TCDI Talks | Episode 9
Using Digital Forensics to Investigate Employee Data Theft

About TCDI Talks: Episode 9

Is your company prepared in the event of potential employee data theft? This week on TCDI Talks, Michael Gibeault sits down with Erin Swakopf to discuss ways organizations can proactively work to protect themselves from this threat.

This 10-minute conversation with TCDI’s Forensics Project Manager explores practical approaches to preparing for potential theft of data. Digital forensics plays a crucial role in employee departures: it enables organizations to determine whether employee data theft has occurred and to take the necessary action. Erin Swakopf, TCDI’s Forensics Project Manager, explores the risks this unique threat introduces to company security, explains how digital forensics can help, and provides useful tips for successful employee offboarding.

Episode 9 Transcript

0:05 – Michael Gibeault

Welcome to another edition of TCDI Talks. I’m your host, Michael Gibeault. And joining me today is my colleague, Erin Swakopf. She’s a project manager in our forensics division. And today, Erin’s going to talk about employee data theft. Welcome, Erin. 

0:22 – Erin Swakopf

Welcome. Thanks for having me, Michael.

0:25 – Michael Gibeault

Absolutely. Hey, let’s start out. Tell me a little bit more about your role at TCDI and your experience with employee data theft investigations, especially.

0:35 – Erin Swakopf

Absolutely. So, I first joined TCDI in, I believe, 2021, and I came in as a digital forensic analyst, and I’ve since grown into my current position as the project manager for the forensics department. Still dabbling in the forensic collections, analysis, and reporting pieces. And I’m lucky enough to be involved in other TCDI initiatives outside of forensics as well. So, stay tuned for some exciting announcements at Legal Week.

But for our topic today, data theft, theft of IP investigations, employee departure, whatever you want to call it, they’re a huge piece of my forensic experience. So, it’s one of the most common projects that we receive in corporate forensics, and I’m really glad we’re talking about this today. Data theft situations can have significant ramifications to a company’s financial health and legal standing.

1:30 – Michael Gibeault

Well, let’s focus in on employee data theft. So, what types of data do employees most commonly take when they leave a company?

1:40 – Erin Swakopf

Right. I’d say most commonly it’s going to be customer information. It’s going to be those client contact lists, proprietary material. So, any trade secrets, product designs, product code, strategic documents, business plans, pricing strategies, marketing plans, as well as financial information, financial forecasts, models, and then other kind of R&D research and development materials.

2:08 – Michael Gibeault

What are the red flags when we start to detect data theft is taking place? You know, what suggests that an employee is stealing company data?

2:17 – Erin Swakopf

Right. I would say you want to look out for a couple things. They’re all going to be sort of outside usual patterns. We want to uncover those unusual access patterns. Some logins outside their standard business hours. Any kind of mass downloading or printing of documents. They’re accessing information unrelated to their job duties. You know, they’re in sales, but, you know, we’ve noticed that they’ve touched this R&D folder they shouldn’t really be in.

They may have used some unauthorized external storage devices, or they suddenly start sending a bunch of emails to personal accounts outside of that company address, maybe Gmail, Hotmail, Yahoo. All those things should be red flags there. And I see most of this activity centered around that resignation period, whether that’s a few weeks before, as they’re preparing to resign or even during that two week notice after they’ve resigned.

3:21 – Michael Gibeault

Okay, and once the organization suspects an employee has stolen data, what are the first steps they should take to preserve evidence?

3:31 – Erin Swakopf

Yeah, the first steps are critical. So, I’ll touch on, first, the unlikely event where you have this live machine running. And I see this is way less common. I think it was more common at the time where you had everyone in office and everyone had desktops, and, you know, you all came and left your machine there.

But in the unlikely event that you do have this live machine running, keep it running. It’s important. You may be able to capture and perform RAM capture on that volatile temporary data that’s lost once you shut it down.

Now, much more common, you’re going to receive that device back powered off. And so, in that case, I say leave it off, essentially. Don’t touch it. It’s really tempting, I know, if you suspect something, and you receive this person’s device back, it’s so tempting to power it on. Log in, you say, maybe legal, maybe IT, just want to take a look. I want to take a peek. You know, let’s just do some triage. But the problem with that is that it’s similar to civilians or citizens walking into an active crime scene that’s taped off. So, they’re stepping all over things. They’re touching things. You’re getting your footprints and your fingerprints mixed in. So, it really muddies the water for when we need to come in and do an investigation.

So, you want to immediately preserve that device, and maybe implement legal holds onto any cloud accounts, any kind of system logs that you have, engaging counsel early on. But yeah, try not to step on those tracks a little bit.

And then, also a note, I have – kind of a tip – is to avoid confronting that employee until the evidence is secured. You don’t want to sort of tip them off that you’re looking into something. And that might lead them into trying to wipe any hard drives or dispose of the evidence before you have it in hand.

5:31 – Michael Gibeault

Let’s look at it from a legal and business perspective. From, you know, when you have employee data theft, how can digital forensics support the legal teams when it comes to data theft?

5:46 – Erin Swakopf

That’s really important. So, I think we have kind of three main support factors here. And that’s going to be, like I mentioned previously, you know, we have that experience with maintaining chain of custody, data integrity, and defensibility. So that we can support you if it goes to litigation, we keep those paramount.

Also like I mentioned, the sheer volume of data nowadays to sort through can be unmanageable. You know, for a smaller IT department or legal team. So, we have the ability to preserve and interpret large quantities of data and activity.

And then, third, you know, if it comes, if it comes to that place where you are in litigation or having testimony, we can provide expert witness testimony to those technical findings.

6:35 – Michael Gibeault

Erin, are there industries or business types that are more vulnerable to employee data theft than others?

6:42 – Erin Swakopf

So, I can’t think of a business that shouldn’t be concerned about data theft. But I imagine we see the most prevalence in the same industries as, say, external cyber attacks. So, you have tech companies, particularly software development, financial services, healthcare with patient data is a big one. And then manufacturing, I’d say with those designs and processes.

7:09 – Michael Gibeault

Well, how can employee off-boarding help minimize the risk of data theft?

7:15 – Erin Swakopf

Right. Important as well. I think you want to involve legal and HR, making sure everyone’s on the same page. So, having structured exit interviews is important. You want to make sure you can identify all potential data sources. As I mentioned, that immediate revocation of system access. Right. Making sure that they can no longer … as soon as their termination date occurs and they may still have that device in hand, making sure they don’t have access. Trying to verify return and inspection of company devices, reminding them of ongoing legal obligations.

And then it’s certainly not a bad practice – I see it often in large companies especially – that standard procedure is to forensically image all departing employee devices. And that’s great in a couple of ways. Not necessarily that you have to conduct these thorough investigations on every single employee that leaves. But just maintaining that preserved image of their laptop before IT wipes it and redistributes it to a new employee is a really good practice so that you can have that for safekeeping when you need it later. That’s one of those things: Once you’ve done it, once you’ve wiped it and redistributed it, you can’t go back. So, it’s really a good idea maybe to just save an image somewhere. Maybe once suspicions arise, you already have that image in place, and then we can take a look and begin that investigation.

8:44 – Michael Gibeault

Well, for those companies, Erin, that may be hesitant to invest in digital forensic services, what would you say to them about the value of these investigations and processes?

8:57 – Erin Swakopf

I completely understand. I understand the hesitancy – as someone involved in creating project estimates and involved in invoicing, I know it can be expensive. But, you know, I would say you, as a client, you know your business and your business materials best. So, I urge you to really weigh carefully the risk of data loss and the potential impact on your business with the cost of these investigations. You know, it’s to protect your company advantage and intellectual property. It’s maintaining that customer’s trust after a breach. You know, having that name tarnished can be really detrimental. Also, making sure to ensure you have swift legal action taken to prevent any further damage. And then finally, you can really demonstrate your due diligence for regulatory compliance.

9:57 – Michael Gibeault

Well, thank you for joining TCDI Talks. If you’d like to learn more about how digital forensics can help and investigate employee data theft, check out our whitepaper. We’ve put the link next to this video. Thanks again for joining us, Erin.

10:14 – Erin Swakopf

Yeah, thanks for having me. Bye, everyone.

Meet the Expert Behind the Topic

Erin Swakopf | Forensics Project Manager | TCDI

Erin Swakopf is a skilled Project Manager in the Forensics department at TCDI, where she plays a pivotal role in our Employee Data Theft Investigation Service. Her diverse skill set and expertise allow her to address the unique challenges presented by these investigations, delivering exceptional results for our clients.

Within the program, Erin excels at preserving and analyzing electronically stored information (ESI) from various media sources. Her keen eye for detail and ability to identify anomalies indicative of data theft enable organizations to proactively address potential breaches and protect their sensitive information.

Meet Our Host

Michael Gibeault | Vice President, Legal Services | TCDI

As VP, Legal Services, Michael Gibeault works closely with corporate legal and law firm clients alike, providing forensics, eDiscovery, and managed document review solutions while managing a team of Legal Services Directors.

Michael’s tenured career has focused on supporting law firms and corporate legal departments with creative and cost-effective solutions that rely on cutting-edge technology and highly skilled legal professionals. Prior to joining TCDI in 2017, he served in executive positions at DTI Global, Epiq, Robert Half International, LexisNexis, and Martindale Hubbell.
