Attorney Andrew Froman wrote a short but very insightful piece for the Employment Privacy Blog (from Fisher Phillips) entitled “Security Breached – Tips for Mitigating and Protecting Private Information from Inside and Outside Threats.” The article paints a dismal picture of what can happen when company management does not consider, and take steps to minimize, the risks to some of its most valuable assets, tangible and intangible, when dealing with key IT employees or independent contractors.
Mr. Froman describes a case in which his firm is helping a client with damage control and data recovery a week after the client’s Chief Technology Officer (CTO) resigned. Six months before resigning, the CTO had been demoted to a lesser role in the company.
Froman’s “damage control and data recovery” work consists in part of filing with the U.S. District Court for an ex parte Temporary Restraining Order (TRO) against the former CTO for violations of the Computer Fraud and Abuse Act and the Defend Trade Secrets Act, and for the return of a company laptop the CTO had taken with him when he left.
Imagine this happening to your company:
…the CTO had created a back door for himself to the client’s servers and had spent those last six months of his employment accessing, downloading and storing emails of the client’s top executives, and its most important vendors. These stolen emails contain personal financial information, such as bank account numbers, personal health information, bank routing information for personal accounts of the client’s top executives, including the CEO and two board members. The former CTO also had accessed and downloaded other proprietary corporate information, including bank routing numbers for several of the client’s most important vendors, and other private information. At a minimum, the executives and their vendors will need to change their banking and other private, personal information, at some if not significant expense, and no less heartache.
While you might think the Chief Technology Officer would have had such access authorized, he did not. He most certainly exceeded his authorized access, and did so without requesting or obtaining permission either from the client, the executives, or the vendors. Additionally, as part of his resignation, the client and the former CTO arranged a “consulting agreement,” under the terms of which he was permitted to keep and use his company-issued laptop.
The U.S. District Court granted the TRO, which was issued for only 14 days. The client succeeded in retrieving the laptop from the former CTO.
However, the process server hired to deliver the court papers to the former employee and to retrieve the laptop had to wait 45 minutes while the former employee “searched” for it in his own home. While the process server waited, with the former employee out of his sight, it is entirely possible that the former CTO deleted or attempted to delete compromising information still on the laptop’s hard drive. The computer is now in the hands of a forensic computer expert who can examine it thoroughly.
Very scary, indeed. Froman correctly points out our profound naiveté when we neglect to protect ourselves and our companies from the cunning craft of an IT person — whether our own trusted in-house CTO or a private independent contractor — who has intimate knowledge of and direct unfettered access to our business and trade secrets. Froman makes this cogent point:
…we as employers ought to know by now that our technology-savvy employees, especially our in-house technology experts, are quite able to figure out ways to steal, use or corrupt our electronic information. Rather than wait until after they’ve departed to determine if they’ve done anything that can harm us or our other employees, we should plan to conduct such an inquiry before we demote, re-assign, otherwise discipline or terminate any employee. This is especially true for those with the technical expertise to engage in electronic misconduct. That way, if we find misconduct has occurred, we still have some control over the employee and can diminish or negate the harm before the employee is gone from our premises. It is a more timely and cost effective method of protecting our, and our employees’, privacy and private information.
Froman suggests hiring an independent forensic expert to examine the CTO’s company-issued computer devices for any lingering signs of skulduggery.
Access the employee’s desktop or laptop (or any other company-issued device such as a tablet or smart phone) outside their presence, utilizing an independent forensic expert to “image” the device’s hard drive, then examine it. Be sure to maintain and record a clear chain of custody of the device. If there is data on the device the employee should not have, you, of course, can question them about it. If it looks like they’ve moved, copied, or compromised data, your forensic expert should be able to tell you. If they’ve corrupted data, you might be able to mitigate the damage while you still have them in front of you, to be questioned. After they’re gone, your only access to them may be a subpoena, or a lawsuit.
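The “image the drive, then maintain and record a clear chain of custody” step above is where a forensic examiner most often has to prove, later, that neither the image nor the custody record was altered. The following is an added illustration, not code from Froman’s article or from any forensic product: each custody entry carries the SHA-256 of the image and the hash of the previous entry, so a changed image, an edited entry or a missing handoff all show up on verification. The sample image bytes are constructed, and the handler names and field layout are this example’s own assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the forensic image of the returned laptop's drive;
# in practice this is the raw/E01 image file produced by the imaging tool.
SAMPLE_IMAGE = b"\xeb\x52\x90NTFS    " + b"\x00" * 4000

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_entry(log: list, handler: str, action: str, image: bytes, note: str = "") -> dict:
    """Append one custody entry. It records the image hash and the hash of the
    previous entry, so neither the image nor the log can be altered unnoticed."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "handler": handler,            # who had the evidence
        "action": action,              # acquired / sealed / transferred / examined
        "image_sha256": sha256_hex(image),
        "prev_entry_hash": prev,
        "note": note,
    }
    # Hash the entry itself (sorted keys give a canonical serialization).
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def verify_custody(log: list, image: bytes) -> list:
    """Return a list of problems; an empty list means log and image are intact."""
    problems = []
    prev = "0" * 64
    acquisition_hash = log[0]["image_sha256"] if log else None
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            problems.append(f"entry {i}: contents altered after recording")
        if e["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain broken (missing or reordered entry)")
        if e["image_sha256"] != acquisition_hash:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
        prev = e["entry_hash"]
    if acquisition_hash and sha256_hex(image) != acquisition_hash:
        problems.append("current image does not match acquisition hash")
    return problems

if __name__ == "__main__":
    custody = []
    add_entry(custody, "forensic examiner", "acquired image from laptop", SAMPLE_IMAGE)
    add_entry(custody, "evidence locker", "received sealed drive and image", SAMPLE_IMAGE)
    print(verify_custody(custody, SAMPLE_IMAGE))  # [] when everything is intact
```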
It is not too difficult to imagine a scenario where discovering such malfeasance after the fact would be devastating at best and catastrophic at worst.
So often it is the trusted associate you let inside that wreaks the most carnage on you and your company. Who else could get at you like that?
As I’ve said so many times before, “The good guys are the bad guys.”