Not long after American Superconductor (AMSC) employee Dejan Karabasevic was demoted and resigned, he went rogue. Seeking revenge, he covertly sold AMSC’s encrypted software key code to its most valuable customer. AMSC eventually detected this exploitation and identified Karabasevic as the culprit. He was arrested, pleaded guilty, was sentenced to a year in jail, and was ordered to pay $270,000 in restitution. But for AMSC, that was hardly the end of the story.
AMSC’s prized customer denied any wrongdoing in the matter, yet the two businesses severed ties. The result was a blow to the bottom line for AMSC: it suffered a devastating 90% drop in revenue and its stock price plunged from $40 to $4.
This is but one illustration of the colossal damage a “bad leaver” can inflict upon his or her ex-employer.
What Is a Bad Leaver?
Simply put, bad leavers are disgruntled employees who “leave” a company on “bad” terms and cause deliberate harm before or after they exit, typically in clandestine fashion. This relatively nascent 21st-century phenomenon is evolving into a serious business threat. Why now? Blame largely goes to advanced technology. Global Internet access, small portable data-storage devices (e.g., USB drives), universal e-mail and texting capabilities, and powerful mobile communication gadgets like smartphones and BlackBerries have empowered the bad leaver with a new arsenal of high-tech weaponry.
First Step in Combating Bad Leavers: Be Prepared
Given the potential risks and ramifications associated with bad leavers, companies should be prepared to detect, assess, and react to data theft or damage — quickly. That requires IT security systems and processes that are both robust and agile.
If a bad leaver destroys, alters, or steals information, be ready to work with an array of electronic equipment and voluminous information of various types in an effort to uncover latent evidence or isolate compromised data. As such, companies should diligently back up and warehouse employees’ electronic information in a manner that will efficiently facilitate fast data identification, revival, and analysis. When it comes to apprehending the bad leaver, companies should also strive to create an IT environment that is conducive to locating the proverbial “smoking gun,” and moreover is adept at applying ironclad forensics to authenticate evidence in a court of law.
Once notified of a departing employee, precautionary measures call for vigorous imaging of the individual’s electronic devices, network storage locations, and physical and technological access points. Instituting thorough exit protocols is critical to organizing and tracing a bad leaver’s “electronic footprints.” Without such procedures in place, time spent gauging a bad leaver’s degree of destruction is likely to become burdensome and costly, and especially problematic if crucial evidence is missed or becomes spoiled.
The Particulars of Privacy
Investigating the aftermath of a bad leaver can raise thorny privacy and legal issues for an employer. Thus, it usually makes good sense to consult with an attorney who specializes in privacy-related matters.
For example, an angry employer might opt to leverage the “cache” or “cookies” on a bad leaver’s computer in order to retrieve prepopulated log-on credentials and ultimately access his/her e-mails. However, that maneuver could spark privacy concerns and potentially disrupt an otherwise appropriate internal investigation.
Suppose a company discovers e-mails between a bad leaver and his/her attorney on the company’s equipment or network. Should litigation ensue, the bad leaver may assert that those e-mails were attorney-client privileged communications and, consequently, proof of bad faith on behalf of the company. This scenario fosters such embryonic questions as: Should a company manage but not read such e-mails? Should it seek a neutral third party to host the e-mails? Or instead, should the ex-employer return the e-mails in question to the bad leaver? Privacy dilemmas and uncertainties must be carefully taken into account.
Preservation Is Priceless
After identifying a bad leaver, the greatest difficulty often lies in determining the impact of injury, especially if it’s related to a data breach, source code theft, stolen intellectual property, or other electronic crimes. First steps should focus on evidentiary preservation. Answers to some of the following questions can serve as a guide:
- What communications must be preserved?
- Did he or she communicate via company e-mail or instant messaging?
- Were files shared through web e-mail?
- What back-up systems need preservation?
- To which systems did the bad leaver have access?
- What devices did the bad leaver use?
- Are there possible co-conspirators, and if so, are they still with the company?
A bad leaver incident suggests that litigation, a government investigation, or other judicial proceeding is imminent. For that reason, it is wise to engage independent forensics experts to preserve and manage bad leaver data. These professionals are uniquely qualified to anticipate the associated challenges a company might face in court, and to that end, ensure proper and sound forensic safeguarding of the integrity and authenticity of all relevant evidence.
The Digital Forensic Deep Dive
When examining bad-leaver data, the forensic process is far more comprehensive than merely collecting evidence from the “active area” of a computer hard drive. Forensic methodology explores beyond the obvious, combing for files in what is known as the hard drive’s “unallocated space.” It is here that a forensic examiner can retrieve a deleted file, provided that data has not been written over the area in which the file once resided. The forensic approach also unveils critical findings by systematically investigating the following components:
- “Deleted Recoverable Files”: Some erased files can create retrieval “pointers” that show a forensic examiner where to recover documents from a computer’s trash bin, temp files, or Internet cache files.
- Exhaustive Key Word Searches: May not recover documents, but they can at least render folder listings, path information, or other provenance indicia.
- Media Usage: USB drives, DVDs, and network or Internet resources can leave behind data remnants or full copies of documents in the computer’s temporary or cache files. In addition, if a bad leaver uses a USB device on a company computer, a forensic expert can detect the USB’s registry value, and with that information identify individual documents as having been present on the USB.
- Operating System-Created Files (e.g., link files or Index.dat files): May yield evidence of the time and date a file was either accessed or edited, or copied or moved to external media.
- Encryption Software or Wiping Utilities: Can be used to try to hide or erase criminal tracks, but digital forensic experts can reveal traces of such bad-leaver transgressions and even verify use of intentional overwriting tools.
- Internet History: Reveals a user’s relevant searches or downloads that may also produce evidence of other surreptitious activities.
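The point about unallocated space can be seen in a small signature-based carver, given here as an added example that is not from the article or from any forensic product. It scans a constructed byte buffer standing in for unallocated space, recovers files whose header and footer both survive, and flags one whose tail has been overwritten; the sample data, the size cap, and the assumption that files are stored contiguously are all illustrative.

```python
import hashlib

# Well-known header/footer magic bytes for two file types.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 1 << 20  # assumed upper bound on a carved file's size


def carve(image: bytes) -> list:
    """Find header/footer pairs in a raw buffer; flag files whose tail is gone."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            body = start + len(head)
            end = image.find(foot, body, start + MAX_CARVE)
            nxt = image.find(head, body)
            # No footer, or another header begins first: the tail was overwritten.
            if end == -1 or (nxt != -1 and nxt < end):
                found.append({"type": kind, "offset": start, "intact": False,
                              "size": None, "sha256": None})
                pos = body
                continue
            data = image[start:end + len(foot)]
            found.append({"type": kind, "offset": start, "intact": True,
                          "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = end + len(foot)
    return sorted(found, key=lambda r: r["offset"])


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': two deleted files plus one clobbered one."""
    pdf = b"%PDF-1.4\nconstructed design notes\n%%EOF"
    jpeg = b"\xff\xd8\xff\xe0" + b"constructed pixels" + b"\xff\xd9"
    clobbered = pdf[:20] + b"\x00" * 30  # header survives, rest overwritten
    return (b"\x00" * 512 + pdf + b"\x00" * 100 + clobbered
            + b"\x00" * 64 + jpeg + b"\x00" * 128)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

The SHA-256 recorded for each intact file gives a fixed value that later copies of the recovered evidence can be checked against.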
Technology: A Bad Leaver’s Friend or Foe?
It is true that bad leavers who slash their boss’s tires may never be caught. However, trying to cover up or expunge devious behavior in the digital world is next to impossible. Indeed, the bad leaver will have a far tougher time trying to definitively destroy e-mails or texts, wipe out artifacts that show attempts to delete files, or successfully tamper with network activity logs to obfuscate evidence of malfeasance. So although technology may enable the malicious modus operandi of a bad leaver, ironically enough it can exponentially contribute to that same bad leaver’s downfall.
John Reed Stark is managing director and deputy general counsel in charge of the Washington office of Stroz Friedberg, a digital forensics and e-discovery consulting firm. Formerly, Stark served for almost 20 years in the enforcement division of the Securities and Exchange Commission, the last 11 as chief of its Office of Internet Enforcement. He also has served for the past 15 years as an adjunct professor of law at the Georgetown University Law Center.