When should you call the FBI?
Companies that choose not to implement an OPSEC program face a strong likelihood of substantial losses from competitive intelligence, theft, and economic espionage.
The mindset of companies that wish to avoid this issue is such that it greatly reduces the likelihood that they will ever be aware that they have been ripped off. They will lose market share, find it harder to compete against those who are using their R&D cost-free, and even close divisions or go out of business without knowing the cause. It generally requires something roughly equivalent to being repeatedly hit over the head with a baseball bat before the cause of their losses intrudes on their consciousness.
However, in some small number of cases the problem becomes so egregious that they may at some point realize that they are being ripped off. What do you do if you find yourself in this position? The traditional approach is to try to put together a group, either internally or through use of consultants, to figure out what has gone wrong and how to address the problem.
Our repeated experience indicates that this approach is not fruitful, and that the first action should be to call the FBI. For most large organizations, the likelihood is that the Director of Security is a former FBI Special Agent, a former Secret Service Agent, or a former high-level member of a major police department, so that the ability to directly contact the FBI is already in place.
The FBI is very good at what they do, and will be able to manage the job of finding, tracking, and shepherding the process of catching the bad guys and bringing the case to the federal prosecutor. They have resources and skills not available within the private sector, and substantial expertise in this area. Plus, they have the authority of the law behind them. As one Secret Service agent noted when they took over a case from us, “when the Secret Service knocks on your door it makes a greater impression than when LUBRINCO knocks on your door.” Putting all of these factors together, the FBI represents your best bet in terms of getting this particular instance of criminal activity to stop.
Keep in mind, however, that prosecution is not as cost effective as preventing the problem, in part because your failure to take preventive measures reduces the options available. As an example, if you have ignored SEC mandates and failed to implement an OPSEC program (or some equivalent, if there is such a thing) you have arguably abandoned the trade secret status of your information, which closes off several otherwise-promising avenues. Plus, you lose control of the process once you turn it over to the FBI, and their goals are not necessarily your goals. And, as with most events that end in court, it is likely that you are going to come away from the experience less whole than you would like. For example, it is not unlikely that whatever happens in court will appear, from your perspective, to be merely a token slap on the wrist. This being the case, as the criminal prosecution goes forward your company will simultaneously need to be preparing a civil suit to attempt to get restitution once there is a criminal conviction in place.
While this particular instance of theft can be made to stop, unless you learn from the experience and institute an OPSEC program you will continue to be vulnerable. Indeed, experience indicates that if one instance has been discovered, there are likely one or two other attacks from other adversaries going on at the same time. After all, there is more than one lion in the jungle of international commerce, and many of them are likely to have been aware of your corporate indifference to protecting your intellectual property and sensitive information, and to have been willing to take advantage of this.