An important part of our contentious IP/IT work is supporting clients whose sensitive business information has been taken by a current or departing employee.

Typically, they will have a plan to use that data to gain an unfair advantage in competing with their former employer.

In these situations, the law is surprisingly helpful. We can turn to Trade Secrets regulations introduced in 2018 and established UK confidentiality laws in addition to database rights and copyright. Often all of these can be brought into play to safeguard company information which has been stolen. The law is not the problem. The bigger challenge is often getting evidence of what happened.

To help us find that evidence we have been working closely with Jim Borwick of KJB Computer Forensics. Jim has been adept at finding needles in digital haystacks for us. Colin Hulme and Jim caught up recently to talk through Jim's background in this area, and some of the key ‘dos and don’ts’ for companies faced with misappropriation of data by their employees.

Colin: How did you get into the field of digital forensics?

Jim: My background is in the British Army, where I spent 20 years up until 2004. In the last 12 years of my Army career I was in the Military Police, during which time the field of digital forensics was developing and I had the opportunity to take some courses and gain some experience. After leaving the Army, I joined Lothian and Borders Police as a civilian and took up a role with the National High Tech Crime Unit in 2005. I spent seven and a half years working for that Unit and then the SCDA. At the SCDA, I got involved in all sorts of digital forensics work, from counter-terrorism to investigating crime that is more typical.

I gained some valuable experience there and, in 2012, I set up on my own account doing a whole range of civil digital forensics work, from theft of employee data to supporting the SSPCA. One area I tend to avoid is marital disputes, which is a whole world of pain I prefer to avoid.

Colin: Are you seeing any trends in demand for your digital forensics services?

Jim: There is no doubt about it that this is a growing problem with the increased use of technology and electronic data.

The global pandemic will bring new challenges but at the moment employees are sitting at home, and probably many employers will not know exactly what they are doing. Perhaps post-pandemic there will be revelations of data theft which will come out of the woodwork. I have seen some reports about some real invasive monitoring of home-based employees by employers, such as by being able to access their cameras to check that they are at their desk. That seems to me to be a fairly scary level of monitoring of employees, which would concern me.

Colin: From your perspective, what is the worst thing an employer can do when they suspect theft of information by an employee?

Jim: Absolutely the worst thing they can do is just to ignore it, or perhaps just try to sort it out themselves. Logs of activity typically are deleted in perhaps seven, or even 30, days, and if I am brought in after that then valuable evidence which could have been used will have been lost. Employers can be too worried about offending employees, and then it is only after the event that they discover the extent of the misconduct by the employee and regret not acting sooner.

Colin: In the first instance, we will very often be directed to work with an in-house IT team rather than engage external digital forensics.  What are your thoughts on that?

Jim: IT and digital forensics services are two entirely different things. Some IT teams may have digital forensics experience, but that cannot be assumed.  There is a risk that an IT team can think they have got to the bottom of what has happened and convince less-IT savvy management that they have done so when, in fact, the real problem has not been uncovered.

An analogy I might make is that IT teams are good at building the house and making it as secure as needed. If there is a crime within that house, then it would be digital forensics which would be needed to come in to examine the crime scene and find out what has happened. My job is very different from what IT teams do.

Having said that, there are some IT teams which I work with regularly which do have really good experience here, and are able to use forensic imaging to preserve evidence, or the  crime scene if you like, before I get involved.

It is always important to work with IT teams, who know their system far better than I could.

Colin: What are some of the more clever methods you have seen employees deploy to misappropriate information?

Jim: The typical and more obvious ways are for employees to send emails with attachments on them to their personal email addresses and then they just delete that email. The deleted emails can often be detected provided we are engaged relatively quickly.

One recent job I have worked on disclosed that a departing employee brought in a personal device and copied their company email account onto that device so they then had a complete copy of all data which was held in their inbox at the time – that was pretty clever.

The most difficult theft to detect was for an energy sector client which had an employee who had gained access to a training laptop networked across the company. They installed a key logger that was able to gather admin passwords as they were entered on that laptop. The employee then used that laptop to access the company’s mainframe, taking screenshots of data as they went. They did this overnight. The conduct was detected when an employee saw the cursor on their computer moving, suggesting it was being controlled by somebody else. That led us to tracing the IP address which was being used to access the training laptop, and we managed to track down the individual concerned.

Colin: What advice would you give generally to companies concerned about this issue?

Jim: They should look at the obvious things, ensure the overall security of their networks, you should ensure that employees cannot just plug in a drive to their laptops and extract information. It always surprises me if employees have access to personal email accounts from work computers, and that can easily be prevented where firewalls should be in place, and I think they need to be aware that as much as ‘BYOD’ policies are popular, there are real risks that go with employees bringing in their own devices.

Otherwise, my advice would be once you detect the problem, do not hang around and you should seek appropriate legal or digital forensics support before it is too late and evidence is lost.

Related News, Insights & Events