By: Greg Hudson and Ryan Duquette
The following article was originally published in Canadian Lawyer Magazine. It has been reproduced with permission.
MNP works with their clients to identify IP and other valuable data exfiltration, even when their clients don’t know if anything has been taken
Because intellectual property is often intangible, it can be difficult to know when, or even if, it’s been stolen. Discovering IP theft must therefore be a collaborative process between digital forensics professionakls and their clients, explains Ryan Duquette, Partner and National Digital Forensics Leader at MNP, the leading professional services firm in Canada.
“Oftentimes, companies don’t know they’ve had anything taken,” he says. “It is often during internal investigations or litigation matters, that evidence of data exfiltration becomes known. We work with our clients to identify IP or other valuable data and then determine a timeline of suspect activity.”
But he, and digital forensics professionals like him, know the most common internal theft methods and clues to look out for. Often sending files to a personal email address, saving files to a USB drive or Cloud Storage, and Instant Messaging are common methods to exfiltrate IP. Large downloads in general might be a sign someone is trying to walk away with protected IP.
“We are currently working with a client on an internal investigation where an employee was accessing IP that they should not have. The employee left the firm and still had their laptop at home. The company retrieved the laptop and upon a digital investigation, it was determined that the employee had also downloaded thousands of files to a USB drive. Our client then had to request the return of that USB,” Duquette says.
By its nature, digital forensics — like its analog counterpart — is mostly reactive. But, Duquette explains, there are proactive steps organizations can take using digital forensics. “Clients often have us take forensic images of employees' devices that have access to highly valuable IP. Those images can be held for future use. Another proactive measure is to conduct a triage of an employee's device during exit interviews. It is always best to deal with any IP exfiltration prior to an employee leaving rather than litigation afterward.”
But this process can be complicated by some contemporary work practices. Most companies who suspect they’ve had IP stolen will consent to have their systems looked over, so long as the forensic specialist stays within the scope of the investigation, but what about employees that work from their own devices?
Let the evidence tell the story
There are legal resources for such cases. An Anton Piller order is a form of civil search warrant. Under the direction of counsel, it grants investigators the ability to enter a defendant’s premises to look for missing data.
The challenge with protecting IP is that companies give their employees the means to take data by giving them passwords, and by outsourcing their IT so there are fewer guardrails against theft. “That’s why the simplest way to avoid theft is to silo your data,” Duquette says. “There’s no reason for someone in sales to have access to Human Resources data.”