Risky business--sharing knowledge may be dangerous to your corporate health

Have you ever noticed how much simpler it is to find out about publicly traded companies than it is to discover operational data for private companies? As someone who plies his trade measuring the performance and strategies of business rivals, I am presented with distinctly different views of firms engaged in very similar businesses depending on whether they're public or private.

The task of keeping such strategically sensitive information secret from existing or potential competitors is the reason many of the most influential companies in their respective industrial sectors--from SAS Institute to S.C. Johnson--remain privately owned. When the need to IPO to raise capital (and your company's profile) is secondary to the desire to maintain confidentiality of secret or proprietary information--such as inventory turnover, cash flow, gross profitability, annual financial results, changes in business strategy or even patent applications--a firm might choose to forego the risks associated with public reporting. In large part, public reporting is done, in compliance with such regulators as the Securities and Exchange Commission, to protect the investment and shareholder community from "unusual" accounting and business practices.

But do the risks of revealing strategic or tactical business plans to competitors outweigh the benefits of being traded on a public stock exchange? Are other information leaks in modern infrastructures, such as knowledge management systems, just as likely to reveal sensitive, proprietary information. Those systems are designed to make it easier to capture what a firm knows and apply those knowledge assets later.

Traditionally, competitive intelligence has been associated with a sister discipline, known as competitive counter intelligence, which tries to prevent disclosure of key competitive data to rivals. Unfortunately, the practice of counter CI has not been a unified effort. There are myriad contact points, both internal and external, where leaks occur, and the protection of information assets has been disparately charged to various guardians of knowledge. They include: public relations, investor relations, the Web development team, corporate security, intellectual property and licensing, security and user authentication and management functions within information services, customer service, vendors and suppliers, contract employees, and any user on your network who has stuck a password to the side of his or her monitor.

That confusing situation seems to beg the need for a unified security function in today's accelerated knowledge delivery systems; however, centralization of control can be as much a liability as it is an asset.

Consider the case of General Motors' Opel division in Europe: GM discovered its former purchasing czar, who fled to Volkswagen, and his lieutenants had made off with critical purchasing and negotiating information regarding the company's component suppliers. VW's Ferdinand Peich eventually settled the matter out of court with GM/Opel for a whopping $100 million.

I also remember a story a colleague told me about a Fortune 100 electronics company whose northern Europe-based head of corporate security tried to sell the company's European marketing plan. He had stolen it from the company intranet and e-mailed the offer to sell to my colleague. What was he thinking? The answer becomes clearer when we learned he'd just failed a drug test and was on deck for disciplinary action. He had decided to cut his losses and resign--but not before he'd tried to secure a little "knowledge capital" of his own (FYI, the guy's in a Norwegian prison today). The centralized approach clearly failed in this case, even though they caught the man involved.

The legal and ethical implications of soliciting company secrets are significant. In 1996, President Clinton signed into law the Economic Espionage Act, which established the most severe criminal penalties the United States has ever known for acquiring trade secrets or other proprietary information from American companies. While the law has been exercised in a number of recent actions between American companies, its original intent was to protect U.S. firms against foreign attempts to acquire competitor data. It should also be noted that a code of ethics was adopted several years ago by the professional society (SCIP) for business researchers. But laws and guidelines are only as good as the people subject to them. How can corporations be proactive in safeguarding the knowledge enterprise while making knowledge free to be shared?

The fact is that most sensitive information doesn't get leaked by financial reporting to the SEC or by corporate spies hired to infiltrate the company. Publicly traded companies usually compete most fiercely against other publicly traded companies. Consequently, there is no knowledge gap between those rivals in terms of what they know about each other or the marketplace. Competitive intelligence is most influential when the knowledge gap exists and a particular firm is privy to some knowledge its competitors have either failed to uncover, ignored or dismissed as irrelevant. Simply knowing what is available to everyone else is really the minimum a firm must do to stay abreast.

Most of the risk involved with corporate knowledge is inherent in the knowledge workers themselves--the simple fact that some day they will certainly leave the organization and all the knowledge they've created or investment made by the firm in teaching them will be lost. How can a company ensure that this most costly tacit knowledge is captured and can be applied after the knowledge creator has left the firm? And how can the company minimize the chance that the person will leave with company information that can end up in the hands of competitors? Companies have always struggled with how to include transient employees --which includes all of us--in the knowledge work of the firm while protecting the knowledge they've acquired. The solution might lie in the unique mixture of knowledge protection that most firms have developed through their unique experience, rather than as a factor of a best practices or benchmarking analysis.

In the absence of an enforceable non-compete/non-disclosure agreement, nothing stops the ex-employee from taking all he or she can carry in terms of proprietary information. Non-compete and non-disclosure agreements are notoriously troublesome to enforce. In any firm without a legal department or adviser overseeing the signature process, such agreements are usually burdened by unreasonably long terms of duration. That means former employees can sue for and likely win the right to work in an industry in which they've invested their professional careers. Likewise, while the Economic Espionage Act of 1996 provides for punitive retribution as a disincentive to applying dubious information, it does so only when a link can be established to misappropriated information showing up in another organization--like the research scientist who goes to work for a competitor and six months later applies for a patent for technology bearing a striking resemblance to that of his former employer.

While U.S. patent applications are confidential until their assignment usually two to four years later, patent apps in Europe are public documents and available for search and retrieval. That fact alone points up the complexity of the issue of compliance and risk within a unified knowledge enterprise. The process of protecting one's intellectual property might lead a firm seeking global IP protection to reveal much of its strategic business plan to anyone willing to perform a comprehensive search.

Before ethics became a major question in American business, using subterfuge to spy on competitors was less of an issue. My father once described his interview experience for a major furniture manufacturer early in his career in the 1950s. After a quick screening process, he learned that they weren't interviewing for their own salespeople--they were interviewing for candidates who could get hired as salespeople by their competitors. The ultimate goal here was pretty obvious--insertion of a "mole" in the competitor to funnel useful information back to the company. While most such practices are less explicit, if you employ more than about a dozen people, you are certainly at risk of not only external competitive intelligence, but also internal corporate espionage.

In early October, I attended a CI conference at which I chatted corporate heads of competitive technical intelligence--one for a major facilities and building components conglomerate and the other for a large telecom products company. Both women mentioned that anything that goes on the company intranet is 'gone'--already in the hands of the competition--just because it's available to everyone who can get on the intranet. The same can be said of the corporate Web site, they said, where anything and everything labeled as content can find a home as long as it's new and exciting--regardless of whether the corporation wants anyone else to understand certain of those matters.

"So," I asked naively, "how do you make sure sensitive information doesn't get out?" The stereophonic reply was, "Don't let anyone know about it!"

That might be the ultimate answer as we struggle to unify knowledge sources and the authenticity of employees to use them through the deployment of passwords and biometric technology. Has anyone decided that certain morsels of company knowledge shouldn't be shared with anyone? Who decides and based on what criteria? In the end, organizations should comply with laws and policies that require disclosure, but always consider the consequences of sharing sensitive information with others--it could wind up in the wrong hands.