Learn. Do. Apply. Comply. Succeed!

 

Confidentiality Risk with MBA Internships at Small For-Profits

by | May 22, 2025 | Legal and Regulatory | 0 comments

Case Study Confidentiality Risk

Case Study

Small businesses are usually cash-constrained. They look for creative ways to obtain skilled workers; some use interns as a no-cost or low-cost option. These businesses must understand the confidentiality and other risks of using interns and take proactive steps to ensure that interns don’t impair confidentiality and IP.

Background

A combined federal and state agency program places MBA interns at small for-profit businesses funded by SBIR (Small Business Innovation Research) and STTR (Small Business Technology Transfer) grants. These businesses operate in highly competitive and IP-sensitive environments, developing innovative products and technologies. The interns, all MBA students, receive stipends from their universities, not the host companies, which reduces business labor costs. The agency facilitates intern placements and receives $2,000 per intern, incentivizing high placement rates.

Interns sign agreements with the agency, not the host companies, and must share information about their work via emails, reports, and discussions with the agency and other interns. At a Biotech Center social event, interns publicly discussed sensitive company information, including board meeting details, product development challenges, and HR issues. A consultant who advised several of the companies discussed reached out to the CEOs of these companies to inform them of the confidentiality breaches. These events raise significant concerns about confidentiality breaches and IP risks, threatening the businesses’ competitive advantage and trust in the program.

Key Issues

  1. Lack of Direct Agreements with Host Companies: Interns’ agreements are with the agency, not the businesses, creating ambiguity around confidentiality and IP ownership obligations.
  2. Inappropriate Sharing of Sensitive Information: Interns share confidential details (e.g., board discussions, product issues, HR matters) with the agency and peers, risking proprietary data leaks.
  3. Public Disclosure at Social Events: Casual discussions at a Biotech Center event exposed sensitive company information, increasing the risk of competitive harm.
  4. IP Vulnerability in SBIR/STTR-Funded Businesses: Small businesses reliant on SBIR/STTR funds operate in IP-intensive fields like biotech, where leaks can undermine funding, partnerships, or market position.
  5. Agency’s Role and Incentives: The agency’s $2,000-per-intern fee may prioritize placement volume over ensuring robust confidentiality protocols, exacerbating risks.

Analysis

Confidentiality Breaches and IP Risks

The absence of direct confidentiality agreements between interns and host companies creates a critical gap. Small businesses, especially in biotech, rely on proprietary IP, patents, trade secrets, and development strategies to secure SBIR/STTR funding and compete. Interns’ mandated sharing with the agency and peers, combined with casual disclosures at social events, risks exposing trade secrets (e.g., product formulations) or strategic plans (e.g., board decisions). For example, a competitor overhearing product development challenges could exploit this knowledge to accelerate their R&D or undermine the company’s funding prospects.

Under U.S. law, trade secrets lose protection if not adequately safeguarded. As of 2025, most states have adopted the USTA (Uniform Trade Secrets Act), which requires “reasonable measures” to maintain secrecy. Without clear agreements and training, the businesses risk losing IP protections and facing financial losses.

Agency’s Role and Misaligned Incentives

The agency’s $2,000-per-intern fee creates a potential conflict of interest, prioritizing placement numbers over rigorous oversight. The requirement for interns to share work details with the agency and peers, likely intended to foster collaboration and program evaluation, lacks clear boundaries on what can be shared. This structure fails to account for the sensitive nature of biotech businesses’ operations, where even minor leaks can have outsized impacts.

Intern Behavior and Lack of Training

While skilled, MBA interns may lack experience handling sensitive business information. Their discussions at the Biotech Center event suggest inadequate confidentiality and professional conduct training. Publicly sharing board meeting details or HR issues violates basic governance principles and erodes trust. This behavior may stem from unclear expectations in the agency’s agreements or a lack of awareness about IP and confidentiality obligations.

Impact on Host Companies

For small businesses, the consequences of these breaches are severe:

  • Competitive Harm: Competitors gaining access to product development or strategic insights could outmaneuver the company in the market.
  • Funding Risks: SBIR/STTR grants often require proof of IP protection. Leaks could jeopardize future funding.
  • Reputational Damage: Public disclosure of internal issues (e.g., HR conflicts) could deter investors or partners.
  • Legal Costs: Recovering from IP theft or pursuing litigation is costly for resource-constrained small businesses.

Recommendations

To address these issues, the agency, host companies, and universities must collaborate to strengthen confidentiality protocols and align incentives with the needs of SBIR/STTR-funded businesses.

Require Direct Confidentiality and IP Agreements

Host companies must mandate that interns sign non-disclosure agreements (NDAs) and IP assignment contracts directly with them, in addition to agency agreements. These should:

  • Define confidential information (e.g., board discussions, product data, HR matters).
  • Assign all work-related IP to the company.
  • Prohibit sharing sensitive information with third parties, including the agency or other interns, without explicit permission.

Action Step: Develop a standardized NDA template for host companies, review it with legal counsel, and require interns to sign it before starting. Include clauses prohibiting public discussions of company matters.

Restrict Information Sharing with the Agency

The agency’s requirement for interns to share work details must be limited to non-sensitive, high-level summaries (e.g., project milestones, skills learned). Sensitive data, such as product specifications or board decisions, should be explicitly excluded.

Action Step: Revise agency agreements to include clear guidelines on permissible information sharing. Require the host company’s approval for any reports shared with the agency or peers.

Implement Mandatory Training

Interns need training on confidentiality, IP, and professional conduct. Training should cover:

  • Definitions of trade secrets, proprietary data, and confidential information.
  • Risks of public disclosures, including at social events.
  • Consequences of breaches (e.g., legal liability, program termination).

Action Step: Partner with universities to deliver a 1-hour onboarding session for interns, using real-world examples of IP risks in biotech. Reinforce training with a signed acknowledgment of responsibilities.

Enhance Agency Oversight and Accountability

The agency must prioritize confidentiality over placement volume. Confidentiality focus includes:

  • Auditing intern communications to ensure compliance with confidentiality rules.
  • Establishing a reporting mechanism for companies to flag breaches.
  • Reducing reliance on the $2,000 fee structure to avoid incentivizing lax oversight.

Action Step: Create a joint oversight committee with representatives from the agency, host companies, and universities to review program policies and address breaches promptly.

Limit Intern Access to Sensitive Information

Host companies should restrict interns’ exposure to sensitive areas like board meetings or proprietary R&D data. Assign interns to specific projects with clear boundaries and monitor access to digital systems.

Action Step: Use role-based access controls for company systems and brief interns only on project-relevant information. Exclude them from high-level strategic discussions unless essential.

Monitor and Respond to Breaches

Companies and the agency should establish a protocol for addressing breaches, such as those observed at the Biotech Center event. The protocol must include:

  • Investigating the scope of disclosed information.
  • Notifying affected companies and assessing competitive risks.
  • Disciplining interns (e.g., termination from the program) and retraining others.

Action Step: Appoint a confidentiality officer at each host company to monitor intern behavior and report issues to the agency. Conduct a post-event audit to identify shared information and mitigate damage.

Conclusion

This MBA internship program offers significant value to SBIR/STTR-funded small businesses by providing cost-effective talent and fresh perspectives. However, lacking direct NDAs, clear sharing boundaries, and robust training, the current structure creates unacceptable confidentiality and IP protection risks. By implementing direct agreements, restricting information sharing, training interns, and enhancing oversight, stakeholders can preserve the program’s benefits while safeguarding the businesses’ competitive edge. Small businesses, the agency, and universities must act swiftly to rebuild trust and ensure the program’s long-te

Submit a Comment

Your email address will not be published. Required fields are marked *

Verified by ExactMetrics