Some say that the insider threat is the most serious threat to a business and without debating whether one threat is worse than another, here is a great example of the insider threat and how not to deal with it.
First, the story. Last month, three executives of the Denver Post resigned and formed an ad agency that would, potentially, compete with the Post. The executives are SVP of advertising Richard Wicoff, senior digital sales strategist David Staley and director of digital advertising operations Nicole Brennan, all pictured below.
If that was the end of the story, it wouldn’t be a story. But it is not the end.
From the Post’s perspective, their company would compete directly with the Post’s Adtaxi with one major distinction. Digible would be able to steer customers away from advertising in the Post if they thought that was best for the customer; it is unlikely that Adtaxi would tell clients that their ad dollars would be better spent at Denver Post competitors.
The group and their company Digible, Inc. is being sued on a variety of grounds and the Post is asking a court for a temporary injunction. Among other things the group is accused of doing is soliciting current clients and employees and downloading hundreds of files.
The Post’s attorneys are claiming theft of trade secrets and confidential information among other claims.
Obviously, for a new company, starting out with a big lawsuit is not great for business.
Regarding the non-solicitation issues, Digible’s attorneys claim that the three never signed a non-solicitation agreement.
Regarding competing, they never signed a non-compete agreement either.
Regarding the theft of trade secrets and other confidential information, Digible’s attorney said that they did not take any trade secrets. It is likely hard to claim that a list of your advertisers is either confidential or a trade secret. All you have to do is find that is to go to the library and read a few week’s worth of newspapers. Likewise a list of their employees could probably be found on LinkedIn or other social media sites.
According to the complaint, both Brennan and Wicoff agreed that any intellectual capital they helped develop while employees was the property of the Post. I am not a lawyer and don’t even pretend to be one on the Internet, but there are significant limits to what you can tell people to erase from their brains. You can stop them from stealing, say, a strategy document that they created while employees, but you cannot ask them to unlearn any that they learned. And, if the Post’s information security practices were as bad as claimed, well that becomes problematic for the Post as well.
However, the Post’s forensics person said that they did take hundreds of pages of documents. The expert did say that he had no idea what, if anything, they did with those documents. Their expert said that the day after Brennan resigned she downloaded hundreds of files into Dropbox and the next day they were not there. Without arguing whether you download files to Dropbox or upload those files (I think it is the second, but whatever), that raises some issues.
Let’s recap where we are so far.
- Due to sloppy, lax or simply bad HR practices, key executives of the company did not sign important legal documents – which the Post, apparently, does not deny. Those documents would be a non-solicitation agreement and a non-compete agreement.
- In the absence of documents like those, there is likely nothing to stop them from soliciting employees or customers (unless there is language in other agreements that they did sign prohibiting that. If that was so, I assume they would have produced those documents at the hearing requesting an injunction, which they apparently, did not).
The employees uploaded a number of files to Dropbox after they resigned. Completely ignoring the contents of those files, the optics of that do not look good for the employees. The employees understood that doing that left digital footprints and tried to erase those footprints using the software CCleaner. The fact that the forensics team was able to determine that they uploaded files indicates that likely, they were using a company Dropbox account and probably on a company computer.
More recap –
- The employees uploaded files to Dropbox after they resigned, likely from a company computer and company Dropbox account. Without telling crooks how to get away with stealing stuff, doing that doesn’t seem very smart. Assuming Flash drives were not blocked on their computers, it is LIKELY that copying those files to a Flash drive would have left fewer footprints and certainly taking those hundreds of files and zipping them into one file and encrypting it and then getting it off their computers using a different tool that had less tracking would have been smarter.
- The trio’s attorney suggested that using CCleaner to wipe their computers would have just been good practice to stop confidential information from leaking and it had nothing to do with them uploading files to Dropbox. Maybe so if they could show that they did this as a matter of practice on, say, a daily basis, but doing it only after they resigned is probably a stretch to defend.
- Letting the employees back into the office or back onto the network after they resigned – that qualifies as really, really, stupid. Especially since the resignations occurred after the group was confronted the day before about starting a competing agency. Short version – you confront someone about starting a competitor, they resign, you continue to let them work there. I do have better words than stupid to describe that action by management, but this is a “G” rated blog.
Digible’s attorney argued that the Post’s oversight of business and other information was “not as strict as necessary”. I am not sure why he brought that up. Showing that the plaintiff is doing at bad job at managing their business is really not much of a defense. It might be embarrassing, but that’s about it. Saying that is a justification for, if, in fact they did, which they deny, stealing trade secrets – well, I don’t think that is going to work.
The Business Journal’s article said that they had been discussing forming a competitor and leaving since February 2016. If that were true and the group was even remotely smart and wanted to steal trade secrets, wouldn’t they have been doing that very slowly, below the radar, over the last 15 months rather than the day after they quit? Maybe it is them who are not so smart.
The Post also claims that they breached their duty of loyalty and contractual confidentiality obligations. The Post claims that they did sign confidentiality agreements, but it may have a challenge on their hands enforcing that if they had, as is claimed, sloppy information security practices – such as not identifying what documents were confidential or trade secret and/or not training employees on how to handle those types of documents.
Last recap –
- Badly managing your digital assets such as lack of policies, lack of policy enforcement and lack of employee policy training could, possibly, weaken the Post’s case.
We should hear about the injunction request soon and if granted, we should see what the next steps are.
All of this looks like a super-sized mess. It appears that Digible did some pretty stupid things and the Post isn’t exactly acting like a model for protecting it’s intellectual assets.
It seems like this would make a great college textbook case study on how not to protect company proprietary information and it could prove useful if companies look at what the Post was doing and made sure that they were not following in the Post’s footsteps.