Paper-based Data Leakage Still a Concern

There is an intriguing article in the Saturday Washington Post about the lawsuit involving Hilton Hotels and Starwood Hotels regarding boutique hotel branding. In a suit filed in federal court in New York on April 16th, Starwood’s suit alleges that Hilton stole more than 100,000 electronic and hard copy files containing trade secrets to help it expand its luxury hotel offerings. “The large volume of confidential information taken is extraordinary,” the filing says.

This past week, as it was moving from Beverley Hills to Tyson’s Corner, Hilton Hotels decided to send boxes and boxes of Starwood documents back to the company “in an abundance of caution.” Lawyers from Hilton wrote a letter saying they found the material in the homes and offices of prominent employees recruited from Starwood. The sheer volume of paper recovered is an interesting observation in light of the availability of jump drives and CD burners.  While we spend a lot time worrying electronic files and removable media, paper is still one of the easiest ways to remove confidential information from an organization.

Some things to consider when you are writing or auditing information security policies  regarding employee access and Intellectual Property (IP).

  • Are employees required to sign a Non Disclosure Agreement (NDA) prohibiting them from passing on company IP either during or after employment?
  • Does your organization have a clean desk policy? That means employees are required to remove files and paperwork from their desk, and secure items before they leave for the night.
  • Do your awareness programs discuss leaving sensitive material in cubes and on desktops? How many employee telephone directories have been stolen from the receptionist by social engineering tactics?
  • Are employees required to shred company documents and dispose of them in locked recycled bins?
  • Does your organization discourage employees printing documents through copy machine charges and ‘green initiatives’?
  • Create an audit trail which tracks and documents access to and movement of confidential data and critical IP so that any possible leaks can be investigated. Pay careful attention to this audit trail once an employee indicates that they may be leaving the company. Reduce that employee’s access to sensitive data as well as review his or her activities during the period before the departure.

Paper-based data leakage is still a big concern for companies and making sure that your organization addressing paper documents will help protect your organization’s  vital assets.