There have been a number of good insights shared about the value of data and the risks of cyberattack by hackers that address the value of the loss of access to data and the impact of this on the business. The risk to a company lacking access to its data is significant, and there is much to know and learn about steps to take to protect data from unauthorized access. There is, however, another risk that companies may face from unauthorized access to their data beyond the loss of access.
A company’s data is not only valuable to the company for use in its own operations, but in some circumstances, the data may be valuable to the company’s competitors. Unauthorized access to company data can both damage the company whose data is accessed and benefit the competitor who obtains unauthorized access to the data. If a competitor (international or domestic) obtains unauthorized access to a company’s confidential information and/or trade secrets (e.g., customer lists, pricing data, strategic plans, product designs, formulas, software, etc.) there is risk of the company suffering economic losses as well as the competitor obtaining ill-gotten gains. The means of the competitor’s unauthorized access to the data (e.g., hackers, former employees, etc.) may vary, but the types of economic losses and illegal gains at risk are the same.
Let’s take a look at how unauthorized access to data may result in potential economic losses and dishonest gains. Common types of economic losses a company or data owner may face if a competitor obtains access to confidential data and trade secrets include lost profits, price erosion, and loss or impairment of value of the data or trade secret. In the example below, we’ll call the owner of the data or trade secrets “Owner, Inc.” and the competitor that obtained unauthorized access “Taker Corporation.”
Owner, Inc. could lose profits if Taker Corporation obtains access to information that enables it to divert Owner Inc.’s customers. Examples of such information include strategic or business plans that provide insight to planned new product offerings, confidential product costing and pricing information, and designs or formulas for new product. Information at risk could also include software offered by Owner, Inc. that Taker Corporation incorporates in all or in part of it in its own competing software product.
Price erosion could occur if Taker Corporation gains such an advantage that it is able to undercut Owner, Inc.’s prices and, consequently, Owner, Inc.’s losses include not only lost sales, but also reduced sales revenue and profits on the products and services actually sold because of required matching price reductions. Finally, the value of the data or trade secret can be completely lost if it is released into the public domain and there is no ability to control its use.
If Taker Corporation obtains unauthorized access to data or trade secrets, there are a number of potential ill-gotten gains, including diverted profits, avoided development costs and other cost savings. The first type of gain may be obvious. If Owner, Inc. stands to lose profits from the loss of a customer, Taker Corporation, by diverting that customer, stands to gain improper profits that it otherwise would not obtain.
Avoided development costs can include Taker Corporation’s significant savings in research and development costs because it obtained information that it would otherwise have to develop independently over time. Not only has Taker saved research and development costs, it also may have accelerated product development and, therefore, accelerated and increased its sales and profits sooner than it otherwise might have.
Finally, Taker Corporation may obtain savings in product cost production. In a previous case I was involved with, the trade secret owner did not lose sales and the competitor did not divert sales from the trade secret owner. However, the competitor saved tens of millions of U.S. dollars from improvements to its production processes that were alleged to be based on the stolen trade secrets.
If you suspect that a competitor has obtained unauthorized access to confidential data or trade secrets, how do you calculate owner losses or estimate competitor gains? There are many factors to consider that are beyond the scope of this article, but some factors to consider include the following:
There are many other factors to consider depending on the circumstances of the particular situation, but the above questions are a good place to start when it is believed that there has been unauthorized access to data. Depending on the legal jurisdiction of the country, state, province, etc., there may be multiple legal remedies available to stop the unauthorized access and obtain monetary remedies to compensate for any losses or ill-gotten gains. In these situations, appropriate legal counsel, and possibly financial professionals, may be needed to assist in the quantification and recovery of any monetary remedies.
Industrial espionage is not a new phenomenon. If anything, the use of a cyberattack to obtain confidential data is just a variation on an existing theme. However, the economic losses can be damaging to a company and, depending on the circumstances, could even be existential. While the cyber insurance market is continuing to wrestle with some of the issues that occur in first-party business interruption losses following a ransomware attack, its next challenge will be how it addresses the issue of economic losses resulting from a cyber-related intellectual property loss.
For more information on this topic, or to learn how Baker Tilly’s Value Architects™ can help, contact our team.