FCPA Compliance and Ethics Blog

March 26, 2014

Tales From the Crypt-Rule 4: Cover Your Tracks

Tales from the CryptEd. Note-this week on am on a Spring Break college tour with my daughter. The Two Tough Cookies whom are penning the Tales From the Crypt Series have graciously agreed to contribute a week’s worth of workplace Tales from their crypts so help illustrate some key compliance and ethics concepts. Today they look at covering your tracks…

This week’s Tale from the Crypt is a Tale of Two Cities, and the importance of leaving no trace behind of your “extracurricular” activities…. If your office is like ours, there are always “orphaned” documents lying around the community printer…for days!  Sometimes they are even mine!!!  It’s easy to forget, so many interruptions.

That’s what spawned a call about an unusual find on a copier in one of our European offices.  We asked the caller to fax a copy to us and send the original to headquarters here in the States via interoffice mail.  What we received was an invoice from Company A (not a vendor of ours) to Company B (not a customer of ours).  The invoice was for engineering services, indicating the name of one of our engineering staff as the engineer for Company A.  It also appeared from the invoice that the engineering services provided were similar to our employee’s duties.  The customer was in the same industry that we serve, so immediately it became apparent we had a case of an engineering employee providing competitive services to potential customers, a true conflict of interest, in violation of our conflict of interest policy that requires annual disclosure of all non-employment-related commercial relationships.  We checked – the employee had not disclosed any conflicting employment or consulting services to us, and there were no waivers in his employment file.

His forgetfulness at the copier indicated a comfortable and casual nature with respect to doing his own business on company time. It raised our concerns enough to launch a stealth search of his computer, which revealed CAD drawings on his work computer.  In fact, thousands of our CAD drawings, much more than he needed to perform his duties, and enough to slow his work station down, explaining the IT repair ticket he had placed just recently for slow performance issues.  Our preventive and detective controls were not designed to identify these unusually large volumes of engineering drawings on an employee’s work station.  Combined with email, CD burner and memory sticks, unlimited possibilities existed for intellectual property leakage given the control weaknesses we had unearthed.

We also found drawings with his company’s name on them stored on his work computer’s hard drive, but it was unclear whether or not he was using his work-provided laptop and company-provided software to create them, and if he, or someone else, was the actual creator of the drawings. What could have been a long and involved forensic investigation with very technical comparisons of his drawings to our extensive catalog of reference drawings was made simple by another casual misstep he made –  as we started to probe deeper, we noticed that his company logo was an addition, pasted on the document, and that there was evidence that he (or someone else) had used our CAD software to make the drawing.  It was also possible to tell from the customized stamp that the CAD software used that the drawings were unique without reference to existing intellectual property. So while we had no direct evidence of theft of our own drawings, we could not state with certainty that he was the creator, or that the drawings, if created by someone else, were authorized for his use.   In either event, they were on our systems without our knowledge or authorization, so we considered them to be misappropriated IP.

While we believed that our possible exposure was limited given this was an unauthorized act by a rogue employee, this 30 year employee with unblemished service was suddenly at risk for personal use of company resources for his own commercial enterprise.  When confronted, he exposed a heart bitter with perceived injustices leading to an entitlement mentality and confessed to operating a small engineering business on the side for extra money.  Apparently he felt that he was not being compensated appropriately given increasing demands from work, so he felt entitled to help himself to company resources to make up the perceived shortfall in income.  What the employee did was clearly wrong.  But our process of eliminating the threat was painful indeed.  We learned first-hand the difficulties in terminating an employee in the European Union, even with clear evidence and an admission of wrongdoing.  In this case, his tenure worked to protect his pension as well as provide him with a de facto severance which amounted to nearly two years’ pay as “notice” of termination, a result we were not happy with, given that misappropriated IP was at issue.  Our stance had always been not to reward bad conduct with severance, and we pushed the issue with our European counsel, who was sympathetic, but not optimistic of an outcome in our favor. We were forced to plead before the court that his conduct amounted to criminality, which would sever his benefits and pension if he was found guilty (which he eventually was, but of a lesser charge, thus saving his pension, but permitting us to terminate for cause without notice).   For the sake of extra spending money, he lost his job and his reputation, and put his pension at risk.

Needless to say, this presented us with an opportunity to institute controls in our systems that would require employees to check drawings out of the reference files, and return them, with a size limitation of how many proprietary drawings they could have on their work stations at any given time. While not perfect, it helped with performance issues on workstations, as well as created an auditable log of access to proprietary materials. While it was a sad outcome for our European engineer, it did leave us  debating what role companies play in creating an environment for poor ethical choices when they  mandate 24-7 accessibility from their professional staff.

Let’s contrast this with the outcome of another case of misappropriated IP which occurred here in the US.  In this instance, we were called by the General Counsel of our biggest competitor, putting us on notice that there had been a company presentation at a trade conference the week prior, and in the presentation were some our competitor’s copyrighted materials.  We thanked our lucky stars that our competitor’s General Counsel (GC) opted to deal with this via a courtesy call, and promised we would give it our immediate attention.

We looked at travel records to determine who had attended the conference, and noted three engineers in particular who were former employees of the competitor. We had a fairly robust process when we hired from our competition, including an acknowledgment that the new employee would not bring onto our premises any proprietary materials from their former employer.   We checked their files, and all three had signed acknowledgements in their employment records.

Once again, a stealth investigation was undertaken, and we made a ghost copy of all the files on each of the implicated employee’s computers.  We instructed IT to make ghost copies nightly, so we could see if there was any unusual activity, given that we would be interviewing not one, but three potential suspects (talk travels fast).  We also realized early on that we would need IP counsel’s help in reviewing the files to determine what was proprietary to us, and what was sourced from outside the company.  A monumental task lay ahead of us, and we rolled up our sleeves. We started our interviews while the files were being reviewing, asking questions regarding the trade presentation (which had been sent to us by our competitor’s GC with pages circled indicating their proprietary materials), asking the engineers, one by one, who had been responsible for preparing the presentation, and where the materials were sourced from.  We also asked extensive questions as to each engineer’s understanding of Intellectual Property law, namely copyright.   To our surprise, we learned from Engineer X, that if it was published on the internet, it was public domain and free for anyone to use.  Okay, make a note, additional copyright training, and in particular, training on the use of materials sourced from the internet, is definitely a priority….. especially for marketing, sales and engineering staff!

While we did get an admission as to who had prepared the presentation (Engineer X, again), we were told he had “just found” the materials on the shared drive used by engineering.  We asked him to point out to us where he found them on our systems, to which he replied he’d look, but he couldn’t tell us off hand where he got them from.  We told him that we would like to know for certain in the next day or so. The following day our IP counsel informed us that he went to look at Engineer X’s files that had been ghosted, and sure enough, several large files that were on Monday’s ghost image were missing on Tuesday night’s ghost image, and even more were missing from Wednesday’s ghost image, and that all evidence of the presentation he had made had simply vanished during one of the “purges.”  He did verify that the other two engineers’ hard drives were only showing normal file changes from work activities. We advised IP counsel that he could stop examining the reference files for similarities to our competitor’s works, and thanked him for the report.

We called Engineer X back, and started interviewing in earnest.  While we never obtained an open admission of wrongdoing, we did take the opportunity to counsel him in earnest about IP rights, and his ongoing obligation to us to keep our systems clean of any competitor information.  We then verbally warned him against a repeat offense, and made a written note of the verbal warning in his employment file.  We also took that opportunity to issue a company-wide reminder about the use of third party information at work.  Fortunately for us, the GC at our competitor was happy with our actions, and chose not to pursue a more aggressive course of action against us. What surprised me, though, was the executive team’s response to our findings.  Because we could not “pin” this on Engineer X as an intentional act, they were inclined to be lenient with him.  It was only when I revealed that he had begun to systematically purge his work computer as soon as he was alerted to an  investigation that they agreed to the disciplinary action we eventually took.  Was that fair?  I suppose so.  But I think hardly appropriate.  Highly skilled professionals, such as engineers, should, in my opinion, be held to a higher standard of knowledge of intellectual property rights.  It comes with the territory, and companies should take steps to ensure that these professionals understand, from the start, what the expectations are. Maybe even go so far as a quasi “liquidated termination” clause in their employment arrangement should they ignore these rights, particularly in jurisdictions that make termination difficult, such as our friends in Europe. Simply too much is at risk for the employee as well as the company – I realize that European workers’ councils would probably balk at including such a clause in their co-determination agreements, but at least the dialogue should occur, and perhaps a compromise could be struck, that protected the interests of both parties, and gave employees a reason to behave appropriately.  Another opportunity to close a compliance gap pertaining to IP… wouldn’t you agree?

Who are the Two Tough Cookies? 

Tough Cookie 1 has spent the more than half of her 20+ legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies.  Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Our series “Tales from the Crypt: Tough Choices for Tough Cookies” are drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone… 

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: