When is the optimal time to engage a digital forensic investigative expert? Some of the most successful lawyers engage our team as early as possible. For inside counsel, it’s when they first believe they have risk, such as the scenarios listed in our previous post regarding departing employees. For outside counsel, it could be as soon as they’ve cleared conflict checks and are engaged by the business that was victimized. While it’s more work at the beginning, it pays off in multiples when crucial evidence is secured and specific details are discovered, such as the involvement of other employees and 3rd parties. This type of evidence provides an advantage when crafting a complaint or petition, or to reference in a demand letter or a preservation notice.
Another reason to move fast is that the data proving the act of data theft has a short shelf life when on company devices, particularly if left in service or repurposed. You should consider all devices used by the employee(s) including laptops, smartphones and external storage devices, regardless of whether they were company issued. Many cases involve personally owned devices used to steal company data, such as thumb drives, NAS drives or automatic backup systems on home routers or servers, DVD or CDs, and small compact flash cards. This also includes those devices that are not so easily taken “offline” like Dropbox, Office365 email accounts, Gmail accounts, other cloud storage accounts and online accounts associated with a smartphone, like Apple’s iCloud. Securing the individual devices is simple enough but you need to make sure the devices are not still connected. This means shutting down the laptop and ensuring the smartphone is in Airplane mode to prevent remote changes. Also make sure you get the passcodes from the departing employee, especially the password for the smartphone. The online accounts should be disabled and proper credentials noted so that a copy or snapshot can be remotely acquired. Doing all of this quickly not only locks in valuable evidence necessary to prove the wrongdoing but will allow the forensic investigator to quickly uncover additional devices and accounts (USB drives and online accounts) that may have been used. As mentioned earlier, this may also reveal others involved in the data loss that need to be considered. While many people steal data on their own, there is an equal amount that do it in conjunction with others, especially if the plan is to set up a competing entity.
Consider the impact of waiting to engage a forensic investigator. When we are engaged late in the game, we often find memory on devices has been altered or eliminated or data has changed or is no longer in existence (devices lost or reissued to other employees) and online accounts have been altered or deleted altogether. While a good forensic investigator can pull disparate pieces of digital artifacts together to help a case at any stage, having clean evidence early in a case can provide powerful facts.
Equally as important in the early engagement of our services is that more often than not, we are instrumental in the acquisition of additional evidence of wrongdoing, especially if litigation is in play and there is opposing counsel to contend with. If we can quickly find references to additional pieces of evidence that we don’t have in our possession, we can present this evidence to compel the other side to produce these additional items.
In summary, consider engaging a forensic investigator early. Have the facts upfront and the ability to quickly refute claims by the opposing party or their alleged “expert.”
In our next series of this blog, we will look at locating evidence that can tip the scales in your favor.