Ask a group of IT officers who the real enemy of cybersecurity is and they’ll call out in unison: Trojans! Phishing mails! Hackers! Are you nodding in agreement? While indeed these threats are real and need to be addressed, there is another menace that people, including experts, tend to forget about (or are entirely unaware of to begin with): the inside threat. According to Verizon’s Data Breach Investigations Report of 2019, 34% of companies who experienced a data breach in 2018 claim that it was caused by insiders.

In this article, we are going to explore to what extent employees can be made liable for stealing data, how data theft can be proven, and what you can do to protect your company against data theft from within.

Unintentional and Intentional Data Theft

Mostly affected by internal data theft are databases containing customer contacts, training materials, presentation materials or strategic papers. Let’s assume we know this guy, John, for instance. John has been working as a salesperson for a company for several years, but recently decided that it is time for a change: He is going to go work for the competition. That’s where things can get really messy, though.

John invested a lot of time into developing strategies and concepts for his current employer. He decides to copy and download some of those papers before leaving for good – after all, he produced them, and therefore they are his property. Right?

Wrong, John! According to US copyright law (§ 201 8b), such products are the property of the company, not yours!


John hopes that bringing his old customer contacts to the new company is going to get him instant recognition and praise. He is unaware, however, that his actions could cause serious economic damage to his former employer.

Data Theft and the Law

Corporate data theft is not just a petty offence – in the US, it is punishable by law, as stipulated by the Computer Fraud and Abuse Act (CFAA). “The CFAA is the primary statutory mechanism for prosecuting cybercrime and provides for both criminal and civil penalties.” (Source: iclg.com) This means that if you can prove that someone committed data theft, you can press criminal charges against that person. In the US, sentences for cybercrimes are hefty:

| Offense | Sentence (max. sentence for second convictions in parentheses) |
| --- | --- |
| Unauthorized access (or exceeding authorized access) to a computer and obtaining national security information | 10 years (20) |
| Accessing a computer and obtaining information | 1 or 5 yrs (10) |
| Trespassing in a government computer | 1 yr (10) |
| Accessing a computer to defraud and obtain value | 5 yrs (10) |
| Intentionally damaging by knowing transmission | 1 or 10 yrs (20) |
| Recklessly damaging by intentional access | 1 or 5 yrs (20) |
| Negligently causing damage and loss by intentional access | 1 yr (10) |
| Trafficking in passwords | 1 yr (10) |
| Extortion involving computers | 5 yrs (10) |
| Attempt and conspiracy to commit such an offense | 10 yrs for attempt; no penalty specified for conspiracy |

Source: NACDL.org


According to 18 U.S. Code § 1030 “whoever intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information from any protected computer shall be punished.”

John, you’re looking at 1-10 years in prison for taking all that data with you.


Examples of Data Theft

Copying or forwarding data without your employer’s approval is against the law. Such data includes sensitive information like personal customer details, product information and strategic plans. Taking less valuable data such as presentations, checklists or the like also counts as a violation of the law.

How Can I Protect My Company Against Data Theft?

If data is stolen, forwarded or copied, it means there’s a security leak. If the data includes customer information or other sensitive information, the offence could potentially cause great economic damage.

Even the theft of less crucial documents (e.g. presentations, training materials, work plans) could damage the company severely and bring great advantages to its competitors. We therefore advise taking a two-level approach to data protection:

  1. Grant access only to workers who really need it to perform their job duties.
  2. Make sure you can track which employee has or had access to what data, and when.

Use an Access Management Strategy to Protect Your Data

In many cases, data misuse or theft occurs at all only because an employee has privileges he or she should not have had to begin with. This is a problem many companies face, and it is often caused by so-called reference users: when a new person joins the company, instead of generating a new user profile for that person, someone else’s existing profile (e.g. from a person working in the same department) is simply copied and assigned to the new person – including all the extra privileges the person whose profile was copied has accumulated.

In the years that follow, the new person collects more privileges (e.g. with each department change, or by working on different projects that require different rights) until, at some point, they end up with twice as many privileges as they actually need. With each extra privilege and each new file added to the access list, the risk of data misuse and theft rises significantly.

You can combat this problem by implementing access management software. The software safeguards information inside your network and assigns access rights automatically using a profile system. It also ensures that privileges are withdrawn automatically at a specified time, for instance when somebody leaves the company.

Automated Reporting as Proof of Data Theft

Access management solutions automate reporting processes for Active Directory (Microsoft) as well as for file servers (Windows, Linux, various SAN/NAS systems) and other products, such as Exchange or SharePoint. This allows you to control and track who has access to what data in your company with only a few clicks.

Furthermore, a regular access review prevents outdated access rights from accumulating. As part of the process, the software will regularly force admins to check in on the access rights they are responsible for and to either reconfirm or retract them.
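The following added example (not code from the original article or from tenfold) models the approach described in the last two sections in Python: profile-based assignment instead of reference-user cloning, a drift check that flags rights beyond a department profile, time-based revocation for leavers, and a who-has-access-to-what report for the access review. The departments, users, resources and dates are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed sample profiles: the baseline rights each department role needs.
PROFILES = {
    "sales": {"crm_read", "share_sales"},
    "hr": {"share_hr", "payroll_read"},
}

@dataclass
class User:
    name: str
    department: str
    rights: set[str]
    leave_date: date | None = None

def onboard_by_profile(name: str, department: str) -> User:
    """Assign rights from the department profile (the recommended approach)."""
    return User(name, department, set(PROFILES[department]))

def onboard_by_reference(name: str, department: str, reference: User) -> User:
    """The reference-user anti-pattern: clone another account, stale extras included."""
    return User(name, department, set(reference.rights))

def excess_rights(user: User) -> set[str]:
    """Rights held beyond the department profile: the drift a review should flag."""
    return user.rights - PROFILES[user.department]

def revoke_leavers(users: list[User], today: date) -> list[str]:
    """Withdraw all rights once a leave date has passed; return who was processed."""
    processed = []
    for u in users:
        if u.leave_date is not None and u.leave_date <= today and u.rights:
            u.rights.clear()
            processed.append(u.name)
    return processed

def access_report(users: list[User]) -> dict[str, list[str]]:
    """Who has access to what: resource -> sorted user names, for the reviewer."""
    report: dict[str, list[str]] = {}
    for u in users:
        for r in u.rights:
            report.setdefault(r, []).append(u.name)
    return {r: sorted(names) for r, names in sorted(report.items())}

def demo():
    """Walk through the article's scenario with constructed users."""
    john = User("john", "sales", {"crm_read", "share_sales", "share_hr"}, date(2019, 6, 30))
    anna = onboard_by_reference("anna", "sales", john)  # inherits John's stale HR share
    ben = onboard_by_profile("ben", "sales")            # gets exactly the sales profile
    users = [john, anna, ben]
    drift = {u.name: sorted(excess_rights(u)) for u in users}
    left = revoke_leavers(users, date(2019, 7, 1))
    return drift, left, access_report(users)
```

Running `demo()` shows the cloned account carrying the extra `share_hr` right that the profile-based account does not, and the report after the leave date no longer lists John anywhere.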

For larger enterprises, it might be worth investing in a more comprehensive identity and access management (IAM) solution. In our blog post you will learn which features to look out for when choosing IAM software and how to implement such a solution correctly.

Explore the full range of functions of our software in the free trial version of tenfold and learn how simple and efficient access management could benefit you in the future.

Sources:

https://www.ponemon.org/research/ponemon-library/security/data-breaches-caused-by-insiders-increase-in-frequency-and-cost.html

https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa

https://www.nacdl.org/Landing/ComputerFraudandAbuseAct

https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

https://www.law.cornell.edu/uscode/text/18/1030#a_2

https://www.st-sozien.de/aktuelles/news-detail/datendiebstahl-im-arbeitsrecht/ (only available in German)

https://www.datenschutzexperte.de/blog/datenschutz-im-unternehmen/datenklau-wenn-ehemalige-mitarbeiter-unbefugt-daten-mitnehmen/ (only available in German)

https://www.computerwoche.de/a/mitarbeiter-die-zu-innentaetern-wurden,3544625 (only available in German)