Information technology advances have many salutary effects, allowing workplace flexibility and reduced IT spending. IT advances have also established a host of new intellectual property security issues stemming from data breaches, computer hacking, and theft of proprietary data by departing employees or consultants. These issues now affect companies large and small because all aspects of a company’s intellectual assets are preserved electronically, and companies are increasingly relying on employees and independent contractors to access these assets remotely, 24 by 7.

When a valuable employee departs to a competitor, or leaves to start an unspecified "new venture," or even leaves for some "time off," an employer must be vigilant regarding the possibility that electronic copies of company trade secrets — such as confidential customer data, source code, business plans, or technical documents — may follow the former employee out the door. This "departing employee" scenario is probably the most common fact pattern that leads to trade secret litigation.

Companies are increasingly using computer forensics to investigate the who, what, when, where, and why of data theft by departing employees. "Computer forensics" in this context refers to the examination of digital devices, such as smartphones and laptops, and storage media, such as hard drives and thumb drives, in a forensically sound manner that preserves the contents and operating systems of these devices while extracting information regarding file creation, deletion, modification, and copying, and internet and software application usage, amongst other things. Though the field of computer forensics is continually evolving, computer forensic experts are playing an increasingly integral role in the trade secrets and business litigation landscape; it will not be long before litigants point to a company’s failure to undertake forensic investigations as a lack of reasonable diligence that can bar a trade secrets claim.

So what should a company do when it learns that a newly departed employee has taken a prominent role at a competitor, or made suspicious statements, tweets, or blog posts? A typical action plan could look like this:

  1. Terminate any remote access privileges or user credentials that the employee may have to company proprietary information, and make sure that all company-issued electronic devices (e.g. laptop, smartphone, tablet, USB and external drives, etc.) have been returned. These steps should have been done at the time of the employee’s termination but are sometimes overlooked.
  2. Interview the employee’s manager and co-workers about what the employee was working on and had access to, and whether there was unusual activity during the employee’s last days, and whether the employee was acting secretively or left the company on bad terms.
  3. Collect and sequester any electronic media (e.g. smartphones, laptops, and removable hard drives) that the employee used, and store it in a safe location accessible to one or only a few people to ensure the devices are not tampered with and that a chain of custody is preserved.
  4. Retain outside counsel experienced in trade secrets and hacking cases to oversee the investigation and analyze the intellectual property and other legal rights that are available.
  5. Retain an experienced computer forensic consultant.

Engaging a computer forensic expert early on is crucial because time is the single most important factor in mitigating harm from IP theft. A company that sits idly by while its trade secrets are being used unlawfully invites significant commercial harm, and even potentially risks waiving its rights to an injunction to protect those secrets, or even from claiming them as secrets at all. Second, making sure that a forensic consultant, as opposed to in-house IT or engineering personnel, investigates the electronic media is important because it ensures the data is analyzed without altering the contents or operating parameters of the devices and drives in question.

Forensic consultants start their work by first making forensically sound (i.e. bit-for-bit identical) copies of electronic media using tools such as those provided as part of Guidance Software’s EnCase Forensic suite of tools. This imaging is a critical step, because an improper copy risks altering or destroying important data, such as file metadata (e.g. the "date modified" information of a files saved on MS Windows), which can lead to an incorrect analysis and admissibility issues in litigation.

The forensic consultant will then examine usage activity. The consultant tracks patterns such as late-night log-ins to the network, file downloading patterns, the timing and use of USB devices to copy files from a computer, atypical and excessive remote log-ins to the network, access to previously unused network resources, and use of personal email accounts or cloud storage accounts, in the days or weeks leading up to the employee’s departure. The forensic consultant may study internet and messaging usage, as traces of this activity can often be recovered forensically as well. The forensic expert will compare these data points against the employee’s previous typical computer and data usage to look for anomalies, and then identify company information that may have been copied or downloaded.

Besides looking at system artifacts, the forensic consultant will also examine user-generated files. This includes what emails, documents, presentations, or source code the employee was creating, accessing, copying, or deleting in the days and months prior to the employee’s departure. User-generated files typically have both system metadata and file metadata, which update depending on what the user does with any file. If the employee copied a source code file from a thumb drive onto his computer, the system metadata will reflect information about last access, modification, and deletion times from the moment that file was first stored on that computer system. The file metadata will add to the picture by including information based on when that file was first created or modified on any computer system, helping to nail down the timing and mechanics of file copying.

Other forensic artifacts can also reveal suspicious activity. If an employee suddenly deletes files, or uses a software program that wipes system information, such activity could indicate a cover-up and may even help determine what files or activity the employee was interested in taking. The best investigations combine forensic and legal analysis, and will compare forensic anomalies against the timeline of events leading to an employee’s departure. These investigations carefully assess the relative value of any information that may have been unlawfully copied to draw conclusions, such as:

  • Does it appear that deliberate copying took place?
  • Is the data taken commercially important?
  • Is there a risk that the company will be harmed if the departed employee uses or disseminates the information?
  • Does the company have a potential claim worth pursuing?
  • Does the company risk losing a claim by doing nothing?

This analysis can inform a company as to the appropriate way forward, whether the decision is to litigate, do nothing, or something in between. Failing to get the facts, however, leaves a company in the dark with nowhere to go.

Sid Venkatesan is a partner in Orrick’s Intellectual Property Group based in Silicon Valley. Elizabeth McBride is a managing associate in Orrick’s Intellectual Property Group. This article reflects Venkatesan’s and McBride’s general views and not the views of Orrick or its clients.

This article originally appeared in Law Technology News.