Improper management of client info can result in financial or legal repercussions.
Prior to establishing any business relationship, most companies require signed nondisclosure agreements (NDAs) for all parties involved with the manufacture of their products. But an NDA is not a license to share everything about a customer’s product. OEMs, EMS companies and PCB manufacturers have an obligation to protect their customers’ intellectual property (IP).
I can’t tell you the number of times I have received an email from a customer requesting a PCB quote that has attached to it not only the Gerber file(s) for the board, but also the assembly drawing, the bill of material and the schematic drawing for the entire product.
With the press of a Send button, every detail about that customer’s product is exposed, and the associated protection of IP goes up in smoke. All employees should be educated in how to securely manage customer IP.
How is it that email is often such a gaping hole in what companies think is a secure system?
This “insider” threat is usually a combination of negligence and lack of training. Often, the sales department will flip an entire quote package it received from a customer over to purchasing. Most buyers will in turn send that same package to the vendor base for a quote, letting numerous suppliers sort through the zipped files looking for what they need to quote their portion of an assembly.
Yes, a supplier needs access to some sensitive information to provide an accurate quote or to perform the requirements of the contract, but they should only receive information pertaining to their services.
For example, to receive a PCB quote, sometimes only a PDF drawing is needed. If the board has some technology, then only the Gerber files or electronic data for that board are required for the supplier to provide an accurate quote.
What process does your organization have in place for reviewing files to ensure that vendors are sent only what is needed to generate a quote?
Your quoting team may not have the technical expertise to view electronic files and determine what is needed for a quote, so your company must invest in training so that everyone involved in handling a customer’s sensitive information is on the same page.
The normalization of remote work means no face-to-face supervision and sometimes minimal training for handling IP risks. Employees may face more distractions in their home settings, where accidental disclosures can easily happen. Having a clearly documented and enforced organizational policy in place to prevent these self-inflicted threats is critical.
IP protection does not pertain only to commercial work. What is your corporate process to keep ITAR or MIL data from being sent offshore?
A PCB buyer must know what they are sending and to whom when seeking quotes. ITAR products are sometimes not as clearly identified as they should be. An ITAR print may not say anything about being export-controlled, and a buyer may inadvertently send protected information to an overseas supplier.
Has your PCB supplier let you know what they can or cannot legally receive? Do you have that in writing?
If the PCB manufacturer is purely a domestic facility, this is a non-issue. But you should still be sure you have the manufacturer’s ITAR certification on file.
If the domestic manufacturer also brokers PCBs from Asia, ensure you have a copy of its ITAR certification, and then find out how it segregates quotes that are permitted to be sent offshore from those that must stay domestic.
If your supplier is a pure broker, there is a real possibility of files accidentally being sent overseas. It is vital to have an agreement in writing with all involved parties that breaks down how sensitive files are to be sent and received.
Along with the PCB customer, the board supplier is also responsible for ensuring sensitive information and files that are supposed to stay domestic do not end up in the wrong hands.
If, for instance, files are sent from a customer where there is no mention of domestic-only manufacture, but the fab drawing references a noncommercial spec or the drawing is stamped as a controlled item, the supplier must ask questions. Or when a customer says something like, “I am sending you files, but this can’t be made in China,” the PCB supplier should ask, “Is this a MIL/ITAR order?” or “This can’t be made outside the US, correct?”
Whatever answers a board supplier gets to those questions must also be in writing.
Companies associated with the electronics manufacturing industry need to look carefully at everything sent by their employees and others associated with them. Failing to do so could result in significant legal and financial consequences, along with a loss of credibility in the PCB industry.
has more than 25 years’ experience selling PCBs directly for various fabricators and as founder of a leading distributor. He is cofounder of Better Board Buying (boardbuying.com);