
Prevention of information leaks

Status
Not open for further replies.

Stevehewitt

IS-IT--Management
Jun 7, 2001
2,075
GB
Hey people,

Just after some advice really as this has completely messed things up!

The sales manager left the company yesterday and is planning to go solo and is actually going to be a competitor of ours.

Well the problem is that he has created an AOL email account and has sent off some of the most confidential information we have such as customer lists, contracts and even our current stock and cost price.
I obviously cannot get this information back as it has passed through my network, but I was wondering if anyone knows of how to prevent this thing from happening again - or how the law lays it out!?

Thanks,

Steve.
 
Did this person sign a confidentiality agreement? I would look into how to forensically preserve any evidence that this person sent the mail from your location. Once that evidence has been preserved I would look into filing charges against the person. There are a lot of ways a person could take this information if they really wanted to. But I would definitely try to make an example out of this person. Let all the employees know that your company is vigilant about this and that it won't hesitate to prosecute.
 
Technically, I doubt there's any way to stop it from happening in future. If he hadn't emailed it to himself, then he could have copied it all to some portable storage device.

I think that wbg34 is on the right tack. Confidentiality agreements are a good start.

But I think the law is on your side. Even without non-compete contracts (which unless carefully drafted by a lawyer are often unenforceable), the law may specify a period during which he cannot contact any of your current clients. Also, the law will almost certainly state that he has stolen information that belonged to your company.

Sounds to me like it's lawyer time.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Hey thanks,

Some sound advice. I've been looking into the mail logs a bit more and found out that there are a total of 10 mails sent to this guy's email address - 2 of which are from a current employee sending more information out.

Wow - lawyer time?! Well, that's one for the management to decide; but I'll certainly put it to them.

The only way to get information out of the network (or onto) is through the email system to smartcard (One workstation for the digital camera). CD and Floppy drives are all locked down.

Cheers,

Steve.
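
The kind of mail-log review described in the post above, as an added example that is not part of the original thread: it totals outbound mail per internal sender to a watched address or a webmail domain. The log layout, domains, addresses and the `flag_outbound` name are constructed assumptions; adapt the field parsing to what your mail server actually logs.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (assumed layout, not from the thread):
# timestamp, sender, recipient, size in bytes, attachment count
SAMPLE_LOG = """\
2024-01-15T09:14:02,sales.mgr@corp.example,former.manager@mail.example,48211,1
2024-01-15T09:20:11,clerk@corp.example,buyer@customer.example,1200,0
2024-01-16T17:45:30,clerk@corp.example,former.manager@mail.example,310552,2
2024-01-17T08:02:19,clerk@corp.example,Former.Manager@MAIL.example,9000,1
2024-01-17T08:05:00,clerk@corp.example,colleague@corp.example,500,0
2024-01-17T10:30:44,ops@corp.example,someone@webmail.example,700,0
garbage line
2024-01-17T11:00:00,newsletter@vendor.example,clerk@corp.example,100,0
"""

INTERNAL_DOMAIN = "corp.example"                    # assumption
WATCHED_ADDRESSES = {"former.manager@mail.example"}  # assumption
WEBMAIL_DOMAINS = {"mail.example", "webmail.example"}  # assumption

def flag_outbound(log_text, internal=INTERNAL_DOMAIN,
                  watched=WATCHED_ADDRESSES, webmail=WEBMAIL_DOMAINS):
    """Summarise, per internal sender, mail sent to watched or webmail recipients."""
    report = defaultdict(lambda: {"count": 0, "bytes": 0,
                                  "attachments": 0, "reasons": set()})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not (row[3].strip().isdigit() and row[4].strip().isdigit()):
            continue  # skip blank or malformed lines rather than abort the review
        _ts, sender, rcpt, size, attachments = (f.strip().lower() for f in row)
        rcpt_domain = rcpt.rpartition("@")[2]
        # Only mail leaving the organisation from an internal account is of interest.
        if not sender.endswith("@" + internal) or rcpt_domain == internal:
            continue
        reasons = set()
        if rcpt in watched:
            reasons.add("watched-address")
        if rcpt_domain in webmail:
            reasons.add("webmail-domain")
        if not reasons:
            continue
        entry = report[sender]
        entry["count"] += 1
        entry["bytes"] += int(size)
        entry["attachments"] += int(attachments)
        entry["reasons"] |= reasons
    return dict(report)

if __name__ == "__main__":
    for sender, stats in sorted(flag_outbound(SAMPLE_LOG).items()):
        print(sender, stats["count"], stats["bytes"], sorted(stats["reasons"]))
```

Keep the original log files untouched and run a review like this against copies, so the evidence stays intact if management later decides to involve lawyers.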
 
Actually, commando-tactics lawyer time. This guy has to be hit hard and hit fast.

Also, if this guy has cohorts still in the company, it might be prudent to lock everything down until management can make some sense of it all.

At the very least, I would suspend the one known mole's access to everything until you can get a better picture of what is happening.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
I agree with sleipner214. We had the exact same thing happen here at our company about 2 years ago. A guy that was our sales dept manager bailed and went to work for a competitor. He pulled a lot of files, price and customer lists and took them with him. We contacted the lawyers, and now that the FBI is finished with them they are paying a 6 figure settlement (not counting after the decimal) to us. Of course, the lawyers are getting a good chunk of it...

Go after him, as soon as possible, document everything, and good luck!

Robert
 
I agree with everyone here. Technically you can do nothing. The guy had access, and abused your confidence before jumping ship.
That is theft, no more, no less, and the existence or not of a confidentiality agreement is just icing on the cake as far as I am concerned. You work for a company, you don't give away its secrets - that is called loyalty. While you cannot prevent such things from happening, you can sure as hell get the authorities to deliver a restraining order or even an arrest warrant.
The thing is to gather every pertinent fact ASAP and present your case to a judge NOW.
Also, with or without the backup of a judge, I would publicise the name of the person as much as possible, with a clear summary of what he did. Not in writing, of course, lest I be subject to a libel case (no honor in a thief), but I would get the word around as far as I could. There are employers who would think twice before hiring a person with a documented history of jumping ship with the customer list.
Of course, a court file does a lot better on that count, but I think the reputation suffers more from word-of-mouth in the long run.

Pascal.
 
I would take pmonett's advice about publishing the name and offense of the person publicly.

I agree that if you don't do it in writing it's not libel. But there is that whole "slander" thing to worry about. Even if you have the decision of a court of law to back up your assertions, in some jurisdictions you can be telling the truth and still slander someone.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
CORRECTION.

In my last post, the sentence:

I would take pmonett's advice about publishing the name and offense of the person publicly.

Should have read:

I would take pmonett's advice about publishing the name and offense of the person publicly with a grain of salt.


Want the best answers? Ask the best questions: TANSTAAFL!!
 
Your customer lists are your property. He can no more walk out with a customer list than he could walk out with your tangible property such as inventory, company car, etc.

Going after him on non-compete (assuming it exists) is a waste of time. He took company property. Get a good lawyer, and make him pay.

Software Sales, Training, Implementation and Support for Exact Macola, eSynergy, and Crystal Reports
 
Steve; I can't remember if you're in the UK...

Non-competition contracts mean squat here (thanks to the Human Rights Act - Freedom to work, etc...) but taking your company data will be seen in UK law as theft, plus a contravention of the Data Protection Act to boot.

I take it your mail logs record the email's content?
The mole should be suspended immediately - even if you lock down the network, he may phone information through.

As for internet and email access, it may be worthwhile shutting off ALL internet access (to block hotmail / yahoo email / etc). Can your email server be configured to only send emails once they've been approved? You could then check each email before deciding if it should be sent or not.

You should inform the police; as taking the customer data can easily be interpreted as theft they'll hit him with criminal charges whilst you can pursue a civil suit.

<marc> i wonder what will happen if i press this...
  • please give feedback on what works / what doesn't
  • need some help? how to get a better answer: faq581-3339
 
Hey thanks people.

Yeah, I'm in the UK. So it is technically illegal? I wasn't sure..!

I'll lockdown the Internet access, and the guy's private email address has already been blacklisted.
Don't think we'll take the legal route though, but it's nice to know what the rest of the IT community think.

Cheers,

Steve.
 
Steve -
Even though you've locked down people's floppy drives, etc., don't forget the USB port -- I have a USB keychain drive that will hold 256 MB.

Chip H.


If you want to get the best response to a question, please check out FAQ222-2244 first
 
Hmm,

Good point. I know that users cannot install drivers etc. but some of the newer USB stuff doesn't require it so...!

Looks like a trek through Group Policies! :)

Cheers,


Steve.
 
SteveHewitt,

course it's illegal!

You aren't allowed to keep my address and details on your computer without first getting permission to do so from the data registrar. You certainly aren't allowed to give it to anyone else without my permission. And that is just what this wretched person has done. You could get him in terrible trouble with the data protection registrar people....

But I'm not a lawyer (though I am UK) so I might be writing utter rubbish.

Good luck!
 
Spot on. Good point. Unfortunately this said person is my neighbour, friend and ex-employer!!! The company has decided not to do anything about it but does anyone know of any software or techniques that could prevent this sort of thing in the future?

Thanks,

Steve.
 
There is no technological gizmo to keep a car driver from driving in the wrong direction, is there?
Access to sensitive information is the same thing. If you already have the access, you can do as you please with it.
Email? You can eventually block all outgoing email until a third party has approved it. Setting aside privacy concerns (who controls the top manager's email?), it will not prevent a user having access to data from printing it, or photocopying it.
Are you going to prevent printing? I'd like to see you succeed in doing that. Take all the printers away and see how long it takes for a manager to roll into your office spitting desk shavings at you.
What about fax machines? You can put them all in one room and have a certified, trusted person to check all outgoing faxes. Can you do that?
You'll have to check all outgoing normal mail also - BEFORE the envelope is sealed. In truth, that shouldn't be a major issue anyway.
Control photocopying? What's the use of that (security-wise) if one can print? Zilch.
You can disable floppy units, users are rarely supposed to use those in a networked environment anyway. That will probably not ruffle many feathers. You must also control any CD burners that might be lying around (no reason for one of those in a normal office).
Oh, and let's not forget the lowly phone. Conversations will have to be recorded (and listened to!).
So, if you have secured e-mail and fax machines, phones and paper copies, there is only one measure left: make a security guard check each and every person every time they leave the building.
Why? Well, what is the use of limiting faxes and controlling email if one can print a sheaf of documents and take them out of the premises without worrying?
So, you lock down the mail (each and every one, regardless of sender), you record phone calls, you control outgoing faxes, you monitor copying machines and forbid printing and, finally, you have every outgoing person (worker, client, the cleaning guy) frisked and every container (including handbags) opened, systematically (no exceptions, no excuses).
There, you have a secure environment - until somebody finds a loophole you forgot.
Plus, you have a lot of stressed, unhappy workers who feel that they are considered as thieves.
Even banks do not have security guards at the personnel exit. It is called trust, and it is a basic building block of any relationship. In the workplace environment, it is thankfully considered a crime to abuse that trust, and I have yet to know of any judgement that was lenient on such behavior if the facts were undisputable.
The law is the last barrier to bad behavior. There is no technical substitute for that.

Pascal.
 
:)

I understand your point, but if someone was so determined to steal information then nothing would stop them - but in this case if just email picked it up then it would have stopped there.

Has anyone heard of the new MS Office gizmo that allows authors to control what is done with their docs - such as printing and emailing/forwarding/copying?!

Cheers,

Steve.
 
DRM for documents?


Yeah, it sounds vaguely interesting... will allow a lot of the stuff Pascal was saying would be really difficult, as in locking down printing without locking down viewing on a per document level.

The interesting point to me though is how they'll overcome some of the technical hurdles... like laptops... and catastrophic server crashes without a useable backup (nah, never mind, everyone makes good backups)

There's rumor there might be a tracking mode too... put your document out there, publish a password, and get a log of every user who opened it.

-Rob
 
Certainly sounds interesting, just wondering how it affects NTFS permissions though. E.g. User leaves company - how can Administrators override the settings? User goes on holiday and document has to be sent to another user ASAP - How?!

Just some thoughts. Maybe for another thread though.

Steve.
 