How Metadata Changed the Outcome of a Complex Employment Case

By Victor Vital
December 31, 2013

By definition, metadata is data about data. For computer files, it includes file name, file type, date last opened, date last edited and more. In addition to that kind of file information, which most people can see, there are many more metadata fields that are hidden to typical users. When a file is created or revised, details may be embedded about who created or changed the document, when, on what computer, at what company, what was changed and more. This information can be valuable for a court case, and it goes beyond standard electronic discovery data collection: it must be gathered and analyzed by a digital forensics specialist.

My firm recently represented a company in a complex employment case with non-compete covenants and trade secrets at stake. Although we have extracted metadata in-house in the past, for this case we needed to be absolutely certain the work was done in a forensically sound manner so that we could use it during the trial. We used DSi, an e-discovery and digital forensics company that uses a combination of proprietary and leveraged technology to cover the entire electronic evidence lifecycle, to forensically collect and investigate the digital files for the case because they are this client's preferred national e-discovery vendor.

Background

In this case, a group of key executives left one company (Company A) for another company (Company B) to compete directly with Company A, notwithstanding their non-competition agreements. Company A sued Company B, along with the former executives, for millions of dollars for violating the non-competition agreements, poaching employees and taking trade secrets and proprietary documents to Company B for use against Company A.

At the beginning of this case, we learned that individual defendants from Company B had accessed our client's (Company A's) shared server, individual laptops and other media for information. This made us suspect that the defendants were copying data, but we knew we needed the metadata to demonstrate that the documents were not only taken, but also utilized at and by Company B. The internal footprint that metadata constitutes would have the ability to draw a line between two sets of documents and prove that the defendants stole them from the plaintiff.

Collection and Analysis

We requested electronic discovery, including access to the defendants' computers and media, by DSi. DSi helped us develop a forensic protocol to outline what information would be collected, how to ensure it was done correctly and how to make sure privileged information would not be exposed accidentally.

A DSi forensic evidence specialist traveled across the country to collect data from four defendants' corporate and personal devices, including phones, laptops and desktop computers. The data were brought back to DSi for in-depth analysis.

The forensic investigation began with a general look at the data and a goal of proving that certain files originated with Company A. File listings were created of everything on the devices, including e-mails, communications, Internet history, fileshare sites, connections/removals of other media (flash drives, etc.), and more.

As DSi's forensic analysts drilled down into the data, they found proof of what was taken, copied, transferred and deleted, and when. (The figure below shows what kind of metadata is viewable to any user; confidential information has been blacked out.)

[IMGCAP(1)]

At the same time, the collected data was loaded into DSi's Web-based review platform so we could screen for privilege and request forensic analysis of specific documents that we thought could be pertinent, mostly Microsoft Office documents and e-mails. For example, one defendant's computer had a folder called “noncompete.” Another defendant had a folder explicitly labeled “documents from Company A.”

DSi's forensic analyst looked at the metadata of these documents individually. The analyst was able to interpret the data based on his knowledge of what metadata can be changed, what is inherited when a document is saved as a new file, and more.

DSi looked at the point of origin for relevant files, and this analysis showed files that definitively originated at Company A. (The figure below is an example of the metadata we were able to see; confidential information has been blacked out.)

[IMGCAP(2)]
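The kind of per-document comparison described above, as an added example that is not part of the original article and not DSi's tooling. It assumes the files are OOXML (.docx/.xlsx), where the embedded properties live in `docProps/core.xml` and `docProps/app.xml`; the sample files, user names and dates are constructed, and deciding which matching fields indicate a common origin is left to the analyst.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted evidence, prefer a hardened parser such as defusedxml

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Property part -> {report key: element name}. Both parts are standard in OOXML packages.
PARTS = {
    "docProps/core.xml": {"title": "dc:title", "creator": "dc:creator", "created": "dcterms:created",
                          "last_modified_by": "cp:lastModifiedBy", "modified": "dcterms:modified"},
    "docProps/app.xml": {"company": "ep:Company"},
}

def read_props(data: bytes) -> dict:
    """Extract embedded properties from an OOXML file; absent fields become None."""
    props = {key: None for fields in PARTS.values() for key in fields}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, fields in PARTS.items():
            if part not in z.namelist():
                continue  # a stripped or hand-built file may lack a property part
            root = ET.fromstring(z.read(part))
            for key, path in fields.items():
                props[key] = root.findtext(path, default=None, namespaces=NS) or None
    return props

def compare(a: dict, b: dict) -> dict:
    """Split fields into those the two files share and those that differ."""
    shared = {k: a[k] for k in a if a[k] is not None and a[k] == b.get(k)}
    differs = {k: (a[k], b.get(k)) for k in a if a[k] != b.get(k)}
    return {"shared": shared, "differs": differs}

def make_sample(title: str, last_by: str, modified: str) -> bytes:
    """Constructed OOXML container holding only the property parts (sample values, not case data)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}"><dc:title>{title}</dc:title>'
            f'<dc:creator>analyst.a</dc:creator><cp:lastModifiedBy>{last_by}</cp:lastModifiedBy>'
            '<dcterms:created>2012-03-01T09:00:00Z</dcterms:created>'
            f'<dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>')
    app = f'<Properties xmlns="{NS["ep"]}"><Company>Company A</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()

# Constructed pair: an original and a later, retitled copy saved by a different user.
ORIGINAL = make_sample("Pricing Model", "analyst.a", "2012-06-15T17:30:00Z")
COPY = make_sample("New Pricing Model", "exec.b", "2013-01-10T11:05:00Z")

if __name__ == "__main__":
    print(compare(read_props(ORIGINAL), read_props(COPY)))
```

On evidence files, run this against a verified working copy of the forensic image rather than the original media, and record the hash of each file examined.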

The investigation also revealed that Company B was using proprietary formulas from Company A on Excel spreadsheets. Additionally, DSi found strong circumstantial evidence of file transfers through thumb drives and record of a mass copy on one defendant's computer.

Deleted files also have metadata and, in this case, DSi found deleted documents. One defendant had a second computer that he did not initially turn over for collection. His first computer showed backups of the second computer even though the files were deleted from the first computer he provided for collection. The second computer was shipped to DSi to copy and analyze.

Trial

DSi prepared a report on its findings, and a DSi digital forensics analyst testified at the trial. Using the metadata, he testified about when, where and by whom documents were created and when, where and by whom they were last saved. For example, he was able to prove that one document that originated from Company A's server was e-mailed as an attachment between defendants. The end result was a rebranded version of a proprietary document from Company A. DSi's expert compared the documents from Company A and Company B and explained the metadata to prove the documents were copied.

DSi's forensic analyst also laid out dates to show intent since metadata logs who accessed which documents and when they did so. As a critical witness, DSi's expert testimony included the authors, revisions, who made the changes, when the changes were made and the original author. See the figure below.

[IMGCAP(3)]

Conclusion

The detailed forensic analysis of data and its metadata produced the “smoking gun”: metadata properties revealing points of origin and information about file transfers and revisions. This critical evidence was used in court, and verified by DSi's expert witness, to help win the case. Thanks to the investigation into the metadata, the client was awarded close to $7 million, including punitive damages and attorneys' fees.

It's important to note that not every case involving metadata will uncover several smoking guns as this one did. In this case, the metadata proved that the defendants took contact lists, accounting spreadsheets with proprietary formulas, organizational documents and brochures and pamphlets with advertising copy.

This case proves that e-discovery is not just busy work. The digital forensics evidence that DSi found changed the direction of the case. It is possible for anyone to alter some of a file's metadata, such as the title, subject and authors. However, the metadata critical to this case, including what revisions were made, who made those revisions and when, cannot be changed. DSi's forensic analyst was a critical witness for us because he was able to find this information, understand the implications and explain this information to the court. Not only did it help us win the case, but it was also a big factor when it came time to determine damages, including punitive damages.


Victor Vital is a shareholder of Greenberg Traurig, LLP based in the firm's Dallas office. A trial lawyer who handles a wide variety of cases for businesses, executives and high net worth individuals in court battles across the country, Vital has tried more than 100 cases in his civil and white collar criminal defense practice and as a former state prosecutor. He may be reached at [email protected].
