Subscribe to Blog Updates

Investigating Employee Theft: Uncovering the Tracks

Posted: 10-Dec-2015 16:02:25
Author: Emily Forrest


In the second of our 'Employee Theft' series, IT Group collaborated with Andrew Lee of Brandsmiths and Daniel Burgess of Blackstone Chambers to talk through the steps that a legal team would take to protect an organisation in the event of employee theft. 

There's nothing unusual about employees leaving the business. With the upturn in the economy, an increasing number of ex-employees are joining competing businesses, or even competing directly as a new start-up. For some, the temptation to take confidential information to assist in the springboarding of a new business proves too strong.  

This article describes a method of tackling litigation head-on with the aim of uncovering wrongdoing and preserving evidence at an early stage without giving the ex-employees the chance to cover up.

Stage 1:  Client Contacts Instructing Solicitor 

Something will have triggered the client's concern that its business is under attack. It might be the discovery of an email attaching confidential material being sent to an external address by the defendants prior to leaving. Often however, such clear evidence is not available and the defendant will have taken steps to cover their tracks. Suspicion might arise via a tip off or as a result of customers mentioning they have been offered a better deal by the defendant. Customer lists and databases of contacts  are very valuable to ex-employees as they not only provide a ready client base but may also contain confidential information of considerable value to competitors.  

The client will want to know its options. While in most types of litigation the defendant is written to in the first instance in the hope of reaching a resolution without court proceedings. A concern here is that if the defendant becomes aware that the client is 'on to them' they might try and hide or destroy evidence. Most clients are unware that it is possible to make an application to court without telling the defendant. This is a key weapon that can be deployed.

The client will be asked to provide as much information and evidence as possible. In appropriate cases the client will be advised that the steps detailed at stage 2 below will assist. Going to the court without notice to the defendant requires the client to provide all relevant evidence (whether or not in its favour); the clearer the evidence of misuse, the more likely the court is to intervene.

A range of court orders is available. Typically the claimant will be asking the court to grant an injunction against the ex-employee, preventing them  from carrying out further acts (such as contacting customers or using the claimant's information) until trial. The court may order the 'delivery up' of documents belonging to the client. In some cases a court may order that a client's solicitors should be permitted entry into the ex-employee's premises in order to forensically image computer devices (and other equipment) in order to preserve evidence. An order granting entry to premises is a more invasive order and will require more compelling evidence of harm.

The court will expect the client to move quickly once it is aware of an attack. Delay can be fatal to any application as the court will ask how the client can possibly be suffering irreparable harm if it has known about the situation but has not acted.

Making an application of this type is front-loaded. A lot of the work that would be done in the later stages of a claim over an extended period is instead done quickly, before the claim has even begun. That necessarily involves cost but, in circumstances where a client is suffering irreparable harm and is trying to save its business from an attack, the client will often realise such costs are a necessary part of that business protection.   

Stage 2: The Plan 

IT Group will devise a plan of the likely digital evidence and examine the leaver's laptops, memory sticks, server access and web usage logs. The client will often already have evidence from its own records that raises suspicion. This initial suspicion will need to be supplemented with hard technical evidence of wrongdoing. If the user returned his or her laptop or mobile phone this can be the source of the initial evidence.

Previous examinations have focused on the hours before or after the letter of resignation had been drafted. We often observe a correlation between this specific letter being drafted and the activity of accessing confidential information and transferring it to media where it can be accessed later. Currently favoured activities are transferring to cloud-based storage such as Dropbox, iCloud, SkyDrive, Google Docs, transfers via Skype chat or simply emailing the files and plugging in USB memory sticks.  

This article originally appeared on the SCL website. Click here to read the full article.

Read part 1 of the 'Employee Theft' series:

Investigating Employee Theft: Curiosity Kills The Evidence

Share this article

facebook-yellow.png    twitter-yellow.png    Linkedin-yellow.png    pinterest-yellow.png    google-yellow.png