Defensive Exit Interviews and Records Retention for Departing Employees

 By Jason Park, CCE; ISFCE

 

Most companies have taken care to ensure that new and departing employees have completed Human Resource files with Non-Disclosure Agreements, Non-Competition Agreements (where applicable), Invention and Assignment Agreements and various other agreements, acknowledgements and forms. Are companies doing enough to protect themselves from Intellectual Property theft by departing employees and consultants?

 

Typically, departing employees turn in their keys, access cards, and computers on their last day. The keys are re-used, access cards destroyed, and the departing employee’s computer makes its way back to the I.T. department to be reformatted and reissued to a new employee. When companies re-issue computers without making a forensically sound copy of the hard drive prior to reformatting, they hinder their ability to proactively prosecute theft of Intellectual Property by departing employees.

 

Properly securing the original or making forensically sound copies of the computers and storage devices of employees with access to Trade Secrets and Intellectual Property may be the best proactive protection against theft. In the case of a pending termination of an employee considered to have significant risk, making forensic copies of their computers should be “standard operating procedure.” This action may be the best defense against theft and misappropriation of assets. Laptop computers, internet e-mail accounts, USB drives, compact flash cards, CD and DVD burners and other technology advances have made copying and removing large amounts of information from a company all but invisible to the eye.

 

What needs protecting? In the case of sales and support staff, customer lists, prospect lists, competitive analysis, product development schedules, features and price lists are typically easily accessible. With engineers, future patents, methodologies, product development schedules, CAD and design files, and algorithms are typically accessible and used frequently. Executives and senior staff have access to all of these assets in addition to business plans, financing, compensation plans, legal defense strategies, financials, and many other proprietary or damaging forms of information and data.

 

How can you protect the company and what do you look for? First and foremost, the forensic securing of information through the use of proper procedures and utilizing licensed or certified personnel or vendors is key to avoiding spoliation or unintentional compromise of the electronic files. In some states the collection of electronic evidence must be performed by a licensed individual. Depending on the state, Licensed Private Investigators, Attorneys and in some cases trained Certified Public Accountants may be licensed, albeit neither trained nor qualified, to collect evidence. By using a properly licensed vendor, who can be called as an independent expert witness, you can avoid claims of evidence being collected by unlicensed individuals, which in some states carries criminal penalties for both the party securing the evidence AND the person who hired the non-licensed person to secure the evidence. In addition to the correct licensing, the party engaged to make the forensically sound copies of the hard drives should be certified. Certification is completely voluntary in this field; however, hiring a certified individual will ensure that a minimum standard of knowledge has been attained by the expert.

 

So, should companies use their own internal I.T. people to make forensically sound copies of the hard drives of departing employees? Some companies choose to do just this, and don’t run into problems provided that they have adequately trained (and preferably certified) personnel performing the hard drive acquisitions using “forensically sound procedures.”

 

Procedurally, the collection of electronic evidence should follow similar processes to any other criminal/corporate investigation:

 

  1. Every step should be documented, with the evidence (pristine forensic copies) being sealed and signed.

  2. The computer storage devices should be copied through a special “read only” hardware device (a write blocker) that will not update or modify the date and time stamps on any file. These write blocking devices are made by companies like Intelligent Computer Solutions (ICS). The forensically sound copy is generated by forensic acquisition software like AccessData’s “Forensic Toolkit” or Guidance Software’s “EnCase.” The copy made at this stage will be an exact bit-for-bit replica of the original drive, including deleted files, unallocated space and file slack, not just a copy of the “active files”.

  3. Repeat this procedure on all hard drives, Flash Drives, USB drives, and external media.

  4. A minimum of two copies should be made if you are intending to perform any immediate investigation. The first copy should be the “pristine copy”, sealed, logged and endorsed by the licensed collector as the forensic copy. A second “working” copy can be used to perform analysis and used for discovery.

  5. Store the evidence in a secure, appropriate location.

 

 

Now that the evidence has been “collected”, what next? Using only the “working” copy:

 

 

  1. Look for unusual activity such as:
    1. Unusually large file transfers
    2. Unusual files residing locally (like a downloaded customer list from your hosted CRM)
    3. CAD files on a computer not having the CAD program, or not used as a workstation
    4. File types not normally used by the individual
    5. Large files, especially those with recent date stamps
    6. Large numbers of files, outside the normal, saved by date
    7. Unusual after-hours, weekend, or holiday activity
    8. Significant increases in outbound e-mails
    9. Link files from writing to CD-ROM or USB drives
    10. Recently added or deleted software
    11. Recently upgraded or “downgraded” software and applications

  2. Identify and log:
    1. Password protected files
    2. Encrypted files

  3. Special software can then be utilized to:
    1. Recover “deleted” files
    2. Expose “hidden” files
    3. Recover temporary files used to copy data to other storage devices

  4. Check the network and file server logs for the individual for:
    1. Unusual activity and activity times
    2. Large file transfers
    3. Deleted files
    4. If necessary, check the server back-up tapes and restore the files onto another “working” server
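As an added illustration (not part of the original article), the sketch below applies three of the checks listed above to a working copy: large files with recent date stamps, weekend activity, and after-hours activity. It assumes the working copy is mounted read-only at a directory path; the thresholds, business hours and function name are hypothetical.

```python
import os
import stat
from datetime import datetime, timedelta

LARGE_BYTES = 50 * 1024 * 1024   # assumed threshold for a "large" file
RECENT_DAYS = 30                 # assumed look-back window before departure
WORK_START, WORK_END = 7, 19     # assumed business hours, local time


def triage(root, departure, large_bytes=LARGE_BYTES, recent_days=RECENT_DAYS):
    """Walk a read-only mount of the WORKING copy and flag files for review.

    Returns (relative_path, size, mtime, reasons) tuples, oldest first.
    """
    window_start = departure - timedelta(days=recent_days)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: never follow links off the image
            except OSError:
                continue              # unreadable entry, nothing to inspect
            if not stat.S_ISREG(st.st_mode):
                continue
            mtime = datetime.fromtimestamp(st.st_mtime)
            if not (window_start <= mtime <= departure):
                continue              # only the period before departure
            reasons = []
            if st.st_size >= large_bytes:
                reasons.append("large file with recent date stamp")
            if mtime.weekday() >= 5:  # Saturday or Sunday
                reasons.append("weekend activity")
            elif not (WORK_START <= mtime.hour < WORK_END):
                reasons.append("after-hours activity")
            if reasons:
                rel = os.path.relpath(path, root)
                findings.append((rel, st.st_size, mtime, reasons))
    return sorted(findings, key=lambda f: f[2])
```

Modification times can be altered by ordinary copying or by the user, so each flagged file is a lead for the examiner to corroborate, not a finding in itself.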

 

 

Once you review the evidence for suspicious “activity”, and have restored any deleted files, you can proceed sequentially with your discovery process and decide the extent to which full discovery is required. Procedurally:

 

  1. Is there any “suspicious” activity which calls for further investigation?

  2. Do the deleted files disclose any evidence or pattern requiring further investigation?

  3. Upon review of the deleted files, do their contents exhibit any suspicious or intentional behavior for further investigation?

  4. If necessary, all native files (e-mails, word processing and spreadsheet documents, PDFs, etc.) along with their full text, and metadata can be loaded into an eDiscovery system for a more complete review and investigation.

 

 

While all of this may not be necessary, it is almost impossible to perform if addressed “after the fact” or without forensic acquisition of the data being performed in short order. When dealing with electronic data, time is of the essence. It is important to note that any time a computer is turned on, a file is accessed, or information is transferred, potentially valuable evidence can be overwritten, sometimes making a prosecution extremely difficult. Similarly, “deleted” files are not necessarily deleted; in most cases the file is still on the computer and only the “pointer” to the file has been removed, creating the appearance that the file has been deleted. The space that has been released by the “deletion” will be re-used by the computer over some period of time – sometimes very quickly. There are ways to more permanently delete files which more technically knowledgeable individuals may utilize, but it should be noted that in this event – the act of intentionally and permanently deleting files and activity records, if not performed as a normal activity, would provide inference of intent (see the recent case against Sanjay Kumar, the former CEO of Computer Associates International Inc., who pleaded guilty to obstruction of justice and perjury).

 

 

What is a company to do these days?

1. Having a defined policy for forensic storage declared in your employee manual, just as statements on computer usage and access are addressed, provides notice to employees of your intended commitment to safeguard company assets, intellectual property and trade secrets. 

 

2. Beyond agreements and contracts, companies should consider forensically storing copies of departed employees’ electronic files, at least those of key executives and “at-risk” employees, as a safeguard and proactive offensive or defensive insurance against future litigation – before the electronic records are destroyed. Whether employees’ departures are voluntary or involuntary, some may be classified as “at-risk” employees due to the nature of their jobs, understanding of the law, the employee’s intention to start a competing business, intent to join a competitor, or even their attitude when departing the company.

 

If you have cause for concern, or if your review of the recent activity of the individual is suspect, a reminder letter of obligation restating the agreements the employee endorsed may be all that is needed to protect the company. If a stronger notice is required, a cease and desist can be sent with specific mention of activities and files providing notice of the company’s intention and dedication to protecting its assets.

 

3. Should there be a need to litigate, finding evidence of the stolen Intellectual Property is sometimes as simple as analyzing the ex-employee’s home computer and new work computer for evidence of the files owned by the previous employer. Each file on the hard drives has a unique “digital fingerprint” called an MD5 hash. This fingerprint is calculated using a mathematical algorithm and can be calculated on recovered deleted files as well as active files. Finding files with matching MD5 hashes or “fingerprints” allows the employer to prove that their Intellectual Property exists or existed on the ex-employee’s home computer, or on the competitor’s computer system, allowing for additional defendants to be named in the suit.
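An added example (not from the original article) of the fingerprint comparison described above: it hashes every file under two directory trees, assumed to be read-only mounts of working copies, and reports files with identical content even when renamed, while `verify_copy` applies the same hashes to confirm that a working copy matches the pristine copy from the acquisition steps. SHA-256 is recorded alongside MD5 because MD5 collisions can be deliberately constructed; all function names and paths here are hypothetical.

```python
import hashlib
import os


def fingerprints(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def verify_copy(pristine_image, working_image):
    """True when a working copy is bit-for-bit identical to the pristine copy."""
    return fingerprints(pristine_image) == fingerprints(working_image)


def index_tree(root):
    """Map md5 -> [(relative path, sha256)] for each non-empty regular file."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and empty files: every empty file has the same hash.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if os.path.getsize(path) == 0:
                continue
            md5, sha = fingerprints(path)
            index.setdefault(md5, []).append((os.path.relpath(path, root), sha))
    return index


def match_known_files(employer_root, suspect_root):
    """Return (employer_path, suspect_path, md5, sha256_agrees) per identical file."""
    known, suspect = index_tree(employer_root), index_tree(suspect_root)
    hits = []
    for md5 in sorted(known.keys() & suspect.keys()):
        for k_path, k_sha in known[md5]:
            for s_path, s_sha in suspect[md5]:
                hits.append((k_path, s_path, md5, k_sha == s_sha))
    return hits
```

A single changed byte produces a different hash, so an edited copy of a document will not appear in the results.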

 

Remember, electronic data is volatile. Making a forensically sound copy of the data as soon as possible enhances your chances of prevailing down the road.

 

 

Jason Park

Litigation Solution, Inc.

901 Main Street; Suite C-121

Dallas, TX 75202

214-939-9700 Office

jpark@lsilegal.com

 

 

Mr. Park is a Certified Computer Examiner (CCE) and is a Licensed Private Investigator in the State of Texas.

He is a member of the International Society of Forensic Computer Examiners, and has been involved in the digital litigation support field since 1994.

 

First printed in Volume 14, Number 3 of Employment Law Strategist (R), an ALM publication. Reprinted with permission.