As I write this article I note that Infosecurity Europe is currently conducting an online survey, asking participants to consider if they would download their list of contacts or competitive information, to take with them when they leave their current employment.
At present, two-thirds of respondents have stated that they would indeed take this information with them.
The result is perhaps not surprising, but it is a serious concern for businesses, and something that can have significant consequences for both the individual concerned and their future employer, should they act on it.
The last year has seen a considerable increase in cases where organizations refuse to accept that intellectual property misappropriated by their staff can simply remain in those people's possession. Ultimately these corporate victims are taking action through the courts to recover the information and, in turn, to seek damages from the offenders.
This does not necessarily relate to the downloading of an individual's address book, but more commonly to the taking of a sales database or financial and product information. The former will of course always be subject to debate: which party owns the contacts list, the employer or the individual? Either way, it is the potential impact of the loss of the databases that is likely to lead to court action.
The offender profile
The most frequent scenario encountered by DataSec over the last year has been that of a senior person within the organization deciding to leave and set up a competing company. Such individuals will often hold highly responsible positions and also take with them a number of staff who feel a loyalty towards the instigator. I am sure that 'greener grass' will always play a part in anyone's decision to move on. I wonder, however, how often the employee considering departure in order to join a new competing company will be aware of the legalities, of the source of the information that will be used to support the new venture, and indeed of whether their new employer will still be in existence some months down the line.
It is likely that employment contracts, policies and codes of conduct will detail acceptable behavior for the employee in relation to use of their employer's intellectual property and confidential information. It is important for any employer to ensure that they proactively protect this information with up-to-date policies that restrict misuse of such vital data.
A recent case first came to light when a company received a telephone call from one of their longstanding customers. The customer had been approached by a new supplier offering the same goods as those which they regularly purchased from the current supplier, with a 10 percent discount across the board. The customer had noticed that the layout of the sales information relating to the goods offered, the prices, and indeed the product codes, were identical to that which they currently received from the existing supplier.
An investigation then discovered that an employee who had since left the organization had stolen this confidential information. The relationship between the company and its longstanding customer had brought the situation to light at an early stage and afforded the company the opportunity to deal with it promptly. The most worrying factor for the company was the potential impact this new competitor could have had on its business over the medium term: it estimated that it could have lost 20 percent of its customers.
In another recent case in the U.K., a defecting employee was seeking to take product information held on a database, which would allow him to support a major contract that he intended to take away from his current employer. The contract value exceeded £10 million. Had he succeeded, his action would have led to over 100 redundancies, affecting people who would have called him their colleague up until that point.
When suspicion arises the company is faced with its first series of decisions. Does it dismiss the person it suspects if he or she is still in its employ? Does it investigate covertly to build a case? How does it protect its intellectual property? Whom does it use to work through the process?
It is vitally important that action is taken quickly and that a strategy, including a legal risk assessment, is developed by specialists who are experienced with such issues. A worrying statistic from the U.K.'s Department of Trade and Industry last year, however, is that only 10 percent of companies have documented guidelines on how to deal with IT evidence and investigations. It is not uncommon for companies to address these issues for the first time immediately after becoming a victim.
Legislation pertaining to an employer's ability to deal with a computer-related investigation comes in the U.K. in the form of the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000 (RIPA).
RIPA, together with its Lawful Business Practice Regulations, affords the employer quite wide powers to monitor their staff's communications. The Regulations set out a number of purposes for which monitoring may take place without the consent of the sender and recipient; these include the prevention and detection of crime and ensuring that company policies are adhered to.
Acting in a proportionate manner is undoubtedly one part of working within the Data Protection Act. It is important to ensure that grounds for suspicion do in fact exist. A good test is to actually write down the grounds. Having done this, ask if the source of the information is reliable and also if it is possible to corroborate the information in any way.
If grounds exist, the law does not preclude a covert investigation, provided it is conducted with proportionality in mind. The most incriminating evidence may often be gathered while the suspect is unaware of the investigation.
The actual IT investigation should be forensically sound. By this I mean that certain principles must be adhered to, such as documenting every step of the process and not altering the data in any way as you gather the evidence. In practice this means imaging the original media, recording a cryptographic hash of the image at acquisition, working only on verified copies, and re-checking the hash afterwards so that the court can be shown the evidence is unchanged. Ultimately it is imperative that the person conducting the investigation has the requisite knowledge, since they may of course have to justify their actions in court.
The lawful interception of communications, that is, reading the suspect's email without their knowledge, will often play a vital role. This can often identify where intellectual property has been sent and indeed its intended future use.
The IT investigation may also run concurrently with a conventional investigation, which might include surveillance for example. This will lead to an evidence file being generated that demonstrates the suspect's intentions, their breach of company contracts or codes that relate to the misappropriation of intellectual property and indeed, the details of the new competitive company.
Recovering stolen intellectual property
Having identified where the stolen information may be located, the evidence can be presented to a court without the knowledge of the suspect. Civil courts in the U.K. are issuing increasing numbers of search and seizure orders, which allow representatives of the complainant (the corporate victim) to enter the premises of the suspect and seize data on their computers.
This can lead to interesting events, such as the time when the computer in question was 'formatted' as the court officials entered the building. Unfortunately for the suspects, a quick format rewrites only the file system's metadata; the file contents remain on the disk until they are overwritten, and forensic tools can carve them out. Not only was the data recovered, but the user of the computer prior to the time of the format was also identified, providing valuable evidence for the complainant.
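The two points above, working only on a hash-verified copy of the evidence and the fact that a quick format leaves file contents behind, can be shown on a toy disk image. The following is an added example and not DataSec's or the article's own code: it builds a constructed 64-sector image with a made-up directory format (file name to start sector), records an acquisition hash and a custody log, zeroes only the directory sectors to simulate a quick format, and then carves the data sectors back out by signature while confirming the copy's hash is unchanged. The sector size, the directory layout and the file contents are all assumptions for illustration.

```python
"""Forensic-soundness sketch on a constructed disk image (example code, not a real tool)."""
import hashlib

SECTOR = 512        # assumed sector size for the constructed image
DIR_SECTORS = 2     # assumed: sectors 0-1 hold a toy directory "NAME=start_sector;..."


def build_sample_image() -> bytes:
    """Constructed 64-sector image: a toy directory plus two small 'files'."""
    img = bytearray(SECTOR * 64)
    directory = b"PRICELIST.CSV=10;CUSTOMERS.CSV=30;"       # made-up directory format
    img[0:len(directory)] = directory
    files = {                                                 # constructed sample data
        10: b"PRODUCT_CODE,PRICE\nAB-1001,19.99\nAB-1002,24.50\n",
        30: b"CUSTOMER,CONTACT\nAcme Ltd,purchasing@example.com\n",
    }
    for start, data in files.items():
        img[start * SECTOR:start * SECTOR + len(data)] = data
    return bytes(img)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(evidence: bytes) -> tuple[bytes, str, list[str]]:
    """Take a working copy and open a custody log with the acquisition hash."""
    digest = sha256_hex(evidence)
    log = [f"acquired {len(evidence)} bytes, sha256={digest}"]
    return bytes(evidence), digest, log


def verify(image: bytes, expected: str, log: list[str]) -> bool:
    """Re-hash after analysis; any mismatch means the copy was altered."""
    ok = sha256_hex(image) == expected
    log.append("verify sha256: " + ("match" if ok else "MISMATCH"))
    return ok


def list_directory(image: bytes) -> dict[str, int]:
    """Parse the toy directory. After a quick format the region is all zeros."""
    region = image[:DIR_SECTORS * SECTOR].split(b"\x00", 1)[0]
    entries: dict[str, int] = {}
    for item in region.split(b";"):
        if b"=" in item:
            name, start = item.split(b"=", 1)
            entries[name.decode()] = int(start)
    return entries


def quick_format(image: bytes) -> bytes:
    """Simulate a quick format: only the directory sectors are zeroed, data stays."""
    img = bytearray(image)
    img[:DIR_SECTORS * SECTOR] = bytes(DIR_SECTORS * SECTOR)
    return bytes(img)


def carve(image: bytes, signatures: list[bytes]) -> dict[int, bytes]:
    """Read-only sector scan: content of every sector that starts with a known
    signature, up to its first NUL byte. Works without any directory."""
    found: dict[int, bytes] = {}
    for n in range(len(image) // SECTOR):
        sector = image[n * SECTOR:(n + 1) * SECTOR]
        if any(sector.startswith(sig) for sig in signatures):
            found[n] = sector.split(b"\x00", 1)[0]
    return found


def investigate(evidence: bytes) -> dict:
    """Whole workflow on a copy: acquire, inspect, carve, re-verify, report."""
    working, digest, log = acquire(evidence)
    directory = list_directory(working)
    carved = carve(working, [b"PRODUCT_CODE", b"CUSTOMER,"])
    intact = verify(working, digest, log)
    return {
        "directory": directory,
        "carved_sectors": sorted(carved),
        "hash_intact": intact,
        "log": log,
    }


if __name__ == "__main__":
    original = build_sample_image()
    formatted = quick_format(original)   # what the suspect did as the officers arrived
    print(investigate(formatted))
```

The directory listing of the formatted image is empty, yet both files are carved back out of sectors 10 and 30, and the custody log shows the copy's hash matching before and after the scan. Real examiners use a hardware write blocker and an imaging tool that records the hash for them, but the principle is the same: the original is never touched, and every conclusion is drawn from a copy whose hash can be reproduced in court.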
Having seized computers from the suspect, forensic analysis will show whether the information does in fact belong to the complainant and if this is proved the evidence will be used in legal proceedings, where damages can be pursued in addition to recouping all costs associated with the investigation.
If the evidence is strong, it is highly likely that the suspect and his or her associates in their new venture will settle very quickly, thus avoiding costly litigation. There is no doubt that the initial costs encountered by the victim are considerable, and therefore the company must weigh up the potential to win the case and indeed the impact on their business should they decide to take no action.
Despite the initial outlay, however, if the company's case is a good one the law will support its objectives of recovering its intellectual property and restricting its misuse, and will afford it the ability to recover its costs and obtain damages.
The last and possibly most important benefit is the one realized by the employer when the news filters through the organization: it should deter others from considering similar action in the future.
Adrian Reid is managing director for computer forensic consultants DataSec Limited (www.datasec.co.uk). DataSec Limited is also exhibiting at Infosecurity Europe 2003, which takes place at London's Olympia from April 29 to May 1.