Companies frequently have to deal with departing employees who may be taking confidential information to a competitor, or with employees who are accused or suspected of wrongdoing.
Electronic evidence — emails, USB file-transfers, and cloud storage — often forms the most important and useful evidence available in investigating these situations.
There are five things companies can and should do to preserve this evidence and protect their interests.
1. Identify sources of data: Many employees will have access to multiple devices/locations, each of which can hold important evidence. These typically include hard drives, email and document servers, cloud storage services, and mobile devices. Where owned or paid for by the company, these can usually be accessed and reviewed.
2. Move quickly to quarantine devices: For both legal and technical reasons, it is essential to immediately quarantine and prevent any access to the devices at issue. From a technical standpoint, continued access to and use of a computer, especially if it is assigned to a new user, significantly increases the chances that key evidence will be inadvertently deleted or over-written. Electronic evidence of the kind that forensic searches can reveal is regularly over-written by the operating system and, in the case of mobile devices, is typically wiped entirely when the device is reset.
Legally speaking, the company must be able to demonstrate that the evidence was immediately quarantined and that there was minimal risk of contamination. Failing to move quickly can also prejudice the company’s ability to seek relief in court if that is ultimately necessary.
3. Forensically image devices: A forensic image is an exact duplicate of a computer at a given point in time. It cannot be altered in any way. Server data and mobile devices can also be forensically collected. Creating a forensically sound copy is usually not expensive, but it does require specific expertise. A forensic image is essential both to conducting an investigation and to protecting the company if legal proceedings become necessary.
It assures the court that an independent expert has carefully preserved the evidence and undermines any argument that the company has tampered with the files. It also avoids the common problem that important evidence is inadvertently deleted or written-over in the course of the investigation.
4. Forensic searches: Once a device has been forensically imaged, there are several forensic searches that can be done, in addition to the email or document review the company might otherwise undertake. First, an expert can search the device’s “unallocated space” to recover files that the employee deleted — this is often where the most significant evidence is found.
Second, an expert can reconstruct past access to file-sharing and cloud storage services to determine what if anything was transferred in this way. Third, an expert can review different computer artifacts to determine whether and when USB devices were inserted, and what was copied to them.
The searches are quite different depending on whether the devices are PCs or Macs (for example, registry and link files versus kernel.log and sidebar.plist), and the expert must have the relevant skills and knowledge. Again, these artifacts are often an important source of evidence, particularly in departing employee cases.
5. Watch out for privilege: While a company may own and have the right to access an employee’s work devices and work email accounts, that does not mean the employee has waived solicitor-client privilege over any documents or emails found in them. Companies must be very careful to identify and avoid reviewing anything that is potentially privileged.
If an expert is conducting the investigation, the expert can isolate such material and withhold it from the company. If the company is conducting the investigation, it should seek legal advice in this regard.
Once the review of electronic files is complete, the company has several options depending on the circumstances.
If there is evidence the employee has taken or transferred confidential information to a competitor, the company can seek a court order that the information be returned and that the competitor forensically search its computers and servers to delete any information it received. This will prevent any further harm to the company’s interests.
If there is evidence that the employee is breaching restrictive covenants in the employment agreement, such as non-solicitation or non-competition provisions, the company can seek a court order that the employee immediately stop the solicitation or competition. This again prevents any further harm from occurring.
In either case, the court will expect the company to produce objective evidence demonstrating the alleged misconduct and will often require the company to provide the original source of that evidence (the forensic images) to the employee and his or her own forensic expert.
Similar considerations apply in the case of workplace investigations. If the company concludes that there has been wrongdoing, it may decide to take legal action, or it may decide that termination or other disciplinary measures are sufficient. Either way, objectively verifiable evidence is crucial in supporting the company’s position and protecting its interests.
Engaging a forensic expert and carrying out forensic searches does not have to be an expensive and time-consuming process. Creating a forensic image and running some of the searches described above can be done relatively quickly and inexpensively. These steps are essential both to ensuring important evidence isn’t lost or accidentally deleted, and to protecting the company’s interests. Without a forensic image that can be inspected by others, the company will have a much harder time relying on the electronic evidence it has gathered.
Following the five key points set out above will lead to more effective and efficient investigations, and put companies in a much better position to protect and advance their interests in dealing with departing employees and workplace investigations.
Disclaimer: Nothing in this article is intended as legal advice and should not be relied upon as such. Legal advice should be sought regarding the circumstances of any particular case.
Aniko Kiss is the Principal and Lead Computer Forensic Expert at Digital Excellence Forensics Inc.
Matthew Law is a litigation lawyer at Lax O’Sullivan Lisus Gottlieb LLP.