Title: Data Theft: Do's and Don'ts · 2018. 3. 16. · Data Theft “Dos and Don’ts ... instant...
MARCH MADNESS: EMERGING LEGAL ISSUES AND TRENDS
Session 3: 11:40-12:40 Presented by FTI Consulting
Title:
Data Theft: Do's and Don'ts
Speakers: Jason Ray
Managing Director - Technology Solutions FTI Consulting
March Madness 2018
Data Theft “Dos and Don’ts”
Jason Ray, Managing Director
Introductions
FTI Consulting
§ 4,000+ professionals around the world and over 400 eDiscovery & Computer Forensics professionals
§ FTI’s Technology Segment focuses on eDiscovery & Computer Forensics
§ Publicly traded on the NYSE: FCN
Jason Ray
§ Managing Director of FTI’s West Coast Technology Practice
§ 11 years with FTI and 36 years in Discovery Services
The Difference between Theory and Practice
In theory, there is no difference between
theory and practice.
In practice, there IS.
Topics Covered Today
1. Defining Trade Secrets
2. Laws governing theft of trade secrets
3. Do’s and Don’ts
4. Proactive and Reactive Options
ECONOMIC ESPIONAGE ACT
The Economic Espionage Act defines a “trade secret” as having the following elements:
1. It must be information;
2. That is not generally known;
3. From which the owner derives economic value from its secrecy; and
4. Where the owner made reasonable efforts to maintain its secrecy.
18 U.S.C. § 1839.
Definition of a Trade Secret
UNIVERSAL TRADE SECRET ACT
"Trade secret" means information, including a formula, pattern, compilation, program, device, method, technique, or process, that:
(i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and
(ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Civil Trade Secret Theft Laws
§ Until May 2016, trade secret theft was handled primarily by state laws
o Most adopted some version of the Uniform Trade Secrets Act
§ Defend Trade Secrets Act of 2016 was signed on May 11
o Federal and state laws will co-exist like anti-discrimination laws
o Claims can now be filed in federal court and seek remedies such as a seizure order to recover stolen trade secrets (also damages as a result of wrongful seizure)
o Damages for actual loss and damages for unjust enrichment
o Instead of damages, a reasonable royalty for the unauthorized use or disclosure
o Exemplary damages for willful or malicious misappropriation
o Similar to the UTSA, attorneys’ fees for bad faith misappropriations
o Injunctive relief, or where an injunction would be inequitable, payment of a reasonable royalty.
§ The DOJ principally relies on 2 criminal statutes in investigating and prosecuting theft of trade secrets
o Economic Espionage Act (EEA) - 18 USC §§ 1831-39
o Computer Fraud and Abuse Act (CFAA) – 18 USC § 1030
Criminal Trade Secret Theft Laws
The DOJ principally relies on 2 criminal statutes in investigating and prosecuting theft of trade secrets:
§ Economic Espionage Act (EEA) - 18 USC §§ 1831-39
§ Computer Fraud and Abuse Act (CFAA) – 18 USC § 1030
§ Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
§ (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act;
§ (B) information from any department or agency of the United States; or
§ (C) information from any protected computer;
Issues for Corporations & Law Firms
What is the leading cause of data breaches? Network Hacking/Malicious Breach OR Non-Network Breach?
Non-network breach: 69%
Network Hacking or Malicious Breach: 31%
Statistics
• Trade secret thefts cost U.S. businesses more than $250 billion per year
• 60 percent of companies polled reported they had experienced attempts to steal their proprietary information.
• The number of thefts is increasing geometrically – projected to be up 5,000% within the next decade.
• Employees take the data they know, work with and often feel entitled to it. 75% of internal thefts are of material they were authorized to access.
• 65% of these employees had already accepted positions with a competing company or started their own company at the time of the theft.
• IP stolen by insiders includes:
  • 52% trade secrets
  • 36% proprietary business information (billing, plans, price lists, etc.)
  • 34% source code or proprietary software
  • 12% customer information
How people “took data” then …
… and now
… anywhere and everywhere
Changes in the Data Landscape
How IP can slip through the cracks
§ Tremendous amount of information can slip through very small cracks (e.g. MicroSD cards the size of a fingernail)
§ MicroSD cards can hold 512 GB of data in the size of a fingernail.
– That’s equivalent to 6.6 billion pages of paper or over 80,000 trees worth of paper.
– Cards can be found in phones, tablets, cameras, etc.
How IP can slip through the cracks
World Wide Web
§ Email
§ FTP
§ Cloud Storage
§ Apps
§ Copy & Paste
Hackers
Lost/Stolen Laptops, Tablets, or Phones
Vendors
The Dumpster
Do’s and Don’ts
§ Trade secrets can be stolen through any of the devices we have discussed – and more.
§ That doesn’t mean we shouldn’t embrace technology in our jobs.
§ How can we protect our IP while enabling employees to work?
Do’s and Don’ts

Do: Give employees the tools they need to do their jobs
Don’t: Tell them they can’t use a particular type of technology without providing an alternative

Do: Opt for corporate versions of technology (e.g. Box for business, encrypted thumb drives)
Don’t: Allow unfettered access to file sharing tools

Do: Provide hardware to facilitate work and track it/get it back when an employee leaves
Don’t: Let an employee walk off with your hardware when they are terminated

Do: Consider secure options of common technology (e.g. encryption on photocopiers and external devices, instant messaging, mobile device communication, etc.)
Don’t: Let employees pick their own security settings on devices

Do: Let employees know that you monitor activity and DO SO
Don’t: Buy expensive monitoring technology and then not review the reports
The importance of policies and monitoring
§ One client allows BYOD but employees must first sign a waiver that allows the company access to the device at any time to comply with legal and regulatory requests
§ Another client monitors USB device activity via DLP (Data Loss Prevention) software
§ In one instance, a client installed software to take screenshots of certain actions on a computer
Proactive and Reactive Options
Proactive Actions
Protecting Critical IP… From employees
§ Disabling USB, DVD, and uncontrolled cloud storage.
§ Monitoring employee actions
§ Implementing effective IT policies and enforcing them
§ Informing employees of policies and procedures
§ Employee Monitoring systems
Protecting Critical IP… From outsiders
§ Firewalls/proxies
§ Encryption/Good information governance policies
§ MDM/DLP/Monitoring Technology
§ Penetration testing
§ Regular Implementation of security patches and updates
§ Develop a proactive plan/response team
Proactive Tools to Consider
MDM, DLP, Monitoring
Reactive Investigations – Key Points
§ Preserve quickly – and completely
§ Every detail will be examined
§ Every discrepancy will be attacked
§ Things change constantly as new knowledge is gained
§ Plans must include investigation AND remediation
§ Timelines are extremely aggressive
§ Carefully consider law enforcement involvement
Common Artifacts – Personal Computers
§ Devices connected – USB and Removable
§ Link files – files accessed
§ Jump lists – recent files shown when right clicking apps in Windows 7 and beyond
§ MRU – Most recently used
§ System registry
§ Unallocated space
Common Artifacts – Internet History
§ Report on websites visited
o URL
o Date
o Names of page
§ Visual representation of what website looked like
§ Cached webmail (fragments or SQLite database)
§ Google Map searches
§ Cloud storage usage
§ Dating/Gaming/Pornography
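An added example, not part of the original slides: a minimal report of URL, date and page name from a browser history database, flagging visits to cloud storage hosts. It assumes a Chromium-style History SQLite layout reduced to the columns used here; the sample rows, the host watch-list and all function names are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: hosts treated as cloud storage; adjust to the environment.
CLOUD_HOSTS = ("dropbox.com", "drive.google.com", "box.com", "onedrive.live.com")

def webkit_to_utc(us):
    """Chromium stores visit times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def utc_to_webkit(dt):
    # Integer division keeps microsecond precision (floats would lose it).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_db():
    """Constructed sample rows in a reduced Chromium History layout."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);")
    utc = timezone.utc
    rows = [
        (1, "https://intranet.example.test/pricing", "Price list", datetime(2018, 3, 1, 9, 0, tzinfo=utc)),
        (2, "https://www.dropbox.com/home/upload", "Files - Dropbox", datetime(2018, 3, 1, 9, 5, tzinfo=utc)),
        (3, "https://drive.google.com/drive/my-drive", "My Drive", datetime(2018, 3, 2, 18, 30, tzinfo=utc)),
        # Lookalike host: contains "dropbox.com" but is not a Dropbox domain.
        (4, "https://dropbox.com.example.test/", "Login", datetime(2018, 3, 3, 8, 0, tzinfo=utc)),
    ]
    for uid, url, title, when in rows:
        db.execute("INSERT INTO urls VALUES (?, ?, ?)", (uid, url, title))
        db.execute("INSERT INTO visits(url, visit_time) VALUES (?, ?)", (uid, utc_to_webkit(when)))
    return db

def is_cloud_host(url):
    """Match on the parsed hostname (exact or subdomain), not a substring."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)

def history_report(db):
    """Return (utc_time, url, title, is_cloud_storage) per visit, oldest first."""
    query = ("SELECT v.visit_time, u.url, u.title FROM visits v "
             "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [(webkit_to_utc(t), url, title, is_cloud_host(url))
            for t, url, title in db.execute(query)]

if __name__ == "__main__":
    for when, url, title, cloud in history_report(build_sample_db()):
        print(when.isoformat(), "CLOUD" if cloud else "-----", title, url)
```

On a real examination, run this against a read-only working copy of the history file taken from the preserved image, never against the original evidence.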
Common Artifacts – Mobile Devices
§ Email/Webmail
§ IM/Skype logs/GChat fragments
§ Backups of cell phones on hard drives and iCloud contain text messages
§ Text messages, iChat, Skype, WhatsApp, Kik, etc.
§ Records from carrier in lieu of phone itself
§ Social Media Applications
The Value of an Investigative Team
Computer forensics
• Who did what when on a computer
• Massive source of information
Human intelligence
• Invaluable when your most sensitive information is missing
Web investigations
• Tracing IP addresses
• Social Media
Background investigations
• Fills in the gaps between computer forensics and human intelligence
• E.g. what kind of car does the subject drive
Questions