Keeping corporate data safe is an increasingly difficult task; one of the biggest risks that a company faces comes from within: its own employees. Indeed, contrary to what the headlines may lead us to believe, hackers are not the only, or even the primary, culprits in loss of critical data—employees take or send sensitive information outside of the company with alarming frequency. While these actions are not always malicious or intentional, they can cause just as much damage as (if not more damage than) a sophisticated cyber threat campaign, ranging from causing confidential information to lose its legal designation as a “trade secret” to arming a competitor with the ability to undercut the company’s competitive advantage.
The increase in the volume of electronic data companies have and the frequency with which employees change jobs have created particularly dangerous circumstances for companies trying to protect their data. Specifically, the ways corporate data is now accessed—including through remote access and bring your own device (BYOD) environments —and where it is stored (whether on-premise, in the cloud, or on web-based platforms), as well as the prolific use of email, can make it difficult for legal, compliance, and IT stakeholders to keep track of how and where corporate data is flowing. In fact, if a company does not take affirmative steps to monitor and safeguard its data, it may not realize that data was taken or sent outside the company until it is too late (or ever).
One known risk point is departing employees. In fact, a report from HfS Research (The Services Research Company) found that 69% of organizations have experienced data loss from employee movements. Furthermore, a recent study from Symantec reported that 50% of people who left or lost their jobs in the last 12 months kept confidential corporate data from their former employers. Alarmingly, 40% of those people planned to use that data in their new jobs. This risk of employees taking data when they leave a company is heightened given the fact that, according to the Bureau of Labor Statistics, the median tenure of employment for U.S. employees is 4.2 years. Thus, companies need to have protocols in place to assess the potential risk of data loss when employees leave, and to promptly investigate and respond if risk exists.
A failure to prepare for the complications of the modern data environment—and the near-inevitability of data being taken or sent outside of the organization—can leave a company open to significant business and legal risks, including the following.
Potential Loss of Valuable Competitive Advantage
Protecting sensitive data is critical to protecting the company’s position in the marketplace. The dissemination of intellectual property or trade secrets can be devastating to, among other things, a corporation’s competitive advantage and even its future viability. In fact, our legal and forensic investigation teams have worked together on several recent matters that involved significant threats to the companies’ business. In one case, two employees at a highly profitable financial services firm stole data and code for the company’s trading algorithm, planning to start a competitive venture. In another case, two original founders of a medical device manufacturer worked with a company engineer to build a new version of the company’s main product based on stolen confidential drawings and schematics. If the employees in these cases had not been caught and stopped, the results for both companies could have been financially devastating.
Loss of Evidence in Relation to Civil/Criminal Cases
Spoliation or loss of evidence in relation to litigation can be a major issue, yet it happens regularly from inadvertent data loss, including as a result of zealous IT employees conducting their own investigations of suspected data theft. Without a solid preservation plan in place that is applied to all types of devices and data (including emails, computers, hard drives, cloud storage, and logs), the integrity of important evidence can be undermined or lost completely.
No Cause of Action or Criminal Charge Available
How a company stores and safeguards its data can potentially limit what types of legal remedies are available if data theft occurs. For example, a company must take steps to keep its valuable data confidential; otherwise that information may not be legally considered a “trade secret” under both the federal Defend Trade Secrets Act as well as most state trade secret laws. Further, there may be no “unauthorized access” claim under the Computer Fraud and Abuse Act if access to confidential information is broadly given to all employees.
Inability to Utilize Evidence Due to Improper Handling
If the necessary procedures for keeping corporate data safe are not in place, and proper preservation techniques are not utilized, key evidence may be lost, corrupted, or be inadmissible in a future legal proceeding. Evidence must not be altered in any way by outside providers and chain of custody must be preserved. Therefore, only properly trained forensic experts should be involved in gathering data and accessing it if a risk of data theft exists.
Our experience has taught us that companies can only prevent the above risks by being proactive – both before and after data loss occurs. Below are some best practices to help implement such protective measures and establish effective reactive protocols.
Limit Access to Data
Identifying what trade secrets the company has, understanding who has access to what data, and reasonably limiting access to that data are important first steps. Organizations should consider ways to segregate valuable data, implement responsible VPN policies and practices, and govern whether data can be copied or downloaded outside of the corporate environment.
Clearly Communicate Policies
A company should craft robust and clear policies that protect its data, including policies addressing confidentiality, non-disclosure, intellectual property and trade secret ownership, and acceptable IT use policies relating to computers, cloud storage, email, and remote storage devices. Employees also should be trained on and acknowledge their understanding of such policies. A company should also implement policies to allow it to review and search corporate emails and devices used by employees, as well as artifacts from personal email, cloud storage, internet history, and social media to ensure the company has the tools it needs to conduct an effective investigation.
Leverage Technology to Track Employee Status Changes
A secure information governance policy should involve a sustainable tracking process for when employees change roles or locations or leave the company and should include, if possible, a mechanism to know what devices departing employees were issued. Technology can help automate such efforts, and ensure that all security and legal hold needs are being met as employees’ statuses change.
Utilize Robust Employee Agreements
Non-compete and non-disclosure agreements should be utilized with appropriate employees (which may include IT professionals, sales persons, engineers, and others depending on the nature of the company’s data). It is important to make sure these policies encompass data loss prevention, are be reviewed and updated regularly, and comply with the nuances of different states’ laws.
Implement Coordinated Security Measures
Physical and technological security measures are important both for preventing data from leaving the company and for maintaining a strong position for possible future litigation. Potential measures include physical security such as keycards, passwords, policies against using USB storage devices, and limiting remote access; as well as network security measures, such as alerts for suspicious activity and implementation of data loss prevention protocols, mobile device management, and surveillance tools.
Conduct Exit Interviews
An exit interview can serve as an opportunity to assess risk and gain important evidence for future litigation. When an employee departs, HR should conduct a comprehensive exit interview that requires the employee to reconfirm confidentiality and non-disclosure obligations (preferably in writing) and seeks to learn where the employee plans to work and the reasons for departure.
Collect and Preserve All Devices and Evidence Immediately
If data has already been disseminated or taken outside of the company (or such data loss is suspected), prompt and forensically-sound preservation is key. It is critical that companies have protocols in place for determining what data sources should be preserved (e.g., devices, remote storage, logs, phone records, etc.), for memorializing collection, and for preserving data before any investigation occurs. Such processes must be methodical and involve collaboration between legal and IT to ensure that the level of risk is understood, that volatile data is not lost, and that the reliability of the data is not undermined.
Cut off Access to Servers/Systems Prior to Employee Departure
When data loss is suspected or an employee departs, the employee’s access to company data should be shut off promptly, and, in the cases of termination, before termination occurs. For large, complex environments, this can require advanced planning, particularly to ensure termination of access is complete across all servers and databases.
While it is not possible to completely lock down information without disrupting daily business, there are certain safeguards that, as discussed above, can—and should—be put in place to the extent possible to maintain day-to-day data access while still preventing theft, monitoring for red flags of potential dissemination, and bolstering a company’s position to seek legal remedies, if ever necessary. Taking such steps is critical, given the challenges that exist with tracking the movement of electronic data and the severe consequences that can occur when data is stolen or disseminated. Companies can tailor their approach, the above measures, and their investigation protocols to correspond with their perceived level of risk—an assessment that outside counsel and computer forensic experts can help companies undertake. Furthermore, because computer forensic artifacts and data are often the crux of any investigation and litigation, it is important to use trusted digital forensic experts to preserve and analyze electronic data. Outside counsel can also help assess criminal and/or civil remedial options and protect the company’s privilege through any investigation and litigation.