Intellectual property theft is often linked to cases of redundancies or team moves, where an employee leaves the company, taking with them sensitive documents such as business plans, customer information, or financial results. The employee will then offer a next employer this IP or will use it to start a competing business.

For obvious reasons, cases of IP theft have risen during the recession, which means law firms’ clients need to have in place sound employment contracts and policies which are routinely reviewed and can justify subsequent action to prove wrongdoing. Law firms need to be aware that a company’s electronically stored information (ESI) is likely to be stored in a variety of devices, all of which have the capacity to hold large amounts of data. Laptop computers present the most obvious and frequently used method for this but employees are also utilising other means of data storage such as USB memory sticks, tablets, digital cameras, iPod/MP3 players and smartphones and cloud storage all which can pose serious difficulties for a company trying to ensure a secure environment.

To really understand the power of these devices and the risks they pose, consider that just 1GB of storage capacity equates to roughly 30,000 pages of data. Moreover, many of these devices are widely available both easily and cheaply.

Most clients’ employees will have easy access to one or many of these devices and used with the wrong intentions, are capable of breaching company policy and pose a potential security nightmare. But what would motivate their employees to take data? Many cases of data theft occur when an employee leaves or plans to set up a rival business, taking with them important customer information and company sales data. More prosaically, many employees consider files that they have worked with as their own and do not consider it to be theft. In a survey carried out by Prefix IT, 30% of workers believe sales leads/business contacts are rightfully theirs.

Indeed, a typical case of IP theft is when a sales team of a manufacturing or chemical company decides to defect to the competition, perhaps just in time to coincide with a major marketing push by their current employers. They take with them not just contact details for customers, but also details of contracts and renewal dates, as well as an outline of what has been ordered in the past and plans for the new products.

In many cases, law firms’ clients may not be aware of the loss of customer data until people leave. We have known some instances when soon-to-be ex-clients have entered the office at the weekend, unchallenged by security staff who recognise them and are unaware of their planned activities. So what can your clients do to protect themselves, and how should law firms be prepared to advise them?

Computer forensic investigation

When an employee is suspected of wrongdoing it is likely that their computer will be looked at. A well-meaning manager or HR team member will typically ask their IT team to ‘take a look’ to retrieve the evidence of wrongdoing. Although the intention is genuine, most IT departments are not equipped with the necessary tools or expertise to perform intricate computer forensic examinations and extract this valuable evidence without compromising its quality. Even just a ‘small poke around’ can be enough to overwrite or destroy it, and this in turn can then jeopardise the entire case.

To preserve the data in its original form, it is vital that a company employs the correct techniques to extract and piece together key evidence in order to determine a clear chain of events leading to the transfer of data. Imaging the hard drive is the first step. The computer must not be switched on.

This process of ‘imaging for preservation’ ensures that your client will have a copy of a hard drive stored for future use if needed. It also means that you can put an ex-employee’s computer back into company circulation knowing that a complete copy of its history is available in archive. This can include scope for the covert imaging of a current employee’s machine as a pre-emptive measure should you think that he or she may be currently engaged in wrongdoing.

Companies are now routinely performing this process for key positions/departments which are considered to be of particular risk to protect themselves against the following scenarios:

  • An employee leaves, deleting company information that may be useful or ‘mission critical’ to the business.
  • An employee leaves and six months later starts a new business in competition and corporate clients start to defect.
  • An employee is dismissed, claims harassment, bullying and unfair dismissal.

In these scenarios a copy of the hard drive is available to perform a post-event investigation, if required. A forensic investigator will consider:

  • What systems the suspect has access to and what means are used to access these?
  • Can anyone else other than the suspect access these systems using the same methods?
  • If so, can we determine who is responsible for any given action?
  • Does the suspect work off several machines or just one?
  • Do they have a personal drive?
  • Is it possible that there are other people involved?

It is vitally important that this process is undertaken professionally. Employees are becoming much better informed of their rights and if the investigation is performed incorrectly then it is often the company that can be shown to be at fault and an employment tribunal could ensue. Should the results of an investigation be questioned by an employment lawyer, your client may easily find itself accused of evidence tampering, discrimination and wrongful dismissal.

What can we do about it?

It is vital that law firms advise their clients to have a robust, well-communicated policy dictating the use of company systems, electronic devices and the transfer of company information making the necessary caveats governing the acceptable transmission of data. This policy should not stand alone, but should be part of every employment contract.

It is equally important that the policy be continually updated - along with non-compete and non-solicit agreements - to reflect changes in company technology, equipment and evolutions in the outside digital world. For example, the recent furore about compromised LinkedIn accounts raised questions about whose information was actually at risk: the individual LinkedIn account holder, or the company they work for.

Training should be conducted on a suitably regular basis or when the policy is updated and must be documented thoroughly. If an employment dispute regarding the theft of data ever does develop, taking these steps will demonstrate that your client underwent significant efforts to ensure compliance with the policy. From a technical standpoint, the challenge arises as clients attempt to balance the protection of sensitive business information whilst still providing employees with access to information required to fulfil their daily job responsibilities. This is a constant juggling act because of the requirement to allow sensible access to data, while also taking steps to protect it. A middle ground needs to be found in line with an organisation’s policy on application control and use of USB ports/portable devices.

Finally, law firms should advise clients on their readiness to deal with computer forensics investigations when faced with a potential case of IP theft. This involves having roles and responsibilities assigned internally, including ensuring someone is able to give authority to proceed with an investigation and who is allowed to communicate to questions from the media.


When faced with a data-theft incident, employing the correct practices the first time are crucial in helping organisations to defend their position and protect what belongs to them. A small investment which equips key staff with the knowledge and understanding of how to respond to a relatively rare but complex situation could make all the difference to the outcome of their case.

Ben Fielding is business development manager at Kroll Ontrack