Intellectual Property Theft

So, you just received a phone call from the head of your research and development department who claims that one of the scientists just quit and left with sensitive information. Wait … Or was it a mutual fund dealer who left the organization and took your client list and their investments? Wait … Or was it a sales rep who took client information, including product blueprints, so he could start his own business? Wait … Or was it a programmer who took part of the source code he developed for your company because he thought it could be useful in his next job? Wait … Or was it … ?

These cases have three things in common: 

• They’re examples of intellectual property (IP) theft.

• They involve electronic evidence.

• I’ve been involved in all of them recently.

I wrote a Digital Fingerprints column in the July/August 2008 issue in which I discussed IP theft. So, why another one? Well, it’s quite simple: It’s still happening and will continue to happen. And the faster the organization reacts, the less damage it might have to deal with. Many organizations discover IP theft months or years after it has occurred, and you never want to be in that situation. So, what to do?

Security Policy 

The first step in protecting IP is knowing: Where does it reside, where is it stored, who has access to it, etc.? How do you answer these questions? By discussing IP with the information owners, the various departments within the organization, and the custodian of the information – the IT department.

Your organization’s security policy should include directives on classification of information, access control, and storage including portable storage devices. Inform employees through the policy that they’re obligated to protect IP. The code of ethics, which employees should sign every year, should contain a clause about IP protection.

Exit Strategies 

IP theft is usually an inside job because employees and consultants have access to the information and know its value. Most organizations would love to trust their employees, consultants and other business partners, but it’s probably not the best method of preventing IP theft. So ensure that you have a thorough exit plan for departing employees, vendors and consultants that identities high-risk departures and preserves potential evidence.

The human resources’ (HR) department exit interviews should determine the reasons behind employees’ departures and note high-risk people – those who are disgruntled, leaving for a competitor, or had access to highly sensitive information. Some might actually refuse to participate in an exit interview, and, of course, that’s a red flag.

Work with your forensic people to preserve a forensic image of the departing high-risk employee’s work laptop and desktop to find any potential trail or bread crumbs to IP theft. With the relative ease of copying electronic information afforded by technology, it is likely that many cases of trade secret theft would leave a trail of breadcrumbs on the employee’s computer. By preserving it, the organization is in a position to examine the content of the departing employee’s computer if any suspicion leading to cause were to be identified.

It’s not 12 months later, when IT has reassigned the laptop or PC to another employee and data has disappeared, is overwritten, or not complete enough to get the big picture.

Consultants and contractors should only use company-issued computers because the organization would have limited rights to forensically image the content of the computers without obtaining consent or seeking legal recourses. If they use their own it’s nearly impossible to conduct investigations without undertaking legal action. Furthermore, their contracts should be tightly write their contracts to ensure that your organization retains ownership of all IP.

Investigating IP Theft 

If you discover IP theft, your first thought is legal action. You do have to act quickly, but you must first build your case. So where to start? Well, by looking at the digital fingerprints of course! Who’ll usually be involved in such an investigation? It does vary based on the structure of the organization but human resources, legal counsel and IT are some of the likely parties.

Forensically acquire and preserve all electronic media that could contain evidence pertaining to the theft of trade secrets such as the employee’s computer, removable storage, mobile devices, etc. The organization should preserve phone call logs, logical access logs showing who filed and when, physical access control logs showing who had access to facilities and offices, firewall and proxy logs showing network communications, etc.

The following are potential elements that might support your case:

• Evidence of a non company issued removable storage media has been connected to the computer

• Evidence that sensitive information has been copied to the employee’s computer or other electronic media

• Evidence that sensitive information has been emailed to a personal email account or to another party

• Email exchanges discussing the employee’s new employment which could suggest misuse of information

• Communications relating to the value of the information

Although electronic evidence is a big part of investigations into IP theft, let’s not forget traditional investigative techniques. Interview former colleagues to better understand the departing individual’s state of mind. Also, examine other sources of information that could lead to relevant evidence:

• Discussions the employee might have had with other employees about leaving the company to start a business or to convince them to join him or her in a new venture

• Logs showing that the employee or consultant had been working long hours when their workload didn’t warrant it

• Business records showing that the suspect had registered a company prior to his or her departure

The best way to address IP theft is to not let it happen. A well-written security policy and associated controls is the first line of defense. But if it does happen, electronic evidence is the first place to look.

Jean-François Legault is a senior manager with Deloitte’s Forensic & Dispute Services practice in Montreal. Canada. 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.