How To Let Former Employees Get Away With Data Theft
Several months ago we were involved in an investigation. The respondent was a former employee who had left his employment with the claimant and gone to start his own company in direct competition with his former employer. They suspected that he had taken several items with him including proprietary data from both the corporate network and his work computer. Ordinarily, this type of investigation would have been straightforward--we would look for key pieces of evidence that showed the copying or transferring of data from one source to another. We'd provide reports detailing which USB storage devices were in use and which files were opened from such devices.
Initially, we were told the computer had not been in use since the defendant had left the company, which means that all of the forensic artifacts should have been preserved for our investigation. However, when we began our investigation it became painfully obvious that not only had the computer been in use during the months following his departure but the company had continued to use his user account. As a result the most significant information tying the former employee to any data was either gone or tainted beyond repair.
There are times when the obstacles are too great to overcome—this was one of those times.
If the company had preserved the computer at the time, there may have been a wealth of information to support their case. Instead, the case fell apart and the company had no recourse to pursue their claims against the former employee. Potentially costing them millions of dollars to a competitor.
When an employee leaves it is not unusual for them to take key information on their way out the door. A 2013 study by Symantec found that approximately half of employees keep confidential data when leaving their former company and that 40 percent of the employees intend to use the data when they arrive at their new job.
"Employees not only think it is acceptable to take and use IP when they leave a company, but also believe their companies do not care. Only 47 percent say their organization takes action when employees take sensitive information contrary to company policy and 68 percent say their organization does not take steps to ensure employees do not use confidential competitive information from third parties. Organizations are failing to create an environment and culture that promotes employees' responsibility and accountability in protecting IP."
The good news is that Symantec goes on the explain that employees do very little to clean up their illicit activity so there is usually a great deal of information available for forensic analysis. While 62 percent of employees say it is acceptable to transfer work documents to personal computers, tablets, smartphones or online file sharing applications, the majority never delete the data they've moved because they do not see any harm in keeping it. My question to you is this: Do you care about employees walking out with corporate secrets? Of course you do. I'm sure that a lengthy post about the dangers of letting company data go to a competitor is unnecessary. We all work hard for a competitive edge and would consider it a disaster if such information found its way into our nemeses hands. So now we're faced with a bigger question: What can you do about it?
At Digital Discovery we know that taking a computer out of commission every time an employee leaves is somewhat impractical. Computers and their associated software are costly to replace and the demand for re-purposing these devices is often high. However, we also know that delaying the preservation of that computer, even by a few hours, could make a huge difference in the recoverable artifacts. While some items, like Internet and USB history could still exist on a computer for days or even weeks after it's final use, there is data that shows file deletion, copying, and other manipulation that could be overwritten within a few hours.
How do you balance the need to re-purpose with the need to preserve data for possible future analysis? By preventatively preserving the data at a fixed, low cost.
Imagine that whenever an employee leaves a job a forensic analyst is deployed to your offices to take a forensic image of that employee's computer. You have just bought yourself peace of mind. No matter what happens in the future that forensic analyst has an exact duplicate of the data from that computer from which to work. It is preserved exactly as it was at the time that the employee and company parted ways. If you require an investigation at some point in the future the analyst would still have all of the data necessary to conduct the investigation. Preservation prevents disaster.
When an employee leaves, even if it is on the best of terms, turn the computer off immediately and call the data experts at Digital Discovery. We will preserve and store the data until you need it.
Lee Whitfield is the Director of Forensics for Digital Discovery and responsible for conducting a wide variety of complex digital forensics investigations. He is an internationally recognized digital forensics researcher, examiner and educator with close to a decade of expert witness experience. Lee has conducted a wide variety of investigations in both civil and criminal courts dealing with matters involving intellectual property theft, contract disputes, financial fraud, and terrorism.