This article will discuss how employee turnover is impacting intellectual property and data protection, as well as the important role of digital forensics in both preventing IP theft and recovering from such an incident.
With the tight labour market, and the recent trend of large numbers of employees leaving their jobs, the risk of intellectual property theft and loss is rising. Given ongoing turbulence in the global economy and employment trends, it’s likely that many organisations will continue to experience high turnover or increased numbers of disengaged employees. With this, business leaders must increase their vigilance over data protection and prevent sensitive data leaving along with departing employees.
Employees may consider taking information when they leave for many reasons, not all of which include malicious intentions. Often, they may want to bring useful material or knowledge with them to a new position, or they may not always be aware that the files they take contain sensitive or protected information. In more deliberately malicious instances, employees may steal IP to offer, or even sell, to a future employer or competitor, or otherwise harm their former employer. In any instance where employees depart with private customer information, email data or other personally identifiable information (PII), if the incident considered a data breach under GDPR, and the employer is required to notify the national supervisory authority. Additionally, companies may have non-disclosure agreements (NDAs) in place for customers and partners, which may violated in the case of data loss or theft.
Investigation into such matters are typically reactive in nature. Of course, there are proactive measures that can be taken for prevention, e.g., briefing employees in detail about restrictions on taking data and conducting in-depth exit reviews to ensure a departing employee is not in possession of restricted information. However, there are several reasons why proactive measures might not be in place. These may range from a lack of budget for implementing necessary tools, a rapidly growing business lagging in updating policies, or due to employees’ job requirements, restricting access to the data may not be feasible. In any event, whether an employee is suspected of stealing sensitive information, or as part of an off-boarding process when an employee resigns, the main questions that employers want answers to are:
- Understanding if any kind of data breach has indeed occurred;
- The scope of what data was stolen and/or deleted;
- How the data was exfiltrated, and,
- A timeline of when it happened.
To answer these questions, organisations must conduct a timely and thorough digital forensics investigation. Best practice is to engage with digital forensics experts before any action is taken, as these specialists play an important role in ensuring that digital evidence can be properly preserved, collected and analysed.
Digital evidence is fragile, and without proper handling, can be destroyed easily. Digital forensics experts understand the steps necessary to ensure all possible sources of evidence can be forensically imaged defensibly and without any inadvertent changes to the data.
For instance, after a departing employee has handed in their company devices, it is vital that the devices are not turned on or used in any way – even for triage or to confirm suspicions. This can lead to data being overwritten, especially when the recovery of deleted data is necessary. Such mistakes can diminish the value of forensic artifacts. Rather, the devices should be forensically imaged by a professional, with subsequent analysis being performed on the forensic images, where information has been safely preserved.
With this approach, digital forensic investigators can conduct in-depth analysis on deleted files, investigate on the dates associated to the files, determine history of USB use, analyse cloud storage access, and review emails, browser history, texts and messages extracted from mobile backups. Any or all of these artifacts may prove relevant to the investigation.
Physical devices used by employees are just one source of evidence for investigation. It is recommended that a holistic approach is taken to include the wide range of emerging data sources that are now a daily part of business communications and collaboration today. These data sources can provide evidence of not only what data the employees had access to, but can provide metadata and logs that reveal user activity on the platforms, additional devices they logged in from and if data was downloaded to external devices.
Once the analysis has concluded and findings are delivered, it is not uncommon for follow-up remediation work to be conducted. This can involve requesting additional devices to be analysed to look for the stolen data if it had been transferred elsewhere and subsequently delete in a secure it.
Protecting sensitive corporate data is critical. Access to valuable and confidential information by competitors or other parties can inflict devastating consequence for an organisation.
Digital forensic experts can leverage their expertise to identify the evidence of IP theft in the corporate environment, and take the necessary steps to ensure data is preserved, so potential offenders may be investigated and lost data may be recovered or remediated. Organisations must be aware that the process of acquisition, extraction and examination of data from modern data sources, including mobile devices, cloud-based storage and chat applications, are very nuanced and have introduced an array of complexities and challenges into the forensic investigation process. In any investigation dealing with sensitive data, trade secrets or IP misappropriation, experienced experts focused on digital forensics should be involved, to ensure defensible and effective methodologies are used to perform data collection and analysis.
By Danny Markey, Senior Consultant, Conor Gavin, Senior Director and Elina Nikoo, Senior Director, FTI Technology
Picture by Christina Morillo
