05:00 PM

Banks' Intellectual Property at Great Risk Amid Layoffs

As banks let go thousands of employees to cope with the crisis, many overlook the importance of recovering company data from former workers.

Trade secrets and intellectual property are perhaps two of the areas most overlooked at banks. However, now that the industry is facing unprecedented change, financial institutions would be wise to turn their attention toward protecting such proprietary information -- especially as it relates to erstwhile employees, says attorney Bradford Newman, chair of the Silicon Valley Employment Law Department and leader of the International Employee Mobility and Trade Secrets practice with the law firm Paul Hastings Janofsky & Walker LLP (New York).

"Most global financial institutions have fairly robust data usage policies. What's different now," Newman says, "is that we're seeing an unheralded number of employees being laid off at one time -- they are transitory. Banks need to recognize that when they have this kind of employee movement, controlling their data is of paramount importance." It's not unheard of for laid-off workers to seek a position with a competitor of their former employer, he notes.

The key is accounting for all the company data that employees possess. Banks must ask themselves who owns the data, Newman advises. "The type of commercially sensitive, nonpublic information employees possess can be so complex," he explains. "There are thumb drives and printouts. It's so easy for people to do this. [This data] can be lying around someone's house innocuously too." After all, data loss isn't always the result of a concerted, malicious effort by a rogue employee.

Information on technology, trademarks, customer lists, finances, strategy, prototypes and M&A plans is all at great risk of falling into the wrong hands. "And look at the TARP banks," Newman comments. "They don't want their identities disclosed. But a departing employee who was laid off may know if their former employer was a TARP bank. This is a highly valuable trade secret."

To prevent such scenarios from coming to pass, banks and other companies have relied on having new employees sign non-compete or nondisclosure agreements upon hire. Newman says these documents really mean nothing. "If you're on your way out and you sign something saying you'll abide by a form you signed two years ago, that doesn't mean anything. You may have six thumb drives with company data sitting at home. If employees aren't asked for this data, they won't say anything."

One way some of the more sophisticated financial institutions get around this, explains Newman, is by making return of the data a condition of receiving one's severance package. Departing employees certify whether they have company data, and if they do they agree to comply with the company's requests to return that data within a certain time frame.

The first step in keeping data where it belongs -- within the confines of the company -- is to find ways to manage it effectively. Newman notes that there are a variety of technologies that can help banks and other firms accomplish this. "One thing to do is to identify your high-risk departures. You image their PCs forensically and create a library of images of their machines," he explains. By referencing such a library, it may be possible for a bank to infer whether a former employee is implementing proprietary initiatives at a competing firm.

Newman also emphasizes the importance of access control on company servers, which enables a bank to ascertain whether people attempting to access data are authorized and doing so in the proper manner.

When it comes to portable storage devices, like thumb drives, rather than prohibiting them outright, task someone from IT to create a library of storage devices and require employees to sign out the cataloged devices, suggests Newman.

Keystroke-capture software, Internet site monitoring and checking phone call logs are other methods that can be used to protect trade secrets and data, but with care. "You have overlapping and conflicting laws here with regard to privacy, employment law and IT storage," Newman relates. "But even the financial institutions doing the layoffs don't want to see news articles discussing the theft of their trade secrets and having their security processes vetted publicly."

Newman believes banks do understand the importance of protecting this information when it is in the hands of employees. Closer inspection, however, often reveals many gaps in the protective umbrella. "Once you make banks understand that non-compete forms are not enough, then they get it. Most banks do have good data security practices. But to recover that data from the thousands of employees across the globe is a new risk," he explains.

In essence, protecting company secrets is a personnel issue, Newman states. "This is the movement of data with employees. Most [human resources] folks don't initially see it that way. Once they do, they team up with the internal IT folks for a solution. But companies first have to ask themselves what their trade secrets are, where the most at-risk secrets lie, and, in connection with the recent layoffs, how they can reduce the risk of disclosure and maximize the chance of recovering the data."
