Many companies think of Personally Identifiable and Personal Health Information (PII & PHI) as the core types of data to identify and protect with a DLP (Data Loss Prevention) solution.  This is prudent since many regulations require that firms properly control that data.

A growing number of companies are recognizing the need to protect and control intellectual property (IP).  DLP solutions must be able to accurately identify and protect both PII and IP from the "insider threat" - misuse by employees.

Earlier this week, a news story broke concerning the theft of intellectual property in the form of proprietary computer code from one of the most prestigious firms on Wall Street.

The firm involved in the incident did a good job detecting that their IP was leaked. An even better outcome would have been to prevent the loss from occurring in the first place. Many companies don't take the steps necessary to protect their IP. Why? Perhaps there are two explanations.

1. It is hard!  What I mean is that it's difficult to do this accurately. Contextual detection of IP is important since it is rarely represented in a common format (like, say, credit card numbers). DLP must also be able to identify protected data such as encrypted files or transports.  Doing this while understanding the context of the activity helps to determine whether or not something suspicious is occurring. 
   
2. Certain individuals must be allowed to use and transmit IP.  For these employees, DLP must be able to account for their identity. Then, DLP can take alternative action when these individuals are involved (perhaps alerting a supervisor or issuing a warning, versus blocking the activity).

The question this incident raises is what types of control policies should be placed around IP?  And, what kind of solutions, complementary to DLP (like access control), are required to address the problem more completely?  Clearly controls for IP require as much attention as do those for PII.