Copy that: What to do when employees sneak out with your IP

Copy that: What to do when employees sneak out with your IP

As technology continues to evolve and new methods to store or transmit electronic data come into fashion, how do you protect your intellectual property when an employee leaves to join a competitor or launch a new business?

This scenario is a common problem. Unfortunately by the time you realise that Newco Pty Ltd is using your customer list and intellectual property, your data has already left the building.

Too many times I have seen suspicious copying of commercially sensitive material in the days or weeks leading up to the employee’s final day. There have even been cases where the employee had been harvesting precedents, templates and client data nearly a year prior to their resignation.

Prevention vs detection

Locking down a business environment so severely that it prevents IP theft can effectively cripple many of the business’s processes. Modern organisations rely upon flexibility and the quick movement of electronic data to operate effectively. Company directors and business owners may struggle to achieve the right balance between data freedom and data security so that employees have sufficiently flexible access to commercially sensitive material whilst maintaining organisational control over that data.

Prevention largely comes down to the formulation, implementation and communication of appropriate policies, which must be regularly updated for technological evolution. For example, organisations need a clearly communicated policy regarding the use of cloud storage services.

Detection, on the other hand, often requires the creation and preservation of a sufficient electronic evidence trail. Increasingly, organisations have policies for carrying out forensic preservation of computer systems, mobile phones and network storage of critical employees in their exit process. Preserving and retaining these forensic copies is not expensive, and acts as an insurance policy in the event of future problems. Once a forensic copy is taken, computers and phones can be decommissioned or repurposed without destroying potential electronic evidence.

“It looks like they’ve got all of my templates – and my client list!”

While consideration should be given to what copies an ex-employee may legitimately take, for example personal files and public information, it is obvious a copy of “client list.xls” with the folder “Precedents & Templates” is a serious concern. Identifying proof of the theft, including when and how, generally requires an expert forensic examination. Evidence must be thorough and clear to support any applications for injunctive or other forms of legal relief. In many previous cases, the quality of the evidence uncovered has warranted the need to seek procedures such as a court order that provides the right to search premises and seize evidence without prior warning.

Finding relevant evidence is fast and inexpensive when you know where to look.

 Common strategies used by soon to be ex-staff

Are employees sending information to web-based email addresses or taking copies on USB devices or CD/DVD? More sophisticated methods are now emerging with employees utilising a myriad of cloud-based storage services including Dropbox, Google Drive and Share File.

In a recent engagement, a user activity timeline was established that linked:

  • The user of interest accessing various client and marketing lists within a short period of time
  • The insertion of a USB device
  • Folders being created or accessed on that USB device.
  • One of the key client list documents being later accessed from the USB device, proving that it had actually been moved onto the device.

The serial number of the USB device in question was able to be identified so that demand for access to that specific storage device could be made.

Other things to investigate are correlating access to key documents and network locations with access to cloud storage services such as Dropbox, and also the generation of a disproportionate number of hardcopy print jobs run by an outgoing user during their final days of employment.

“They’ve got my IP – how do I get it back?”

“Regaining control” of electronic data has been debated extensively in the media. When looking at the latest celebrity photo leak or hack it is clear that once the electronic cat is out of the bag, it is very difficult to get the original cat – plus any copies of that cat – back in the bag.

One remedy is to forensically examine the ex- employee’s computers, USB devices and other media, and then securely delete files which impinge on a company’s IP in a manner preventing them from being recovered. This action is usually arranged by court order or agreement and, while it is not a complete guarantee that other copies do not exist, when combined with a written undertaking from the infringing party that no further copies, backups or works based on those documents exist it does provide some level of relief to the aggrieved party.

Intellectual property is becoming increasingly more difficult to regulate as new methods to store and transmit electronic data become available. While we have little influence over the digital transition itself that can result in theft, ensuring the appropriate policies are in place and communicated effectively will assist any forensic analysis if you suspect a loss of intellectual property from a staff departure.

Michael Khoury is a partner in forensic IT services at corporate advisory firm Ferrier Hodgson


Notify of
Inline Feedbacks
View all comments
SmartCompany Plus

Sign in

To connect a sign in method the email must match the one on your SmartCompany Plus account.
Or use your email
Forgot your password?

Want some assistance?

Contact us on: or call the hotline: +61 (03) 8623 9900.