Much has been written on limiting IP theft. The most commonly used tools are contracts, policies, and technological or physical protection.
All staff should sign some form of an employment contract. Where IP is concerned, this contract should clearly state where ownership lies. It’s best to not only include an assignment of IP to the employer, but also a confidentiality clause and obligations on the employee to return copies of IP on termination.
In extreme cases, when parting with staff with access to sensitive or valuable IP, you might consider a forensic examination to ensure that IP has not been taken or copied.
Employment contracts should be backed up by employee policies, and should specify that the employee must adhere to these policies as a condition of employment.
These policies should set out clear guidelines for protecting the company's IP and may include:
- a clear desk / clear screen policy that requires employees to clear their desk, lock their computers or log off entirely when leaving their desk. It can also apply to portable devices and specify how they may be used in public spaces
- document security policies, such as requiring that IP never be printed, emailed or moved outside of the office (including in electronic form)
- physical security policies regarding storage of IP
- information barriers, ensuring that IP is only accessible on a "need to know" basis. This can include splitting up information for a product across multiple teams so that no members of a single team can act alone to recreate the product
- a requirement that collaborative teams are used for the development of any IP
- IT security policies, dealing with such issues as infrastructure security, encryption, passwords and user privileges.
Technological or physical security
The final line of protection is technological or physical security. These avenues should support and enforce the relevant policies.
This may be as simple as safes or locks, or may extend to information security practices such as:
- restrictions and logs documenting access to commercially sensitive code bases, documents and information
- restrictions on using smartphones or other employee electronic devices
- bag searches, or requiring bags be left in lockers
- backup procedures
- encryption of IP
- dividing IP access and storage amongst different geographical locations
- ensuring employee devices (mobiles and tablets) used to access IP can be remotely locked down and securely erased
- restrictions on use of printing, email, laptops, web-based uploading and USB sticks
- ensuring that systems which hold any IP or information are not connected to the internet or other unsecured networks.
These protections are particularly important when there is a fluid workplace environment. Often the best protection is to ensure that the IP cannot be taken outside the workplace in the first instance.