When it comes to legal recourse for security breaches, many Canadians aren’t confident in the legislation out there to effectively prosecute offenders — and for good reason — Canada’s laws on corporate espionage lack the legal might of our neighbours to the south.
Seventy per cent of data stolen is through corrupt employees, according to Phonebusters, a joint effort between the Royal Canadian Mounted Police and the Ontario Provincial Police.
“Your biggest risk is a corrupt employee,” said OPP detective staff sergeant Barry Elliott. “It’s hard to monitor that situation.”
Despite numbers like this, nearly half of Canadians polled in a recent survey don’t think their organization would be willing to take legal action to protect their information assets from being used by former employees. An Ipsos-Reid study commissioned by technology consulting firm EDS Canada surveyed 700 working Canadians from January 12 to 16. The results of the study were released this week.
The legal ramifications in Canada for such crimes are a slap on the wrist compared to our U.S. counterparts. When EDS Canada legal chief Richard Austin started practicing law over 20 years ago, he was involved in a research project for a joint federal-provincial effort on trade secrets. The group recommended a civil statute dealing specifically with the misappropriation of trade secrets.
“The sense was that it was necessary to clarify some of the assets in the law in Canada,” said Austin.
That statute, however, never became law. In the U.S., there is civil and criminal legislation that pertains to the theft of trade secrets.
Forensic intelligence specialist Robert Ing said many companies choose not to prosecute offending employees criminally because of the unwanted negative press.
“Even the whiff of a breach could drive your share price down,” said Ing. “Even if you say you have this corporate espionage policy, you could raise red flags among investors. As a result it’s something that’s handled with kid gloves.”
High profile corporate espionage cases like the Westjet/Åir Canada scandal in which Air Canada sued Westjet, alleging corporate spying, have brought attention to the issue. But one-third of survey respondents said they don’t feel their organization has established policies and guidelines that limit how employees use information assets during and after their employment.
“Information is the currency of commerce today,” said Austin. “Companies need to take steps to protect that information.”
To do that, enterprises need to adopt a holistic approach that combines good technology and best practices, said Entrust vice-president of content analysis Sue Abu-Hakima.
“Although a lot of organizations may have an e-mail policy, they don’t necessarily address it with respect to what employees are doing,” said Abu-Hakima. “We’re seeing much more of a push to that now with an emphasis on information asset leakage.”
Abu-Hakima added some organizations use real time monitoring tools to keep tabs on what information is leaving a company while others archive data.
Likewise, detective Elliott said companies need to monitor themselves at all times and ensure that they have a good identity theft plan in place — something many companies don’t have. This leaves them reacting to these situations rather than taking proactive steps to prevent them from happening in the first place.
“The companies will act tactically,” said Austin. “They’ll see a specific issue and they’ll respond to that immediate issue but they won’t take a strategic approach to protecting their assets which involves looking at it from the first day an employee walks in the door until the day they leave.”
Other technology tools used to combat corporate espionage include biometrics and software that monitors passwords. Beyond that, companies need to incorporate rules such as a code of conduct and ensure that employees are kept up to date and understand them.
“It’s not enough to just have these policies,” said Austin. “It’s fundamental to make sure that the employees know about the policies and that they are reminded of them on a periodic basis.”
Survey results indicate companies are lacking in this area as well. About half of respondents said their organization does not regularly review information asset guidelines with employees.