In Data Theft by Departing Employees: A Bigger Threat Than Hackers, an ACEDS webinar, we learn that when an employee leaves an organization, it is generally understood that the organization will lose that person’s experience and all of the institutional knowledge they’ve built up.
But what happens if that person takes more than that?
While the data theft problem may not appear in headlines anywhere near as much as security breaches and hacking-related incidents do, when it comes down to it, a staggering 87 percent of employees in fact take corporate information with them.
In this webinar, our eDiscovery experts Brian Schrader and Jason Park share best practices for exiting employees: not only how to seek out these culprits after they’ve left, but also how to prevent the information from leaving the corporation in the first place.
In the Data Theft by Departing Employees: A Bigger Threat Than Hackers webinar, you’ll learn about:
- How common of a problem this is to a corporation
- How to find evidence of exiting employee data theft
- How to prevent data theft
- Correct procedures for handling a departing employee’s devices, including preserving data from:
  - Cloud platforms
  - MS Office and other computer software
  - Chat applications
  - Operating systems
  - Social media networks
  - Online activity
  - Deleted files
  - And more
Thanks to everyone who joined us and made it a very informative discussion! We received some great questions from participants, so here is a wrap-up of everything that was covered:
How common is data theft by departing employees?
It’s more common than you think. A survey published by Biscom in late 2015 found that 87 percent of employees who leave a job take with them data that they created in that job and 28 percent take data that others had created. Among the majority who took company data with them, 88 percent took corporate presentations and/or strategy documents, 31 percent took customer lists, and 25 percent took intellectual property.
Why do departing employees take data with them?
Some do so inadvertently – they simply forgot they had the data in their possession. Others don’t feel or don’t realize it’s wrong because they figure anything they create while at the company is theirs to keep and do with it what they want. Then there are the few that take it with malicious intent, such as to compete with or hurt the former employer. A survey of 1,000 employees in the United States and Europe found that one in five had uploaded sensitive and confidential corporate data to an external cloud service specifically for the purpose of sharing it with others.
So, what should the IT department do when an employee is leaving?
First and foremost, they need to take all the employee’s devices, including computers, tablets, external hard drives, thumb drives, backup discs, etc., as well as company credit cards, security access cards, parking codes, etc.
This is something that most companies typically do already. However, those devices should not be deployed to a new employee until forensic images of the devices have been made, especially for those employees who had access to important information, such as intellectual property, trade secrets and other things of that nature. Unless you have copies of this data on hand – ones that have been forensically copied to maintain the same metadata – how would you know that the former employee is, for example, using that information to benefit a competing company? If the device has already been deployed to a new employee without the necessary imaging, it’s very hard to prove that data was taken.
Also, it’s important to keep track of the chain of custody of any devices the employee used. You need to know who took possession of each device from the employee and where it was put. Was it locked up? Did anybody lose it? Did anybody get into that device, and if so, why? When did it go to the forensic company? Is there a common server or other device that may mean that data could be overwritten before you analyze it? Set a procedure for how you will handle devices and data when an employee leaves so you are prepared if a problem leads to litigation. You don’t want potentially vital evidence to be thrown out because of sloppy handling.
Once the employee has left, disable his or her access to computer systems, phone and voicemail systems, email, cloud providers, CRM platforms, etc. Also pay attention to social media accounts, and disable the employee’s access to accounts owned by the company.
Conversely, what should the IT department NOT do when an employee is leaving?
In addition to not re-deploying the devices until a forensic image has been made, the IT department should not, for any reason, go poking around on the computer just to “see what’s there” like in web search histories, document folders, etc. Often, we’ll encounter an IT person who thinks he or she is being helpful by doing this, but keep in mind that this may end up in court under the scrutiny of lawyers, a judge and the jury. All poking around does is trample all over the important data that we need to make our case. Once a forensic image has been made, though, they can look at whatever they want.
Why can’t I just do a back-up of the device?
A back-up is usually not sufficient to capture the full image of the data. An IT backup usually copies only active files – not deleted files or unallocated space. However, forensic imaging copies every bit of the data, including active files, deleted files, file slack (fragments) and unallocated space.
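As an added illustration (not code from the webinar or from BIA), the Python below builds a constructed 1 KB toy drive with one active file and one deleted file whose bytes remain in unallocated space, then contrasts a file-level backup with a bit-for-bit, chunk-hashed image: the backup never sees the deleted customer list, the image does, and re-hashing detects any write to the image after the fact. The sector layout, file names and contents are all assumptions made for the example.

```python
import hashlib

SECTOR = 64          # bytes per sector in the toy drive (assumption)
SECTORS = 16         # 16 sectors = a 1024-byte "hard drive"

# Constructed sample content, not real documents.
ACTIVE_DOC = b"Q3 strategy deck: expand into the EU market"
DELETED_DOC = b"Customer list: Acme, Globex, Initech"

# Toy file table: name -> (first sector, sector count). Only the active file is
# listed; the deleted file's entry is gone, though its bytes still sit on disk.
FILE_TABLE = {"strategy.txt": (2, 2)}


def build_disk() -> bytes:
    """Lay out the raw drive: active file in sectors 2-3, deleted file in 5-6."""
    disk = bytearray(SECTOR * SECTORS)
    disk[2 * SECTOR:2 * SECTOR + len(ACTIVE_DOC)] = ACTIVE_DOC
    disk[5 * SECTOR:5 * SECTOR + len(DELETED_DOC)] = DELETED_DOC
    return bytes(disk)


def it_backup(disk: bytes) -> dict:
    """What a typical IT backup captures: only the active files the file table lists."""
    out = {}
    for name, (start, count) in FILE_TABLE.items():
        raw = disk[start * SECTOR:(start + count) * SECTOR]
        out[name] = raw.rstrip(b"\x00")   # file slack is dropped as well
    return out


def forensic_image(disk: bytes, chunk_sectors: int = 4) -> tuple:
    """Bit-for-bit copy cut into fixed-size chunks, each hashed, plus a whole-image hash."""
    size = chunk_sectors * SECTOR
    chunks = [(disk[i:i + size], hashlib.sha256(disk[i:i + size]).hexdigest())
              for i in range(0, len(disk), size)]
    return chunks, hashlib.sha256(disk).hexdigest()


def verify_image(chunks, whole_hash: str) -> bool:
    """Re-hash every chunk and the reassembled image; any mismatch means the copy is not pristine."""
    if any(hashlib.sha256(data).hexdigest() != h for data, h in chunks):
        return False
    reassembled = b"".join(data for data, _ in chunks)
    return hashlib.sha256(reassembled).hexdigest() == whole_hash


def find_in_backup(backup: dict, needle: bytes) -> bool:
    """Keyword search limited to the active files a backup holds."""
    return any(needle in content for content in backup.values())


def find_in_image(chunks, needle: bytes) -> int:
    """Keyword search over every byte of the image, unallocated space included; offset or -1."""
    return b"".join(data for data, _ in chunks).find(needle)


def run_demo() -> dict:
    disk = build_disk()
    backup = it_backup(disk)
    chunks, whole_hash = forensic_image(disk)
    # Simulate a working copy that was written to after imaging (one byte changed).
    tampered = list(chunks)
    data, h = tampered[1]
    tampered[1] = (bytes([data[0] ^ 0xFF]) + data[1:], h)
    return {
        "backup_has_deleted": find_in_backup(backup, b"Customer list"),
        "image_offset_of_deleted": find_in_image(chunks, b"Customer list"),
        "image_verifies": verify_image(chunks, whole_hash),
        "tampered_verifies": verify_image(tampered, whole_hash),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```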
How can I prevent employees from taking data with them?
Companies should establish policies to limit employee access to sensitive and confidential data by role, function, need to know, etc. Employment contracts and agreements should also include clear language about ownership of sensitive, confidential and trade secret data while employees are working for a company. And all personnel need to be frequently reminded about this agreement, especially of management’s intent and right to monitor and audit employee behavior when using any corporate resource, such as a computer, mobile device or network.
Additionally, sensitive and confidential data should be encrypted in transit, at rest and in use, regardless of its location. Because of the significant amount of data stored on smartphones and laptops, it is vital that every mobile device can be remotely wiped by the company. However, doing so may destroy valuable evidence, so only do that when it is absolutely necessary.
Another way to protect data is to require two-factor authentication for sensitive content. Finally, managers need to be trained properly and on an ongoing basis so they are aware of the various issues involved when employees leave and are able to prevent exfiltration of data.
Let’s say a company doesn’t have the data theft clause in the employee contract, and it finds that a former employee has taken company property. What recourse does the company have at that point to go after that employee if it was never in his or her contract?
The bottom line is: It’s still theft. For example, just because you may not have a policy posted in the office that says, “Don’t steal office supplies,” stealing office supplies is still theft. Agreements like non-disclosures and others that limit what employees can take and share make things easier because the rules are defined, and it puts those rules proactively at the forefront of the conversation. But if you don’t have the agreement, you can still go after that former employee and ask them to return or destroy the data or face the consequences. It’s no different than if the employee walked out with the entire computer. Common law would apply here.
What is your advice for establishing policies and best practices around which data to keep and how to keep it?
It’s so dependent on the type of company you’re talking about. Generally speaking, a corporation needs to do a self-evaluation. What does the company see as critical information that it doesn’t want others to have, and how does it go about protecting that information through both policies and procedures? It’s important that you have both. Again, you shouldn’t have to tell people not to steal stuff, but if you do tell them in your policies, it makes the recovery after a theft that much easier. Check out our exiting employees checklist for specific items and procedures to consider when an employee is leaving and returning their devices.
Would you advise more extreme measures to prevent data theft, such as locking down USB ports?
If there is absolutely no reason for employees to ever use USB ports in day-to-day functioning – where the only way they’d use it is to take data and put it on a flash drive to take with them when they leave – then it might be a good idea. Similarly, if they don’t need access to certain websites, you can block those as well. That helps increase protection, but you have to be very careful that you don’t hamper the ability of your employees to be able to serve your customers. It’s definitely on a company-to-company basis. Of course, just because you lock one door, it doesn’t mean they won’t find another way in, especially with so many sophisticated technologies available now. It’s smart to keep monitoring even after the employee walks out the door.
Do you advise that a company should image every computer and device for each and every exiting employee?
Not at all, and every company will be different. In implementing these policies, protocols, and protections, a company needs to do a self-evaluation of their employee roles to determine general rules that should apply to each role – from what they can access to whether it’s beneficial to collect and preserve or even collect and investigate their data upon exit. And, of course, the manner of exit should always be a consideration too.
For example, for any software developers, or those developers at a certain level at least, who have access to the most sensitive company assets, from corporate information to patented technologies and other intellectual property, you might decide to collect and investigate as a default upon each such exit. Same for high-level salespeople. But for lower-level salespeople, maybe you just collect and preserve their data for a period in case you later learn of potential issues. And of course, for those with little or no access to such data, then no such preservation and/or investigation protocols would be appropriate.
In the end, it comes down to a classic thought exercise where you must think about all the different roles within your organization, to what sensitive information those various roles have access, and the overall ROI on what it would cost to collect and preserve or to collect and investigate each such exited employee versus the cost to the organization of losing that data. When you think in those terms, the potential concerns should become very clear.
Bruce: Hello, everyone. My name is Peter Bruce. I’m the operations manager at ACEDS, and I would like to thank you all for joining us on the ACEDS webinar channel today. Today’s webinar is titled, “Data Theft by Departing Employees: A Bigger Threat Than Hackers.” And it is graciously sponsored by our gold level affiliate partner BIA. At this time, I’m going to turn over to the fine folks at BIA to introduce themselves and to begin today’s presentation. Take it away, guys.
Maureen: Hello everyone, and welcome to today’s webinar by ACEDS and BIA titled “Data Theft by Departing Employees.” My name is Maureen Murchie, and I’m here to briefly introduce our speakers today, Brian Schrader and Jason Park. Brian is BIA CEO and co-founder, and he’s an attorney with over 20 years in computer forensics, eDiscovery information, information technology, and the law. Jason is BIA senior vice president of digital forensic services. He manages our digital forensic examination, Data Collection, Social Media Discovery, among other investigation and analysis services. Jason is a licensed PI with a very diverse background, and we’re delighted to have him here today with Brian to talk about how to manage exiting employees and specifically to prevent them from taking company data out the door with them. I would also like to mention here that if you like what you hear today and happen to be in the Dallas area next week, on October 10th, BIA and ACEDS are partnering in an all-day education and networking event with CLE credits and lunch and cocktail hour and ask the experts panel. We’d love to have you join us there. For information on that, please refer to the ACEDS website and check us out, please. Thanks again for joining us today, and here are Brian and Jason.
Brian: Thank you, Maureen, this is Brian speaking. I’ll start out by welcoming everybody, and thank you for joining us today to talk about what is interesting enough, probably a more common problem, but doesn’t get anywhere near as much news as the headlines that hacking gets. You hear big headlines about Facebook just had another security breach this last week, and those are the stories that you hear about in the news. But when it comes down to really day to day practice, the bigger threat to most organizations or to a lot of organizations or even you could say the more common threat is the idea of employees departing the organization not just by themselves, but taking information along with them. There was a survey in 2015 that found that 87%, that’s not a typo, 87% of employees who leave a job take with them the data they created on the job. 28% take data that others had created as well. And so among the majority, 88% took corporate presentations and strategy, 31% took customer lists, and 25% took intellectual property. So these are pretty staggering numbers that I don’t think get anywhere near the attention that they should. We see it a lot because we get brought into and deal with a lot of these issues to help figure out what exited the door along with the employees and how to recover it and the various litigations that often ensue because of it.
Here’s another flip side of it, a survey of 1000 employees in the United States found that 1 in 5 employees had uploaded sensitive and confidential corporate information to external cloud services. Specifically for sharing it with others, and specifically for the purpose of sharing it with others. So again, this is 20% of employees admit. If you have 20% admitting, then there’s probably more like 40 or 50 percent in actual practice. But who knows? To have such a high number of people admit that they not only take confidential information but specifically do it for the purpose of sharing it with others really puts a frame around how big of an issue this is. Again, some more statistics. So the percentage of respondents indicating significant or major problems. One of the biggest here you can see is that companies say one of their biggest problems is data and knowledge loss from older employees who leave. That’s kind of a flip side of it as far as preserving data from employees as they exit. The biggest problem is knowledge transfer, and how do you maintain all of that? Not having full control over corporate data, turnover among millennials, here’s the various topics that talk about different types of data loss inside of the organization. A big one is, as you can see here, kind of in the middle, employees either storing information on cloud repositories of their own. They create a box account or personal OneDrive or whatever. Employees improperly keeping data, corporate data when they leave the company, or not returning all of the corporate assets and data when they leave a company. So these are huge concerns for IT in general. Especially when you look at it with respect to the various release in comparison to hacking, it’s something that you see happen a lot more or a lot more often.
So one of the questions that obviously you want to ask about everything that comes up is why do so many people take data? Is it just this massive criminal conspiracy that’s out there? The answer is not really. A lot of them do it either inadvertently, and a lot of people don’t feel that it is wrong. There was a case recently, kind of a corporate espionage case, where a foreign national had taken a lot of data with her when she left the company and was planning on using it to help start a new company in China. Her statement was, or part of her defense was, well, this is the stuff that I created while I was at the company, so I just thought it was mine. Obviously, there were other factors in that litigation, but that was a big part of it. That’s probably the most common. But then again, you also have people who will leave the employer and talk about specific cases where it was done with malicious intent to steal IP or to steal customer lists or to open a competing business. And those are just from a level of concern, probably the most concerning. The inadvertent issue is probably the least concerning because people don’t tend to expect to use that information, although it’s still a very serious concern. The middle ground of people thinking that this is information I created while I was here, of course, I’m going to take it with me when I go. So those are the kind of reasons why people do things and give you a scope of the level of this issue and how prevalent this is across corporate America.
So now that we have an understanding of how big the problem is and why it happens let’s talk a little bit about what we can do to help or what organizations can do to help prevent this from happening. And to take it from here, I will turn it over to Jason. Jason, why don’t you tell us how companies go about preventing this and discovering it in the first place?
Jason: Great, thank you, Brian. I’m going to get these slides right here. How do we figure this out? How do we know that employees have, in fact, taken stuff? They usually don’t let you know and don’t oftentimes say, hey, I’m going to be taking this stuff. One of the first things you have to do is make sure that you grab their company devices when they’re leaving. You get the car key, and you get their door key, you get their alarm code, you do this kind of thing naturally. Getting their devices is something that HR needs to do. If IT is going to be grabbing the devices from someone who leaves, they need to be prepared to not deploy those devices to a new employee until a forensic image of the devices has been made, especially for folks that have access to important information, intellectual property, trade secrets, things of that nature. All too often it happens that an executive leaves, they tell their former employer they’re leaving the industry, and six months later they show up at a competitor, and they’re pitching business and going in a buck cheaper than the previous guys. How would they know that unless they had taken intellectual property with them? If their devices have been redeployed by IT, it’s very hard to prove that the data was taken. So keeping a forensic image, putting it almost on the shelf, and just waiting to see where the departing employees show up in case you need to go after them with a theft of trade secrets case or a non-compete case is very advisable. Another thing that we see which kind of gets in the way of our investigations is the gumshoe IT guy who thinks that he’s doing his company a big favor and boots up the computer and goes looking around for internet history and stuff like that. All he’s doing is trampling all over the important data that we need in order to make our case. So don’t let IT go poking around on the original computer until an image has been made.
Once the image has been made, they can go look at whatever they want to and be the hero, but don’t do it on the original device. Keep in mind that stuff is going to end up in court perhaps, so keeping a chain of custody, who took possession of the device from the employee, where was it put, was it locked up, did anyone boot it, did anyone get into that device and if so why? And finally, if you brought in a forensic company, keep that chain of custody going with the forensic company. You don’t want to have vital evidence thrown out because of the sloppy handling of potentially important evidence in your case.
So let’s talk about a backup. I’ve heard many times from attorney clients of mine and in-house counsel who are trying to save a buck saying our IT guys are super good, they’re going to make a backup. Oftentimes an IT backup of a hard drive is not the same as a forensic image of a hard drive. An IT backup is basically designed to copy the active files that a user uses onto an external media and have it available so that if the computer was to fail or documents were to become corrupt, they can be restored rapidly. It is not designed to take deleted files, unallocated space, unused space, and things of that nature which are super crucial for a forensic examination. I always cringe when a client says our IT guys are going to be making a backup of this, so we don’t need you. It’s probably advisable to dig a little deeper and say when you say a backup, what do you mean? There’s a big difference.
Brian: Just on that point, Jason, in general, we’ll talk about here in a little bit when we get into our case studies, specifically on that point about backups. The types of information that we found in those cases that we wouldn’t have found if we just had backups and not an image. So we’ll touch on that a little bit as well.
Jason: Yeah, you bet, there’s a bunch of forensic artifacts that do not get copied if you’re making a simple backup. So what is a forensic image? Well, basically, every single bit and byte of data from the original source media is copied onto the destination media. A write blocker is used. What is a write blocker? A write blocker allows for the one-way transfer of data from your source to your destination. It does not allow any data to be transferred from a destination to the source, or from any other device to the source. So we’re not going to be polluting our source data or commingling anything with that data. It stays pristine, and it stays write blocked, and we’re only copying data from the source. Why is that important? Well, we don’t want opposing counsel to make any allegations that we planted any forensic artifacts that may lay blame on their client. So it’s a good practice to make sure that write blocking is used wherever possible. And then, every single bit of data is preserved – your active files, your deleted files, your unallocated space, and fragments of files as well. Whenever you make a forensic image, the rule of thumb is you’re going to make a pristine copy which is going to be sealed and placed in your evidence vault or your evidence locker or wherever you have your pristine originals. And then a working copy, upon which you’re going to do your additional analysis, extraction, processing, and things that need to be done down the road. Why do we make two copies? Data can go bad, hard drives can fail, and they don’t raise a red flag and say I’ve only got 10 minutes left. They usually just stop working. So you don’t want your data to exist only in one spot. It’s best practice to have two copies of it.
So let’s look at a forensic image in slightly more technical terms. We’ve got our original; if we look on the left-hand side of this graphic, we have our original hard drive. And because I’m not real good at math, I said that this was a 10-gigabyte hard drive. So that’s my small, round number. The original is 10 gigs, we have our write blocker, we have our examiner’s computer, and those are all connected together, and then we would have a destination drive connected to the examiner’s computer, and the destination drive would have to be 10 gigabytes in size or bigger so the entire image can fit on that destination drive. And then basically the forensic software is going to cut that original 10-gigabyte suspect drive into chunks. And we’ve got nice round 1-gigabyte chunks, so we’d end up with 10 chunks that make up the original. And then, those would be hashed using an algorithm. And if the original hash matches the destination hash, then we’ve got every single bit and byte of data from our source drive onto our destination drives.
There’s a variety of algorithms that are used: one is MD5, one is SHA1, SHA256, and SHA512. Those are most frequently used. Basically, it’s a one-way mathematical calculation where you say to the software, start here and here, do your calculation, and spit out a number – a combination of letters and numbers. If two files are identical, they will have the exact same hash. If two forensic images are identical, they will have the same exact hash. The hash is always the same length, the same number of letters or characters, depending on which algorithm you use. You can’t take the hash and recreate a hard drive, it’s a one-way process from the source, and it’s going to spit out that hash. So we hash a lot of different things when we’re doing our forensic collections. If we’re doing loose files, we’re going to hash those to make sure that the original is the same as the copy that’s made. When you get your data produced to you in litigation, you know, Relativity or whatever your platform is, you’re going to have a load file, and along with that is going to be hashes. Hashes are used to de-duplicate documents, and they’re also used to find duplicates. We use hashes oftentimes too; let’s say somebody works for Company A and they steal a bunch of documents, and they go to work for Company B. We hash the documents on Company A’s computers, we get a hold of Company B’s computers, we hash all those, and we do a comparison. It’s pretty easy to show if a document has the exact same hash and it’s on Company B’s computer. We have data that was sourced from Company A. So it makes the examination fairly quick and proof positive that that was an identical document.
Brian: Just really quick; let me just jump in there really quick. So yeah and of course one of the other things we can use. So hashing is the exact duplicates, and that’s really easy where you can say look there’s an apple here and an apple here. The two apples match each other, and they’re exactly the same. And what’s really cool is some of the new technologies that people generally assert with predictive coding or document review like looking for near dupes and things like that. We can apply that kind of technology as well in a lot of these investigations to look for documents that are substantially similar. So somebody took a document from Company A, went over to Company B and made some changes to it, doesn’t mean we can’t find it. So there’s that kind of technology that kind of goes with that same concept and can really help identify stuff that might have been changed along the way a little bit. So anyway, now we get into some really interesting stuff the forensic artifacts and kind of the nitty-gritty where we can find a lot of details and interesting stuff, so I’ll hand it back over to you Jason.
Jason: Yeah, thanks, Brian. That’s a very good point. In effective trade secrets cases, we find that folks are pretty lazy, and they take a lot of stuff, and they don’t create stuff from scratch. They simply reuse the stuff from their previous employers. Near dupe ability will identify stuff where perhaps just a logo has been changed, or just a customer name has been changed or things of that nature where they’re substantially similar documents.
So some of the ways that stuff gets stolen; let’s look at this. We’ve got chats. People can chat with one another these days using a whole plethora of different platforms. And they have the ability to attach files to their chats. So you can have a Skype message, for instance, and attach a document to that, and the person that you’re Skyping with will have a copy of whatever it is you sent them. Proprietary trade secret data, for example. So examining Skype databases and chat databases on the computers is a very important first step when we’re looking for theft of trade secrets. Another way that’s becoming more and more popular for people to steal stuff is to use one of the very many cloud storage companies out there. We see a lot of Dropbox, we see a lot of Google Drive, a little bit of OneDrive, and the rest are few and fewer. So I would say the lion’s share is probably Dropbox. One of the cool things about Dropbox is that when you’re using Dropbox either as the application on your computer or going to Dropbox through the browser, Dropbox URLs follow the folder paths of the Dropbox files that exist in the app. So you’d have Dropbox, slash Jason Park, slash stuff I’m going to take with me, slash really important documents. And browser history will show those paths and what-have-you, which it’s a lovely find when you can find those. Google Drive, on the other hand, does not have the paths so explicitly written out. They use algorithms so you’ll have Google Drive, backslash ADBC1357, just gibberish there. So it doesn’t really help you as much as finding Dropbox. Luckily, Dropbox is a very, very well used drive platform. So if you’ve got a case where somebody has used Dropbox to steal data, if it’s a corporate Dropbox account, the audit logs are kept for a year or two by Dropbox. If it’s a free Dropbox account, the audit logs are kept for only about 30 days. 
It’s well worth subpoenaing Dropbox in order to get as much information as you can from them in cases like this. Some of the granularity of their audit trails is amazing. It’ll show you when a document was uploaded, when it was altered, when it was downloaded, who it was downloaded by, the IP address that was accessing Dropbox at the time, the different computers that were attached to the Dropbox account, it goes on and on and on and on. Those Dropbox audit logs, if the bad guys use Dropbox, they can be very, very good for our side and very bad for their side. Email. It’s amazing how many knuckleheads still use their company email and attach proprietary data to it, and email it to their own Gmail. So certainly look through your Office 365 logs, look through your Exchange server on the corporate side. That’s one of the first places I would look because you wouldn’t believe how many people just don’t even think about it, and that’s what they do. So email is a great source of trade secret theft. As far as the devices go, the email clients, different email clients have different, we’re able to recover deleted stuff from email clients differently depending on what it is. So, for example, Outlook, it’s easier to recover deleted stuff than some of the others. AOL email clients would be an example of a more difficult one to recover deleted emails from.
Different operating system artifacts. These are super useful, and it depends on how lucky we get. I’ll go through them one at a time, some of the ones that we look for first. One of the first things we look for are called link files. Link files are shortcut files that are created when a user browses out to a file and double clicks it to open the file. So if I’ve got a proposal, and it’s on my computer hard drive, the link file, if I browse to that document and double click it from my own computer, the link file will show that I opened a document from the C drive from the document folder from the proposal folder and the document’s name was “Proposal for XYZ Corporation”. It’ll show the date and time that I did that, it will also show the date and time that the document was originally created and modified and accessed. So link files have a lot of very important information. If I’ve taken a document and put it onto an external thumb drive for instance, and then I open a document to see, to look at that document, a link file will be created that will point to the E drive or whatever drive letter it is for the external drive. It’ll also get the volume serial number of that drive and the volume name. So if I have a thumb drive called, you know, “my red thumb drive,” it will show that in the link file. These are all useful for putting the dots together when you go after your ex-employee, and you ask them to preserve everything and to turn over their devices. Link files will also show you the serial number of the, oh wait, sorry, USB history will show you the serial number of the device that has been plugged into the computer. So for instance, let’s say I go get a brand new thumb drive a week before I leave, that’s going to leave a track, it’s going to be a USB device that is tracked in the registry and a couple of other places on the computer and will tell me that the device was first plugged in at this date and time, last used on this date and time.
It helps you put the story together. That, together with the link files and a couple of other artifacts, paints a picture of how the documents moved from one place to another.
If you have any questions, go ahead and put them in, and we’ll try to get to them at the end of the session. Would you like to speak, Brian?
Brian: Jason? Yeah. Sorry, I just wanted to point out to everybody, you know, earlier on we talked about backups versus images, right? So if you just do an IT backup, you’re going to get an IT backup, which is maybe an email backup, documents, and things like that. But all these things that you’re talking about now, the link files, the registry entries, the various logs, these are great examples that help us, like you said, really connect the dots. They show exactly what the user did, exactly what they had accessed and logged into, the documents that they viewed, and any USB keys or USB drives that they might have plugged in. All of this kind of stuff, and even the internet history. The URLs show us that they went to box.com. All this stuff that we’re talking about in the past couple of slides are things you don’t get from a backup, at least not unless your backup is extraordinarily strange. Standard backups would have none of that. So it’s a great example of the difference between relying on a backup and getting a full forensic image. I just wanted to throw that out there.
Jason: Yeah, thanks, Brian, you’re exactly right. Another thing backups don’t do is hash the original and hash the destination; that’s something I forgot to mention earlier when we were talking about hashing. Forensic imaging software does. Video game consoles and things of that nature. It’s been known that people have actually hidden files on Xboxes. This happens a lot more in child porn cases than in the theft of trade secret cases that we normally see, but that’s something to keep in mind as well if you’ve got somebody who’s a big gamer. It’s possible that they’ve stored stuff on gaming systems. Other places we look are peer-to-peer, where you’re sending a file directly from one computer to another. Some of these are used by people who pirate music and movies and things of that nature. Bitcoin wallets are starting to become pretty interesting as well. People who are involved in nefarious stuff are using Bitcoin and other cryptocurrencies more and more, so finding wallets and things of that nature is becoming the sort of thing that you look for nowadays. Social networking, there’s a lot of different interesting stuff that can be pulled from social networking apps, and so on. Most of these social networking apps, in addition to being able to post selfies and pictures of your lunch and avocado toast and whatnot, have side chat abilities as well. So somebody can use Facebook to post what they had for lunch, but they can also use Facebook Messenger to communicate with people and to attach files to those messaging sessions as well. So there are just more and more ways that people communicate with one another, and we have to keep an eye on all of these for stuff that gets stolen. Typed URLs and searches, I love. This is one of the most fun parts of doing one of these exams.
You get a look at the web history of some of these people, and invariably, I would say in probably 50% of the cases I do, there is a web search for “How do I take my Outlook PST?” “How do I back up my content to my Outlook PST?” “Where is the location of the Outlook PST?” It’s just unbelievable. “How to export contacts from salesforce.com?” These people are basically just telling you how they plan on stealing stuff. So those are always good; they always end up being a good laugh for us and our clients, and then they turn around and file the lawsuit against the ex-employee.
All right, here’s time for a war story. I recently had a case where there were several, three or four guys, who worked for a brokerage firm. They all decided to take off and join another firm, and Monday morning none of them showed up at the old company. The owner of the old company called the lawyer, the lawyer called us, nobody touched any computer, and it was almost perfect. So we imaged the computers of everybody in the office, took a look at the four folks who had left, and did a quick triage of their computers, looking for some of the low-hanging fruit, as it were. So we looked for web cloud usage, we looked for CD burning, we looked for USB thumb drive or external drive usage, and a couple of other places. And lo and behold, we found the exact same external drive had been plugged into the four computers over the course of the weekend. So Saturday morning it was plugged into computer one, Saturday afternoon it was plugged into computer two, Sunday morning computer three, Sunday afternoon computer four. We were able to get the dates and times to the attorney, who was able to go to the security company that was watching the building. And lo and behold, because we could tell them the exact date and time, they pulled footage of one of the ringleaders of these guys showing up at the office at eight on Saturday morning with an external drive under his arm. He gets in the elevator, comes back downstairs ten minutes later, and proceeds to come and go right around the times that the USB drive had been plugged into each of the computers. On Sunday evening he was leaving with the USB drive under his arm. So we put together a simple timeline which hyperlinked the forensic evidence to the video, and lo and behold, these guys caved very, very quickly. It makes quite a good demonstrative in a case like that. I think Brian’s probably got some more stories too. Brian?
Brian: Yeah, very interesting. One we did recently also involved salespeople. And actually, this is kind of a side note here, one of the questions that we get a lot from people is, are we imaging every single employee as they walk out the door? And the answer is, of course not. We’re not going to image absolutely every single employee. But depending on your business, there are certain employees that you should, and certain investigations where you should, because at the end of the day, you don’t know if someone is taking something until you’ve looked. And so salespeople, engineers, anyone involved in an inventive process of any kind of intellectual property. Depending on the business, you want to figure out who has that kind of sensitive information, and who can take it with them. And a lot of times, one of the obvious and probably the most common cases we get involved in is salespeople or executive managers.
And so your example was of salespeople; the example I have is somebody who was both an executive and essentially a salesperson. He ran a satellite office for a big company that did basically commuter van services throughout the country. And again, this is the same kind of thing. The guy walked out of this one office on Friday and went and started a new business literally across the street the next day. And lo and behold, he had a bunch of customers on day one. So we were able to go through in that case, and we had forensic images, and of course, because the computers appeared remarkably clean, we were able to recover a ton of deleted information. And it was the story that we were able to put together, starting with the person going to legalzoom.com to form his new company, then going to the bank websites that he used to open up the banking accounts for the new company, getting the phone service, all the stuff he did on his browser during business hours while he was getting paid to work for his former employer. So we were able to show that all of the work he did to set up his new company he did on the clock for his old company, which led to all sorts of claims that his old company probably really owned the new company. But beyond that, we were able to work with the same kinds of things you were talking about, as far as looking at devices and some external USBs and copying that data. But a really interesting thing is this particular company used Salesforce. So we worked with Salesforce and their professional services arm to really get into the types of logging that aren’t necessarily available directly through the Salesforce application, but that you can get directly through the Salesforce company. And because we were pulling information on our corporate client’s Salesforce account and had their permission, there was no subpoena needed.
We were able to pull all sorts of audit logs about synchronizations that this person had done to various computers, and there were a wide variety of computers, which showed that he was essentially syncing their entire Salesforce database down to his personal laptop and taking all the client lists and everything with him, which was how he was able to start up his new company with a nice client list on day one. So that is again kind of a sales case, but also an executive manager of that branch, and it showed how he not only stole all the customer information he needed to start up his new company, and of course forms and documents and policies and procedures and all that stuff he took with him, but also the cloud resources that the company was using, because they hadn’t locked any of that down. And so this guy was able to synchronize and take that information with him as well. And it’s really interesting, like you said, I tell people all the time, it’s amazing what you can learn about individuals from just their browsing history and the files they clicked on and things like that. You can truly paint a picture that goes from beginning to end and doesn’t leave a whole lot to the imagination. It’s pretty clear. Especially when you see things like web searches for “how do I take my Outlook email with me?” like you mentioned. Those are some of the more comical ones, I guess.
So the big question is, now that we know it’s a problem, what kind of cases do we see a lot of this stuff in? Theft of trade secrets is probably number one, and in that I also tend to include sales cases where the trade secrets are your customer lists and things like that. White-collar crime and fraud: we had a case several years ago where a bank CFO was suspected of submitting fraudulent reimbursement requests to his expense account. We were able to prove that, and although it wasn’t a traditional one, the individual was on his way out. In that particular investigation, we were able to show that he had been committing fraud for years, because all the information we needed was on his laptop about how he had created the fake invoices and the programs he had used to create them. So in that particular case, it wasn’t so much about preserving trade secrets as it was about identifying the fraud, and they used that information to nullify that person’s golden parachute. Bankruptcies and receiverships, looking for fraudulent transfers and things of that nature. Employee cases, EEOC cases, government investigations, pretty much any kind of departing employee situation, whether it’s voluntary or involuntary. In any of those situations this information definitely becomes important, and it’s important to preserve the data and make a forensic image as soon as you can.
So let’s talk a little bit about prevention. Now that we know why this is such a problem, how do we close the floodgates? There are some basic things you can do. These are more IT security policies, so we’re not going to dive in and make this any more of a geeky call than it already is, but these are high-level things to be concerned about and areas to look at. First and foremost, limit employee access to data. A lot of companies just have network shares and SharePoint sites and other things, and they don’t really look at controlling access on, and I hate to use the phrase “need to know” because it sounds like a spy thriller, but kind of on a need-to-know basis. If there are sensitive and confidential areas, make sure that your IT organization is designing permissions around what people need to see. Not everybody needs access to an entire customer list; not everybody needs access to proprietary intellectual property. One of the other big things is encrypting data; sensitive and confidential information should always be encrypted. It helps prevent unauthorized access. It also prevents data from being easily transferred and moved around if people don’t have access to it, and even if they copy the encrypted data, they can’t really use it. Requiring two-factor authentication is another great way to control that, and especially, as we talked about earlier, when an employee leaves you gather all their devices, so if the employee no longer has their two-factor authentication device, such as their company cell phone, that will help shut off that access right away as well. And managing mobile devices and laptops. So much information is stored on mobile devices and laptops, and you want to make sure, if you’re allowing employees to store information on mobile devices, that IT has the ability to remotely wipe those devices.
That might sound ultra-technical, but it pretty much comes with most enterprise systems. So if you’re using Microsoft Office 365, or even Exchange in general, a lot of times those come with remote wiping capabilities. And so when an employee leaves, even if they’re not giving you their cell phone back right away, your IT department, with a click of a button, can remotely wipe corporate data from those devices to help prevent things from walking out the door.
Include confidentiality provisions in employee contracts. This is a big thing, and it serves two purposes. Not only does it give you a clear expectation of the employee and a clear basis on which to sue, but it’s also something that, for example, when an employee leaves BIA, we sit down with them and go through their confidentiality and non-disclosure and all those requirements, specifically address this topic across the board, verify that no information exists where we don’t expect it, even with the controls we have in place, and remind the employee. I don’t want to sound too optimistic, but most people, when reminded of their obligations, tend not to take stuff with them. Then again, if you remember, one of the things we talked about earlier on was that a lot of this stuff is just inadvertent, people saying “I created this spreadsheet or this formula, it’s mine to take.” If you have confidentiality provisions or an NDA in the contracts, you can make sure you cover that as a topic in your exit interview. Sit down with the employee and not only tell them about the corporate insurance that they can sign up for, but also: hey, don’t forget you signed all these confidentiality agreements, and all this stuff is ours whether you created it or not; anything you created while you were here is our property, not yours, and you can’t take anything with you. That really helps the process. Again, by frequently reminding and training employees on confidentiality, you can make sure you’re covering these kinds of topics. And introduce and use policies to monitor and audit employee behavior. One of the things you can look at is basically monitoring, and especially if you’re using stuff like Office 365, you have an incredible ability to monitor employees and set up rules and protocols and alerts to alert you if someone starts copying a ton of information from a source they don’t normally use. And the last thing is training your managers.
Make sure your managers understand all of this so they can cover it on a routine basis, and especially, again, when an employee walks out the door. So for the last couple of slides here, as far as handling and what to do with departing employees, Jason, if you want to step back in and cover this? I’ll gladly listen for a little bit.
Jason: Alright, thank you, Brian. So this slide shows, from a research point of view, how many companies handle different aspects of the departure of employees. Almost everybody disables access to the employee’s email mailbox. But surprisingly, some don’t. Disabling access to other applications, most do. Disabling company-owned mobile devices, the majority do. I would warn you, before wiping, if it’s a personally owned device belonging to an employee, before you wipe it I would probably request from that employee that we be allowed to make an image of their device. Because if you wipe that device, any good, juicy forensic artifacts that could help your case are going to be erased. So that’s something to think about. Defensibly deleting data that’s been used by the departed employee, about half and half. And then monitoring access to the different sources of information that the employee had access to, about half and half.
Here’s one that hardly ever gets addressed, and it’s one that creates big problems in certain cases. Who owns the social media contacts of an account? So if you’ve got a radio personality or a television personality who is an employee of a radio station or TV station, and they’ve got a bunch of contacts in their Twitter or social media, who owns those contacts? Does the radio station own them? Does the personality own them? Let’s say you’ve got a salesman or saleswoman or an executive who has a LinkedIn account, and during the course of his employment has developed thousands of contacts that he’s linked to through that social network platform. When he leaves, who controls and owns all those contacts? If the employee does, he doesn’t have to steal a customer list; he’s already got one ready to go the moment he leaves, because of the LinkedIn contacts that he has developed and grown. That’s something that a lot of companies don’t even think about. LinkedIn accounts belong to the individual, and most companies are happy that people are using LinkedIn to promote the company. We’ve got a big promotion going on, everybody get on your LinkedIn and send out the XYZ message. They’re happy for that, but when the employee walks out the door with a bunch of contacts, it’s a bit of a bummer, and they hadn’t thought about it.
One of the things, make sure you obtain a chain of custody for the employee’s stuff, as I talked about. The employee hands it to HR, HR creates a chain of custody, and so on. Exit interviews, those are super important. We actually ask the employee, eyeball to eyeball, if they have any company data with them, and make them sign a form that says they have no company data. Six months from now, when company data shows up on their personal devices, courts don’t look lightly on people who lie about stuff like that. So that’s been a real help to a lot of clients, that they have that in writing. What else do we want to talk about? Disabling, we’ve kind of talked about that; social media accounts, we’ve talked about that. I think we’re towards the end. Do we have any questions from anybody?
Bruce: Yes, diving back further. For those listening, please feel free to continue to use the Q&A window if you have more questions that pop up that you want answered. Going back to some of the technical items you were discussing at the beginning, someone was asking how often do you see hash collisions? Are those common at all, or have you experienced them at all?
Jason: Hash collisions are an interesting thing, and I’ve had to explain it to a judge once. A hash collision is when two completely different files end up with the same MD5 hash or SHA hash generated by that algorithm. And I explained it to a judge that it’s less likely for two different files to have the same hash than it is for two different human beings who are not identical twins to have the exact same DNA. So it’s less likely for two files in the wild to have the same hash than it is for two people to have the same DNA. So he says, it’s more secure than DNA? Well, basically, yes. He said, I’ll allow it, that’s fine.
Brian: It’s one of those things that has kind of been talked about as theoretical. Theoretically, this is possible. I don’t think I’ve ever actually seen it in the 20 years of doing this work. Have you ever actually seen that, Jason? Just out of curiosity.
Jason: I have never seen a hash collision, and I’ve never been able to create one either.
Bruce: Alright, another question. So let’s say we don’t heed your advice, and we don’t have our employees or anything in their employee contract about confidentiality, and they go, and they walk out the door, and we discover that they’ve taken some of our property. What recourse does the company have at that point to go after the employee? We know they’ve taken data, but maybe we didn’t have it in their employee contract?
Brian: I’ll take that one. It’s still theft. Just because you don’t have a policy posted on the wall that says don’t steal office supplies, stealing office supplies is still theft. The agreements and the NDAs just make things easier, make things more defined, and probably the most important thing is that they put these issues at the forefront of the conversation, and you’re addressing these things practically with the employees. If you don’t have the agreements and somebody leaves with confidential information, you can still go after them to destroy it, to return it, and to potentially face the consequences of doing it. It’s no different than walking out with the computer you gave them and deciding to keep it. You probably don’t have a policy in your HR manual that says you can’t keep your company-owned laptop when you leave, but if you do keep it, it’s just plain old theft. So common law would really apply there.
Bruce: Perfect. And I assume you guys would recommend that all companies have policies in place as to what information they retain when an employee leaves. Is there anywhere that you could point our audience today for some practical examples or advice about establishing those policies and best practices around which data to keep and how to keep it?
Brian: I think the answer to that is that it’s just so dependent on the kind of company you’re talking about. As far as practices and policies, we have some general resources on our website that talk about that. And we’ll be doing some blog posts with some follow-ups, so we’ll make sure to include that. It’s not like a URL or website address that I could think of off the top of my head, but I know we do have resources for that. But at the end of the day, obviously things like customer lists are pretty common, but a corporation really needs to do a self-evaluation and figure out: what do we, as this particular company, really see as critical trade secrets, competitive-advantage information, that we don’t want others to have? How do we go about protecting that through both policies and procedures? Like I said, it’s important that you do both. You shouldn’t have to tell people not to steal stuff. But if you do tell them not to steal stuff and they go ahead and do it, that just makes the recovery that much easier.
Bruce: Sound advice. I think we have time for one more question here. Someone was wondering, we had some good advice here on how we could go and identify if a thumb drive had been plugged in, and look at the logs and see when and where it was plugged in and those sorts of things. But they’re wondering, would you ever recommend, if you’re especially concerned, more extreme measures like shutting down USB ports on a machine or anything like that? Are there any further recommendations you have for preventing data theft beyond the normal guidelines you gave?
Brian: I’ll give my two cents, and then you can finish it off. Again, this is very customer specific. So we advise customers that you have to balance the ability of your employees to serve your customers and the company generally against the security measures. And so if you have employees who have no reason to ever use USB drives, then sure, locking down ports is a good idea. I would just caution that you have to be very careful that you don’t hamper the ability of your employees to service your customers. And again, it’s one of those very specific things. But you know, we have policies and procedures here where certain employees who don’t ever need to access USB devices have their USB ports turned off. And a lot of that stuff you can push out through Microsoft’s network management tools. Similarly, if somebody doesn’t need access to Box, you can block the website. If they don’t need access to Google Docs or Gmail, you can block the websites, and that helps. But I would caution you. It’s great to go through and look at those issues and look at the various ways and all the things that we talked about: the websites, the webmail, the social media, all that stuff. You can block as much of it as you like; just keep in mind two very important facts. Don’t hamper the ability of your employees to get their job done by doing so, and be very, very cognizant of that fact, just from a business perspective. And number two, don’t assume that because you locked one door they won’t find another way out. And that’s the thing. In one of our webinars, we talk about the ever-expanding data universe. There are just more and more apps and more websites and more things. It’s almost impossible to keep up with it. Don’t think that just because you locked the door, you can all sit back and relax and take a deep breath and never have to worry about this. It’s like the old saying: locks are there to keep honest people honest.
If people really want to find a way out, they will. It’s very, very hard, almost impossible, to anticipate. And look, you’ve got companies like Facebook and Google and others that are still getting hacked. They are some of the most sophisticated technology companies in the world, and they’re still getting hacked, because you cannot anticipate every possibility; it’s an infinity. It’s the same thing here. So I would just caution, yes, lock it down, take security measures, put the policies in place, but don’t assume that just because you’ve been proactive you don’t need to monitor what happens as employees walk out the door. Jason, anything to add?
Jason: Brian, it’s going to be hard for me to follow that articulate, perfect explanation that you gave, other than to say there are low-tech ways to defeat high-tech stuff like locking down the USB drives. People print documents, people take photographs of their screens with their phones, so you close one door and lock it and they’re going to find a window. Crooked people are crooked. And that’s about it.
Bruce: Alright, wonderful. So we are at the top of the hour. We at ACEDS would like to thank you both for putting together a very complete and thorough presentation. I found it to be fascinating, and I’m sure our audience did as well. This is a subject that impacts every workplace. So again, thank you guys for coming in and sharing from your bevy of wisdom with the ACEDS community. And of course, thank you to everyone who attended today, we look forward to seeing you all again soon. The next ACEDS webinar is scheduled for October 23rd. It will be on the subject of internal investigations in today’s connected world. For more information on that webinar and the rest of the ACEDS community, you can visit www.ACEDS.org. Thank you again for attending today, and one more time, thank you, Brian and Jason, for the fantastic presentation. I hope everyone has a wonderful day, and we’ll see you again soon.
Brian: Thank you.
Jason: Thank you.