Many of our forensic engagements entail the investigation of EMPLOYER OWNED and COMPANY ISSUED devices that were issued to an employee. These can include computers, smartphones, USB devices, data repositories, email, web sites, online services, etc., and the investigation can impact employee workplace privacy.
Lacking at times are sufficient electronic usage policies to substantiate the do’s and don’ts of using such equipment.
Another pitfall for employers is allowing employees to access company data with personal devices. Allowing this essentially eliminates control over company proprietary data. Think Edward Snowden.
The following list provides the foundation for securing company information:
- Only allow company issued devices to access company resources.
  - Good luck trying to get an employee’s personal computer, thumb drive or smartphone for analysis.
  - The IT department can deploy policy restrictions to lock down access to only defined devices. Not a big undertaking.
- DO NOT use shared devices or logins.
  - Using shared computers or, worse, shared logins can severely hamper an investigation. You ultimately want a secured unique ID for every person and every device.
- Enable audit logging where appropriate.
  - Network access and applications provide activity audit logging and can provide key evidence of who did what, and when.
- Establish an asset management tracking system.
  - This does not need to be elaborate, but items from card keys to company issued devices should be logged and ultimately tracked through destruction.
- Perform an annual review of the network security policy.
  - Many companies do not have this in place now, but it is critical to support the electronic usage policy.
- Create an up-to-date and comprehensive electronic usage policy.
  - Have it reviewed with counsel when it changes in accordance with the security policy, or every 2-3 years.
  - Technology changes so rapidly that new technologies may not be covered by the current policy. For instance, many policies today fail to mention smartphone and social media use.
During an incident response or initial call with the client, it’s imperative to quickly determine the universe of what could be potentially relevant and to determine the risk of exposure. We run through a cursory checklist to better define the impact:
- What company devices were issued to the employee?
- Was the employee allowed to use personal devices for work?
- Could the employee use USB thumb sticks or 3rd-party web services without limitations?
- Does the employer have all devices now?
- What was the job function of the employee?
- What systems were accessed by the employee?
- Was the employee provided remote access to the company’s network and email?
- Has remote access been disabled?
- Could anyone else be involved?
Those questions give us a 10,000-foot view of our universe of exposure and a baseline to drill down further, if needed, when we review permissions, proprietary application features, data backup retention and offsite archives, access limitations, etc.
So we now have the universe of devices and data collected for analysis. On these devices there are files that are personal in nature, such as personal email, family photos, text messages, etc. All of these are gems when it comes to analysis, but is reviewing them a violation of the employee’s workplace privacy?
Having the policies listed above current and in effect will address any challenges. From my experience, if this data exists on the company computer then the employee has waived their right to privacy for review of these files.
I investigated a matter a few years ago when counsel provided me the computer of an employee who, upon trashing his cube, abruptly left his employment without notice. A clear indication that something was amiss.
Upon our review, we were able to recover over two weeks of cached web pages that were imprints of what was on the screen when this employee was accessing his Yahoo email at work, on a work computer. Those cached email pages were available without having to access the employee’s Yahoo account – they were simply recovered files on the computer that we were able to view without any restrictions or authentication.
These files provided two weeks of email conversations that essentially provided all the information needed to confirm a conspiracy to create a competing business, and in fact the account was the system used to transfer proprietary company information. Think the client and attorney were happy?
This case never got to court, and the effort to start a competing business was squashed.
What about personal information found that includes user IDs and passwords pertaining to non-company services like personal email? Yes, these were there too, but by no means could they be used. The Computer Fraud and Abuse Act (CFAA) prohibits accessing a computer without authorization, or in excess of authorization. The fact that we were able to recover the user ID and password to the employee’s Yahoo account does not give us authorization to access his online account. The cached email imprints, by contrast, are not protected by the CFAA.