Tesla Suit Highlights Need for Internal Data Controls

Less than a week ago, it felt like (and was!) a big day in the news for e-discovery, as e-discovery sanctions landed on the front page of the New York Times in the case of Fish v. Kobach in the Kansas District Court determining the constitutionality of a restrictive voter registration law.

Well, it turns out that was only the start of what proved to be a very busy week in e-discovery and information governance news. Making the rounds of a variety of news outlets, Tesla sued a former employee, Martin Tripp, for allegedly stealing gigabytes of data. According to the Washington Post, Tripp claims to be a whistleblower speaking out after seeing “some really scary things” inside the company, including the alleged use of punctured batteries in cars. But the suit, filed by Tesla in US District Court (Nev.), alleges that Tripp:

• Admitted to writing software that hacked Tesla’s systems and transferred data, including IP, to outside entities
• Installed the software on other employees’ computers so it would continue to function after his departure
• Acted in retaliation for negative performance reviews and re-assignments
• Made exaggerated and/or false claims about Tesla’s materials, manufacturing process, and use of damaged battery cells

Given the nature of the case, we can certainly anticipate that e-discovery will play a major role in its resolution as legal teams attempt to ascertain Tripp’s true motivations and get to the bottom of issues like the installation of malicious code on other employees’ machines. But given that those matters will unfold over the coming months, what can e-discovery professionals take away at this point in time?

Perhaps the biggest takeaway from this case so far (with strong emphasis on “so far”) is that while we often hear about security breaches, hacks, malware and ransomware, the reality is that internal security threats pose huge risks. (Check out this interesting survey article from Digital Guardian for a sense of what security experts think on this topic.) Internal security risks include rogue actors, as is alleged in the Tesla case, but also poorly conceived or implemented policies and simple human error:

• Accidental or incorrect file attachments
• Lost storage devices (thumb drives)
• Lack of understanding of IT/security requirements
• Inadvertent error
• Lack of controls or policies around employee transitions

Fortunately, there are steps that organizations can take to assess and minimize the risks these threats pose. IT and security training programs and policies can help—as can programs like Employee Change Monitor that automate processes, thereby eliminating the possibility of human error. Integrating information governance and e-discovery solutions with common human resources platforms can allow organizations to mitigate the risks of employee changes—departures, reassignments, and transfers—by automating procedures to secure data that is on legal hold.

And that’s just one possible solution. Learn several more ways you can control the risks associated with employee changes in Exterro’s white paper Don’t Let Data Walk Out the Front Door.