The potential for data flight is exacerbated further by the increased prevalence of cloud-based data sources for communications and storage, which provide users with additional opportunity for data proliferation and flight. Somewhat ironically, while the format of these electronic records may increase the ease with which the sensitive data may be transferred, it also heightens the potential for leaving an electronic trail—artifacts and traces of the attempts to exfiltrate and transfer documents outside an organization’s domain. For these reasons, among others, a digital forensics expert can be an invaluable ally in matters involving allegations of IP and trade secret theft or misappropriation.
When such allegations present themselves, a trusted digital forensics expert can offer critical support and guidance throughout the course of an investigation, from the initial scoping and discovery phases, which may occur pre-litigation during an internal investigation, to the production of key findings, and when necessary, expert testimony.
This article focuses on key considerations for attorneys and primary stakeholders within an organization, from the early stages of determining the extent of a forensic expert’s involvement to the different phases that such involvement may entail for IP and trade secret investigations.
Need Assessment, Vetting, and Identification of a Reliable Expert in the Digital Forensics Process
Whether your organization is looking for advisory and expert support for an internal investigation into allegations of misappropriation or outside counsel preparing a client for pending litigation, specific needs may vary.
Forensic work can range from being deeply technical, such as a deep-dive recovery of fragmentary deleted data, or relatively straightforward, such as exporting mailbox data from an email server environment. Law firms and in-house stakeholders need to assess their specific requirements and look for that level of expertise when aiming to retain a forensics consultant. Trusted experts retained through referrals by other law firms or organizations should go through a vetting process that includes a review of credentials, including prior experience specific to IP and trade secret theft investigations, as well as related expert testimony.
The following sections dive more deeply into certain would-be scenarios that may aid in determining the extent of a forensic consultant’s involvement.
Preliminary Assessment, Scoping, Data Preservation, and Collection
In matters involving allegations of theft or misappropriation of sensitive documents such as trade secrets or IP, there may be an initial internal investigation conducted by in-house counsel (though outside counsel may also be involved in these early stages) with support from other key stakeholders (human resources, the chief technology officer, etc.). Depending on the extent of in-house experience in conducting such investigations, it can be beneficial to retain a forensics consultant early to determine the viability of the allegations made and offer guidance on exploring the potential that data flight may have occurred.
These initial steps may lead to a more formal scoping exercise, where key individuals and date ranges of interest are fleshed out, along with a better understanding of the information technology (IT) infrastructure in place within the organization. This is often accomplished through brief scoping calls with key stakeholders or questionnaires, though in certain contentious scenarios, scoping information may be limited, and the forensic expert may need to proceed with readily available information.
During this phase, those tasked with the initial investigation can gather information on any existing litigation holds or preservation notices in place, or otherwise discuss implementation of new preservation holds and suspending normal deletion or retention policies once litigation or a formal inquiry is anticipated. A forensic consultant can help assess current policies to develop a sound preservation plan or work with in-house stakeholders or outside counsel (or both) in recommending adjustments that may be prudent. This is often a critical step, as failure to properly assess and revise existing policies may lead to spoliation and subsequent sanctions, as exemplified in a recent matter in which the failure to identify and disable an auto-delete setting on the company’s email server led to a company-wide destruction of emails. Weride Corp. v. Kun Huang (N.D. Cal. 2020). In another case, a defendant deleted documents from his laptop after receiving numerous preservation demands, as well as after the court explicitly ordered the preservation of all data on the defendant’s electronic devices, again resulting in sanctions. Roadrunner Transp. Servs., Inc. v. Tarwater (C.D. Cal. 2014). As underscored in the prior examples, sound preservation of ESI is critical in trade secret cases, as it often revolves around whether or not sensitive documents were accessed or transferred outside an organization’s domain, and for that reason, it is critical to preserve key metadata attributes such as date and author name.
In addition to proactive preservation of electronic records, scoping and matter circumstances may require that additional data collections be performed. Particularly when in support of litigation, data collection must be a defensible process that maintains the integrity of the source data. Source data must be preserved without alteration, which in turn can be verified as an exact bit-by-bit duplicate by a forensics professional representing the opposing party. Collection steps include setting up proper chain-of-custody and related documentation of the data sources with the anticipation that the procedures employed, and related documentation, will likely require presentation in court.
There are several ways ESI can be collected, each with its own risk profile. In certain instances, an organization may opt to have in-house IT, or perhaps even the custodians of interest, self-collect electronic records for the purpose of litigation. This may be a viable option depending on in-house IT’s prior experience performing such collections. Even when an organization employs IT with requisite experience and credentials for performing data captures, it may prefer to avoid the liability of an in-house employee potentially testifying in court.
To offset this concern, in certain instances parties involved may opt to perform self-collection but with oversight or guidance or both from a forensic expert on the collection steps to be performed by IT and also to corroborate the steps taken. This approach offers the benefit of placing the responsibility of formal court reporting and testimony on the expert.
The forensic expert may also be retained to perform all of the services required for the litigation, including data preservation, analysis, reporting, and related consulting or advisory services. This may be preferred for high-profile matters or matters anticipated to be contentious.
The above considerations should be weighed against the specifics of a given matter to determine the best course of action to minimize the potential for sanctions and increase the odds of a satisfactory outcome.
Forensic Analysis, Testimony, and Remediation
Once data sources—mobile devices, computers, cloud-based repositories, etc.—are preserved and collected in a defensible manner, the forensic analysis phase is critical to both identifying the misappropriation of IP or trade secrets and fleshing out the viability or identification of spoliation claims. In matters involving allegations of data theft, a trained expert can analyze electronic records to uncover evidence of mass deletion of documents, usage of data-wiping software, transfer of data to external USB devices, cloud-based repositories, or personal webmail accounts, and remote access to company documents, among other artifacts that may be deemed to be of evidentiary value, all of which can assist counsel in bolstering a case for data exfiltration and spoliation claims. During this phase, as in nearly all phases of these types of matters, open discussion of preliminary findings and how these findings affect the next steps or case strategy are often key differentiators in the outcome. A seasoned forensic expert can provide timely and detailed findings, discuss the potential ramifications and evidentiary value of the findings with counsel and stakeholders, collaboratively develop recommended next steps, and prepare expert reports, declarations, and affidavits that may later lead to in-court testimony.
In certain instances, such as part of a settlement agreement, there may be a remediation phase, whereby parties agree that IP or trade secret documents that were wrongly or erroneously exfiltrated from one organization (plaintiff) to another (defendant) can be identified and defensibly disposed of or quarantined. This often culminates in a report summarizing remediation steps performed by the forensic expert overseeing the remediation. As with the other procedures discussed, companies should conduct a proper vetting of qualifications and prior experience when considering a forensic expert for such remediation.
These considerations are by no means exhaustive but can help to guide an organization in determining the need for a digital forensics export to obtain the best possible outcome of a case.