Australia: Theft of commercial information: Prevention and incident response in the first 48 hours

1 Introduction

Businesses that have suffered the sudden loss of a single key employee or en-masse employee defection to a competitor know the pain of the event, the confusion that sometimes follows and the sting of the aftermath. This is something that many businesses face, and we're often called in to help. Here's what we've learned.

Often, the defection of key employee or employees is months in the making and with no warning. So the departing employees have time to gather commercially sensitive information for a new employer or business venture. The use of this information, before or after departure, may cause disadvantage and loss to the former employer.

Employment contracts may restrict when employees can join a competitor. But, in our experience, this will not stop them using stolen information in preparation for that move. This risk is heightened by the many ways that employees may access or remove sensitive information: cloud platforms, laptops, mobile phones and tablets including Bring-Your-Own-Devices (BYOD), USB drives, personal email accounts, or hard copy documents and prototypes.

Significant time and costs can result from a defection, especially if there are legal and consultant fees. But financial loss suffered may be the grounds for legal recourse, including compensation from the former employees. Having systems in place and access to the right expertise will help you to speedily find and analyse data to support your remediation actions.

The benefits of adequate preparation are reductions in:

• Financial leakage
• Investigation costs
• Legal costs
• Reputational damage
• Management time in dealing with the issue.

2 Steps you can take to minimise risk and impact

Best to have a plan in place before the horse has bolted.

You should review your processes to see whether controls can be tightened. For example, do you have:

• An information security framework?
• Documented incident response procedures?

Do you have better-practice controls such as:

• Asset registers: Know what electronic devices have been issued or reissued to employees, including serial numbers.
• Employment Contracts: Do you have clear employment policies about your rights of access to laptop, desktop, smart phones (including BYOD devices)? Do you have a clear acceptable use of IT policy?
• Understanding how quickly can you revoke:
• • Building access cards
  • Remote login
  • Access to critical information (electronic and hard copy).
• A deleted email retention policy: for example 90 days.
• Appropriate activity-logging on servers and business applications.
• Employee training on how to classify data and how it can be used (security awareness training).
• A plan for a media and market response to instil confidence and perhaps announce new contact points.
• Where appropriate, subjecting departing employees to an electronic exit interview (see side bar).

What's in an electronic exit interview?

Employee exit interviews should include:

• Retrieval of any company-supplied devices prior to the employee's departure.
• Disabling active accounts.
• Removal of remote and local access.
• Forensic preservation of computers and devices before they are re-issued to other employees. Once another party has accessed a device, data can be overwritten and the integrity challenged.

Where leakage of commercial information is suspected, employers should not themselves search the devices. This may compromise the integrity of evidence and overwrite existing data.

Some employers perform a health-check of devices used by an employee if his or her departure is high risk – even if no breaches of security are apparent. A health-check reviews computers, devices and data accessed by the employee to identify behaviour prior to departure.

External providers bring independence and expertise. Should any misconduct be identified, the evidence obtained through this process should withstand scrutiny and the provider may have experience in giving evidence in court.

3 The first 48 hours

So, if the worst should happen despite all of these measures, what can you do in the first 48 hours to minimise damage?

When you find out who is responsible, you need to consider their sphere of influence, act quickly and:

• Search work places for physical evidence such as notepads and other discarded pieces of paper.
• Determine what devices have been issued to each employee.
• Assess the need to revoke all electronic access to systems and email.
• Secure and forensically imaged devices.
• Analyse electronic devices for evidence of pre-departure behaviour such as:
• • Unusual access, copy or deletion of electronic information.
  • Transmission of corporate information external to the business.
  • Inappropriate communication or collusion with staff or competitors.
• Secure CCTV footage, access control records, phone records.
• Determine and co-conspirators or enablers.
• Implement the incident response plan.

Early activation of professional forensic investigators and appropriate legal advice is key. The earlier investigators become involved, the greater your chance of getting help from staff to help fill information gaps.

Delay in having investigators find and secure evidence means you lose valuable time in mitigating the risk. Often we find that by the time that we're called, work areas have been tidied, and electronic devices are missing or can't be examined because they've been wiped by IT and reallocated to other staff. These steps may have resulted in the evidence of misconduct being overwritten.

Recently we were brought in by a client's external legal advisers five days after the event. Bins had been emptied, desks cleaned and papers thrown out. The company will never fully know what valuable evidentiary information might have been recoverable.

Where devices have already been reallocated, we can sometimes retrieve valuable information. However, the complexity of retrieval and potential contamination can make this costly.

In trying to establish how the employee defection was organised and the extent of the damage, employees can be directed to attend an interview: they have a duty to help their employer. So: don't fire too early, or you may lose an opportunity.

While you can't force an employee to answer questions, it's better to give them an opportunity to respond and commit to a version of events that is on record.

The May 2015 Cost of Data Breach Study: Australia released by the Ponemon Institute examined the costs incurred by 23 Australian companies across 11 industry sectors after they experienced theft of protected data. Key findings from the study include:

• The average number of breached records was 19,788.
• The average cost of business lost as a result of a data breach was $820,000.
• 43% of data breaches were due to malicious attacks, while 30% were attributed to negligence by an employee or contractor.
• Being prepared reduces the cost of a data breach.
• Costs related to the time, effort and other business resources spent to resolve data breaches were greater than those spent on tasks such as purchasing technology or hiring a consultant.

4 Conclusion

A well-considered and implemented information security framework can reduce the likelihood of theft of corporate information. Of course, even perfectly designed internal controls can't prevent every incident. So having ready response processes, including a plan for the critical actions to take in the first 48 hours following a departure, will significantly reduce the stress and severity of the event.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.