United States: Computer Forensics and Its Impact on Employment Litigation: Finding The "Smoking Gun"

Originally published Summer 2005

Bill Gates predicted what IBM missed: that the currency of the computer revolution would not be mainframes but desktops (and now laptops, PDAs, and cell phones). Personal computing devices allow us to move information-even massive amounts of information-with just a few keystrokes or clicks of a mouse. For employers, this aspect of the Information Age presents the significant risk that a disgruntled or former employee will delete or pirate proprietary information.

Employees may also labor under the misconception-fueled by "personal" passwords and the sheer number of hours spent on a certain computer-that their work computer, and especially the information on it, are actually theirs and not their employer's. Of course, few employees actually try to walk out the door on their last day with their employer's computer under their arm, but some employees would not hesitate to e-mail files to themselves at their home e-mail address or burn to a disk valuable information that properly belongs to their employer.

Computer forensics is becoming a routine part of many employment cases. To cite a few recent examples handled by our firm: (1) After a key employee suddenly resigned, the employer hired a computer forensics company to search the hard drive of the employee's work computer. The search uncovered in "unallocated space" (the place where files go when they are deleted) a business plan that described in detail how he was planning to compete with the employer once he left, including a detailed section on how the employer's biggest client would become his own. (2) An executive tendered her resignation, promising to stay on for four days to "assist in the transition." During this time, she deleted almost 3,000 files off the employer's network and then proceeded to e-mail to her home e-mail account 19 megabytes of information (approximately 3,000 pages of documents). (3) A senior vice president resigned after 25 years with his employer. He immediately created a competitor. A computer forensics company scanned his work computer only to discover that a portion of the hard drive had been wiped clean with a program called "Evidence Eliminator." The risk to employers is real.

Computer forensics companies are the private investigators of cyberspace. They can uncover everything from "deleted" files (which do not actually disappear from the computer but are simply moved out of the portion normally accessible) to Web surfing, from profiles to "metadata" (data about data), from e-mail histories to data movement (i.e., evidence about data being written or "burned" to disks). It is important to isolate and preserve the subject computer for the forensics expert. Turning the computer on and off or having a computer-savvy employee-even the company's IT expert-poke around on the computer is counterproductive. Such amateur searches are as damaging to the integrity of the computer forensics investigation as having a company's security guard muck around at a crime scene prior to the arrival of the criminal forensics experts.

A good computer forensics company will "image" the computer, which means they will take a bit-for-bit digital snapshot of the hard drive. This image has a digital fingerprint that will serve to authenticate the image in court, if necessary. Such careful techniques are essential for proving to the other side or to a court that information was not planted on the computer to frame an innocent employee.

The image can then be searched. Keywords in any document, from a Word file to an e-mail, can be found in seconds. Much of the expense of computer forensics comes when there are thousands of documents with certain keywords, each of which must be reviewed for relevance to the case. Privilege or privacy issues may arise for certain documents. There is a growing body of case law in which courts have tackled issues resulting from these sorts of computer forensic searches. Employers can help themselves now if they publish policies reminding employees that work computers, and all information on them, belong to the employer and may be reviewed at any time. Employers likely have similar policies for desks, lockers, and filing cabinets. It is important to provide policies regarding the use of the Internet, instant messaging, and e-mail to employees prior to a dispute.

Once a dispute arises, a former employee should be put on notice that he or she may not destroy or tamper with any electronic evidence. If there is evidence that the employee has moved information to his or her home computer, it may become necessary to obtain a court order permitting the employer's forensics expert to search that computer. Moreover, paper production of documents may be inadequate in such cases. Printing documents to paper prevents a party from examining the electronic context in which those documents were saved and manipulated.

Practical Significance

In sum, parties in employment disputes must recall that almost all documents are now created, stored, altered, and sent electronically. In the Information Age, it is no longer adequate to think in terms of a paper trail.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.