by Steven F. Rosenhek and David A. Ziegler, partners, Fasken

You are the general counsel of A, a large Canadian company.   

Early one morning, you receive a telephone call from the general counsel of B, a competitor of A. She is calling as a courtesy to inform you that a process server is on his way to your office to serve you with injunction motion materials.  She tells you that the materials allege that one of A’s employees (and a former employee of B), Sam Sneed, took confidential information from A and has been misusing it while working for B 

The following synopsis should allow you to “hit the ground running” by providing you with an overview of the steps you will need to take in conjunction with your external counsel to direct the forensic investigation necessary to defend the company’s interests. This necessarily involves understanding what confidential information was taken, how it was circulated and/or used,  and what is necessary to do to contain any damage and take remedial action. Given that proceedings for misuse of confidential information are often hard-fought and involve high reputational and financial stakes, having carried out the most effective forensic investigation and remediation will be crucial  to success in defending your company’s position. 

Forensic Investigation  

(a) - Immediate Steps
You have called your outside counsel. They will engage an e-discovery vendor, or an IT forensic investigation firm, on your behalf.  They will also implement a plan of action, with the following key steps to be undertaken immediately. (These steps will be informed, of course, by the information contained in the motion materials you have received.) 

First, it is essential that Sam Sneed needs to be interviewed. He should not be given advance warning of the interview (to avoid his trying to delete the sensitive information, which would only worsen the company’s position). 

For an effective interview, you need to appreciate the many ways in which confidential information can be collected.  You will want to learn, through focused, effective questioning, whether Sam has collected B’s confidential information in some or all of the following main ways, which are typical in these situations:

  • forwarding email chains between himself and his former colleagues at B to his personal email account (e.g. Gmail);
  • attaching confidential data to emails he sent to his personal email account; 
  • transferring confidential data to personal external hard drives and/or USB keys; and 
  • printing confidential documents to take with him.  

You also need to understand how confidential information is spread, and appreciate how quickly A could have become infected with B’s confidential information. Some of the ways this happens are: 

  • sending emails containing information to fellow employees; 
  • sending sensitive documents to fellow employees as attachments to emails; 
  • sending extracts from B’s confidential documents in emails; and 
  • posting B’s confidential information on A’s shared network drive, which employees view and either send to each other by email, or input into documents they create. 

It will be important to ask detailed questions about all of the above and obtain precise, specific answers about what documents were taken, where they were stored, in what form, and how they were circulated or shared with other employees of A.

You should also have a litigation hold notice on hand to give to Sam before he leaves the meeting, making it clear to him as per the notice that all relevant information and documents need to be preserved, and that no confidential information should be used going forward. Have a representative from A’s IT group ready to collect his company devices immediately, including his laptop, smartphone and any other mobile devices. Either before (if there is time) or during the meeting with him, have a representative of IT save a copy of his emails, and a copy of his company shared network drive file, should one exist. After the meeting, walk with Sam to his office and have him identify and hand over any hardcopy documents he admits to taking. Bar him from returning to his office until a search has been carried out of his office for any suspicious documents, hard drives or USB keys. Consider whether you need to retrieve his home computer or other devices. If he is willing to cooperate, and does not argue that the company has no right to confiscate and review such devices, have him accompanied by a forensic consultant or lawyer (to ensure a chain of custody) to his home to retrieve any relevant devices. 

Second, you will need to interview anyone with whom Sam has admitted to sharing information. However, regardless of what Sam says, you should interview the relevant people with whom you believe confidential information may have been shared (start with those in his department or business unit, and those with whom he regularly interacted, and expand the group based on what you learn). Give litigation hold notices and directives not to use B’s confidential information to those employees and anyone else you believe may have received confidential information as soon as possible after your interview with Sam. You cannot rely on the accuracy of what Sam and his fellow employees tell you. They are scared that they will lose their jobs if they admit involvement or culpability and will likely underplay the situation. Your external lawyers may advise you to send all employees of a department,  business unit, or even the entire company litigation hold notices and directives not to use confidential information from A’s competitors.1 

(b) - Next Steps
Third, you will have to identify and contain the confidential information as quickly as possible to prevent it from being further spread or used. Your IT forensic consultant or e-discovery vendor will assist you in collecting: 

 (1) company devices from each employee who likely received confidential information; 
 (2) email files, both on the active exchange server and anywhere else they may be stored at the company; and  
 (3) data collected on a shared network server. 

It may be recommended that you collect relevant company cell phones as well, though generally speaking it is rare for emails to be stored on phones. 

At the same time as you collect electronic devices, you also need to collect any hard copy documents your employees received from Sam or created using Sam's information. 

Data collection is essential but very expensive. E-discovery vendors typically charge $125-$150/GB merely to process the data. The charges can add up to hundreds of thousands of dollars, depending on the volume of data. 

(c) - Challenges and Complicating Factors in Data Collection
One common complicating factor relates to the use of personal email accounts. You may learn that Sam or some of his colleagues have used private email accounts (such as Gmail) for company business. As a result, B’s information may  be located on servers over which A’s IT group does not have access or control.  If so, you should ask those employees for permission to access their private accounts, or at a minimum ask them to review the accounts, and forward to your forensic investigator or e-discovery vendor anything relevant to the inquiry, and then delete that data. Ideally, they should attest to the fact that they have done so.2  

One major challenge to consider is disruption to employees’ day to day job responsibilities while collecting their devices for the purposes of the investigation. If you take an employee’s laptop, issuing a replacement containing all the same information provides them with an opportunity to use and spread the confidential information all over again, and therefore must be avoided. If you provide a clean laptop, the employee will (at least temporarily) lose access to important material that they require on a day-to-day basis. Unfortunately, such disruption is unavoidable. 

 (d) - Manual Review
It will be necessary to decide how to identify and remove the information which has been circulated. A manual review, using search terms, of all of the data files collected is by far the most effective, but also most costly, approach. 

One way to manage a manual review is to begin by reviewing Sam’s files and emails. That will provide a good initial understanding of what he circulated and to whom, and the search can be expanded as required from there. Of course, it is important to keep in mind that Sam could have deleted his sent emails, so it may not be a complete picture. Ask A’s IT group to determine whether they can recover any emails Sam deleted since he joined the company.  

(e) - Modern Processing Tools
There are also modern processing tools that can assist in the identification and removal of the offending information. The most basic is duplicate searching.  If you know which of B’s documents were taken by Sam, you can run a one to one match against the data that has been collected to determine whether such documents are located as attachments to emails, saved on laptops, or in the shared drives, of any of A’s employees.  

Another tool is near-duplicate searching. If, for example, one of A’s employees received a confidential document and then tweaked it a bit before sending it on, you can still locate it using this type of search. You determine the match threshold, whether it is a 10% match to the confidential document or an 80% match. The lower the match, the more false positives you will have to weed through. 

There is also email threading. If, for example, you know that Sam sent an email containing confidential information to a colleague, and you want to know if that colleague thereafter sent it elsewhere, email threading will provide the answer. It collects all chains and provides complete sets, letting you know if that email is located in any other chain. There are different types of email threading techniques, though, so ensure that your e-discovery vendor is not merely collecting like-emails using subject titles, which will not provide a full universe of relevant emails. 

Another potentially useful tool is timeline analysis. Your e-discovery vendor can provide a timeline listing communication between Sam and all of his colleagues. Using this information, you can prioritize chronological clusters of emails or other communications exchanged to determine whether Sam circulated confidential information.

(f) - Removal of Confidential Information
It is essential that you ensure that the confidential information you have identified is no longer accessible by A’s employees. 

A’s IT group will need to work closely with either the IT forensic consultant or e-discovery vendor you hired to ensure that everything that was identified as B’s confidential information has been rendered inaccessible. This will likely require an onsite visit. 

Of course, it is vitally important that before anything gets deleted, you have ensured that it is preserved so that you can meet any discovery obligations.