INFORMATION & TECHNOLOGY LAW
Former Employees and the
Need for Technological Security
By Jon M. Garon*
As published in Interface Tech News, June, 2002
In the information age, companies unfortunately find themselves as the target of significant intellectual property theft, because 'that's where the money is.' While much of the privacy and security rhetoric focuses on the improper intrusion into electronic information by mysterious third parties — hackers, pirates, terrorists, and sexual predators — most of the vulnerabilities are much closer to home.
The economic slowdown and large layoffs provide opportunities for mischief. (Just remember the missing W's from the Whitehouse keyboards). Layoffs and business retooling often lead to embittered employees. Among these, a small fraction occasionally strikes out at current or former employers by exploiting the vulnerabilities they have observed — or created —while giving their effort to the company. The result is an incendiary combination of motive, opportunity, and effectiveness that can instantly cripple a company, and push a tottering organization into the bankruptcy abyss.
The techniques are legion. Former employees often have the ability to quarantine viruses rather than eliminate them so that they can be released internally. Executable programs can be left on computer servers that will run only when the infrequent, but inevitable reboot of the server is completed. Client lists, product specifications, source code, production schedules, passwords, customer credit card or account numbers, and many other forms of valuable, sensitive data can be copied onto CD's, PDA's, off-site servers, or e-mail and removed from the corporation. Those seeking to do harm can destroy the data; those seeking financial gain can retain the data; and a few bold thieves may try both.
The F.B.I. and the Criminal Justice Response
Fortunately, intellectual property protection provides both civil and criminal protection to its owners. As a result, a host of state and federal laws protect the owners of intellectual property. The U.S. Department of Justice has authority to investigate and prosecute claims related to copyright and interstate crimes or crimes using interstate commerce, such as telephone or telecommunications systems. The local field offices of the F.B.I. have become increasingly sophisticated at helping companies who have been the victims of significant criminal activity and many recent prosecutions stem from the activities of former employees.
The minimum jurisdictional requirements for the Justice Department vary depending on the activity involved. For most computer crimes, there must be $5,000 in damage or theft, but there is no financial requirement for government computers, physical injuries, or threats to public health or safety. For claims of copyright infringement, the monetary threshold for criminal liability is $1,000. The Justice Department has created a very helpful website dedicated to computer, intellectual property, and cybercrime issues to help explain these laws.
In addition, state laws often provide similar protections criminalizing the unauthorized accessing and copying of computer files or the destruction of computer data and software. In New Hampshire, for example, the laws generally track those of the federal government, but require only a $250 threshold. Unfortunately, local law enforcement is not as sophisticated as the F.B.I. when it comes to these issues, so the initial telephone call to the police department may be met with questions and confusion rather than a charge to action.
The Importance of Deterrence
The real importance of the state and federal criminal laws is not to exact judicial retribution, but to act as a deterrent to the criminal misconduct. Only the smallest fraction of computer and cybercrime flows from ingenious criminal planning. Most comes from the ease with which the crime can be committed, the small risk of getting caught, and the trouble it can cause the victim. By planning ahead, a company can make the misconduct significantly more difficult, increase the likelihood the attacker will be caught, and warn troublemakers enough to deter misconduct.
The response should start with an explicit warning. Every IT department and HR department should have a poster which reads "Copying is Stealing — Don't Do It!" which goes on to list the many federal crimes related to copyright infringement, trademark falsification, trade secret theft, computer tampering, hacking, interception of electronic communications, and the many others.
The warning should be incorporated into the employee handbook. These are felonies, so a company could reasonably provide that any employee terminated for committing a felony directed at the company, its clients or employees (whether or not convicted) may lose severance, pension, and unemployment benefits. A restatement of this policy at the time of termination may remind people that a moment of revenge is not worth the financial costs involved. In addition, the company should train people regarding acceptable and unacceptable behavior involving private data and computer security. Breaches of these policies should be treated like other serious employment misconduct, with policies calling for written incident reports and meaningful follow-up.
In addition to the warnings and training, IT security should be reviewed regularly by an independent company. Financial departments learned long ago that treasurer/comptroller should not be the sole signatory on the checks. Despite Enron, outside auditors, separate treasurers from financial officers, and two-signature checks still all help to reduce the risk of embezzlement. IT has become as important and as ripe for embezzlement as the finance department, so a similar system of checks and balances needs to be utilized.
For many companies, the first and only step in the security process has been to lock an employee out of the building upon termination. This brutal, but sometimes warranted technique physically separates the employee from the computers and resources necessary to steal. Whether or not such a step is always mandated, the procedure should also include immediate disabling of that employee's passwords and a change of common security information (keypads, etc.) to which the employee had access. Offsite access should also be disabled immediately. If any misconduct is suspected, the computer should be quarantined. A review of the Internet and e-mail logs and of trash files may also indicate what the computer has been used for recently, providing evidence of misconduct or evidence helpful to refute such an allegation.
The key to any response timing. Once a decision has been made to terminate an employee or a report has been made that an employee is improperly removing data, the company must be able to take immediate, comprehensive action. Weekends are an ideal time to cause damage or steal information. A company must be able to respond even on a Sunday.
Senior officers require additional safeguards because they may have access to other people's passwords or may have taken home significant amounts of proprietary data, documents and materials to be legitimately used at home. In these cases, the most sensitive information must be retrieved. For the rest, the company must make explicit the consequences to the employee of violating the confidentiality obligations the former employee holds to the company. The confidentiality obligations are best if they are part of the initial employment agreement, but even absent such an agreement, the confidential trade secrets of a company cannot be disclosed by a former employee.
Taken together, improved warnings and better physical security focusing on internal access will allow a company to protect itself. By making security part of the culture, it can be implemented in a manner which is prudent rather than onerous. In those situations where the worst does come to pass, the knowledge of the criminal sanctions available may make the disgruntled employee more reasonable.
Finally, when internal measures fail, the F.B.I. is ready to serve. The telephone number of the local field office should be added to the internal telephone directory — just in case.
*Jon M. Garon is admitted in New Hampshire and California.
Return to top of page
Return to Technology Law Articles
Return to Firm Publications
