Computer Scrubbing and Data Theft: It's Dirty Business if Employers Are Not Prepared

August 1, 2011
In today's highly technical world, the loss of proprietary information can happen in an instant. By simply plugging in a USB drive, an employee can obtain all sorts of critical company information, including client data, product development data and company financials. And covering up one's computer tracks through electronically “wiping” or “scrubbing” a computer can be just as easy.
Computer Data Scrubbing
Imagine a sales or engineering employee for a software company who is about to give notice that he is going to work for the company's main competitor. He quietly sits at his computer, inserts a USB thumb drive, and starts to copy the product research and development files he wants—a process that can take just a few minutes. And then he goes to, downloads the KillDisk program, runs it and wipes his computer clean—again in a matter of minutes. Is the company prepared for this situation? Does the company know how to prevent or respond to it? For a lot of organizations, the answer to these questions is “no,” even though simple measures can be put in place to protect the company.
From the ‘battlefield'
Recently at one of our clients, a group of employees decided to set up a competing business entity months before resigning from their employer. In the months before their resignations, these employees had access to and participated in the development of the client's strategies for bidding on a lucrative contract. These employees, however, did not reveal to their employer that they had set up a competing company or that they were planning on bidding on that same contract once they quit.
In the days just before the announcement of their resignation, these employees engaged in computer scrubbing techniques in an attempt to permanently destroy the information from their computers. Their actions included downloading and running a computer program specifically designed to wipe out files and data—a process apparently intended to mask any copying of files. These employees made it very difficult for their former employer to conduct a thorough computer forensic examination of their computers and to assess what information had been taken or destroyed.
From the news
This client was hardly alone in facing possible data theft and cover-up efforts by employees. At the end of last year, for example, a former Societe Generale, or SocGen, New York trader was found guilty of stealing high-frequency trading software code from the financial services company and using it to develop a similar system for a different company. As part of his job, this employee had access to portions of code for the high-speed trading software developed and used by SocGen. In June 2009, he was captured by surveillance cameras while printing out the code he had access to and leaving with hundreds of resulting pages in a backpack.
While SocGen did eventually discover the security breach, it was several months after the fact and after the employee had left and divulged its trade secret information to a competitor. If SocGen had computer protocols in place that monitored copying or printing of its vital trade secrets or restricted access to or copying of that information, it likely could have avoided the theft. Or it could have learned of the theft immediately and taken quick action to protect against the disclosure or use of its trade secrets.
An ounce of prevention
The following measures will put a company in a far better position to prevent and respond to data theft and computer scrubbing, rather than having to scramble after the fact:
• The company needs to properly identify and know the scope of all of its proprietary and confidential information.
• The company should have comprehensive proprietary information agreements with its employees, independent contractors and vendors to ensure the company's proprietary information is required to be kept confidential at all times (even after the applicable relationship with the company ends).
• The company should have specific procedures or protocols in place: (a) to mark proprietary documents with a confidentiality designation or stamp; (b) to “check-out” and track the copying of, including electronic copies of, documents with proprietary information; (c) to limit the use and distribution of proprietary information for internal use only; (d) to password protect computers and key electronic files or documents; (e) to record and monitor computer access and use—this can assist in the discovery of mass copying, printing, overwriting or deleting; (f) to implement information/administration passwords where only certain employees can authorize the downloading, transferring or copying of certain software and files—a great way to discover whether an employee is downloading/uploading a program or file to scrub or wipe the computer.
• The company should have comprehensive computer, email and Internet-use policies in place that plainly state that company computers should be used for company business only. These policies also should state that the company has the right and discretion to monitor the information on its company work computers, and therefore employees cannot have an expectation of privacy in any information located on or sent to or from their work computers.
• The company should provide specific training to its employees regarding its proprietary information, including (a) the procedures and protocols identified above; (b) how to identify what is proprietary or confidential information; (c) the procedures to mark and protect proprietary information; (d) when and where this data can be used and with whom, and (e) the handling of such information in accordance with the company's computer, Internet and email use policies.
• A comprehensive computer file backup system should allow recovery of lost data caused by computer scrubbing or wiping, or allow the company to determine exactly what potential illegal conduct an employee was engaged in and tried to cover up.
It's Happened, Now What?
If there has been data theft and related computer scrubbing, promptly assess the damage: What was taken, how, by whom and where was it sent? Given the often uncensored use of emails, a review of emails will likely be a great place to catch a trail, which is where the company's computer/email usage policy will come in handy.
If the company is considering legal action against a former employee, make sure any computer evidence is forensically preserved. The company does not want to be accused of destroying or altering evidence. Initially, the company may want to see whether data can be retrieved or “called back” through voluntary means, including by sending a carefully worded demand letter that reminds the employee of his or her legal and contractual obligations. But, if there is no cooperation, the company should quickly initiate legal action including seeking injunctive relief under applicable state or federal law. Moving forward, the company can also seek monetary relief, which may include damages for the actual loss caused by the data theft, recovery of unjust enrichment, royalties and punitive damages.
Today's technology and competitive marketplace require companies to be more vigilant than ever in protecting their proprietary information. As the saying goes, it's better to close the barn door before the proverbial horse has left.
Workforce Management Online, August 2011 -- Register Now!