Protecting Your Digital Assets

(1)

14 / MAY / 2014

Protecting Your Digital Assets

Jeremy Harris, Alison Rea, Peter Dalton

Strategy for dealing with digital asset theft

(2)

How to Handle a Digital Asset Emergency

Digital Asset Emergency

– Talk 1 – How the Law Protects

– Talk 2 – Practical Litigation Response

– Talk 3 – System Integrity/Forensic Response

– Talk 4 – Digital Asset Risk Solutions

(3)

IP and CI increasingly embodied in digital form

Companies have unprecedented amounts of digital assets

Strategic importance

Available to more people/in multiple formats

Technology transformation has led to distribution around the world

Increased vulnerability

(4)

Software powers companies

Data helps them to understand customers/exploit sales opportunities

Digital content allows interaction with the public

Value of digital assets – 1 in 3 global executives believe data alone comprises 10% to 50% of the total assets of their organisation (the Economist Intelligence Unit)

But the value of digital assets is directly linked to the steps taken to protect them

(5)

Many different types of digital asset emergency

Each emergency requires a distinct approach

However, senior business leaders are ill-prepared – only 23% know enough to take the lead in the event of a breach (Economist Intelligence Unit)

Businesses need to be able to:

– react quickly

– investigate

– devise an appropriate strategy

– remediate

(6)

Talk 1 – How the Law Protects

(7)

Digital Assets:

• Software

• Databases

• Background IP

• Digital Media

• Digitised Content

• Copying

(9)

Internal Threats:

• Ex-employee walking off with digital assets e.g. software; valuable data (customer database); confidential trade secret

• Current employee accidentally leaking a digital asset (e.g. posting on their Facebook about confidential company news)

External Threats:

• Attack from an external source which enables a third party to access past your firewall e.g. hacker, bot, malware

(10)

Legal Action & Digital Assets

Causes of action:

(1) Copyright

(2) Sui generis Database right

(3) Breach of Confidence

Digital assets covered: Software; Database; Digital content; Digital media; Background IP

(11)

Copyright, Designs and Patents Act 1988 (CDPA) traditionally used to protect creative works:

original literary, dramatic, musical, artistic works [films, sound recordings, broadcasts]

Software - source code & object code (not functionality)

Databases (s3A(1) CDPA)

Original?

– Previously quite a low threshold in the UK – skill, labour and judgment

– New EU standard – author’s own intellectual creation (Infopaq)

(12)

Infringement – carrying out one of the restricted acts below in relation to a substantial part of the work (judged qualitatively, not quantitatively):

– Copying

– Issuing copies to the public

– Renting or lending the work to the public

– Performing, showing or playing the work in public

– Communicating the work to the public

– Making an adaptation

Not a monopoly right – need to prove digital copying

(13)

(1) Copyright – Summary Table

Advantages:

• Covers a wide variety of work, including Background IP

• Works created by employees during the course of employment – owned by the employer

• Long duration = life of author + 70 years (in most cases)

Disadvantages:

• Need to prove copying – evidence trail is key

• Works created by independent consultants (not employees) are not owned by the commissioner

(14)

(2) Databases – Copyright + sui generis DB right

Copyright and Rights in Databases Regulations 1997 (Database Regulations):

Type of work covered? (both rights)

s3A(1) CDPA – Collection of independent works, data or other material which are:

• Arranged in a systematic or methodical way; and

• Individually accessible by electronic or other means.

Subsistence test

– Database Copyright: Author’s own intellectual creation – cannot take into account any intellectual effort in creating data

– Sui generis DB right: Protects “substantial investment in obtaining, verifying or presenting the contents of the database” (regulation 13 Database Regulations). Cannot take into account investment in creating data

Infringement test

– Database Copyright: Substantial part (judged qualitatively)

– Sui generis DB right:

• Extraction or re-utilisation of all or substantial part (judged qualitatively) of the contents of the database without the owner's permission (regulation 16(1)).

• Repeated and systematic extraction or re-utilisation of insubstantial parts of the contents of the database (regulation 16(1)).

Duration

– Database Copyright: Life of author + 70 years

– Sui generis DB right: 15 years from end of year DB is completed/first made available to public

(15)

• Powerful cause of action – likely to cover most digital assets & Background IP

• No statute – breach of confidence action comes from common law (for the moment anyway – proposed EU directive)

3 Requirements:

• Information must have the necessary quality of confidence

• Imparted in circumstances importing an obligation of confidence

• Unauthorised use or disclosure

(16)

(3) Confidential Information II

Advantages:

• Applies to most commercial information that is not public + Background IP

• Flexible litigation tool – applies to any “unconscionable” misuse

• Covers the new employer of your departing employee

Disadvantages:

• Know-how of ex-employees not covered

• Scope for argument about whether the information is confidential and/or was disclosed in confidential circumstances

• Confidentiality once lost is lost forever – damages claim only.

(17)

Contract Claims – there may also be a breach of contract claim e.g. breach of website terms; breach of consultancy or employment agreement

Defamation – sometimes your digital assets can be misused in a way that is damaging to your reputation e.g. posting documents online in a derogatory manner

Criminal – e.g. Computer Misuse Act 1990:

– s1 – Unauthorised access to a computer (e.g. bypassing password protection)

– s2 – Unauthorised access to commit further offences (e.g. blackmail)

– s3 – Unauthorised acts to impair operation of a computer (e.g. virus, DDoS attacks)

– s3A – Supply of hacking tools

(18)

There is a lot of legal protection available for digital assets:

Subsistence – take time now to consider how your digital assets would be classified in the eyes of the law e.g. mark documents or assets as “confidential” or “protected by copyright”; consider who has the “keys” to confidential information

Infringement – going to have to prove evidence trail

Internal threats – educate your employees about their contractual obligations & working-from-home policies; conduct exit interviews when they leave

External threats – make sure there is a Planned Internal Response

(19)

Final Remedies

Damages OR account of profits

Permanent injunction

Delivery up or destruction of infringing copies or confidential information

(22)

Goals – Forensic investigation / Interim injunctions / Procedures

Identify

• Who?

• What?

• How wide and how

Secure status quo

• Preserve evidence

• Stop interim damage

Resolve

• Compensation

• Prevent long term damage

• Pursue claim

(23)

Identify

Engaging IT and key stakeholders

Search approach

Internal investigation? Or independent 3rd party experts?

Litigation hold

(24)

Identify

• Do nothing?

– Is prevention of future incidents the most cost effective solution?

• Pre-action correspondence?

– Request undertakings

– Request disclosure of materials

– Notify of intention to issue claim

• Interim injunctions?

– Without notice if legitimate concerns as to respondent’s actions.

– On notice if respondent has ignored pre-action correspondence.

(25)

Identify

Options (Option / What it achieves / When to use / What do you need? / Practical example):

Norwich Pharmacal Order (Injunction)

– What it achieves: Compels a third party to disclose documents and information

– When to use: Pre Action – to identify wrongdoer; to identify full extent/nature of wrongdoing; to obtain source of information

– What do you need? A third party who is involved in the wrongdoing; no other procedures can assist

– Practical example: Identification of parties from IP addresses / email addresses behind: copycat websites; file sharing; anonymous posting etc.

Pre-Action Disclosure (Procedure)

– What it achieves: Disclosure of particular document(s)

– When to use: Pre Action – to determine whether proceedings necessary; to properly plead case

– What do you need? Identifiable documents and defendant; minimal risk defendant will destroy documents

– Practical example: Disclosure of source code to enable expert review

Non-party Disclosure (Procedure)

– What it achieves: Compels a third party to disclose documents

– When to use: After proceedings issued – to obtain documents from a third party

– What do you need? Identifiable documents which are likely to support / adversely

– Practical example: Disclosure of documents indicating sales

(26)

Secure status quo

Options (Option / What it achieves / When to use / What do you need? / Practical example):

Search and Seizure Order

– What it achieves: Gain entry to respondent’s premises to search for, copy, remove and detain materials

– When to use: Pre action – to preserve evidence where there is a real possibility that respondent will destroy it

– What do you need? Identifiable materials; extremely strong prima facie case; very serious damage

– Practical example: To remove computer hardware where respondent has deleted evidence in the past.

Freezing Injunction

– What it achieves: Prevents respondent dealing with asset (and third parties allowing such dealing)

– When to use: Pre action or soon after issue – to prevent destruction or sale of assets

– What do you need? Identifiable asset; good arguable case; risk of dissipation

– Practical example: Freezing an email account and serving order on email account provider to prevent respondent amending contents.

Springboard Injunction

– What it achieves: Prevents a ‘head start’ where confidential information has already been misused

– When to use: Pre action or soon after issue. Often where an ex-employee has taken a trade secret – e.g. customer list, product information, code samples.

– What do you need? Evidence of unlawful activity and ongoing unfair competitive advantage.

– Practical example: To prevent former employee dealing with ex-customers on a stolen customer list for a set time.

Prohibitory / mandatory injunction

– What it achieves: Prohibits / requires the respondent to do something.

– When to use: Pre action, soon after issue, at trial (final injunction)

– What do you need? A risk of loss not remediable by damages.

– Practical example: Prevent disclosure or use of confidential information; require consent to disclosure of emails by

(27)

Identify / Secure status quo

• Do you need one?

– Who has the asset in question?

– Do you know what they have done with it / threaten to do with it?

– Is there a risk of deletion / dissipation?

– Is there an ongoing risk?

– Is it worth upfront cost and cross-undertaking in damages?

– How sure are you of success? Failure can be hugely damaging

• Who are you serving?

• Options are not mutually exclusive

(28)

Example:

Identify

• Forensic investigation / Norwich Pharmacal to identify operator

Secure status quo

• Freezing Injunction on account – serve on ISP

• Search and seizure – to secure other computer records

• Prohibitory / Springboard injunction – to prevent publication/misuse of confidential information

Identify

• Pre Action Disclosure: to compel individual to consent to the disclosure of emails by account provider

Resolve

• Issue proceedings using information obtained to properly plead case. Seek damages and final injunctions.

(29)

Resolve

• Statements of Case

• Disclosure (e-disclosure)

• Witness statements (IT department?)

• Expert evidence (forensic / IT)

• Trial

(30)

Within the first 24 hours:

• Work with legal, IT and key decision-makers in the company:

– Identify the leak

– Plug the gaps

Within the first 1-6 weeks:

• Initial forensic investigation – Internal or external investigator? Beware of destroying the evidence trail.

• Emergency legal measures i.e. interim injunctions

6 weeks onwards:

• Issue claim

• Forensic investigations / Further applications to support litigation process

Take home message: rapid response

(31)

Our people

Jeremy Harris Partner

IP & Litigation Department

+44 (0) 20 7710 1658

jeremy.harris@kemplittle.com

Alison Rea Solicitor

IP & Litigation Department

+44 (0) 20 7710 1614

alison.rea@kemplittle.com

Peter Dalton Solicitor

IP & Litigation Department

+44 (0) 20 7710 1658

(33)

• Call in Incident Response Team

• Begin to determine type of breach:

– External hacker

– Deliberate insider action

– Inadvertent insider leak

– Leak via advisor/third party

• Be aware that the hacker could still be ‘in’ the system

• Will investigation be discreet or transparent?

(34)

• Contain damage and protect evidence

• Take affected hardware offline where possible

• Log analysis and event correlation. Which logs are available for analysis?

– System audit log files

– Firewall logs

– Intrusion Detection System/Intrusion Prevention System

– Antivirus

• Protect other data, starting with the most valuable

(35)

• Full compromise assessment (1-4 weeks)

– Network based - Monitor all gateway traffic to detect abnormal data

– Host based - Collect data from laptops/workstations on the network

• Malware analysis

– Reverse engineer any discovered malware

– Build picture of attack origin and intentions of attacker

• Implement a permanent fix

(36)

• Identify who had access to the data

• Further restrict access to sensitive data

• What levels of user auditing/logging are in place? Is there a DLP system in place?

• Forensic imaging of all computers/mobile devices that had access to the data

• Data review:

– Analysis of emails

– Analysis of corporate landline and mobile records

• Interview people who had access to the data if appropriate

(37)

• Audit and monitor your organisation’s digital footprint

– Social media conversation on company and key people

– Pinpoint employees attractive to attackers

– Be on alert around negative media coverage

– Know which corporate email addresses are in the public domain

– Deep and dark web. Frequented by cyber criminals

– Domain information and other technical information

– Reduce attack surface as much as possible

(38)

• Conduct regular penetration testing and gap analysis

• Have an incident response team ready to react quickly to potential breach

• User awareness training sessions. Educate workforce about latest threats

• Ensure policies and procedures are in place and up to date.

• Consider Data Loss Prevention (DLP) systems, Intrusion Detection/Prevention systems (IDS/IPS)

(39)

• Reduce attack surface - Proactively monitor your digital footprint

• Educate workforce on latest threats and dangers of social media

• Ensure all systems are logging events in as much detail as possible

• Have an Incident Response Team in place

(40)

14 MAY 2014

Management and technology solutions

Protecting your digital data – KLC Input

Chris Wray

(41)

The need to protect different layers of digital data

Understanding how your data security layer maps against your data architecture and infrastructure is key to success

(42)

Identify what to protect using a logical data model

Data model layers: Business Information Model; Logical Data Model; Integration Specific Data Model; Application Specific Data Model; Data Warehouse Specific Data Model; Database Specific Data Model

Process layers: End to End Scenarios; End to End Processes & Activities; Integration Processes

Architecture layers: Computer Independent Model; Platform Independent Model; Platform Specific Model; IT Systems & Components

Deployment: Private Cloud; Hybrid Cloud; Public Cloud; On Premise

(43)

Clear adoption of data security standards to be used across the organisation and with 3rd parties

Adoption of online password managers – single sign-on strategy

Secure solutions to cover multiple logons as SaaS cloud applications increase

Two stage authentication for securing critical data

eDiscovery tools to monitor restricted email / data exchange

Crowd source testing of web applications

Ethical hacking initiatives

(44)

Continuous monitoring of your platform infrastructure, applications and connections

Software solutions that classify data as confidential and monitor / flag access to its use through learning algorithms

Digital asset management software to ring-fence and provide a focus on high value digital assets

Use of cross-platform security solutions for on-site, private and public cloud

Cyber risk insurance

(45)

A single technology solution / approach across the business is unlikely to be feasible

The challenge is too great to believe protection is enough – monitor and respond

Your response should be risk focused and reflect the capability of your organisation to deploy

Best practice advocates “Context specific security technologies”

(46)

Contact Details

Chris Wray

Kemp Little Consulting Partner

020 7710 1629
