Computer Forensic Evidence in Trade Secret Cases. Trade secret litigation is on the rise. Perhaps the most common fact pattern involves an allegation that one or more former employees stole confidential information from a former employer to use in a separate, often competing venture (whether at an established competitor or new venture). Not surprisingly, the information that is often alleged to have been stolen is digital. Given the nature of this information—i.e., electronic and easily transferrable—a plaintiff’s most critical evidence is likely to come from computing devices such as laptops, cell phones, tablets, thumb drives, external hard drives, home servers, or any other device that can be used to store digital information. These electronic devices may contain critical evidence in a trade secret case because they often contain logs of user activities such as creating, deleting, copying, or altering files, and even logs showing when certain external devices were connected, how long they were connected, and how much data was transferred between the devices. And while this computer forensic evidence can be used to help prove trade secret theft and misappropriation, the process by which the computer forensic evidence is collected and ultimately presented at trial must be carefully thought out, planned, and executed.
The first step in the process is data collection and preservation. To take advantage of computer forensic evidence at trial, it is imperative to swiftly and carefully collect, log, and properly preserve all electronic devices in question in order to reduce the risk that potentially relevant electronic data on a device is not deleted or altered in any way. As a general rule, computer forensic evidence tends to deprecate over time, so it is advisable to seek any potentially relevant computer forensic evidence at the outset of an investigation or case. Typically, the process of collecting computer forensic evidence includes forensically imaging the electronic devices at issue, which effectively creates a digital replica of the device in question, thereby permitting a party and its forensic experts to perform analysis on the imaged version of the device without modifying or corrupting the original. While forensic images of an adversary’s electronic devices can be discoverable, there are limits. For example, courts have prohibited or circumscribed such discovery due to privacy and relevance concerns. See, e.g., Genworth Financial Wealth Management, Inc. v. McMullan, 267 F.R.D. 443, 449 (D. Conn. 2010) (noting that courts are “cautious in requiring the mirror imaging of computers” but are still granting motions to compel forensic imaging by a neutral court-appointed expert). Accordingly, discovery requests seeking forensic images are more likely to be successful when the requests are narrowly tailored (e.g., identify a specific, relevant device) and the proponent can demonstrate a sufficient nexus between the underlying allegations in the case and the requested imaging (e.g., the specific device is believed to have been the device used by a former employee to steal trade secrets). See New Hampshire Ball Bearings, Inc. v. Jackson, 158 N.H. 421, 431 (2009) (affirming denial of motion to compel imaging of company’s entire network in trade secrets dispute because the allegations related to only a small portion of the company’s operations); Ameriwood Industries, Inc. v. Liberman, 2006 WL 3825291, at *4 (E.D. Mo. Dec. 27, 2006) (imaging appropriate in trade secrets case because “allegations that a defendant downloaded trade secrets onto a computer provide a sufficient nexus between the plaintiff’s claims and the need to obtain a mirror image of the computer’s hard drive”).
Once a forensic image has been obtained, the data must be analyzed. Typically, outside vendors with expertise in computer forensics are retained to perform this analysis (as well as the imaging). These experts analyze the forensic image with specialized software targeted at locating potential evidence of trade secret theft by, e.g., determining “what peripheral devices have been connected to the device, what a user accessed, what has been stored on the device, and when it was last accessed or modified.” New Hampshire Ball Bearings, 158 N.H., 424. Gathering these types of forensic evidence—essentially a trail of digital breadcrumbs—can be crucial to developing a trade secrets case: they can establish timelines, access/download records, network activity, data transfer logs, and data modifications/alterations, among other relevant information. Accordingly, computer forensic evidence collection and specialized analysis by experts is a frequently-used and often critical discovery tool. See In re Arvanitis, 2015 WL 5202990 (Bankr. N.D. Ill. Sept. 4, 2015) (relying on computer forensics expert to demonstrate the defendant had downloaded thousands of corporate documents containing trade secrets to his personal laptop); Digital Assurance Certification, LLC v. Pendolino, 2017 WL 4342316 (M.D. Fl. Sept. 29, 2017) (relying on computer forensics expert to allege former employee downloaded files containing trade secrets onto a USB drive); Zarwasch- Weiss v. SKF Economos USA, Inc., 838 F. Supp. 2d 654 (N.D. Ohio 2012) (relying on testimony from computer forensics expert to establish that former employee accessed and transferred data to USB devices).
Of course, to be useful at trial, the computer forensic evidence must be admissible, and a common admissibility issue with computer forensic evidence is showing that it is reliable and authentic. Under Federal Rule of Evidence 901(b)(9), a party seeking to admit forensic evidence will need to offer testimony demonstrating that the processes or systems used to extract the forensic evidence were executed with reliable procedures that produce accurate results. This could be shown, e.g., through testimony that the forensic expert regularly works with and relies on the software used to extract and analyze the forensic evidence. See United States v. Lizarraga-Tirado, 789 F.3d 1107, 1110 (9th Cir. 2015) (authentication requirement that Google Earth produces reliable and accurate digital tack and coordinates can be satisfied with testimony from “a witness who frequently works with and relies on the program.”). Rule 902(b)(13) and (14) permits a similar showing to be made through a certification by a qualified person rather than testimony.
In sum, if a company is faced with a situation where a former employee is suspected or known to have illicitly taken confidential company information, a company should at least consider (i) investigating and analyzing any internal digital logging system, such as software that logs employee access to internal corporate networks, servers, and sensitive company data for unusual or suspicious activity, and (ii) collecting all company-owned electronic devices from the former employee and imaging those devices to preserve the data. If the situation leads to litigation, it is generally recommended to (i) seek early discovery of the former employee’s personal electronic devices in order to ensure that any relevant computer forensic evidence is preserved, (ii) hire a reputable, experienced outside forensic expert to investigate both the employer-provided and personal electronic devices, and (iii) instruct the forensic expert to keep meticulous records of all steps taken to extract any forensic data, so that he or she is able to authenticate that data at trial. Of course, these are just some high-level examples of steps companies can and should consider— this list is not intended to be exhaustive. Different fact patterns may demand additional or different steps and investigative tactics, and each case should be assessed on its own merits.