Companies and other organizations increasingly must face serious and complex threats to their business and infrastructure. Whether the threat is trade secret theft, rogue insiders, cybercrime adversaries, aggressive competitors, or misconduct by business and supply chain partners, companies should remain constantly vigilant and ready to defend themselves. Adversaries, especially cybercriminals operating exclusively in the digital domain, are often highly motivated, sophisticated, well resourced, and innovative. The opaque, pervasive, and global nature of modern networked environments presents opportunities for criminals. The sophistication and relentless creativity of these bad actors pose significant challenges to companies and law enforcement agencies seeking to detect, assess, mitigate, attribute, and deter these threats. Because the available tools and real-world practices for addressing these threats often outpace the law, companies are called upon to develop their own comprehensive approaches to investigating and remediating these forms of risk. In doing so, companies must be willing to assume a certain level of risk in order to investigate effectively and obtain sufficient insight to counter the problems.

This post provides guiding principles for in-house legal, intellectual property, asset protection, and security teams during the development of robust investigations capabilities and execution of digital investigations. These principles are intended to bolster a company’s ability to deploy technical solutions—either internally or with assistance from external partners—to protect networks, assets, people, and intellectual property, including trade secrets. Keeping these principles in mind will allow companies to gain deeper insight about adversaries, follow stolen data, obtain visibility into attacker infrastructure, and more closely monitor and respond to attacker activity.

  1. Law Enforcement: Companies often contact law enforcement to assist in investigating digital crimes. It is advisable to forge relationships and contacts with the most relevant agencies before problems arise, rather than waiting until the company is in the midst of an emergency digital crime event. Law enforcement agencies are a good resource because they have established authority and, to a degree, more effective tools to identify attackers and mitigate theft. But law enforcement may be slow to respond, may lack specific motivation to redress certain categories of digital crimes, and, as a state actor, may be subject to limitations that do not apply to private actors. In addition, companies that involve law enforcement risk losing control of any internal investigation and/or civil litigation strategy and, as a result, compromising the goals of immediate risk mitigation through more focused investigation and technical disruption. Companies may also forfeit the recovery of substantial damages in civil litigation by handing the investigation over to law enforcement agencies.
  2. Express Consent: One of the most critical concepts for risk management in complex digital threat investigations is consent. Targeted companies and/or their technical infrastructure may need to interact with various stakeholders for information sharing in order to identify an attacker. However, information sharing in the digital domain may be difficult under various laws—including the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), the Electronic Communications Privacy Act (ECPA), and the Computer Fraud and Abuse Act (CFAA)—without some form of agreement providing for information sharing. Thus, it is imperative to consider the nature and scope of consent or “no expectation of privacy” provisions in documents such as company policies, employment agreements, and vendor and business partner contracts.
  3. Implied Consent: The same concepts of consent may be applied directly to interactions between victim companies and attackers in order to enable more robust investigation of the attackers and their malicious technical infrastructure. But of course, attackers rarely, if ever, sign contracts that would include express consent provisions. Therefore, companies should consider implementing technical measures to gain at least implied consent from these malicious actors. Companies can obtain that consent by placing notices within network gateways, file systems, login banners, or other software registries. These notices should clearly state that, should the attacker access a company’s systems without authorization, the attacker consents or acquiesces to the company’s ability to collect information from the attacker, including the right to track outgoing information, access the attacker’s computers to investigate the digital crime, or take even more robust countermeasures.
  4. Audit Rights: Companies should consider including audit rights in contracts with customers, employees, and infrastructure vendors. These rights are effectively a form of “self-help” and can be deployed strategically to gain access to third-party information in order to protect a victim company’s rights. For example, software developers can exercise audit rights to monitor whether a customer is complying with the terms of a software license and can then determine what steps, if any, are needed to ensure compliance and recover lost profits.