We sat down with Howard Susser, chair of the IP Litigation Group at Burns & Levinson, and IP and cybersecurity attorney Brooke Penrose, who will be leading a free webinar, “IP & Cybersecurity: Critical Points on Data Misuse,” on March 25, 2021 at 1:00 pm ET, to get their thoughts on what companies can do to counter “insider” cyber threats.
Q: When people think of cybersecurity threats, they often think of an outside “bad actor,” but over one-third of all data breaches involve internal actors. How can a company protect itself from this very real threat?
Penrose: Many, if not most, breaches involving insiders are not the result of the insider intentionally being malicious. Instead, data breaches originating from insiders are often the result of very passable phishing attempts or other instances where insiders are the victims of fraud, insufficient training on their obligations to safeguard a company’s data, and/or a mistaken belief that data belongs to the employee, and not the company, as a result of the employee’s efforts in creating the data. The risk of a data breach resulting from each of these activities can be significantly reduced through a company promoting a culture of awareness and implementing appropriate training to its personnel to address these topics.
Q: What motivates someone to steal data from their employer and how do you figure out who might be vulnerable to stealing data?
Susser: The majority of thefts we encounter occur related to an employee’s looming departure, whether that separation is known (fired/made redundant) or unknown (offered a new job by a competitor) by the employer. Some employees moonlight in parallel with their employment and make use of employer intellectual property. In each case, the employee sees a downstream benefit from the use of data or trade secrets for his or her new venture. Employees are hired away from competitors ostensibly because of their skill and knowledge developed over time, and sometimes this crosses the line to expectations over use of protected internal data about customers, know-how, business strategies, etc. Given the above, special attention should be given to disgruntled employees or those who think their future at the company may be short-lived.
Q: Has fully remote work due to the pandemic increased the data security risks for companies because there is more access to sensitive data, or because it’s easier to steal when you are off-site with less oversight?
Penrose: The sudden mass remote-work shift for many companies over the last year forced businesses to revisit their existing policies and practices, given that more data necessarily migrated to cloud environments and/or data maintained in paper form was greatly reduced in many instances. In some ways, the shift presented an opportunity for companies to have greater oversight over data, as the electronic monitoring of data access, downloads and alterations is generally far easier than that for physically maintained data. With that said, adding employees’ personal devices and networks into the mix necessarily removes a level of control companies previously had, and businesses have quickly had to update their data security to address these factors.
Q: Should companies keep “watch lists” of potential users they think could be a threat? Is there a downside to doing this?
Susser: A list of suspected or suspicious employees is a sensitive and potentially dangerous option given the propensity for litigation and discovery, or inadvertent disclosure, and the risk that targeted employees are viewed as unfairly targeted based on some discriminatory factor. That said, companies should follow best practices and make sure that employee files contain reports on disgruntled statements, suspicious behavior such as unauthorized or unusual access to resources, contacts to competitors, reports from other employees, or other indicators of risk.
Q: What best practices can companies put in place to manage and prevent data misuse?
Penrose: Understand the ins and outs of what data your business is maintaining, adopt appropriate policies to safeguard data based on its importance and/or sensitivity, and implement the policy into the company’s operations so the policies are woven into your corporate culture. One of the most important practices companies can adopt is access restriction; if someone has no legitimate reason to access a piece of data, it may make sense for them to not have access to it.
Q: How are companies protected under the Computer Fraud and Abuse Act?
Susser: If a company’s “protected computers” (which includes data-containing electronic devices of nearly any kind – iPads, cellphones, websites, etc.) are accessed “without authorization” in “interstate commerce” (which includes any computer connected to the Internet at a minimum, and even reaches computers abroad) and the “damage” is estimated at over $5K (including most costs of responding to the data breach), it is protected under the CFAA.
Q: What should a company do if it learns that a former employee has stolen its trade secrets or other intellectual property?
Susser: Each company should have its own prepared checklist for real-time reaction to a suspected breach based on the size, nature and risk related to its data. For example, financial institutions have different concerns than a small company with a “secret sauce” trade secret. In no set order, companies should consider the following. Involve counsel and your IT department in your decision-making. Document everything and maintain attorney-client privilege. Revoke access, credentials and security immediately. Investigate all data-containing devices, log-ins and video surveillance. Work with outside vendors if appropriate. Prepare to contact your former employee and his/her new employer. Pursue ex parte court action for a temporary restraining order or seizure.
Q: Without naming any names, what’s the most interesting or unusual cyber abuse case you’ve worked on over the past few years?
Susser: Without identifying any particular client, one main lesson from many of the cases is that employers and former employees tend to have very different views as to the scope of data and confidential information protections afforded to employers based on employment contracts, non-competes, non-disclosure agreements, etc. In other words, employers see breadth where former employees see narrowness. Employees seldom obtain legal opinions before they make a move, and often it is a case of seeking forgiveness rather than permission. This suggests that care should be taken to define scope in the agreement in the first place and to amend it over time when necessary.
Penrose: I have seen many inadvertent data breaches, including sending sensitive information to someone outside the company by accident, by high-level company personnel who probably always thought “not me” when sitting through their company’s data security training sessions. The most highly trained and prudent personnel often have the broadest data access rights, so it is critical that they remain vigilant. Fortunately, in each instance where this has happened, the damage was quickly contained and mitigated, but companies should require even C-suite level employees to retake a data security “refresher.”
Howard Susser is a partner and chair of the IP Litigation Group at Burns & Levinson in Boston. He has 30 years of experience litigating patent, trademark, false advertising, unfair competition, copyright, licensing, trade secret and antitrust cases in courts around the country for clients in the high tech and life sciences industries. He can be reached at firstname.lastname@example.org or 617-345-3738.
Brooke Penrose is a senior associate at the firm, where she focuses her practice on trademark and brand protection, copyright, and privacy and data security. She is an IAPP Certified Information Privacy Professional in U.S. and European law. She has helped many companies develop data collection and compliance programs and is well-versed in security breach response and data security best practices. She can be reached at email@example.com or 617-345-5287.