14 / MAY / 2014
Protecting Your Digital Assets
JEREMY HARRIS, ALISON REA, PETER DALTON
Strategy for dealing with digital asset theft
How to Handle a Digital Asset Emergency
Digital Asset Emergency
Talk 1 – How the Law Protects
Talk 2 – Practical Litigation Response
Talk 3 – System Integrity/Forensic Response
Talk 4 – Digital Asset Risk Solutions
IP and CI increasingly embodied in digital form
Companies have unprecedented amounts of digital assets
Strategic importance
Available to more people/in multiple formats
Technology transformation has led to distribution around the world
Increased vulnerability
Software powers companies
Data helps them to understand customers/exploit sales opportunities
Digital content allows interaction with the public
Value of digital assets – 1 in 3 global executives believe data alone comprises
10% to 50% of the total assets of their organisation (the Economist Intelligence
Unit)
But the value of digital assets is directly linked to the steps taken to protect
them
Many different types of digital asset emergency
Each emergency requires a distinct approach
However, senior business leaders are ill-prepared – only 23% know enough to
take the lead in the event of a breach (Economist Intelligence Unit)
Businesses need to be able to:
– react quickly
– investigate
– devise an appropriate strategy
– remediate
Talk 1 – How the Law Protects
[Diagram: Digital Assets – Software; Databases; Background IP; Digital Media; Digitised Content; Copying]
Internal Threats:
– Ex-employee walking off with digital assets e.g. software; valuable data (customer database); confidential trade secret
– Current employee accidentally leaking digital asset (e.g. posting on their Facebook about confidential company news)
External Threats:
– Attack from external source which enables a third party to access past your firewall e.g. hacker, bot, malware
Legal Action & Digital Assets
[Diagram: Software, Database, Digital content, Digital media and Background IP, protected by (1) Copyright; (2) Sui generis database right; (3) Breach of Confidence]
Copyright, Designs and Patents Act 1988 (CDPA) traditionally used to protect creative works:
original literary, dramatic, musical, artistic works [films, sound recordings, broadcasts]
• Software - source code & object code (not functionality)
• Databases (s3A(1) CDPA)
Original?
– Previously quite a low threshold in the UK – skill, labour and judgment
– New EU standard – author’s own intellectual creation (Infopaq)
Infringement – carrying out one of the restricted acts below in relation to a substantial
part of the work (judged qualitatively, not quantitatively):
– Copying
– Issuing copies to the public
– Renting or lending the work to the public
– Performing, showing or playing the work in public
– Communicating the work to the public
– Making an adaptation
Not a monopoly right – need to prove digital copying
(1) Copyright – Summary Table
Advantages:
– Covers a wide variety of work, including Background IP
– Works created by employees during the course of employment - owned by the employer
– Long duration = life of author + 70 years (in most cases)
Disadvantages:
– Need to prove copying – evidence trail is key
– Works created by independent consultants (not employees) are not owned by commissioner
(2) Databases – Copyright + sui generis DB right
Copyright and Rights in Databases Regulations 1997 (Database Regulations):
Type of work covered?
– s3A(1) CDPA - Collection of independent works, data or other material which are:
  • Arranged in a systematic or methodical way; and
  • Individually accessible by electronic or other means.
Subsistence test
– Database copyright: Author’s own intellectual creation – cannot take into account any intellectual effort in creating data
– Sui generis DB right: Protects “substantial investment in obtaining, verifying or presenting the contents of the database” (regulation 13 Database Regulations). Cannot take into account investment in creating data
Infringement test
– Database copyright: Substantial part (judged qualitatively)
– Sui generis DB right:
  • Extraction or re-utilisation of all or substantial part (judged qualitatively) of the contents of the database without the owner's permission (regulation 16(1)).
  • Repeated and systematic extraction or re-utilisation of insubstantial parts of the contents of the database (regulation 16(1)).
Duration
– Database copyright: Life of author + 70 years
– Sui generis DB right: 15 years from end of year DB is completed/first made available to public
Powerful cause of action – likely to cover most digital assets & Background IP
No statute – breach of confidence action comes from common law (for the moment
anyway – proposed EU directive)
3 Requirements:
Information must have the necessary quality of confidence
Imparted in circumstances importing an obligation of confidence
Unauthorised use or disclosure
(3) Confidential Information II
Advantages:
– Applies to most commercial information that is not public + Background IP
– Flexible litigation tool – applies to any “unconscionable” misuse
– Covers the new employer of your departing employee
Disadvantages:
– Know-how of ex-employees not covered
– Scope for argument about whether the information is confidential and/or was disclosed in confidential circumstances
– Confidentiality once lost is lost forever – damages claim only.
Contract Claims – there may also be a breach of contract claim e.g. breach of website terms; breach of consultancy or employment agreement
Defamation – sometimes your digital assets can be misused in a way that is damaging
to your reputation e.g. posting documents online in a derogatory manner
Criminal – e.g. Computer Misuse Act 1990:
– s1 – Unauthorised access to a computer (e.g. bypassing password protection)
– s2 – Unauthorised access to commit further offences (e.g. blackmail)
– s3 – Unauthorised acts to impair operation of a computer (e.g. virus, DDoS attacks)
– s3A – Supply of hacking tools
There is a lot of legal protection available for digital assets:
Subsistence - take time now to consider how your digital assets would be classified in
the eyes of the law e.g. mark documents or assets as “confidential” or “protected by copyright”; consider who has the “keys” to confidential information
Infringement – going to have to prove evidence trail
Internal threats – educate your employees about their contractual obligations &
working-from-home policies; conduct exit interviews when they leave
External threats – make sure there is a Planned Internal Response
Damages OR account of profits
Permanent injunction
Delivery up or destruction of infringing copies or confidential information
Final Remedies
Goals
– Identify (Forensic investigation): Who? What? How wide and how
– Secure status quo (Interim injunctions / Procedures): Preserve evidence; Stop interim damage
– Resolve (Pursue claim): Compensation; Prevent long term damage
Engaging IT and key stakeholders
Search approach
Internal investigation? Or independent 3rd party experts?
Litigation hold
Identify
Do nothing?
- Is prevention of future incidents the most cost effective solution?
Pre-action correspondence?
- Request undertakings
- Request disclosure of materials
- Notify of intention to issue claim
Interim injunctions?
- Without notice if legitimate concerns as to respondent's actions.
- On notice if respondent has ignored pre-action correspondence.
Identify
Option: Norwich Pharmacal Order (Injunction)
– What it achieves: Compels a third party to disclose documents and information
– When to use: Pre Action. To identify wrong doer. To identify full extent/nature of wrongdoing. To obtain source of information
– What do you need? A third party who is involved in the wrongdoing. No other procedures can assist
– Practical example: Identification of parties from IP addresses / email addresses behind: copycat websites; file sharing; anonymous posting etc.
Option: Pre-Action Disclosure (Procedure)
– What it achieves: Disclosure of particular document(s)
– When to use: Pre Action. To determine whether proceedings necessary. To properly plead case.
– What do you need? Identifiable documents and defendant. Minimal risk defendant will destroy documents.
– Practical example: Disclosure of source code to enable expert review
Option: Non-party Disclosure (procedure)
– What it achieves: Compels a third party to disclose documents
– When to use: After proceedings issued. To obtain documents from a third party
– What do you need? Identifiable documents which are likely to support / adversely
– Practical example: Disclosure of documents indicating sales
Identify
Option: Search and Seizure Order
– What it achieves: Gain entry to respondent’s premises to search for, copy, remove and detain materials
– When to use: Pre action. To preserve evidence where there is a real possibility that respondent will destroy it
– What do you need? Identifiable materials. Extremely strong prima facie case. Very serious damage
– Practical example: To remove computer hardware where respondent has deleted evidence in the past.
Option: Freezing Injunction
– What it achieves: Prevents respondent dealing with asset (and third parties allowing such dealing)
– When to use: Pre action or soon after issue. To prevent destruction or sale of assets
– What do you need? Identifiable asset. Good arguable case. Risk of dissipation
– Practical example: Freezing an email account and serving order on email account provider to prevent respondent amending contents.
Option: Springboard Injunction
– What it achieves: Prevents a ‘head start’ where confidential information has already been misused
– When to use: Pre action or soon after issue. Often where an ex-employee has taken a trade secret – e.g. customer list, product information, code samples.
– What do you need? Evidence of unlawful activity and ongoing unfair competitive advantage.
– Practical example: To prevent former employee dealing with ex-customers on a stolen customer list for a set time.
Option: Prohibitory / mandatory injunction
– What it achieves: Prohibits / requires the respondent to do something.
– When to use: Pre action, soon after issue, at trial (final injunction)
– What do you need? A risk of loss not remediable by damages.
– Practical example: Prevent disclosure or use of confidential information. Require consent to disclosure of emails by
Secure status quo
Do you need one?
– Who has the asset in question?
– Do you know what they have done with it / threaten to do with it?
– Is there a risk of deletion / dissipation?
– Is there an ongoing risk?
– Is it worth upfront cost and cross-undertaking in damages?
– How sure are you of success? Failure can be hugely damaging
Who are you serving?
Options are not mutually exclusive
Identify / Secure status quo
Identify
• Forensic investigation/Norwich Pharmacal to identify operator
Secure status quo
• Freezing Injunction on account – serve on ISP
• Search and seizure – to secure other computer records
• Prohibitory / Springboard injunction – to prevent publication/misuse of confidential information
Identify
• Pre Action Disclosure: to compel individual to consent to the disclosure of emails by account provider
Resolve
• Issue proceedings using information obtained to properly plead case. Seek damages and final injunctions.
Example:
Statements of Case
Disclosure (e-disclosure)
Witness statements (IT department?)
Expert evidence (forensic / IT)
Trial
Resolve
Within the first 24 hours
Work with legal, IT and key decision-makers in the company:
– Identify the leak
– Plug the gaps
Within the first 1-6 weeks:
Initial forensic investigation – Internal or external investigator? Beware of destroying evidence trail.
Emergency legal measures i.e. interim injunctions
6 weeks onwards:
Issue claim
Forensic investigations / Further applications to support litigation process
Take home message: rapid response
Our people
Jeremy Harris Partner
IP & Litigation Department
+44 (0) 20 7710 1658
jeremy.harris@kemplittle.com
Alison Rea Solicitor
IP & Litigation Department
+44 (0) 20 7710 1614
alison.rea@kemplittle.com
Peter Dalton Solicitor
IP & Litigation Department
+44 (0) 20 7710 1658
• Call in Incident Response Team
• Begin to determine type of breach:
– External hacker
– Deliberate insider action
– Inadvertent insider leak
– Leak via advisor/third party
• Be aware that the hacker could still be ‘in’ the system
• Will investigation be discreet or transparent?
• Contain damage and protect evidence
• Take affected hardware offline where possible
• Log analysis and event correlation. Which logs are available for analysis?
– System audit log files
– Firewall logs
– Intrusion Detection System/Intrusion Prevention System
– Antivirus
• Protect other data, starting with the most valuable
• Full compromise assessment (1-4 weeks)
– Network based - Monitor all gateway traffic to detect abnormal data
– Host based - Collect data from laptops/workstations on the network
• Malware analysis
– Reverse engineer any discovered malware
– Build picture of attack origin and intentions of attacker
• Implement a permanent fix
• Identify who had access to the data
• Further restrict access to sensitive data
• What levels of user auditing/logging are in place? Is there a DLP system in
place?
• Forensic imaging of all computers/mobile devices that had access to the data
• Data review:
– Analysis of emails
– Analysis of corporate landline and mobile records
• Interview people who had access to the data if appropriate
• Audit and monitor your organisation’s digital footprint
– Social media conversation on company and key people
– Pinpoint employees attractive to attackers
– Be on alert around negative media coverage
– Know which corporate email addresses are in the public domain
– Deep and dark web. Frequented by cyber criminals
– Domain information and other technical information
– Reduce attack surface as much as possible
• Conduct regular penetration testing and gap analysis
• Have an incident response team ready to react quickly to potential breach
• User awareness training sessions. Educate workforce about latest threats
• Ensure policies and procedures are in place and up to date.
• Consider Data Loss Prevention (DLP) systems, Intrusion
Detection/Prevention systems (IDS/IPS)
• Reduce attack surface - Proactively monitor your digital footprint
• Educate workforce on latest threats and dangers of social media
• Ensure all systems are logging events in as much detail as possible
• Have an Incident Response Team in place
14 MAY 2014
Management and technology solutions
Protecting your digital data – KLC Input
CHRIS WRAY
The need to protect different layers of digital data
Understanding how your data security layer maps against your data
architecture and infrastructure is key to success
Identify what to protect using a logical data model
[Diagram: Business Information Model; Logical Data Model; Integration Specific Data Model; Application Specific Data Model; Data Warehouse Specific Data Model; Database Specific Data Model; End to End Scenarios; End to End Processes & Activities; Integration Processes; Computer Independent Model; Platform Independent Model; Platform Specific Model; IT Systems & Components; Private Cloud; Hybrid Cloud; Public Cloud; On Premise]
Clear adoption of data security standards to be used across the organisation and
with 3rd parties
Adoption of online password managers – single sign-on strategy
Secure solutions to cover multiple logons as SaaS cloud applications increase
Two stage authentication for securing critical data
eDiscovery tools to monitor restricted email / data exchange
Crowd source testing of web applications
Ethical hacking initiatives
Continuous monitoring of your platform infrastructure, applications and
connections
Software solutions that classify data as confidential and monitor / flag access to
its use through learning algorithms
Digital asset management software to ring-fence and provide a focus on high
value digital assets
Use of cross-platform security solutions for on-site, private and public cloud
Cyber risk insurance
A single technology solution / approach across the business is unlikely to be
feasible
The challenge is too great to believe protection is enough – monitor and respond
Your response should be risk focused and reflect the capability of your
organisation to deploy
Best practice advocates “Context specific security technologies”
Contact Details
Chris Wray
Kemp Little Consulting Partner
020 7710 1629