Departing employees and data theft
New techniques shift power back to companies
By Andrew Hoog, Kyle Gaffaney and the viaForensics team
Gone are the days when employees kept rolodexes on their desks. According to the How Much Information? study conducted by the University of California Berkeley, 92% of all new information in 2002 was stored electronically. This percentage appears to increase each year with some informal estimates that 97% of all business documents are now created electronically. While commentators frequently discuss the impact this business shift has on electronic discovery, the implications for departing employee data theft are just as significant but often overlooked.
What is employee data theft?
Electronic documents by their nature are portable, easy to copy and more prone to theft than paper documents by employees. This fact not only applies to the ease with which electronic documents are stolen, but also to the sheer quantity taken. In August 2009, DuPont filed a lawsuit against a research scientist for breach of contract and misappropriation of trade secrets for stealing a large number of files. It was alleged that research scientist, Hong Meng, stole more than 600 files by copying them to a portable hard drive. After a forensic investigation, over 550 of these files were found on Meng’s home computer. This was not the first high profile instance of theft at DuPont; another research scientist was sentenced to an 18 month prison term for stealing proprietary company information valued at $400 million.
Not surprisingly, DuPont is not alone in its woes. Outlined in a 2009 study conducted by the Ponemon Institute, data theft is rampant in the business world. The study found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure. Done without the employer’s permission, this confidential electronic information has the potential to be saved in multiple locations beyond the employer’s control and on devices unknown to the employer.
The reasons an employee takes confidential company information vary from being benign and misguided to intentional for the purposes of personal gain. The Ponemon Institute study found that over 50% of departing employees claimed that one reason they took employer data was their perception that “everyone else did it when they left.” This statistic alone underscores the importance and impact of a policy regarding the company’s confidential data that is well thought out, documented, communicated and enforced.
Other reasons cited in the report include the potential usefulness of the data in the future (53%), the employees’ sense of ownership around what they helped to create (52%); their belief that the company cannot trace the theft back to them (49%) while only 13% state the theft was an accident.
What kinds of confidential data do employees take?
An employee may steal valuable trade secret information as seen at DuPont. However, not every business has these types of trade secrets. The type of information an employee is most likely to steal is the information needed to do his or her specific job, usually information that is readily available to them. To maintain a competitive advantage, the electronic information an employee uses everyday must be protected. Everyday employees have access to a wide variety of electronic information which range from important (email lists and non-financial business information), to confidential (customer information), to private (employee records), through the most sensitive and potentially damaging data: financial records, databases with enormous company history, trade secrets and intellectual property.
When the employee is in IT or security, the access to confidential data is even greater. According to a 2008 study by Cyber-Ark Software, almost 90% of IT employees indicated they would take sensitive company data if they were laid off. The types of data itemized in the report include passwords, customer information, intellectual property from Research and Development (R&D), financial and other strategic plans for the company.
How do employees take confidential data?
Technology affords many methods for an employee to take data electronically from a company. In the past, the most common method was to write the files to a CD or DVD, but a growing trend involves copying files to a portable USB storage device. USB devices are easily concealed, ready to use and can hold vast amounts of data.
Surprisingly, most companies do not address the danger of stealing electronic information through smart phones which include the BlackBerry, iPhone and the emerging Android phones. These devices often have enormous storage capacity (the most recent iPhone is capable of storing 32GB of data) and are easily connected to the corporate email system. They can also access WiFi wireless networks for high transfer speeds and even have the ability to connect to a company’s private network. The combination of storage, data access and ubiquity make a mobile communication device an ideal method of stealing data.
Email is also another efficient way to take confidential data. Most email services provide users with a website for email access and a generous storage quota. With IT budgets constrained and limited spending available for security, personal emails generally flow unfettered through the enterprise. Employees can easily email large amounts of data to personal accounts and then access it from anywhere in the world. While this is convenient to an employee, it can be very dangerous to the employer. By using a personal email account, the employee not only circumvents the corporate email system but the account is beyond the control and scope of corporate investigations and most legal instruments.
There are also many less common approaches to stealing data that are just as damaging as those mentioned so far. These include websites focused on the sharing of data (for example, yousendit.com), Instant Messenger services (such as Yahoo, AIM, MSN, Google Talk), the venerable FTP (File Transfer Protocol), software which allows complete copies of hard drives and very sophisticated techniques which create encrypted tunnels for transferring data. Suffice to say, it is impossible for a company to completely prevent data loss. According to the U.S. Homeland Security Department, in 2008 there were 5,499 known breaches of U.S. government computers.
All of the methods described above cover intentional data theft by employees. However, an employee may also inadvertently expose confidential data by installing software onto his or her computer. Over half of all respondents to the Ponemon Institute’s survey admitted to downloading personal internet software to their company computers. Many of these programs contain a trojan horse or other malware which seeks out confidential data and copies it to data caches on the Internet for retrieval by unauthorized individuals.
Furthermore, company secrets can be leaked through social networking sites. Today, secrets can be leaked through status updates on these sites, where ‘updating your status’ is a common phrase. Both current and departing employees can inadvertently leak company information by disclosing their current ‘status’ or updating online profiles. For example, a recent Microsoft development was leaked to the public through an online posting on Linkedin.com.
What can you do to protect your clients?
Clients need to protect themselves not only before a data theft has occurred but definitely after such an event. Clients frequently do not understand that failing to take preventive measures may preclude an effective response to the data theft.
Before a theft occurs, you should offer your client advice on appropriate IT policies and technology necessary to protect their valuable data. If a theft has already occurred, legal counsel can provide advice on how to investigate the theft and what legal remedies may exist, such as litigation.
The first protection an employer should have in place is a thorough and well communicated set of company policies and procedures . Two policies and one procedure in particular are essential to the protection of company confidential data: (1) Acceptable Use Policy, (2) Data Classification and Retention Policy and (3) New and Departing Employee Procedures.
The Acceptable Use Policy is a comprehensive policy governing the use of all company assets and in particular should include safeguards to prevent the theft of confidential data, as well as general policies limiting the copying of information and use of computer hardware or software which puts company data at risk. Keep in mind that developing an effective policy may require trading employee convenience for data security. The assessment of these issues will involve difficult decisions that each company must make after weighing the benefits versus the consequences.
The goals of the Data Classification and Retention Policy are to identify all types of data created within a company and the amount of time it should be retained. While this may seem obvious, the process needed to develop an effective policy is arduous, demands participation from numerous departments throughout an organization and an attention to detail. After classifying the various data within a company, other policies can specifically address the data types and how to control and protect them. This policy is also instrumental in developing an effective e-discovery strategy.
Finally, direction must be provided to the Information Technology department to ensure that an employee’s computer equipment is properly handled, starting from the initial setup through the eventual decommissioning of the system. Without specific procedures, it is extremely difficult to use the results of a computer investigation in a legal proceeding since most IT departments will significantly modify an employee’s computer once they have departed.
Even with a thorough set of policies and procedures in place, it is impossible to prevent an employee from stealing confidential data. The next important step in prevention is to deploy effective technical solutions to protect your data. In many companies, a few minor changes to the IT system can yield significant results.
One important change is to remove employees from the Administrator group on their computer. This prevents them from installing any software or hardware. Also, companies should not allow employees to create CDs/DVDs or copy data to USB drives unless there is a business need. In some instances, only the IT department should have the authorization to make or create such data.
Many companies eliminate attaching a printer to a single computer. This not only prevents theft of confidential data (by printing) but also allows for improved print management. Companies should also consider deploying a device which can monitor and block websites that are malicious, in violation of the Acceptable Use Policy, not required to operate the business or allow easy transmission of data.
Finally, companies should implement a centralized logging device. This device will receive all of a company’s log files for aggregation and allows a single view of what is happening throughout the organization. In addition, it can provide critical information as to whether or not your system was compromised by outside entities.
Getting help via forensics (computer and mobile)
While policies and technology will prevent casual data theft, determined employees will still steal data. If this occurs, protect your company by proving two things; that the departed employee took information without your permission and that the stolen information caused harm. This is where computer forensics is important. Companies must first have documentation of the theft by proving that the theft originated from their systems. Computer forensics experts can find and document instances of an employee’s improper conduct using specialized software, hardware and techniques.
Computer forensics experts can determine if an employee connected a device such as a removable USB storage device or if a CD was created which contained confidential data. A true expert can even identify the make, model and serial number of the removable storage device, when it was first connected and the last time it was used. They can also identify which data was deleted and often times can even recover the information. Printing a document also leaves a trail which can be uncovered and can provide key information about the theft itself. Frequently, websites visited by an employee will bring context to the theft or even constitute direct evidence.
An emerging discipline is mobile forensics which target smart phones such as an iPhone, Blackberry or Android phone. Since they contain information which can provide significant insight on what an employee was doing leading up to the theft of data, it might also provide direct evidence of the theft. As an example, a forensics investigation of an Apple iPhone will generally result in the recovery of 50,000 – 60,000 files, most of which the employee never realized existed or thought they had deleted. For the iPhone, the files recovered include all voicemails that were ever left on the phone, all emails ever sent or received, and data users often believe is deleted but can be recovered – including text messages, contacts, call logs and pictures. The blending of modern smart phones with GPS technology can also pinpoint a departing employee’s location at a particular date and time. Of course, many privacy implications exist and should be thoroughly vetted, but lawyers should be aware of the data available if a company employs the services of a qualified computer/mobile forensics expert.
Information gathered during a forensic investigation can provide crucial evidence which enables the employer to seek legal redress from a employee’s data theft. Remedies can include monetary damages or an injunction. Unfortunately, many employers do not realize an employee has taken confidential information until weeks or months have passed. If the former employee’s computer is redeployed or altered by the company, the value of the evidence uncovered is severely diminished.
Whether to preserve forensically a departing employee’s computer is a business decision that must be considered in light of the employee’s access to confidential data. One cost-effective precaution is to make a forensics copy of the hard drive or mobile device. Should suspicions arise in the future concerning theft of confidential information (or a number of other potential matters), the results of a forensic examination conducted on the hard drive “mirror” will be as valid as if the original hard drive had been preserved and examined.
Once a breach of security has been detected the remedies available to the former employer are limited. The Computer Fraud and Abuse Act (CFAA) have limited application to stolen confidential electronic information. This statute authorizes losses to be recovered in a civil action. However, “losses” are defined as loss or damage suffered by computer systems. In other words, losses of revenue or unfair competition are not recoverable under the statute. The most widely used legal remedy in a case of stolen electronic information is an injunction followed by a claim for damages based on misappropriation of trade secrets. However, to support this claim of theft, evidence of actual damages must be shown.
An example of an injunctive order that was issued and upheld on motion to dismiss, was against Frank Ringo in Dental Health Products, Inc. v. Ringo. Ringo was accused of stealing confidential information from his employer. He had been issued a laptop by his employer which allowed him to access highly confidential information about customers, business practices, negotiating strategies, and sales reports. In July 2008, Ringo’s employer noticed that his sales were declining and Ringo submitted his resignation soon after. That same month, his employer learned that Ringo was associated with a direct competitor.
Upon the return of Ringo’s laptop to the employer, computer forensics revealed that Ringo had installed and used special software (Norton Ghost) to copy the entire hard drive onto an external hard drive on multiple occasions. From the evidence produced to the court on the motion to dismiss, there were not enough facts to base the injunctive relief on a violation of CFAA because ‘loss’ to the computer system must be shown. However, the court denied the motion to dismiss because it found that the plaintiff had presented a case sufficient to find that Ringo misappropriated trade secrets of his employer.
With the percentage of business documents being created and stored digitally approaching 100%, the most important assets of a company are easier than ever to steal. And with nearly 60% of departing employees admitting to such theft, companies must find more effective ways to protect their assets. Since litigation is expensive, time consuming and may not yield the desired results, the best strategies to prevent or minimize loss include: (1) Development of a comprehensive set of policies and procedure, (2) Deployment and verification of IT security controls, (3) Proactively leveraging the power of computer and mobile forensics and if necessary, (4) seek legal redress.
Growing awareness that a company takes serious steps to protect digital assets can significantly reduce casual theft by employees. With proper policies and procedures in place, the theft of data requires an intent to profit that is easily proved. In such a case, a company which leverage computer and mobile forensics has the means to identify and document the theft to provide a sound basis for seeking legal redress as did DuPont. The result is a company which operates more efficiently, proactively reduces theft, and has all available means to address thefts which do inevitably occur.