The Top 5 Considerations of IP and Trade Secret Theft Investigations

The biggest threat to a company's intellectual property doesn't come from the outside; it comes from within. According to a recent study, the U.S. Chamber of Commerce estimates that 75% of employees steal from the workplace.[i] Sometimes intellectual property is not properly accounted for, such as when a salesperson exits the company and corporate does not perform a proper exit interview and associated procedures, or when the salesperson neglects to erase sensitive client data from his or her personal computer after leaving the company. Other situations are conducted with malice, such as when an employee downloads proprietary materials from internal databases and transmits them to a competitor. Perhaps the most serious and potentially threatening scenario is when a team of employees collude to steal trade secrets as they depart the organization to form a competing business.

Regardless of whether the theft is a mistake or deliberate, when a theft occurs, a company needs to protect itself and its valuable information before significant damage is done. To do this requires a thorough investigation of the company's data systems and, if possible, the hardware devices used by the likely suspects. These are sophisticated forensic investigations, often well beyond the capability of a company’s information technology or security staff. Companies should consider an independent forensic investigation team that is versed in proper evidence collection procedures such that the investigation and following litigation, if needed, will not be compromised by tainted evidence due to faulty collection practices.

The following are five of the top considerations companies should take into account prior to initiating an IP theft investigation.

1. Modern Technology Benefits the Thieves: As technology has changed, so too have the methods of IP theft. A while ago, a perpetrator would have to steal an entire notebook or even a file cabinet from an office or building unnoticed. Today, USB drives and smartphones are becoming physically smaller while storage capacity is increasing at an extraordinarily fast rate. Additionally, with so much information stored electronically and in cloud environments, transmitting sensitive data from one location to another has become incredibly easy. This means there is a myriad of devices and transfer protocols that investigators may need to search to compose a picture of how the incident of theft occurred.

2. Modern Technology Can Also Benefit the Investigators: Some of the same advances in technology that aid criminals can also aid investigators in their attempt to piece together the crime. For example, files stored locally, such as Word and Excel documents, contain important metadata fields that investigators can rely on to help identify what material may have been taken. Also, while the Windows operating system doesn’t by default maintain a log of what files have been copied externally, computer forensic examiners can analyze certain operating system artifacts to understand the events that transpired leading up to the potential copying of data. For example, by examining the Microsoft Windows Registry, investigators may be able to learn when a USB drive was connected to the PC and the USB drive’s serial number.

3. Preservation Is Key to a Defensible Investigation: If a company suspects that it is the victim of IP theft, preserving the integrity of the potentially compromised files should be a priority since it could impact the company’s options for future action. This requires the technical skills of a computer forensics expert. Improperly accessing the files can inadvertently alter the metadata or hamper the ability to recover deleted files and result in spoliation of evidence. It is critical that companies only employ a trained professional to access the data using trusted forensics technology. For example, the forensics expert will properly preserve the original device and create a “working” copy of the device for investigation purposes. Bottom line, the original device is preserved and is not altered.

4. Conducting an Investigation Should Be a Business Decision: Conducting a forensics investigation on every outgoing employee's computer devices may not be practical. Instead, companies should assess the context of an employee's departure to determine whether launching a forensics investigation is a sound decision. For example, if an employee has only been at a company for two weeks and has had low-level access to internal information, he is probably not a significant threat. Then again, with poor information security and the proliferation of devices to download data, think WikiLeaks, a lot of damage can be done in days or even hours. Certainly, whenever a senior member leaves or if several employees all exit at the same time, the cost of a forensics expert may far outweigh the cost of uncertainty.

5. Rely on an Expert Data Forensics Specialist: Because of the complexities that surround handling electronic data, it is critical that companies invest in skilled data forensics specialists for IP theft investigations. As mentioned earlier, the data forensics expert can forensically image relevant computer devices and preserve the integrity of associated metadata. Additionally, a specialist will have a general understanding of business computer systems, how they might be used and where data lives, which results in an expedited investigation process. If questions arise about the company's IT network, data forensics experts are trained to effectively communicate with counsel, preparing affidavits, experts reports, and testifying to help the company pursue injunctions and court orders to stop the thief from using and exploiting the company’s stolen intellectual property.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.