Gaming giant Electronic Arts made headlines recently as the latest victim in a cybersecurity attack. What makes this case interesting is that it appears the hackers did not steal customer information, but instead proprietary source code. Furthermore, they had no intent of ransoming it back to EA, but instead selling it to the highest bidder. As the number of cyberattacks increases, companies must be vigilant about their IP protection strategies. 

Electronic Arts (EA) is a world-leading video game company that is known primarily for providing great entertainment experiences for its customers. One of the keys to its success is that it has some unique intellectual property (IP) for delivering games in a very profitable way, as its customers pay a price for access.

In June 2021, the company suffered a serious security breach when nearly 800 gigabytes of data, including source code for its FIFA 2021 and Frostbite games, was stolen.

This kind of security breach can have a devastating effect on any business, especially if its business model relies heavily on its IP (When news of the security breach was made public, shares of EA fell an estimated 2.4% to a session low of $142.31).

 

The value of your intellectual property may not be well understood

Unfortunately for companies like EA, hackers are increasingly trying to break in and steal their IP, which is known to be their competitive advantage.

EA has a large patent portfolio (over 1000 patents), presumably covering much of what was stolen in the breach. Because of this, it is possible that they can pursue legal action beyond trade secret theft, for patent infringement.

However, most of their patent portfolio was filed in the US only,  which means that the protection afforded by a patent is only enforceable within the United States. Meaning that everything that is disclosed within these patent documents can be used or sold outside of the US as it will now be deemed to have been publicly disclosed and is no longer a trade secret.

It is fair to expect that EA knew that it needed to maintain security around its systems and data. The company may have been confident that they had “enough security” to protect their IP but may not have realized how vulnerable they really were to its theft.

It’s possible that EA’s management didn’t realize they were a big enough target that attackers would do almost anything to breach them. In a large organization with a range of valuable assets like source code and specialized tools, it can be difficult to make sure that there is a proper balance of security, based on “people, process and technology”, to manage the risks.

 

The fundamentals of having an IP protection strategy in a connected and competitive world

To protect the core IP value and sensitive data of a technology business like EA, the following steps need to be taken:

1 | Start by doing a proper and thorough inventory of intellectual property, including:
    • Identifying trade secrets such as confidential commercial technologies not covered by patents;
    • Identifying information about commercial technology that is in the process of being patented, which still needs to be treated as confidential before patent applications are filed;
    • Identifying tools that enable the organization to have greater quality, productivity, or cost-benefits over competitors. 
2 | Design and implement processes for ensuring that the confidentiality of each IP asset is properly protected appropriately during its entire lifecycle, including:
    • Implementing an internal invention disclosure process tied to the product development process to capture innovative concepts as they are created;
    • Implementing regular invention mining sessions to brainstorm on innovation created;
    • Implementing governance to decide whether to patent or keep each innovation as a trade secret and catalogue as such;
    • Implementing strict use of NDAs and manage NDAs to keep track of expiry dates;
    • Minimizing disclosures to NDAs with short time expiry;
    • Providing access to software on a need-to-know basis only. If possible, split the development environment so a designer only accesses the code they need to do their work;
    • Implementing off-boarding process for departing employees to put them on notice of trade secrets they worked on and company’s ownership, and their obligation to protect their confidentiality;
    • Implementing regular cyber-security systems audits and upgrades to state-of-the-art security technologies and processes, as needed.
3 | Ensure that all staff are appropriately trained on how to protect those assets in their jobs, including:
    • Training executives responsible for creating and protecting IP on proper strategies and their application to the company’s unique situation;
    • Training all staff on the importance of IP to the company, and the basics of protecting IP in terms of using authorized processes, and the potential for data breaches from malicious attacks such as state-sponsored theft of competitive information;
    • Providing IP awareness training so all staff understands the basic rules around IP protection (e.g., public disclosures and patents) to avoid inadvertent loss of IP rights;
    • Fostering a culture of respect for IP through visible support for IP protection initiatives by executive management.

It’s an unfortunate reality that cybersecurity attacks are an ongoing and very real risk for businesses. To maximize company value and protect your intangible assets, you need to have a broad, strategic IP protection program (one that acknowledges and mitigates the risks of both intentional and unintentional IP loss).

This blog post was a collaboration between Stratford Intellectual Property and Click Armor

About Stratford Intellectual Property: Our team of IP strategy experts includes certified patent agents and strategic advisors experienced in every aspect of the IP lifecycle, giving you access to a unique blend of IP and business expertise. We lean in to foster a culture of innovation in your organization and optimize your IP portfolio to reduce risk and increase ROI.

If you have questions about your organization’s IP strategy or want to learn about training options for IP protection, please contact Stratford Intellectual Property.

About Click Armor: Click Armor helps business managers battling cyber and compliance risks by using gamified simulations and challenges to engage end-users to avoid breaches and build a strong security culture.

Click Armor also offers a gamified course in “IP Protection Awareness” that is applicable for all staff, to minimize the likelihood of accidental breaches such as the one that occurred with EA. For more information about this course, please contact Click Armor.