To Catch a Data Thief

Once you suspect data theft, move fast to preserve evidence.

By Dylan W. Wiseman and Aaron D. Crews Nov 1, 2009

Unfortunately, theft of electronic devices is becoming as common as swiping Post-it notepads. More than 60 percent of U.S. workers who left their employers in 2008 took some data with them, according to a Feb. 24 article in The Economist.

Catching a thief can be difficult when stolen information is downloaded on tiny iPods or flash drives. And yet, finding culprits is imperative, as stolen data often includes proprietary or private information or trade secrets.

In the recession, many laid-off employees, who feel they have nothing to lose, walk off with data they no longer have any right to use. This problem is likely to grow in good times as well as bad.

Investigation Essentials

HR professionals need to work with information technology and legal staff members to respond quickly and preserve critical evidence during the precious hours and days immediately following the discovery of suspected data theft. That means having a plan in advance.

Here are suggestions for what to include in your data theft response plan.

Electronic evidence is akin to words written in sand near the edge of the water. Unless collected and preserved in a proper and timely manner, it can be altered, erased or rendered unrecoverable. So, where and how a company investigates suspected wrongdoing can be pivotal to subsequent legal action.

Protect Electronic Data in Exit Interviews

As employees depart, HR professionals should use the exit interview process as a tool to help protect intellectual property. Signed copies of confidentiality agreements should be presented to employees during exit interviews, and they should be reminded verbally of their obligations to maintain confidentiality of records, electronic files and information learned while working at the company.

Employers should have each departing employee sign a document representing that he or she has returned all documents, computers and electronic storage devices, and that he or she has not made copies of such records.

If departing employees are given severance, any mutual release terms included in the severance agreement should expressly exclude known and unknown claims by the employer pertaining to the use or disclosure of its confidential or proprietary information or trade secrets. The best practice is to expressly reference all confidentiality, post-termination restrictive covenants, intellectual property assignment and nonsolicitation agreements in the severance agreement, and make it clear that those obligations carry forward after the severance agreement is executed.

If the employer learns that an employee who will be given a severance has not signed the company’s confidentiality agreements, those protections should be inserted into the severance agreement.

Finally, each departing employee should be sent a letter attaching a copy of his or her signed confidentiality agreements. In the letter, the company should again assert that the former employee’s confidentiality obligations apply to all records and files and also include the former employee’s memory of confidential information and trade secrets.

When investigating suspected data theft, be sure to:

Involve computer forensics personnel early. Members of a company’s IT staff often will try to help by looking for evidence of data theft on the suspect employee’s computer or in e-mail. In doing so, however, IT employees risk trampling critical electronic data.

A company official who suspects that a current or former employee has engaged in data theft should immediately bring in a qualified expert in computer forensics. Before hiring an expert, make sure that the expert’s professional credentials are current and include certificates for using the major forensic tools: EnCase and FTK.

If the matter proceeds to litigation, the computer forensics expert likely will need to testify about the investigation and its findings. So, hire an expert who speaks "plain English." Qualified computer forensics technicians also must be extremely concerned about the chain of custody of evidence so their findings can be used in court.

Consider the workplace a crime scene. Once an official suspects data theft, the guiding principle must be "Do no harm." Until advised otherwise by someone trained in computer forensics, employees investigating data theft should leave hardware believed to contain potential evidence in its current state; computers that are on should be left on, and computers powered down should be left off.

Every company has electronic data that is updated daily or weekly, such as customer databases, research documentation or other records. HR professionals should promptly determine when and how data a departed employee might have accessed was backed up. Immediately preserve the most recent backup records.

Document the investigation. In the heat of the moment, it’s easy to fail to document the course of the investigation from the beginning. But documentation is critical to legal proceedings, as it helps prove that the investigation was legitimate and reasonable. In addition, chain-of-custody documents should record the handling of electronic storage devices.

Contact experienced counsel early. A company’s intellectual property can be its most valuable asset. Promptly consulting with qualified legal counsel can make certain aspects of the company’s investigation subject to attorney-client privilege.

Where Else to Look

A qualified forensics technician’s review of information stored on the computer or mobile devices used by an employee suspected of data theft is just a starting point for a proper investigation.

Additional sources of possible evidence should be reviewed as part of the investigation, including:

Parking garage access records. If the company facility has a parking garage that requires employees to log their entries, the log records should be reviewed. Log entries showing the suspect employee entering the garage during abnormal hours are circumstantial evidence that can bolster other evidence. If the company does not own or control the garage, it is worth asking the controlling company whether it will search its logs for evidence of the suspected data theft.

Building surveillance footage. If a facility has surveillance cameras, review the recorded footage from company offices and the building. In many cases, footage from security cameras proves that an employee suspected of data theft left the premises with records or other information.

Office access logs. Like the entry logs kept by some parking garages, many offices require employees entering the premises outside of normal working hours to use a key card or other form of electronic access. In many cases, these entries are logged. These logs should be reviewed.

Office telephone logs. Many companies are switching from traditional hard-line telephone service to service provided via voice-over-Internet-protocol (VOIP). Companies that have made this switch have telephone calls routed to a dedicated server. Calls logged on the server, and aspects such as the numbers called and the durations, can be recovered and analyzed by individuals trained in computer forensics.

Companies that have not yet made the switch to VOIP should review and retain telephone bills for calls made from the suspect employee’s office telephone. Calls to competitors, or to what turn out to be future employers, can bolster a trade secrets case.

Cellular telephone bills. If the company owns the mobile telephone assigned to the suspect employee, bills from the provider should be reviewed and retained. Depending on the carrier, bills can be obtained in an electronic format and downloaded to Microsoft Excel to search for suspicious calls.

E-mails. Employees engaging in data theft often use company e-mail in the process. Employees seeking to take electronic files may e-mail them to a personal e-mail account or other recipient rather than attempt to "walk out the door" with them. Assuming that the company’s e-mail system is server-based, as opposed to end-unit-based, someone trained in computer forensics should review and retain the suspect employee’s .pst (or similar) file.

SIM cards and memory cards. Most cellular and smart phones use subscriber identity module (SIM) cards or other electronic storage media. These cards store information that includes contact lists, call logs, mobile files, text files, pictures and music. A computer forensics expert should review and retain these cards for office cell phones.

Witness interviews. Conduct witness interviews with co-workers who may have observed suspicious behavior while information is still fresh in their memories. Make sure interviews are well-documented. Recreating the suspect employee’s typical day might help locate records of the employee’s daily activities.

Prevent and Respond

In the digital world, attempted data theft is common, and market forces created by the global economic environment are likely to make it more common. Executives should be prepared to deal with the problem proactively.

Investigating suspected employee data theft is complicated and time-consuming. Prophylactic measures can deter some employees from engaging in data theft.

However, once someone suspects data theft, a complete, well-planned and well-orchestrated investigation should be conducted as soon as possible. When done correctly, a timely investigation can minimize or prevent massive losses that often accompany sensitive data walking out the corporate door. 
