The Newberry Group Blog

Archived Categories

Sort By: Title   |   Blog Date
Monday, June 27, 2016

Reverse IP Theft - Know What's Coming In To Your Organization. Part 4 in a 6 Part Blog Series

As you have been reading my blog series about theft of IP when an employee departs, I have mentioned that reports have said that about 50% of all departing employees take intellectual property with them to their new employer.  After all, chances are great that they got their new job because of the work that they did at their previous employer. 

We have been talking a lot about that departed employee and how to detect if and what data they may have taken.  But now let’s turn things around. Your company is the one that has hired an employee that stole Intellectual Property (IP) and they bring it inside your company.  How do you know they brought stolen IP in?  Do you have some type of legal exposure?  When they end up leaving your company, will they also steal IP from you?  The list of concerns with employees bringing stolen IP inside can go on and on.

Reverse Intellectual Property Theft is when a new hire brings stolen IP into your company.   Chances are that in your hiring process, asking questions about stolen IP is not something that people think to ask about.  Most companies that I have worked with rarely do much to discourage or stop IP from coming in until it is too late and they get caught.  One simple measure to help discourage new employees bringing in stolen IP is to incorporate some documentation regarding no disclosure or use of Confidential Information of Others. The intent of this language is to make sure that the new employee is aware they are not to bring into your organization IP from another company.  It should also address that they not use in the performance of their responsibilities at the Company any confidential or proprietary information, materials, trade secrets, intellectual property, or documents of a former employer or other third party that are not generally available to the public, unless the employee or the company has obtained written authorization from the former employer or third party for their possession and use In addition, you might consider making random checks of new hires machines to make sure that other companies IP has not been brought in and outlining consequences if they do bring it in. 

While this won’t stop you from getting sued if data makes its way onto your network, it should make an employee think twice before doing it.

Internal Employee Case Study Continued:

Now, let’s get back to our case studies. We are going to go back to the case study of that internal employee that left and went to work for the competition.  As you may remember we were able to prove multiple things up to this point.  The departed employee:

  • Used a sync function on some of the last days of employment.
  • The sync function appeared to sync IP to one or two USB devices.
  • Multiple USB devices (over 20) were used on the computer, and some were only used during his final days of employment.
  • We put in a request through the lawyers to get our hands on the 20+ USB devices, but only 4 arrived.
  • One of the USB devices that arrived was never used at his old work.
  • We asked for and received access to his home computer.
  • We identified that most of the USB devices had been used on both his home and old work computer.
  • The home computer showed us that the two USB devices that we were looking for where both used on the home computer after his last day of employment.
  • Data from his former company had been opened on his home computer after he started his new job.

It was at this point that the judge gave us access to his new work computer.  As I mentioned in the previous post, we performed the “New Hire Program” package on his new work computer.  This type of analysis is virtually the same as we perform when an employee departs but there is a key difference. We are now looking for data artifacts that show that data is moving onto, and not off of, the device that we are investigating.  We also continue to look for USB devices; we are still searching for IP.  However this time we are trying to match things up between the old employer’s computer, his home computer and his new employer’s computer. 

To correctly match everything up, we created a timeline for the three machines.  It is important to note that to do this correctly, you need to make sure that you take into account the time zone of the computer you are analyzing, as some data movement is not far apart.

When we started to look at his new work computer, we quickly identified that the key USB device had been used on the new work computer.  Knowing the date and the time that the key USB device was plugged in, we started searching the work computer for data that was created after that date.  Looking for files created within an hour of the time the device was plugged in; we found copies of files that appeared to be the stolen IP had been copied down to his new work computer.  While this was a nice nail in the coffin, we finish our investigation process and what we found shocked even the new company.

In-between his start date at the new company and the date we received his new work computer, he had already changed the IP taken from our client, his former employer, and updated it with his new employers company information and logos. For example: he took his former employers’ divisions business plan and executed a “find and replace” of the old company name to the new company name.  He opened presentations and changed all the footers and logos to the new company.  It was determined that he had repurposed roughly 100 of the 2000 files that he had taken by just removing the old companies name and logo.

We reported our finding to our client’s legal team and they reported what we had found to the new company. In turn the new company immediately fired the employee.  You might think the story ends there, but it does not.  We continued our investigation, as we needed to be able to confirm that the repurposed IP had not made its way to the corporate network or to anyone else inside this company. 

Unfortunately, we were able to confirm that data that he had brought with him had already been copied up to the corporate servers and more importantly we found that the data had been emailed out to the team he worked with, his boss and to his peers.   It was beginning to look like this data was spreading within the new company.

All of this information was provided to the court.  The judge in the case ruled that we needed to go into the new company and search their network shares, the computers of his boss, and all his peers to track down and delete all the IP that was stolen.  Due to the volume and the extent of what was found, this deletion of IP took much longer than expected as we found that the people he had sent the data to had forward the data to others in addition to saving it to their network shares.  Over time, the trail just kept growing and we kept on following it and deleting the data wherever it was found.

As the search for stolen IP continues, we start the analysis on his boss’s computer and boy, were we surprised at what we found. An examination of the boss’s computer found that he had stolen IP from our client years prior to him starting at the company.  We began to wonder if there was an insider that was sending the boss this information.  Through deeper analysis of this newly found “old” IP, and from conversations with our client, we discovered that the boss had been an employee of our client.  When he left, he also stole IP, brought it into and disseminated throughout the new company.  Once this information was given to the new company, he too was fired.

The Final Word of the Court:

Let’s jump forward in time.  This case was not just about making sure that the data was removed from the new company servers and laptops and those two employees getting fired.  Our client wanted the other company to reimburse them for all that they had spent on legal fees and all third party fees, including for the forensic work that had been done over the entire time period of this case.  They were also asking for damages in addition to expenses.  After a long trial, the judge ruled in favor of our client and awarded them over $14 million in damages and fees.  As you can imagine, our client was very happy with the outcome.

The company that hired these two employees on the other hand was not happy at all.  At no time did anyone in the organization think that hiring one individual would cost them over $14 million.  So to answer one of my original questions, yes, you do have legal exposure if you hire someone that brings in stolen IP to your company.

Both companies involved in this matter have now taken additional steps during the hiring process to let all new hires know that bringing in outside data from previous employers is not allowed and it is cause for immediate termination.  They have instituted simple forensic checks that give visibility to newly used USB devices and data that gets copied off of them. This data is randomly checked to make sure it is not from any of their previous employers.  Utilizing the New Hire Program is how they are hoping to never have to experience a situation like this again.

While you might think that awards like the court handed down are rare, they are not.  In most cases that I have been a part of, if we prove that data was stolen, it is very common for legal fees and other third party expenses to be awarded back to the company that had their data stolen.  We all know that legal fees are going up and cases like the ones I am presenting here are no longer considered anomalies.  As I mentioned, employees will continue to take IP out of and bring it into organizations.  And, with the increased legal action that is occurring as a result of the ease of identifying those malicious actions through expert forensic analysis, organizations are paying closer attention to the data flowing in and out of employees hands.

The moral of this cautionary tale: Take precautions and make sure stolen IP isn’t being brought into your company.  

Coming up – I will finish the story of the second case study. Stay tuned!

For more information on these services as well as other Forensic-related services we offer, please visit our website or email us at

Posted by: Jeremy Wunsch
 | permalink

Leave a comment
*First Name  *Last Name 
*Email Address
*Type the code below into the textbox.