jd-photodesign - stock.adobe.com

How to tackle intellectual property crime

Crimes against intellectual property are big business for organised crime groups, commercial competitors and foreign states alike. In the first of a series of legal columns, David Cowan offers a practical approach

Intellectual property (IP) industry associations are pushing for more focus on fighting IP crime. The rapid rise of IP crime, and accusations by the US made towards China in the battle for tech supremacy, have led to greater attention being focused on what is often portrayed as a “victimless” crime.

It seems increasingly apparent that the IT industry needs to act, both to protect business and respond to public policy concerns. IP crime affects the computer industry both in terms of developing and deploying legitimate innovation, and in the use of technology to commit crimes. But IP crime doesn’t just benefit criminal organisations, it also aids foreign intelligence services and commercial competitors.

Law enforcement agencies – including Interpol, Europol and the FBI – have been taking IP crimes very seriously for some time now and are pushing global initiatives.

IP crime is the manufacture, sale or distribution of counterfeit or pirated goods, such as such as patents, trademarks, industrial designs or literary and artistic works, for commercial gain. International trade in counterfeit products stands at 3.3% of global trade, according to the OECD and the European Union (EU)’s Intellectual Property Office 2019 joint report Trends in trade in counterfeit and pirated goods. This is up from 2.5 %, or as much as €338bn, according to 2013 data.

The problem is big, but is about to get bigger. Last week, Europol published the EU serious and organised crime threat assessment (EU SOCTA 2021). Published every four years, the report states that the threat of serious and organised crime is at its high point, exacerbated by the Covid-19 pandemic and the potential economic and social fallout expected to follow.

Responding to the Europol report, the International Trademark Association (INTA), along with other IP trade association bodies, issued a statement demanding that IP crime be put higher on the list of priorities. Citing Europol’s current priorities for its European multidisciplinary platform against criminal threats (EMPACT), INTA says the current EMPACT 2018-2021 priorities do not include IP crime or counterfeiting, noting that environmental crime was deemed a higher priority.

The problem is global, but there are many best practices that individual computer businesses can utilise to protect themselves. It is often said that charity begins at home; well, the same is true of the obverse.

Getting access to IP is commonly done by attacking the weakest link, which means targeting employees, whether it be a disaffected programmer, a crew operator at sea or an opportunistic office manager. Given the focus on insider crime, the FBI identifies six behavioural indicators that an employee could be stealing a company’s intellectual property:

  1. Unnecessary or authorised taking home of proprietary material.
  2. Showing undue interest in matters outside the scope of the employee’s duties.
  3. Working odd hours without authorisation, remotely accessing the computer network.
  4. Unexplained affluence.
  5. Unreported foreign contacts.
  6. Short trips to foreign countries for unexplained or unusual reasons.

However, employees are only one, albeit significant, part of the access challenge. The Alliance for Gray Market and Counterfeit Abatement (AGMA), a California-based non-profit organisation tackling the global impact of intellectual property rights issues, has identified six key areas of focus as “must-haves” to protect digital IP on a basic level:

  1. Access control policies and procedures: Imperative to review access to all applicable systems to identify risks, and outline controls placed on both direct and remote access to computer systems to protect networks and data.
  2. Event logging: Essential to maintain a healthy system and see what is happening.
  3. Monitoring and reporting: Monitor and identify trends or transactions outside of norms or expectations on an ongoing basis and be ready to take immediate enforcement actions.
  4. User awareness and training: Information security awareness training is an effective tool against IP theft.
  5. Design security: The seeds of failure are sown at the beginning, so to ensure success, security should be at the core of design from conception to market, and throughout the lifecycle of a digital asset.
  6. Continuous improvement: Digital IP requires constant monitoring, risk reviews and continual enhancement of security policies and controls.

Ensuring the robustness of the protocols in place becomes critical in crisis situations – which may include product deadlines, customer crises or fast-approaching sales goals – as haste and impatience often undermine protection protocols to break down, and this should be included in all crisis response and also in crisis communication.

Another solution to deploy is what I call the IPLAW approach:

  • Identify: Make an inventory of your most valuable IP, who has authorised access and what parameters apply.
  • Programme: Create and implement an insider threat programme, with a dedicated team, supported and resourced from the top with participation of all stakeholders.
  • Look: Monitor the IP integrity of your IP by deploying effective tools such as network monitoring software and data loss prevention tools to manage identity and access to management controls – look at AI applications to identify or warn of insider threat risks.
  • Augment: Technology solutions must be accompanied by human intelligence that is objective and evidence-based analysis used to interpret technical data and behaviour patterns.
  • Warn: Be wary of the diversity of external threats, for example when attending industry events, brief employees on security concerns in terms of conversations they might have, presentations they give, and protection of products and equipment on display.

David Cowan is an associate lecturer in law at the National University of Ireland Maynooth.

Read more on Hackers and cybercrime prevention

Data Center
Data Management