In a letter dated 5 August 2004 the SEC noted that "the Sarbanes-Oxley Act of 2002 and the Commission's rules promulgated under the Act seek to strengthen pre-existing standards for internal controls, thereby potentially improving the ability of companies to track the costs and impact of economic espionage and theft of intellectual property." The SEC assumed — not unreasonably, albeit incorrectly — that internal controls were in place to identify and value intellectual property and critical information (IPCI), and to protect these from competitive intelligence, economic espionage, theft, and inappropriate disclosure.

The assumption was reasonable because there is a standard control process, OPSEC, developed by the U.S. Government, for the identification, valuation, and protection of information that would give adversaries and competitors an advantage. OPSEC is promulgated on the government side by the Interagency OPSEC Support Staff. The OPSEC Professionals Society" is the independent professional society that provides certification of OPSEC Associate Professionals (OAP) and OPSEC Certified Professionals (OCP)

However, the assumption was also incorrect, because most senior managers do not think of IPCI as something that needs to be protected. After all, the PCAOB says that intellectual property developed in-house "has no book value," which many equate to having no economic value. In addition, the majority of organizations have not yet funded a senior executive with detailed knowledge of the company's business functions, as well as Sarbanes-Oxley audit responsibility, to bring qualified OPSEC professionals to oversee an OPSEC program to identify information as needing to be protected from competitive intelligence, economic espionage, inappropriate disclosure, and theft, the four primary sources of loss of critical information. Without an OPSEC program you are unlikely to be capable of being compliant.

1. You will have to deal with the consequences of being in non-compliance with Sarbanes-Oxley, which can involve both civil and criminal exposure.

2. If the theft ends up being prosecuted under the Economic Espionage Act of 1996, a compelling case can be made that by not having an OPSEC program to identify, value, and protect information from competitive intelligence, economic espionage, and theft, you failed to take the required "reasonable measures to keep such information secret." This means that you have, either through negligence or deliberate indifference, abandoned the trade secret status of the stolen information, which was therefore no longer considerte to be a trade secret as defined under both the Economic Espionage Act of 1996 and the Uniform Trade Secrets Act.

3. You face the increased possibility of a shareholder negligent action lawsuit because you knew, or should have known, based upon annual domestic losses of $300 billion, there was a high-probability threat that you should have addressed. Additionally there is exposure because you both abandoned the trade secret status of your information under the Economic Espionage Act AND you were non-compliant with Sarbanes-Oxley, both of which were at least partly designed to force you to protect the firm's shareholders from just this type of loss. Since ignoring Sarbanes-Oxley requirements indicates negligence or deliberate indifference, there is an increasing probability that your liability will not be covered by your Directors and Officers Insurance because you did not exercise due care. It becomes personal liability.

Using experienced and skilled OPSEC professionals, we help you to accurately identify, value, and protect all critical information, trade secret or not, that might give competitors and adversaries an advantage, if known. We use OPSEC to help you identify competitors and adversarieswho may have an interest in and who might try to obtain such critical information. We use OPSEC to help you better insure this information doesn't get the hands of your competitors and adversaries.

To be effective, and because of government liability requirements, OPSEC needs to be authorized and overseen by a senior executive that has detailed knowledge of the company's business functions. It is often, therefore, appropriately handled through a team reporting to the CFO.

LUBRINCO offers the specialized training and consulting that firms need to understand, develop, implement, and maintain a successful program to protect your organization from competitive intelligence, economic espionage, and theft; comply more fully with Sarbanes-Oxley requirements; and demonstrate "due care and a reasonable effort to protect trade secrets."

An OPSEC program can do more than just make your firm Sarbanes-Oxley compliant and and reduce the personal liability related to not having implemented an OPSEC program.

• Most obviously, if you are responsible for the sale of a company, and the benefits to the purchaser greatly outstrip the sale price because you had not adequately identified and valued the intellectual property, shareholders are increasingly likely to take you to task.
• It also allows you to eliminate or reduce your company's share of the estimated $300 billion that is lost every year to competitive intelligence, economic espionage, and theft. How much might this add to your bottom line? If you posited that losses were evenly divided among the Fortune 1000 companies, it could add as much as $300 million per year. But even if it were only $75 million a year added to the bottom line each year it would be a significant contribution to your bottom line.
• By fully identifying your actual assets and their value, you become equipped to then exploit them to their fullest, maximizing their contribution to your bottom line. As an example, a nmber of sources estimate that it costs roughly $80,000 to protect a patent over its lifetime. An OPSEC program is likely to reveal that some patents no longer maintain real value. This puts your firm in a much better position of choosing exactly how to deal with costs related to intellectual property that has lost its value.
• By the same token, sometimes the value of an intellectual property lies not in the revenue stream it produces, but rather in its strategic value. However, without first properly identifying the asset and its potential value, a significant portion of the value can readily be forfited. Until the value is recognized it cannot be exploited to your firm's benefit.

For information on a variety of aspects of Sarbanes-Oxley, we suggest you look at the Sarbanes-Oxley Act Forum