How Employers Can Conduct an Investigation of Computer Breaches by Current/Former Employees
Data security is a critical aspect of any company’s business operations whether the data involves confidential company information or the private personal data of individuals. Most employee-related violations—be it fraud, theft of IP, threats, or other misconduct—involves the use of electronic devices such as computers. The majority of these violations are committed by former or current employees. Their “inside” status within the company makes it easy for them to obtain and then steal large amounts of data in an easy manner. Types of data that are typically stolen include company trade secrets, passwords, employee records, customer lists and business plans, email lists, and other sensitive data.
Employers need to be aware of which employees have access to valuable and sensitive information, where this information is located, and how employees steal information (e.g., USB devices, cloud, email, etc.). Conducting an internal investigation of computer breaches by the employee who perpetrated the breach is of vital importance both to rectify the harm done and prevent its occurrence in the future. This article addresses these concerns by explaining the most important laws regulating computer breaches and electronic communications as well as how employers can best prepare and conduct an investigation for employee-related computer breaches.
What are Employee Computer Breaches?
Employee computer breaches can involve abusing the employee’s credentials or privilege within the company to access sensitive data or disseminating the stolen data to third parties for financial gain or retaliatory purposes. Whether the employee commits the computer breach negligently or intentionally, employers need to know how to respond and structure their investigation. As mentioned, these breaches are often committed by “insiders”—former or current employees. These individuals will usually have an intricate level of knowledge regarding the company, including schedules, passwords, or access points. Companies often suffer extensive damage where the information stolen entails personal information of customers, credit card or bank details, financial records, or intellectual property. Examples of computer breaches include phishing, denial-of-service attacks, ransomware, spyware, viruses, electronic theft, identity fraud, and other cybercrimes.
Laws Regulating Computer Breaches, Fraud, and Abuse
The United States has no national laws regulating data privacy and protection. Instead, laws and regulation on this topic are addressed at the state and local levels and also by industry sector (e.g., healthcare industry versus financial industry). There are, however, important federal statutes regarding improper uses of electronic devices or communications. For instance, the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is a federal statute that provides criminal and civil penalties for the unauthorized access to computers used in interstate or foreign commerce.
The CFAA prohibits the unauthorized access (or exceeding authorized access) of a protected computer without proper authorization. As the senior defense attorneys at Oberheiden, P.C. make clear, the CFAA applies to almost every computer due to the ability of electronic devices to transmit, receive, and exchange information for personal or business use across interstate or foreign commerce. The Supreme Court will issue its opinion on the scope of the CFAA later this year. Van Buren v. United States, 206 L. Ed. 2d 822 (2020).
Other relevant statutes include the Electronic Communications Privacy Act (“ECPA”) (which prohibits a third party from disclosing oral, wire, or electronic communications without proper authorization) and the Stored Communications Act (“SCA”) (which was enacted as a part of the ECPA and provides privacy protection of personal information stored by electronic storage providers). States have supplemented federal statutes by passing their own laws regulating computer crimes. Further, courts have also taken an active role in rooting out computer breaches. For instance, more and more courts are finding it appropriate to extend the CFAA outside the territory of the United States where the misconduct occurs abroad and causes injury to U.S. nationals.
Tips for Employers When Investigating Employee Computer Breaches
Company-wide investigations for employee computer breaches can cause significant problems. Internal investigations can be expensive, waste useful time and resources, and lead to legal issues and significant reputational harm. Fortunately, there are ways for employers to effectively manage these risks when conducting an internal investigation. Below are useful tips for employers to keep in mind when investigating employee-related computer breaches:
- Retain legal counsel to advise you on the scope and progression of the investigation. Computer breaches committed by former or current employees can easily escalate into protracted federal/state investigations and/or litigation. This risk is increased where the violating employee disseminates financial records of the company or personal information of customers to third parties. It is critical to respond as soon as possible. Retaining legal counsel experienced in crisis management and containment in addition to computer breach defense will help you and your company limit liability exposure.
- Have in place an internal investigations team as well as a crisis supervisor and crisis management plan. This tip allows your company to start gathering as much information as possible before an outside forensic investigator and attorney are brought in to help with the company’s investigation. A crisis management plan helps the company follow a detailed step-by-step process for dealing with internal computer breaches.
- Accumulate evidence from the breach. Preserving evidence is key to remedying the computer breach and preventing it from occurring in the future. In addition to retaining a forensic investigator, other useful steps include checking employee entry logs, reviewing employee complaints, internal whistleblower actions, employee files of disciplined or recently terminated personnel, witness accounts, etc. This information can help employers develop a picture of who may be responsible and the motives for their breach.
- Remove special or administrative privileges from “suspect” employees. This step prevents the breach from escalating into a major company crisis by restricting access to essential personnel with seniority. It may even involve temporarily revoking all privileges of all personnel until the root of the breach is uncovered.
- Hire an independent, third party forensic investigator to analyze the breach. This step, in conjunction with retaining an attorney, is the most important. Because computer breaches involve technology and oftentimes multiple electronic devices, a forensic investigator will be needed to review digital footprints, backup devices, and recovery options. Below are examples of how a forensic investigator can assist employers in their investigations for employee-related computer breaches:
- Identifying, preserving, and recovering digital evidence and data relating to the breach;
- Retrieving employee email messages stored on another device or in another location, such as deleted emails; or
- Using specialized software tools to extract deleted or transferred data such as internet history, employee logs, messages, call history, pictures, etc.
- Aim to lessen the severity of the breach. Steps to undertake here may vary but will likely include complying with notification provisions if the breach involved the personal information of customers. If the personal or sensitive data was disseminated to third parties, the company may need to seek an injunctive order from court. If the computer breach is significant, cooperation with any relevant authorities may reduce the public attention that will ensue.
“Computer breaches committed by former or current employees are difficult to prevent because these “insiders” may already have the credentials or passwords to perpetrate the breach. Whether committed out of retaliation or financial motive, computer breaches can quickly escalate into national headlines and cause your company irreparable reputational harm. Understating how to respond when conducting an internal investigation is key to reducing your liability and the public eye.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
Employee-related computer breaches are increasing in severity and scope as the world grapples with new technological advancements. The means available to steal sensitive or personal data from a company are expanding, giving disgruntled employees all the ammunition needed to perpetrate a computer breach. Federal statutes such as the Computer Fraud and Abuse Act are useful when thinking about punishment and remedies but less useful when helping the company contain the breach and limit its liability. Employers need to be constantly prepared for computer breaches, especially when committed by “insiders.” Adopting an approach that prepares the company with a strategic response plan and detailed internal investigation will help the company better contain the crisis.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.