One of the biggest threats to modern corporations involves departing employees who take confidential business information (CBI) and/or trade secrets with them prior to or upon their departure. Indeed, the misappropriation of trade secrets and CBI can cost companies millions of dollars in legal fees, reputational harm, and lost revenue. In recent years, three new trends in the way that companies do business have led to unintended growth in this area of risk. First, companies are creating data at an unprecedented rate and storing that data across a multitude of complex data sources, resulting in most IT ecosystems being three times as diverse as in the prior decade. In turn, departing employees have greater access to larger volumes of business information than ever before. Next, the “great resignation” saw a record number of employees, 24% higher than pre-pandemic, voluntarily quitting their jobs. Lastly, a majority of employees not only admit to taking CBI with them but also defend doing so because they believe that they have a right to documents and information that they designed, created, and/or compiled during their employment. These factors have created a “perfect storm” for the misappropriation of critical and sensitive corporate data. With a few thoughtful strategies, however, it is possible to avoid or mitigate the risks associated with the theft of CBI and trade secrets. This article outlines three such strategies.
Proactive Information Governance
Integrating proactive information governance into corporate policies and procedures is critical because today’s businesses have sprawling IT ecosystems that include a wide variety of data sources. Leveraging these sprawling IT ecosystems, employees have access to information that is not germane to their work responsibilities, which they can access not only in-office but also remotely due to the rise of “working from home” initiatives. Because the movement of data is so frequent and easy, managing data location and access has become challenging, while unauthorized access and theft of data have become easier. Typically, theft of data is the result of either bad actors or employees who do not believe that they are doing anything unethical by taking data that they worked on during their employment.
Fortunately, there is cutting-edge technology available to combat this modern data challenge. For instance, information governance tools can assist companies in identifying the location of their “crown jewels” throughout their IT ecosystem by scanning and cataloging the contents of many data sources at once. Knowing the location of this data allows a company to take at least one of the following actions: (i) remediate legacy data that has confidential business information but no longer serves a business purpose, (ii) reorganize and deduplicate business data in a streamlined manner so sensitive information is only stored in known locations, and (iii) limit the risk of theft by restricting employee access rights to only those documents necessary to their job responsibilities.
Forensic Investigations to Prevent the Spread of Misappropriated Data
Despite an organization’s best efforts to identify and protect its most important data, some employees may still take steps to steal or misappropriate CBI and trade secrets. It is therefore essential that businesses investigate promptly when they have reason to believe a departing employee has misappropriated corporate information. Through early identification, the company can take steps to prevent the spread of that sensitive information before it gets to a competitor’s IT ecosystem. After all, once critical business information lands in a new IT ecosystem, it is extremely difficult to “put the genie back in the bottle.”
Given the complexity of most modern IT systems, a forensic investigation should consider the many different means by which an employee might extricate data. This could include, inter alia, USB thumb drives or hard drives, remote desktop connection, file-sharing sites, and email. Any one of these methods might involve the use of corporate computers, mobile devices, or cloud accounts, each of which retains forensic “artifacts” or markers that can help to identify changes in the volume or location of corporate data. These artifacts can provide direct evidence of actions taken by a former employee on a company device before departing.
It is critical to utilize forensics tools and experts to execute such an investigation. Relying on forensic experts can help to prevent the loss of sensitive information in a way that is controlled and targeted to identify potential theft attempts. The first prudent step in this process is to preserve the employee’s devices, including computers, mobile devices, cloud-based accounts, and user activity logs, using forensic technology. A forensic image or collection also ensures that no digital content or artifacts are altered in any way and allows for existing and potentially deleted data to be recovered from a device or cloud account. It is important to properly preserve such digital information in the event that formal litigation follows the discovery of misappropriation.
Successful Strategies in Litigation
If, despite the foregoing protective measures, an employee has successfully absconded with CBI or trade secrets and litigation ensues, it is critical for the team alleging misappropriation to include forensics analysis in their efforts to procure injunctive relief and to ultimately succeed on the merits. In order to demonstrate misappropriation of trade secrets, the following three factors typically must be shown: (i) secret, economically valuable information left the company; (ii) improper means were used to acquire knowledge of the trade secret; and (iii) a competitor is using or knows the information.
Element two of a trade secret action is critically important, and proving it can be facilitated by forensic experts. Examples of bad actions that would support a claim of improper means could include evidence of, inter alia, downloading files to a personal device or email account, mass downloading or printing documentation, or accessing a competitor’s computer using the company network. Evidence of these actions might be found in emails, USB or hard drive activity, file-sharing or cloud-storage sites, device logs, web browser history, chat platforms, deleted (but recovered) files, and/or local files.
Companies and their counsel should work collaboratively with forensics experts to discover evidence on devices and accounts that could prove that an employee in fact misappropriated CBI and/or trade secrets. Experienced forensics teams have the ability to look for signs across all of the data sources mentioned above. Forensic experts can identify and provide a report of “red flag” activity including the use of external drives, access to restricted files, large data transfers, and sending emails with company data attached to personal email accounts. In addition, third-party forensic teams are unbiased and have the expertise to prevent data spoliation, maintain and record a proper chain of custody, and authenticate any evidence they uncover.
