Insider theft of proprietary information is a widespread threat that's becoming increasingly difficult to detect and prove, due in part to mobile phones and the cloud. One need not say more than the name Edward Snowden to underscore what's at stake, but there are many corporate cases that demonstrate the severity of this matter as well.
In one recent high-profile case, an employee of American Superconductor is charged with selling company secrets to China's Sinovel Wind Group, part of a scheme that cost the U.S. company $800 million. In another case, General Motors engineer Shanshan Du made headlines when she allegedly stole an estimated $40 million in hybrid-automobile-related trade secrets using her personal email account and USB devices.
With the evolution of technologies like webmail and removable media, as well as the proliferation of Bring Your Own Device (BYOD) policies and cloud storage, transferring sensitive information outside of the organization has become very easy for employees to do. The FBI reports that theft of proprietary information is rising, particularly once employees anticipate leaving their jobs. In a recent study by Symantec, half of all departing employees admitted to stealing company data upon their departure.
For counsel, insider theft presents significant challenges. Differentiating between an employee's valid access to sensitive data and its illegitimate use can be hard to do, and sorting through activity across multiple devices as well as a company's vast computer network can stymie investigations. But if investigators know where to look, they can quickly get to the heart of the matter, enabling counsel to effectively pursue or litigate a case.
Below are four tell-tale signs of insider theft of information.
Mass Data Copying
Evidence of mass copying can be found in the file system's metadata. File systems track timestamps for each file, such as when it was created, last modified and last accessed. First and foremost, this metadata can show whether an employee interacted with sensitive data shortly before their date of departure. If the employee did so without a clear business reason, that finding alone can arouse suspicion. One caveat for examiners: NTFS on Windows Vista and later does not update last-access timestamps by default, so the absence of recent access times is not proof that nothing happened, and their presence should be read in light of how the machine was configured.
For example, the mock table below shows documents that were all last accessed consecutively and within seconds of one another. That speed suggests the files were handled programmatically (for instance, a whole folder dragged to another drive) rather than opened by hand one at a time. However, counsel shouldn't jump to conclusions. The same pattern can be produced by an antivirus scan, a backup job, a search indexer or other routine activity that touches many files in sequence. To tell copying from scanning, look for additional evidence that would substantiate a copy, such as the insertion of a USB device immediately before the burst of access times.
Copying to USB Drive or the Cloud
To tell if a user inserted a USB device directly prior to accessing sensitive files, investigators should evaluate various system files on the user's computer, including the Windows registry. The registry is a major data storehouse that contains, among other things, settings for the operating system and a record of the USB storage devices that have been attached to the machine (under SYSTEM\CurrentControlSet\Enum\USBSTOR), including each device's vendor, product and serial number. The timestamps on those keys reflect the most recent connection; the device's first installation is recorded separately in the setupapi.dev.log file. Look again at the table above. If analysis of the computer showed that a USB device was first and last inserted into the computer on 1/1/2012 at 3:50:00 AM, seconds before the burst of file access times, this would be a strong indicator that the files were copied onto the thumb drive.
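The two signals described above, a burst of access timestamps and a USB insertion just before it, are easiest to evaluate together on a timeline. The following script is an added example for this page, not code from the original article: it takes file access records and USB insertion times as an examiner might export them, finds clusters of files touched within a short window, and reports only the clusters that begin shortly after a device was connected. The file paths, device identifier and timestamps are all constructed for illustration, and the second cluster is deliberately shaped like the antivirus-scan false positive discussed above (many files in seconds, but no device attached).

```python
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample data (not from a real case): (path, last-accessed time)
SAMPLE_ACCESS = [
    # looks like a scheduled scan: many files in seconds, nothing plugged in
    ("C:\\Users\\jdoe\\Documents\\q1_plan.docx", "2011-12-30 02:00:01"),
    ("C:\\Users\\jdoe\\Documents\\q2_plan.docx", "2011-12-30 02:00:02"),
    ("C:\\Users\\jdoe\\Documents\\q3_plan.docx", "2011-12-30 02:00:03"),
    ("C:\\Users\\jdoe\\Documents\\q4_plan.docx", "2011-12-30 02:00:04"),
    ("C:\\Users\\jdoe\\Documents\\roadmap.pptx", "2011-12-30 02:00:05"),
    # burst beginning 21 seconds after a USB device was connected
    ("C:\\Users\\jdoe\\Documents\\battery_spec.docx", "2012-01-01 03:50:21"),
    ("C:\\Users\\jdoe\\Documents\\cell_chemistry.xlsx", "2012-01-01 03:50:22"),
    ("C:\\Users\\jdoe\\Documents\\supplier_list.xlsx", "2012-01-01 03:50:22"),
    ("C:\\Users\\jdoe\\Documents\\test_results.pdf", "2012-01-01 03:50:24"),
    ("C:\\Users\\jdoe\\Documents\\pricing_model.xlsx", "2012-01-01 03:50:27"),
    # ordinary, isolated activity (also shows that input order does not matter)
    ("C:\\Users\\jdoe\\Documents\\resume.docx", "2012-01-03 18:11:40"),
    ("C:\\Users\\jdoe\\Documents\\memo.docx", "2011-12-28 14:02:10"),
]

# Constructed sample: (device key as it appears under USBSTOR, last-connected time)
SAMPLE_USB = [
    ("USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler\\001A2B3C4D&0", "2012-01-01 03:50:00"),
]


def find_bursts(records, min_files=5, window=timedelta(seconds=30)):
    """Return groups of at least `min_files` files whose access times all fall
    within `window` of the first file in the group (sliding-window clustering)."""
    recs = sorted(((path, _ts(t)) for path, t in records), key=lambda r: r[1])
    bursts, i = [], 0
    while i < len(recs):
        j = i
        while j < len(recs) and recs[j][1] - recs[i][1] <= window:
            j += 1
        if j - i >= min_files:
            bursts.append(recs[i:j])
            i = j          # skip past the burst we just recorded
        else:
            i += 1
    return bursts


def correlate_with_usb(bursts, usb_events, lookback=timedelta(minutes=5)):
    """Keep only bursts that start within `lookback` after a USB insertion.
    Returns (device, inserted_at, burst) tuples; bursts with no nearby
    insertion (e.g. an antivirus scan) are dropped."""
    devices = [(dev, _ts(t)) for dev, t in usb_events]
    hits = []
    for burst in bursts:
        start = burst[0][1]
        for dev, inserted in devices:
            if timedelta(0) <= start - inserted <= lookback:
                hits.append((dev, inserted, burst))
    return hits


if __name__ == "__main__":
    for dev, inserted, burst in correlate_with_usb(find_bursts(SAMPLE_ACCESS), SAMPLE_USB):
        print(f"{dev} connected {inserted}; {len(burst)} files accessed from {burst[0][1]}:")
        for path, when in burst:
            print(f"  {when}  {path}")
```

The thresholds (five files, a 30-second window, a five-minute lookback) are assumptions chosen for the sample; on a real image they should be tuned to the volume of legitimate activity, and the output is a lead to corroborate with the registry and link-file evidence, not a conclusion by itself.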
Another valuable piece of evidence can come from link files, which can prove that the documents in question existed on a specific piece of external media. A link file (a Windows shortcut with a .lnk extension) is a file that Microsoft Windows creates, for example in the user's Recent folder, to track recently opened documents. Each one records the path of the document it points to, the type of volume it lived on (fixed disk, removable drive, CD or DVD, or network share), that volume's serial number and label, and the document's size and timestamps. Analyzing link files can therefore show whether a file was opened from the computer's hard drive, a USB device, a CD or DVD, or a network server. This evidence can demonstrate that the sensitive information in question existed on one of these devices, even though counsel may not have the actual USB device, CD or DVD to which the files were copied.
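To show what a link file actually records, the following parser is an added example written for this page (not code from the original article). It reads the fixed header and the LinkInfo structure of a .lnk file as laid out in Microsoft's MS-SHLLINK specification and returns the target path, the drive type, the volume serial number and label, and the target's last-modified time. Because a real shortcut cannot be shipped inline, the example also builds a minimal, constructed .lnk (header, LinkInfo and terminal block only; the ID list and string data that a real shortcut carries are omitted) so the parser can be run offline; the path, label and serial number in that sample are invented.

```python
import struct
from datetime import datetime, timezone

# Constants from the MS-SHLLINK specification
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = 116444736000000000  # 100-ns ticks between 1601-01-01 and 1970-01-01


def from_filetime(ft):
    return datetime.fromtimestamp((ft - FILETIME_EPOCH) / 10_000_000, tz=timezone.utc)


def to_filetime(dt):
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def _wstring(data, off):
    n = 0
    while off + n + 1 < len(data) and data[off + n:off + n + 2] != b"\x00\x00":
        n += 2
    return data[off:off + n].decode("utf-16-le", "replace")


def build_sample_lnk(target_path, drive_type, serial, label, mtime, size):
    """Constructed sample: a minimal .lnk = ShellLinkHeader + LinkInfo + terminal block."""
    label_b = label.encode("ascii") + b"\x00"
    # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset (0x10 = right after)
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 0x10) + label_b
    base_b = target_path.encode("ascii") + b"\x00"
    suffix_b = b"\x00"                      # empty CommonPathSuffix
    hdr = 0x1C                              # LinkInfoHeaderSize without Unicode offsets
    vol_off = hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix_b), hdr,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_b + suffix_b
    ft = to_filetime(mtime)
    # HeaderSize, CLSID, LinkFlags, FileAttributes (ARCHIVE), Creation/Access/Write time,
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    return header + link_info + struct.pack("<I", 0)


def parse_lnk(data):
    """Return the target path, volume details and target timestamps recorded in a .lnk."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows Shell Link file")
    flags, _attrs, _ctime, _atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:      # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"target_size": size, "target_mtime": from_filetime(wtime),
            "drive_type": None, "serial": None, "label": None, "local_path": None}
    if flags & HAS_LINK_INFO:
        li = pos
        (_size, _hdr, li_flags, vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<IIIIIII", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            v = li + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<IIII", data, v)
            if label_off == 0x14:           # Unicode label: real offset is in the next field
                label = _wstring(data, v + struct.unpack_from("<I", data, v + 0x10)[0])
            else:
                label = _cstring(data, v + label_off)
            info.update(drive_type=DRIVE_TYPES.get(dtype, f"0x{dtype:X}"),
                        serial=f"{serial:08X}", label=label,
                        local_path=_cstring(data, li + base_off) + _cstring(data, li + suffix_off))
    return info


SAMPLE_MTIME = datetime(2012, 1, 1, 3, 49, 30, tzinfo=timezone.utc)
SAMPLE_LNK = build_sample_lnk("E:\\Projects\\battery_spec.docx", 2, 0x1A2B3C4D,
                              "KINGSTON", SAMPLE_MTIME, 48213)

if __name__ == "__main__":
    print(parse_lnk(SAMPLE_LNK))
```

A drive type of REMOVABLE together with a volume serial number is the detail that matters in practice: the same serial appears in the registry's record of the device, so a link file can tie a named document to a specific thumb drive even when the drive itself was never recovered.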
Copying documents to or from the cloud can often be tracked through information held by the cloud service provider. Its logs may record when a user signed in to the service, as well as which documents were accessed, uploaded, downloaded or shared. The challenge, however, is that these logs are often retained only for short periods of time, if at all. Counsel must act quickly to preserve this information before it's too late.