Want to get a lawyer’s attention? Just mention “data wiping” and “litigation” in the same breath. You might need to administer CPR. Yet there are cases where both sides recognize the need to thoroughly eradicate electronic data, such as when an employee has spirited away proprietary information to a new job and the old employer needs assurance it won’t be exploited. It’s a simple-sounding task that’s harder and more expensive than many lawyers and judges appreciate.
Sure, you could wipe every sector on the hard drives or scuttle the machines into the Mariana Trench, but then you’d have no record of what went where or how it was used. Think also of the legitimate business and personal data that would be lost. Shifting noncontraband data to new media might work, but who can be entrusted with that job, and how will they divvy up the contents of e-mail container files and other amalgams tainted by stolen information?
The former employer could supervise the process, but affording a competitor such unfettered access is often out of the question. Even if these issues are resolved, will ordinary deletion be sufficient? What’s to prevent the other side from resurrecting the deleted data once the case is dismissed?
Before you include data obliteration as a condition of settlement, be certain you’ve considered all the steps needed to effectuate reliable eradication, as well as the total cost and potential disruption. Start by determining what’s been taken through a focused forensic examination of the ex-employer’s machines previously used by the departed employee, a job made harder, but not impossible, if machines have been re-tasked to new users or the employee tried to cover his tracks.
Data enters and leaves computers via a handful of common vectors, such as e-mail, thumb drives, external hard drives, optical media or network transfer. So you’ll want to know what files, network areas, Internet sites — especially Web mail services — and external storage media the employee accessed, especially in the last weeks on the job.
You’ll also want to gather the information needed to perform a thorough search of the other side’s relevant machines, such as the names, sizes, last modified dates and hash values of stolen files as well as unique phrases or numerical values within those files. Searching for stolen data by its hash value is useful and cost-effective, but it won’t turn up data that’s been altered or deleted. For that, forensic examiners must analyze file metadata, carve unallocated clusters, run keyword searches and review content.
Next, you’ll want to account for all the media that housed any of the contraband data. Forensic examination of the former employer’s machines can pin down the portable devices employed to transport the data, while analysis of the new employer’s systems usually reveals if and when the transport media were connected and whether other portable storage devices helped copies fly the coop.
The trail of stolen data often leads first to home systems, particularly where the errant employee took time off between jobs. It naturally progresses to the new employer’s laptop and desktop machines and network storage areas to which the employee had access. These are typically searched for files with matching hash values, similar or identical file names, and files containing distinctive words, phrases or numeric values present in the stolen data.
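The three searches described above (matching hash values, matching file names, distinctive phrases) can be sketched in a few lines. This is an added example, not part of the original column; the file names, the part number and the sample tree are constructed for illustration, and the sweep covers only files the file system still lists.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, known_hashes, known_names, phrases):
    """Return {relative path: reasons} for active files under root. Deleted data
    in unallocated clusters or slack needs carving against a disk image instead."""
    names = {n.lower() for n in known_names}
    needles = [p.lower().encode() for p in phrases]
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if sha256_of(path) in known_hashes:
            reasons.append("hash")
        if path.name.lower() in names:
            reasons.append("name")
        body = path.read_bytes().lower()  # fine for a sketch; stream big files
        if any(n in body for n in needles):
            reasons.append("phrase")
        if reasons:
            hits[path.relative_to(root).as_posix()] = reasons
    return hits

def demo():
    """Build a constructed sample tree and sweep it."""
    original = b"Q3 price list\nPart ZX-4471-K: 18.25 per unit\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pricing.txt").write_bytes(original)            # exact copy
        (root / "notes.txt").write_bytes(original)              # renamed exact copy
        (root / "draft.txt").write_bytes(original + b"edited")  # altered copy
        (root / "lunch.txt").write_bytes(b"menu for Friday\n")  # unrelated
        known = {hashlib.sha256(original).hexdigest()}
        return sweep(root, known, ["pricing.txt"], ["ZX-4471-K"])

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, why)
```

The renamed copy is still caught by its hash, while the altered copy is found only by the phrase search. The phrase match is a raw byte search, so text stored compressed or in another encoding, as in many office and e-mail container formats, will not match without format-aware extraction.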
Machines are analyzed to see if file deletion, data hiding or file wiping were used to conceal the stolen data. Metadata and registry keys are examined to identify notable events (such as the arrival of a large number of files, drive swapping or operating system re-imaging). It’s a lot of old-fashioned detective work using newfangled technology.
Even when no one has deleted or hidden stolen data, some of it routinely finds its way into the unallocated clusters, a vast digital landfill where operating systems dump transient data like the contents of swap memory or working copies created by word processing applications. Data may also lodge in file slack space, the area between the end of a file and the end of the last cluster in which it’s stored. Consequently, a thorough eradication includes identifying any stolen data that’s wormed its way into these hard-to-access regions.
It’s important to examine these obvious places where stolen data lodges, and to determine whether and how the data’s been used, abused or disseminated, because that knowledge guides resolution of a costly, contentious issue: Where do you stop?
Victims of data theft understandably fret about the potential for missed or hidden copies of contraband data and demand the broadest and most exacting search, especially when they bear none of the cost and regard the new employer as complicit in the theft. However, extending the search beyond machines with a clear connection to the former employee should be based on evidence signaling their involvement or a sensible sampling protocol.
Courts and counsel should be wary of imposing or agreeing to a search and eradication method that’s so wide-ranging, costly and disruptive as to be unintentionally punitive.
Once found, it’s fairly easy to delete and overwrite contraband active data files and the entirety of the unallocated clusters and slack space (the contents of which have no value to the user). However, separating contraband transmittals and attachments from e-mail containers is a laborious process necessitating selective deletion, compaction and/or recreation of the container files on local hard drives, as well as agreement concerning the handling of server mail stores and backup media. These enterprise storage areas don’t lend themselves to piecemeal deletion, necessitating considerable effort, ingenuity and expense to purge contraband data.
Employee data theft is a common, costly and growing problem, so lawyers handling these cases must understand the expense and complexity attendant to expunging purloined data and recognize that an agreement to “delete it” sounds straightforward but may be biting off more than the client intends to chew.
Craig Ball, a member of the editorial advisory boards of both LTN and Law.com Legal Technology, is a trial lawyer and computer forensics/EDD special master, based in Austin.