Social media and web based communication has become part of our daily lives, both personally and professionally and the speed at which dialogue is exchanged and the range of content shared means that social media use tends to be more informal and uninhibited. However, many people forget that their social media activity may be seen by unintended recipients and the work/private life boundaries become blurred. According to law firm Speechly Bircham, statistics indicate that 25% of workers aged 18-29 spend 3+ hours a week on social networking websites during working hours.

This article addresses the threats that employers face regarding the misuse of confidential information and intellectual property by employees’ use of web based communications, the challenges that forensic investigators face when investigating wrongdoing and how employers can mitigate risk in their organisations.

Whilst reduced staff productivity is a risk that employers face when allowing access to web based applications, far riskier is the ability to easily leak or steal confidential information using these tools. The primary function of applications such as Webmail, Facebook, Linkedin and Twitter is to share information in real time and while this provides many companies with new communication and networking opportunities, these same environments are being used for wrongdoing. It is no surprise that evidence will naturally be found wherever people communicate and given this, wrongdoers such as employees looking to set up in competition or a disgruntled sales rep seeking to trade away their current employer’s secrets are increasingly using these modern methods of communication to hide their actions.

Until recently, the internet history on a user’s hard drive provided a plethora of juicy information easy for forensic experts to extract. Early days of Facebook chat, for example, could provide log in profile ID’s, message content, time values from Facebook servers and ‘to’ and ‘from’ user names. Popular webmail applications would indicate whether an email had been read, provide sender and, potentially multiple, receiver email addresses, subject lines, message content, attachments and time stamps. However, due to advances in technology, such as cloud based applications and hardware formatting, this information has become harder to obtain as less data is landing on the physical hard drives making the search for this critical information more challenging.

Organisations which find themselves needing to investigate misconduct face many challenges when analysing web based evidence and it is important for firms to understand what can be expected from a computer forensic investigation.

For the most reliable investigation any forensic investigator will advise that they need to analyse digital evidence as close to the original source/environment as possible and this is no different when dealing with web based data. The web host servers where the data was created and resides will be where we ‘should’ start the process; however, obtaining that data quickly is often not a realistic option. Given the urgency at which evidence often needs to be isolated and contained, there is little time to obtain the necessary court orders which organisations like Hotmail, Yahoo or Facebook require before they will consider providing any information. This is not to mention the jurisdictional, logistical and data protection headaches one may encounter when actually trying to collect the data from these organisations.

From a computer forensic perspective those who allow access to social media sites should firstly consider the devices they provide their staff – the suspect’s laptop, PC, mobile device or tablet where information may reside in the internet cache, on the hard drives or memory of the device. Forensic software can search hard drives, live RAM, or files for internet related evidence and in many IP theft cases they provide a useful place for an investigator to search. It is also possible to search other historical systems such as back-up tapes, servers etc for evidence relating to the matter. It is rare that information which appears to be deleted cannot be retrieved by an expert in the field. Social networking communications, messenger chat histories and popular webmail applications can leave behind evidence of an individual’s contact base, location, activities, future plans and communications.

Robert Thomas, partner at Speechly Bircham explains, ‘In an example of suspected theft of confidential information or intellectual property by a former employee who is now employed by a competitor, this evidence alone could be enough to require the suspect and potentially the new employer to give undertakings to cease the ongoing use of the information, to return it to the data controller and to disclose to the data controller how and to what extent it may have been used. Should this fail, the employer could apply to the court for an order allowing it to carry out a wider search on the employees personal laptop, PC, mobile device, pda or tablet or even to search the employees home. The Employer could also seek an injunction to prevent the employee and/or new employer from using the information or the employee working for the competitor. Serious non compliance on the part of the employee and/or the new employer would be treated as contempt of court and in extreme cases could result in imprisonment ’

Despite the diversity of information sources, it is still perfectly possible for forensics experts to capture data used across social media and multiple hardware platforms. The key is to ensure that organisations maintain an accurate map of all devices used by staff and communicate a clear policy on how these devices can be used in the workplace – particularly for accessing and using social media sites. Thomas says, ‘Prevention is obviously better than cure and having a robust and thorough policy dictating the use of web-based applications sets both the right expectations and outlines implications of wrongdoing right from the outset. The key is to then keep policies up-to-date and enforce them consistently.’

Further to this, organisations can put in place restrictive covenants or non-solicit agreements which prevent departing employees from working for competitors or approaching the company’s clients. These should be adapted to reflect changes in company technology, equipment and evolutions in the outside digital world such as web-based mail and social media sites. Often, when dealing with IP-theft cases, the question arises as to the ownership of contacts such as those amassed on professional networking sites such as LinkedIn. Andrew Howard, Solicitor of Speechly Bircham says, ‘In order to support the argument that a company owns the contacts that an employee has made using systems such as LinkedIn, the employer might attempt to prove that it invested its own time and money to build and produce this list and that they were collated by the employee on behalf of the organisation, during the course of his employment.’

In addition to any organisation-led policies or agreements regarding the use of devices and applications and/or confidentiality agreements pertaining to client data and trade secrets, those guilty of removing client contacts or sensitive business information from the organisation could be in breach of wider data protection laws or the legal protection of trade secrets.
Ultimately, the onus is on the employer to make employees aware of their responsibilities when using company property. Those that communicate and coordinate their personal activity using company devices run the risk of leaving behind evidence of their actions. Finding existing or deleted data from web based sources is an increasingly complex process, but the experts who are dedicated to keeping up with the latest technologies will always ensure that there is nowhere to hide.
Graham Jackson is a Business Development Consultant at Kroll Ontrack

The Author

Graham Jackson, Business Development Consultant at Kroll Ontrack