Defendants in Trade Secret Case Try to Trick Court by “Re-Naming” Their Computers Prior to Presenting Them for Computer Forensics Analysis

The Background
A Fortune 500 technology company filed suit against a Chinese-based competitor and a number of former employees for misappropriating “3G” wireless technology. After many months, the defendant was ordered by the Judge in Federal Court to produce three computers that were believed to contain critical and responsive Electronically Stored Information (ESI). The defendants reluctantly complied after weeks of debate and challenges.

The Allegations
Source code was at the heart of the dispute. The plaintiff had reason to believe that their former employees (all wireless technology developers) had misappropriated code by emailing it from the plaintiff’s workplace to their home computers and new work computers, as discovered by internal corporate security immediately after the employees departed. The only way to determine what happened to the code was to perform computer forensics analysis of those machines. During previous disclosures, those computers were identified by the users as having specific “names” (e.g., the “Tan1 Computer”).

When the computers were finally produced, it was quickly discovered that the users had produced the incorrect computers and had tried to cover their tracks by “re-naming” the produced computers within the computer’s system registry to make it look like they were complying with the court order. The defendants had essentially provided “decoy” computers. Beyond that, the defendants had manipulated the computer’s internal clock and used an evidence “erasure” product to try to remove files. By altering the computer’s clock (and then trying to remove the associated system log evidence), the users were attempting to create the illusion that the files had been removed several months ago rather than just hours before the computers were presented for analysis.
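One way an examiner can test for the clock manipulation and log removal described above, shown as an added example that is not taken from the case or its tooling: it assumes a log whose record numbers are assigned in write order (as Windows event log record numbers are), so a timestamp that jumps backwards between consecutive records, or a hole in the numbering, stands out. The sample records and dates are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: (record number, timestamp written with the event).
# Record numbers follow write order, so they keep counting up even when
# the system clock is set back.
SAMPLE = [
    (1001, "2010-06-14T09:12:05"),
    (1002, "2010-06-14T09:15:40"),
    (1003, "2010-01-20T22:03:11"),  # clock set back about five months
    (1004, "2010-01-20T22:04:02"),
    (1007, "2010-01-20T22:31:47"),  # records 1005-1006 are missing
    (1008, "2010-06-14T10:02:19"),  # clock restored
]


def analyze(records, tolerance=timedelta(minutes=5)):
    """Return (rollbacks, gaps) for records ordered by record number.

    rollbacks: (previous id, current id, how far the clock moved back)
    gaps:      (first missing id, last missing id)
    """
    rows = sorted((rid, datetime.fromisoformat(ts)) for rid, ts in records)
    rollbacks, gaps = [], []
    for (prev_id, prev_ts), (cur_id, cur_ts) in zip(rows, rows[1:]):
        # A later record stamped earlier than its predecessor means the
        # clock was moved back between the two writes.
        if prev_ts - cur_ts > tolerance:
            rollbacks.append((prev_id, cur_id, prev_ts - cur_ts))
        # Skipped record numbers are consistent with removed entries.
        if cur_id - prev_id > 1:
            gaps.append((prev_id + 1, cur_id - 1))
    return rollbacks, gaps


if __name__ == "__main__":
    rollbacks, gaps = analyze(SAMPLE)
    for prev_id, cur_id, delta in rollbacks:
        print(f"clock moved back {delta.days} days between "
              f"records {prev_id} and {cur_id}")
    for first, last in gaps:
        print(f"records {first}-{last} missing from the sequence")
```

The tolerance absorbs small time-synchronisation corrections; file activity stamped inside a flagged rollback window should be treated as having an unreliable date.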

The Result

The Take-Aways

  1. Policy. Consider issuing a company policy prohibiting employee use of third-party data storage sites. Require employees to back up their data ONLY on company-provided file servers.
  2. Preserve. Always preserve a terminated employee’s computer when you suspect trade secret theft or other wrongdoing. Do not re-issue these computers to other employees until and unless you know that the departing employee has no bad intentions. Consider performing computer forensics on these computers when suspicions are high. The installation of third-party hosting software almost always leaves remnants of file transfer activity behind, including the dates it was installed and any efforts to “un-install” it to remove evidence. This recovered user activity can be critical to proving your case.
  3. Proactive. Remember the power of an exit interview for employees who resign under suspicious conditions. An exit interview can be an ideal time to remind an employee of their obligations under their non-compete and handling of company confidential information policies (or a perfect time to have the departing employee sign a policy if they have not done so). These interviews are also excellent opportunities to “lock in” statements from a departing employee who indicates he has no intentions of directly competing with you. Judges have taken a harsh stand against employees who are deceptive during these interviews when it is later determined they had sinister plans.