When All Agree to Delete

Want to get a lawyer’s attention? Just mention “data wiping” and “litigation” in the same breath. You might need to administer CPR. Yet there are cases where both sides recognize the need to thoroughly eradicate electronic data, such as when an employee has spirited away proprietary information to a new job and the old employer needs assurance it won’t be exploited. It’s a simple-sounding task that’s harder and more expensive than many lawyers and judges appreciate.

Sure, you could wipe every sector on the hard drives or scuttle the machines into the Mariana Trench, but then you’d have no record of what went where or how it was used. Think also of the legitimate business and personal data that would be lost. Shifting noncontraband data to new media might work, but who can be entrusted with that job, and how will they divvy up the contents of e-mail container files and other amalgams tainted by stolen information?

The former employer could supervise the process, but affording a competitor such unfettered access is often out of the question. Even if these issues are resolved, will ordinary deletion be sufficient? What’s to prevent the other side from resurrecting the deleted data once the case is dismissed?

Before you include data obliteration as a condition of settlement, be certain you’ve considered all the steps needed to effectuate reliable eradication, as well as the total cost and potential disruption. Start by determining what’s been taken by a focused forensic examination of the ex-employer’s machines previously used by the departed employee, a job made harder, but not impossible, if machines have been re-tasked to new users or the employee tried to cover his tracks.

Data enters and leaves computers via a handful of common vectors, such as e-mail, thumb drives, external hard drives, optical media or network transfer. So you’ll want to know what files, network areas, Internet sites — especially Web mail services — and external storage media the employee accessed, especially in the last weeks on the job.

You’ll also want to gather the information needed to perform a thorough search of the other side’s relevant machines, such as the names, sizes, last modified dates and hash values of stolen files as well as unique phrases or numerical values within those files. Searching for stolen data by its hash value is useful and cost-effective, but it won’t turn up data that’s been altered or deleted. For that, forensic examiners must analyze file metadata, carve unallocated clusters, run keyword searches and review content.

Next, you’ll want to account for all the media that housed any of the contraband data. Forensic examination of the former employer’s machines can pin down the portable devices employed to transport the data, while analysis of the new employer’s systems usually reveals if and when the transport media were connected and whether other portable storage devices helped copies fly the coop.

The trail of stolen data often leads first to home systems, particularly where the errant employee took time off between jobs. It naturally progresses to the new employer’s laptop and desktop machines and network storage areas to which the employee had access. These are typically searched for files with matching hash values, similar or identical file names, and files containing distinctive words, phrases or numeric values present in the stolen data.

Machines are analyzed to see if file deletion, data hiding or file wiping were used to conceal the stolen data. Metadata and registry keys are examined to identify notable events (such as the arrival of a large numbers of files, drive swapping or operating system re-imaging). It’s a lot of old-fashioned detective work using newfangled technology.

Even when no one has deleted or hidden stolen data, some of it routinely finds its way into the unallocated clusters, a vast digital landfill where operating systems dump transient data like the contents of swap memory or working copies created by word processing applications. Data may also lodge in file slack space, the area between the end of a file and the end of the last cluster in which it’s stored. Consequently, a thorough eradication includes identifying any stolen data that’s wormed its way into these hard-to-access regions.

It’s so important to examine these obvious places where stolen data lodge and determine whether and how the data’s been used, abused or disseminated because that knowledge guides resolution of a costly, contentious issue: Where do you stop?

Victims of data theft understandably fret about the potential for missed or hidden copies of contraband data and demand the broadest and most exacting search, especially when they bear none of the cost , and regard the new employer as complicit in the theft. However, extending search beyond machines with a clear connection to the former employee should be based on evidence signaling their involvement or a sensible sampling protocol.

Courts and counsel should be wary of imposing or agreeing to a search and eradication method that’s so wide-ranging, costly and disruptive as to be unintentionally punitive.

Once found, it’s fairly easy to delete and overwrite contraband active data files and the entirety of the unallocated clusters and slack space (the contents of which have no value to the user). However, separating contraband transmittals and attachments from e-mail containers is a laborious process necessitating selective deletion, compaction and/or recreation of the container files on local hard drives, as well as agreement concerning the handling of server mail stores and back up media. These enterprise storage areas don’t lend themselves to piecemeal deletion, necessitating considerable effort, ingenuity and expense to purge contraband data.

Employee data theft is a common, costly and growing problem, so lawyers handling these cases must understand the expense and complexity attendant to expunging purloined data and recognize that an agreement to “delete it” sounds straightforward but may be biting off more than the client intends to chew.

Craig Ball, a member of the editorial advisory boards of both LTN and Law.com Legal Technology, is a trial lawyer and computer forensics/EDD special master, based in Austin. E-mail: [email protected].

Featured Firms

Law Offices of Gary Martin Hays & Associates P.C.

75 Ponce De Leon Ave NE Ste 101

Atlanta, GA 30308

(470) 294-1674

www.garymartinhays.com

Law Offices of Mark E. Salomone

2 Oliver St #608

Boston, MA 02109

(857) 444-6468

www.marksalomone.com

Smith & Hassler

1225 N Loop W #525

Houston, TX 77008

(713) 739-1250

www.smithandhassler.com

Presented by BigVoodoo

More From ALM

There is no one-size-fits-all model for legal remote work, but there are some considerations that are important for every firm and legal department to address before choosing whether to adopt or update a remote work framework.

The Ultimate Guide to Remote Legal Work

Brought to you by Filevine
Download Now

Gain a comprehensive understanding of the Corporate Transparency Act (CTA) and its implications for law firms and their clients.

Law Firm Operational Considerations for the Corporate Transparency Act

Brought to you by Wolters Kluwer
Download Now

As generative artificial intelligence inspires one of the biggest transformations in generations, Practical Guidance continues to provide the latest tips to help you prepare for the rapid evolution in the way attorneys work.

Practical Guidance Journal: Protecting Work Product in a Generative AI World

Brought to you by LexisNexis®
Download Now

Premium Subscription

With this subscription you will receive unlimited access to high quality, online, on-demand premium content from well-respected faculty in the legal industry. This is perfect for attorneys licensed in multiple jurisdictions or for attorneys that have fulfilled their CLE requirement but need to access resourceful information for their practice areas.
View Now

Team Accounts

Our Team Account subscription service is for legal teams of four or more attorneys. Each attorney is granted unlimited access to high quality, on-demand premium content from well-respected faculty in the legal industry along with administrative access to easily manage CLE for the entire team.
View Now

Bundle Subscriptions

Gain access to some of the most knowledgeable and experienced attorneys with our 2 bundle options! Our Compliance bundles are curated by CLE Counselors and include current legal topics and challenges within the industry. Our second option allows you to build your bundle and strategically select the content that pertains to your needs. Both options are priced the same.
View Now

From Data to Decisions

Dynamically explore and compare data on law firms, companies, individual lawyers, and industry trends.

Exclusive Depth and Reach.

Law.com Compass includes access to our exclusive industry reports, combining the unmatched expertise of our analyst team with ALM’s deep bench of proprietary information to provide insights that can’t be found anywhere else.

Big Pictures and Fine Details

Law.com Compass delivers you the full scope of information, from the rankings of the Am Law 200 and NLJ 500 to intricate details and comparisons of firms’ financials, staffing, clients, news and events.

Middle East Legal Awards 2024

April 25, 2024
Dubai

Law firms & in-house legal departments with a presence in the middle east celebrate outstanding achievement within the profession.

Learn More

BenefitsPRO Broker Expo 2024

April 29, 2024 - May 01, 2024
Aurora, CO

The premier educational and networking event for employee benefits brokers and agents.

Learn More

Pennsylvania Legal Awards 2024

May 15, 2024
Philadelphia, PA

The Legal Intelligencer honors lawyers leaving a mark on the legal community in Pennsylvania and Delaware.

Learn More

Senior In-House Contracts Administrator

A large and well-established Tampa company is seeking a contracts administrator to support the company's in-house attorney and manage a wide...

Apply Now ›

COMMERCIAL FINANCE ATTORNEY - STAMFORD, HARTFORD OR NEW HAVEN OFFICES

We are seeking an attorney to join our commercial finance practice in either our Stamford, Hartford or New Haven offices. Candidates should ...

Apply Now ›

CORPORATE ATTORNEY (8+ Years) - REMOTE, CT

We are seeking an attorney to join our corporate and transactional practice. Candidates should have a minimum of 8 years of general corporat...

Apply Now ›

MELICK & PORTER, LLP

04/15/2024
Connecticut Law Tribune

MELICK & PORTER, LLP PROMOTES CONNECTICUT PARTNERS HOLLY ROGERS, STEVEN BANKS, and ALEXANDER AHRENS

View Announcement ›

Apruzzese, McDermott, Mastro & Murphy, P.C.

04/11/2024
New Jersey Law Journal

Professional Announcement

View Announcement ›

Robbins Alloy Belinfante Littlefield

04/08/2024
Daily Report

Daily Report 1/2 Page Professional Announcement 60 Days

View Announcement ›

When All Agree to Delete

Share with Email

Thank you for sharing!

Trending Stories

Featured Firms

More From ALM

Subscribe to Law.com