
Balancing Company Security with Employee Privacy

Ben Hammerton, Kroll Ontrack



The increasing use of computers in almost every aspect of the working day presents a significant challenge to those tasked with ensuring that employees are properly protected while, at the same time, company policy is adhered to, company standards are maintained and both financial and reputational damage to the company is avoided.  That task usually falls to the Human Resources (HR) department.

The HR team and departmental managers are expected to balance the needs of the company with the rights of the individual, and one of the greatest threats to both is the spectre of an investigation into:

  • Intellectual Property (IP) Theft
  • Computer Misuse / Misconduct
  • Bullying / Harassment / Discrimination
  • Fraud / Theft
  • Contractual Dispute

Types of electronic storage

Electronic data is stored on a variety of media, and the amount of storage available to an individual is extremely high, easily and cheaply obtained.  It is possible to store hundreds of thousands of confidential documents on a small USB memory stick: as a rule of thumb, 1GB of storage equates to roughly 20,000 pages of typical office documents.

Laptop computers are the most obvious and most frequently used method of data storage.  Today a large percentage of employees work from a laptop because of ever-reducing cost, ease of portability, the rise of the 'hot desk' and more progressive company policies allowing employees to work from home.  All of these factors make the laptop a powerful but potentially damaging source of data leakage: by the same rule of thumb, a standard laptop with a 100GB hard drive could contain two million pages of confidential data.  In addition to the company laptop, employees also use other means of data storage that pose serious difficulties for a company trying to maintain a secure environment.

Examples of such storage media are:

  • USB memory sticks - a leading supermarket chain currently offers a 32GB memory stick.
  • Secure Digital (SD) cards - 16GB versions are available on the high street.
  • Digital cameras - most use SD cards but can also have internal memory of up to 1GB.
  • iPod/MP3 players - present themselves as removable drives and so can store .xls, .doc and .ppt files as readily as music.
  • Digital photo frames - use SD cards, so can hold any file format, and can be wireless enabled.

Most employees will have easy access to one or more of these devices which, used with the wrong intentions, pose a potential security nightmare.  If you also consider that a mobile phone, PDA or Blackberry can use similar memory cards, take photographs and communicate via webmail, then the HR team are faced with a wide range of devices that can be used to breach company policy and land either the employee or the employer in dangerous territory.

However, these devices also provide the HR team with a variety of options to investigate wrongdoing if the worst case scenario occurs.

The typical response to an employee investigation

The typical response to an investigation into IP theft, computer misuse or fraud is to ask somebody in the IT team to 'have a look' at the employee's computer to confirm what the suspect has done.  This is in fact the first mistake in performing a computer investigation, and it could leave your company open to accusations of tampering, bullying and, worst of all, discrimination.

A well-meaning manager or HR team member will of course ask somebody to take a careful look to confirm the evidence of wrongdoing.  A laptop is company property, so to most people it would seem to be the company's right to investigate its own property in order to find out what offence, if any, has been committed.  At this stage there is only an accusation, and it seems reasonable to assume that a 'quick look' is proper and in the interest of both employee and employer, to quickly establish whether there is a problem.  It may not seem necessary to involve potentially costly outside help.

It is also true that many employee investigations end in an admission of guilt and the individual(s) concerned being reprimanded, given a formal warning or, where gross misconduct is found, dismissed, at minimal cost to the company.  However, if the investigation is performed incorrectly it is often the company that can be shown to be at fault, and an industrial tribunal could be the result.  Employees are becoming much more aware of their rights, and if the results of your investigation are then questioned by an employment lawyer, your company may easily find itself accused of evidence tampering, discrimination and wrongful dismissal.

A seemingly minor investigation may have far-reaching implications depending on the evidence found, the offence in question and, most particularly, the method of evidence collection.  What's more, an industrial tribunal is not the highest forum in which this matter may be played out: cases on the monitoring of employees' telephone, email and internet use have gone as high as the European Court of Human Rights (for example Copland v United Kingdom, 2007).

What is the correct response?

STOP!  Ensure the correct team members are involved in the decision-making process and follow a predetermined company policy that adheres to recognised evidence-handling guidelines.

If you do not have a specific company procedure in place for dealing with an employee investigation, there are a few simple guidelines to follow that will ensure all parties are protected, the evidence found can be relied upon and, ultimately, the investigation reaches the desired outcome.

A number of training courses are available to ensure your policies and procedures are correct:

  • Forensics for HR - learn the legal issues, step-by-step incident response guidelines and common scenarios.
  • First Responder Training - learn evidence handling, chains of custody and the ACPO (Association of Chief Police Officers) guidelines.
  • Management Awareness Training - bring together heads of departments to learn legal issues, policy versus practice and incident response planning.

'Imaging for Preservation' – Exit Strategy

To ensure the smooth running of the business it is best that employees know exactly what is expected of them while they are working for the company, and also what will happen should they leave in the future.

Increasingly, companies are setting out new, expanded exit policies which include both the provision for, and the permission to take, computer forensic images of the employee's hard drive when they leave the company.  This process is referred to as 'Imaging for Preservation' and is designed to safeguard both the employee and the company.  An 'image' is a complete, sector-by-sector forensic copy of a computer hard drive, so it preserves hidden partitions, deleted-but-not-overwritten files, file slack and encrypted volumes (the encrypted data is copied as-is, not decrypted), and it is the first step in any computer forensic investigation.  The image is taken through a write blocker so that nothing on the original can be altered, and its hash (typically MD5 or SHA-256) is recorded at acquisition so that any later copy can be proven identical.  An investigation is always carried out on the image and never on the original hard drive, so that the evidence is not damaged or deleted and the investigator can go back and take another copy of the data in its original state should the need arise.

'Imaging for Preservation' ensures that you have a copy of the individual's hard drive stored for future use if needed.  It also means that your company can put the ex-employee's computer back into circulation knowing that a complete copy of its history is available in the archive.  Companies are now routinely performing this process for management and executive-level employees, and for key workers or departments considered to be of particular risk (such as the sales team), to protect themselves against the following scenarios:

  • An employee leaves, deleting company information that may be useful or ‘mission critical’ to the business.
  • An employee leaves and six months later starts a new business in competition and corporate clients start to defect.
  • An employee is dismissed, claims harassment, bullying and unfair dismissal.

In all of these scenarios a verified copy of the hard drive is available for a post-event investigation, either to absolve an individual of wrongdoing or to prove their actions, or, more importantly, to absolve the employer and remaining employees of any unfair accusations.
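The imaging and chain-of-custody steps described above, as an added example that is not from the original article and not Kroll Ontrack's own tooling: a POSIX shell script that takes a bit-for-bit copy with dd, hashes source and image with SHA-256, appends the hash to a custody log and re-verifies the image against that log before it is examined.  Because it must run offline, a constructed 1 MiB file of random bytes stands in for the suspect drive; against a real machine the source would be the block device (for example /dev/sdb) attached through a hardware write blocker.  The examiner name, log path and file names are placeholders.

```shell
#!/bin/sh
# Added example: forensic imaging with hash verification and a custody record.
# Not from the original article. A constructed sample file plays the role of the
# suspect drive so the script can run offline; on a real job SRC is a block
# device behind a write blocker and the examiner name is whoever signs for it.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Portable SHA-256: GNU coreutils has sha256sum, macOS/BSD ship shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for the evidence drive: 1 MiB of random bytes, which is an
# exact multiple of the 64 KiB block size used below (see the note on conv=sync).
make_sample_drive() {
    head -c 1048576 /dev/urandom > "$WORK/evidence_drive.raw"
    printf '%s\n' "$WORK/evidence_drive.raw"
}

# Copy every block of SRC into DST, then prove the copy is identical by hash.
# Prints the SHA-256 of the verified image; returns 1 if source and image differ.
# conv=noerror,sync keeps reading past bad sectors and zero-pads them so that the
# offsets in the image still line up with the drive. It also pads a short final
# block, so on a real device use a bs that divides the device size (e.g. 512 or 4k).
image_and_verify() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=64k conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "HASH MISMATCH: source=$src_hash image=$dst_hash" >&2
        return 1
    fi
    printf '%s\n' "$dst_hash"
}

# Append one custody line: UTC timestamp, examiner, image path, acquisition hash.
# Every later handler of the image should be able to reproduce the last field.
record_custody() {
    log="$1"; image="$2"; hash="$3"; examiner="$4"
    printf '%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$examiner" "$image" "$hash" >> "$log"
}

# Before any analysis, re-hash the image and compare with the recorded value.
# Returns 0 when the image is still the one that was acquired, 1 otherwise.
verify_against_record() {
    log="$1"; image="$2"
    recorded=$(grep -F "$image" "$log" | tail -n1 | cut -f4)
    current=$(sha256_of "$image")
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Demonstration run: sh imaging.sh --demo
if [ "${1:-}" = "--demo" ]; then
    drive=$(make_sample_drive)
    image="$WORK/evidence_drive.img"
    hash=$(image_and_verify "$drive" "$image")
    record_custody "$WORK/custody.tsv" "$image" "$hash" "examiner01"
    verify_against_record "$WORK/custody.tsv" "$image" && echo "image verified: $hash"
fi
```

dd is used here because it exists on every Unix-like host; dedicated acquisition tools such as dc3dd or ewfacquire do the same copy but write the hash into the image container and log bad sectors for you, and are what a practitioner would normally reach for.  The one rule that does not change with the tool is the order of operations: hash at acquisition, record it with who and when, and never open the image for analysis without first re-hashing it against that record.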

Conclusion

Practices such as these are helping organisations to protect themselves and their IP from the increasingly common insider threat.  A small investment that equips key staff with the knowledge and understanding of how to respond to a relatively rare but complex situation could prove invaluable when defending your organisation's position and protecting its most valuable assets.

Ben Hammerton is a Computer Forensics Consultant at Kroll Ontrack's office in London.


Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.
