Making the case against an insider takes preparation and proactive work with HR and legal

Dark Reading Staff, Dark Reading

May 15, 2012

7 Min Read

When the worst-case scenario strikes and a malicious insider does damage to an organization, be it by theft or sabotage, legal recourse may be in order. But if IT doesn't prepare in advance to cooperate with human resources and legal, the civil or criminal case against a bad former employee may be doomed from the start.

According to security and legal experts, failing to cover your legal bases before presenting your case to judge and jury can effectively give the defendant that proverbial "get-out-of-jail-free card" and leave your organization without much leverage at all.

Here are some of the most common ways that enterprises tend to blow their cases against malicious insiders.

1. Don't Make Employees Sign A Contract or Policy
According to Damon Petraglia of Chartstone, one of the most common types of civil case he is brought in to investigate forensically involves employees stealing information from their employers or misusing company technology. To make a case against such an employee, it is not enough to prove they stole something or did something wrong; you also have to prove intent.

"If you want to fire someone or you want to sue someone, you have to prove that they had intent to do something malicious. Just because I installed something on my computer, it doesn't really prove I did something malicious," says Petraglia, director of forensic and information security services for Chartstone. "A lot of times, when I'm looking at something forensically, a company will not have any policy in place that says you cannot do something. That makes it very difficult to prosecute or to fire someone."

This is where signed acceptable use policies and confidentiality agreements are key. While signing such a document might seem like a mere formality when employees or contractors are brought in, their existence can make or break a case when things go wrong.

"If I were advising someone that has confidential information, data, or technology, I'd say the most important thing to do is have agreements with your employees that make it clear that there is confidential information that limit the employees' ability to use that information, and to prevent the employees from taking it or disclosing it to anyone else," says Jim Davis, partner at Dallas, Tex.-based law firm Klemchuck Kubasta.


2. Fail To Treat IP As A Secret
Embedding the signing of acceptable use policies and confidentiality agreements in the employee onboarding process not only helps prove intent; it is also one of several measures an organization needs in place to show it actually treats its trade secrets as secrets.

According to Davis, judges tend not to be very sympathetic to a case against an insider for stealing trade secrets when the information in question was left unprotected on company systems.

"If you do not take reasonable action to protect it and limit access, a court very likely may find that you didn't treat it as a secret," he says. "And if you didn't treat it as a secret, the court is very likely to say, 'We're not going to treat it as a secret, either, and we're not going to give you any remedy. If you didn't care enough about it to protect it, then we're not going to help you protect it after the fact.'"

Davis says the most important thing is to institute technology and procedures that limit access to sensitive data on a need-to-know basis. Attorney John Hornick agrees, emphasizing that these procedures not only offer legal protection, but they're also a no-brainer for limiting risk of insider incidents in the first place.

"Such procedures control information, the people with access to it, and the equipment that either contains confidential information or can be used to manage and transmit it," says Hornick, partner at global IP law firm Finnegan.

3. Limit Log Retention Or Don't Monitor At All
When he worked at Scotland Yard, Steve Santorelli, director of global outreach at the Internet security research group Team Cymru, says that one of the rules that he and his fellow cops lived by was: "If it isn't written down, then it never happened."

Monitoring logs are some of the best written evidence an organization can have to prove something happened. But they have to exist to make a difference.

According to Petraglia, the first whiff of impropriety by an insider, or foreknowledge of events like layoffs, should push IT to step up its monitoring of affected individuals if their computer activity isn't already under a lot of scrutiny.

More importantly, though, organizations need to make sure their log retention policies don't limit how far back they can go for forensic evidence.

"Make sure you're not overwriting any data," Petraglia says. "That happens all the time. There's a thirty day retention policy, they don't find out until sixty days that something bad happened and now they don't have the evidence anymore. Storage is so cheap now, you should be keeping logs a long time and logging as much as possible."

4. Tramp All Over The Scene Of The Crime
You don't necessarily have to go to ridiculously complicated lengths to preserve forensic evidence, says Santorelli, but you do need to take precautions or your case will be wrecked before it even starts.

"Time and time again when I was a police officer, people would come to us, and by the time they made the decision to come to law enforcement, the crime scene was already obliterated; the digital equivalent of 10,000 footprints was all over it," he says. "If you have some well-meaning systems administrator run roughshod through a log file without keeping any notes and altering things, then a judge quite rightly is going to turn around and throw out the lawsuit."

According to Santorelli, the number one rule of thumb is never to work on the original media: always make a bit-level copy to work on, and store the original media as evidence.

"You take your original and you lock it away and then you don't touch it again so it's there in three years' time if a defense attorney doesn't agree with your work and [wants to] employ his expert to go in and redo your forensics on the original. So you do all of your examinations on this bit-level 'photo copy,'" he says. "If you assume that everything is going to eventually end up in court and forensically you treat it that way, then you can't go wrong."
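The acquisition step Santorelli describes, as an added example that is not part of the article or of any tool it mentions: the script makes a bit-level copy of a constructed evidence file, hashes the original and the copy, seals the original read-only, appends a chain-of-custody record, and then shows that altering the working copy leaves the sealed original verifiable against the recorded hash. The file names, the JSON record layout and the examiner name are assumptions.

```python
"""Preserve an evidence file the way the article describes: image it bit for bit,
hash both original and copy, lock the original away and record the hashes in a
chain-of-custody log so a later examiner can prove the original is untouched.
Added example; file names, record format and examiner name are assumptions."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def bit_level_copy(src, dst, chunk_size=1 << 20):
    """Copy src to dst byte for byte and return the SHA-256 of the bytes actually read.
    Hashing during the copy means the recorded hash describes the original as imaged."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk_size), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()


def preserve_evidence(original, working_copy, custody_log, examiner):
    """Image the original, verify the copy, make the original read-only and append a
    custody record. Raises if the copy's hash differs from what was read from the original."""
    acquired = bit_level_copy(original, working_copy)
    copy_hash = sha256_file(working_copy)
    if copy_hash != acquired:
        raise RuntimeError("working copy does not match original; re-image before proceeding")
    # "Lock it away": drop write permission so a well-meaning admin can't alter it by accident.
    os.chmod(original, stat.S_IRUSR | stat.S_IRGRP)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # assumed field; fill from your own custody procedure
        "original": os.path.abspath(original),
        "working_copy": os.path.abspath(working_copy),
        "size_bytes": os.path.getsize(original),
        "sha256": acquired,
        "action": "acquired bit-level copy; original sealed read-only",
    }
    with open(custody_log, "a") as log:  # one JSON line per custody event (assumed layout)
        log.write(json.dumps(record) + "\n")
    return record


def verify_integrity(path, expected_sha256):
    """What a defense expert would do years later: rehash the sealed original and compare."""
    return sha256_file(path) == expected_sha256


def demo():
    """Run the whole procedure on a constructed 'evidence' file in a temporary directory."""
    work = tempfile.mkdtemp(prefix="evidence_")
    original = os.path.join(work, "laptop_disk.img")
    # Constructed sample content standing in for a disk image or log file.
    with open(original, "wb") as fh:
        fh.write(b"ACME-CONFIDENTIAL\x00" * 4096 + os.urandom(1024))
    record = preserve_evidence(original, os.path.join(work, "laptop_disk.working.img"),
                               os.path.join(work, "custody.jsonl"), examiner="J. Doe (assumed)")
    # Analysis happens on the working copy; changing it never touches the sealed original.
    with open(record["working_copy"], "r+b") as fh:
        fh.write(b"ANALYST-NOTE")
    original_ok = verify_integrity(original, record["sha256"])
    copy_ok = verify_integrity(record["working_copy"], record["sha256"])
    shutil.rmtree(work, ignore_errors=True)  # cleanup only for the demo; never in real handling
    return original_ok, copy_ok


if __name__ == "__main__":
    print(demo())  # (True, False): original still matches the record, working copy does not
```

The hash is computed from the bytes read during imaging rather than from the original afterwards, so the custody record describes exactly what was copied; re-hashing the sealed original later (the `verify_integrity` call) is the check an opposing expert would repeat on the original media.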

5. Wait To Respond Legally
Organizations that take their sweet time filing legal paperwork against a malicious insider tend to find it difficult to foster sympathy from judges once filings cross their desks, Davis says. As he puts it, the longer you wait, the less likely the court will be to help you.

"The court's going to say, 'If this was such an emergency, why did you wait two weeks to come down here and file a lawsuit?'" he says. "Especially if it's sensitive data. If you find out that data has been taken, you need to gather the evidence immediately, get an attorney and get a lawsuit on file as quickly as possible and try to get a temporary restraining order from a judge to stop the person in their tracks, before they further copy it, further disseminate it, or share it with a competitor."

The quicker you act, the more likely you are to get the relief that you need, Davis says.
