Last week, we witnessed, live and in real time – one of the most high-profile lawsuits in recent history, alleging Uber used Google/Waymo’s self-driving car IP to further its own technology development. While the settlement announcement on Friday brought an abrupt halt to the case just four days after the trial began, it has left in its wake many of us asking ourselves, What can our company do to avoid becoming the next Waymo?
Employees taking valuable data with them is certainly not a new phenomenon, but never have we seen such a public example as we did here. Known as leavers and joiners, this is one of the most prevalent areas of risky behavior that we at Dtex are tasked with monitoring and investigating. And before we get distracted by the next big breach or scandal that’s inevitably on the horizon, these are five critical lessons I believe we can learn from the Uber / Waymo story.
Every company is a potential Waymo. There’s an overwhelming amount of evidence out there to support the notion that employees are riskiest when they’re about to exit. One study says that 23% of workers admitted that they would take data from their employer if it would potentially benefit them, and more than half of all companies we engage with have faced potential data theft by a leaver. What amazes me, though, is the number of executives that we speak with who still assert that either their employees are above data exfiltration, or that their company really has no data that would be worth exfiltrating. I think it is fairly safe to say that if you have nothing worth stealing, then you have nothing worth selling (so this feels more like an existential question than a data protection one). The bottom line is that if you have a viable business, then you likely have both valuable data as well as employees who will come and go, and therefore, you have risk.
But, both sides are equally vulnerable. This lawsuit shows that both the company the employee is leaving and the one they’re joining are equally at risk. We often worry about what employees might take with them or what they’re keeping at home but tend to think less about what new hires might be infusing into our existing IP. We’ve seen several cases where an inbound employee has injected inappropriate data, data that they do not own and should have access to – into their new organization, and therefore injected the risk and liability that comes along it. We have also had cases where a company then needs to protect themselves from that liability and has to prove that – despite this data entering the building – it was never touched, there was no benefit gained, or there was no knowledge of it.
It is much more expensive and difficult to recreate the past. What I mean by this is that it’s much more time-consuming and costly to have to sift through log analysis than it is to monitor for risky employee behavior in the first place. The Stolz-Freeburg report reviewed in the Uber / Waymo details the attempt to piece together the whole story after the fact – from investigators chasing down leads on if data was taken or destroyed, the obfuscation of log events and secret applications used to communicate outside of the corporate eye. The effort required to reverse engineer all of it – not to mention the time and money required – must have been massive. Imagine an alternative: you receive alerts that an employee is behaving in a way that signals they may be a retention risk. And then, in near real time, are able to monitor for sensitive information being packaged for exfiltration. Or, knowing that a former employee joined a competitor, being able to retrace their behaviors to assure yourself that sensitive data did not go with them. Having that visibility and the ability to act swiftly could save you millions of dollars after the fact.
Employees believe that they own the data. An interesting aside in the Uber / Waymo case is a former nanny of Anthony Levandowski – the individual being charged with allegedly stealing trade secrets, filing a separate lawsuit that makes public detailed observations and conversations she allegedly documented during her employment. The whole story is fascinating, but this quote allegedly attributed to him serves as the punchline: It’s all mine, the money, the deals, it’s all mine. Levandowski would not be alone in believing that any data he might have taken with him was his. Recent research shows that one third of all employees believe they own, or share ownership of the corporate data they work on, with half thinking they can take the data with them when they leave. (It’s also worth noting that 92% of those same respondents said they would not take corporate data if they knew they were being monitored.)
The reason you fear them is the same reason you hired them. You look for brilliant engineers and creative salespeople, and then all of a sudden, what you value in your employees is exactly what concerns you when they are departing. All of that genius and creativity, when applied to data exfiltration, is how employees find a way to manipulate systems and circumvent policies. In the Uber / Waymo litigation materials, you see the messages exchanged between employees, allegedly discussing about what the corporate policies are and how to get around them. In fact, nearly all — an overwhelming 95% – of companies we work with have incidents of employees bypassing security policies with hacking tools like anonymous web browsers or anonymous VPNs (and more often than not, their circumvention ends up causing even more security problems as they create an opening for malicious actors to snoop into unencrypted company data.)
As the industry moves increasingly toward perimeter-less security, and the lines between corporate and personal data get even more blurred, this case, at the very least, should serve as a cautionary tale. Every company, of any size, across all industries is susceptible to the devastating impact that leavers and joiners can have on your organization. And it’s up to you to keep your valuable data inside your enterprise.