14 / MAY / 2014
Protecting Your Digital Assets
JEREMY HARRIS
ALISON REA
PETER DALTON
Strategy for dealing with digital asset theft
How to Handle a Digital Asset Emergency
Digital Asset Emergency
Talk 1 - How the Law Protects
Talk 2 - Practical Litigation Response
Talk 3 – System Integrity/Forensic Response
Talk 4 – Digital Asset Risk Solutions
_2
IP and CI increasingly embodied in digital form
Companies have unprecedented amounts of digital assets
Strategic importance
Available to more people/in multiple formats
Technology transformation has led to distribution around the world
Increased vulnerability
_3
Introduction
Software powers companies
Data helps them to understand customers/exploit sales opportunities
Digital content allows interaction with the public
Value of digital assets – 1 in 3 global executives believe data alone comprises
10% to 50% of the total assets of their organisation (the Economist Intelligence
Unit)
But the value of digital assets is directly linked to the steps taken to protect
them
_4
Introduction
Many different types of digital asset emergency
Each emergency requires a distinct approach
However, senior business leaders are ill-prepared – only 23% know enough to
take the lead in the event of a breach (Economist Intelligence Unit)
Businesses need to be able to:
– react quickly
– investigate
– devise an appropriate strategy
– remediate
_5
Introduction
Talk 1 – How the Law Protects
Software
_7
Digital Assets
Databases
Background IP
Digital Media
Copying
Digitised Content
Digital Asset Emergency
_8
Internal Threats:
Ex-employee walking off with digital assets e.g. software; valuable data
(customer database); confidential trade secret
Current employee accidentally leaking digital asset (e.g. posting on their
Facebook about confidential company news)
External Threats:
Attack from external source which enables a third party to access past your
firewall e.g. hacker, bot, malware
_9
What are the Threats?
Legal Action & Digital Assets
_10
(1) Copyright
(2) Sui generis Database right
(3) Breach of Confidence
Software
Database
Digital content
Digital media
Background IP
Copyright, Designs and Patents Act 1988 (CDPA) traditionally used to protect creative
works:
original literary, dramatic, musical, artistic works [films, sound recordings, broadcasts]
• Software - source code & object code (not functionality)
• Databases (s3A(1) CDPA)
Original?
– Previously quite a low threshold in the UK – skill, labour and judgment
– New EU standard - author’s own intellectual creation (Infopaq)
_11
(1) Copyright - Subsistence
Infringement – carrying out one of the restricted acts below in relation to a substantial
part of the work (judged qualitatively, not quantitatively):
– Copying
– Issuing copies to the public
– Renting or lending the work to the public
– Performing, showing or playing the work in public
– Communicating the work to the public
– Making an adaptation
Not a monopoly right – need to prove digital copying
_12
(1) Copyright - Infringement
_13
(1) Copyright – Summary Table
Advantages & Disadvantages of Copyright as a cause of action:
Advantages
– Covers a wide variety of work, including Background IP
– Works created by employees during the course of employment - owned by the employer
– Long duration = life of author + 70 years (in most cases)
Disadvantages
– Need to prove copying – evidence trail is key
– Works created by independent consultants (not employees) are not owned by commissioner
Copyright and Rights in Databases Regulations 1997 (Database Regulations):
_14
(2) Databases – Copyright + sui generis DB right
Database Copyright compared with Sui generis DB right
Type of work covered?
s3A(1) CDPA - Collection of independent works, data or other material which are:
• Arranged in a systematic or methodical way; and
• Individually accessible by electronic or other means.
Subsistence test
– Database Copyright: Author’s own intellectual creation – cannot take into account any intellectual effort in creating data
– Sui generis DB right: Protects “substantial investment in obtaining, verifying or presenting the contents of the database” (regulation 13 Database Regulations). Cannot take into account investment in creating data
Infringement test
– Database Copyright: Substantial part (judged qualitatively)
– Sui generis DB right:
• Extraction or re-utilisation of all or substantial part (judged qualitatively) of the contents of the database without the owner's permission (regulation 16(1)).
• Repeated and systematic extraction or re-utilisation of insubstantial parts of the contents of the database (regulation 16(1)).
Duration
– Database Copyright: Life of author + 70 years
– Sui generis DB right: 15 years from end of year DB is completed/first made available to public
Powerful cause of action – likely to cover most digital assets & Background IP
No statute – breach of confidence action comes from common law (for the moment
anyway – proposed EU directive)
3 Requirements:
Information must have the necessary quality of confidence
Imparted in circumstances importing an obligation of confidence
Unauthorised use or disclosure
_15
(3) Confidential Information
_16
(3) Confidential Information II
Advantages & Disadvantages of Breach of Confidence Action:
Advantages
– Applies to most commercial information that is not public + Background IP
– Flexible litigation tool – applies to any “unconscionable” misuse
– Covers the new employer of your departing employee
Disadvantages
– Know-how of ex-employees not covered
– Scope for argument about whether the information is confidential and/or was disclosed in confidential circumstances
– Confidentiality once lost is lost forever – damages claim only.
Contract Claims – there may also be a breach of contract claim e.g. breach of website
terms; breach of consultancy or employment agreement
Defamation – sometimes your digital assets can be misused in a way that is damaging
to your reputation e.g. posting documents online in a derogatory manner
Criminal – e.g. Computer Misuse Act 1990:
– s1 – Unauthorised access to a computer (e.g. bypassing password protection)
– s2 – Unauthorised access to commit further offences (e.g. blackmail)
– s3 – Unauthorised acts to impair operation of a computer (e.g. virus, DDoS attacks)
– s3A – Supply of hacking tools
_17
Additional Claims
There is a lot of legal protection available for digital assets:
Subsistence - take time now to consider how your digital assets would be classified in
the eyes of the law e.g. mark documents or assets as “confidential” or “protected by
copyright”; consider who has the “keys” to confidential information
Infringement – going to have to prove evidence trail
Internal threats – educate your employees about their contractual obligations &
working-from-home policies; conduct exit interviews when they leave
External threats – make sure there is a Planned Internal Response
_18
To summarise…
Damages OR account of profits
Permanent injunction
Delivery up or destruction of infringing copies or confidential information
_19
Final Remedies
What about the immediate response?
Talk 2 – Immediate Strategy
_22
Goals
Forensic investigation
Interim injunctions / Procedures
Identify
– Who?
– What?
– How wide and how far?
Secure status quo
– Preserve evidence
– Stop interim damage
Resolve
– Compensation
– Prevent long term damage
– Pursue claim
Engaging IT and key stakeholders
Search approach
Internal investigation? Or independent 3rd party experts?
Litigation hold
_23
Identify
Forensic Investigation
Do nothing?
- Is prevention of future incidents the most cost effective solution?
Pre-action correspondence?
- Request undertakings
- Request disclosure of materials
- Notify of intention to issue claim
Interim injunctions?
- Without notice if legitimate concerns as to respondent's actions.
- On notice if respondent has ignored pre-action correspondence.
_24
Identify
Pre-Action Strategy
Options: what each achieves, when to use it, what you need, and a practical example
Norwich Pharmacal Order (Injunction)
– What it achieves: Compels a third party to disclose documents and information
– When to use: Pre Action. To identify wrongdoer. To identify full extent/nature of wrongdoing. To obtain source of information
– What do you need? A third party who is involved in the wrongdoing. No other procedures can assist
– Practical example: Identification of parties from IP addresses / email addresses behind: copycat websites; file sharing; anonymous posting etc.
Pre-Action Disclosure (Procedure)
– What it achieves: Disclosure of particular document(s)
– When to use: Pre Action. To determine whether proceedings necessary. To properly plead case.
– What do you need? Identifiable documents and defendant. Minimal risk defendant will destroy documents.
– Practical example: Disclosure of source code to enable expert review
Non-party Disclosure (Procedure)
– What it achieves: Compels a third party to disclose documents
– When to use: After proceedings issued. To obtain documents from a third party
– What do you need? Identifiable documents which are likely to support / adversely impact a party’s case
– Practical example: Disclosure of documents indicating sales
Identify
Injunctions/Procedures
_25
Options: what each achieves, when to use it, what you need, and a practical example
Search and Seizure Order
– What it achieves: Gain entry to respondent’s premises to search for, copy, remove and detain materials
– When to use: Pre action. To preserve evidence where there is a real possibility that respondent will destroy it
– What do you need? Identifiable materials. Extremely strong prima facie case. Very serious damage
– Practical example: To remove computer hardware where respondent has deleted evidence in the past.
Freezing Injunction
– What it achieves: Prevents respondent dealing with asset (and third parties allowing such dealing)
– When to use: Pre action or soon after issue. To prevent destruction or sale of assets
– What do you need? Identifiable asset. Good arguable case. Risk of dissipation
– Practical example: Freezing an email account and serving order on email account provider to prevent respondent amending contents.
Springboard Injunction
– What it achieves: Prevents a ‘head start’ where confidential information has already been misused
– When to use: Pre action or soon after issue. Often where an ex-employee has taken a trade secret – e.g. customer list, product information, code samples.
– What do you need? Evidence of unlawful activity and ongoing unfair competitive advantage.
– Practical example: To prevent former employee dealing with ex-customers on a stolen customer list for a set time.
Prohibitory / mandatory injunction
– What it achieves: Prohibits / requires the respondent to do something.
– When to use: Pre action, soon after issue, at trial (final injunction)
– What do you need? A risk of loss not remediable by damages.
– Practical example: Prevent disclosure or use of confidential information. Require consent to disclosure of emails by account provider
Secure status quo
Injunctions
Do you need one?
– Who has the asset in question?
– Do you know what they have done with it / threaten to do with it?
– Is there a risk of deletion / dissipation?
– Is there an ongoing risk?
– Is it worth upfront cost and cross-undertaking in damages?
– How sure are you of success? Failure can be hugely damaging
Who are you serving?
Options are not mutually exclusive
_27
Identify / Secure status quo
Strategic considerations - Injunctions
Example: Email account used to receive/post confidential information
Identify
• Forensic investigation/Norwich Pharmacal to identify operator
Secure status quo
• Freezing Injunction on account – serve on ISP
• Search and seizure – to secure other computer records
• Prohibitory / Springboard injunction – to prevent publication/misuse of confidential information
Identify
• Pre Action Disclosure: to compel individual to consent to the disclosure of emails by account provider
Resolve
• Issue proceedings using information obtained to properly plead case. Seek damages and final injunctions.
Statements of Case
Disclosure (e-disclosure)
Witness statements (IT department?)
Expert evidence (forensic / IT)
Trial
_29
Resolve
Court process
Within the first 24 hours
Work with legal, IT and key decision-makers in the company:
– Identify the leak
– Plug the gaps
Within the first 1-6 weeks:
Initial forensic investigation – Internal or external investigator? Beware of destroying
evidence trail.
Emergency legal measures i.e. interim injunctions
6 weeks onwards:
Issue claim
Forensic investigations / Further applications to support litigation process
Take home message: rapid response
_30
Our people
_31
Jeremy Harris
Partner, IP & Litigation Department, +44 (0) 20 7710 1658
Alison Rea
Solicitor, IP & Litigation Department, +44 (0) 20 7710 1614
Peter Dalton
Solicitor, IP & Litigation Department, +44 (0) 20 7710 1658
• Call in Incident Response Team
• Begin to determine type of breach:
– External hacker
– Deliberate insider action
– Inadvertent insider leak
– Leak via advisor/third party
• Be aware that the hacker could still be ‘in’ the system
• Will investigation be discreet or transparent?
Discovery of a breach
• Contain damage and protect evidence
• Take affected hardware offline where possible
• Log analysis and event correlation. Which logs are available for analysis?
– System audit log files
– Firewall logs
– Intrusion Detection System/Intrusion Prevention System
– Antivirus
• Protect other data, starting with the most valuable
External Breach
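Added example (not part of the original slides): one way to do the "log analysis and event correlation" step across the four log sources listed above, by merging alerts into a per-host timeline and keeping only bursts that more than one source corroborates. The event tuples, host names, the 15-minute window and the two-source threshold are constructed assumptions, not values from the talk.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the talk): one tuple per alert already
# parsed out of each log source as (source, ISO timestamp, host, message).
EVENTS = [
    ("audit",     "2014-05-14T02:03:41", "ws-017", "logon outside working hours"),
    ("ids",       "2014-05-14T02:08:12", "ws-017", "alert on outbound connection"),
    ("firewall",  "2014-05-14T02:10:05", "ws-017", "large outbound transfer allowed"),
    ("antivirus", "2014-05-14T09:30:00", "ws-017", "file quarantined"),
    ("firewall",  "2014-05-14T11:15:00", "ws-042", "outbound connection denied"),
    ("audit",     "2014-05-14T15:40:00", "ws-042", "failed logon"),
]

def correlate(events, window_minutes=15, min_sources=2):
    """Build a per-host timeline, split it into bursts whose events fall within
    window_minutes of the burst's first event, and return the bursts that are
    corroborated by at least min_sources different log sources."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for source, ts, host, message in events:
        per_host[host].append((datetime.fromisoformat(ts), source, message))

    findings = []
    for host in sorted(per_host):
        rows = sorted(per_host[host])      # chronological order per host
        burst = []
        for row in rows + [None]:          # trailing None flushes the last burst
            if row is not None and (not burst or row[0] - burst[0][0] <= window):
                burst.append(row)
                continue
            sources = sorted({r[1] for r in burst})
            if len(sources) >= min_sources:
                findings.append({
                    "host": host,
                    "sources": sources,
                    "timeline": [(t.isoformat(), s, m) for t, s, m in burst],
                })
            burst = [row] if row is not None else []
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding["host"], finding["sources"])
        for entry in finding["timeline"]:
            print("   ", *entry)
```

The function only reads copies of the parsed events, so it can be run against exported logs without touching the original evidence.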
• Full compromise assessment (1-4 weeks)
– Network based - Monitor all gateway traffic to detect abnormal data
– Host based - Collect data from laptops/workstations on the network
• Malware analysis
– Reverse engineer any discovered malware
– Build picture of attack origin and intentions of attacker
• Implement a permanent fix
External Breach
• Identify who had access to the data
• Further restrict access to sensitive data
• What levels of user auditing/logging are in place? Is there a DLP system in
place?
• Forensic imaging of all computers/mobile devices that had access to the data
• Data review:
– Analysis of emails
– Analysis of corporate landline and mobile records
• Interview people who had access to the data if appropriate
Internal breach
• Audit and monitor your organisation’s digital footprint
– Social media conversation on company and key people
– Pinpoint employees attractive to attackers
– Be on alert around negative media coverage
– Know which corporate email addresses are in the public domain
– Deep and dark web. Frequented by cyber criminals
– Domain information and other technical information
– Reduce attack surface as much as possible
Proactive measures
• Conduct regular penetration testing and gap analysis
• Have an incident response team ready to react quickly to potential breach
• User awareness training sessions. Educate workforce about latest threats
• Ensure policies and procedures are in place and up to date.
• Consider Data Loss Prevention (DLP) systems, Intrusion
Detection/Prevention systems (IDS/IPS)
Proactive measures
• Reduce attack surface - Proactively monitor your digital footprint
• Educate workforce on latest threats and dangers of social media
• Ensure all systems are logging events in as much detail as possible
• Have an Incident Response Team in place
Take-home messages
14 MAY 2014
Management and technology solutions
Protecting your digital data – KLC Input
CHRIS WRAY
KEMP LITTLE CONSULTING PARTNER
The need to protect different layers of digital data
Understanding how your data security layer maps against your data
architecture and infrastructure is key to success
_42
Identify what to protect using a logical data model
[Diagram labels: Business Information Model; Logical Data Model; Integration Specific Data Model; Application Specific Data Model; Data Warehouse Specific Data Model; Database Specific Data Model; End to End Scenarios; End to End Processes & Activities; Integration Processes; Computer Independent Model; Platform Independent Model; Platform Specific Model; IT Systems & Components; Private Cloud; Hybrid Cloud; Public Cloud; On Premise]
Clear adoption of data security standards to be used across the organisation and
with 3rd parties
Adoption of online password managers – single sign-on strategy
Secure solutions to cover multiple logons as SaaS cloud applications increase
Two stage authentication for securing critical data
eDiscovery tools to monitor restricted email / data exchange
Crowd source testing of web applications
Ethical hacking initiatives
_43
Data Security Solutions to consider
Continuous monitoring of your platform infrastructure, applications and
connections
Software solutions that classify data as confidential and monitor / flag access to
its use through learning algorithms
Digital asset management software to ring-fence and provide a focus on high
value digital assets
Use of cross-platform security solutions for on-site, private and public cloud
Cyber risk insurance
_44
Data Architecture and Platform Solutions to consider
A single technology solution / approach across the business is unlikely to be
feasible
The challenge is too great to believe protection is enough – monitor and respond
Your response should be risk focused and reflect the capability of your
organisation to deploy
Best practice advocates “Context specific security technologies”
_45
Key Messages
Contact Details
Chris Wray
Kemp Little Consulting
Partner 020 7710 1629
_46