Theft of Confidential Info by Ex-Employee: 4 Steps to Fix the Damage


These days organisations require employees to have instant access to company information such as customer contacts, e-mails, and business-related documents. This ensures that they can provide customers with rapid answers and keep the business slick and efficient.

However, sometimes an employee may have access to more information than needed, specifically confidential information. This is because many organisations fail to control access to data and do not operate a “need to know” policy, which restricts access to sensitive data strictly to authorised employees.

As a result, when employees leave their job, it may be possible for them to take such confidential data with them into their new employment, and use it to their new employer’s advantage. This is likely to occur as employees often leave a job in one particular niche area to take a job with a competitor in a similar area.

There was a case in the UK where an insurance company allowed staff unrestricted access to data and was stunned when gruesome fatal car crash pictures involving a particular model of car appeared on their direct competitor’s website criticising safety records. The culprit was not in a claims role but in an internal administrative position.

What can you do if you learn that one of your ex-employees is suspected of taking confidential information?

Damage Limitation

Step 1: Do not turn on the ex-employee’s devices!

Usually the first reaction is to turn on the ex-employee’s computer and start blindly sifting through the data to try to locate signs of misconduct. However, thousands of files, and thus digital evidence, may be altered and/or destroyed by simply turning the computer on.

Hence, this is not a good first step, unless your organisation has trained personnel capable of acquiring data and performing a computer forensic investigation.

In the absence of such skills, you will need to consult experienced professionals to perform the investigation for you. They will ensure the data is preserved in a forensically sound manner, meaning that data is acquired as originally discovered and in a manner (i.e. the handling and storing of data) that is reliable enough to be submitted as evidence.

This way, in the event of litigation, evidence can be adduced in the correct and recognised manner, with assurance that the integrity of the evidence is in no way corrupted or destroyed during the investigation (which includes searching, tagging and exporting key investigative findings).

If the computer has been repurposed for the use of other staff, it is imperative that the computer forensics professionals get hold of the computer as early as possible and make a forensic image of it for preservation.

This is because every keystroke that the new user makes is potentially overwriting evidential data.

Step 2: Establish key details for investigation efficiency

Other avenues of search will involve working closely with your IT department and identifying key repositories of data such as network shares and cloud storage.

These repositories can provide access logs that allow you to see who had access to certain data and possibly present a timeframe wherein access to crucial information was granted and to whom.

The email repositories held by the IT department on the server can also give you a sense of what the ex-employee may have been up to over email, whether that is requesting access to unauthorised documents or arranging clandestine meetings with key customers.

Narrowing down a list of key information that was taken, a timeframe and the types of devices compromised will help the computer forensics professional in performing an effective investigation.
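As an added example (not part of the original article), this is one way to turn a file-share access log into the narrowed-down list and timeframe described above: it keeps only one user's accesses inside a date window that fall outside the folders their role needs. The log column layout, user names, paths and the `ALLOWED` map are constructed assumptions; work on an exported copy of the logs, not the live system.

```python
import csv
import io
import posixpath
from collections import defaultdict
from datetime import datetime

# Constructed sample log; columns (assumed): timestamp, user, action, path, bytes
SAMPLE_LOG = """\
2024-03-01T09:12:04,jdoe,READ,/shares/admin/rota.xlsx,18432
2024-03-11T18:47:10,jdoe,READ,/shares/claims/photos/case-1041.jpg,2411724
2024-03-11T18:47:55,jdoe,COPY,/shares/claims/photos/case-1042.jpg,2398110
2024-03-12T08:30:00,asmith,READ,/shares/claims/photos/case-1041.jpg,2411724
2024-03-12T19:02:31,jdoe,READ,/shares/sales/customers.csv,90211
2024-03-20T10:00:00,jdoe,READ,/shares/claims/reports/q1.pdf,120000
"""

# Hypothetical "need to know" map: share prefixes each user's role requires.
ALLOWED = {"jdoe": ("/shares/admin/",), "asmith": ("/shares/claims/",)}


def out_of_role_timeline(log_text, user, start, end):
    """Accesses by `user` in [start, end) outside their permitted prefixes."""
    prefixes = ALLOWED.get(user, ())  # unknown user: every access is flagged
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:  # skip blank or malformed lines
            continue
        ts, who, action, path, size = row
        when = datetime.fromisoformat(ts)
        if who != user or not (start <= when < end):
            continue
        # Normalise first so "/shares/admin/../claims/x" cannot pass as allowed.
        if not posixpath.normpath(path).startswith(prefixes):
            hits.append((when, action, path, int(size)))
    return sorted(hits)


def summarise_by_day(hits):
    """Collapse a timeline into {date: (event_count, total_bytes)}."""
    days = defaultdict(lambda: (0, 0))
    for when, _action, _path, size in hits:
        count, total = days[when.date().isoformat()]
        days[when.date().isoformat()] = (count + 1, total + size)
    return dict(days)


if __name__ == "__main__":
    hits = out_of_role_timeline(SAMPLE_LOG, "jdoe", datetime(2024, 3, 4), datetime(2024, 3, 16))
    print(hits, summarise_by_day(hits))
```

The per-day summary gives the forensic examiner specific dates and files to look for on the imaged devices.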

Your computer forensics investigation may also help to reveal removable USB devices, cloud storage accounts, etc. utilised by the ex-employee.

Damage Rectification

Step 3: Consider possible legal avenues to pursue against the ex-employee

Once the above-mentioned steps have been completed, and it has been established that the ex-employee has indeed gained unauthorised access to confidential information, your organisation should consult a lawyer to see what can be done to prevent the ex-employee from using the information in an illicit manner.

This could include the application for an injunction preventing further usage of data taken.

You may also need to consider other types of injunctions that allow you to seize, forensically examine and sanitise media which allegedly contains said confidential information.

If there are serious allegations of trademark, copyright or patent infringements, search orders may be granted to seek potential evidence belonging to the ex-employee at his/her new working location.

Damage Recovery

Step 4: What other steps can be taken?

To prevent future incidents of theft of confidential information by ex-employees, the following are some measures an organisation can take to beef up its internal controls on the distribution of confidential information:

  • Consider adding clauses to each employment contract to impose confidentiality and non-disclosure obligations. An ounce of prevention is better than a pound of cure!
  • Work with the IT department to draw up an acceptable use policy and introduce restrictions to data access on a “need to know” basis.
  • Consider setting up email, network and printer monitoring tools for detecting disclosure of confidential information.
  • USB ports and devices can be restricted to certain key functions within organisations dealing frequently with sensitive information.
  • Network-based file shares should ideally be configured with role-based file access coupled with access and transmission logs.
  • You can opt to restrict access to major cloud storage and file sharing sites such as Google Drive, Dropbox, Box or Pastebin. These represent a quick and easy way for users to siphon off your valuable data.

In some organisations, these steps may be too restrictive, and yet in other organisations they could be too little. You have to decide which types of controls suit your organisation without posing a major impediment to its functional capabilities.

Speak with us to understand how we can assist your organisation in reviewing your current practices and work with you to formulate a customised data protection methodology which suits you best.