Recent studies indicate over 92 percent of all business information is stored electronically. It’s no surprise then that companies invest heavily in network security to guard against outside threats.
But the greatest threat may come from the inside: An employee who walks out the door with reams of intellectual property secreted in his pocket on a device no larger than a pack of gum. Once copied, that information can be easily taken to a competitor or used by the employee to form a new competitive venture.
When a company suspects its IP has been stolen by an insider, in-house counsel’s first instinct may be to examine the data on the departed employee’s computer, find the “smoking gun,” and stop the thief cold.
Don’t touch the hard drive
Although the critical evidence is usually found on the employee’s computer, prematurely following one’s instincts may irrevocably compromise the investigation. Do not immediately search the ex-employee’s computer, because there is a real danger of altering or overwriting data critical to your investigation by merely turning on the computer. Instead, secure the computer under lock and key for later analysis.
The second thing to consider is there may not be “smoking gun” evidence. Most successful investigations are built on many small and large pieces of evidence from multiple sources, which may collectively show wrongdoing or, just as importantly, a lack of wrongdoing.
Because an analysis of computer data may be the lynchpin of an investigation, it must be approached in a way that preserves, but does not destroy or create, evidence. As has been seen time and time again, a botched “crime scene” preservation leads inevitably to a failed investigation.
Who, what, where
The first step, which is often overlooked, is to learn the basics about the ex-employee, such as the type of trade secrets he had access to and supposedly took, and the nature of the competitor’s business. This step, which may involve witness interviews, Google searches and a review of paper documents, is the bedrock of an investigation that leads to: (1) identifying the kind of information taken, (2) a legal theory as to why the information can be protected, and (3) a time line of events.
Once this groundwork is developed, the investigator will have an informed hunch with which to view the disparate strands of evidence in the proper context and make the right connections.
Mirror, mirror
The key to preserving critical computer evidence is to make an exact duplicate copy of the computer hard drive without changing a single bit of information. The creation of a duplicate hard drive is sometimes called a bit-stream or mirror-image copy. Professionals trained in forensically sound acquisition methods use specialized software that prevents the computer itself from overwriting or destroying data in the analysis process.
The forensic analyst will verify or authenticate a successful acquisition by applying an electronic fingerprint, which matches the original data to any exact copy. Once properly authenticated, useful data harvested from the copy is now turned into admissible evidence while the “original” bit stream copy is safely locked away.
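The “electronic fingerprint” described above is, in practice, a cryptographic hash of the acquired data. The following Python sketch is an added example, not part of the original article or of any forensic product; it hashes an original and its copies in chunks and shows that a single changed bit breaks the match. The file names and the random sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory


def fingerprint(path, algorithms=("sha256", "sha1")):
    """Return {algorithm: hex digest} for the file at `path`."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # opened read-only: hashing must not alter data
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original_path, copy_path):
    """True only if every digest of the copy equals that of the original."""
    return fingerprint(original_path) == fingerprint(copy_path)


def demo():
    """Constructed sample: a stand-in 'drive', an exact copy, a one-bit-off copy."""
    data = os.urandom(3 * CHUNK + 517)  # stand-in for drive contents
    altered = bytearray(data)
    altered[CHUNK + 7] ^= 0x01          # flip a single bit
    blobs = {"original.dd": data, "copy.dd": data, "altered.dd": bytes(altered)}
    with tempfile.TemporaryDirectory() as folder:
        paths = {}
        for name, blob in blobs.items():
            paths[name] = os.path.join(folder, name)
            with open(paths[name], "wb") as fh:
                fh.write(blob)
        exact = verify_copy(paths["original.dd"], paths["copy.dd"])
        tampered = verify_copy(paths["original.dd"], paths["altered.dd"])
    return exact, tampered


if __name__ == "__main__":
    print(demo())
```

Recording the digests at acquisition time and recomputing them before each later analysis is what lets an examiner state that the working copy still matches the original.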
Follow the data trail
Among the best evidence of a theft of trade secrets are the data clues unwittingly left by the employee on the computer hard drive in the act of misappropriation. These clues include metadata, that is, data about the files themselves: time stamps indicating creation, last modification and last access, as well as print dates and author information.
Analysis of this type of information may show wholesale access to and copying or printing of files, as well as searches run by the employee for particular client or file names. The metadata may also show the mass deletion of files, or “cached” copies of web surfing history, including access to personal web-based e-mail accounts the ex-employee used just before departing.
This information can create a time line essential to show the ex-employee had inappropriate access to and critical knowledge of confidential information. It alone may be sufficient to bring a legal action or persuade a new employer to take remedial steps.
When a deletion is not a deletion
Typically, a trade secret thief will open documents, save data to a new file and copy these files to a thumb drive or some other portable storage medium, and then delete the files from the computer, believing he has eliminated the evidence of copying.
However, if the thief (in a Windows environment) only hit the delete button, the accessed files are not truly deleted but remain easily recoverable from the “Recycle Bin.” A more sophisticated thief may “empty” the Recycle Bin, or the computer operating system itself may automatically perform this function when the computer is started or shut off.
This alone, however, will not necessarily erase the data from a computer disk, and such information can often be retrieved through computer forensic software. In reality, data saved or “cached” to a computer hard drive is never removed until it is completely overwritten with new data. Until the operating system (or specialized data destruction tools) overwrites the data, the information is recoverable.
Similarly, “snapshots” of the web pages visited prior to departure may be saved to “temporary” files on the hard drive, which are also recoverable if not overwritten. This data may still be recoverable months later if the ex-employee’s computer has been effectively preserved.
Additionally, forensic examiners can recover data from the computer’s registry, which stores hardware and software application information. The registry captures details on the connection of removable devices to the computer, such as flash drives, including the manufacturer of the device, date and time of the connection and the drive letter assigned to the device. When placed into context with the metadata analysis, such information may establish a time line of events and show the intent of the employee in accessing and copying the data.
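To show how file metadata and removable-device records combine into the time line described above, here is an added Python example (not from the original article or any forensic tool). It merges the two sources and flags device connections that are followed by a burst of file access. All records, device names, the ten-minute window and the threshold of three files are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real case). In practice these records
# would be exported from the verified forensic copy, never from the live drive.
FILE_ACCESS = [  # (path, last-access time)
    ("C:/Clients/acme_pricing.xlsx", "2024-03-14 17:42:10"),
    ("C:/Clients/acme_contacts.csv", "2024-03-14 17:42:31"),
    ("C:/Designs/widget_rev7.dwg", "2024-03-14 17:43:05"),
    ("C:/Designs/widget_bom.xlsx", "2024-03-14 17:44:12"),
    ("C:/HR/benefits.pdf", "2024-03-10 09:15:00"),
]
USB_CONNECTS = [  # (device description, drive letter, connection time)
    ("ExampleVendor Flash Drive", "E:", "2024-03-14 17:40:02"),
    ("ExampleVendor Flash Drive", "E:", "2024-02-01 08:30:00"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def build_timeline(file_access, usb_connects):
    """Merge both sources into one chronologically sorted list of events."""
    events = [(datetime.strptime(t, FMT), "file-access", path)
              for path, t in file_access]
    events += [(datetime.strptime(t, FMT), "usb-connect", f"{device} ({letter})")
               for device, letter, t in usb_connects]
    return sorted(events)


def bulk_access_after_connect(timeline, window_minutes=10, threshold=3):
    """Map each USB connection time to the files accessed shortly after it.

    Only connections followed by at least `threshold` file accesses inside
    the window are returned; both values are illustrative, not standards.
    """
    window = timedelta(minutes=window_minutes)
    findings = {}
    for when, kind, _detail in timeline:
        if kind != "usb-connect":
            continue
        hits = [d for t, k, d in timeline
                if k == "file-access" and when <= t <= when + window]
        if len(hits) >= threshold:
            findings[when.strftime(FMT)] = hits
    return findings


if __name__ == "__main__":
    timeline = build_timeline(FILE_ACCESS, USB_CONNECTS)
    for when, kind, detail in timeline:
        print(when, kind, detail)
    print(bulk_access_after_connect(timeline))
```

Last-access times can also be updated by routine activity such as antivirus scans or backups, so a flagged window is a lead to corroborate against other sources rather than a conclusion.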
To preserve is to protect
In sum, if a person untrained in computer forensics, including in-house IT professionals, simply turns on the computer of a suspected IP thief to “take a look,” critical evidence may be destroyed and the investigation doomed before it has even begun.
While not every investigation needs a forensic professional, savvy in-house counsel will be sure to preserve the computer evidence for future analysis – and the company’s options – until the investigation is complete.
Brian T. Moriarty is a principal at Hamilton Brook Smith Reynolds P.C. specializing in IP, trade secret and patent investigations and litigation. Mr. Moriarty is one of the few registered patent attorneys who also served as a federal prosecutor. Mr. Moriarty was a federal prosecutor in New York City.
John F. Curran Jr. is managing director and deputy general counsel for Stroz Friedberg, LLC, a computer forensics and investigations firm. Mr. Curran previously served as a federal prosecutor in New York City and deputy general counsel for National Security Affairs at the FBI in Washington, D.C., where he provided counsel to the FBI Director and senior FBI executives on counter-terrorism, counter-intelligence and counter-espionage programs.