HR Should Get a Clue Corporate Spying is Real

Have you ever wondered where all the Cold War spies went once the IronCurtain fell? Look no further than your own doorstep, because many spies are nowinvolved in corporate espionage. Adam Penenberg is the co-author of Spooked:Espionage in Corporate America (Perseus, 2000). We talked to him about the rolethat HR should play in keeping corporate secrets secret.

Corporate espionage is a relatively recent phenomenon, isn’t it?

Corporate espionage has been around forever. Now it’s just beenprofessionalized. In 1811 Francis Cabot Lowell traveled to England and rippedoff the plans for the Cartwright loom, which he memorized while touring afactory. With it, Lowell brought home the blueprints for America’s industrialrevolution.

 

What’s a more recent story of corporate espionage?

One of my favorite corporate spy stories occurred to my co-author, MarcBarry, who is a corporate spy. He was in a room in Silicon Valley meeting withthe inventor of a hot new technology, and there were five other “seedcapital investors” in the room asking questions about the technology andthe specs and everything else. And everyone in the room, Marc knew, was acorporate spy. They were all winking at each other.

 

How did a nice guy like you get started in corporate espionage?

I think that the espionage interest comes out of the hacking stories I didfor Forbes magazine and Forbes.com. I got into the idea of software piracy,music piracy on the Net, the special communities that have formed in cyberspacelike gangs, software gangs, and music-piracy gangs. They had a whole peckingorder. It was unbelievable. I became fascinated by hackers and the idea of theconcept of hacking being everywhere and no one being really aware of it. Thatkind of led me to corporate espionage — another area where it’s happening allthe time, yet people aren’t really aware of it.

 

What is the shortest speech you’d give to an HR person who doesn’t believethis is a problem for her company?

Well, a person or a company that takes that attitude I would call a victim.Odds are, if they have something worth stealing — whether it’s sales information, ormarketing information, or their budget, or new technologies — if they don’tthink it’s happening, they’re wrong. It is. Competitors may be looking at tryingto hire away whole sections of their company, or looking at their internaldecision making, or looking at their internal network. Just about every 500company is engaging in some sort of CI, or “competitive intelligence.”

 

How is competitive intelligence done?

Much of the time it is straightforward market research, done by professionallibrarian types, who dig up publicly available material like publications,market studies, etc. But sometimes companies hire people who break the law, orat least without breaking the law, work as spies. Many of them were trained bythe CIA and the DIA (Defense Intelligence Agency) and at the FBI. They’re formerthree-letter-agency people who are now working for companies. And what do theydo for companies but take the expertise, the skills, and the knowledge theylearned in their agencies and apply it to the private sector.

 

For example, sayI’m a mid-sized company in a field of very large companies that make sneakers. Ifind out that my competitor is about to do a massive national TV ad campaign fora new line of sneakers. Well, I was also planning on doing a national TV thing,but I realize, oh my god, I will get buried by them. So I’ve got to do adifferent strategy. That information may have prevented me from spending tens ofmillions of dollars on an ad campaign that wouldn’t work.

 

Are there any laws protecting companies from CI?

The Economic Espionage Act was passed by Congress in 1996, making it afederal crime to engage in economic espionage or stealing a trade secret. Atrade secret has to be defined, and you are the only one that can define it, youand your company. Now, for example, the formula for Coca-Cola is a trade secret.The source code for Microsoft is a trade secret. These are things that thecompanies go to great lengths to protect, and they’ve documented these steps,right? The information is only in the hands of a few people, and it can betracked, so that basically, you’ve done everything in your power to protect yourtrade secrets.

 

Doesn’t this solve the problem of corporate espionage?

No. Sales figures are not trade secrets. Factory production is not a tradesecret. The next advertising campaign that you’re going to run or inside scoopsor anything like that, everything, any piece of information like that, is not atrade secret. You have to define what your trade secrets are. CI involves, let’ssay, the acquisition of information that’s quite valuable to a competitor but isnot a trade secret.

 

Give me an example of how you can legally acquire valuable information abouta company.

Microsoft posts lists of every available job on its Web site. If you aretelling your competitors what jobs you’re looking to fill, that means they canfigure out what areas you’re looking to invest in R&D, and looking into newtechnologies and looking at areas you want to beef up. For example, if you had,all of a sudden, four new marketing jobs open, that could indicate that you’removing toward marketing some new product in a huge way, or you’re moving yourwhole marketing department in-house, perhaps. These are all pieces ofinformation that are valuable to know.

 

Take it a step further so that it’s not exactly illegal, but not exactlyethical, either.

I love this one. If you ever want to find disgruntled ex-employees of acompany who are specifically trained in a technology or skill that you want totarget as a journalist, or as a corporate spy, or as anyone who wants to findout, just type in the word “résumé,” the name of the company you’retargeting, and the technology you’re interested in. You get those three thingstogether in a search engine, and you’ll pull up a lot of résumés of people inthat area. It’s great to debrief them, because they love to dish about thecompany.

 

Can a company be protected from this sort of thing?

When you let people go, even if they are not taking information with themphysically, they are still taking information with them. You need to have youremployees sign non-disclosure agreements; that’s the first piece of advice Iwould give. That puts a legal sanction on them spilling information about thecompany for as long as you can make them do this. That’s how you can prevent alot of these problems. Also let people who work for you know that while you workfor this company, you are not allowed to spill this information over thetelephone. If someone calls you, you should patch this person over to thesecurity division, let’s say. There should be a structure and place for handlingrequests for information.

 

Is HR information that valuable?

Perhaps the information that is contained in the databases of an HRdepartment is not the kind of competitive intelligence that would give a rivalmuch of an advantage, okay? It may not even mean all that much to the peoplewithin the company if this information was breached. This is possible. Thequestion, though, is if you can breach this, then you can get in much deeper inthe company. So you have to be as responsible as the next person in making surethat you are not the hole that leaks the information from the company.

 

So numberone, it isn’t enough to say, “Oh, well, our information isn’t valuableenough to steal.” You still have a responsibility. Number two, I wouldargue that salary structure could be used by a competitor in a reallyinteresting way. I know of someone hired by a competitor to scope out a wholedivision of people at a Wall Street company. It was a major bank. They were ahotshot division that was really making money for the bank. There were about 30brokers or traders. So the spy was able to get a whole list of their names andtheir salaries, and then the competitor tried to hire the whole group away.

 

How is corporate espionage changing?

It’s been around a long time. What’s new about it is that you’re gettingprofessionals involved now. Guy Dubois, who was at the CIA for many, many yearsand now works in the private sector, told me, “Look, in the CIA, agents dowhatever they need to do to get the job done.” He just kind of says to me,”There are no limits to what an agent will do.” Now you have thesesame people who were trained by this organization engaged in competitiveintelligence. Are you telling me that they are not using the skills they learnedin the CIA? I would tell you that you’re crazy.

Workforce, April 2001, pp. 72-75SubscribeNow!