Blog Post

IP in Open Waters Part 2: Bringing Data Back to Safety

Control and Visibility

First and foremost, legal, compliance and IT teams must work together to re-establish control. This starts with locking down user accounts so that each user holds only the access and rights their specific role requires (least privilege). In particular, where the network perimeter has already been expanded to include staff's personal devices (e.g., under a Bring Your Own Device (BYOD) policy), ensure that staff cannot expand it further. In practice this means disabling: email forwarding, so users cannot send mail in bulk to unapproved accounts or devices; client synchronisation, so users cannot replicate whole archives onto personal devices; and folder downloads, so users cannot pull data in bulk onto personal devices.

Once those controls are in place, teams can establish detailed logging and alerting so that access to critical content is visible and unusual behaviour is recorded and escalated. Example alerts include: access to critical data; large downloads (by volume and by number of files); access from unusual IP addresses or locations; and access at unusual times or days (e.g., late nights, early mornings, weekends, or when a user is known not to be working). Thresholds for volume and file count should be set against each role's normal activity, otherwise legitimate bulk work will swamp the alert queue.
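The alert categories listed above, expressed as detection logic and run over a small set of constructed file-access events. This is an added example, not code from the post or from FTI Consulting: the CSV field layout, the critical-path prefixes, the approved network ranges, the working-hours window and the volume and count thresholds are all assumptions chosen for illustration.

```python
"""Rule-based alerting over file-access events (added example, not from the post).

Assumes a hypothetical CSV export with one event per line:
    timestamp(UTC, ISO 8601),user,action,path,bytes,src_ip
All policy values below are illustrative assumptions; tune them to your baseline.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- Policy (assumed values) ------------------------------------------------
CRITICAL_PREFIXES = ("/ip/", "/legal/")                 # locations holding critical IP
APPROVED_NETS = [ip_network("10.0.0.0/8"),              # corporate LAN / VPN (assumed)
                 ip_network("203.0.113.0/24")]          # office egress range (assumed)
LARGE_VOLUME_BYTES = 500 * 1024 ** 2                    # per user, per UTC day
MANY_DOWNLOADS = 50                                     # files per user, per UTC day
WORK_HOURS = range(7, 19)                               # 07:00-18:59 UTC
WORK_DAYS = range(0, 5)                                 # Monday-Friday


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    path: str
    nbytes: int
    src_ip: str


def parse_log(text: str) -> list[Event]:
    """Parse CSV lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, user, action, path, nbytes, src_ip = parts
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, action, path, int(nbytes), src_ip))
    return events


def detect(events: list[Event]) -> list[dict]:
    """Return one alert per (rule, user, detail) triggered by the events."""
    alerts = []
    volume = defaultdict(int)      # (user, day) -> bytes transferred
    downloads = defaultdict(int)   # (user, day) -> number of downloads
    for e in events:
        day = e.ts.date()
        volume[(e.user, day)] += e.nbytes
        if e.action == "download":
            downloads[(e.user, day)] += 1
        # Per-event rules: critical data, unusual source, unusual time.
        if e.path.startswith(CRITICAL_PREFIXES):
            alerts.append({"rule": "critical_access", "user": e.user, "detail": e.path})
        if not any(ip_address(e.src_ip) in net for net in APPROVED_NETS):
            alerts.append({"rule": "unapproved_ip", "user": e.user, "detail": e.src_ip})
        if e.ts.weekday() not in WORK_DAYS or e.ts.hour not in WORK_HOURS:
            alerts.append({"rule": "off_hours", "user": e.user, "detail": e.ts.isoformat()})
    # Aggregate rules: large downloads by volume and by count.
    for (user, day), total in volume.items():
        if total > LARGE_VOLUME_BYTES:
            alerts.append({"rule": "large_volume", "user": user, "detail": f"{day} {total} bytes"})
    for (user, day), n in downloads.items():
        if n > MANY_DOWNLOADS:
            alerts.append({"rule": "many_downloads", "user": user, "detail": f"{day} {n} files"})
    return alerts


# Constructed sample events. 2024-03-04 is a Monday, 2024-03-09 a Saturday.
RAW_LOG = "\n".join([
    "2024-03-04T09:12:44Z,alice,view,/marketing/brochure.pdf,204800,203.0.113.14",
    "2024-03-04T09:15:02Z,alice,download,/ip/designs/turbine-v3.zip,734003200,203.0.113.14",
    "2024-03-04T23:41:05Z,carol,download,/hr/handbook.pdf,1048576,198.51.100.7",
    "2024-03-09T10:05:10Z,dave,view,/finance/q1.xlsx,51200,10.20.30.40",
    "not,a,valid,line",
] + [
    # bob pulls 60 small files within one minute on a Monday afternoon: a bulk download
    f"2024-03-04T14:00:{i:02d}Z,bob,download,/shared/projects/doc-{i:02d}.docx,40960,10.0.5.9"
    for i in range(60)
])

if __name__ == "__main__":
    for a in detect(parse_log(RAW_LOG)):
        print(f"{a['rule']:16}{a['user']:7}{a['detail']}")
```

Two points worth noting when adapting this. The off-hours rule evaluates UTC timestamps; real users work in local time, so the window should be resolved per user (or per office) before comparing. And the aggregate rules only fire once a day's events have been seen, so in a streaming pipeline they need to be re-evaluated as each new event arrives rather than at end of day.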

Personal Devices and Investigative Powers

When an investigation must be initiated, gaining access to personal devices can be problematic at best, and frequently relies on the careful deployment of legal search powers. If the device owner does not consent to the examination of the device, a court order can be sought. Should this become necessary, the court order must be drafted with sufficient detail of known events and include all possible related devices, accounts and authentication details. As such, successfully obtaining a suitable court order requires close collaboration between legal advisors and experienced forensic professionals.

It’s common for orders to set strict timeframes on how long investigators can hold target devices, so when pursuing such an order it’s important to understand what a successful search will logistically require, in terms of the proposed timeframe and the scope and depth of the search. Teams should also consider any requirement to remediate IP found on the target devices: if IP is located, can it be securely deleted and, if so, what level of certainty is required? Options range from selective deletion of data and the closure of accounts through to a full wipe or factory reset of the device, and even its confiscation.

In recovering from an IP crisis, the key is to adopt a flexible, multi-disciplinary approach. These crises are frequently multi-faceted, and an effective response draws on several disciplines, including cybersecurity, digital forensics, privacy and strategic communications. Plan ahead so that you’re not trying to find the right people in the midst of a crisis: identify your consulting and legal partners in advance and, ideally, record them in your crisis management plan. In our experience, the organisations that proactively invest in their crisis response capability are the ones that weather the storm best. Focus on building capability and minimising risk: understand the organisation’s data assets and minimise the data it holds, build your crisis response processes, train key staff, and test and strengthen security.

In the wake of COVID-19 and the changes it has instigated, you may not be able to bring all your IP back to the safety of the rockpool – but it’s not too late to deploy the life rafts and patrols, and be prepared.

Our in-depth paper on IP risks facing organisations in Australia and beyond is available separately.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.