Managing the Internal Threat: Preventing and Remediating Trade Secret Misappropriation by Disloyal Employees
September 14, 2017 | © 2017 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Panelists
- John G. Bates, General Counsel and Chief Information Security Officer, Clarity Insights
- Robert J. Hudock, Member, Epstein Becker Green, Washington, DC
- Jeffrey P. Rosier, Senior Employment Counsel and Director of State Government Relations, Marsh & McLennan Companies
- Peter A. Steinmeyer, Member, Epstein Becker Green, Chicago
True Story: SWE – Failure to Restrict Access
Insider Threats: The Bad News
- 74 percent of corporate counsel named data breaches as their top data-related legal risk
- One company found that insiders were responsible for 68% of all network attacks targeting health care data in 2016
- Most data breaches are caused by employees and other insiders (e.g., vendors), whether intentionally or inadvertently
Insider Threats: The Good News
Many insider data breaches are preventable
Timeline of Insider Activity
Opportunities for preventing, detecting, and responding to an insider attack
How to Prevent Insider Threats?
A formalized, well-documented, and consistently applied insider threat program, compliant with applicable law, that includes:
- Screening
- Monitoring, and
- Regular training of employees
What Are Insider Threats?
A malicious insider is a current or former employee or a business partner who has or had authorized access to an organization's network and intentionally exceeds or misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information or information systems.
What Are Insider Threats? (Cont'd)
An unintentional insider is someone who, through his or her action or inaction and without malicious intent, causes harm or substantially increases the probability of future harm to the confidentiality, integrity, or availability of the information or information systems.
What Should the Employer's First Step Be?
Conduct a vulnerability assessment to evaluate risks according to job position and to the most sensitive data.
What Should Employers Identify?
- Where confidential business information is maintained on its systems, and the employees who have access to this critical data
- Job positions that permit access to critical data or systems, or grant administrative or superuser privilege
- Any trade secrets
What Constitutes a Trade Secret?
Information that:
- Has commercial and economic value precisely because it is not generally known
- Is the subject of reasonable efforts to maintain its secrecy
What Type of Information Can Be a Trade Secret?
Technical or non-technical data, including a:
- Formula
- Compilation
- Program
- Device
- Method
- Technique
- Drawing
- Process
- Financial data
Examples of Trade Secrets
- Blueprints and design manuals
- Customer lists (so long as not generally known or readily ascertainable)
- Manufacturing processes
- Pricing information
- Strategic business plans
- Training manuals
- Computer software
- Formulas
- Testing data
- Research studies
- Marketing plans
Once the Vulnerability Assessment Is Conducted and Trade Secrets Are Identified, What's Next?
The employer's program should be tailored to prevent, detect, and mitigate the identified risks by employees and to key data.
Once the Vulnerability Assessment Is Conducted and Trade Secrets Are Identified, What's Next? (Cont'd)
The program should include personnel policies, including:
- Pre-hire and periodic background checks and credit monitoring
- Employee training
- Access control and electronic monitoring of employee system use
- Strong passwords
- Acceptable use policies
- Employer controls on the Internet of Things (IoT) in the workplace and Bring Your Own Device to Work (BYOD)
Once the Vulnerability Assessment Is Conducted and Trade Secrets Are Identified, What's Next? (Cont'd)
The program should also include:
- Addressing BYOD and IoT risks, including regulating the types of devices that can be worn or used in the workplace
- Encryption for confidential data in transit and at rest
- Pre-hire and periodic background checks and credit monitoring
- Limiting access to documents
- Safeguarding documents
Ongoing Training Is Key to a Successful Program
- Ongoing training is important both in preventing a breach and in defending against legal claims if a breach occurs
- Training should occur regularly
- Training should address social engineering attacks (e.g., ransomware)
- Training prevents events and intrusions
Documentation and Monitoring as Keys to a Successful Program
- Risks from disgruntled employees, or employees with a financial motive to participate in a data breach, should be documented and monitored using baselines and other objective measures
- A deviation from normal baseline system activity or a high-risk event (e.g., demotion) should result in an objective trigger for increased scrutiny
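The two objective triggers named on this slide, a deviation from a user's own activity baseline and a high-risk HR event, can be computed mechanically. The following is an added illustration, not code from the presentation or the panelists' organizations; the daily download counts and the HR event feed are constructed sample data, and the thresholds (three standard deviations and at least double the mean) are assumptions a program would tune to its own environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (user, day, files_downloaded). Not real data.
DAILY_ACTIVITY = [
    ("alice", 1, 12), ("alice", 2, 9), ("alice", 3, 14), ("alice", 4, 11), ("alice", 5, 10),
    ("alice", 6, 13), ("alice", 7, 95),   # day 7: sharp jump above alice's own norm
    ("bob", 1, 30), ("bob", 2, 28), ("bob", 3, 33), ("bob", 4, 31), ("bob", 5, 29),
    ("bob", 6, 32), ("bob", 7, 34),       # bob is a heavier user, but steady
]

# Constructed HR events from a hypothetical HR feed: (user, day, event)
HR_EVENTS = [("carol", 7, "demotion")]
HIGH_RISK_EVENTS = {"demotion", "resignation_notice", "termination_notice"}

def build_baselines(activity, upto_day, min_days=3):
    """Per-user (mean, std-dev) of daily downloads over the days before upto_day.
    Users with too little history get no baseline rather than a noisy one."""
    history = defaultdict(list)
    for user, day, count in activity:
        if day < upto_day:
            history[user].append(count)
    return {u: (mean(c), pstdev(c)) for u, c in history.items() if len(c) >= min_days}

def scrutiny_triggers(activity, hr_events, day, sigma=3.0, min_ratio=2.0):
    """Return objective triggers for `day` as (user, trigger_type, detail) tuples."""
    baselines = build_baselines(activity, day)
    triggers = []
    for user, d, count in activity:
        if d != day or user not in baselines:
            continue
        mu, sd = baselines[user]
        # Require both: outside the noise band AND materially above the mean, so a
        # user with a small, flat baseline is not flagged on a one-file uptick.
        if count > mu + sigma * sd and count >= min_ratio * mu:
            triggers.append((user, "baseline_deviation", f"{count} vs mean {mu:.1f}"))
    for user, d, event in hr_events:
        if d == day and event in HIGH_RISK_EVENTS:
            triggers.append((user, "high_risk_event", event))
    return triggers

if __name__ == "__main__":
    for trigger in scrutiny_triggers(DAILY_ACTIVITY, HR_EVENTS, day=7):
        print(trigger)
```

Because the comparison is against each user's own history, bob's higher but steady volume produces no trigger, while alice's day-7 spike and carol's demotion both do.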
Formulate a Response Plan
- The program must anticipate the likelihood that a breach will occur and outline a response plan
- Forensic artifacts can be used to determine who, what, when, where, and why something occurred after a breach
- The employer's policies in place (e.g., consensual monitoring) should facilitate any future forensic investigation and a quick response time
Legal and Other Options for Protecting Trade Secrets
- Confidentiality agreements (the single most important factor courts will look at when determining trade secret status)
- Restrictive covenants, such as non-compete and non-solicit provisions
- Notification to new employers of restrictive covenants
- Use of "assignment of invention" clauses
- Use of exit interviews
Insider Threat Capabilities
The slide lays out capabilities in a grid by organizational function: Data Owners, Human Resources, Information Technology, Legal, Physical Security, Software Engineering, and Trusted Business Partners. The column layout did not survive extraction; the capabilities shown include the following (several, such as Access Control, Incident Response, Termination, and Asset Management, appear under more than one function):
- Access Control
- Recruitment
- Agreements to Protect Sensitive Information
- Facility Security
- Technical Policies and Agreements
- Screening/Hiring of Applicants
- Modification of Data, Systems, or Logs
- Policies and Practices
- Modification of Data or Disruption of Services or Systems
- Restrictions on Outside Employment
- Physical Asset Security
- Modification of Data or Systems
- Management of Business Partners
- Unauthorized Access, Download, or Transfer of Assets
- Training and Education, Evaluation
- Employee Behaviors in the Workplace
- Asset Management
- Incident Response Policy and Practice
- Monitoring and Enforcement Programs
- Detection and Identification
- Conditions of Hire
- Incident Response
- Termination
- Enforcement and Termination
- Property Lending Agreements
- Contractor/Business Partner Agreements
Conclusion
Cyber security and protection of trade secrets is a shared organizational responsibility, involving IT, Legal, and HR, and is best addressed through an insider threat program.
Stay vigilant!