No spy’s arsenal is complete without some high-tech gadgetry. Although modern corporate spies generally don’t have laser-shooting watches or fountain pens that double as tape recorders, they are licensed to use laptops, tablets and smartphones, which can be effective tools of the trade for taking sensitive company data.
In today’s device-heavy workplace, where employees may be working exclusively on their own laptops or tablets at the office, it’s essential that companies remain vigilant to protect trade secrets and key data from rogue employees who would pass along these materials to competitors.
David Long-Daniels, a shareholder at Greenberg Traurig and cochairman of the firm’s global labor and employment practice, told CorpCounsel.com he has dealt with numerous cases of corporate theft and espionage, including via digital devices. “I can’t think of any industry that’s an exception,” he said, explaining that he’s seen information stolen from all kinds of companies, including those in the construction, manufacturing, financial services and insurance sectors.
Trade secrets, whether a list of customers or a secret recipe, comprise an average of two-thirds of the value of companies’ information portfolios, according to a 2013 report by Covington & Burling [PDF]. In knowledge-intensive industries such as manufacturing or professional services, this number increases to between 70 and 80 percent. Another study showed trade secret theft may cost between 1 and 3 percent of the gross domestic product of the U.S. and other advanced economies.
The methods of stealing secrets on a device can be pretty straightforward. In one case Long-Daniels worked on, four employees all moving to the same new company together used their company BlackBerries to access information that they then transferred to their own devices. Then, since the company BlackBerries automatically deleted all data after enough failed access attempts, the employees simply typed in incorrect passwords until the phones deleted everything.
Although in this case the bad guys got busted, it doesn’t always work out so well for companies with secrets. If an employee is using their own device for work purposes, for example, it can be hard to separate the personal from the work files in data erasure. And then when a device is lost or stolen, a company might get into trouble for wiping it if they take out an employee’s personal data in the process.
“It’s tricky, because if you do it wrong, you could violate the Stored Communications Act,” said Long-Daniels. Certain software can help separate data, but according to Long-Daniels, companies don’t necessarily have it on their networks.
The situation can also get dicey when employees are traveling with work-issued devices and outside theft threats come into play. “What I recommend the companies do—and this sounds draconian—but the best practice is to give the person a computer that is almost clean, just what they need in that location that they’re going to,” Long-Daniels said, explaining that valuable information carried into other countries may lose the legal protection guaranteed by U.S. law. If a laptop is confiscated during a customs inspection or just simply lost in another country, for example, there’s no way to make certain the company will be able to get it back or that the information on the device won’t end up in the public domain.
Another danger, said Long-Daniels, is hotel Wi-Fi. Tapping into the hotel’s wireless network with a tablet or laptop might seem like a good way to get some work done on the road, but Long-Daniels emphasized that some seemingly safe hotel networks actually are not set up by hotels at all, but by potential cyberattackers imitating hotel Wi-Fi.
Employees might want to be especially careful when dealing with some countries—for example, China. In a recent survey from the American Chamber of Commerce China, one in four respondents said they experienced a breach or theft of data or trade secrets from their China operations.
How can all of this illicit activity be stopped? James Bond might not be available to thwart corporate theft from Russia or China, but at least for many domestic matters, Long-Daniels said, having the right company policies is essential. “You want to have good policies saying: thou shalt not steal and thou shalt not share,” he noted.
He recommends that companies avoid creating formal Bring Your Own Device (BYOD) policies due to the many risk factors. In any policy though, he explained a company should get the employee to agree that the employer can, at will, wipe data from any device used by employees for work purposes. The policy should also say that when the employee leaves his or her job, the company gets all of their work data, whether it’s on a device or on paper. He added the policy should clearly state that employees should have “no expectation of privacy” when they use company equipment, and that they consent to the company searching the equipment.
Since getting caught up in a corporate espionage case can be expensive and time-consuming, there’s also motivation for employers hiring a new employee to make sure that person didn’t steal any sensitive proprietary information from his or her previous job. “You want to have a clear policy that says: ‘We don’t want anything but your mind,’” Long-Daniels said.