Insider theft of proprietary information is a widespread threat that's becoming increasingly difficult to detect and prove, due in part to mobile phones and the cloud. One need not say more than the name Edward Snowden to underscore what's at stake, but there are many corporate cases that demonstrate the severity of this matter as well.
In one recent high-profile case, an employee of American Superconductor is charged with selling company secrets to China's Sinovel Wind Group, part of a scheme that cost the U.S. company $800 million. In another case, General Motors engineer Shanshan Du made headlines when she allegedly stole an estimated $40 million in hybrid-automobile-related trade secrets using her personal email account and USB devices.
With the evolution of technologies like webmail and removable media, as well as the proliferation of Bring Your Own Device (BYOD) policies and cloud storage, transferring sensitive information outside of the organization has become very easy for employees to do. The FBI reports that theft of proprietary information is rising, particularly once employees anticipate leaving their jobs. In a recent study by Symantec, half of all departing employees admitted to stealing company data upon their departure.
For counsel, insider theft presents significant challenges. Differentiating between an employee's valid access to sensitive data and its illegitimate use can be hard to do, and sorting through activity across multiple devices as well as a company's vast computer network can stymie investigations. But if investigators know where to look, they can quickly get to the heart of the matter, enabling counsel to effectively pursue or litigate a case.
Below are four tell-tale signs of insider theft of information.
Mass Data Copying
Evidence of mass copying can be found in the file system's metadata. Computer file systems track various metadata, such as when a user last modified, accessed or created a file. First and foremost, metadata can show whether an employee interacted with sensitive data in close proximity to their date of departure. If the employee did so without clear reason, this finding alone can arouse suspicion.
For example, the mock table below shows documents that were all last accessed consecutively and within seconds of one another. That speed suggests the files were copied by an automated operation rather than opened one at a time by hand. However, counsel shouldn't jump to conclusions: the same pattern can be produced by a virus scan or other systematic activity. To distinguish copying from scanning, look for additional evidence that might substantiate copying, such as the insertion of a USB device.
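The burst pattern described above can be pulled out of file-system metadata mechanically. The following is an added example, not code from the article or its authors: it groups last-accessed timestamps into bursts of near-simultaneous accesses and checks whether a burst falls close to the employee's departure date. The records, the two-second gap, the three-file minimum and the 14-day departure window are constructed assumptions for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed sample of file-system metadata (file name, last-accessed time),
# modelled on the article's mock table and padded with two unrelated accesses.
# These are illustrative values, not records from a real system.
SAMPLE_RECORDS = [
    ("Quarterly Memo.doc",              datetime(2011, 12, 20, 14, 2, 10)),
    ("2012 Strat Plan.doc",             datetime(2012, 1, 1, 3, 50, 15)),
    ("Midwest Customer List.doc",       datetime(2012, 1, 1, 3, 50, 15)),
    ("2012 Business Dev Initiates.doc", datetime(2012, 1, 1, 3, 50, 15)),
    ("Sales Deck.ppt",                  datetime(2012, 1, 1, 3, 50, 15)),
    ("Sell Sheet.doc",                  datetime(2012, 1, 1, 3, 50, 16)),
    ("Non-Compete Agreement.doc",       datetime(2012, 1, 1, 3, 50, 16)),
    ("Lunch Menu.doc",                  datetime(2012, 1, 3, 9, 15, 0)),
]


def find_bursts(records, max_gap_seconds=2, min_files=3):
    """Group last-accessed times into bursts.

    A burst is a run of files whose consecutive access times are no more than
    max_gap_seconds apart. Only runs of at least min_files are returned, as
    (start, end, [file names]) tuples in chronological order. The thresholds
    are assumptions; tune them to the volume being examined.
    """
    ordered = sorted(records, key=lambda r: r[1])
    gap = timedelta(seconds=max_gap_seconds)
    bursts, run = [], []
    for name, ts in ordered:
        if run and ts - run[-1][1] > gap:
            # Gap too large: close the current run if it is big enough.
            if len(run) >= min_files:
                bursts.append((run[0][1], run[-1][1], [n for n, _ in run]))
            run = []
        run.append((name, ts))
    if len(run) >= min_files:
        bursts.append((run[0][1], run[-1][1], [n for n, _ in run]))
    return bursts


def near_departure(burst, departure_iso, window_days=14):
    """True if the burst began within window_days before (or on) the employee's
    departure date, given as an ISO date string such as "2012-01-06"."""
    departure = date.fromisoformat(departure_iso)
    start = burst[0].date()
    return departure - timedelta(days=window_days) <= start <= departure


if __name__ == "__main__":
    for start, end, names in find_bursts(SAMPLE_RECORDS):
        flag = "near departure" if near_departure((start, end, names), "2012-01-06") else ""
        print(f"{start} -> {end}: {len(names)} files {flag}")
        for n in names:
            print("   ", n)
```

A burst by itself only narrows the time window; as the text says, the same signature can come from a scanner, so the window it produces is what you then line up against USB, webmail and remote-access artifacts.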
Copying to USB Drive or the Cloud
To tell whether a user inserted a USB device directly prior to accessing sensitive files, investigators should evaluate various system files on the user's computer, including the system registry. The system registry is a major data storehouse that contains information such as settings for the operating system. It may record the date a USB device was last inserted. Look again at the mock table of last-accessed times. If analysis of the computer showed that a USB device was first and last inserted into the computer on 1/1/2012 at 3:50:00 AM, this would be a strong indicator that files were copied onto the thumb drive.
Another valuable piece of evidence can come from link files, which can show that the documents in question existed on external media. A link file is a file used by Microsoft Windows to track recently opened documents. Analyzing link files can show whether a file was opened from the computer hard drive, a USB device, a CD or DVD, or a network server. This evidence can demonstrate that the sensitive information in question existed on one of these devices, even though counsel may not have the actual USB device, CD or DVD to which the files were copied.
Copying documents to or from the cloud can often be tracked by information available from the cloud service provider. Its logs may record when a user signed in to the cloud, as well as which documents were accessed or copied to or from its servers. The challenge, however, is that these logs are often retained only for short periods of time, if at all. Counsel must act quickly to preserve this information before it's too late.
Sending Information to Webmail
Employees commonly send proprietary information to a personal webmail account, by either accessing a personal email account at work to send themselves files, or by using the company's email system to send files to their personal email. In the case that a personal email account was accessed from work, investigation begins with the browser. Counsel should review the "Internet History" associated with a user's Web activity to see if they visited and logged into a webmail provider such as Gmail or Yahoo! Mail. Then, they can correlate the time of this visit with file system metadata showing if and when the employee accessed sensitive files. In cases of sending files from a business email account to a personal one, employers should preserve and search the user's company email account for any relevant emails.
Proving email transfer of information is becoming more difficult due to mobile devices and tablets. Many people access various email accounts using these devices, and the hunt for proof of insider theft may need to extend to these gadgets. Fortunately, when investigators do delve this deep, it's very possible that the incriminating emails will actually reside on the device itself. In some cases, an investigator may even be able to recover emails that were already deleted.
Access from Home Computer
Another important question to ask is whether the suspect accessed sensitive files from home through a virtual private network (VPN) or through a program such as Outlook Web Access (OWA). If there was a VPN, the company's network keeps a record of when a connection is established from a home computer. If the company uses OWA, its logs may show that the employee accessed company email from a home computer. Aligning the timing of this remote access with the metadata showing when the user last interacted with sensitive files can also be an indicator of illicit activity.
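The USB, webmail and remote-access sections all come down to the same step: lining up artifacts from different sources against the window in which the sensitive files were accessed. The following added example (not code from the article or its authors) does that correlation over a constructed timeline. The event list, source labels, timestamps and the 30-minute look-back and look-ahead are assumptions; in practice every source must first be normalized to one time zone, since registry, browser, VPN and mail logs rarely agree on it.

```python
from datetime import datetime, timedelta

# Constructed timeline of artifacts gathered from several sources. The
# timestamps and source descriptions are illustrative only.
# Each entry: (event kind, source description, timestamp).
SAMPLE_EVENTS = [
    ("usb_inserted",  "registry USBSTOR key last-write time",            datetime(2012, 1, 1, 3, 50, 0)),
    ("webmail_login", "browser history: webmail provider login page",    datetime(2012, 1, 1, 3, 41, 0)),
    ("owa_login",     "OWA log: mailbox opened from external address",   datetime(2012, 1, 1, 3, 38, 30)),
    ("vpn_connect",   "VPN log: session established from home",         datetime(2011, 12, 30, 22, 5, 0)),
    ("usb_inserted",  "registry USBSTOR key (different device)",         datetime(2011, 11, 2, 10, 0, 0)),
]

# Window of the mass-access burst taken from the mock table (3:50:15 to 3:50:16 AM).
BURST_START = datetime(2012, 1, 1, 3, 50, 15)
BURST_END = datetime(2012, 1, 1, 3, 50, 16)


def corroborating_events(events, burst_start, burst_end,
                         before_minutes=30, after_minutes=30):
    """Return the events that fall inside a window around the burst, earliest
    first. The window sizes are assumptions, not forensic standards."""
    low = burst_start - timedelta(minutes=before_minutes)
    high = burst_end + timedelta(minutes=after_minutes)
    hits = [e for e in events if low <= e[2] <= high]
    return sorted(hits, key=lambda e: e[2])


def summarize(events, burst_start, burst_end, **window):
    """Condense the corroborating events into a count, the kinds of evidence
    present, and each event's offset in seconds from the burst start
    (negative means the event happened before the files were accessed)."""
    hits = corroborating_events(events, burst_start, burst_end, **window)
    return {
        "count": len(hits),
        "kinds": sorted({kind for kind, _, _ in hits}),
        "offsets_s": [int((ts - burst_start).total_seconds()) for _, _, ts in hits],
    }


if __name__ == "__main__":
    for kind, source, ts in corroborating_events(SAMPLE_EVENTS, BURST_START, BURST_END):
        offset = int((ts - BURST_START).total_seconds())
        print(f"{ts}  {offset:+6d}s  {kind:<14} {source}")
    print(summarize(SAMPLE_EVENTS, BURST_START, BURST_END))
```

The value of the output is in the combination: a USB insertion 15 seconds before a six-file burst, preceded by a webmail login, is far harder to explain away as a virus scan than any one of those artifacts alone, and the offsets give counsel a concrete sequence to put in front of a court.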
In any investigation, evidence should not be examined before it's been forensically preserved, to avoid inadvertently altering it. For example, it's easy for a well-meaning counsel to connect her client's USB hard drive to her computer to see the contents of the drive. But even if she doesn't open any documents, just hovering her mouse over some of them can inadvertently change the last-accessed date.
Detecting and proving insider theft of proprietary information is a challenge companies and their counsel face with increasing frequency—and just one of these events can financially devastate a business. But by hunting for these four signs of insider theft, counsel can skillfully weave evidence together to create a reliable and defensible foundation for litigation.
Mock table of last-accessed times referenced above:

File Name                          Last Accessed
2012 Strat Plan.doc                1/1/12 3:50:15 AM
Midwest Customer List.doc          1/1/12 3:50:15 AM
2012 Business Dev Initiates.doc    1/1/12 3:50:15 AM
Sales Deck.ppt                     1/1/12 3:50:15 AM
Sell Sheet.doc                     1/1/12 3:50:16 AM
Non-Compete Agreement.doc          1/1/12 3:50:16 AM
Younger is director of digital forensics and Branham is vice president at Stroz Friedberg, based in Minneapolis. For daily tech news, go to lawtechnologynews.com.