chevron-down Created with Sketch Beta.

ARTICLE

How Can Digital Forensics Prevent the Misappropriation of Trade Secret and Confidential Information?

Maria Kreiter, Erin M Cook, and Rebeca Lopez

Summary

  • With virtual workforce mobility rapidly moving from the exception to the norm, companies must be extra vigilant of their employees’ activities and be ready to immediately act if there is any suspicion of trade secret theft.
  • The time period immediately following a key employee’s departure is critical to identifying, preserving, collecting, and investigating trade secret and confidential information theft so that the employer can discover and present what may be incriminating, dispositive evidence.
  • The means of misappropriating competitive intelligence is limited only by the creativity of a dishonest employee.
  • Evidence of misappropriation, even if circumstantial, can very quickly destroy a departing employee’s credibility or at least plant a seed of doubt.
  • By acting swiftly to uncover potential theft, employers increase the chances of recovering stolen information, preventing further misappropriation, and deterring others by developing a reputation of enforcing restrictive covenant agreements.
How Can Digital Forensics Prevent the Misappropriation of Trade Secret and Confidential Information?
urbazon via Getty Images

Digital forensics can be a game changer. It can mean the difference between winning and losing a trade secret case. In today’s environment, confidential information and trade secret theft is often an inside job. Technological advances and the pandemic-induced remote-work environment have made it easier for departing employees to take a company’s valuable proprietary business information to a competitor. Despite these facts, many companies fail to ask departing employees whether they have taken any trade secret or confidential business information with them. Even more companies fail to conduct a forensic investigation to be sure their competitive intelligence is safe and secure. With virtual workforce mobility rapidly moving from the exception to the norm, companies must be extra vigilant of their employees’ activities and be ready to immediately act if there is any suspicion of trade secret theft.

When Employee Data Theft Is Suspected, Act Quickly, Consistently, and Decisively

The time period immediately following a key employee’s departure is critical to identifying, preserving, collecting, and investigating trade secret and confidential information theft so that the employer can discover and present what may be incriminating, dispositive evidence. In general, the employer should take following steps:

  1. Identify. When misappropriation is suspected, the first step is to identify what evidence may be available. Digital evidence can be pulled from most devices. An initial scoping call between company representatives and outside counsel, with knowledge and experience in collecting data from electronic devices, can help a company identify which information and data sources need to be preserved.
  2. Preserve. Once information and data sources are identified, a litigation hold should be implemented. If a company device is not preserved and instead is reimaged or reallocated to another employee, important information revealing the former employee’s actions may be overwritten.
  3. Collect. The collection of evidence can be done in myriad ways. Companies with larger information technology teams might have enough resources to execute a portion, or even all, of the collection efforts in house. Some companies are capable of conducting targeted email collections, collecting personal and shared server space, imaging computers and phones, and collecting data from proprietary customer relationship management systems. Another option is to engage a forensic expert to conduct some or all of the collection. No matter how collection efforts are conducted, it is important to maintain a chain of custody for all devices and to clearly document the data collection methodology for each device and source.

What Evidence Should the Employer Look For?

The means of misappropriating competitive intelligence is limited only by the creativity of a dishonest employee. There are, however, some more common means of misappropriation that an employer should look for when concerned about possible theft. Examples are as follows:

Emails Transmitting Competitive Intelligence to a Personal Email Account

While not the most sophisticated means of misappropriation, departing employees sometimes send information they believe will be useful in future employment to a personal email account. As a rule of thumb, employees tend to take such information within six months of resigning. For that reason, searching six months’ worth of email, in a targeted way, can be an effective investigatory tool. For example, an employer concerned about theft of a client list can search for terms such as “client list” or “mailing list” or can use the employee’s personal email address and the name of the new employer as search terms. For high stakes cases, an employer could review each email in the six-month period. For other cases, the employer may want to take a more measured approach, which is to start by reviewing all emails within one or two weeks (or another time interval) of resignation and work backward. Targeted search terms can also be deployed to get to potentially relevant emails and information more efficiently. The employer can tailor or abandon the search efforts if no evidence is discovered after reviewing a date-filtered subset of emails or, conversely, broaden the search if the employer discovers incriminating emails.

Unusual Log-In Activity and Access of Key Databases

If an employee logs into databases or systems that contain competitive intelligence on the night before, or even the morning of, his or her resignation, the fact of the log-in itself can be incriminating. Chances are high the employee is not trying to further the employer’s interests at that point but, rather, is more likely, or even arguably, furthering his or her own interests and those of a competing new employer.

Excessive Downloading

The downloading of large volumes of data or the unauthorized export of large volumes of data via Box.com or other similar sites can indicate a significant data breach.

Deletion of Data

If an employee deletes or alters documents just before resigning, it could be an attempt to hinder the employer’s ability to retain business. For example, deleting or altering a client list on the eve of resignation could mean remaining employees engaged in client retention efforts do not have current contact information for the clients—but the departed employee calling on those same clients on behalf of a competitor does. In that instance, the self-serving effort to gain an unfair competitive advantage dramatically undercuts a common narrative put forward by those in breach of a non-solicitation provision: that the employee simply had the clients’ best interests in mind and wanted to make sure they were being served.

Wiping of a Device

If an employee wipes his or her employer-issued computer, smartphone, or other electronic device, the finder of fact can and should reasonably infer the employee used the device to misappropriate competitive intelligence.

Insertion of a Mass Storage Device

Here again, while an employee may claim legitimate business purposes, an e-forensic vendor confirming that the employee inserted a thumb drive, external hard drive, or other mass storage device into his or her computer on the eve of resignation can be irreparably damaging to the employee’s credibility.

What Are the Benefits of E-Forensic Evidence?

The benefits of e-forensic evidence are abundant. As an initial matter, evidence of misappropriation, even if circumstantial, can very quickly destroy a departing employee’s credibility or at least plant a seed of doubt. This is true as to the potential misappropriation event itself, as well as to unrelated fact issues on which the case may turn. Moreover, departing employees who misappropriate trade secrets or other confidential business information often deny their wrongdoing. While the misappropriation itself is damaging, an employee’s denial of the theft—in a letter, at a deposition, or at an evidentiary hearing or trial—creates a second act of dishonesty. The finder of fact may forgive one indiscretion, but it is very difficult for the employee to maintain credibility after a second strike. Credibility is always at issue and often determinative.

Although damages may be appropriate, employers often prioritize recovery of trade secret and confidential information over money. But how can meaningful recovery be accomplished when a former employee denies having or taking any data? Having digital forensic evidence increases an employer’s likelihood of meaningfully recovering its most valuable business information by (1) obtaining a temporary restraining order requiring the return of confidential information; (2) being positioned to pursue targeted discovery, such as a request for production of a certain mass storage device known to have been used by the employee; and (3) incentivizing the new employer to search its own systems for misappropriated data (and quarantine such data if discovered).

Importantly, having evidence of misappropriation at the outset of a case will better position the employer to obtain e-forensic discovery of the former employee’s privately owned devices. The importance cannot be understated of having the ability to uncover where the employee is keeping stolen data, whether a trade secret is now in the hands of a competitor, and whether a competitor knew about or encouraged the theft.

However, the employer’s ability to meaningfully vet misappropriation claims in discovery should not be assumed, particularly if the employer has only concerns and speculation, without actual evidence of wrongdoing. In fact, the advisory committee note to Federal Rule of Civil Procedure 34 cautions against making forensic examination of an opposing party’s devices the default and encourages courts to “guard against undue intrusiveness.” Fed. R. Civ. P. 34 advisory committee’s note (2006). Because forensic examinations of an opposing party’s devices raise issues of confidentiality and can produce volumes of documents that must be reviewed, “compelled forensic imaging is not appropriate in all cases, and courts must consider the significant interests implicated by forensic imaging before ordering such procedures.” Id.

Elaborating further on these concepts, federal courts have reasoned that an e-forensic examination constitutes an “extraordinary remedy” required “only if the moving party can actually prove the responding party has concealed information or lacks the expertise necessary to search and retrieve all relevant data.” Covad Commc’ns Co. v. Revonet, Inc., 258 F.R.D. 5, 11–12 (D.D.C. 2009) (collecting authorities); Mintel Int’l Grp., Ltd. v. Neergheen, 636 F. Supp. 2d 677 (N.D. Ill. 2009) (denying motion to compel because owner of computers sought to be examined was third party and plaintiff lacked any evidence that defendant placed confidential info on new employer’s computer system). Stated differently, “[m]ere suspicion or speculation that an opposing party may be withholding discoverable information is insufficient to support an intrusive examination of the opposing party’s electronic devices or information system.” Belcastro v. United Airlines, Inc., No. 17 C 1682, 2019 WL 7049914 (N.D. Ill. Dec. 23, 2019).

But when an employer has conducted an e-forensic investigation on its own systems and devices, including those devices previously used by the former employee in the course of employment, and incriminating evidence is found, the equities balanced under the Federal Rules can quickly shift in favor of the employer. It can mean the difference between the employer obtaining discovery—and actually locking down its data—and getting no relief at all.

Trade secret and confidential business information is often a company’s most valuable asset. And while a judge or jury may view litigation initiated by a large employer, represented by sophisticated counsel, against a single employee, through a David versus Goliath lens, when there is evidence of theft, the fact finder’s sympathies can quickly change. By acting swiftly to uncover potential theft, employers increase the chances of recovering stolen information, preventing further misappropriation, and deterring others by developing a reputation of enforcing restrictive covenant agreements. The potential benefits justify the effort.

    Authors