Are IT Employees Your Weakest Link?

This morning, I read this article about how an IT worker at an investment-management firm tried to frame one of his co-workers:

Back in September 2013, executives at a well-known Coral Gables investment management firm got a shocking e-mail from a tech employee demanding to be promoted.

Jeffrey Bau threatened to leak “sensitive information” that would spur clients to “withdraw” their business from Bayview Asset Management.

But Coral Gables police detectives say Bau never sent the e-mail – in fact, it was a former co-worker scheming to frame Bau.

It’s not clear what motivated the IT worker. But he was sloppy. According to the article, he used his credit card to pay for the VPN connection he used to send the email.

While it sounds like the company’s sensitive information was not actually at risk, this article highlights a major security problem when it comes to protecting proprietary information: your IT employees/consultants.

These employees typically have complete access to your servers, including all proprietary information and trade secrets stored there. Thus, these employees have a unique ability to cause damage.

I litigated a case dealing with this issue. One of my client’s disgruntled IT employees downloaded a huge amount of customer data, including sensitive personal information, to a hard drive. He then threatened to make that info public. Although we were able to obtain an ex parte injunction and recover the hard drive before any damage was done, it was a harrowing experience for the client.

It is critical that your company implements protections to mitigate the risk that these employees will abuse their power to your detriment. For example, all IT employees or consultants should, at a minimum, sign a confidentiality agreement.

The confidentiality agreement you are using for other employees may not work for your IT employees. Consult with a lawyer who can help decide whether the IT employees’ agreements need to be altered in light of the unique access that IT employees have. Consider putting in a liquidated damages provision for unauthorized disclosure of any company information.

By the way, you may have noticed that I haven’t posted in a few weeks. I’ve been dealing with multiple evidentiary hearings, including for an emergency injunction, since I last posted. This hasn’t left me with much time for blogging. Hopefully, I’ll be posting more frequently starting soon.
