Managing the New Company Thief

It used to be that an employee desiring to steal $2 million from your company would have a hard time doing so unnoticed. Today, that employee can do so undetected while having a casual conversation with you in the office.

Up until recently, sophisticated firewalls and password protection have been relatively sufficient to protect sensitive company information. Now, these measures are anything but sufficient. The proliferation of electronic devices such as iPods, camera cell phones, thumb drives, Blackberries, flash drives, and all other sorts of downloadable devices have made all companies at risk for insider theft right under their proverbial noses. With the use of these devices, downloading significant amounts of data is easy, virtually instantaneous, and often very difficult to detect. Indeed, numerous companies have had valuable proprietary information stolen covertly by their own employees. Those that haven't yet are undoubtedly at risk. The security risks associated with these new portable electronic devices apply to essentially all companies that, in the course of doing business, allow employees' access to electronically stored, confidential, and proprietary information.

Unfortunately, in the current environment, the legal system is not forgiving toward companies that take a more relaxed approach with respect to protecting their own sensitive information. The Uniform Trade Secrets Act, adopted by many states, requires that companies exercise reasonable efforts to maintain the secrecy of confidential information before the information can be protected under trade secrets laws. A lack of such efforts taken by a company precludes its ability to seek protection of its sensitive information.

And although industry studies show that 70% of company computer system hackings are executed by company insiders, even when theft isn't a goal by insiders, the pocket devices used by employees to transport data between home and work, or on the road when traveling, are susceptible to theft just like any other piece of personal property. The person who happens to find the thumb drive inadvertently left behind in a cab can exploit the company information on the device just as easily, if not more easily, than the hacker that used to represent the company's biggest security concern. Indeed, 26.5 million veterans recently learned the pain associated with poorly organized computer security practices when their personal information, including birth dates and Social Security Numbers, was stolen from a Department of Veterans Affairs employee's home via his laptop computer and a portable device. Although that laptop was eventually located and it was determined that the data had not been compromised, the case highlighted the vulnerability of personal data on portable electronic devices. Stolen private customer or client information not only puts a business and its trade secrets at risk, but also subjects the business to legal liability claims by individuals or other companies whose private information is leaked as a result. In addition, the business's reputation and ability to attract new customers or investors in the future may be damaged beyond repair.

So what is today's company supposed to do to protect its valuable, sensitive information in the face of the risks posed by new portable devices?

Of course, the most efficient way to prevent downloading abuse is to ban use of these portable electronic storage devices, a move that many companies have considered. Yet, the convenience and value to companies afforded by these devices is difficult, if not impossible, to ignore. The ability of employees to transport data so that they may work from anywhere provides enormous value to companies, sometimes affording them efficiencies not obtainable otherwise. The ability to work outside the office gives companies a competitive advantage. It is often not only necessary for today's companies to remain competitive, but their clients also demand it.

While not foolproof, there are many other less dramatic changes a company can implement to protect itself from vulnerability while still enjoying the benefits of today's portable technology:

1) Adopt a policy forbidding misuse. Such a policy, often referred to as a 'Portable Storage Device Policy,' announces to employees, and ultimately to courts, that the company does not tolerate abuse of portable storage devices. The policy should include the following elements:

• a statement detailing the intent and purpose of the policy, ie, why portable storage device usage is a concern and how the company is acting to address the risks associated with it;
• a nonexclusive list of the technologies and devices to which the policy applies, such as camera cell phones, PDAs, iPods and other devices for downloadable music, CD burners, thumb drives, etc.;
• a mandate forbidding personal stor-age devices from being attached to company computers or networks and requiring that only company-provided and approved portable storage devices may be used for data storage and transport;
• a requirement that passwords are to be activated on all possible devices and a description of any technical safeguards implemented in furtherance of that policy;
• a statement reminding employees about the risks of theft and imposing a reminder to exercise reasonable care to guard against it;
• a suggested point of contact for re-porting concerns, including other employees' misuse of portable devices or theft of a device holding company information;
• a general reference to the employer's other data policies and/or a section detailing procedures for data handling, including how and when portable storage usage is allowed (ie, before attaching a portable storage device, the user must be identified and authenticated and a virus scan completed), as well as a requirement that all downloaded information must be encrypted.

The policy should be distributed to all employees and conspicuously posted. Ideally, it should contain a signature page requiring employees to read and sign off at the outset of employment. It should also be easily accessible on the company intranet or other frequented place for information on employee policies. And, as with other important employee policies, it should be redistributed annually to employees and updated as needed to reflect the changing face of technology.

2) A company serious about protecting its information may also consider having employees complete cybersecurity and information privacy courses annually. Consistent with the underlying technology, these courses could be Internet-based training programs.

3) A company should consider employing an appropriate electronic device security system that requires authentication of users, records information about the devices attached to it, and performs automatic virus scans. Such a system should also automatically encrypt all stored data at high speeds without requiring employees to do anything beyond authentication. Companies may also consider implementing security systems that allow network administrators to monitor and grant or deny access to employees attempting to download particular information with specific devices.

4) An employee exit interview is a company's last chance to protect its valuable information. Companies should require that all employees deliver back any computer, portable electronic storage device, or other device upon which company information has been stored, before they leave the company's employ. Even employee-owned devices upon which company information has been stored should be brought in to be cleaned of any proprietary or sensitive company information before an employee leaves the company's employ (assuming the company allows these devices to be used). Employees should be required to certify their compliance with these requirements. This provision may be included in the Portable Storage Device Policy agreed to by employees at the outset of their employment, and final paychecks may even be delayed until complied with, so long as the policy reflects such requirements and the withholding is consistent with state wage and hour laws.

Remember, even if not foolproof, these measures will at least assist a company in proving to a court that it used reasonable efforts to maintain the secrecy of its valuable information. Such a finding increases the company's chance of having its sensitive information protected by trade secret laws, allowing it to demand the return of such information and even sue for damages associated with its misappropriation. It also will save the pain of having to explain to investors or customers why the company's sensitive information is available for public consumption, a prospect just as frightening as having trade secrets out in the open, vulnerable to the competition.

Michael W. Droke, a partner at Dorsey & Whitney LLP, is the head of the Seattle office Labor & Employment Practice Group, co-chair of the Computer Fraud and Abuse Practice Group, and a member of both the Privacy Practice Group and Executive Compensation Team. Rachel E. Byrne is an associate in the Labor & Employment practice group. Her practice includes both labor and employment litigation and preventative counseling on all labor and employment matters. They can be reached at [email protected] and [email protected], respectively.

It used to be that an employee desiring to steal $2 million from your company would have a hard time doing so unnoticed. Today, that employee can do so undetected while having a casual conversation with you in the office.

Up until recently, sophisticated firewalls and password protection have been relatively sufficient to protect sensitive company information. Now, these measures are anything but sufficient. The proliferation of electronic devices such as iPods, camera cell phones, thumb drives, Blackberries, flash drives, and all other sorts of downloadable devices have made all companies at risk for insider theft right under their proverbial noses. With the use of these devices, downloading significant amounts of data is easy, virtually instantaneous, and often very difficult to detect. Indeed, numerous companies have had valuable proprietary information stolen covertly by their own employees. Those that haven't yet are undoubtedly at risk. The security risks associated with these new portable electronic devices apply to essentially all companies that, in the course of doing business, allow employees' access to electronically stored, confidential, and proprietary information.

Unfortunately, in the current environment, the legal system is not forgiving toward companies that take a more relaxed approach with respect to protecting their own sensitive information. The Uniform Trade Secrets Act, adopted by many states, requires that companies exercise reasonable efforts to maintain the secrecy of confidential information before the information can be protected under trade secrets laws. A lack of such efforts taken by a company precludes its ability to seek protection of its sensitive information.

And although industry studies show that 70% of company computer system hackings are executed by company insiders, even when theft isn't a goal by insiders, the pocket devices used by employees to transport data between home and work, or on the road when traveling, are susceptible to theft just like any other piece of personal property. The person who happens to find the thumb drive inadvertently left behind in a cab can exploit the company information on the device just as easily, if not more easily, than the hacker that used to represent the company's biggest security concern. Indeed, 26.5 million veterans recently learned the pain associated with poorly organized computer security practices when their personal information, including birth dates and Social Security Numbers, was stolen from a Department of Veterans Affairs employee's home via his laptop computer and a portable device. Although that laptop was eventually located and it was determined that the data had not been compromised, the case highlighted the vulnerability of personal data on portable electronic devices. Stolen private customer or client information not only puts a business and its trade secrets at risk, but also subjects the business to legal liability claims by individuals or other companies whose private information is leaked as a result. In addition, the business's reputation and ability to attract new customers or investors in the future may be damaged beyond repair.

So what is today's company supposed to do to protect its valuable, sensitive information in the face of the risks posed by new portable devices?

Of course, the most efficient way to prevent downloading abuse is to ban use of these portable electronic storage devices, a move that many companies have considered. Yet, the convenience and value to companies afforded by these devices is difficult, if not impossible, to ignore. The ability of employees to transport data so that they may work from anywhere provides enormous value to companies, sometimes affording them efficiencies not obtainable otherwise. The ability to work outside the office gives companies a competitive advantage. It is often not only necessary for today's companies to remain competitive, but their clients also demand it.

While not foolproof, there are many other less dramatic changes a company can implement to protect itself from vulnerability while still enjoying the benefits of today's portable technology:

1) Adopt a policy forbidding misuse. Such a policy, often referred to as a 'Portable Storage Device Policy,' announces to employees, and ultimately to courts, that the company does not tolerate abuse of portable storage devices. The policy should include the following elements:

• a statement detailing the intent and purpose of the policy, ie, why portable storage device usage is a concern and how the company is acting to address the risks associated with it;
• a nonexclusive list of the technologies and devices to which the policy applies, such as camera cell phones, PDAs, iPods and other devices for downloadable music, CD burners, thumb drives, etc.;
• a mandate forbidding personal stor-age devices from being attached to company computers or networks and requiring that only company-provided and approved portable storage devices may be used for data storage and transport;
• a requirement that passwords are to be activated on all possible devices and a description of any technical safeguards implemented in furtherance of that policy;
• a statement reminding employees about the risks of theft and imposing a reminder to exercise reasonable care to guard against it;
• a suggested point of contact for re-porting concerns, including other employees' misuse of portable devices or theft of a device holding company information;
• a general reference to the employer's other data policies and/or a section detailing procedures for data handling, including how and when portable storage usage is allowed (ie, before attaching a portable storage device, the user must be identified and authenticated and a virus scan completed), as well as a requirement that all downloaded information must be encrypted.

The policy should be distributed to all employees and conspicuously posted. Ideally, it should contain a signature page requiring employees to read and sign off at the outset of employment. It should also be easily accessible on the company intranet or other frequented place for information on employee policies. And, as with other important employee policies, it should be redistributed annually to employees and updated as needed to reflect the changing face of technology.

2) A company serious about protecting its information may also consider having employees complete cybersecurity and information privacy courses annually. Consistent with the underlying technology, these courses could be Internet-based training programs.

3) A company should consider employing an appropriate electronic device security system that requires authentication of users, records information about the devices attached to it, and performs automatic virus scans. Such a system should also automatically encrypt all stored data at high speeds without requiring employees to do anything beyond authentication. Companies may also consider implementing security systems that allow network administrators to monitor and grant or deny access to employees attempting to download particular information with specific devices.

4) An employee exit interview is a company's last chance to protect its valuable information. Companies should require that all employees deliver back any computer, portable electronic storage device, or other device upon which company information has been stored, before they leave the company's employ. Even employee-owned devices upon which company information has been stored should be brought in to be cleaned of any proprietary or sensitive company information before an employee leaves the company's employ (assuming the company allows these devices to be used). Employees should be required to certify their compliance with these requirements. This provision may be included in the Portable Storage Device Policy agreed to by employees at the outset of their employment, and final paychecks may even be delayed until complied with, so long as the policy reflects such requirements and the withholding is consistent with state wage and hour laws.

Remember, even if not foolproof, these measures will at least assist a company in proving to a court that it used reasonable efforts to maintain the secrecy of its valuable information. Such a finding increases the company's chance of having its sensitive information protected by trade secret laws, allowing it to demand the return of such information and even sue for damages associated with its misappropriation. It also will save the pain of having to explain to investors or customers why the company's sensitive information is available for public consumption, a prospect just as frightening as having trade secrets out in the open, vulnerable to the competition.

Michael W. Droke, a partner at Dorsey & Whitney LLP, is the head of the Seattle office Labor & Employment Practice Group, co-chair of the Computer Fraud and Abuse Practice Group, and a member of both the Privacy Practice Group and Executive Compensation Team. Rachel E. Byrne is an associate in the Labor & Employment practice group. Her practice includes both labor and employment litigation and preventative counseling on all labor and employment matters. They can be reached at [email protected] and [email protected], respectively.