Covering Tracks

January 25, 2018

I have been running into an interesting phenomenon – more and companies are taking steps to conceal their major construction/renovation filings made with local governments. It has been going on for a while, but seems to be increasing in the last 2-3 years.

That raises two, no, three questions: Why, How, and What Can I Do About It?

Why?

Major construction/renovation filings with local governments, such as building permits, zoning applications as well as applications for state waivers, such as dealing with highway/rail access or environmental issues, are all “tells”. That is, they indicate the coming of an important action which the target, your competitor, does not want the public, and certainly its competitors, to know.

To be fair, such actions usually do not prevent the release of such information – but they substantially delay that release, whether to competitors or to the local press.

How?

Here we are not talking about abusing open records acts by tactics such as improperly claiming ordinary data is confidential or a trade secret. What is done is making the filings under other names, to foil inquiries for or even attention paid to these records. That is done in at least two ways. One is to make them under the name of a subsidiary not identified with the parent. Another is to have another party to the transaction, such as the company managing the construction project, make the filings under its own name.

Cute.

What Can You Do About It?

Well, not a lot. If you suspect that a competitor is going to engage in such a project on an existing site, you can ask the local government for filings covering the current address, as well as adjacent properties. If the issue is a competitor which may be building a new facility at a new address, then try to determine what areas are likely sites, and then follow real estate sales and leases on a micro level – checking local papers every week for “suspicious” transactions, and then drilling down at the municipal or county level, as appropriate.

Defense against CI is always improving which is why our CI strategies and processes must always try to get better, too.


Open Records?

July 11, 2017

This week, a local paper[1]reported that applicants for Pennsylvania medical marijuana licenses were permitted to submit two versions of their applications: one for evaluation by the state’s licensing authority and a second, self-redacted version, for public release.

What was released to the public was a bewildering mass of blacked-out text. In addition to blacking out notes on proximity to health care facilities, maybe, maybe, a competitive or confidential issue, they variously redacted page numbers (?), the business’ name and address (!), and the business’ expected impact on the local community, which seems to be exactly what should be released. One applicant is described as redacting “nearly its entire 186-page grower application, including [the official] instructions” (?!)

The article quoted a Marijuana trade association official who said that these companies were “looking at what their competitors are going to see” and redacted that. Page numbers? And, Pennsylvania officials say that they cannot un-redact what has been blacked out. Then, consider the questions of why a filer can ever exercise absolute control over what is disclosed from public records, and why Pennsylvania ever created this public/private record system.

Ever wonder why Open Record laws don’t work?

[1] Nicole C. Brambila, “Marijuana firms redacted many parts of applications”. Reading Eagle, July 10, 2017, A1, A3.


Off-Site Meetings

July 15, 2016

When holding any meeting or training session off-site, in a hotel or conference center, you and your firm need to apply several proven techniques to protect your competitively sensitive data (CSD).

Here are 10 easy steps to take:

  • Keep the names of meetings and their subject generic on all displays at the site, and never leave a list of attendees, badges, or meeting schedules and handouts (see below for more on this) on an unattended (at any time) registration table in the hall.
  • Is someone actually checking that everyone coming into the meeting room has a badge? If you do not spot me, you cannot stop me, can you?
  • For all breaks, either (a) secure the room from outsiders – that is, put a guard in there or lock the door when everyone is out, or (b) collect all materials from all desks and tables. Actually, doing both is better.
  • When leaving a room, particularly at the end of the day, police it yourself. Take down all flip charts and dispose of them (with the hotel, not just in a trash basket or recycling bin in the room), wipe down all white boards, remove all company equipment (including CDs or jump drives used by presenters which may have been left on a podium), and clear all tables and desks of all papers. Those should be disposed of with the hotel.
  • Do not use jump drives if you can avoid it. Why? They are easy to leave around for someone else (a competitor) to pick up. Also, a fast way for hackers to penetrate your systems is to infect a plain looking jump drive. If no one is using jump drives, then hopefully no one there will pick up a lonesome drive and boot it up at the meeting or back in the office looking to see who owns it.
  • Avoid using handouts. They are easy to lose or just drop into the (unsecured) trash or recycling bin. If there are materials to be consumed at or after the meeting, put them on a secure, password protected website so the attendees can access them.
  • Conversations about the meeting, the company, and CSD in particular, should be confined to meeting rooms. The bar is last place they should be held – and perhaps the first place I would be checking.
  • Phone calls back to the office should be conducted in the meeting rooms, or the individual’s hotel bedroom. Never, never conduct then in the halls. I may be standing near you.
  • The same is true of going over materials provided online. If I can see you, I may be able to read what is on your computer. That includes in the hotel lobby, as well as in an airport or on an airplane.
  • Who else is holding a meeting, training, etc. there? A competitor? A critical supplier or customer? While you do not have the leverage you do if you were booking a large portion of the hotel to keep them away[1], you can at least ask the hotel if any of your direct competitors (provide them with a short list) or other sensitive firms (another short list) will be there. If so, take extra care to protect everything.

Oh, enjoy the meeting.

[1] For more on security in such situations, see Rob Carey, “Meetings Security: The X Factors”, Smart Meetings, July 2016, pp. 76 et seq.

 

 


A Quick Start Defensive CI Checklist

May 31, 2016

What is competitively sensitive data (CSD)? CSD includes data from which a third party can reconstruct your trade secrets as well as data which, if accessed by competitors, would diminish your competitive advantage and/or improve theirs. That varies from firm to firm and could be customer lists, product formulations, pricing tactics, total sales and profits, or employee incentive systems.

Very few firms worry about restricting the way their competitors may be able to access CSD. Even fewer firms have formal defensive CI programs. However, there are a few simple first steps that all firms and individuals involved with CI can take to protect against their competitors’ actual or potential CI activities.

Here is a short check list to get started:

  • Identify which of your data is truly competitively sensitive.
  • Assess your current CSD inventory. In particular, check your business web sites as well as the firm’s social media sites, such as postings on YouTube and Face Book for CSD already in plain sight. Take it down at once. Check employee sites for similar leaks and alert them to take action.
  • Know where your firm produces and stores CSD, who has access to it (including third party contractors), and why they have that access.
  • Minimize your CSD footprint. Restrict access to CSD by your personnel and third parties. Base that access not on trust or previous reliability, but only on a real, current need to know.
  • Train all employees, particularly those that are customer-facing, such as sales and support, on what CSD is and how to spot efforts to get access to it.
  • Work with third parties who have access to your CSD to sensitize them to the need to protect it. Make sure your agreements with them cover this point.
  • Work with corporate security to reinforce protections against the accidental release of CSD as they do with trade secrets.
  • Make sure employees and third parties know who to notify if they suspect the possible leak or loss of CSD.
  • Don’t over react. CSD usually loses its value over time, so don’t try and protect everything from everyone forever.

Securing Off-site Meetings

November 4, 2015

The popularity of holding off-site meetings comes and goes. In some cases, their use is designed to bring together people from offices or locations that don’t normally have physical interaction. In other cases, they serve to enhance team-building. In yet others, it is to provide a measure of security not available at a company’s regular offices for matters of some sensitivity.

There are a number of simple steps that should be taken at off-site meetings to prevent the accidental release or purposeful capture of sensitive or confidential information, whether to competitors, the media, or the public:

  1. Find out who else has meetings at the site you are considering using. While you may secure your site, when your people are taking a coffee break they start talking in the hall and others may overhear their conversations. You should do this at two points: first when you’re considering retaining these site and second, just before you go there to see if things have changed.
  2. Make sure you check everyone that comes into the room. Outsiders can wander in “accidently”.
  3. If you are going to have a registration table and/or display table, consider putting it inside the room or rooms you’ll be using rather than the hall. If you place it in the hall, then you need to have somebody of the table at all times to keep the materials secured as well as to keep from prying eyes things like attendance lists, notations of incoming calls, etc.
  4. If you are distributing materials at the meeting, distribute them that the meeting, not before. In fact, distribute them in the conference room, in public halls the hotel or convention center.
  5. Clearly mark all materials as company confidential, proprietary etc. This will not stop some people from taking these materials, but will discourage those who operate on an ethical basis. It also should alert your attendees to be careful with them.
  6. Remind the people there that what you are doing is confidential, and is not to be discussed outside of the meeting rooms, including in the halls, at the bar, the pool, on the golf course etc. No discussion outside of the room means no In addition, remind them that any materials you hand out are to be handled with care. If it is a very sensitive matter you may consider having people leave materials in the room and locking it at the end of each day.
  7. Keep communications in the room secure. Have all attendees turn off all smart phones and tablets. That is aimed at keeping attendees from recording the proceedings or taking pictures, as well as communicating with outsiders. If that is not possible, ask that these instruments be put in airplane mode, so that no incoming or outgoing calls can be made. This also cuts down on distractions.
  8. When you are done with the meeting, sweep the room – yourself. Do not rely on the hotel staff for this. That means collecting all materials and notes left behind, wiping all whiteboards completely, and removing all trash from trash cans that have been the depositories for conference materials. Securing a room during the meeting and then leaving copies of the agenda with a whiteboard showing conclusions reached on a new marketing campaign is not security – it is folly.

By the way, if you’re holding the meeting on-site and it is a sensitive matter, the same cautions apply.


Competitively sensitive data

August 18, 2015

The SEC announced indictments on August 11, 2015 for insider trading. What was unusual was that these were not indictments of corporate insiders, but rather of “hackers” who had been accessing corporate press releases before they were published.[1] These hackers hacked into information on earnings and arranged for trading on the impacted stocks before the releases were made public.

“In one particularly dramatic instance on May 1, 2013, the hackers and traders allegedly moved in the 36-minute period between a newswire’s receipt and release of an announcement that a company was revising its earnings and revenue projections downward.  According to the SEC’s complaint, 10 minutes after the company sent the still-confidential release to the newswire, traders began selling short its stock and selling CFDs [contracts for difference], realizing $511,000 in profits when the company’s stock price fell following the announcement.”

This case shows the value of sensitive information which is accessed before it is made “public” and also should reinforce the need to protect such information. In this case, there was only a short period of time before the information was made public, but, for those few moments, the non-public data was worth over ½ million dollars.

For those of us in competitive intelligence, there is a similar lesson. Competitively sensitive information must be kept from your competitors, at least so long as its loss would be damaging. However, very few firms work to protect themselves against CI (and, as this series of indictments shows, not always successfully against hackers, either).

Those of us who work with CI should be the most forceful advocates for the creation and maintenance of a business-wide program to defend against the CI efforts of our competitors.[2] Such a program is an invaluable supplement to your own (offensive) CI efforts.

“If I am able to determine the enemy’s dispositions while at the same time I conceal my own, then I can concentrate and he must divide.” — Sun Tzu, The Art of War

[1] http://www.sec.gov/news/pressrelease/2015-163.html

[2] For much more on that, see John J. McGonagle and Carolyn M. Vella, Protecting Your Company Against Competitive Intelligence, Praeger, 1998.


What is public?

January 6, 2015

A recent state court case in Pennsylvania brings into focus the issue of “public”. As you know, or should know, one of the key elements of competitive intelligence is the use of public resources to develop intelligence. As I’ve said many times, public is broader than published, but this case adds a new twist.

The case involves an FBI affidavit of probable cause to search an individual’s home. The state case itself is but one element in a very complicated story[1], one of whose key elements is that the federal affidavit in question was supposed to be confidential, sealed by order of a federal court in 2006. With a series of twists that are interesting to read, but difficult to summarize, the affidavit in question was later filed by a law firm in a civil case against its former client, the subject of the search warrant (I told you it was complicated).

The state court found that this affidavit, even though sealed by order of a federal court, was a “public record”. As it turns out, the affidavit was erroneously attached to a publicly accessible section of the federal court’s docket, which was in the online docketing system. That meant that the affidavit was “left unsealed on that docket for years”. The state court determined that this made the federal affidavit a “public record”.

The lesson? Just because a document should be confidential, or even a trade secret, doesn’t mean that it cannot be used in your competitive intelligence analysis if, and I stress if, it has been made “public” in some way, even accidentally. Therein also lies a warning – to keep information and data confidential is an ongoing task where even one misstep can destroy the legal protections against its disclosure or use.

[1] For more details on the case, see Gina Passarella, “Pepper Hamilton Can’t Be Sued for Using Public Documents”, The Legal Intelligencer, January 6, 2015.