Employee separation commonly involves investigations, litigation, and eDiscovery. Many employees continue to access information from their employers after separation and almost ¾ of employers report that they’ve been negatively impacted by an employee breaching their digital security.
Many employees also keep passwords, either their own or others, which they can use to take data or monitor activity after their departure. This is a frightening prospect for employers, to be sure, who must also consider the potential for data exfiltration through accounts on third party platforms (such as Salesforce).
Data theft is rife and the vectors of stealing data are numerous, but this doesn’t mean the people that left the company are bad. In fact, as we discuss below, there are times when the removal of data was unintentional, and times when the removed data doesn’t result in easily quantifiable damages. Often there’s some analogies to a domestic relations case in the sense of betrayal, anger, and resentment on all sides.
Employee Separation Event
The players in any given employment separation investigation are the old employer, the new employer, the employee, and HR/IT/Management. The best way to prepare for employee separation is to have a robust set of procedures in place for return of the company technology, reminders not to destroy information, and reminders about NDAs and non-competes.
It can be difficult to account for all the possible external devices, but it’s crucial for employers to do so before and during the exit interview – because afterwards, it’s much harder to find and request such devices. The exit interview can also provide information about where data might be that the employer doesn’t know about. Exit interviews can be treated much like custodial interviews, so consider using a similar template.
It is also critical to address the separation between personal data the employee intends to take vs. company intellectual property. Some employees may not know the difference, or think they are entitled to certain data. Clarity is the key here.
Since the timing of document transfer is a crucial point in most employee separation events, it’s important to understand that created, modified and accessed dates are very context-sensitive.
A file’s last accessed date of a file can be updated by Windows, antivirus application, or other activity that may not be user-generated. “Created” typically means created onto the media where it was copied (in Windows), which could be important in a data theft investigation.
The party bringing the action can help the investigation tremendously by flagging items that are the “keys to the kingdom” – the most important items that were taken. Examiners will come across many thousands of files in the course of a case, but when it comes to showing damages, it’s important to know which of the files were actually harmful from a Plaintiff’s perspective.
Possible Scenarios
There are four possible scenarios from a data removal perspective: data loss that is not malicious, believed data loss that did not occur, bad actor who hid the data loss, and conspiracy to take data. Non-malicious data loss includes taking personal information, whistle blower actions, accidental removal of data, or someone who believes that their former company may owe them money. Conspiracies are far less common than believed and the most difficult to investigate.
The most commonly seen situations in forensics investigations are where the employer believes that was data loss and the bad actor situation. In the latter, those that wish to hide their actions typically come in after hours, connect a recently obtained personally purchased device, email key documents to their personal account, or make efforts to cover tracks (data hiding or mass deletion). In the former, someone may have simply dragged and dropped a set of files thinking more about their family photos rather than thinking it’s about the employer information – it’s the difference between a kick and a stumble.
The digital forensics is essentially the same for all these scenarios, with the exception of the conspiracy. There, the investigators must show how all the parties relate together, usually with text messages and other information sharing. These are long, complex investigations that require time and resources that standard cases do not.
Litigation and Damages
The standard for forensics evidence needed for a temporary restraining order vs. an injuction is the court’s belief that there is potential for irreparable harm. When seeking a TRO, it’s necessary to show the court that unless it acts immediately to stop the destruction or loss of evidence the irreparable damages will be beyond money. In order to mature those TROs into an injunction requires a hearing. Mediation is typically not seen until further down the line in the discovery phase when both sides have learned more.
It’s very important to determine early what the end game will be, and what the client hopes to gain. Common options are money damages, preventing an employee from assisting the competitor for a period of time, or just something to ease the pain of the betrayal.
As forensics professionals, we ask the lawyers whether their clients really want to go the distance on remediation from data theft. It is a very expensive process, and common requests are to “destroy everything they took” or “agree to allow a third party company to delete data.”
Remediation ties a neat bow around the work a forensics examiner has done identifying stolen data and how it has radiated through an organization. On the other hand, it’s one of the most futile undertakings it’s a way to make everyone feel better. At expense to the Defendant everything on one devices may be deleted, but it only takes one thumb drive to undo all that work. Also, time is not on anyone’s side because data has a lifespan. Pricing from 2024 may be significant and secret but 2021 pricing stolen in a case that has taken it’s time may not be very valuable. Because old data doesn’t have the same kind of foothold, the angry client willing to do whatever it takes to stop the travesty may not feel that way two years later.
Conclusion
Forensics examiners are brought in to prove someone stole data, but these cases are defensible. You can lose a battle on taking the data and win the war, which is being able to demonstrate that it was no harm but a minor foul. It’s not just proving that the departing party was innocent but proving that the employer wasn’t an unwitting benefit or victim and that other people weren’t complicit. The more serious challenge in these types of investigations is being able to show that it wasn’t done under the auspices of the new employer and that the damages were little or none.
Resources
Note that there are a few resources available for some of the items we’ve talked about here: · First Responder’s Guide to Employee Data Theft · Drafting Digital Forensic Examination Protocols · Annotated ESI Protocol
Avansic and Dr. Manes would like to thank Craig Ball for his contributions.
[View source.]
