Stopping the Thief in Your Company

For employers, theft committed by insiders is a growing problem. And it goes well beyond snatching notebooks, pens or other common office supplies. In many cases, they’re stealing expensive devices, money or even intellectual property.

Asset misappropriation—which includes theft of cash, inventory and confidential information—accounted for 86.7 percent of all internal fraud in the workplace in 2012, according to a global report from the Association of Certified Fraud Examiners (ACFE). That figure is up from 86.3 percent in 2010. The group estimates that employers typically lose 5 percent of their revenues annually because of internal fraud.

To protect the workplace, it’s a good idea to know who generally commits these crimes, and which employers are most susceptible. Businesses can minimize the risks by enacting a wide range of policies and procedures. If employers suspect that an insider is stealing, help is available from technology and the law.

Perpetrators and Victims

According to the ACFE, perpetrators of internal fraud tend to have “clean” work histories, yet there are often warning signs. Some of the group’s findings:

• Most perpetrators are first-time offenders.
• Insiders with more authority typically cause larger losses than people with lower rank.
• In the ACFE study, 77 percent of all the fraud was committed by people in one of six departments: accounting, operations, sales, executive/upper management, customer service and purchasing.
• The red flags frequently associated with misconduct include: living beyond one’s means, financial problems, an unusually close relationship with vendors or customers, and excessive control issues.

The U.S. Chamber of Commerce also urges employers to be aware of warning signs, such as working unusual hours, performing poorly on the job, and being defensive.

When examining insider theft of intellectual property, a 2011 Symantec reportfound a typical profile. Most intellectual property thieves are men an average age of 37. They often serve in technical roles, like engineering or programming. Many of them had accepted new jobs with other companies when the theft occurred.

Another Symantec study, released earlier this year, also raised alarm bells about behaviors and attitudes. The research, based on findings from about 3,300 people worldwide, studied the threat posed by workers who changed jobs over the past year. The study found that half of these workers kept sensitive information, and 40 percent intended to use it at their new workplace.

Many don’t even think it’s a big deal. In the study, 62 percent said there’s nothing wrong with transferring employer data to personal computers, tablets, smartphones or cloud file-sharing applications. And 56 percent said it’s acceptable to use competitive data from a previous employer.

Small businesses are especially vulnerable to internal fraud, because they usually have fewer resources to fight the problem, according to the ACFE report. The industries that are the most common targets of fraud: banking and financial services, government and public administration, and manufacturing.

Protecting Against Workplace Theft

To prevent and detect wrongdoing, employers can take the following steps:

Screen job candidates thoroughly. Even though the ACFE study found that most perpetrators have clean work histories, screening still provides another layer of protection. According to the Small Business Administration, background checks are especially important for candidates who would handle cash or expensive merchandise, and those who would have access to sensitive corporate information. Checking references is another smart step.

Pay special attention to the wording of the company handbook. In general, workers have no reasonable expectation of privacy when using the employer’s computer system, and the handbook should convey this to employees, according to San Francisco attorney Alan Levins of Littler. That way, employers can monitor and investigate if they learn of a breach, Levins told SHRM Online.“Otherwise, you could be limited in terms of what you can do,” he said.

Use confidentiality agreements. The confidentiality agreement should clearly state the employee’s obligation to keep the information confidential, both during employment and afterward, said Ulrico Rosales, a Palo Alto attorney at Wilson Sonsini Goodrich & Rosati. It also should describe the worker’s duty to return confidential information when leaving the company, he told SHRM Online.

Confidentiality agreements shouldn’t be too broad, according to Levins. The National Labor Relations Board (NLRB) has taken an interest in the specific wording of these documents—even if the employees don’t belong to a union. For instance, if an employer states that salaries and benefits are considered confidential, the agency could say that provision inhibits employees from talking among themselves about this issue, and it could regard that as an unfair labor practice, Levins noted. Employers should be familiar with the NLRB’s position, and they should be careful what they label as “confidential.”

Restrict access to sensitive information. Employers should limit access to confidential information on a need-to-know basis, through the use of passwords and other procedures, Levins said. Also, they should make it clear that the information is proprietary, according to Rosales.“Designate the information in ways that call attention to the fact that it’s sensitive information,” Rosales said.

Provide ongoing training. Levins advises companies to train employees on the need to protect confidential information. They could do this through meetings, newsletters, memos, and other ways. Be clear that protecting this information is a condition of employment, Levins said. This is a good way to reinforce the rules the company has discussed in its handbook, he added.

Conduct audits. The Small Business Administration recommends that employers identify their business’ high-risk areas, and then audit for violations every six months to a year. Some examples are expense reports, and cash and sales reconciliation.

Set up a hotline. An employer is more likely to discover wrongdoing through a tip than by any other method, according to ACFE. In its 2012 report, the group stated that hotlines should allow tips from both internal and external sources, and they should allow anonymity. Also, companies should encourage employees to report suspicious activity, and they should enact an anti-retaliation policy.

Use workforce monitoring technology. The digital forensics firm Sensei Enterprises recommends using monitoring technology to track employees’ computer activity. One option is “data loss prevention” technology, which automatically flags potential misconduct, such as accessing confidential files, according to a blog post by Sensei President Sharon Nelson.

Another option is logging. When employers enable logging, the logs are stored on a server, providing a tool that companies could use to investigate potential wrongdoing. Companies can set up their logging systems in different ways, Sensei Vice President John Simek told SHRM Online. For instance, a company could keep the logs for three months, and then overwrite them. In cases of suspected theft, the company could review the logs to see if there’s any evidence.

With the advances in technology over the past decade, people are using different methods to take sensitive corporate data, Simek said. Previously, employees planning to quit their jobs often used their personal e-mail accounts for this purpose. For instance, they might have copied confidential corporate data and sent it as an attachment to their Gmail or Yahoo account.

Now, people are turning to more sophisticated techniques.

“They’re using flash drives, because they’re small, and they can get such a large amount of data on them,” Simek said. “Most companies are not monitoring what’s happening through the USB port.”

Logging can help detect this problem. For example, it can track every instance in which an employee plugs a flash drive or other device into a computer’s USB port. This method also can track all files that are copied onto the flash drive, Simek noted.

Meanwhile, as the BYOD (bring your own device) trend gains steam, Sensei urges companies to be especially careful.

Develop specific procedures for departing employees. During exit interviews, an employer should provide a copy of the confidentiality agreement to the departing employee, Rosales said. The employer should get written acknowledgment that the employee understands the agreement, and the employee should certify that all copies of the company’s trade-secret information have been returned.

Employers also should emphasize that any violations would have negative consequences, according to Symantec.

Sensei suggests developing a “Departing employee checklist,” regardless of whether the worker is leaving on bad terms or good terms. The specific items on the checklist would vary by employer, but it could include changing office lock codes and collecting keys, Nelson wrote in the blog post.

The checklist should include a crucial step: terminating the employee’s remote access to the network. In many cases, employers could have prevented theft if they had just taken this step, Simek said. This could thwart a disgruntled employee who wants to “get even” with the company by copying or deleting files.

In a law.com article, Orrick, Herrington & Sutcliffe attorneys Sid Venkatesan and Elizabeth McBride also emphasize the importance of terminating remote access. Companies also should ensure that employees return all company-issued electronic devices, and they should store them in a safe location to prevent tampering, they wrote on law.com. They add that employers also could hire an intellectual property attorney and a digital forensics expert.

What not to do. The U.S. Chamber of Commerce warns employers not to detain or restrain employees suspected of theft, and not to defame them. Also, if a company is unsure about whether to bring charges, it shouldn’t threaten to prosecute.

Intellectual Property Litigation

When employers suspect theft of intellectual property, there’s always the possibility of litigation, and they should be aware of legal trends that could affect those cases.

Recent legal cases highlight the need for employers to carefully define their trade-secret rights, according to Wilson Sonsini. The cases have examined whether the California Uniform Trade Secrets Act (UTSA) preempts common law claims.

In one major federal case in the Northern District of California, Sunpower Corp. v. SolarCity Corp., Rosales represented the defendant. Sunpower claimed that several former employees had stolen sensitive files shortly before leaving the company for SolarCity. According to the company, they used USB devices, portable hard drives and other technology to store the information.

Sunpower alleged not only theft of trade secrets, but also misappropriation of “non-trade secret proprietary information.” The non-trade secret claims included breach of confidence, conversion, and common law unfair competition. Last December, the court dismissed the non-trade secret claims, ruling that they’re preempted by UTSA.

The Sunpower case reflects a nationwide trend, Wilson Sonsini noted in an online post. “The result is that a litigant bringing claims over the alleged misuse of confidential business information is permitted to bring claims for breach of a confidentiality contract and a UTSA violation, but cannot allege other claims based on the same fact allegations,” the firm wrote.

Even if a company labels information “confidential” or “proprietary,” it may not rise to the level of what constitutes a trade secret under UTSA, according to Rosales. More generalized claims are increasingly disfavored, in favor of claims under UTSA, which require identification of trade secrets in detail, Rosales said.

Companies need to be aware of how trade secrets work, because they might not be able to rely on common law claims to fight IP theft, said Venkatesan, who is based in Orrick’s Menlo Park office.

To win a trade-secret dispute, the employer must show that the information is valuable because it’s secret, and provide evidence that it took reasonable measures to keep it secret, Venkatesan told SHRM Online. Evidence of these “reasonable measures” is often based on HR policies and practices when onboarding and terminating employees.

Toni Vranjes is a freelance business writer in San Pedro, Calif.