14 / MAY / 2014

Protecting Your

Digital Assets

JEREMY HARRIS

ALISON REA

PETER DALTON

Strategy for dealing with digital

asset theft

How to Handle a Digital Asset Emergency

Digital Asset

Emergency

Talk 1 - How

the Law

Protects

Talk 2 - Practical

Litigation

Response

Talk 3 – System

Integrity/Forensic

Response

Talk 4 – Digital

Asset Risk

Solutions

_2

IP and CI increasingly embodied in digital form

Companies have unprecedented amounts of digital assets

Strategic importance

Available to more people/in multiple formats

Technology transformation has led to distribution around the world

Increased vulnerability

_3

Introduction

Software powers companies

Data helps them to understand customers/exploit sales opportunities

Digital content allows interaction with the public

Value of digital assets – 1 in 3 global executives believe data alone comprises

10% to 50% of the total assets of their organisation (the Economist Intelligence

Unit)

But the value of digital assets is directly linked to the steps taken to protect

them

_4

Introduction

Many different types of digital asset emergency

Each emergency requires a distinct approach

However, senior business leaders are ill-prepared – only 23% know enough to

take the lead in the event of a breach (Economist Intelligence Unit)

Businesses need to be able to:

– react quickly

– investigate

– devise an appropriate strategy

– remediate

_5

Introduction

Talk 1 – How the Law

Protects

Software

_7

Digital Assets

Databases

Background IP Digital

Media

Copying

Digitised

Content

Digital Asset Emergency

_8

Internal Threats:

Ex-employee walking off with digital assets e.g. software; valuable data

(customer database); confidential trade secret

Current employee accidentally leaking digital asset (e.g. posting on their

Facebook about confidential company news)

External Threats:

Attack from external source which enables a third party to access past your

firewall e.g. hacker, bot, malware

_9

What are the Threats?

Legal Action & Digital Assets

_10

(3) Breach of Confidence

Software

Database

Digital content

Digital media

Background IP

(2) Sui generis

Database right

(1) Copyright

Copyright, Designs and Patents Act 1988 (CDPA) traditionally used to protect creative

works:

original literary, dramatic, musical, artistic works [films, sound recordings, broadcasts]

• Software - source code & object code (not functionality)

• Databases (s3A(1) CDPA)

Original?

– Previously quite a low threshold in the UK – skill, labour and judgment

– New EU standard - author’s own intellectual creation (Infopaq)

_11

(1) Copyright - Subsistence

Infringement – carrying out one of the restricted acts below in relation to a substantial

part of the work (judged qualitatively, not quantitatively):

– Copying

– Issuing copies to the public

– Renting or lending the work to the public

– Performing, showing or playing the work in public

– Communicating the work to the public

– Making an adaptation

Not a monopoly right – need to prove digital copying

_12

(1) Copyright - Infringement

_13

(1) Copyright – Summary Table

Advantages

Disadvantages

Covers a wide variety of work, including

Background IP

Need to prove copying – evidence trail is

key

Works created by employees during the

course of employment - owned by the

employer

Works created by independent consultants

(not employees) are not owned by

commissioner

Long duration = life of author + 70 years (in

most cases)

Advantages & Disadvantages of Copyright as a cause of action:

Copyright and Rights in Databases Regulations 1997 (Database Regulations):

_14

(2) Databases – Copyright + sui generis DB right

Database Copyright Sui generis DB right

Type of work

covered?

s3A(1) CDPA - Collection of independent works, data or other material which are:

• Arranged in a systematic or methodical way; and

• Individually accessible by electronic or other means.

Subsistence test Author’s own intellectual creation

– cannot take into account any

intellectual effort in creating data

Protects “substantial investment in obtaining, verifying or

presenting the contents of the database” (regulation 13 Database

Regulations).

Cannot take into account investment in creating data

Infringement test Substantial part (judged

qualitatively)

• Extraction or re-utilisation of all or substantial part (judged

qualitatively) of the contents of the database without the

owner's permission (regulation 16(1)).

• Repeated and systematic extraction or re-utilisation of

insubstantial parts of the contents of the database

(regulation 16(1)).

Duration Life of author + 70 years 15 years from end of year DB is completed/first made available to

public

Powerful cause of action – likely to cover most digital assets & Background IP

No statute – breach of confidence action comes from common law (for the moment

anyway – proposed EU directive)

3 Requirements:

Information must have the necessary quality of confidence

Imparted in circumstances importing an obligation of confidence

Unauthorised use or disclosure

_15

(3) Confidential Information

_16

(3) Confidential Information II

Advantages Disadvantages

Applies to most commercial information that

is not public + Background IP

Know-how of ex-employees not covered

Flexible litigation tool – applies to any

“unconscionable” misuse

Scope for argument about whether the

information is confidential and/or was

disclosed in confidential circumstances

Covers the new employer of your departing

employee

Confidentiality once lost is lost forever –

damages claim only.

Advantages & Disadvantages of Breach of Confidence Action:

Contract Claims – there may also be a breach of contract claim e.g. breach of website

terms; breach of consultancy or employment agreement

Defamation – sometimes your digital assets can be misused in a way that is damaging

to your reputation e.g. posting documents online in a derogatory manner

Criminal – e.g. Computer Misuse Act 1990:

– s1 – Unauthorised access to a computer (e.g. bypassing password protection)

– s2 – Unauthorised access to commit further offences (e.g. blackmail)

– s3 – Unauthorised acts to impair operation of a computer (e.g. virus, DDoS attacks)

– s3A – Supply of hacking tools

_17

Additional Claims

There is a lot of legal protection available for digital assets:

Subsistence - take time now to consider how your digital assets would be classified in

the eyes of the law e.g. mark documents or assets as “confidential” or “protected by

copyright”; consider who has the “keys” to confidential information

Infringement – going to have to prove evidence trail

Internal threats – educate your employees about their contractual obligations &

working-from-home policies; conduct exit interviews when they leave

External threats – make sure there is a Planned Internal Response

_18

To summarise…

Damages OR account of profits

Permanent injunction

Delivery up or destruction of infringing copies or confidential information

_19

Final Remedies

What about the immediate response?

Talk 2 – Immediate Strategy

_22

Goals

Forensic investigation

Interim injunctions / Procedures

Secure status quo

Preserve evidence

Stop interim damage

Resolve

Compensation

Prevent long term

damage

Pursue claim

Identify

Who?

What?

How wide and how

far?

Engaging IT and key stakeholders

Search approach

Internal investigation? Or independent 3rd party experts?

Litigation hold

_23

Identify

Forensic Investigation

Do nothing?

- Is prevention of future incidents the most cost effective solution?

Pre-action correspondence?

- Request undertakings

- Request disclosure of materials

- Notify of intention to issue claim

Interim injunctions?

- Without notice if legitimate concerns as to respondents actions.

- On notice if respondent has ignored pre-action correspondence.

_24

Identify

Pre-Action Strategy

Option What it achieves When to use What do you need? Practical example

Norwich Pharmacal

Order

(Injunction)

Compels a third

party to disclose

documents and

information

Pre Action

To identify wrong doer

To identify full extent/nature

of wrongdoing

To obtain source of

information

A third party who is

involved in the

wrongdoing

No other procedures

can assist

Identification of parties

from IP addresses / email

addresses behind:

copycat websites;

file sharing;

anonymous posting

etc.

Pre-Action

Disclosure

(Procedure)

Disclosure of

particular

document(s)

Pre Action

To determine whether

proceedings necessary.

To properly plead case.

Identifiable documents

and defendant.

Minimal risk defendant

will destroy documents.

Disclosure of source code

to enable expert review

Non-party

Disclosure

(procedure)

Compels a third

party to disclose

documents

After proceedings issued

To obtain documents from a

third party

Identifiable documents

which are likely to

support / adversely

impact a party’s case

Disclosure of documents

indicating sales

Identify

Injunctions/Procedures

_25

Option What it achieves When to use What do you

need?

Practical example

Search and Seizure

Order

Gain entry to

respondent’s

premises to search

for, copy, remove

and detain materials

Pre action

To preserve evidence where

there is a real possibility that

respondent will destroy it

Identifiable materials

Extremely strong prima

facie case

Very serious damage

To remove computer

hardware where

respondent has deleted

evidence in the past.

Freezing Injunction Prevents

respondent dealing

with asset (and third

parties allowing

such dealing)

Pre action or soon after issue

To prevent destruction or sale

of assets

Identifiable asset

Good arguable case

Risk of dissipation

Freezing an email account

and serving order on email

account provider to prevent

respondent amending

contents.

Springboard

Injunction

Prevents a ‘head

start’ where

confidential

information has

already been

misused

Pre action or soon after

issue.

Often where an ex-employee

has taken a trade secret –

e.g. customer list, product

information, code samples.

Evidence of unlawful

activity and ongoing

unfair competitive

advantage.

To prevent former

employee dealing with ex-

customers on a stolen

customer list for a set time.

Prohibitory /

mandatory

injunction.

Prohibits / requires

the respondent to

do something.

Pre action, soon after issue,

at trial (final injunction)

A risk of loss not

remediable by

damages.

Prevent disclosure or use

of confidential information

Require consent to

disclosure of emails by

account provider

Secure status quo

Injunctions

Do you need one?

– Who has the asset in question?

– Do you know what they have done with it / threaten to do with it?

– Is there a risk of deletion / dissipation?

– Is there an ongoing risk?

– Is it worth upfront cost and cross-undertaking in damages?

– How sure are you of success? Failure can be hugely damaging

Who are you serving?

Options are not mutually exclusive

_27

Identify / Secure status quo

Strategic considerations - Injunctions

Identify

•Forensic investigation/Norwich pharmacal to identify operator

Secure status quo

•Freezing Injunction on account – serve on ISP •Search and seizure – to secure other computer records •Prohibitory / Springboard injunction – to prevent publication/misuse of confidential information

Identify

•Pre Action Disclosure: to compel individual to consent to the disclosure of emails by account provider

Resolve

• Issue proceedings using information obtained to properly plead case. Seek damages and final injunctions.

Example:

Email account used to receive/post confidential information

Statements of Case

Disclosure (e-disclosure)

Witness statements (IT department?)

Expert evidence (forensic / IT)

Trial

_29

Resolve

Court process

Within the first 24 hours

Work with legal, IT and key decision-makers in the company:

– Identify the leak

– Plug the gaps

Within the first 1-6 weeks:

Initial forensic investigation – Internal or external investigator? Beware of destroying

evidence trail.

Emergency legal measures i.e. interim injunctions

6 weeks onwards:

Issue claim

Forensic investigations / Further applications to support litigation process

Take home message: rapid response

_30

Our people

_31

Jeremy Harris

Partner IP & Litigation Department +44 (0) 20 7710 1658 jeremy.harris@kemplittle.com

Alison Rea

Solicitor IP & Litigation Department +44 (0) 20 7710 1614 alison.rea@kemplittle.com

Peter Dalton

Solicitor IP & Litigation Department +44 (0) 20 7710 1658 peter.dalton@kemplittle.com

• Call in Incident Response Team

• Begin to determine type of breach:

– External hacker

– Deliberate insider action

– Inadvertent insider leak

– Leak via advisor/third party

• Be aware that the hacker could still be ‘in’ the system

• Will investigation be discreet or transparent?

Discovery of a breach

• Contain damage and protect evidence

• Take affected hardware offline where possible

• Log analysis and event correlation. Which logs are available for analysis?

– System audit log files

– Firewall logs

– Intrusion Detection System/Intrusion Prevention System

– Antivirus

• Protect other data, starting with the most valuable

External Breach

• Full compromise assessment (1-4 weeks)

– Network based - Monitor all gateway traffic to detect abnormal data

– Host based - Collect data from laptops/workstations on the network

• Malware analysis

– Reverse engineer any discovered malware

– Build picture of attack origin and intentions of attacker

• Implement a permanent fix

External Breach

• Identify who had access to the data

• Further restrict access to sensitive data

• What levels of user auditing/logging are in place? Is there a DLP system in

place?

• Forensic imaging of all computers/mobile devices that had access to the data

• Data review:

– Analysis of emails

– Analysis of corporate landline and mobile records

• Interview people who had access to the data if appropriate

Internal breach

• Audit and monitor your organisation’s digital footprint

– Social media conversation on company and key people

– Pinpoint employees attractive to attackers

– Be on alert around negative media coverage

– Know which corporate email addresses are in the public domain

– Deep and dark web. Frequented by cyber criminals

– Domain information and other technical information

– Reduce attack surface as much as possible

Proactive measures

• Conduct regular penetration testing and gap analysis

• Have an incident response team ready to react quickly to potential breach

• User awareness training sessions. Educate workforce about latest threats

• Ensure policies and procedures are in place and up to date.

• Consider Data Loss Prevention (DLP) systems, Intrusion

Detection/Prevention systems (IDS/IPS)

Proactive measures

• Reduce attack surface - Proactively monitor your digital footprint

• Educate workforce on latest threats and dangers of social media

• Ensure all systems are logging events in as much detail as possible

• Have an Incident Response Team in place

Take-home messages

14 MAY 2014

Management and technology

solutions

Protecting your

digital data – KLC

Input

CHRIS WRAY

KEMP LITTLE CONSULTING PARTNER

The need to protect different layers of digital data

Understanding how your data security layer maps against your data

architecture and infrastructure is key to success

_42

Identify what to protect using a logical data model

Business

Information Model

Logical Data

Model

Integration

Specific

Data

Model

Application

Specific

Data

Model

Data

Warehouse

Specific

Data

Model

Database

Specific

Data

Model

End to End

Scenarios

End to End

Processes &

Activities

Integration

Processes

Computer

Independent

Model

Platform

Independent

Model

Platform

Specific

Model

IT Systems

&

Components

Private

Cloud Hybrid

Cloud

Public

Cloud

On

Premise

Clear adoption of data security standards to be used across the organisation and

with 3rd parties

Adoption of online password managers – single sign-on strategy

Secure solutions to cover multiple logons as SaaS cloud applications increase

Two stage authentication for securing critical data

eDiscovery tools to monitor restricted email / data exchange

Crowd source testing of web applications

Ethical hacking initiatives

_43

Data Security Solutions to consider

Continuous monitoring of your platform infrastructure, applications and

connections

Software solutions that classify data as confidential and monitor / flag access to

its use through learning algorithms

Digital asset management software to ring-fence and provide a focus on high

value digital assets

Use of cross-platform security solutions for on-site, private and public cloud

Cyber risk insurance

_44

Data Architecture and Platform Solutions to consider

A single technology solution / approach across the business is unlikely to be

feasible

The challenge is too great to believe protection is enough – monitor and respond

Your response should be risk focused and reflect the capability of your

organisation to deploy

Best practice advocates “Context specific security technologies”

_45

Key Messages

Contact Details

Chris Wray

Kemp Little Consulting

Partner 020 7710 1629

Chris.wray@kemplittle.com

_46