How to balance company security with employee rights

The ubiquity of computers and electronic devices in the workplace presents a major challenge to HR departments.

HR has the task of balancing company IT policy and the management of electronically stored information (ESI) with the rights of the individual. This is particularly true in the event of a data theft.

With significant advances in the ways we store, process and exchange information, data can be duplicated in seconds onto a data storage device. To understand the power of such devices, consider that just 1GB of storage capacity equates to roughly 30,000 pages of data. These devices are widely available and in the wrong hands can be used to easily breach company policy.

Data theft mainly occurs when an employee leaves or sets up a rival business, taking with them important data. Many employees consider files that they have worked on as their own. In a survey carried out by Prefix IT, 30% of workers believe sales leads/business contacts are rightfully theirs.

When an employee is suspected of wrong-doing, it is likely that their computer will be examined by the IT team to retrieve evidence. However, most IT departments are not equipped with the tools or expertise to perform sophisticated computer forensic procedures. To preserve the data in its original form, it is vital that a company employs the correct techniques.
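One concrete form of the "correct techniques" mentioned above is to hash evidence at the moment it is collected, keep a write-once custody log, and re-verify the hash before anyone relies on the copy. The following Python is an added example written for this article, not code from the author or from Kroll Ontrack; the file names, the examiner name and the sample CSV contents are constructed for the demonstration, and the verification logic is a generic illustration rather than any particular vendor's procedure.

```python
"""Evidence preservation: hash on acquisition, verify later, keep a custody log.

Added example; not from the article or Kroll Ontrack. Paths, the examiner name
and the sample file contents below are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so large images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _log(evidence_dir: Path, entry: dict) -> None:
    """Append one JSON line per custody event; earlier entries are never rewritten."""
    with open(evidence_dir / "custody.jsonl", "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")


def acquire(source: Path, evidence_dir: Path, examiner: str) -> dict:
    """Preserve a copy of `source` and record its hash before anyone examines it.

    The source is hashed, copied, and the copy hashed again; the two digests
    must match or the acquisition is rejected. The returned record is what a
    later verification step is checked against.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    source_hash = hash_file(source)
    preserved = evidence_dir / (source.name + ".preserved")
    shutil.copy2(source, preserved)  # copy2 keeps the original file timestamps
    if hash_file(preserved) != source_hash:
        preserved.unlink()
        raise RuntimeError("copy does not match source; acquisition failed")
    record = {
        "event": "acquire",
        "source": str(source),
        "preserved": str(preserved),
        "sha256": source_hash,
        "size": preserved.stat().st_size,
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    _log(evidence_dir, record)
    return record


def verify(record: dict, examiner: str) -> bool:
    """Re-hash the preserved copy; any change since acquisition returns False."""
    preserved = Path(record["preserved"])
    current = hash_file(preserved) if preserved.exists() else None
    ok = current == record["sha256"]
    _log(preserved.parent, {
        "event": "verify",
        "preserved": record["preserved"],
        "expected": record["sha256"],
        "observed": current,
        "result": "match" if ok else "MISMATCH",
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })
    return ok


def demo() -> tuple:
    """Constructed walk-through: acquire, verify, then show an altered copy failing."""
    work = Path(tempfile.mkdtemp())
    suspect_file = work / "contacts_export.csv"  # constructed sample evidence
    suspect_file.write_text("name,email\nA. Client,a@example.com\n")
    examiner = "J. Examiner (constructed)"
    rec = acquire(suspect_file, work / "evidence", examiner)
    clean = verify(rec, examiner)
    # Simulate the preserved copy being modified after acquisition.
    with open(rec["preserved"], "a") as f:
        f.write("B. Client,b@example.com\n")
    tampered = verify(rec, examiner)
    return clean, tampered, rec["sha256"]


if __name__ == "__main__":
    print(demo())
```

The custody log is append-only and records who verified what and when, which is the record an organisation needs if an employment lawyer later questions whether the evidence was tampered with.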

Employees are also becoming better informed of their rights. Should the results of an investigation be questioned by an employment lawyer, a company may find itself accused of evidence tampering, discrimination and wrongful dismissal.

It is vital to have a policy that clearly dictates the use of company systems, electronic devices and the transfer of company information. Training should be conducted when the policy is updated and must be documented thoroughly to demonstrate compliance with the policy.


Organisations must be aware of the risks they face and should have a clear computer incident response plan in place should an incident occur. The plan should be reviewed and updated regularly to ensure that it is applicable to the current business environment.

A forensic investigator will consider:

  • Which systems does the suspect have access to, and by what means?
  • Can anyone other than the suspect access these systems using the same methods?
  • If so, can we determine who is responsible for any given action?
  • Does the suspect work on several machines or just one?
  • Do they have a personal drive?
  • Is it possible that there are other people involved?

Portable devices can hold further sources of evidence, such as SMS messages or residual copies of e-mails that have been deleted from individual mailboxes. E-mail servers, file shares and back-up tapes are likewise potentially valuable sources of case-winning evidence.

When faced with a data theft incident, employing the correct practices the first time is crucial in helping organisations to defend their position and protect what belongs to them. Equipping key staff with the knowledge and understanding of how to respond to a relatively rare but complex situation could make all the difference to the outcome of the case.

Graham Jackson, business development consultant, Kroll Ontrack