Employee Data Theft Investigations
Employee data theft occurs most frequently just prior to, or immediately after, an individual’s termination or resignation from an organization. Motives for data theft include setting up a competing business, using the information at a new job, a sense of ownership of what was created, and revenge against the employer, among other things. The most commonly stolen intellectual property and trade secrets include:
- Customer information
- Financial records
- Software code
- Email lists
- Strategic plans
- Process documents
- Secret formulas
- Research and development materials
- Employee records
Tools Commonly Used by Employees to Steal Data
Technology is making employee data theft both easier to accomplish and harder to detect. For example, a small 16GB USB flash drive can hold thousands of Microsoft Office Documents that can be quickly copied from a work computer and taken anywhere. Other tools such as Dropbox, remote desktop connections, personal email accounts, smart phones, CDs/DVDs, and File Transfer Protocol (FTP) sites are also commonly used to steal company data.
Using Computer Forensics to Uncover Employee Data Theft
Employees who steal data often leave a trail of digital evidence that proves invaluable when investigating data theft. Computer forensics experts may be able to uncover important evidence, such as:
- Identifying recently attached storage media such as USB thumb drives
- Locating recently accessed files and documents
- Isolating emails sent to public email accounts like Gmail or Yahoo
- Determining recent internet activity
- Establishing days and times of remote connections
- Recovering text messages, emails, call logs and other data stored on a smart phone
Suspect Employee Data Theft? Avoid Destroying Important Electronic Evidence with These Steps
If you are concerned a departing employee may have stolen proprietary data, one of the first things you should do is quarantine the computer. If the computer is powered on then leave it on because important evidence may be stored on the computer’s random access memory (“RAM”) and may be deleted if the computer is powered off. If the computer is already turned off then place it into secure storage. Furthermore, do not let your IT staff reinstall the operating system or give the computer to someone else to use because it could destroy / overwrite any evidence of wrongdoing. Finally, resist the temptation to “take a peek” at what is stored on the computer by turning it on and accessing files. This simple act will destroy valuable evidence.
If the suspected employee had a company-issued cell phone then also place it in secure storage. Smart phones have an abundance of useful information such as text messages, emails, call logs, internet activity and more. The simple act of resetting the phone, however, can permanently destroy this data.
If you suspect employee data theft then it is important to call a computer forensics expert for assistance. They are adept at preserving evidence and maintaining chain of custody so that their findings are admissible in a court of law. This is a crucial step when investigating employee data theft because electronic evidence will be important when seeking an injunction or pursuing litigation.