Protecting corporate information and the use of computer forensics



  1. Protecting Corporate Information and the Use of Computer Forensics
     Andrea Kimball, Partner, Dentons Kansas City, T 816 460 2427
     Lee Whitfield, GCFA EnCE, Director of Forensics, Digital Discovery Texas, T 972 774 1500, Ext. 202
     CLE Seminar for In-House Counsel, June 5, 2014, Chicago, Illinois
     © 2014 Dentons. All rights reserved.
  2. Computers: Friend and Foe
     • Thefts of data and trade secrets are mostly internal.
     • Biggest challenge - protect data but still allow employee mobility and efficiency.
     • Tech Realities - USBs and recording devices are everywhere.
     Goals for Today
     • ID the issues and how to spot potential problems.
     • How computer forensics can assist in learning extent of any data breach and protecting confidential information and IP.
     • Discuss best practices in data security from both an HR & IT perspective.
  3. The Problem
     • 85% of corporate data theft by someone the company knows.
     • Most employees steal within 3 weeks of separation.
     • ¾ of workers own personal storage devices.
     • Estimated 60% of departing employees steal something!
     • Innocent data breaches - 1 in 5 external emails contains high risk content. [1]
     • Most thefts committed by sales people.
     • Most thefts occur by people with authorized access.
     • Expensive Problem - routine PDA losses/breaches average $429K per year. [2]
     Sources: [1] “A Statistical Analysis of Trade Secret litigation in Federal Courts,” 45:2 Gonzaga Law Rev. (2010). [2] Symantec State of Mobility Survey, 2012.
  4. Recognizing the Signs
     • Defections
     • Suspicious Behavior
     • Coming into work early or staying late
     • Accessing folders where no previous access
     • Slowly cleaning out office
     • Resigning citing new job with competition or desire to “take time off” or “go back to school,” etc.
     • Binders, lists or equipment go missing
  5. First Response to Suspicion of Theft
     • Monitor network activity.
     • Secure all data in any company device (computers, smart phones, PDAs, network email, phone records, pull backup tapes, etc.).
     • Start investigation / interviews - recreate employee’s last few weeks.
     • Gather applicable agreements (NDAs, etc.) and send employee a reminder of obligations letter.
     • No “poking around.”
     • Call in professional to avoid contamination.
     • Any access can delete footprints.
  6. What is Digital Forensics (DF)?
     • Much more than recovering deleted files (but we can do that too)
     • Gathering and analyzing evidence from electronic sources in order to establish the facts.
     • These facts may include the actions taken by a user and any potential motive for that action.
  7. Why is DF Important?
     • Do you know how much data exists about you?
     • Digital devices and ESI are a part of all of our lives ...
     • Personal computers, smart phones, thumb drives, GPS’s, Email, social media, on-line bill payments, shopping, wearable technology.
     • Everywhere around you, you can find a digital storage device within arm’s reach.
     • Our personal/private data are recorded on digital devices moment-by-moment.
  8. What can we determine?
     • Most commonly asked question:
     • What applications were run?
     • What websites were visited?
     • What files / documents were accessed?
     • Most popular question: Was data copied?
     • What else happened around this time?
     • What devices were attached?
     • We can usually answer all of these.
     • What else?
     • Location(s) of both computers and phones
     • Spoliation? Did the user try to cover their tracks? (Case Study)
     • References or links still exist even if file deleted.
  9. Digital Forensics Process in a Nutshell
     • Evidence preservation
     • Investigation and analysis
     • Reporting results
  10. Evidence Preservation
     • Tools & Techniques vary with situation
     • Full collection vs. Targeted
     • Forensic investigation vs. e-Discovery request
  11. Investigation and Analysis
     • Blend of Science & Art
     • Requires solid understanding
     • OS’s, Applications, Hardware, Networks
     • How is specific evidence / artifact created
     • What is being investigated (case background)
     • Scope
     • Investigations are often an Iterative Process
     • Best Method
     • Best Tool
     • Investigation requires analysis
     • Not just data extraction
     • W, W, W, W, W, H
  12. Reporting Results
     • Purpose
     • Early case assessment or use in litigation/injunction
     • Deposition prep
     • Audience
     • Internal vs. External
     • Consulting vs. Testifying
  13. DDIY – DON’T Do It Yourself
     • ALWAYS a bad idea
     • Inadequate Methods or Tools
     • Inadvertent Altering of Metadata
     • Incomplete Collection
     • Damage to Source Drive or Data
     • Spoliation – Penalties and Sanctions
     • Improperly licensed personnel
     • Unqualified personnel
     • Case studies
  14. IP Theft
     • How can data leave the organization?
     • Corporate email systems like Exchange or Lotus Notes
     • Web-based email like Gmail, Yahoo, AOL, etc.
     • USB devices
     • Thumb drives
     • iOS devices (iPhone, iPads, iPods)
     • Other Smart phones and music players
     • CDs/DVDs
     • BYOD?
     • Web services (Basecamp, Atlassian, etc.)
     • Cloud based file syncing services like Dropbox, Salesforce and Skydrive
     • Social media
  15. IP Theft Case Studies
     • Each scenario is different
     • Users have varying levels of technical knowledge/skill
     • Results are common but not guaranteed
     • Evidence from the strangest places
  16. Have a Plan
     • Two types of people in this world
     • Those that know they’ve had data stolen
     • Those that don’t
     • Be proactive and create a plan for the inevitable.
     • Spoliation
     • Will you use an outside vendor or internal resources?
     • Understand the pros and cons.
     • Get proper training if you choose to handle incidents internally.
     • IT staff can be your worst enemy.
  17. How to make your DF professional’s day
     • Get your DF investigator involved early.
     • Temporal proximity – The sooner the better
     • Don’t use the computer / device
     • Clear Scope & Objectives
     • Understand a DF investigation can take time.
     • The CSI Effect.
     • Archeology - 5th shovel or 100th
     • Remember – it’s an iterative process.
     • Your DF investigator should be part of the legal team.
     • Consulting expert vs. Testifying experts
     • Privileged or Not
  18. Best HR Practices to Protect Company Information
     • Obtain confidentiality agreements (separate from non-competes).
     • Obtain separate acknowledgements - all employees and consultants.
     • Conduct trainings on confidentiality.
     • Get incoming employees’ assurances re: NO info brought from former employers.
     • Clear policies re: no privacy on company computers.
     • Ban cell phones/cameras/flash drives in sensitive areas like R&D.
     • Lock up hard copies of formulas.
     • Employ badges and swipe cards and log all visitors into facilities.
     • Conduct exit interviews and remind of continuing obligations in writing.
     • Yearly audit of all offices/branches (including marketing material) to avoid inadvertent info disclosures.
  19. Success Story
     • Optimal Scenario is confronting employee at exit interview with evidence.
     • Ask employee to allow a wipe of all company info from home computer.
     • “Mr. M” - 5800 files downloaded to external hard drive.
     • When met with evidence (serial number of hard drive, etc.) employees usually cooperate.
  20. Best IT Practices to Avoid Theft
     • Control Access to Information
     • Who really needs access?
     • Limit those who can work from home (or print).
     • Monitor emails and warn of policy with use of “pop up” screen.
     • Software available to encrypt files or prevent emailing information outside the company.
     • Stamp/encrypt all key documents as confidential (prevent printing).
     • Turn on logs that show files downloaded from network!
  21. Enforcement Measures
     • File suit under state Uniform Trade Secrets Act.
     • Timelines are critical to proving a trade secret/theft case! Preliminary Injunctions key enforcement tool.
     • To prove claim must show reasonable efforts to protect the secrets.
     • File Computer Fraud & Abuse Act (CFAA) Claims - (Federal Jurisdiction).
     • No cause of action if employee was authorized to access information, so restrict access.
     • Cause of action if information is altered and remedies for certain losses.
     • 337 Actions in ITC ban importation of goods.
     • Proposed legislation and criminal component.
     • Economic Espionage Act.
     • Proposed legislation will create a private federal right-of-action (like patents, trademarks).
  22. Thank You!
     We are very interested in your feedback - please take a moment to leave a note about this class and presenters on the back side of your evaluation form.
     © 2014 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see for Legal Notices.
     Andrea Kimball, Partner, Dentons Kansas City, T 816 460 2427
     Lee Whitfield, GCFA EnCE, Director of Forensics, Digital Discovery Texas, T 972 774 1500, Ext. 202