Using Digital Forensics to Protect Trade Secrets

Surveillance Video of Robbery Was Properly Authenticated by Eyewitness
March 16, 2021
Categorical Privilege Logs: Don’t Shoot a Mouse with an Elephant Gun
March 25, 2021

Misappropriation of trade secrets cases are increasingly digital. For example, a former employer may seek discovery of a new employer’s information.  As discussed in “The Gang That Couldn’t Spoliate Straight,” forensic analysis is often necessary.  Craig Ball’s post, “What’s in a Name (or Hash Value)?” discussed some forensic options.

A recent American Bar Association article, M. Kreiter, M. Cook, and R. Lopez, “How Can Digital Forensics Prevent the Misappropriation of Trade Secret and Confidential Information?” (ABA Section of Litigation, Jan. 12, 2021), offers some helpful tips.  As a starting point:

“When employee data theft is suspected, act quickly, consistently, and decisively….”

That axiom is followed by three steps:1) identify the available evidence; 2) preserve it with a litigation hold; and, 3) collect it.

The ABA authors suggest that one area of forensic inquiry is outgoing email.  One of the first things I do is perform a search for emails sent from the employer’s email system to a suspected tortfeasor’s Gmail or any other personal email account.

The authors also suggest looking for unusual log-in activity and database access, as well as large downloads.  In one recent case, I found several days of downloading immediately before the employee quit.  Further, the database was able to pinpoint the geographic location of the downloading, providing evidence to support personal jurisdiction in this forum.

The ABA article suggests that deletion and wiping may provide evidence to support an inference of misappropriation.  For example, a Windows Registry analysis by a forensic expert may prove that wiping occurred.  That analysis may also show whether external storage devices were connected to copy information.

Frequently, a settlement of a theft of trade secrets case will require searches of the malfeasor’s system to identify and permanently remove the stolen confidential information.  As Craig Ball’s article points out, if the employer has collected and preserved its relevant ESI, that may assist in locating ESI on the former employee’s information technology system:  “Forensic examiners track purloined IP using several strategies: among them, searching for matching filenames, hash values, metadata and content.”

Some causes of action are discussed in “The Gang That Couldn’t Spoliate Straight.”