The enemy within: investigating insider IP theft
February 2020 | SPOTLIGHT | INTELLECTUAL PROPERTY
Financier Worldwide Magazine
In today’s connected world, what scares the chief executives, boards of directors, customers and shareholders of any company is a large-scale data breach perpetrated by third parties, resulting in untold financial and reputational costs. Moreover, resources expended in determining the breach vector, investigating who did it, remediating to ensure it does not happen again, fines and penalties as a result of litigation and, of course, the legal and cyber security consulting fees, could easily extend into eight digits.
What most company stakeholders pay far less attention to, at their own peril, is the more insidious death by a thousand cuts – critically, valuable intellectual property (IP) theft committed by company insiders as a result of siphoning off the company’s crown jewels one byte at a time. While US government prosecutions of IP theft have increased in recent years, along with heightened awareness of the need to protect trade secrets in the EU, just like any other type of crime, law enforcement cannot be everywhere at once. It is incumbent on every company to be itself capable of investigating these matters.
Picture a threat equation where ‘threat = likelihood x vulnerability x impact’. The likelihood of an insider stealing, or attempting to steal, a company’s IP is very high. Just ask anyone at Eli Lilly, Motorola, Valspar, GE, Société Générale and Citadel, to name a few. The vulnerability is real. There is no perimeter to defend when it comes to insider IP theft since the perpetrators are already in the vault. As alluded to above and factoring in the loss of current and future business, the impact is substantial, but a well-structured and executed investigation can best address and reduce the threat of insider IP theft by disrupting the impact factor.
Investigative goals
The approach to investigating insider IP theft, like every investigation, begins with establishing goals. In a typical investigation, one’s investigative goals are simple: conduct a thorough, independent, expeditious and objective factual inquiry capable of withstanding intense scrutiny from internal and external stakeholders, protect the integrity of the investigation and the reputation of reporters and those alleged to have engaged in misconduct, manage internal communications, and recommend remedial and disciplinary measures as appropriate.
Investigations of insider IP theft are different. The goals should reflect that speed is of the essence in order to minimise the impact from the misconduct. One must quickly find the IP at issue where the focus is not on ‘whodunnit’ but rather on ‘what happened’. Then, a series of questions should be asked. If IP was downloaded, was it transferred outside of the company’s network? How was it transferred? Where is the IP now? Concurrently, you can pivot to the ‘who did it’ by focusing the inquiry to identify the insider’s motivation. Is she working for personal gain or to start a new business? Is the insider working for the competition, a hacker or a foreign government? Finally, do not forget to address the means of preventing or at least minimising the recurrence of IP theft via the same vector.
Triage
In-house investigators, whether learning of an incident from the security team, a business group or from a tap on the shoulder by the government, need to adroitly focus their inquiry in order to allow the company to shape how fast, wide and deep the investigation must proceed. Focus on whether the IP is considered a trade secret, valuable or sensitive, i.e., something we care about. Ask: does the company classify the IP as public, internal, confidential or restricted? Where does the IP reside: network, shared locations, employee laptops, external devices, hard copy in a drawer or a combination of some or all of these? Who has access to the data? Is it a current employee, including employees recently notified of their separation from the company, a contractor, a joint venture (JV) partner or a combination?
Initial steps
In a typical investigation involving breach of law or the company’s code of conduct, the investigations team is brought into the picture well after the critical events occurred, where the aim is to identify whether the allegation is true, and if so, who did it and how she can be disciplined. With insider IP theft investigations, the conduct is more recent; in fact, many times it is still ongoing, which requires a bias toward investigative action in order to increase the likelihood that the IP might be retrievable before it is disseminated by the thief or used by others. Imagine riding a unicycle, while juggling chainsaws, in the express lane of an interstate, at night, while blindfolded in the rain, and you would be fairly close to describing the terrain an investigator encounters at the outset of an IP theft investigation.
There are many hurdles to overcome even at this early stage of the investigation that one would not encounter in a Foreign Corrupt Practices Act (FCPA) or HR investigation. For instance, numerous stakeholders are affected by the IP loss, there is a lack of appreciation of the threat by executives, and friction within various teams, such as security, IT and compliance, exists. Leveraging your relationships within the company and your communication skills will help you push through in order to start the substantive investigation.
Craft the team by starting with the folks closest to the data and controls environment. Use forensics resources at your disposal to track the IP’s egress from the company’s environment. The longer it takes to identify the data removed and to begin responding, the greater the potential impact.
Cyber forensics deployed by experienced, well-trained team members is a force multiplier. They can inform as to whether the IP was downloaded, copied or transferred and by what means, such as USB, email or hard copy. They can tell if there is evidence that wiping software was employed. Determining which employee was in contact with whom, how often and when is a task this part of the team should perform, as it will provide insight as to whether the suspect employee acted in concert with others, guide further data collection and analysis and establish interview sequencing.
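The forensic questions above (was the IP transferred out, by what means, and where did it go) applied to event records, as an added example that is not part of the original article. The record format, field names, mail domain and sample rows are constructed assumptions, not the export of any real product.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records in a hypothetical export format:
# time,user,action,channel,classification,item,destination
SAMPLE_LOG = """\
2020-01-06T08:55:10,asmith,download,share,restricted,design_v7.dwg,LAPTOP-114
2020-01-06T21:40:02,asmith,copy,usb,restricted,design_v7.dwg,USB:SERIAL-0A1
2020-01-06T21:47:33,asmith,send,email,confidential,pricing_2020.xlsx,asmith.home@example.net
2020-01-07T09:12:45,bjones,send,email,confidential,pricing_2020.xlsx,cfo@corp.example
2020-01-07T10:03:00,bjones,print,hardcopy,internal,lunch_menu.pdf,PRN-3F
2020-01-07T23:05:19,asmith,print,hardcopy,restricted,design_v7.dwg,PRN-3F
"""

FIELDS = ["time", "user", "action", "channel", "classification", "item", "destination"]
SENSITIVE = {"confidential", "restricted"}  # the two upper tiers named in the article
INTERNAL_MAIL_DOMAIN = "corp.example"       # assumed company mail domain

def left_environment(row):
    """True when the record shows data leaving company-controlled storage."""
    if row["channel"] in ("usb", "hardcopy"):
        return True
    if row["channel"] == "email":
        return not row["destination"].lower().endswith("@" + INTERNAL_MAIL_DOMAIN)
    return False  # e.g. a download from a share to a managed laptop

def triage(log_text):
    """Return {user: {item: [(time, channel, destination), ...]}} for sensitive egress."""
    findings = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        if row["classification"] in SENSITIVE and left_environment(row):
            findings[row["user"]][row["item"]].append(
                (row["time"], row["channel"], row["destination"]))
    return {user: dict(items) for user, items in findings.items()}

def first_egress(findings):
    """Earliest egress time per user: the point from which the response clock runs."""
    return {user: min(t for hits in items.values() for t, _, _ in hits)
            for user, items in findings.items()}

if __name__ == "__main__":
    for user, items in triage(SAMPLE_LOG).items():
        for item, hits in items.items():
            for when, channel, dest in hits:
                print(f"{user}  {item}  {when}  via {channel} -> {dest}")
```

The per-item channel list shows whether one file left by more than one route, which helps decide what to collect next and in what order to interview.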
Another area warranting early attention in an IP theft incident is how the company handles the inevitable media interest. For instance, should the company proactively issue a press release, and if so, what should it say, how should it be said and by whom? These are all critical factors impacting on how the public, employees, shareholders and the market respond to such news.
Interviews
Once the team knows what IP was taken, how it was removed and who likely was involved, it is time to start interviewing. Following introductions, Upjohn admonitions and gathering background about the interviewee (her role, tenure with the company, familiarity with relevant IP policies), the interview must address certain areas which are critical in developing necessary facts should the company decide to refer the matter for criminal prosecution under the US Economic Espionage Act or pursue civil remedies under the US Defend Trade Secrets Act or similar statutes.
Questions should be asked to determine if the subject employee had authorised access to and a work-related reason to download and transfer the data. Another area to develop is whether the employee had frequent and planned foreign travel or contact with foreign officials, representatives of competitors or other suspicious third parties. The investigator should ask if the employee executed her company’s version of an ‘IP protection pledge’, and whether the employee received relevant training on safeguarding and not misusing the company’s IP.
Paramount for law enforcement officials, given their limited resources, is determining how well the company protected its IP. The more lax a company is in protecting its IP, the less likely law enforcement is to take an interest in pursuing criminal charges, and the lower the odds that a trier of fact will be disposed to find in favour of the plaintiff company in civil litigation. For example, in 2018, a US appellate court, even though it was undisputed that a vice president (VP) of sales for the plaintiff downloaded hundreds of files containing IP on his last day with the company and used that information to launch a competitor company, ruled that the plaintiff failed to take adequate measures to protect its IP and rejected the plaintiff’s claim under the state equivalent to the Defend Trade Secrets Act.
Findings and recommendations
With insider IP theft investigations, there are three expected outcomes. First, the ‘non-event’, in which the purported theft was merely a legitimate, work-related data transfer. Second, the ‘policy violation’, when a work-related data transfer occurred due to ignorance of company policy or an employee trying to be efficient, such as emailing valuable IP to his personal email account so he can work while commuting home, with no ill intent, but where the employee knowingly circumvented IP protection policy. Third, the ‘malicious act’, where an employee deliberately removed the company’s IP for use by herself or others. In this case, remedial action includes internal discipline, filing a civil suit and making a criminal referral. For this last option, federal law enforcement will ask the company to, at a minimum, answer these questions: (i) what is the value of the IP; (ii) did the employee have authorised access to the IP; (iii) how well was the IP protected; and (iv) what was the employee going to do with the IP?
The chances of a federal prosecution are enhanced if the data carried a high value, the employee did not have authorised access to well-protected IP and the employee planned on putting the IP to use in a new or existing competitive entity or delivering it to a foreign government agent.
What can you do?
The compliance team should use these investigations as learning opportunities for every member of the company. The threat of insider IP theft needs to be communicated to and appreciated by everyone from the C-suite to the design shop, on a par with efforts to raise awareness about the risk to the company from FCPA and sexual harassment misconduct. Studies have shown that a large percentage of insider IP theft cases could have been prevented or their impact minimised had employees known what to look for and reported their observations.
Basic training for each employee on the following signs of potential insider IP theft should be mandatory: visits to the copy machine at odd hours; asking for access to files outside the scope of work; seeing USBs attached to laptops; employees working unusual days or hours; changes in behaviour, such as formerly happy and engaging employees now being withdrawn and sullen; unexplained wealth; and new or frequent foreign travel.
Well-executed investigations of insider IP theft can turn a horrible day for the company into just an uncomfortable hour.
Joseph Alesia is senior counsel, business integrity group at Nokia. He can be contacted on +1 (224) 205 0308 or by email: joe.alesia@nokia.com.