Computerworld - Last week, I was called into a meeting with our company's legal counsel and several U.S. attorneys. The topic was the alleged theft of intellectual property by a former employee. An investigation was under way, and they needed information from me.
I am not privy to all the details -- I don't know whether the former employee was able to sell the documents he is alleged to have stolen or put them to some other illicit use -- but this incident gave me a great way to justify the security requirements I want to include in a new application.
These are the facts of the case that I do know. This employee had resigned recently. According to our legal counsel, just before the employee's departure, he apparently transferred hundreds of design-specification documents and source code for one of our flagship products to a server outside our control. I was in the room with the lawyers to help the prosecution prove beyond a reasonable doubt that the employee had logged into the data repository between certain dates, that he had transferred the data and, more important, that he knew that this activity was wrong.
The first part of the request was fairly straightforward, but I don't have a way to provide all the information I would like. I was able to capture logs that indicated that the employee used his SecurID token and VPN client to access the network on several occasions just prior to his departure. The problem is that the applications that contain the design documents and source code aren't configured to log user activity. That capability just wasn't enabled when the system was deployed six years ago. We can show that this user was on our network at certain times, but we don't have any logs to tell us the details of his activity on the servers or within the applications that maintain the intellectual property.
I had better luck on the question of whether the alleged thief knew that he wasn't supposed to transfer sensitive data outside the company. Our company has extensive policies and guidelines regarding data classification and the handling of intellectual property. We just have to prove that this employee read and understood this information.
Lucky Break
Thankfully, our company's corporate learning center maintains records that show which employees have successfully passed or completed various online classes and mandatory training sessions. Each year, employees must complete refresher training on a variety of topics. One of those is on intellectual property protection, and here's where we got lucky. This former employee had completed the online training just three months ago, with a passing grade! The training provides specific guidance in the area of transferring sensitive information outside the company without approval.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
