Outsourcing situations are fraught with personnel turnover — whether your internal team experiences it or the service provider does. Along the way, some departing folks may believe they have reasons to hold a grudge against your company. Most companies take care to ensure that new and departing employees have completed human resource files with non-disclosure agreements, non-competition agreements, invention and assignment agreements and various other forms. But are you doing enough to protect your organization from intellectual property (IP) theft by departing employees and consultants?
This brief article explains how to make sure you’ve gone the extra lengths to protect your company from digital forms of theft.
The Challenge of IP Theft
Typically, departing employees turn in keys, access cards and computers on their final day with the firm. The keys are re-used and access cards destroyed, and the departing employee’s computer makes its way back to the IT department to be reformatted and reissued to a new employee. But when companies re-issue computers without making a forensically sound copy of the hard drive prior to reformatting, they hinder their ability to proactively prosecute theft of IP by departing employees.
Properly securing the original or making forensically sound copies of the computers and storage devices of employees with access to trade secrets and IP may be the best proactive protection against theft. In the case of a pending termination of an employee considered to have significant risk, making forensic copies of the person’s computers should be “standard operating procedure.” This action may be the best defense against theft and misappropriation of assets. After all, the ubiquity of notebook computers, Internet email accounts, USB drives, compact flash cards, iPods, CD and DVD burners and other technologies have made copying and removing large amounts of information from a company all but invisible to the eye.
What needs protecting? In the case of sales and support staff, customer lists, prospect lists, competitive analysis, product development schedules, features and price lists are typically easily accessible. With engineers, future patents, methodologies, product development schedules, CAD and design files and algorithms are typically accessible and used frequently. Executives and senior staff have access to all of these assets in addition to business plans, financing, compensation plans, legal defense strategies, financials and many other proprietary or damaging forms of information and data.
How To Protect Your Company from IP Theft
How can you protect the company and what do you look for? First and foremost, the forensic securing of information through the use of proper procedures and the use of licensed or certified personnel or vendors are keys to avoiding spoliation or unintentional compromise of the electronic files.
In some states the collection of electronic evidence must be performed by a licensed individual. Depending on the state, this may include licensed private investigators, attorneys and in some cases trained certified public accountants; but typically, these individuals may not be trained nor qualified to collect evidence.
In addition to the correct licensing, the party engaged to make the forensically sound copies of the hard drives should be certified. Certification is completely voluntary in this field; however, hiring a certified individual will ensure that a minimum standard of knowledge has been attained by the expert.
So should you use your company’s internal IT people to make copies of the hard drives of departing employees? Some companies choose to do just this, and don’t run into problems providing that they have trained (and preferably certified) staff members performing the hard drive acquisitions using “forensically sound procedures.”
Procedurally, the collection of electronic evidence should follow similar processes to any other criminal/corporate investigation:
1. Every step should be documented with the evidence (pristine forensic copies) being sealed and signed.
2. The computer storage devices should be copied using a special “read only” hardware device, which doesn’t allow for updates or modifications to file dates or time stamps. These write-blocking devices are made by companies like Intelligent Computer Solutions. The forensically sound copy is generated by forensic acquisition software like AccessData’s Forensic Toolkit or Guidance Software’s EnCase. The copy made at this stage will be an exact bit-for-bit replica of the original drive, including deleted files, unallocated space and file slack, not just a copy of the “active files.”
3. Repeat this procedure on all hard drives, flash drives, USB drives and external media.
4. A minimum of two copies should be made if you intend to perform an immediate investigation. The first copy should be the “pristine copy,” sealed, logged and endorsed by the licensed collector as the forensic copy. A second “working” copy can be used to perform analysis and used for legal discovery.
5. Store the evidence in a secure, appropriate location.
Now that the evidence has been “collected,” what next?
1. Using only the “working” copy, look for unusual activity such as:
- Unusual large file transfers.
- Unusual files residing locally (like a downloaded customer list from your hosted CRM).
- CAD files on a computer not having the CAD program or not being used as a workstation.
- File types not normally used by the individual.
- Large files, especially those with recent date stamps.
- Large numbers of files, outside the normal, saved by date.
- Unusual after-hours, weekend or holiday activity.
- Significant increases in outbound emails.
- Link files from writing to CD-ROM or USB drives.
- Recently added or deleted software.
- Recently upgraded or “downgraded” software and applications.
2. Identify and log password protected files and encrypted files.
3. Use software to recover “deleted” files, expose “hidden” files and recover temporary files used to copy data to other storage devices.
4. Check the network and file server logs for the individual for unusual activity and activity times, large file transfers and deleted files. If necessary, check the server back-up tapes and restore the files onto another “working” server.
Once you review the evidence for suspicious “activity” and have restored any deleted files, you can proceed sequentially with your discovery process and decide the extent to which full discovery is required. What you’re looking for is:
- The presence of suspicious activity that calls for further investigation.
- The presence of deleted files that disclose evidence or a pattern requiring further investigation.
- The presence in deleted files of any suspicious content.
If necessary, native files (such as emails, word processing and spreadsheet documents and PDFs), along with their full text and metadata, can be loaded into an e-discovery system for a more complete review and investigation.
While all of this may not be necessary, it’s almost impossible to perform if addressed “after the fact” or without forensic acquisition of the data being performed in short order. When dealing with electronic data, time is of the essence. After all, anytime a computer is turned on, a file is accessed or information is transferred, potentially valuable evidence can be overwritten, making prosecution extremely difficult.
Similarly, “deleted” files aren’t necessarily deleted. In most cases the file is still on the computer but the “pointer” to the file has been removed, creating the appearance that the file has been deleted. The space that has been released by the “deletion” will be re-used by the computer over some period of time — sometimes quickly. There are ways to more permanently delete files, which more technically knowledgeable individuals may use; but in this event, the very act of intentionally and permanently deleting files and activity records, if not performed as a normal activity, would provide inference of intent. (Consider the recent case against Sanjay Kumar, the former CEO of Computer Associates International Inc., who pleaded guilty to obstruction of justice and perjury).
3 Steps for IP Protection
Have a defined policy for forensic storage declared in your employee manual, just as statements on computer usage and access are addressed. Provide notice to employees of your intended commitment to safeguard company assets, IP and trade secrets.
Consider forensically storing copies of departed employees’ electronic files — at least those of key executives and “at-risk” employees — as a safeguard and proactive offensive or defensive insurance against future litigation, before the electronic records are destroyed. Whether employees’ departures are voluntary or involuntary, some may be classified as “at-risk” employees due to the nature of their jobs, understanding of the law, the employees’ intention for starting a competing business, intent to join a competitor or even their attitudes when departing the company.
If you have cause for concern, or if your review of the recent activity of the individual is suspect, a reminder letter of obligation restating the agreements the employee endorsed may be all that is needed to protect the company. If a stronger notice is required, a cease and desist can be sent with specific mention of activities and files providing notice of the company’s intention and dedication to protecting its assets.
Should there be a need to litigate, finding evidence of the stolen IP is sometimes as simple as analyzing the ex-employee’s home computer and new work computer for evidence of the files owned by the previous employer. Each file on the hard drive has a unique “digital fingerprint” called an MD5 hash. This fingerprint is calculated using a mathematical algorithm and can be calculated on recovered deleted files as well as active files. Finding files with matching MD5 hashes or “fingerprints” allows the employer to prove that their IP exists or existed on the ex-employee’s home computer or on the competitor’s computer system, allowing for additional defendants to be named in the suit.
Remember, electronic data is volatile. Making a forensically sound copy of the data as soon as possible enhances your chances of prevailing down the road.
Intelligent Computer Solutions
A version of this article was first printed in Volume 14, Number 3 of Employment Law Strategist¨, an ALM publication. Reprinted with permission.