How To Protect Your Intellectual Property


By Kim Khor.

Corporate information systems are usually thought of as housing data such as documents, messages and databases. They should also be taken to include all digital devices, such as mobile phones, cameras and GPS (global positioning system) navigators. When people use any of these systems, their actions are also converted into data. Each action is recorded in some way, and these records of actions are often retrievable and reviewable.

The collection and review of this information can be performed for employee monitoring. This information can be used for investigations, risk management, statistical analysis or produced as evidence to a formal proceeding. Beyond matters of compliance, OH&S (occupational health and safety), managing culture, protecting revenue and managing fraud risk, it is critical to protecting intellectual property.

From a computer forensics perspective, this is a most significant issue, as it provides substantial advantage when investigating or defending against a claim and is the most common impediment when it is lacking.

A majority of commercial organisations monitor the use of information systems by employees to service a number of obligations other than protecting intellectual property. Under the Sex Discrimination Act 1984 (Cth), an employer must take all reasonable steps to prevent sexual harassment. In Victoria, monitoring also helps organisations avoid breaching document retention requirements such as those under the Crimes (Document Destruction) Act 2006 (Vic). Ultimately, an organisation must have the ability to monitor employees’ use of information systems in order to enforce policy and provide a safe workplace.

Creating, enforcing and educating staff about an appropriate set of policies and guidelines opens up a great many intelligence opportunities on information systems. Policy defines what an organisation can and cannot do, regardless of its technical capabilities. There is no single source of regulation, however, so it is necessary to identify which laws and regulations apply to the organisation; these vary among the states.

The AIRC (Australian Industrial Relations Commission) has maintained that if an employer has an appropriate policy library that is actively notified and enforced, it may review and produce personal materials stored on company systems as evidence. This is consistent with other regulators, with the exception of some procedural aspects of the Workplace Surveillance Act 2005 (NSW), such as requiring a magistrate’s authority to perform covert computer surveillance, whereas in Victoria it is only necessary to advise via policy or gain consent via employee agreement. The NSW Act is the only legislation among the Australian states that directly regulates computer surveillance. While there is a Surveillance Devices (Workplace Privacy) Act 2006 (Vic), it deals specifically with audio and video surveillance and does not address computer surveillance directly. Note that this legislation requires consent to be obtained, which is typically achieved via policy.

Typical sources of information to monitor include archived email and SMS (short message service) text messages, activity logs from internet activity and remote access, and phone call logs from the office phone system. More obscure examples include logs from a manufacturing machine or GPS navigator logs (work activity only, not private use).

Essentially, if an organisation owns the system, device or path of communication, and has educated its employees about the appropriate policy in place, it can monitor most aspects of technology use. Interestingly, it can also monitor significant information in the public domain, such as with social networking website pages (such as Facebook).

To monitor PC usage, an organisation can run ‘keyloggers’ – hardware or software that records everything the user types. The software variety can also record screenshots and other information, and store it in a central repository. A copy (or ‘image’) of the hard drive in the PC will reveal much information (usually the primary source of evidence), even if deleted. It is a good idea to take such a copy before hardware is re-assigned to another user (as well as clean the original one so the new user cannot recover confidential deleted information). In larger or more sophisticated organisations, the network itself is monitored like a phone tap, but on every conversation. However, this is not legal on public or shared networks.

If an organisation assigns a company mobile phone to an employee, it can inspect and archive messages, call logs, appointments, images and videos, possibly including deleted information. However, it cannot monitor the audio of the phone calls themselves without announcing the fact on each call. If an organisation has a server that manages the mobile phones (such as a BlackBerry server), it is easy to establish archiving and a review capability. This potentially vast source of evidence can prove a significant advantage of providing mobile phones to staff rather than simply reimbursing costs.

Another simple source of information is the ‘gateway’ to the internet connection. Here, an organisation can record each action users perform on the internet. This is constrained a little by security considerations; for example, it is not possible to see the contents of something like internet banking screens, but how long they used it for can be seen.
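The gateway review described above, as an added example that is not from the article or any particular gateway product: the log format, the sample lines, the user names and the five-minute idle gap are all constructed assumptions. It shows what a gateway log does give an organisation for an encrypted site such as internet banking: the host, when it was used and for how long, but never the page contents.

```python
"""Added example: summarise per-user time spent on each site from gateway
(proxy) logs. The log format and the sample lines are constructed for this
example and do not come from the article or any real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <user> <destination host> <bytes>".
# For a TLS session (e.g. internet banking) the gateway sees the host and the
# timing and size of requests, not the screens, and that is all this relies on.
SAMPLE_LOG = """\
2024-03-04T09:00:05 jsmith www.example-bank.com.au 2140
2024-03-04T09:00:40 jsmith www.example-bank.com.au 880
2024-03-04T09:03:10 jsmith www.example-bank.com.au 1200
2024-03-04T09:20:00 jsmith www.example-bank.com.au 950
2024-03-04T09:01:00 amartin files.example.net 10240
2024-03-04T09:02:30 amartin files.example.net 51200
2024-03-04T09:02:45 amartin www.example-news.org 300
"""

IDLE_GAP = timedelta(minutes=5)  # assumption: a longer gap starts a new session


def parse_log(text):
    """Parse lines into (timestamp, user, host, bytes); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skipped rather than guessed at
        ts, user, host, nbytes = parts
        try:
            records.append((datetime.fromisoformat(ts), user, host, int(nbytes)))
        except ValueError:
            continue
    return records


def sessions_by_user(records, idle_gap=IDLE_GAP):
    """Group requests into sessions per (user, host).

    Returns {(user, host): [(start, end, bytes)]}. A session ends when the next
    request to the same host arrives more than idle_gap after the previous one.
    """
    per_key = defaultdict(list)
    for ts, user, host, nbytes in sorted(records):
        per_key[(user, host)].append((ts, nbytes))
    sessions = defaultdict(list)
    for key, hits in per_key.items():
        start = prev = hits[0][0]
        total = 0
        for ts, nbytes in hits:
            if ts - prev > idle_gap:
                sessions[key].append((start, prev, total))
                start, total = ts, 0
            total += nbytes
            prev = ts
        sessions[key].append((start, prev, total))
    return dict(sessions)


def usage_summary(text, idle_gap=IDLE_GAP):
    """Return {user: {host: (seconds, session_count, bytes)}} for review."""
    summary = defaultdict(dict)
    for (user, host), sess in sessions_by_user(parse_log(text), idle_gap).items():
        seconds = sum((end - start).total_seconds() for start, end, _ in sess)
        total_bytes = sum(b for _, _, b in sess)
        summary[user][host] = (int(seconds), len(sess), total_bytes)
    return dict(summary)


if __name__ == "__main__":
    for user, hosts in usage_summary(SAMPLE_LOG).items():
        for host, (secs, n, b) in hosts.items():
            print(f"{user:10} {host:28} {secs:5d}s over {n} session(s), {b} bytes")
```

The session grouping is the part worth getting right: a single long gap (jsmith's 09:20 request) is reported as a second, zero-length session rather than being folded into the morning's banking time, so the durations in the report stay defensible if they are later produced as evidence.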

Many sound technical processes to enable good collection, archiving and review of this kind of useful information are often quite inexpensive, as the information is already there. It may just need a system configuration change.

There is great overlap between monitoring information systems usage and the ‘data protection’ program that includes backing up and document management systems – where much of the information to be reviewed will come from. As eDiscovery becomes more tightly regulated, initially for larger organisations, these capabilities will come to be expected by regulators and the courts. Most higher courts have already stated that ignorance will not be accepted as an excuse for organisations not being able to produce electronic evidence.

It is also quite important to run a tight asset register to keep track of who is assigned which devices. This is often important when an employee is leaving the organisation. Create and enforce a policy that prohibits users from using any other user’s account and requires that they ‘lock’ their computer when away from it. This will strengthen an organisation’s stance against counter-arguments when using evidence gained from the monitoring activity, as well as allow for a competent, rapid response to a potential incident or cause for investigation.

Although an organisation can, with proper policy treatment, review any information contained in company systems, any private information gathered in monitoring must be treated according to the National Privacy Principles under the Privacy Act 1988 (Cth) or the Information Privacy Act 2000 (Vic) for Victorian public sector agencies.

IT administrators occupy a position of trust and often have access to all of an organisation’s information due to the ‘super-user’ access they need to perform engineering tasks. Policy should include a stipulation that IT staff use these administrator accounts only for engineering work and that they use a normal user account to go about other activity. Common issues with IT staff include monitoring email for personal reasons, stealing the easily accessible intellectual property and providing assistance to other staff in breaching information security.

It is good practice to get consent for monitoring by referring to an appropriate policy in employment agreements. A common technique is to display a notice that users must acknowledge when they log on to the system. The Federal Privacy Commissioner’s guidelines on workplace emails and privacy recommend policy documents specify what acceptable use is and what is prohibited, what information is collected about employees’ activity on the system and who has the ability to review archived information.

To develop a solid monitoring program, follow these steps:

  1. Determine which laws apply and where
  2. Create simple and usable IT policy
  3. Identify information repositories, nodes of activity and paths of communication
  4. Identify usable and efficient sources of evidence
  5. Create standard procedures for capture, preservation and review
  6. Create escalation procedures (incident response, investigation, reporting and eDiscovery)
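A minimal capture-and-preservation procedure (step 5 above, applied to the hard drive ‘image’ discussed earlier), as an added example that is not from the article or any forensic product: the device contents, asset tag, operator name and file paths are constructed, and on a real case the source would be a write-blocked device rather than a file. It copies the source bit for bit, hashes what it read and what it wrote, refuses the acquisition if they differ, records the result, and lets the image be re-verified before any later review or production.

```python
"""Added example: acquire an image of a device or file, hash source and image,
write a custody record, and re-verify the image later. Paths, asset tag and
operator are constructed for the example."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size


def hash_file(path, algorithm="sha256"):
    """Stream a file through the chosen hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image_path, asset_tag, operator):
    """Copy `source` to `image_path`, hashing as it is read, then re-hash the
    written image. A mismatch (bad write, or a source that changed underneath
    us) raises, so the problem is caught at acquisition time, not in court."""
    source_hash = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is hashed
    image_hash = hash_file(image_path)
    if image_hash != source_hash.hexdigest():
        raise RuntimeError("image hash does not match source; acquisition failed")
    record = {
        "asset_tag": asset_tag,
        "operator": operator,
        "source": os.fspath(source),
        "image": os.fspath(image_path),
        "bytes": size,
        "sha256": image_hash,
        "acquired_utc": started.isoformat(timespec="seconds"),
    }
    with open(image_path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)  # the record travels with the image
    return record


def verify(image_path, record):
    """Re-hash an image against its custody record; False means it can no
    longer be relied on as a faithful copy."""
    return (os.path.getsize(image_path) == record["bytes"]
            and hash_file(image_path) == record["sha256"])


def self_check():
    """Run the procedure on a constructed device file in a temporary directory.

    Returns (record, verified_before_tamper, verified_after_tamper)."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "constructed-device.bin")  # stands in for a disk
    with open(device, "wb") as f:
        f.write(b"CONFIDENTIAL design notes\n" * 4096)
    rec = acquire(device, os.path.join(work, "LAPTOP-0042.raw"),
                  "LAPTOP-0042", "K. Example")
    before = verify(rec["image"], rec)
    with open(rec["image"], "r+b") as f:  # simulate one altered byte in the image
        f.seek(100)
        f.write(b"Z")
    after = verify(rec["image"], rec)
    return rec, before, after


if __name__ == "__main__":
    rec, before, after = self_check()
    print(json.dumps(rec, indent=2))
    print("verified before tamper:", before, "after tamper:", after)
```

Two design points carry the evidential weight: the source is hashed from the same bytes that are written (not re-read afterwards, which could hide a drive that changes between reads), and the custody record is stored beside the image so that whoever reviews it months later can run `verify` first and know whether the copy is still the one that was taken.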


Disclaimer

This article is intended to suggest concepts and issues to be considered by an employer organisation. It is not advice, and should not be taken as such. The reader must seek formal legal advice from proper sources and not rely on this article for any specific information.


Kim Khor is a computer forensics expert. He consults on network security, incident response, risk and compliance, investigations, and electronic evidence management in the Asia Pacific region. He can be contacted at kimkhor@gmail.com

A full list of references is available upon request to admin@interactivemediasolutions.com.au
