On January 5, 2023, the Federal Trade Commission (FTC) proposed a new rule that would prohibit new and require the rescission of all non-compete agreements as an “unfair method of competition.” The proposed rule defines a non-compete agreement as “a contractual term between an employer and employee that typically blocks the employee from working for a competing employer, or starting a competing business, within a certain geographic area and period of time after resignation or termination.”

The public comment period closes in April and, at the time of this article, more than 9,300 comments had been logged.

Should the rule become final, employers will no longer be able to rely on contractual non-compete language to seek judicial relief when a former employee begins working at a competitor or starts a competing business. Instead, companies will need to establish that the former employee breached confidentiality agreements or trade secrets laws when litigating against former employees in a competitive landscape. In turn, it will be increasingly important for companies to identify and present evidence of specific wrongdoing by the departing employee, such as misappropriation of company information.

Some businesses already follow a formal process to investigate potential misappropriations by departing employees that includes preserving the employee’s computer and conducting a forensic review of their download/upload and file-share history. However, most companies do not do this and instead, when an employee departs, IT simply wipes and re-issues corporate hardware and document storage account credentials without further thought. This process not only overwrites any evidence that the previous employee accessed or misappropriated confidential information but effectively precludes successful litigation in the future.

When data is suspected of leaving an organization, the evidence is usually contained in the former employee’s digital fingerprints—their computer logs that record their activities. These logs contain lists of what storage devices or printers were connected, what files were last accessed, internet histories, file transfer and activity reports, backup logs, etc. These logs are highly susceptible to being overwritten, so when this type of theft is suspected or when evidence of this type of activity becomes apparent to IT, the computer should be immediately preserved and forensically imaged.

What happens when companies find forensic evidence of misappropriation?

In April 2022, the Northern District of Illinois provided a roadmap of what may happen in a post-non-compete world. Caramel Crisp LLC v. Aisha Putnam is a trade secret matter where Putnam was fired for issues unrelated to misappropriation. During the process of redeploying Putnam’s computer for use by another employee, the plaintiff discovered that Putnam had emailed herself and downloaded thousands of confidential business documents to a portable drive. Nevertheless, Caramel Crisp pursued its routine hardware reissuing process, including reissuing the defendant’s computer to a new user. Only subsequently was the relevant computer forensically preserved.

During discovery, the computer was turned over to Putnam for her expert’s forensic analysis. That analysis revealed that more than 39,000 files had been modified by Caramel Crisp after Putnam’s last day of employment and that Caramel Crisp had inadvertently overwritten the computer’s system logs associated with Putnam.

Armed with evidence of a failure to preserve, the defendant sought spoliation sanctions against the plaintiff. While Caramel Crisp successfully overcame the spoliation motion on the grounds that at the time the defendant’s computer was reissued, the duty to preserve had not yet been triggered, the court did permit the defendant to present evidence to the jury of the file deletion by Caramel Crisp, which risked undermining the plaintiff’s credibility with the jurors.

Takeaways:

1. The duty to preserve is not triggered until the investigating party uncovers wrongdoing and has a reasonable anticipation of litigation.
2. IT personnel need to be cautious and obtain a forensic image of any device when suspicious or actual evidence of misappropriation is uncovered or suspected.
3. A motion for sanctions under FRCP 37(e) may fail because the duty to preserve may not be triggered, but admissibility, reliability, authenticity, and weight-of-the-evidence challenges should all remain as potential options.

Counsel at Redgrave LLP, Josh Hummel, dissected the Caramel Crisp matter in “Navigating eDiscovery Concerns When Investigating a Former Employee’s Devices for Potential Trade Secret Misappropriation or Other Misconduct” and subsequently drew the corollary to the FTC rule in preparation for a live CLE webinar, “Strategies for Non-Compete and Trade Secret Matters,” on April 14.

Instead of relying on a non-compete clause, what can organizations do to protect their rights when they believe a former employee is competing unfairly through misappropriated business information?

In-house lawyers and IT teams need to be trained on a protocol to follow when suspicious activity or wrongdoing is discovered or suspected during the hardware redeployment process. Most importantly, when suspicion of this activity is found, IT should immediately stop and forensically preserve the departing employee’s computer and other data sources (e.g., email accounts, online data repositories, etc.).

Companies may also want to consider looking at their information governance programs for relief. A robust information governance program addresses all company assets and identifies, moves, deletes, or encrypts sensitive information. The principle of least privilege means that a user is only provided privileges that are essential to that person’s work. Only those employees that need the most sensitive or confidential information should have access, and that access should be locked down and secured in virtual data rooms.

Companies may also want to consider implementing an employee departure program to forensically investigate whether departing employees are taking confidential business information with them. This step must be taken before IT redeploys hardware assets or business account credentials to allow a digital forensics examiner to investigate artifacts of misappropriation and suspicious activity.

Should this FTC rule become final, organizations will need to rely on technology along with IT and digital forensic professionals to find evidence of misappropriation before litigating against a former employee that may have joined a competitor or opened a competing business.