Open Records?

July 11, 2017

This week, a local paper[1] reported that applicants for Pennsylvania medical marijuana licenses were permitted to submit two versions of their applications: one for evaluation by the state’s licensing authority and a second, self-redacted version, for public release.

What was released to the public was a bewildering mass of blacked-out text. In addition to blacking out notes on proximity to health care facilities, maybe, maybe, a competitive or confidential issue, they variously redacted page numbers (?), the business’ name and address (!), and the business’ expected impact on the local community, which seems to be exactly what should be released. One applicant is described as redacting “nearly its entire 186-page grower application, including [the official] instructions” (?!)

The article quoted a marijuana trade association official who said that these companies were “looking at what their competitors are going to see” and redacted that. Page numbers? And, Pennsylvania officials say that they cannot un-redact what has been blacked out. Then, consider the questions of why a filer can ever exercise absolute control over what is disclosed from public records, and why Pennsylvania ever created this public/private record system.

Ever wonder why Open Record laws don’t work?

[1] Nicole C. Brambila, “Marijuana firms redacted many parts of applications”. Reading Eagle, July 10, 2017, A1, A3.

Off-Site Meetings

July 15, 2016

When holding any meeting or training session off-site, in a hotel or conference center, you and your firm need to apply several proven techniques to protect your competitively sensitive data (CSD).

Here are 10 easy steps to take:

  • Keep the names of meetings and their subject generic on all displays at the site, and never leave a list of attendees, badges, or meeting schedules and handouts (see below for more on this) on an unattended (at any time) registration table in the hall.
  • Is someone actually checking that everyone coming into the meeting room has a badge? If you do not spot me, you cannot stop me, can you?
  • For all breaks, either (a) secure the room from outsiders – that is, put a guard in there or lock the door when everyone is out, or (b) collect all materials from all desks and tables. Actually, doing both is better.
  • When leaving a room, particularly at the end of the day, police it yourself. Take down all flip charts and dispose of them (with the hotel, not just in a trash basket or recycling bin in the room), wipe down all white boards, remove all company equipment (including CDs or jump drives used by presenters which may have been left on a podium), and clear all tables and desks of all papers. Those should be disposed of with the hotel.
  • Do not use jump drives if you can avoid it. Why? They are easy to leave around for someone else (a competitor) to pick up. Also, a fast way for hackers to penetrate your systems is to infect a plain looking jump drive. If no one is using jump drives, then hopefully no one there will pick up a lonesome drive and boot it up at the meeting or back in the office looking to see who owns it.
  • Avoid using handouts. They are easy to lose or just drop into the (unsecured) trash or recycling bin. If there are materials to be consumed at or after the meeting, put them on a secure, password protected website so the attendees can access them.
  • Conversations about the meeting, the company, and CSD in particular, should be confined to meeting rooms. The bar is the last place they should be held – and perhaps the first place I would be checking.
  • Phone calls back to the office should be conducted in the meeting rooms, or the individual’s hotel bedroom. Never, never conduct them in the halls. I may be standing near you.
  • The same is true of going over materials provided online. If I can see you, I may be able to read what is on your computer. That includes in the hotel lobby, as well as in an airport or on an airplane.
  • Who else is holding a meeting, training, etc. there? A competitor? A critical supplier or customer? While you do not have the leverage you would if you were booking a large portion of the hotel to keep them away[1], you can at least ask the hotel if any of your direct competitors (provide them with a short list) or other sensitive firms (another short list) will be there. If so, take extra care to protect everything.

Oh, enjoy the meeting.

[1] For more on security in such situations, see Rob Carey, “Meetings Security: The X Factors”, Smart Meetings, July 2016, pp. 76 et seq.



A Quick Start Defensive CI Checklist

May 31, 2016

What is competitively sensitive data (CSD)? CSD includes data from which a third party can reconstruct your trade secrets as well as data which, if accessed by competitors, would diminish your competitive advantage and/or improve theirs. That varies from firm to firm and could be customer lists, product formulations, pricing tactics, total sales and profits, or employee incentive systems.

Very few firms worry about restricting the way their competitors may be able to access CSD. Even fewer firms have formal defensive CI programs. However, there are a few simple first steps that all firms and individuals involved with CI can take to protect against their competitors’ actual or potential CI activities.

Here is a short checklist to get started:

  • Identify which of your data is truly competitively sensitive.
  • Assess your current CSD inventory. In particular, check your business web sites as well as the firm’s social media sites, such as postings on YouTube and Facebook, for CSD already in plain sight. Take it down at once. Check employee sites for similar leaks and alert them to take action.
  • Know where your firm produces and stores CSD, who has access to it (including third party contractors), and why they have that access.
  • Minimize your CSD footprint. Restrict access to CSD by your personnel and third parties. Base that access not on trust or previous reliability, but only on a real, current need to know.
  • Train all employees, particularly those that are customer-facing, such as sales and support, on what CSD is and how to spot efforts to get access to it.
  • Work with third parties who have access to your CSD to sensitize them to the need to protect it. Make sure your agreements with them cover this point.
  • Work with corporate security to reinforce protections against the accidental release of CSD as they do with trade secrets.
  • Make sure employees and third parties know who to notify if they suspect the possible leak or loss of CSD.
  • Don’t overreact. CSD usually loses its value over time, so don’t try and protect everything from everyone forever.

Securing Off-site Meetings

November 4, 2015

The popularity of holding off-site meetings comes and goes. In some cases, their use is designed to bring together people from offices or locations that don’t normally have physical interaction. In other cases, they serve to enhance team-building. In yet others, it is to provide a measure of security not available at a company’s regular offices for matters of some sensitivity.

There are a number of simple steps that should be taken at off-site meetings to prevent the accidental release or purposeful capture of sensitive or confidential information, whether to competitors, the media, or the public:

  1. Find out who else has meetings at the site you are considering using. While you may secure your site, when your people are taking a coffee break they start talking in the hall and others may overhear their conversations. You should do this at two points: first, when you’re considering retaining this site, and second, just before you go there, to see if things have changed.
  2. Make sure you check everyone that comes into the room. Outsiders can wander in “accidentally”.
  3. If you are going to have a registration table and/or display table, consider putting it inside the room or rooms you’ll be using rather than the hall. If you place it in the hall, then you need to have somebody at the table at all times to keep the materials secured as well as to keep from prying eyes things like attendance lists, notations of incoming calls, etc.
  4. If you are distributing materials at the meeting, distribute them at the meeting, not before. In fact, distribute them in the conference room, not in public halls of the hotel or convention center.
  5. Clearly mark all materials as company confidential, proprietary etc. This will not stop some people from taking these materials, but will discourage those who operate on an ethical basis. It also should alert your attendees to be careful with them.
  6. Remind the people there that what you are doing is confidential, and is not to be discussed outside of the meeting rooms, including in the halls, at the bar, the pool, on the golf course etc. No discussion outside of the room means no In addition, remind them that any materials you hand out are to be handled with care. If it is a very sensitive matter you may consider having people leave materials in the room and locking it at the end of each day.
  7. Keep communications in the room secure. Have all attendees turn off all smart phones and tablets. That is aimed at keeping attendees from recording the proceedings or taking pictures, as well as communicating with outsiders. If that is not possible, ask that these instruments be put in airplane mode, so that no incoming or outgoing calls can be made. This also cuts down on distractions.
  8. When you are done with the meeting, sweep the room – yourself. Do not rely on the hotel staff for this. That means collecting all materials and notes left behind, wiping all whiteboards completely, and removing all trash from trash cans that have been the depositories for conference materials. Securing a room during the meeting and then leaving copies of the agenda with a whiteboard showing conclusions reached on a new marketing campaign is not security – it is folly.

By the way, if you’re holding the meeting on-site and it is a sensitive matter, the same cautions apply.

Competitively sensitive data

August 18, 2015

The SEC announced indictments on August 11, 2015 for insider trading. What was unusual was that these were not indictments of corporate insiders, but rather of “hackers” who had been accessing corporate press releases before they were published.[1] These hackers hacked into information on earnings and arranged for trading on the impacted stocks before the releases were made public.

“In one particularly dramatic instance on May 1, 2013, the hackers and traders allegedly moved in the 36-minute period between a newswire’s receipt and release of an announcement that a company was revising its earnings and revenue projections downward.  According to the SEC’s complaint, 10 minutes after the company sent the still-confidential release to the newswire, traders began selling short its stock and selling CFDs [contracts for difference], realizing $511,000 in profits when the company’s stock price fell following the announcement.”

This case shows the value of sensitive information which is accessed before it is made “public” and also should reinforce the need to protect such information. In this case, there was only a short period of time before the information was made public, but, for those few moments, the non-public data was worth over ½ million dollars.

For those of us in competitive intelligence, there is a similar lesson. Competitively sensitive information must be kept from your competitors, at least so long as its loss would be damaging. However, very few firms work to protect themselves against CI (and, as this series of indictments shows, not always successfully against hackers, either).

Those of us who work with CI should be the most forceful advocates for the creation and maintenance of a business-wide program to defend against the CI efforts of our competitors.[2] Such a program is an invaluable supplement to your own (offensive) CI efforts.

“If I am able to determine the enemy’s dispositions while at the same time I conceal my own, then I can concentrate and he must divide.” — Sun Tzu, The Art of War


[2] For much more on that, see John J. McGonagle and Carolyn M. Vella, Protecting Your Company Against Competitive Intelligence, Praeger, 1998.

What is public?

January 6, 2015

A recent state court case in Pennsylvania brings into focus the issue of “public”. As you know, or should know, one of the key elements of competitive intelligence is the use of public resources to develop intelligence. As I’ve said many times, public is broader than published, but this case adds a new twist.

The case involves an FBI affidavit of probable cause to search an individual’s home. The state case itself is but one element in a very complicated story[1], one of whose key elements is that the federal affidavit in question was supposed to be confidential, sealed by order of a federal court in 2006. With a series of twists that are interesting to read, but difficult to summarize, the affidavit in question was later filed by a law firm in a civil case against its former client, the subject of the search warrant (I told you it was complicated).

The state court found that this affidavit, even though sealed by order of a federal court, was a “public record”. As it turns out, the affidavit was erroneously attached to a publicly accessible section of the federal court’s docket, which was in the online docketing system. That meant that the affidavit was “left unsealed on that docket for years”. The state court determined that this made the federal affidavit a “public record”.

The lesson? Just because a document should be confidential, or even a trade secret, doesn’t mean that it cannot be used in your competitive intelligence analysis if, and I stress if, it has been made “public” in some way, even accidentally. Therein also lies a warning – to keep information and data confidential is an ongoing task where even one misstep can destroy the legal protections against its disclosure or use.

[1] For more details on the case, see Gina Passarella, “Pepper Hamilton Can’t Be Sued for Using Public Documents”, The Legal Intelligencer, January 6, 2015.


Information security

August 12, 2014


One of the biggest problems for those of us who are sensitive to the power of competitive intelligence is realizing how much competitively sensitive information from your business is potentially available to your competitors. One of the most interesting things about this is the fact that major problems in this area come most often from two sources:

  • Senior members of your business that know more competitively sensitive information than others do, but are not sensitive to that. In other words, the higher they are, the more they may inadvertently release.
  • You.

You? Yes. Let me give you a couple of quotes which I find relevant (and amusing):

  • From a retired US military officer, just this past weekend, talking to a news reporter about current international developments (I paraphrase) “I’ve talked to many of my friends in the military intelligence establishment, and they are telling me….”
  • From the fictional British barrister Rumpole of the Bailey: “Lawyers and priests deal largely in secrets, being privy to matters which are not meant for the public view. I don’t know how it is in the religious life… but barristers are mostly indiscreet. Go into Pommeroy’s Wine bar [a lawyers’ hangout] any evening when the Chateau Fleet Street [a cheap wine] is flowing and you may quickly discover who’s getting a divorce or being libelled (sic), which judge got which lady pupil in the club, or which Member of Parliament relaxes in female apparel.”[1]

What they should tell us is that as we become privy to sensitive information, we have a tendency to share it. Unfortunately, we may also lose perspective on with whom we share it, talking with friends, relatives and those with whom we do business, in and out of the company. And then they share it….

Let me give you a short example of what I mean (company name deleted to protect the…speaker):

At an annual meeting of SCIP (then the Society of Competitive Intelligence Professionals, now Strategic and Competitive Intelligence Professionals), the CEO of a large consumer products company addressed a special session of about 150 SCIP members. He was accompanied on stage by his CI team leader.

In his remarks, he described how the company was going to reorganize, with particular emphasis on how that reorganization would eventually impact the CI team as well as all of its various major product lines.

Sitting in front of me were 2 employees from a key competitor, looking shocked. When they recovered, after asking me “Does he know where he is?”[2], they began taking notes with a vengeance.

At the same time, the CI team leader tried to vanish into the chair. You see, the team leader was unaware of the details of the CEO’s remarks – not to mention the fascinating, detailed overheads which accompanied them. The commitment of the CEO was that his speech could be video recorded and made available to all SCIP members, featuring, of course, the great overheads. It was. The team leader, following the speech, tried desperately to keep that distribution from happening. All the leader was able to do was get a 3-month delay, thus delaying, but not defeating, my friends in the row ahead of me.

So, in terms of CI security, keep in mind what the cartoon sage of the 60s and 70s, Pogo, said: “We have met the enemy and he is us.”[3]

[1] John Mortimer, “Rumpole and the Official Secret”, in The Second Rumpole Omnibus, 1987, p. 513.

[2] He most certainly was warned. The head of CI at another competitor, presiding over the session, introduced the speaker, noting slyly that he was certainly “very, very familiar” with the speaker.

[3] Walt Kelly, “Pogo”, 1970,