Although discovery in employment cases tends to be lopsided, with the bulk of the discovery burden resting on employers, computer forensics and eDiscovery projects can be handled in a cost-effective and defensible manner to control costs. Focused forensic analysis coupled with efficient collection and review will make the discovery burden lighter and the cost of investigating an errant employee’s digital conduct more manageable.
Using computer forensics begins early in a matter, either when you first become aware of a potential claim against your company or when an employee’s misconduct is first discovered. Properly preserving the right data early – such as taking out of service a computer used by an employee who may file a claim or is suspected of misconduct – is inexpensive insurance and can save you money in the long run. If the need to review the system later arises, evidence will not have been lost. When terminating a key employee, it’s advisable to preserve all their data either offline or online for a time. This will leave the option open should the need to analyze their computer activity later arise and will save the expense of having to collect from inaccessible sources.
If the computer used by a former employee is issued to someone else, evidence you may later need could be lost. Simply turning on a computer causes the system to run programs and update files that may overwrite deleted data. A new user accessing files and changing data on a system may create new activity, and an employer may have to pay a forensic expert to interpret which data belonged to whom at a later date, which can be costly. The more a system is altered from the time the former employee last used the computer, the more work must be done – and the more you will have to pay a forensic analyst for her time.
Depending on the type of employment case you are involved in, preserving the right data may involve a backup of a single computer or perhaps more. In trade secrets cases, for instance, a plaintiff will likely investigate a user’s computer, his or her email, file server data and perhaps other types of systems. If the trade secret is a client list, perhaps a customer relationship management (“CRM”) database must be preserved and later queried during discovery and/or used for evidence of the suspected theft. Preserving the right data and focused forensic analysis early is the key to saving costs.
When a senior salesperson resigns and you later learn he is calling on key accounts to entice them to a competitor, his preserved hard drive may yield important evidence. In anticipation of leaving, an employee may use non-company email accounts to send client lists or other data to a personal account. Ubiquitous cloud storage and sync services, with most providing some level of storage for free, allow users to simply select a folder on their computer, and any file placed in that folder will sync with other remote computers or with their cloud account. DropBox, SugarSync, Google Drive and many others offer such options. Forensic analysis of that former salesperson’s company computer may also show that a USB device was introduced to the computer in the days leading to his resignation and that certain files may have been copied to the USB drive. A forensic image backup will be done before analysis is performed to freeze the condition of the data on the drive and allow for the use of forensic tools for this analysis.
From the forensic backup an analyst can apply filters to identify user-created files, apply date filters, and otherwise search or cull the data to reduce the volume that is submitted for eDiscovery processing. Work done by computer forensics analysts is generally at an hourly rate and should involve people time, not machine time. This will normally reduce the cost of processing data. Unless the hard drive is very large, the data is complicated, and the filtering is complex, usually this will not involve a large amount of analyst time to prepare the filtered data for processing into a legal review system.
The stakes in your cases will dictate the resources you need to apply to computer forensics and eDiscovery tasks. A single midlevel employee with a potential claim will warrant a much more narrow approach than will the suspected theft of your company’s latest design information by employees who start a competing firm. In either case, a focused set of protocols is a must.
Peter Garza is the Managing Director Forensic West, Legal Services at DTI. Peter Garza has worked as a consulting, testifying or neutral expert on hundreds of civil litigation cases. Previously he worked as a Special Agent with the Naval Criminal Investigative Service specializing in computer forensics.