Monitoring the Internal Threat

IDWise Logo

Can you remember the last time you rummaged through a physical file drawer at work?

Approximately 97 percent of corporate documents are now created electronically—which makes life a lot easier for everyone. Unfortunately, "everyone" can include a disgruntled or malicious employee who wants to steal sensitive data from your company.

What is employee data theft?

Employee data theft is the copying of confidential or proprietary data for personal gain and/or use by another company. The increased usage of technology such as USB flash drives, iPods, digital cameras, and smart phones has made this a growing problem.

The 2014 Verizon Data Breach Investigations Report found that breaches originating internally are on the rise. Some are due to human error; in other cases, employees who quit or are terminated often take confidential or sensitive data with them when they leave. Once information leaves your system, it can be shared anywhere and everywhere. Of course, not all of this data is personally identifying information (PII) that can be used for identity theft, but other information, such as trade secrets and intellectual property, can be just as damaging in the wrong hands.

How do employees steal confidential data?

The method of employee data theft has changed a great deal in the last decade. Where once data was copied onto a CD or DVD, more common today is the use of USB devices, smart phones, email, messenger services, and File Transfer Protocol (FTP).

What policies should I put in place to protect our data?

Employers should have a comprehensive set of company policies and procedures in place regarding data usage. These should include:

  • Acceptable Use Policy. This governs the use of all company hardware and software.
  • Data Classification and Retention Policy. Intended to identify the types of data created within a company and specify the length of time data should be retained.
  • New and Departing Employee Procedures. These procedures ensure the proper setup, maintenance and decommissioning of an employee's computer equipment from their first day on the job to their last.

What technologies should I put in place to protect our data?

Of course, all the policies in the world won't stop an employee who is determined to steal data. To further protect sensitive information, companies need to put technological safeguards in place, such as:

  • Preventing employees from installing software or hardware
  • Preventing employees from copying data to discs, USB drives, or FTP sites, unless there is a business need to do so
  • Monitoring or blocking malicious websites or those that allow easy transmission of data
  • Implementing a centralized logging device, which receives and aggregates all of a company's log files

What should I do if a current hire is stealing data?

Even though an employee currently working with your business may not be stealing physical items like copper insulation or office supplies, data is often even more valuable.

If you suspect an employee of theft, consider the following roadmap:

  • Gather your evidence. A good IT team can provide you with the digital fingerprints of a data theft.
  • Follow your discipline policy. If your business has an established policy, make sure it is being followed before you fire any employee.
  • Terminate the employee. You may terminate at-will employees immediately and without cause (even though your investigation may give you cause).
  • Notify the police. You are not required to notify an employee that you intend to call the police or press charges; doing so may be taken as a threat.
  • Don't discuss the employee. Do not leave yourself open to defamation suits by calling the employee a thief, even after the employee has been terminated.

What should I do if a former employee has stolen/is stealing data?

It is very common for former employees, especially those who have just been terminated, to take emails, personnel files, memos and other sensitive data from the company.

A business always has recourse in these cases, and can:

  • Send a cease and desist letter. You or your lawyer can easily draft a letter demanding that the employee return the data and destroy any remaining copies.
  • File a civil suit. If a former employee refuses to return stolen data, you may consider seeking a legal remedy.
  • Call the police. Give them your evidence and follow up with the case. Do not attempt to contact or warn the employee of the investigation.

Employee theft of company data is serious business. In addition to the above suggestions, it may also be wise to consult a small business attorney to figure out the best way for your business to address the issue.

How can computer and mobile forensics help me prove and prosecute a data theft?

In order to collect damages or an injunction against a current or former employee stealing data, businesses must prove two things:

  • That the departed employee took information without permission
  • That the stolen information caused harm

Computer and mobile forensics experts can find and document instances of an employee's improper conduct using specialized software, hardware, and techniques. For more information on how forensics can assist you with insider threat situations, see the Center for Identity's article "Using Computer Forensics to Manage the Internal Threat."

What legal remedies does my company have in the case of an employee data theft?

Once a security breach has been detected, the remedies available to the former employer are limited. The Computer Fraud and Abuse Act (CFAA), which authorizes losses to be recovered in a civil action, has limited application to stolen confidential electronic information. However, "losses" in this case means loss or damage suffered by computer systems--not losses of revenue or unfair competition.

The most widely used legal remedy in a case of stolen electronic information is an injunction, followed by a civil claim for one of the following:

  • Conversion, or any unauthorized act that deprives an owner of personal property without his or her consent.
  • Tortious interference, which occurs when one person deliberately damages another person's business relationships.
  • Misappropriation of trade secrets, or the theft of any formula, information, process or design belonging to the company.

Remember, to support any claims of theft, evidence of actual damages must be shown.

IDWise Logo
What is IDWise?

Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy. IDWise offers clear and accessible resources to empower citizens—both online and offline—to be better informed and make smarter choices to protect their personal information.

IDWise Logo

Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy.

Learn More