Protect Your Firm’s Electronic Systems From Malevolent Employees
By: John B. Gamble, Jr. and D. Albert Brannen
Firms used to be able to protect themselves when terminating employees by changing locks, monitoring the removal of personal items from desks and lockers, and escorting the employee from the premises. Today, computer-wise employees can hurt your firm in more serious ways than by simply taking or damaging physical property. In this article, we suggest 10 ways that firms can protect their electronic systems and preserve critical evidence in the unfortunate event that litigation with such employees becomes necessary.
1. Preserve computer hard drives after an employee is terminated or resigns. When an employee is terminated, many firms reassign the terminated employee's computer to another employee, then reformat the hard drive and reinstall software. This process either destroys electronic evidence of the employee's improper activities or compromises it so badly that its usefulness in litigation is questionable.
Thus, whenever employees are terminated in situations in which litigation is possible, the employee's old hard drive should be removed and secured. If a long storage period is anticipated, or if storage space is scarce, the hard drive should be imaged and retained in a more durable medium such as a DVD. However, care must be taken to image the complete drive contents. Such imaging requires the use of forensic-grade software instead of the software typically used for replicating workstations. Critically, all forensic imaging, and any and all forensic examinations of the evidence, must be done in such a way as not to change any of the active or deleted data on the drive.
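The integrity check behind that requirement, as an added example that is not from the authors: the source is hashed before and after a byte-for-byte copy and the image must match both. SHA-256 verification is the customary check rather than something the article specifies, and the sketch assumes the source is an ordinary file or a device node already behind a write blocker; it illustrates the check and does not replace forensic-grade software.

```python
import hashlib
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time

def sha256_of(path):
    """Hash a file or device node opened strictly read-only."""
    digest = hashlib.sha256()
    with os.fdopen(os.open(path, os.O_RDONLY), "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def image_and_verify(source, image):
    """Copy every byte of source to image and prove neither side changed."""
    before = sha256_of(source)
    copied = 0
    src_fd = os.open(source, os.O_RDONLY)      # evidence is never opened writable
    # Mode "xb" refuses to overwrite an existing image file.
    with os.fdopen(src_fd, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())                 # force the image onto the medium
    after, image_hash = sha256_of(source), sha256_of(image)
    if not (before == after == image_hash):
        raise RuntimeError("hash mismatch: image is not a faithful copy")
    os.chmod(image, 0o444)                     # keep the stored image read-only
    return {"source": source, "image": image, "bytes": copied,
            "sha256": image_hash,
            "imaged_at_utc": datetime.now(timezone.utc).isoformat()}
```

The returned record (size, digest, time) is what would be written into the evidence log so that a later examination can re-hash the image and show it is unchanged.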
2. Preserve server-based e-mails. Just as important as preserving hard drives is the preservation of any and all active and deleted e-mails to or from the employee (including e-mails on which the employee is copied). The employee's full electronic mailbox should be preserved. This should be done separately from the recovery of deleted e-mails, so that recovered e-mail which had been deleted by the employee is distinguishable from e-mails which were still in the employee's mailbox upon termination of employment. The fact that the employee deleted the e-mail, and the timing of the deletion, may be critical.
3. Carefully inspect for documents of interest. The employee's hard drive and e-mails need to be examined for documents of interest, but this process should never be started until after both the hard drive and the employee's e-mails have been properly preserved. Beyond the obvious search for e-mails which are of operational use, the examiner should look for file system remnants, and determine when important files were deleted, or whether the computer was ever cleaned or defragmented by the employee.
An examination for computer cleaning can include a determination of whether a software program was run and whether any other artifacts remain of file wiping software that may have been used. Another sign of drive cleaning by the departed employee could be large volumes of files being created or copied onto the computer, as the process of copying large quantities of new files can overwrite previously deleted files and make them unrecoverable.
If large quantities of files have been deleted, there is reason to suspect that the employee may have run the Windows disk defragmenter to overwrite deletions, hiding them and making them harder to recover. As a result, the use of a defragmentation program by an employee trying to hide nefarious conduct can be effective in making deleted files unrecoverable. Determining whether a defragmentation program has been run should be part of most forensic examinations of the hard drives of departed employees.
There should also be a review of LNK files. LNK files are Windows shortcuts such as those most users keep on Windows desktops or on their Start Menus. In the case of the terminated employee, detection and review of LNK files often help the examiner determine whether suspect documents have been copied or downloaded to storage devices such as floppy disks, zip disks, or home networks.
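What an examiner reads out of a shortcut, as an added example that is not from the authors: a minimal parser for the Windows shell link (LNK) header and its volume record, which yields the target's timestamps and size plus the type, serial number and label of the volume the target lived on. The sample shortcut, its path and its volume values are constructed for the demonstration; only the ANSI local-path case is handled.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)           # FILETIME epoch
CLSID = bytes.fromhex("0114020000000000c000000000000046")   # shell link class id
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "network", 5: "cd-rom", 6: "ram disk"}

def _filetime(ticks):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ticks // 10)

def _cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk(data):
    """Extract target timestamps, size and volume details from LNK bytes."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != CLSID:
        raise ValueError("not a Windows shell link")
    flags, _attrs, created, accessed, modified, size = struct.unpack_from(
        "<IIQQQI", data, 20)
    info = {"target_created": _filetime(created), "target_accessed": _filetime(accessed),
            "target_modified": _filetime(modified), "target_size": size}
    pos = 76
    if flags & 0x1:                      # HasLinkTargetIDList: skip the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:                      # HasLinkInfo
        li = data[pos:]
        _size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", li)
        if li_flags & 0x1:               # VolumeIDAndLocalBasePath
            _vsz, dtype, serial, label_off = struct.unpack_from("<4I", li, vol_off)
            info.update(drive_type=DRIVE_TYPES.get(dtype, "unknown"),
                        volume_serial=f"{serial:08X}",
                        volume_label=_cstr(li, vol_off + label_off),
                        local_path=_cstr(li, path_off))
    return info

def build_sample_lnk():
    """Constructed sample: a shortcut whose target sat on a removable volume."""
    when = (datetime(2005, 3, 14, 17, 42, tzinfo=timezone.utc) - EPOCH) \
        // timedelta(microseconds=1) * 10
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, CLSID, 0x2, 0x20,
                         when, when, when, 48213, 0, 1, 0, 0, 0, 0)
    label, path = b"USB_STICK\0", b"E:\\clients\\list.xls\0"
    vol = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    offs = (28, 28 + len(vol), 0, 28 + len(vol) + len(path))
    link_info = struct.pack("<7I", offs[3] + 1, 28, 0x1, *offs)
    return header + link_info + vol + path + b"\0"
```

A `drive_type` of "removable" together with a volume serial that matches no drive in the firm's inventory is the kind of finding that points to a document having been opened from, or saved to, the employee's own media.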
4. Practice good computer security procedures. Computer security must start with the basics: unique passwords, restricted permissions, regular changing of passwords, activity and access logging, and logging off when leaving a workstation. Beyond this, a forensic examiner's analysis is significantly facilitated by using information captured in security logs, adding to other evidence found on hard drives and in active and deleted e-mails. Security and access logs should be regularly backed up and retained (see discussion below of adequate retention horizons).
5. Communicate and verify receipt by employees of computer-related policies and procedures. Employee handbooks, receipt of which should be acknowledged by all employees, should communicate plainly that firm computers and other electronic systems are firm property, that they are for business purposes only and that the employees should have no expectation of privacy in their use. Firms should adopt rules prohibiting the installation of unapproved software, and prohibiting the cleaning or deletion of electronic data before returning a computer to the firm. Employees should be put on notice that the firm may monitor and inspect computers at any time, and that exit interviews will include a final computer inspection and review. Firms should specifically reserve the right, and notify employees of their intention, to monitor all computer activities using firm equipment and to use spyware as appropriate.
6. Use spyware to monitor and control employee computer use. As computer usage has increased in the workplace, so has the number of employee distractions with e-mail, internet surfing and computerized games. To counter these problems, software makers developed employee monitoring programs (spyware) that can be installed on employee machines remotely from a central location. Spyware packages provide a wide range of monitoring capabilities: restricting employee access to certain internet sites, preventing installation of software, logging employee activity and application usage and recording e-mails and attachments sent or received by the employee.
7. Establish adequate time limits for data retention and backup. With the advent of electronic discovery, some firms have attempted to reduce the burden of electronic discovery in litigation by reducing the volume of their electronic data archives. However, if the backup cycle is only a few months, evidence of employee misconduct may be lost forever. The longer the backup cycle, the more likely it will be that critical evidence for litigation will be retained but, at the same time, you will have more data to review in the event of litigation. Ultimately, the length of these cycles will need to be based on each firm's unique circumstances.
8. Conduct surprise inspections. Surprise inspections of employee computers for compliance with firm policies and procedures should be a standard practice. Live inspections can be time consuming and disruptive, and, of course, they alert the employee to the fact that he or she is being monitored, enabling the employee to further disguise his activities; and such inspections can sometimes cause morale problems or generate conflict in the workplace. The number of live inspections needed, however, can be reduced significantly if remote employee monitoring devices are used, thus enabling internal auditors to review data files remotely without disruption of the employee's work, and, when necessary or appropriate, without the employee's knowledge.
9. Consider the threat of new technologies. New technologies such as PDAs, cell phones, thumb drives, wireless networks, and instant messaging are quickly making their way into today's workplaces. These different technologies present a real threat to firms when used by employees who want to copy or send confidential information outside the workplace.
10. Be sensitive to smuggling techniques. Sophisticated hackers now have access to digital steganography and watermarking. Steganography (literally meaning “covered writing”) is the process of hiding information within other information. Digital watermarking is a further enhancement to digital steganography, which makes the hidden information in the digital document resistant to removal of the identification feature. These technologies can be used to hide client lists, business plans, and computer source codes in files as innocuous-looking as vacation or family photos that can be e-mailed from work to home by an employee before his departure from the workplace (or from a current employee to a departed employee). Because such hidden data within a file is imperceptible to the eye, a reviewer of the data cannot detect its existence without special software and/or access to the unaltered original file. To guard against the use of these sophisticated techniques, firms should install spyware that alerts the firm whenever an employee installs unapproved software that has the capability of hiding data by such means and that can also be used to monitor an employee's use of instant messaging, thumb drives, and wireless networks.
Conclusion.
Although computers and related electronic equipment are the tools which firms use to keep pace and stay competitive in today's world, employee misuse of electronic equipment is an increasing threat to firm security and survivability. Clearly, more is at stake for firms in monitoring and controlling employee computer activity than lost productivity from web surfing and computer games.
Firms must also deploy an arsenal of modern electronic weapons to protect their electronic systems in the workplace. In today's world, firms must protect themselves against malevolent employees by using proactive weapons such as spyware, surprise inspections, and consistently enforced computer security procedures and reactive weapons such as forensic imaging and adequate retention horizons.
For more information, feel free to contact the authors at www.laborlawyers.com or 404.231.1400.
_______
John B. Gamble, Jr. and D. Albert Brannen are partners at Fisher & Phillips LLP here in Atlanta where they represent employers nationwide in labor and employment law matters.