Font Size:

You are familiar with the scenario: one of your employees leaves to go work for a competitor, but before he goes, he copies confidential information for use at his new job. While the scenario may not have changed much, the means of obtaining the information has.

The days of photocopying documents and sneaking out the door with hard copies are long gone. Most information is now available electronically, and large amounts of data can be copied efficiently and discreetly via computer. The good news is that in many instances, accessing information electronically leaves a distinct trail for a former employer to follow. The bad news, though, is that if the proper steps are not taken, this trail can quickly be lost.

In fact, in many cases, simply doing nothing can result in valuable information being lost forever. There are a number of pitfalls to avoid when building a case against a former employee who you believe has taken your confidential information.

To begin with, there are some inadvertent pitfalls to avoid. The root of the problem is that most HR and IT personnel, while good at what they do, are not trained in computer forensics and the steps necessary to build a case through computer evidence. Oftentimes, building a case against a former employee rests on proving that he or she copied or deleted certain confidential company information. An overzealous company representative trying to find evidence of misconduct can actually do more harm than good, including inadvertently altering the evidence.

For example, a primary method of obtaining evidence of a former employee's misconduct comes from analyzing the date stamps used by most computers. Most operating systems used today, and their respective file systems, record three basic types of date stamps with respect to computer file activity: the last modified date, the last accessed date and the file creation date.

The last modified date refers to the date and time a file was last written to. Typically, a file is modified or written to when a user opens and then saves a file, regardless of whether any data is changed or added to the file.

The last access date, on the other hand, is affected by just about any activity that a user or even the computer system itself might do to a file. The last access date will change when a file is printed, moved, copied or merely viewed (in other words, opened but not saved).

Finally, creation dates indicate when a file came into existence on a particular storage medium, such as a hard drive, and can therefore indicate when a user or computer process created a file. They can also reflect the date and time that a file was copied onto a particular storage medium.

Of the three dates involved here, the last access date often provides one of the most valuable sources of evidence, since it can provide a road map of those files that a former employee looked at, copied, moved or printed shortly prior to the end of his employment. However, this blessing can also be a curse. HR personnel, or even IT employees investigating the former employee's computer, will inadvertently alter the last access dates of files simply by going on the former employee's computer and opening files that are located on it. Therefore, the best intentions of finding evidence of wrongdoing are nullified if crucial evidence is inadvertently altered.

Perhaps even more noteworthy is that these last access dates can also be changed even without undertaking any investigations. Antivirus, backup and other system maintenance programs will also typically update the last access dates every time they run. Therefore, simply leaving a former employee's computer connected to the network can result in routine programs destroying potential evidence of wrongdoing.

The date stamps are not the only useful sources of computer information. When information is deleted from a computer, it often temporarily remains in a computer's unallocated space (the space on the computer not assigned to named files). Fragments and often even large chunks of this information can frequently still be retrieved from computers, even though they have been deleted. Therefore, a computer forensics expert may also be able to recover information that a former employee attempted to delete from his computer. However, if left to its own devices, an operating system will routinely move around clusters of files as part of the ordinary process of organizing all the information on the computer. In doing this, the operating system will overwrite the information that may otherwise remain in the unallocated space.

It is highly important to know how to preserve your evidence and safeguard your case. Now that you know some of the challenges in protecting computer evidence, you can understand the importance of having a plan, moving quickly and involving someone familiar with computer forensics. There are some steps that can help in effectively dealing with the situation.

If the departing individual is still employed, conduct an exit interview during which you remind the employee of his confidentiality obligations and inquire whether he possesses any company documents or information, including anything in electronic format on home computers, CDs, DVDs, thumb drives or any other forms of electronic storage media.

Restrict the employee’s access to confidential information for the remainder of his employment.

After the employee leaves, identify all sources of electronically stored information that the former employee may have accessed. These may include not only computers and laptops, but also company cell phones, PDAs, CDs and DVDs.

Gather all sources of electronically stored information. Power down and unplug and/or disconnect the computers from the network. Do not reassign any of the equipment to new employees.

Place the computers and electronic storage devices in a secure area. Do not search the equipment prior to involving someone familiar with computer forensics. This individual will ensure an exact image of all the information is first created in order to protect potential evidence.

At the end of the day, what you don't know can hurt you because valuable computer evidence will be lost. This can be the difference between a clear case with a quick resolution and a prolonged and costly one. Follow the steps outlined above and you will be able to efficiently and effectively protect your confidential information.

Carl J. Rychcik is a partner in the Pittsburgh office of Fox Rothschild. He focuses his practice on litigation, including trade secret, restrictive covenant and breach of contract claims as well as employment termination cases.

Subscribe to Corporate Counsel