
One of my company's internally developed algorithms was published online. It's a complex algorithm that took years to develop. I have a pretty good idea of which employee leaked it, based on the team who worked on it and personal information on the blog, but I want confirmation. The algorithm is covered in detail but without any code from our codebase, so my employee might have thought it was okay to share this information publicly when it is absolutely not.

What steps should I take to confirm this employee's identity, and make sure this issue doesn't happen again with our engineers?

Related legal questions have been asked over at Law SE.

David K
tgreg9
  • @tgreg9 You are right that your management question is on topic. I would just cut the questions asking for how to handle the IP from a legal perspective and maybe ask those specific parts at [law.se]. – David K Nov 08 '18 at 21:51
  • "so my employee might have thought it was okay to share this information publicly when it is absolutely not." Sounds like I already know the answer to this, but does your company have any policies on the topic, or have they made any broadly targeted communications about what you guys consider "trade secrets"? Sounds like you're not all on the same page regarding the topic. (And of course, the answer to that would impact what you should do about this, so I'd suggest adding those details to the question.) – HopelessN00b Nov 09 '18 at 16:48
  • Given that the legal-related parts have been edited out, almost all of the current answers seem to need serious editing to address the question in its current form... – V2Blast Nov 10 '18 at 07:21
  • What is your role in regards to this employee? Are you his direct manager? Are you in HR / in the legal department / CTO / CEO / etc.? – Radu Murzea Nov 10 '18 at 10:08
  • @V2Blast legal advice is still needed to establish what you can do to prevent it in future - if you don't have legal ownership of the underlying concept in some form (copyright, patent, trade secret, actionable NDA) then there's nothing you can do to prevent future disclosure, so my answer stands just as well for the current form of the question. –  Nov 10 '18 at 21:09
  • Why not do what everybody else does? Make an educated guess at who the culprit was, fire him, and let everyone know why. I'm kidding -- sort of. Truth is, this sort of thing happens all the time. – Jennifer Nov 11 '18 at 18:39
  • It's not this one by any chance, is it? :)) - https://security.stackexchange.com/questions/25585/is-my-developers-home-brew-password-security-right-or-wrong-and-why – Andrejs Nov 11 '18 at 19:17
  • If you want to make sure this does not happen again, fire the employee immediately with no notice, ask him to delete the blog, and issue a warning that if that damages the company he will be prosecuted by legal action. Damn, someone pays those guys to work, and creators of companies have invested hard work in building them, only to be destroyed in such a way. – albanx Nov 11 '18 at 23:58

7 Answers

The other answers highlighting your need for legal advice right now are correct, but for reasons other than they give.

As the employee disclosed no code, copyright is not a concern here - in pretty much all jurisdictions, you cannot copyright an algorithm.

Patents are an approach, but again have different issues in different jurisdictions - some jurisdictions are "first to file" and some are "first to discover", so you may not have any retroactive cover from any patent applied for today, even assuming the algorithm is patentable.

What you can attempt to pursue is protection for your algorithm under trade secrets laws if they exist in your jurisdiction, which can apply protection and civil and (often) criminal penalties for unauthorised disclosure, even when no copyright or patent is violated.

Also check your employment contract for any non-disclosure agreement, which would certainly apply in this case. Seek legal advice as to how enforceable it is in your jurisdiction and in this specific case.

Once it's been established what right of control you have over the algorithm's disclosure, I would suggest you have a full team meeting with everyone who has access to the code base, in which you discuss what happened, why it is inappropriate to disclose such things (they can be extremely detrimental to the company's operation and to their continued employment), and also highlight the potential civil or criminal liabilities such actions can result in.

If the specific employee in question does not come forward after the team meeting, there is little you can do without proof of identity - you can of course hire an investigator to see if they can uncover proof, but then all of this really comes down to what course of action are you intending to take if you do discover their identity.

A slap on the wrist and a "that was really damaging to the company, please don't do it again"? - well, the team meeting will have covered that.

Firing the employee? Intent on taking legal action against the employee? - depends on how badly you want retribution.

What steps should I take to confirm this employee's identity, and make sure this issue doesn't happen again with our engineers?

First, since you are reasonably confident which employee it was, I suggest pulling them aside and talking to them. Time is important here, so I wouldn't waste too much time trying to make 100% sure you have the right person.

John, this is your blog, right? I need you to take this post down immediately. This is proprietary company information and cannot be leaked to the public.

Depending on how you want to handle this, you might discuss consequences for the employee, but the biggest thing is just getting them to take it down as soon as possible.

Once you've taken care of the immediate damage, I'd say it's worth having a company meeting or sending out a company-wide email (depends on your style and size of your company). Don't name names or mention the specific incident, but explain that all company algorithms and information are proprietary and should not be shared or published without prior approval. This shouldn't be new information for them, but it sounds like it needs to be reiterated.

As for damage control for the information that has already leaked, I don't have a good answer, but I recommend talking to a professional who specializes in intellectual property.

David K
  • "I wouldn't waste too much time trying to make 100% sure you have the right person" - I wonder that, if you get the wrong person, you will have not only a blabbermouth or loose-minded employee on one side, but now also a very angry one on the other. – Captain Emacs Nov 09 '18 at 01:06
  • @CaptainEmacs I'm not saying that you continue to accuse someone if they say you have the wrong person, but I see no reason to wait to approach someone when you are 90% sure who it is. That's why you start by asking, "This is your blog, right?" If they say no, then you ask if they know whose it is and can even explain why you need to know. – David K Nov 09 '18 at 02:21
  • @CaptainEmacs It depends on your approach, but unless you go down the "we know it was you, confess now!" route then the employee should be equally pissed off with the person who leaked it, and understand why you're upset. – Graham Nov 09 '18 at 08:52
  • @DavidK and Graham, point made. – Captain Emacs Nov 09 '18 at 11:36
  • One possible reason this is a risky approach: if you can't prove it was this employee, and the employee knows you can't prove it, then at any point in the future, if you let this employee go, he/she may choose to pursue a wrongful dismissal case against you, as it would be quite easy for the employee to argue that he/she was dismissed because of the alleged algorithm leak. – user1751825 Nov 10 '18 at 13:45
  • Unless it can be proven, I wouldn't disclose anything to the employee. If the issue is serious enough, I would find another excuse, and let them go. – user1751825 Nov 10 '18 at 13:48

Step 1 - Get an intellectual property law firm hired. Not a lawyer, a LAW FIRM!

Step 2 - Listen to them!

At the very least, you should file for a copyright AND a patent on it ASAP (copyright will probably get turned down, but patent will probably not).

Then have that law firm send a takedown notice to the blog's registered agent(s).

This will cost $, but if your algorithm is valuable, this is what to do.

Wesley Long
  • "patent will probably not" - as a gonna-be patent attorney, that statement is borderline. I feel the need to at least add: act fast, whatever chances there still are for getting a patent (depends), there are time limits! – DonQuiKong Nov 09 '18 at 09:28
  • "File for copyright". Copyright is automatically granted on any created work? Who do you "file" a copyright with...? – Martin Bean Nov 09 '18 at 10:12
  • @MartinBean the United States Copyright Office, obviously ;) https://en.wikipedia.org/wiki/Copyright_registration – DonQuiKong Nov 09 '18 at 11:16
  • @DonQuiKong - If you're more knowledgeable, please feel free to correct my answer. What I know is from 12 years ago and it's second-hand from the attorney my client hired, whom I was working with. I'll not feel slighted at all if you know more than I. – Wesley Long Nov 09 '18 at 16:48
  • Depending on the country, it may be too late for the patent. Some countries require a patent be filed before public disclosure, whereas, as DonQuiKong says, other countries have some timeframe (1 year for the US). – user71659 Nov 09 '18 at 17:03
  • It is not legally possible to copyright an algorithm. That recommendation does not make any sense. – Dietrich Epp Nov 09 '18 at 17:57
  • @WesleyLong you can file for a patent pretty much everywhere if the publication was made in bad faith (the exact regulations vary, but if the employee wasn't allowed to publish that, that should be enough). However, as there is some discussion as to how much the employee knew and if they really were not allowed to do that ... the US grace period should also apply because ultimately the publication originated with the inventors, but both are complicated matters and should be evaluated in detail, too much for an answer here. So what I'm getting at: both ways have a strict time limit. – DonQuiKong Nov 09 '18 at 23:14
  • @MartinBean Yes, copyright protection is automatic, but you may still need to prove that you are the one who created the work if you do not want to publish it but keep it closed source. If it is not registered somehow, who should trust that it was your original work? – mathreadler Nov 10 '18 at 13:01
  • @WesleyLong - The patent won't be approved if the blog existed before the patent was issued. In fact, the author of the blog would have a better chance to get the patent issued to themselves and file a claim against their employer at this point. The company would then have to invalidate the patent, by proving they had worked on the algorithm before the blog was submitted, and that it was issued in bad faith due to trade secrets being stolen (although there are no actual protections against this). – Donald Nov 10 '18 at 13:59
  • @Ramhound that entirely depends on the jurisdiction - first to file, or first to discover. In many jurisdictions it doesn't matter if there has been a prior public disclosure ("prior art") if the filer can prove their discovery predates that disclosure, and indeed that that disclosure was based on the filer's discovery and not independent. –  Nov 11 '18 at 00:49

It's possible that the employee did nothing wrong.

IANAL, but my understanding is that the actual implementation is intellectual property and belongs to the company, but the generic idea of an algorithm can't be protected. This is the reason why companies like Google and Facebook are extremely strict about not disclosing anything about their algorithms in public. And this also shows in game rules: rules can't be protected, but all names, artwork and fluff can be. That's why you see similar copied games right after somebody publishes a successful one.

What you do to protect yourself in future is contact a lawyer, start obtaining patents, and make all your employees sign an NDA where you explicitly prohibit disclosing any information related to your work.

And because it's possible the employee did nothing wrong, I'd approach the issue very carefully. Contact a lawyer and verify what you can and cannot do to mitigate damage on this incident.

Sopuli

Addendum:

This might sound like a piece of blatant open-source advocacy. I am not in any way condoning what your employee did.

Consider how you can take advantage of what happened. You're taking the disadvantage anyway. Irrespective of what you will do about it, the toothpaste is out of the tube now. Trying to completely get something like that out of circulation tends to leave copies in the hands of those that you least want to have them.

You can still say that you have the best, most tested, professionally best supported implementation on the market NOW. Someone leaking data like that always generates interest in the technology - and people interested in your technology are potential customers. Also, nothing creates an industry standard like a mix of "free" and "competent for-cost" implementations available...

rackandboneman
  • I am going to upvote this answer, due to the fact that the employee does not have enough money to recover any potential damage this might have caused. Additionally, if a patent has not already been issued, the blog containing the information required to implement the algorithm will muddy the waters. Since no code owned by the company was published, there isn't a copyright claim. So basically "being the best", and leveraging that fact, is the best solution in this case. – Donald Nov 10 '18 at 14:04

A perspective from information security: do not do anything without having all your actions reviewed with legal. This includes suggestions from answers such as talking to the employee, checking whether he could be the culprit, etc.

If you start your own investigation you may erase or alter evidence and possibly jeopardize chances to have legally receivable ones.

WoJ

Let's start with the fact that such a situation was allowed to happen, which means your employee had access to the algorithm and then made it public.

In this problem there is a fault, and a manager who allowed this outcome. For an incident that has already happened, nothing remains for you to do except draw conclusions.

In the future, you should take care of reliable security and the security of your software products. To do this, try to use software to prevent attempts to seize someone else's intellectual property. At the very least, begin to restrict employee access to company materials. There are various options, such as using software to monitor the actions of employees; I have heard of SoftActivity. These are preventive measures to avoid further problems.

If the problem has already been resolved, as in your case, you should take care as soon as possible of legal proceedings on this matter. Legal advice from a specialist will help you to find out all the advantages in this matter.