If you have given a former employee access to your company’s electronic information by virtue of assigning a desktop or laptop computer and you suspect he or she of having taken electronically stored data, there are several steps to follow to preserve electronic forensic evidence from spoliation.
Assigning another employee to the same computer brings a serious risk of corrupting the data. This can happen by overwriting data in the same location which will replace the data that the former employee had taken or the “tracks” that the former employee had left showing misappropriation of the data. In the event of a trial, it can also result in an expert for the former employee criticizing you — the employer — methods and claiming that the data is so corrupted that it does not stand as proof of anything.
Therefore, if you have access to the hard drive, you should pull the hard drive and secure it in a location where it cannot be tampered. If the drive is in a laptop and there is no absolute need to repurpose the laptop immediately, set the laptop aside in a protected location so that somebody with a level of forensic skill can examine it.
Employers should also take steps to safeguard data in regards to mobile and wireless-enabled cellular devices. If an employee is given use of firm-owned mobile technology, such as tablets and smartphones, steps should be taken to obtain these devices at or before termination. If employees use their own devices, policies should be drafted and enforced regarding firm data on an employee-owned device. Lastly, any remote access connection to the company network should be monitored, and terminated quickly upon departure of an employee.
Pros and cons of using in-house IT staff versus forensic experts.
There are a lot of very talented IT professionals, but they are not necessarily forensic examiners. In a high-stakes case, it is likely worth the expense of retaining an independent forensic expert from the beginning. In-house “experts” are subject to challenge for not having sufficient forensic expertise but also for potential bias since they are employees of the organization. Additionally, if the in-house “expert” does something with the original media that results in its destruction, an employer could be faced with an argument of spoliation of evidence.
One thing that an expert can do for a very low cost but can be very helpful to employers who want to play detective on their own is to “ghost” the storage media (the hard drive or other storage media). The employer should have two identical copies made—one to preserve for later forensic use, and one for the employer to look at to see whether or not any signs of misconduct can be found. Even if the employee has tried to destroy the drive physically, it may still be possible to pull some data from the drive.
Remedies available to employers.
If an employee has taken electronically stored data, then there are several remedies that an employer may pursue. These include the following:
1. Breach of contract claim: If the employee signed an agreement containing a confidentiality clause, then the employer may sue the employee for breach of contract.
2. Statutory claim: Most states have adopted the Uniform Trade Secrets Act (UTSA). That statute typically provides several remedies, including injunctive relief, a claim for damages, a possible claim for royalties, in some instances an award of double damages or punitive damages, and recovery of attorneys’ fees if the misappropriation of the electronic information is willful and malicious.
3. Common law claims: Even if an employer does not have an agreement and is not able to show that the information taken constituted trade secrets, the employer may have a common law claim for conversion of its confidential information.
4. Federal claim: Under special circumstances the organization may have a claim under a federal statute known as the “Computer Fraud and Abuse Act” (CFAA). This statute provides a civil remedy under which employers may sue former employees who intentionally access a computer without authorization or exceed authorized access. When employees are terminated they should be told in writing that they no longer have authorized access to the computer system. The CFAA also allows an employer to sue a former employee who has caused damage of $5,000 or more to the protected computer.
5. Remedies against third parties: In addition to bringing a lawsuit against a former employee, an organization may also be able to sue third parties, including competitors who have received misappropriated electronic information from an employee of a different organization and at the time of such disclosure knew or had reason to know that the electronic data was derived by using improper means or was acquired under circumstances giving rise to a duty to maintain secrecy of the electronically stored data.
In sum, an employer has a number of avenues of relief for misappropriation of electronically stored data but in order to be successful in recovering damages or obtaining other relief, the organization must be able to prove the misappropriation of the electronically stored data and avoid defenses that the data has been corrupted or compromised by the employer or its agents or employees.
Richard Hunt is a partner at Barran Liebman LLP where he practices employment law, including non-competition and trade secrets litigation, and other matters concerning employee theft. Contact him at 503-276-2149 or rhunt@barran.com.