What is the most important asset that a law firm possesses? Is it the firm’s list of clients? Or is it the clients’ confidential information, such as a secret formula for a soft drink, or documents containing next year’s business strategy?

Companies, including law firms, spend billions of dollars annually on firewalls and virus-detection software to protect confidential legal information from the outside threat of hackers, crackers and data thieves. But will these tools really protect these most valuable business assets?

According to the 2002 Computer Security Institute/FBI Computer and Security Survey, available at the Computer Security Institute, www.gocsi.com, the theft of proprietary information totaled $170,827,000 for only 26 companies. Even more startling is the 2002 survey by the American Society of Industrial Security (ASIS) of Fortune 1,000 corporations and 600 small to midsized U.S. companies, which reported the theft of proprietary information and intellectual property losses at between $53 billion and $59 billion annually. See www.asisonline.org.

The ASIS reported that the greatest threat to proprietary information and intellectual property is the trusted insider: in other words, current and former employees, contractors, consultants and temporary employees. Trade secrets and confidential information are routinely smuggled out of companies to waiting customers or business competitors.

The most notorious case of a trusted insider stealing information involved FBI agent Robert F. Hanssen, who was convicted for stealing highly classified documents from the FBI and selling them to Russia. Hanssen used a variety of technological devices, including his Palm handheld device, removable data-storage devices and encrypted floppy disks, which he would then turn over to his Russian contacts. He continued to steal data, using the latest technology, for more than 15 years.
While most companies do not need to worry about Russian spies stealing their confidential information, anyone with access to such data is always a threat, and devices like the ones Hanssen used are more widely available than ever.

In January 2003, a 19-year-old part-time employee at a California imaging firm stole trade secrets from the law firm Jones Day and its client, DirecTV. The trade secrets included details about the design and architecture of DirecTV’s latest anti-piracy card. The estimated cost of developing the “Period 4” anti-piracy card was more than $25 million. The imaging company made electronic copies of documents for Jones Day, which represented DirecTV in a lawsuit. Its part-time employee took copies, on compact disks, of many of the documents to his home in Los Angeles and then sent more than 800 megabytes of the documents to at least three Web site operators. He pleaded guilty to violating the Federal Economic Espionage Act and was sentenced to five years’ probation and was ordered to pay $146,085 in restitution to DirecTV and Jones Day.

Historically, employees who wanted to steal data from their employers had very few options. An employee could print the data, but this is a cumbersome process as one gigabyte (GB) of data (average size of a hard drive today is 60 to 100 GBs) would produce enough paper to fill the bed of a pickup truck. He or she could also save the data to a floppy disk, but this holds only a very small amount of data. It could take up to 70 floppy disks to copy 1 GB of data. Compact disks (CDs, 1/2 GB) and digital video disks (DVDs, 5 GB) store larger amounts of data, but many employers are deactivating these drives or not installing the software needed to operate these devices.

The latest threat to protecting a company’s data is the portable storage device. These removable devices plug effortlessly into a computer’s port and replace the now obsolete floppy drive.
They can store anywhere from 1/2 GB to 20 GBs of data and are a convenient and unobtrusive way of carrying a large amount of information in a small device the size of a key ring.

The most common type of portable storage device is now the USB (Universal Serial Bus) device, which comes in all shapes and sizes. The most popular is the key-chain size drive, which plugs into a computer’s USB port and can store up to 2 GB of data. There are several other types of USB devices that are made to look like wristwatches or ballpoint pens and can be used to store data secretly. Most of these USB drives work with both Macs and PCs and require no additional software. One simply plugs it in and the device is ready to store data.

When Apple introduced the iPod, many people were concerned that employees and others might use it to copy music illegally. The iPod is essentially a high-tech Walkman, which, instead of playing a tape or CD, plays whatever is recorded on its 15 GB hard drive. The iPod sells for about $300 and comes with the additional feature of a FireWire interface, allowing the user to copy huge data files in seconds. Recent news stories report that teenagers are taking the iPod to computer stores, plugging it into display computers and copying data files. Using an iPod or personal digital assistant (PDA), it is easy for an employee to steal a huge amount of data. Acknowledging this threat, Britain’s ministry of defense has recently added the iPod to its list of security risks.

The fear is that this type of innocuous device can be employed as a handy tool for data thieves because one can plug it into a Windows XP operating system and bypass basic log-on passwords. Once a firm’s employee or contractor gains access to a computer through a USB or FireWire port, he can bypass perimeter defenses like firewalls and anti-virus software and introduce viruses or Trojan horses, causing serious damage.
He can also very simply download critical data or a client’s trade secrets in the blink of an eye. Thus, a small but growing number of firms, particularly in the financial and health care sectors, are implementing policies to keep these devices out of their offices.

KEY LOGGERS

Another type of device that employers must be aware of is the key logger. An employee can plug this device into the keyboard port on any computer and it will record any information which is typed on the computer, including passwords. The user can then remove the key logger and place it into any computer to reveal everything that was typed by the user and recorded by the device. This device is particularly troublesome because it is not only difficult to detect, but also leaves no trace that it ever was used.

Unfortunately, most companies do not realize that confidential information or trade secrets have been stolen until the pilfered information is already being used against the company. A better approach is to protect the confidential information before there is a problem.

Most firms’ security policies do not include the single most important factor of securing the human element. Employees need to be advised of threats to confidential information and their responsibility for protecting their employers’ data. Additionally, background checks should be used to identify, before they are hired, those who may compromise trade secrets, and firms should follow up with employees and remind them of their responsibilities before departure.

Companies should also implement an internal misuse monitoring system, which operates on the principle that it is not feasible to prevent all attacks from trusted insiders but that such attacks usually follow identifiable patterns or deviate from the employee’s normal usage in an identifiable way.

Firms should not allow multiple employees to share a single log-on account.
They should instruct them to log off their computers daily, and only give users access to computers and files that they need to do their jobs. Firms often extend courtesy services to departing attorneys, such as giving them access to the firm’s e-mail. If done, all of the employees’ data and information should be copied immediately for safekeeping and all confidential and proprietary information should be off-limits.

Companies should also prohibit the use of uncontrolled, privately owned devices on their work computers. Removable devices can provide many benefits, including a great way to “sneaker-net” documents between home and firm. So, in many cases it would be counterproductive to ban them entirely. More realistically, a controlled approach should be implemented, requiring a security policy to define when and if the devices can be used. If and when they are used, passwords and encryption should be required. Technology should also be used to limit use to authorized devices and to notify the information technology department when a device is being used.

Another possibility is to start a “firm watch” program similar to the idea of a neighborhood watch. The idea is to create an open atmosphere that encourages employees to be aware of and report suspicious activity. A firm should encourage its employees to report all suspicious activity such as shoulder surfing (looking over a user’s shoulder to access information) or the use of a computer by unauthorized personnel. They should also report anyone who contacts them seeking access to unauthorized information. The firm should also designate a security manager who is the primary point of contact for all security issues.

Additionally, firms should be on the lookout for employees who are not following security policies or are not security conscious.
Anyone who leaves a computer unlocked and unattended, has passwords written under the keyboard or on a monitor, or has sensitive client information or trade secrets in the open or unattended, needs to be notified immediately. If the employee understands exactly how his or her actions threaten the firm, he or she can take corrective action so mistakes are never repeated.

With today’s technology, safeguarding proprietary information against theft is more difficult than ever. But if firms and companies take an active role in supervising and monitoring their employees, the risk can be dramatically reduced.

Michael R. Levinson is a partner at Chicago’s Seyfarth Shaw, focusing on commercial litigation with special expertise in intellectual property matters. He is also an adjunct faculty member at Chicago-Kent College of Law. Patrick E. Zeller is a senior associate in the firm’s litigation group. His practice focuses on computer security and technology issues.


Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.