
Managing the Internal Threat: Preventing and Remediating Trade Secret Misappropriation by Disloyal Employees

September 14, 2017 | © 2017 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com

Panelists

John G. Bates, General Counsel and Chief Information Security Officer, Clarity Insights

Robert J. Hudock, Member, Epstein Becker Green, Washington, DC

Jeffrey P. Rosier, Senior Employment Counsel and Director of State Government Relations, Marsh & McLennan Companies

Peter A. Steinmeyer, Member, Epstein Becker Green, Chicago


True Story: SWE – Failure to Restrict Access


Insider Threats: The Bad News

74 percent of corporate counsel named data breaches as their top data-related legal risk

One company found that insiders were responsible for 68% of all network attacks targeting health care data in 2016

Most data breaches are caused by employees and other insiders (e.g., vendors), whether intentionally or inadvertently


Insider Threats: The Good News

Many insider data breaches are preventable


Timeline of Insider Activity

Opportunities for preventing, detecting, and responding to an insider attack


How to Prevent Insider Threats?

A formalized, well-documented, and consistently applied insider threat program, compliant with applicable law, that includes:

Screening

Monitoring, and

Regular training of employees


What Are Insider Threats?

A malicious insider is a current or former employee or a business partner who has or had authorized access to an organization's network and intentionally exceeds or misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information or information systems


What Are Insider Threats? (Cont’d)

An unintentional insider is someone who, through his or her action or inaction, without malicious intent, causes harm or substantially increases the probability of future harm to the confidentiality, integrity, or availability of the information or information systems


What Should the Employer’s First Step Be?

Conduct a vulnerability assessment to evaluate risks according to job position and to the most sensitive data


What Should Employers Identify?

Where confidential business information is maintained on its systems, and the employees who have access to this critical data

Job positions that permit access to critical data or systems, or grant administrative or superuser privilege

Any trade secrets
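The inventory the slide asks for (where critical data lives, who can reach it, and which of those accounts are privileged) is usually answered by joining three exports: a data-classification register, an ACL dump of the repositories, and directory group membership. The script below is an added example, not material from the deck or the firm; every resource, user, group name and policy threshold in it is hypothetical and constructed for the run.

```python
"""Access review for trade-secret data.

Added example, not from the deck: joins a constructed ACL export with a
data-classification register and directory group membership to answer
the slide's questions (where critical data lives, who can reach it, and
which of those accounts hold administrative privilege). Every resource,
user and group name here is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical classification register: resource -> classification label.
CLASSIFICATION = {
    "share:eng/formulations": "trade secret",
    "share:sales/customer_master": "trade secret",
    "share:hr/handbook": "internal",
}

# Hypothetical directory export: user -> set of group memberships.
GROUPS = {
    "alice": {"eng-rd", "Domain Users"},
    "bob": {"sales", "Domain Users"},
    "carol": {"Domain Admins", "Domain Users"},
    "dave": {"Domain Users"},
    "svc-backup": {"Backup Operators"},
}

# Hypothetical ACL export: (resource, principal, rights), where principal is
# a user or a group and rights is the effective grant.
ACL = [
    ("share:eng/formulations", "eng-rd", "read"),
    ("share:eng/formulations", "Domain Admins", "full"),
    ("share:sales/customer_master", "Domain Users", "read"),  # over-broad
    ("share:sales/customer_master", "bob", "modify"),
    ("share:hr/handbook", "Domain Users", "read"),
]

# Assumed policy: membership in these groups is administrative/superuser
# privilege, and these groups are too broad to be granted critical data.
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}
BROAD_GROUPS = {"Domain Users", "Everyone", "Authenticated Users"}
RANK = {"read": 1, "modify": 2, "full": 3}


@dataclass
class Finding:
    resource: str
    kind: str      # "broad_grant" or "privileged_reach"
    detail: str


def resolve_principal(principal, groups=GROUPS):
    """Expand a user or group name to the set of users it covers."""
    if principal in groups:            # it is a user account
        return {principal}
    return {u for u, gs in groups.items() if principal in gs}


def review_access(acl=ACL, classification=CLASSIFICATION, groups=GROUPS):
    """Return (reach, findings).

    reach maps each trade-secret resource to {user: highest right};
    findings lists over-broad grants and privileged accounts that can
    reach critical data (they can also alter ACLs and logs)."""
    critical = {r for r, c in classification.items() if c == "trade secret"}
    reach = defaultdict(dict)
    findings = []
    for resource, principal, rights in acl:
        if resource not in critical:
            continue
        if principal in BROAD_GROUPS:
            findings.append(Finding(resource, "broad_grant",
                                    f"{principal} granted {rights}"))
        for user in resolve_principal(principal, groups):
            if RANK[rights] > RANK.get(reach[resource].get(user), 0):
                reach[resource][user] = rights
    for resource, users in reach.items():
        for user, rights in users.items():
            if groups.get(user, set()) & PRIVILEGED_GROUPS:
                findings.append(Finding(resource, "privileged_reach",
                                        f"{user} ({rights}) is privileged"))
    return dict(reach), findings


def privileged_accounts(groups=GROUPS):
    """Accounts whose group membership grants administrative privilege."""
    return sorted(u for u, gs in groups.items() if gs & PRIVILEGED_GROUPS)


if __name__ == "__main__":
    reach, findings = review_access()
    for resource, users in sorted(reach.items()):
        print(resource, users)
    for f in findings:
        print(f.kind, f.resource, f.detail)
    print("privileged accounts:", privileged_accounts())
```

On the constructed data the review shows that the customer master, a trade secret only so long as it is not readily ascertainable, is readable by every domain user, and that the one domain administrator can reach both trade-secret shares. Those two findings are exactly the job-position and data-location facts the vulnerability assessment needs before the program is tailored.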


What Constitutes a Trade Secret?

Information that:

Has commercial and economic value precisely because it is not generally known

Is the subject of reasonable efforts to maintain its secrecy


What Type of Information Can Be a Trade Secret?

Technical or non-technical data

Formula

Compilation

Program

Device

Method

Technique

Drawing

Process

Financial data


Examples of Trade Secrets

Blueprints and design manuals

Customer lists (so long as not generally known or readily ascertainable)

Manufacturing processes

Pricing information

Strategic business plans

Training manuals

Computer software

Formulas

Testing data

Research studies

Marketing plans


Once the Vulnerability Assessment Is Conducted and Trade Secrets Are Identified, What's Next?

The employer's program should be tailored to prevent, detect, and mitigate the identified risks posed by employees and to key data


Once the Vulnerability Assessment Is Conducted and Trade Secrets Are Identified, What's Next? (Cont'd)

Program should include personnel policies, including:

Pre-hire and periodic background checks and credit monitoring

Employee training

Access control and electronic monitoring of employee system use

Strong passwords

Acceptable use policies

Employer controls on the Internet of Things (IoT) in the workplace and Bring Your Own Device to Work (BYOD)


Once the Vulnerability Assessment Is Conducted and Trade Secrets Are Identified, What's Next? (Cont'd)

Program should also include:

Addressing BYOD and IoT risks, including regulating types of devices that can be worn or used in the workplace

Encryption for confidential data in transit and at rest

Pre-hire and periodic background checks and credit monitoring

Limiting access to documents

Safeguarding documents


Ongoing Training Is Key to Successful Program

Ongoing training is important both in preventing a breach and in defending against legal claims if a breach occurs

Training should occur regularly

Training should address social engineering attacks (e.g., phishing that delivers ransomware)

Training helps prevent events and intrusions


Documentation and Monitoring as Keys to Successful Program

Risks from disgruntled employees, or employees with a financial motive to participate in a data breach, should be documented and monitored using baselines and other objective measures

A deviation from normal baseline system activity or a high-risk event (e.g., demotion) should result in an objective trigger for increased scrutiny
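A minimal version of the baseline-and-trigger logic the slide describes, as an added example that is not part of the deck. It builds each user's baseline of daily outbound data volume from constructed log records, flags a day that departs sharply from that baseline, and separately raises a trigger when an HR feed reports a high-risk event such as a demotion, so both of the slide's objective triggers land in one review queue. The record layout, the three-standard-deviation threshold, the seven-day minimum baseline and the HR event names are all assumptions.

```python
"""Baseline-deviation trigger for insider monitoring.

Added example (not from the deck): builds a per-user baseline of daily
outbound data volume from constructed log records, then raises a
scrutiny trigger when a day deviates sharply from that baseline or when
HR reports a high-risk event such as a demotion. The record layout,
thresholds and HR feed are assumptions.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed daily egress records: (user, day, bytes sent outside the org),
# e.g. as summed from proxy or DLP logs. Two quiet weeks for both users.
EGRESS = []
for i in range(14):
    d = date(2017, 9, 1) + timedelta(days=i)
    EGRESS.append(("alice", d, 40_000_000 + (i % 3) * 5_000_000))
    EGRESS.append(("bob", d, 20_000_000 + (i % 2) * 4_000_000))
# Day 15: alice pushes ~2 GB out; bob stays within his normal range.
EGRESS.append(("alice", date(2017, 9, 15), 2_000_000_000))
EGRESS.append(("bob", date(2017, 9, 15), 22_000_000))

# Constructed HR feed: (user, day, event). Event names are assumptions.
HR_EVENTS = [("bob", date(2017, 9, 15), "demotion")]
HIGH_RISK_EVENTS = {"demotion", "resignation", "disciplinary_action"}

Z_THRESHOLD = 3.0        # assumed: flag days > 3 std devs above baseline
MIN_BASELINE_DAYS = 7    # assumed: no judgement on fewer than a week of data


def baseline(records, user, before):
    """Mean and std dev of a user's daily egress on days strictly before
    `before`, or None when too little history exists to judge."""
    vals = [b for u, d, b in records if u == user and d < before]
    if len(vals) < MIN_BASELINE_DAYS:
        return None
    return mean(vals), pstdev(vals)


def triggers(records=EGRESS, hr_events=HR_EVENTS):
    """Return sorted (user, day, reason) triggers for increased scrutiny."""
    out = []
    for user, day, sent in records:
        stats = baseline(records, user, day)
        if stats is None:
            continue
        mu, sigma = stats
        # A perfectly flat baseline would divide by zero; treat any rise
        # above it as an extreme deviation and anything else as none.
        if sigma > 0:
            z = (sent - mu) / sigma
        else:
            z = float("inf") if sent > mu else 0.0
        if z > Z_THRESHOLD:
            out.append((user, day,
                        f"egress {sent} bytes, z={z:.1f} vs baseline {mu:.0f}"))
    for user, day, event in hr_events:
        if event in HIGH_RISK_EVENTS:
            out.append((user, day, f"hr event: {event}"))
    return sorted(out)


if __name__ == "__main__":
    for user, day, reason in triggers():
        print(f"{day} {user}: {reason}")
```

Two design points matter in practice. The baseline is computed only from days before the day under test, so a single large transfer cannot inflate its own baseline and hide. And the HR trigger is deliberately separate from the technical one: a demotion is a reason to look more closely at an account that is behaving normally, which is precisely the case a purely statistical detector misses. The deck's point about consensual monitoring applies here too: the egress records should only be collected under a policy employees have acknowledged, and a trigger should open a documented review rather than drive an automatic adverse action.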


Formulate a Response Plan

The program must anticipate the likelihood that a breach will occur and outline a response plan

Forensic artifacts can be used to determine who, what, when, where, and why something occurred after a breach

The employer's policies in place (e.g., consensual monitoring) should facilitate any future forensic investigation and a quick response time


Legal and Other Options for Protecting Trade Secrets

Confidentiality agreements (the single most important factor courts will look at when determining trade secret status)

Restrictive covenants, such as non-compete andnon-solicit provisions

Notification to new employers of restrictivecovenants

Use of “assignment of invention” clauses

Use of exit interviews


Insider Threat Capabilities

Data Owners: Access Control; Modification of Data, Systems, or Logs; Unauthorized Access, Download, or Transfer of Assets; Detection and Identification

Human Resources: Recruitment; Screening/Hiring of Applicants; Restrictions on Outside Employment; Training and Education, Evaluation; Employee Behaviors in the Workplace; Conditions of Hire; Termination

Information Technology: Access Control; Modification of Data or Disruption of Services or Systems; Unauthorized Access, Download, or Transfer of Assets; Asset Management; Incident Response

Legal: Agreements to Protect Sensitive Information; Policies and Practices; Monitoring and Enforcement Programs; Enforcement and Termination; Contractor/Business Partner Agreements

Physical Security: Facility Security; Physical Asset Security; Asset Management; Incident Response; Property Lending Agreements; Termination

Software Engineering: Technical Policies and Agreements; Modification of Data or Systems; Incident Response Policy and Practice

Trusted Business Partners: Management of Business Partners; Contractor/Business Partner Agreements


Conclusion

Cyber security and protection of trade secrets is a shared organizational responsibility, involving IT, Legal, and HR, and is best addressed through an insider threat program

Stay vigilant!