Legal Words

Computer forensics and legal implications

By Aniko Kiss and Matthew Law

Companies frequently have to deal with departing employees who try to take confidential information to a competitor and/or use the company’s confidential information to poach its clients and customers.

Electronic evidence – emails, USB file-transfers and cloud storage – often forms the most important and compelling evidence available in investigating and preventing these situations.

There are five important steps companies can and should take to preserve electronic evidence and protect their interests.

1. Identify sources of data

Many employees will have access to multiple devices and locations, each of which can hold important evidence. These typically include hard drives, email and document servers, cloud storage services and mobile devices. Where owned or paid for by the company, these can usually be accessed and reviewed.

2. Move quickly to quarantine devices

For both legal and technical reasons, it is essential to immediately quarantine and prevent any access to the devices at issue. From a technical standpoint, continued access to and use of a computer significantly increases the chances that key evidence will be inadvertently deleted or over-written, especially if it is assigned to a new user. The kind of electronic evidence forensic searches can reveal is regularly over-written by the operating system and, in the case of mobile devices, is typically wiped entirely when the device is reset. Legally speaking, the company must be able to demonstrate that the evidence was immediately quarantined and that there was minimal risk of contamination. Failing to move quickly can also prejudice the company’s ability to seek relief in court if that is ultimately necessary.

3. Forensically image devices

A forensic image is an exact duplicate of a computer at a given point in time. It cannot be altered in any way. Server data and mobile devices can also be forensically collected. A forensic image is essential both to conducting an investigation and to protecting the company if legal proceedings become necessary. It assures the court that an independent expert has carefully preserved the evidence and undermines any argument that the company has tampered with the files. It also avoids the common problem that important evidence is inadvertently deleted or written over in the course of the investigation. Creating a forensically sound copy is usually not expensive, but it does require specific expertise.
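In practice, an image's integrity is demonstrated by hashing it at acquisition and re-hashing any copy later. The following added example (not from the authors; the chunk size, function names and sample bytes are assumptions made for illustration) records a SHA-256 manifest and reports where a later copy differs from it.

```python
import hashlib
import io

CHUNK = 4096  # bytes per hashed segment (assumed value; real tools choose their own)

def build_manifest(stream, chunk=CHUNK):
    """Hash an image once at acquisition: whole-image digest plus per-chunk digests."""
    whole = hashlib.sha256()
    chunks = []
    while True:
        block = stream.read(chunk)
        if not block:
            break
        whole.update(block)
        chunks.append(hashlib.sha256(block).hexdigest())
    return {"sha256": whole.hexdigest(), "chunk_size": chunk, "chunks": chunks}

def verify(stream, manifest):
    """Re-hash a copy; return (matches, byte offsets of chunks that differ)."""
    size = manifest["chunk_size"]
    current = build_manifest(stream, size)
    changed = [i * size
               for i, (a, b) in enumerate(zip(manifest["chunks"], current["chunks"]))
               if a != b]
    # A copy that grew or shrank shows up as extra or missing chunks.
    if len(current["chunks"]) != len(manifest["chunks"]):
        changed.append(min(len(current["chunks"]), len(manifest["chunks"])) * size)
    return current["sha256"] == manifest["sha256"], changed

# Constructed stand-in for a disk image: 16384 bytes, i.e. four chunks.
ORIGINAL = bytes(range(256)) * 64

def demo():
    manifest = build_manifest(io.BytesIO(ORIGINAL))
    untouched = verify(io.BytesIO(ORIGINAL), manifest)
    altered_copy = bytearray(ORIGINAL)
    altered_copy[9000] ^= 0x01  # a single flipped bit in the third chunk
    altered = verify(io.BytesIO(bytes(altered_copy)), manifest)
    return untouched, altered

if __name__ == "__main__":
    print(demo())
```
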

4. Forensic searches

Using the forensic image, several forensic searches can be done (in addition to the email or document review the company might otherwise undertake). First, an expert can search the device’s “unallocated space” to recover files that the employee deleted – this is often where the most significant evidence is found. Second, an expert can reconstruct past access to file sharing and cloud storage services to determine what, if anything, was transferred in this way. Third, an expert can review different computer files to determine whether and when USB devices were inserted, and what files were moved. The searches are quite different depending on whether the devices are PCs or Macs and the expert must have the relevant skills and knowledge. Again, these files are often an important source of evidence, particularly in departing employee cases.
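On Windows, one of the files an examiner can review for USB insertions is the driver installation log, setupapi.dev.log. The following added example (not from the authors; the log excerpt, device names and serial numbers are constructed) extracts the time each USB storage device was first installed. It shows when a device was connected, not which files were copied to it.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of setupapi.dev.log; all values are made up.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_FlashDrive&Rev_1.00\AA00000000000001&0]
>>>  Section start 2016/02/26 17:42:10.331
     dvi: {Build Driver List} 17:42:10.347
<<<  Section end 2016/02/26 17:42:11.020
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0001\5&1a2b3c4d&0&2]
>>>  Section start 2016/02/27 08:01:55.100
<<<  Section end 2016/02/27 08:01:55.400
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Sample&Prod_Portable_HDD&Rev_0200\BB00000000000002&0]
>>>  Section start 2016/02/29 19:05:03.872
<<<  Section end 2016/02/29 19:05:04.510
"""

HEADER = re.compile(
    r"^>>>\s+\[Device Install \(.*?\) - USBSTOR\\(?P<dev>[^\\]+)\\(?P<serial>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})")

def first_usb_storage_installs(log_text):
    """Return one record per USB storage install section, in log order."""
    records, pending = [], None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:
            m = HEADER.match(line)
            pending = None  # any new section header cancels an unfinished one
            if m:
                # "Disk&Ven_X&Prod_Y&Rev_Z" -> {"Ven": "X", "Prod": "Y", "Rev": "Z"}
                fields = dict(p.split("_", 1) for p in m["dev"].split("&") if "_" in p)
                pending = {"vendor": fields.get("Ven"),
                           "product": fields.get("Prod"),
                           "serial": m["serial"].split("&")[0]}
            continue
        s = START.match(line)
        if s and pending:
            # Timestamp is kept exactly as logged (no time zone attached).
            pending["installed"] = datetime.strptime(s[1], "%Y/%m/%d %H:%M:%S.%f")
            records.append(pending)
            pending = None
    return records

if __name__ == "__main__":
    for rec in first_usb_storage_installs(SAMPLE_LOG):
        print(rec["installed"].isoformat(), rec["vendor"], rec["product"], rec["serial"])
```
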

5. Watch out for privilege

While a company may own and have the right to access an employee’s work devices and work email accounts, that does not mean the employee has waived solicitor-client privilege over any documents or emails found in them. Companies must be very careful to identify and avoid reviewing anything that is potentially privileged. Experts are able to isolate and withhold such material from the company, minimizing the impact on the privilege. If the company is conducting the investigation, it should seek legal advice in this regard.

Case study

A case study (drawing on two recent cases) demonstrates the importance of these principles, and of points three and four above, in particular.

A mid-level employee in the company’s sales division quit his job without warning and immediately began working for a competitor. The company suspected, but did not know for sure, that he had taken confidential information. It identified and quickly isolated his desktop computer, laptop, work email account and mobile device – good first steps.

But then the company’s IT department began searching the employee’s devices and email account, without first making a forensic image of any of the devices (this is not surprising, as creating such images is usually outside the scope of their expertise). As a result, the IT department’s searches ran the risk of destroying or over-writing the very evidence they were looking for. And, although the IT department knew to search for USB insertions, without a forensic image and without proper forensic tools, their search yielded only partial results and inadvertently deleted the remaining information.

It soon became clear that the employee had indeed stolen confidential customer lists, pricing and technical data and that both he and the competitor were using this information to poach the company’s customers. The company therefore brought an injunction to prevent the use of its confidential information and to require the employee and competitor to return it. Although the court granted a partial injunction – prohibiting the employee and competitor from soliciting the company’s customers – it declined to make an order for the return of confidential information. This was for two reasons, both of which could potentially have been avoided if the company had followed the steps set out above.

First, because there was no forensic image of the devices, the company could not prove what information was on them prior to its investigation, nor could the defendants carry out their own forensic analysis on them. Second, although the company could demonstrate that the employee had inserted certain USB devices on certain dates, its investigation had inadvertently deleted any evidence of what was transferred to those devices. Given the frequent and legitimate use of USB devices, the court was not willing to infer that confidential information had been taken.

While the injunction against soliciting the company’s clients was an important victory that “stopped the bleeding,” the weakness of the electronic evidence meant the employee and competitor were able to retain the company’s confidential pricing and technical data.

It does not need to be an expensive and time-consuming process to engage an expert to carry out these key steps. Creating a forensic image and running the forensic searches described above can be done relatively quickly and inexpensively and is essential to ensuring important evidence is properly collected. As the case study demonstrates, failing to do so can seriously prejudice the company’s position going forward, especially if court proceedings are ultimately required.

By contrast, when a forensic investigation is conducted properly, the company has a wide range of options available to it.

If there is evidence the employee has taken or transferred confidential information to a competitor, the company can seek a court order that the information be returned and that the competitor forensically search its computers and servers to delete any information it received. This will prevent any further harm to the company’s interests.

If there is evidence that the employee is breaching restrictive covenants in the employment agreement, such as non-solicitation or non-competition provisions, the company can seek a court order that the employee immediately stop the solicitation or competition. This again prevents any further harm from occurring.

In either case, the court will expect the company to produce objective evidence demonstrating the alleged misconduct and will often require the company to provide the original source of that evidence (the forensic images) to the employee and his or her own forensic expert. 


Aniko Kiss is the principal and lead computer forensic expert at Digital Excellence Forensics Inc. Matthew Law is a litigator at Lax O’Sullivan Lisus Gottlieb LLP.
