Departing Employees

Protection Basics

What needs protecting? In the case of sales and support staff: customer lists, prospect lists, competitive analysis, product development schedules, features and price lists typically are easily accessible. With engineers: future patents, methodologies, product development schedules, CAD and design files, and algorithms are typically accessible and used frequently. And executives and senior staff have access to all of these assets in addition to business plans, financing, compensation plans, legal defense strategies, financials, and many other proprietary or damaging forms of information and data.

Electronic Evidence

How can you protect the company and what do you look for? First and foremost, the forensic securing of information through the use of proper procedures, utilizing licensed or certified personnel or vendors, is key to avoiding spoliation or unintentional compromise of the electronic files. In some states, collection of electronic evidence must be performed by a licensed individual. Depending on the state, Licensed Private Investigators, attorneys and in some cases trained Certified Public Accountants may be licensed, albeit not trained, nor qualified, to collect evidence. By using a properly licensed vendor, who can be called as an independent expert witness, you can avoid claims of evidence being collected by unlicensed individuals, which in some states carries criminal penalties for both the party securing the evidence AND the person who hired the non-licensed person to do so. In addition to the correct licensing, the party engaged to make the forensically sound copies of the hard drives should be certified. Certification is completely voluntary in this field; however, hiring a certified individual will ensure that a minimum standard of knowledge has been attained by the expert.

So, should companies use their own internal IT people to make forensically sound copies of the hard drives of departing employees? Some companies choose to do just this, and don't run into problems providing that they have adequately trained (and preferably certified) personnel performing the hard drive acquisitions using 'forensically sound procedures.' Procedurally, the collection of electronic evidence should follow similar processes to any other criminal/corporate investigation:

Every step should be documented with the evidence (pristine forensic copies) being sealed and signed.

The computer storage devices should be copied, using a special hardware device that is 'read only,' that will not update or modify the date and time stamps on any file. The copy made at this stage will be an exact bit-for-bit replica of the original drive, including deleted files, unallocated space and file slack, not just a copy of the 'active files.'

Repeat this procedure on all hard drives, Flash Drives, USB drives, and external media. Make a minimum of two copies if you are intending to perform any immediate investigation. The first copy should be 'pristine,' sealed, logged and endorsed by the licensed collector as the forensic copy. A second 'working' copy can be used to perform analysis and used for discovery.

Store the evidence in a secure, appropriate location.

Analyzing the Evidence

Now that the evidence has been 'collected,' what next? Using only the 'working' copy, look for unusual activity such as:

• Unusual large file transfers;
• Unusual files residing locally (like a downloaded customer list from your hosted CRM);
• CAD files on a computer not having the CAD program, or not used as a work station;
• File types not normally used by the individual;
• Large files, especially those with re-cent date stamps;
• Large numbers of files, outside the normal, saved by date;
• Unusual after-hours, weekend, or holiday activity;
• Significant increases in outbound e-mails;
• Link files from writing to CD-ROM or USB drives;
• Recently added or deleted software; and
• Recently upgraded or 'downgraded' software and applications.

Identify and log:

• Password-protected files; and
• Encrypted files.

Special software can then be utilized to:

• Recover 'deleted' files;
• Expose 'hidden' files; and
• Recover temporary files used to copy data to other storage devices.

Check the network and file server logs for the individual for:

• Unusual activity and activity times;
• Large file transfers; and
• Deleted files.

If necessary, check the server backup tapes and restore the files onto another 'working' server.

Once you review the evidence for suspicious 'activity,' and have restored any deleted files, you can proceed sequentially with your discovery process and decide the extent full discovery is required. Procedurally:

• Is there any 'suspicious' activity that calls for further investigation?
• Do the deleted files disclose any evidence or pattern requiring further investigation?
• Upon review of the deleted files, do their contents exhibit any suspicious or intentional behavior for further investigation?

If necessary, all native files (e-mails, word processing and spreadsheet documents, PDFs, etc.) along with their full text, and metadata can be loaded into an e-discovery system for a more complete review and investigation.

While all of this may not be necessary, it is almost impossible to perform if addressed 'after the fact' or without forensic acquisition of the data being performed in short order. When dealing with electronic data, time is of the essence. It is important to note that any time a computer is turned on, a file is accessed, or information is transferred, potentially valuable evidence can be overwritten, sometimes making a prosecution extremely difficult. Similarly, 'deleted' files are not necessarily deleted, but in most cases the file is still on the computer but the 'pointer' to the file has been removed, creating the appearance that the file has been deleted. The space that has been released by the 'deletion' will be re-used by the computer over some period of time ' sometimes very quickly. There are ways to more permanently delete files which more technically knowledgeable individuals may utilize, but it should be noted that in this event ' the act of intentionally and permanently deleting files and activity records, if not performed as a normal activity, would provide inference of intent (see the recent case against Sanjay Kumar, the former CEO of Computer Associates International Inc., who pleaded guilty to obstruction of justice and perjury).

How to Protect Your Company

Have a defined policy for forensic storage declared in your employee manual, just as statements on computer usage and access are addressed. This provides notice to employees of your intended commitment to safeguard company assets, intellectual property and trade secrets.

Beyond agreements and contracts, companies should consider forensically storing copies of departed employees' electronic files, at least those of key executives and 'at-risk' employees, as a safeguard and proactive offensive or defensive insurance against future litigation ' before the electronic records are destroyed. Whether employees' departures are voluntary or involuntary, some may be classified as 'at-risk' employees due to the nature of their jobs, understanding of the law, the employees' intension for starting a competing business, intent to join a competitor, or even their attitude when departing the company.

If you have cause for concern, or if your review of the recent activity of the individual is suspect, a reminder letter of obligation restating the agreements the employee endorsed may be all that is needed to protect the company. If a stronger notice is required, a cease and desist can be sent with specific mention of activities and files providing notice of the company's intention and dedication to protecting its assets.

Should there be a need to litigate, finding evidence of the stolen intellectual property is sometimes as simple as analyzing the ex-employee's home computer and new work computer for evidence of the files owned by the previous employer. Each file on the hard drives has a unique 'digital fingerprint' called a MD5 hash. This fingerprint is calculated using a mathematical algorithm and can be calculated on recovered deleted files as well as active files. Finding files with matching MD5 hashes or 'fingerprints' allows the employer to prove that their intellectual property exists or existed on the ex-employee's home computer, or on the competitor's computer system, allowing for additional defendants to be named in the suit.

Remember, electronic data is volatile. Making a forensically sound copy of the data as soon as possible enhances your chances of prevailing down the road.

Jason Park works as a Certified Computer Examiner (CCE) and Licensed Private Investigator in the State of Texas. He is a member of the International Society of Forensic Computer Examiners, and has been involved in the digital litigation support field since 1994. Park, based in Dallas, is a Director at Litigation Solution, Inc. and can be reached at [email protected].

Most companies have taken care to ensure that new and departing employees have completed Human Resource files with nondisclosure agreements, non-competition agreements (where applicable), invention and assignment agreements and various other agreements, acknowledgements and forms. Are companies doing enough to protect themselves from intellectual property theft by departing employees and consultants?

Typically, departing employees turn in their keys, access cards, and computers on their last day. The keys are reused, access cards destroyed, and the departing employee's computer makes its way back to the IT department to be reformatted and reissued to a new employee. When companies reissue computers without making a forensically sound copy of the hard drive prior to reformatting, they hinder their ability to proactively prosecute theft of intellectual property by departing employees.

Properly securing the original or making forensically sound copies of the computers and storage devices of employees with access to trade secrets and intellectual property may be the best proactive protection against theft. In the case of a pending termination of employees considered to have significant risk, making forensic copies of their computers should be 'standard operating procedure.' This action may be the best defense against theft and misappropriation of assets. Laptop computers, internet e-mail accounts, USB drives, compact flash cards, CD and DVD burners and other technology advances have made copying and removing large amounts of information from a company all but invisible to the eye.

Protection Basics

What needs protecting? In the case of sales and support staff: customer lists, prospect lists, competitive analysis, product development schedules, features and price lists typically are easily accessible. With engineers: future patents, methodologies, product development schedules, CAD and design files, and algorithms are typically accessible and used frequently. And executives and senior staff have access to all of these assets in addition to business plans, financing, compensation plans, legal defense strategies, financials, and many other proprietary or damaging forms of information and data.

Electronic Evidence

How can you protect the company and what do you look for? First and foremost, the forensic securing of information through the use of proper procedures, utilizing licensed or certified personnel or vendors, is key to avoiding spoliation or unintentional compromise of the electronic files. In some states, collection of electronic evidence must be performed by a licensed individual. Depending on the state, Licensed Private Investigators, attorneys and in some cases trained Certified Public Accountants may be licensed, albeit not trained, nor qualified, to collect evidence. By using a properly licensed vendor, who can be called as an independent expert witness, you can avoid claims of evidence being collected by unlicensed individuals, which in some states carries criminal penalties for both the party securing the evidence AND the person who hired the non-licensed person to do so. In addition to the correct licensing, the party engaged to make the forensically sound copies of the hard drives should be certified. Certification is completely voluntary in this field; however, hiring a certified individual will ensure that a minimum standard of knowledge has been attained by the expert.

So, should companies use their own internal IT people to make forensically sound copies of the hard drives of departing employees? Some companies choose to do just this, and don't run into problems providing that they have adequately trained (and preferably certified) personnel performing the hard drive acquisitions using 'forensically sound procedures.' Procedurally, the collection of electronic evidence should follow similar processes to any other criminal/corporate investigation:

Every step should be documented with the evidence (pristine forensic copies) being sealed and signed.

The computer storage devices should be copied, using a special hardware device that is 'read only,' that will not update or modify the date and time stamps on any file. The copy made at this stage will be an exact bit-for-bit replica of the original drive, including deleted files, unallocated space and file slack, not just a copy of the 'active files.'

Repeat this procedure on all hard drives, Flash Drives, USB drives, and external media. Make a minimum of two copies if you are intending to perform any immediate investigation. The first copy should be 'pristine,' sealed, logged and endorsed by the licensed collector as the forensic copy. A second 'working' copy can be used to perform analysis and used for discovery.

Store the evidence in a secure, appropriate location.

Analyzing the Evidence

Now that the evidence has been 'collected,' what next? Using only the 'working' copy, look for unusual activity such as:

• Unusual large file transfers;
• Unusual files residing locally (like a downloaded customer list from your hosted CRM);
• CAD files on a computer not having the CAD program, or not used as a work station;
• File types not normally used by the individual;
• Large files, especially those with re-cent date stamps;
• Large numbers of files, outside the normal, saved by date;
• Unusual after-hours, weekend, or holiday activity;
• Significant increases in outbound e-mails;
• Link files from writing to CD-ROM or USB drives;
• Recently added or deleted software; and
• Recently upgraded or 'downgraded' software and applications.

Identify and log:

• Password-protected files; and
• Encrypted files.

Special software can then be utilized to:

• Recover 'deleted' files;
• Expose 'hidden' files; and
• Recover temporary files used to copy data to other storage devices.

Check the network and file server logs for the individual for:

• Unusual activity and activity times;
• Large file transfers; and
• Deleted files.

If necessary, check the server backup tapes and restore the files onto another 'working' server.

Once you review the evidence for suspicious 'activity,' and have restored any deleted files, you can proceed sequentially with your discovery process and decide the extent full discovery is required. Procedurally:

• Is there any 'suspicious' activity that calls for further investigation?
• Do the deleted files disclose any evidence or pattern requiring further investigation?
• Upon review of the deleted files, do their contents exhibit any suspicious or intentional behavior for further investigation?

If necessary, all native files (e-mails, word processing and spreadsheet documents, PDFs, etc.) along with their full text, and metadata can be loaded into an e-discovery system for a more complete review and investigation.

While all of this may not be necessary, it is almost impossible to perform if addressed 'after the fact' or without forensic acquisition of the data being performed in short order. When dealing with electronic data, time is of the essence. It is important to note that any time a computer is turned on, a file is accessed, or information is transferred, potentially valuable evidence can be overwritten, sometimes making a prosecution extremely difficult. Similarly, 'deleted' files are not necessarily deleted, but in most cases the file is still on the computer but the 'pointer' to the file has been removed, creating the appearance that the file has been deleted. The space that has been released by the 'deletion' will be re-used by the computer over some period of time ' sometimes very quickly. There are ways to more permanently delete files which more technically knowledgeable individuals may utilize, but it should be noted that in this event ' the act of intentionally and permanently deleting files and activity records, if not performed as a normal activity, would provide inference of intent (see the recent case against Sanjay Kumar, the former CEO of Computer Associates International Inc., who pleaded guilty to obstruction of justice and perjury).

How to Protect Your Company

Have a defined policy for forensic storage declared in your employee manual, just as statements on computer usage and access are addressed. This provides notice to employees of your intended commitment to safeguard company assets, intellectual property and trade secrets.

Beyond agreements and contracts, companies should consider forensically storing copies of departed employees' electronic files, at least those of key executives and 'at-risk' employees, as a safeguard and proactive offensive or defensive insurance against future litigation ' before the electronic records are destroyed. Whether employees' departures are voluntary or involuntary, some may be classified as 'at-risk' employees due to the nature of their jobs, understanding of the law, the employees' intension for starting a competing business, intent to join a competitor, or even their attitude when departing the company.

If you have cause for concern, or if your review of the recent activity of the individual is suspect, a reminder letter of obligation restating the agreements the employee endorsed may be all that is needed to protect the company. If a stronger notice is required, a cease and desist can be sent with specific mention of activities and files providing notice of the company's intention and dedication to protecting its assets.

Should there be a need to litigate, finding evidence of the stolen intellectual property is sometimes as simple as analyzing the ex-employee's home computer and new work computer for evidence of the files owned by the previous employer. Each file on the hard drives has a unique 'digital fingerprint' called a MD5 hash. This fingerprint is calculated using a mathematical algorithm and can be calculated on recovered deleted files as well as active files. Finding files with matching MD5 hashes or 'fingerprints' allows the employer to prove that their intellectual property exists or existed on the ex-employee's home computer, or on the competitor's computer system, allowing for additional defendants to be named in the suit.

Remember, electronic data is volatile. Making a forensically sound copy of the data as soon as possible enhances your chances of prevailing down the road.

Jason Park works as a Certified Computer Examiner (CCE) and Licensed Private Investigator in the State of Texas. He is a member of the International Society of Forensic Computer Examiners, and has been involved in the digital litigation support field since 1994. Park, based in Dallas, is a Director at Litigation Solution, Inc. and can be reached at [email protected].