultimately it’s down to, it’s, it’s not about the training, well, it is about the training, and it’s not about the sort of compliance with various standards, it’s about the lived experience. And I was at a trade secrets conference last week, and, uh, we were under Chatham House rules, but I don’t think this is an, is issue to reveal, Seaman actually said they train all of their people every year on trade secrets and IP, because it’s not a one-off, it has to be a lived experience. People have to understand that you give that information away, that could be profit impacting, that could impact your bonus, that might even be existential for your lineup, etc., and, and until that sort of inculcates the, the culture of the organization then you are at risk all the time, and that comes back to one of the themes today, and that’s the, the insider threat, which I know you, you have a big issue with, Ryan, and you can, you can come to that.

Yeah, no, that’s awesome, so I’ll dive into that, and I think we could probably go, I could skip ahead of slide. I think insider threat, um, might be how we describe how trade secrets, you know, are misappropriated, right? Um, and it’s a, it’s a little bit of a loaded term, and I’d love for Ryan to kind of jump on that, jump on that one, but, um, you know, let me, let me skip ahead, I think I have a slide on that.
Yeah, what, what is insider threat, right? So, um, why don’t you jump on that, why don’t you clear the air a little bit, Ryan?

I’d love to address the, the previous slide before I move into insider.

Yeah, that’s great. Yeah, fall into the gaps. Yep.

The falling into the gaps, because you had cyber security, risk and HR outlined, but if we take a look at a, a corporate security program, a holistic security program, we actually see that security, and especially whenever it comes to information security, proprietary data, uh, the compliance data that we have to, that’s regulated, you have information security, you have cyber security, physical security wrapped around that, you have personnel security, uh, and then you also have, uh, operation security when your employees are out, uh, doing this thing, and then compliance is wrapped around that as well. So what we’re actually looking at when you say falls into gaps, I think it’s a very important point that needs to be highlighted, because if all of these different security functions and HR and legal and compliance are not talking to each other, things do fall through the gap, because there might be something relevant that happens on an HR side. We’ll see insider threats, gu-, hate that term, uh, but we’ll see, you know, people that are doing bad things within the organization. There is a triggering event that typically happens, you know, they got passed over for promotion, they didn’t get the pay raise they expected, they have a falling out with their boss, and then it translates over and we start to see the activity on the cyber security and the risk side. So there’s huge gaps between all of these different security functions that happen in the corporate environment. Now, I like to say that counterintelligence is the glue that binds all of this together, so we’re taking ex-, taking a look externally at the threats that are attempting to try to collect and gather that information, whether it’s nation states, criminal organizations, competitors, business competitors, or just an
individual that wants to go set up his own company, and then we’re, we’re taking a look at the inside of the organization to see if there’s any indication or any type of activity moving in that direction. So we try to fill the gap with counterintelligence, and, and that’s what we did in the government, uh, and it was, it was highly effective. Totally different scenario, where, uh, in government we have true, uh, data classification programs, we have information that’s segmented off in different, uh, network environments, and then you also had a personnel security program that was continuous monitoring and vetted. Now, did we still have problems within that environment? Absolutely, but it’s way better than what I’ve seen done on the corporate side, and I think we could do much better if we kind of learned from the government and employed that in a corporate environment. So thank you for giving me an opportunity to, to address this slide. If there’s any rebuttal or any clarification, please feel free to beat me up.

No, not at all. I’ll actually pile on a little bit, and, and John I think will as well. Um, it’s very interesting, right, so you have IP attorneys, right, who work with general counsel and legal, I should put legal on here as well, um, you’ve got conferences that talk about HR, and then you have, like, trade secret conferences, um, which John just recently attended, I think last week, and the people in that room not, aren’t necessarily, uh, you know, cyber security people, and then the cyber security people talking about insider threat, which I’ve gone to several, call it conferences or roundtables, aren’t the, you know, maybe there’s a lot, generally you don’t see, like, the legal people there, the HR people. So the overlap between these groups and talking about this very problem, which, which I think is a very big deal, that is largely, as we just said on the prior slides, why isn’t it disclosed, why isn’t it showing up in, you know, figures, right? We, we do hear about, like, insider threat, which I think is much of the
problem, because it’s getting misclassified, uh, as a different problem, but what we’re talking about right here is what John just talked about, you know, 90% of company’s value is intangibles, and are we actually protecting it? So John, do you want to jump on that before we jump into insider threat?

Uh, no, I, I, I, I’m really looking forward to, to Ryan’s sort of piece on insider threat. I mean, just, just, uh, at this conference there’s a company in the world with an enormous number of trade secrets, and, uh, it’s like several hundred thousand, and the, the guy’s been, the guy, that assistant general counsel, been doing trade secret program since 2013, uh, and several hundred thousand trade secrets, and he basically says 80% of my risk is insider threat, 80% of my risk of information, sensitive information leaving this organization is, is from people inside the business, and that’s what he’s extremely focused on, that and ensuring he gets on the other side really good innovation. But yeah, 80% of his, his threat he sees as insider. So over to you, Ryan, on the, on the, on the, the terms, we should use a different time.

Yeah, so, and one more thing before you jump into that, Ryan: I challenge anyone who’s listening to this podcast to do a job description look on insider threat, use that term, then do one on privacy, and then do one on trade secret protection or something like that. You will see the job descriptions are very defined, and they don’t, these silos are not being broken. So go ahead. Yeah, here’s, here’s a good one on insider threat, which, which is our favorite term.

Yeah, yes, I, this term so much. So I actually remember the first time I ever heard the term insider threat, and it was in November of 2008. I was in the Heidelberg military intelligence field office, I was running a counterintelligence program, uh, in support of US Army Europe, and a memo came across our desk that said, okay, from now on out Army Counterintelligence will be the proponent for insider threat. Now, of course, you can imagine that created quite the dust
up in the Army Counterintelligence community, because nobody had ever heard of an insider threat. I mean, we were used to dealing with spies and terrorists and international, uh, you know, arms traffickers and, uh, drug lords and that sort of thing, but here’s this new term, insider threat. So the first thing we did was send back a response of, okay, please define the insider threat, because what is it? If you ask 10 different insider threat professionals they’ll tell you 10 different answers: well, it’s workplace violence, it’s, you know, uh, self-motivated, uh, domestic terrorism, it’s international terrorists, spies, it’s the person that breaks into the Burger King, you know, in the local community. I mean, it’s anything that you want the insider threat to be, and so I, I think by misnaming it insider threat we’ve actually done a great deal of d-, damage, you know, to the overall security community. Now, I know that since then whole industries have been spawned to address this thing called insider threat, and most of it’s been looked at from a cyber security standpoint, you know, you have data loss prevention tools, you have logging, you have all of these different things, but we know, uh, depending on what classification of insider threat you’re looking at, and there’s probably a dozen there, the risks and threats are going to, uh, unfold in, like, dramatically, significantly different ways. And I’ll just give you, uh, for instance, uh, people that are going, going to do workplace violence, they’re going to communicate a threat verbally to somebody. Uh, it’s not going to be caught in cyber security logs. They’re going to make a social media post that communicates that they’re going to do something significant and drastic, they may even have a manifesto that they post online, and so that’s totally different than the insider threat that’s a data thief or, you know, stealing your intellectual property and going to walk it over to your competitor. And so by just bundling all of this up you’re asking a security professional to
understand and know how each one of these insider threats are going to unfold, and I think it’s done significant damage to the overall security architecture that we have in the community. Um, so I don’t like the term. I know some people have hung their hat on it, uh, but I wish we would get back to calling things and classifying different threats and risk as appropriately, and that, that’s my soapbox, I’m going to get off of it. Uh, I know I’m about to get a bunch of hate mail.

Oh, actually, it’s already coming in on LinkedIn. Yeah, you know, the interesting thing is, Ryan, and you didn’t even mention the, the negligent insider threat, right, so, like, if you pull up an article right now they’ll tell you that insider threat is $ trillion dollar, whatever, right, and when they say negligent they meant, like, I fell for a phishing link, right, like, and I’m human error. Well, cyber security, I mean, computers do what they’re told, like, isn’t all of cyber security human error somewhere, like, like misconfigurations, uh, excessive access, right, like, they call it human error, right? So I think once again, I, you just mentioned kind of like, uh, you know, like a sabotage or a spy, as opposed to someone who’s maybe didn’t know that, like, I can take this deck, deck with me to the next employee and, and do better job, do, do a better job of my job, or, or help the company, right? So as you said, these intents are vastly different and they’re all under the same umbrella, they’re, they’re getting published in reports, uh, you know, so.

And I, I think as we talk about, if we’re gonna talk about, say, from a counterintelligence perspective, and this is the one that I, I mainly focus on, I’m looking at that person that’s going to steal your intellectual property or proprietary information and walk out the door with it. That also includes institutional knowledge. I mean, just being in contact with the conversations that you have with other experts within the corporate environment, that information, that is proprietary too, and as John alluded to, the NDA is
great, but who abides by that, and how do you enforce it? It’s so hard to do these days anyhow. Um, I mean, it’s, it’s nice, you can threaten people with it as they walk out the door, but they still already have inside information to all of the, the inner workings of whatever company they’re leaving, and they’re taking it to the next place. So I, we can start to see, if we, if we classify correctly and, and get away from this insider threat term, um, and go with something different, I, I’m used to the word spy, maybe that’s not appropriate, but, I mean, if we just take a look at that person that’s going to take your intellectual property, now we can start doing pattern analysis, we can start having real conversations with HR, uh, we can have real conversations with executive, um, actually we can get ahead of it, we could be proactive in it, just through, like, culture surveys. You show me the, the, the team within your organization that has the lowest culture score or has what they call toxic leadership, I will tell you that’s where you’re going to find the most turnover, one, and number two, that’s where all of your intellectual property is going to flow out the organization, or that’s the highest risk of having, uh, intellectual property flow out. So I, I think there’s proactive steps that could take if we classify it right and get away from this nebulous term of insider threat. So again, soapbox issue, uh, but I, I think it’s very, very important and critical that we get to an understanding of what we’re actually dealing with and then address it appropriately.

Yeah, awesome. Yeah, is the, what exactly are we talking about, right? So, and as I said, I think it’s the, those intentions and behaviors, and you just mentioned culture, which is huge, huge in terms of, call left of boom, right, and people use that term in cyber security, being proactive, being preventative, being hardening, as opposed to right of boom, trying to hunt these things down and find them afterwards, right? r and i, a lot of, if, so going back to what I was saying about
looking at insider threat jobs, you’ll find, I think, or you’ll find insider threat hunters, right, that are looking, you know, likely more right of boom, um, as well, like, oh, maybe we can use, uh, user behavior analytics and, and patterns and things like that. So I, it’s, it’s always harder to find things afterwards, right?

It is, and, and we have an over-reliance on the technology. I mean, it’s great, I love the technology, I love data loss prevention, I love UEBA platforms, I’m not throwing shade on any of those, but they’re not the end-all be-all. And just for a couple of examples, uh, with DLP, uh, I would, I could almost tell, uh, well, I, I could tell, from Friday afternoon about 1800, or 6:00 p.m. in the evening, when everybody goes home, uh, to Monday at 6:00 a.m., I would manually pull the logs from the DLP solution and go through them manually, because that would help me identify gaps in our data, uh, DLP alerts and settings, our rule set. And what we would see is signaling event: it’s an employee that sends an email, uh, from their work, uh, email address to their personal email address with the word test only. That’s a signaling, I mean, we know that something’s following that. Another good one is resumes. You know, they would send their resume out over the weekend. Always happened between the hours of Friday at 6:00 p.m. to Monday at 6:00 a.m.,
and it typically happened on Saturday, and I think it’s psychological, that they think, okay, well, nobody’s monitoring my network activity over the weekend. And so you’ll start to see these data exfiltration events happening on Saturday, and on Monday morning we would just block it off and war room it, and then we could identify, uh, who are the people that were going to leave, who are the people that were disgruntled, and who were the people that were going to steal your intellectual property. Now, if we know that ahead of time, if we’re proactive in our approach, we can get ahead of this, you know, maybe even have a conversation with them or shut their network access off or however that works, but there’s a lot of things that we can do if we’re not over-reliant on alerts and incident response and move to a proactive approach to securing the organization.

Awesome, yeah, we, and I have a slide here at the end, Ryan, that you can kind of jump in and talk about, maybe we’ll talk about how this all fits together, right, employee contracts, John can talk about NDAs and IP, IP acknowledgement, and that recurring training, and kind of like, as you said, how do you, how do you merge the, um, deterrence and the kind of behavior nudges, we’ll call it, uh, hope, and then as you said, I think it’s great, you, you’re getting signals as well. Um, corporate America, you know, you’re not reading the, you’re not reading the signals that this guy’s sending his resume out over a weekend, uh, he probably not happy there, so, um, are, are his incentives aligned, is he making enough money, is he happy at his job, right? So I think it’s, it’s all, I think this all fits together, and these silos.

Those points you raised, those couple of points you raised there, Tim, are absolutely fundamental, aren’t they, and, you know, it comes down to having a happier employee who’s productive and is engaged and has got objectives and so on and so forth, and every other aspect is, is satisfied. So just a quick question for you, Ryan: how do you balance the sort of sense of
the snooper, uh, you know, at my activity, versus, you know, keeping me motivated and engaged? How do you, how do you balance that in an organization, with you sort of access to my, my exfiltration activities on a Saturday afternoon?

You, yeah, it’s uncomfortable, and, you know, it’s one of those necessary evils. Um, now, understanding that employees come into an organization and consent to this monitoring, um, and, and we do monitor, even if it’s not a manual process, but we have cyber security technologies all across the board and they’re being monitored. Uh, employees are also monitored by their managers, they’re monitored by their co-workers, uh, so it’s, it can get to be too Big Brother-ish, and I think that there’s points in time when it should be switched on and points in time where you leave it alone. And I’ll tell you some great examples. Uh, during bonus and evaluation time you need to really start honing in on your manual searches, because that’s whenever the greatest amount of turnover is going to happen. When there’s any rumors of layoffs or significant reductions in forces and, and that sort of thing, you’ve got to switch on the manual look. Um, and other significant events, for example a CEO that’s going to turn over, or another key leader within the ex-, or executive team is going to walk away, uh, people start to feel anxiety and angst about the future. Uh, I, I think whenever you have those times within the organization, or when the culture is bad, you need to start switching on the manual. Uh, is it a Big Brother-ish? Yeah, slightly, but we have to, we have to take steps to, to mitigate our risk, and the, the key point to all of it, uh, especially from my point of view, is discretion, being as discreet as possible, uh, and having oversight and control from legal and HR to make sure that we don’t overstep our boundary. And if we have oversight and control from the legal and HR departments, uh, we have the prosecutor, which is legal, and we have the defending counsel, which is HR, and we can work through that situation to make
sure that we’re not violating anybody’s privacy rights yeah good good answer good answer it’s a it’s a fine balance but as you say I keep coming back to personally you know the day you enter the company the day you started the company you have you sit down and HR whoever invites you in welcomes you in talks you through the above you know what you what do you create here is owned by us you know these are the stipulations about what you can and can’t do with our data and then as they leave same sort of conversation uh all recorded of course because that that way you’ve got evidential proofs that the person can’t did have a reasonable level of understanding supported by everything else of contracts and training and so yeah yeah very very interesting but I think and we talked about this before we went live but I I think it actually starts before the hiring process before the the onboarding process yeah yeah you know unfortunately in most cases uh during the hiring process security is not brought in so there’s very rarely a security review of any background checks or any previous information a resume scrub that sort of thing it’s all done at the HR level and I love HR folks I mean they’re fantastic but once that employee is hired and given access security now inherits the problem and so unless we have some buy-in in the hiring process you know before we bring somebody on board I think it’s unfair to the security professional have expectations that they’re going to protect an organization now what is an individual so they have their own personality traits their own motivations their own vulnerabilities they have significant life events that they’re taking care of from a security standpoint especially from a counter intelligence standpoint we we have to have an understanding of what that is because that all of those different things bring risk and as security and risk managers uh not knowing beforehand and inheriting it after the fact puts us in a very uh reactive state yep y 
so I jumped into this busy busy slide but I think uh just for argument sake here um John knows the uh the red the red boxes pretty well um from an IP advisor and and strategy perspective um and then a lot of the tools here and I’m missing some Ryan uh certainly um enforcing those uh policies governance directives whatever you want to call them uh best practices really of of getting these things in place as you say kind of on board pre-onboard as you said the hiring process which I is even better um kind of figuring out what what are the outcomes are um and we’ve I I’ll step back a little here but John um for most of the audience I I think most of them are pretty savvy listeners understand what proprietary data is and what actually falls under trade secret um protection right so you you can enforce right like so we’re we’re not we’re talking about any kind of data right failure data customer logs uh absolutely right customer lists you know anything anything’s proprietary if you don’t want to if if you wouldn’t publish it on your LinkedIn page right now it’s it’s covered under trade secret law and it should be covered under IP acknowledgement non-confidentiality agreements like all these red boxes right and getting that employee I think in the right spot from day one uh of what their expectations are and what their duties are and also Bri I think Ryan informing them by the way we’re not only telling you this this is your duty but like we’re also trust but verify we’re going to use modern cyber security tools to monitor this uh you know monitor compliance right monitor um you know we’re going to look at logs and and you know hopefully we’ll make it obvious as well like we’re going to have cyber security training and then when you try to send something you’re not allowed to send you’re not allowed to send outside of the company you’re going to get a little popup right little toast right it says are you sure you want to send this proprietary data out the door into a 
competitor I don’t know maybe a partner maybe you know maybe a colleague um so like I said holistically this is a busy chart but it all kind of fits together and a lot of these roles as we said HR legal risk um they all need to work together uh to build a you know a cohesive culture right so you um people don’t understand their they understand IP is important understand you know as I said every organization has IP it could be a municipality right it could be doesn’t have to be a corporation could be any kind of organization um and you know yeah I think yeah go ahead John yeah I think you know they you know back to your point earlier that it’s fuzzy every organization has IP most organizations and most specialists engineers devalue what they’ve done right ah it’s not not that important it’s not that valuable and and then when you get a patent attorney to look at it they go wow where you get somebody who really is you know knowledgeable on innovation they go yes this is definitely an inventive step this is definitely a move forward uh this is really valuable information but I think if people devalue what they do that that is an issue to start with and so the you know I I did mention to I just want to step back to this you know what is a definition of a trade secret and what what CR just going to ask you that I was like trade secret’s a loaded term as well because people think it’s the Coca-Cola recipe in the vault right yeah yeah and and they go listen you know I’m not I’m not I’m I’m not I’m not Ryan Rambo I’m not James Bond I’m not in corporate espionage I’m not a spy so that doesn’t relate to me whatsoever you know so I I think that is an issue and it’s a terminology issue as well rard welcome your thoughts on that but just very quickly so trade secret definition very simple it’s business related commercial customer list profitability information or technical information secondly it must not be widely known i.e. it’s a secret and the company’s taking steps and 
measures reasonable measures is the term to maintain its secrecy right then thirdly the fact that it’s a secret must have actual or potential economic value advantage to the business so if all of those steps are met it’s a trade secret it’s very very broad and then I just wanted to to touch on the US courts look at something called e proofs EONA proofs did the tra this is where most fall over yeah we’ve had a trade secret set this happened to Zunum they went to court with Boeing they won 72 million uh they Boeing appealed so we don’t think there was a ever there’s no evidential proof that that that that trade secret was there in 2017 or whenever it was and so Zunum fell over they couldn’t demonstrate that they had it they probably did but they didn’t document it they didn’t date stamp it they didn’t have that existence you know existence information that we would stand up in court and without that you don’t have a trade secret case and this is what go back to my original point yes we’ve got trade secrets and yes we’re taking care of proprietary information are you really would it stand up in court can you show it ex at a c point in time can you demonstrate irrefutably that you own it there clear ownership here uh was notification there were people trained were they contracted were they put on notice that this was a trade secret and put your points you know from the cyber and the information side did they have access do we have demonstrable proof that they accessed and they were able to to to sort of exfiltrate this particular piece of information because without those no case and so most cases are falling over at the moment on did it exist was it documented is it date stamped did exist it on 5th of May 2017 or what it was because without it you know you’re going to lose your 72 million and these are big cases Tim and we talked about this back in the day when we were doing the patents there was some big settlements in you know several hundreds of million well there 
trade secret cases are enormous by comparison now I mean I was looking back to 2008 with the Kevlar case when an employee left the business joined a competitor 922 million 922 million 18 months in jail for the perpetrators significant and then we just had a couple of recent cases hi is classic amongst those cases and I can talk about that but that’s that’s the extraterritorial aspect of trade so yes it happened in the States but we’re going to take it to where else this information flow to to Singapore and to China as well and we’re going to we’re going to seek recourse from those jurisdictions as well uh what was the big one the Pega versus Appian a two billion dollar case two billion dollar case apparently somebody was a spy was put in the the competitor organization for 10 years to feed information back 10 years uh uh so so Tim yeah so definition of trade secret really important and and having demonstrable evidence that it is a trade secret you’ve taken those steps if you haven’t taken those steps it’s not going to stand up in court you don’t have recourse yes so doing the a lot of these best practices here on the left right you you’re going to have a good case four years down the road um and I think it’s it’s even wider than that you said commercial value right like a lot of times we’re not thinking it has commercial value but like I said failure data what are the things we tried that took six months that cost a couple million bucks that didn’t work out that has extreme value right like competitor finds that out and they’re like yeah hey we could just skip skip ahead right like and I guarantee that information is given away really lightly all of the time because perceptibly fuzzily it doesn’t have value Y and and there we we you talked about some of the federal cases but there’s state courts as well and employee contract law starts to like overlap here right like in terms of you know employee obligations uh right like there’s it’s almost it’s the battle is being fought in 
different jurisdictions of different courts so um some are a little easier on marking things as you have to say that that was in the trade secret ledger whatnot and some of them are just like oh this guy violated his employee agreement so so yeah yeah and and as we you know the erosion of non-competes and we talked about this previously you know uh it’s it’s really trade secrets and what you guys do from the data side and the tracking side and security side is is so so important in order to be able to uh to monitor access and demonstrate Pro to prove that there has been uh there has been a breach and so awesome yeah and I actually had to fill out a deposition for court because the the court didn’t believe that we were monitoring everybody uh in the organization that that this was uh that we didn’t have the capability or the desire to do that monitoring and you see on the right hand side I actually had to pull each one of the tools that we were using by name what their purpose was and then how we used the alerting to track and monitor user activity across the network and so it’s critically important for us to support your case by proving out that what we do on the on the right hand side of this chart is actually taking place so one other point I want to make here which I I think is interesting um so what is it going to cost to put in a lot of what we just talked about I think in the last 20 minutes in terms of trade secret protection proprietary data protection if you notice you know most of these elements already exist right everyone has employment agreements everyone has the cyber tools and I think it’s just stepping back and saying you know we’re gonna focus on proprietary data as well as privacy data um you know in terms of leakage so I don’t think this is that expensive I think that you can put in many of the elements that you need to prevail in a trade secret case if you actually do get in one a couple years down the road and it’s it’s really important right 
like like you can put these elements in they’re already here how do you tune them how do you point them how do you use the talents that Ryan’s learned over the last 30 years in terms of protecting all data right um so very quickly if I may just jump in you know fundamental to the whole of this for me is uh identifying the valuable information you know it doesn’t take long you can sit down over lunch and you can go okay so what would we least like to lose what would we least like the competitor to get their hands on how at risk are we of losing that information at the moment and there suddenly you start to get some priorities from there so you know what is the sensitive and valuable information and then Tim I I’d really like to hear about from and and Ryan from your side how you tag that and then how you arguably hide it because you know I’m really concerned now for my uh for for businesses at the moment because if you haven’t identified the sensitive information the valuable information tagged it processed it secured it uh then AI tools are going to be finding it before you even realize that it was valuable and and making use of it and so you know I I really would just like to hear from you guys how you tag data and and then how you so we’ve tagged this is a trade secret top secret most sensitive information how do we then hide it from external hack external sort of AI tools and so on how do we make sure it’s it’s masked or it’s hidden what what technology is there to to support in the area I’m I’m glad we made it 49 minutes without talking about AI sorry yeah this is great right like we we really kind of laid down the fundamentals and now we’re kind of running into this bee swarm of what AI could be um I’ll let Ryan speak but I mean generally like I said earlier it’s very easy to tag nine-digit Social Security numbers credit card numbers whatnot and and call that critical data from a traditional risk management cyber security perspective when it comes to 
proprietary data and labeling it it’s very hard I’ve seen some really cool solutions out there that are using LLMs and we can get into like should I even turn an LLM on before that but Ryan you want to jump on that one maybe yeah I was going to say the same thing it’s it’s a problem especially for a company that’s been around for 30 years trying to go back through all of that data and tagging it uh 30 years worth of dabing I mean it could be 16 17 terabytes worth of information just out of floating around you know in different locations but I have seen some really cool tools that are entering the market that are that you can uh do keyword searches you like hey if it says financial or dollar or you know PHI or or something like that it can go through your network and tag that information now was at 100% no but even if we get to a 60 70% solution we’re still better off than we were yesterday so some great tools on the market uh if anybody’s interested in in learning about that uh just reach out to me and I don’t want to put it on you know Public’s face and be a an advertisement for them but uh but I do know that they’re out there and and that they’re working uh but again you know and if you don’t understand what it is that you’re you have to protect very very difficult uh to protect yeah I I’ve I’ve spoken to corporations giving some paid speeches and this is starting to overlap a little bit with like innovation programs right like tagging things and labeling things that you think are important um it isn’t it it isn’t as as a manual exercise it’s almost impossible to like reverse kind of 30 years of of sunken data that’s unstructured unsorted untagged unclassified um a lot of the solutions I’m seeing are just in time right they’re popping up like while you try to send an email while you try to kind of send it out the door um you know one of the boxes on the right here has managed browser DLP SIEM like all solutions that Ryan deals with like these things are looking 
at the data flow in motion um not at rest right like and and trying to stop there but still you know all very important elements of supplying you know a trade secret attorney or you know making sure that the culture is in place and I I love what Ryan said as well about kind of like uh seeing the tea leaves and like realizing you know left of boom before there is a problem um a lot of these things are great deterrents right and they’re they’re the smoking gun if there is a trade secret case like you there was a popup and a toast that basically said don’t send this and you sent it anyway and you knew you were under obligation so um you know there’s there’s a lot you can do to position yourself um to protect proprietary data so John you uh I know we’re running out of time here but um one more one more thought before maybe we go into last last thoughts yeah uh I have a a sort of I’m actually really interested Ryan classification of trade secrets classification of of sensitive information and know what what was what do you think is is is best I I run with very simple top secret secret confidential and then either public and published or just public you know because information moves down and eventually it’s going to be public or published potentially what what do you and I’m and I’m doing that primarily on the information the proprietary information side of things but I realize also that over here in the organization there’s an information security side of things that has some form of classification as well and ideally we’re going to bring those together so I just wonder what your best practice is on uh you know classification what you think is a good sort of standard and and how we bring you know privacy into into proprietary uh from a classification side I’m glad you waited to ask me the easy question last no but I I agree with you I’m more comfortable with top secret secret and confidential that’s what we used in the government and it was all based off of damage you know 
top secret you know if it was compromised it would cause severe damage you know secret some damage and confidential okay it’d be damaging but we’ll get past it we need to define those same terms in the corporate environment and I have seen it where it’s proprietary you know no release uh trade secret no release confidential and then for a lack of a better word uh instead of unclassified they would just say you know public use or or something like that I don’t like those terms as much I I don’t think it speaks to the amount of damage that losing that information can cause uh so if I was to give advice I would love to go with some top secret secret confidential uh classifications and I think it’s important too because if you’re going to interact with law enforcement in any way and these cases are a legal we have to have common terms that we can talk back and forth to our government partners with and whenever we tell them that hey this is a trade secret and they’re like okay well what does that mean to me just say okay it’s top secret now they get it and yeah I think it just makes it easier if we’re speaking in common terms yeah I like that a lot yeah couple minutes left here uh go around the horn closing thoughts um John you want to go first uh yeah I I feel like this is such a fascinating area I really want to do some more in this area I think it’s bringing together two worlds but but as you said Tim it’s not it’s what did you say you know minding the gap between legal information security cyber security proprietary information HR business R&D engineering it’s a big ask it’s bringing all those different parts of a business together on one theme which ultimately to me is culture uh but that’s not an easy an easy thing to achieve so I’m going to let Ryan conclude and you conclude on how to do that oh another easy question no I uh um thank you so much I think this is an important conversation I would love to talk uh maybe in future iterations about operation 
security you know what is it like when an employee takes their laptop mobile device and travels to a high-risk country um you know those operational things when they attend a conference when they’re going to other client sites and that sort of thing uh because I think it’s as important as cyber security but it gets neglected because we you know it’s just doing business but fascinating talk I could do this all day I just love it that much so thank you John thank you Tim for inviting me on fascinating conversation awesome awesome so I’ll wrap up and uh I think one thing I want to point out is that this is a tremendously big opportunity as well I I think we we tried to illustrate that it is a problem proprietary data protection is also a massive opportunity for IP attorneys for CISOs to talk about why they need more budget why they need um you know what they’re actually protecting because I think this largely gets even in terms of risk management if you look at a risk ledger and a um you know you’re looking at uh what’s the holistic risk of the business I think this get this just get it gets missed right like the key elements of this and so I think it’s a I think it’s a huge opportunity for legal it’s a huge opportunity for cyber external you know IP counsel um John and I are really you know we’re really excited about this I think it’s hasn’t been a straight road either right like it’s been um a little bit of trying to understand kind of what is the problem who needs to be involved what are the key elements and Ryan you know your detail and kind of you being on boots on the ground and understanding where what’s really effective I think it’s been really helpful as well so um but after that that’s that’s all I got um I uh I can’t wait to have you guys on thank you again for coming and uh I’d love to talk about the operational aspects because I think you know how do you do this is uh the more people know the more they can implement it and and build as we said a 
strong cyber security IP and data protection culture so until next time thank you very much thanks Tim thanks Ryan thanks everybody Che