Trade Secret Theft – Local Man Arrested

Trade secret theft of intellectual property, data misappropriation or corporate espionage is a growing trend. All are considered criminal acts that cost employers and employees millions of dollars and future income. This growing trend has attorney’s teaming up with data and computer forensic experts to find the smoking gun and save their clients a great deal of money. Ultimately saving companies or businesses that may be at risk of closing!

How to Avoid Trade Secret Theft of Intellectual Property and Data Misappropriation?

Corporate trade secret theft of intellectual property and data misappropriation with a competitive international company. All sounds right out of a James Bond movie!

Employee Resigns but Doesn’t Tell He Will Be Working for the Competitor

In September of 2015, an employee of a metal company was caught red-handed at O’Hare International airport with his luggage filled with company documents. That employee was Robert O’Rourke. O’Rourke was unhappy working for Dura-Bar, a McHenry County metal manufacturing firm he started working for in 1984 as a metallurgical engineer and eventually became a salesperson. He accepted a new position for a Chinese competitor named Hualong as Vice President of research and development. When he resigned he didn’t tell Dura-Bar management he was going to work for Hualong company. A company that manufactures cast-iron products and is in direct competition with Dura-Bar. On his last day of work, O’Rourke goes out for drinks with some of his colleagues. He slips up and tells them he is going to work for Hualong.

Departing Employee Downloads Electronic Data and Documents Belonging to the Company.

According to evidence at trial, in late 2013, O’Rourke began several months of negotiations to take a similar job with a rival firm in Jiangsu, China. While still employed at Dura-Bar, he then downloaded electronic data and documents belonging to Dura-Bar without authorization two days before officially leaving the company.  The following week, he packed up the proprietary information and went to O’Hare International Airport in Chicago to board a flight to China.  Federal authorities intervened at the airport and seized the stolen trade secrets from O’Rourke before he could travel to China. Gotcha!

Employee Charged and Convicted

About four years later, in October 2019, a federal judge sentenced a 30-year employee of a McHenry County manufacturing firm to a year and a day in federal prison for stealing trade secret information while planning to work for a rival company in China.

Hire an Expert (HAE)!

Enigma Forensics has over 20 years of experience. We work with attorneys on recovering and proving trade secret theft of intellectual property and data misappropriation for their clients. Criminal acts such as these can cost companies millions of dollars to defend and recover damages. Companies need to protect themselves by setting up protocols to alert when large quantities of data are being downloaded. To further protect themselves, employers must use non-compete agreements when hiring employees that work with proprietary company information.

To Learn More…

Trade Secret Theft and Misappropriation in the Food Industry

Rarely do we hear about trade secret theft and misappropriation in the food industry. It happens! Read about this high profile case involving a famous food celebrity chef!

America’s Test Kitchen (ATK) sues Christopher Kimball for Misappropriation of Trade Secrets

Here is another example of trade secret theft. Check out this blog to see how business and personal emails played a role in the misappropriation of trade secrets. Yes, there is trade secret theft in the food industry!

Who isn’t a fan of cooking shows?

Have you ever watched American’s Test Kitchen (ATK) on public television? In addition to the show, ATK is a multimedia company that has holdings in public television programs such as America’s Test Kitchen, Cook’s Country, cooking magazines and books, and several websites? Who knew? We love watching celebrity chefs like Christopher Kimball and other specialized professionals test the great American recipes like meatloaf, roast chicken, and apple pie!

Trade Secret Missappropriation Lawsuit or Foodie Divorce?

Christopher Kimball was the face and personality behind America’s Test Kitchen and Cook’s Country. In November 2015, Kimball left ATK’s program and started his own program called Christopher Kimball’s Milk Street. When two parties split it’s called a divorce, well, you guessed it, ATK sued Christopher Kimball, the co-founder, part owner, celebrity chef, and the former host of its TV shows. Almost a year later, America’s Test Kitchen Inc. filed a lawsuit on October 31, 2016, as the Plaintiff. They wanted Kimball to change his business model. We call this a foodie divorce.

ATK said Kimball duplicated what he did on the show on Milk Street and that he misappropriated its trade secrets and breached his fiduciary duty to the company. In addition, they claimed that while Kimball was working at ATK as he actively created his new company Milk Street. According to ATK, Kimball stole its collection of recipes, TV show ideas, media contacts, and subscriber information. As a result, ATK sought damages against Kimball and wanted a large sum of all profits that he has derived through the use of the trade secrets he allegedly misappropriated from America’s Test Kitchen.  Other defendants named were Melissa Baldino, Kimball’s wife and a former executive director of ATK, Christine Gordon, and Deborah Broide. ATK claimed they aided and abetted Kimball’s breach of his fiduciary duties.

Non-Compete Agreement between ATK and Kimball

It seems that ATK and Kimball did not have a formal non-compete agreement in place. To protect intellectual property, corporations use a non-compete agreement where the employee agrees not to enter into competition with the employer during or after employment. If an employee departs and takes intellectual property without permission that’s considered trade secret theft and misappropriation.

It’s all in the Email!

This case is an example of where most evidence of trade secret misappropriation can be found. It’s all in the email! A variety of emails were attached to the complaint that included notes between Gordon and real estate brokers, between Kimball and an IT consultant covering such issues as how to copy and store tons of recipes. There were emails discovered between Broide and Kimball regarding the media lists; between Gordon and the ATK help desk about whether company scanners would keep copies of documents she scanned.

The Foodie Divorce finally settled!

To all our fellow foodies the good news is that both parties settled. Kimball agreed to return his ATK shares to the company for an undisclosed price. In the end, they agreed to business terms that will allow America’s Test Kitchen and Kimball’s company, Milk Street to co-exist. Giving us foodies the benefit of watching both shows!

Enigma Forensics is a computer forensic company with litigation experts that partner with attorneys to represent plaintiffs and defendants to help prove their case. We dig for evidence of trade secret theft or misappropriation of intellectual property. Most of all we are foodies! We found this story about trade secret theft and misappropriation in the food industry fascinating and wanted to share.

To learn more about Trade Secret Misappropriation

Top Things That Will Protect Company Trade Secrets

Trade Secret theft = loss in revenue. Use your spider sense when someone from your team departs the company. They can unsuspectedly upload electronic data to the Cloud for later use that will drain your company of future revenue and present an immediate loss! Be aware-hire an expert to forensically image the departed employees hard drive. It will save you money and headaches!

Every company will have an employee leave but how do you protect the company’s trade secrets from leaving with them?

It is more common that you know for employees to leave for a competitor. On their way out the door, they will take with them proprietary data that can result in great harm to an organization including; loss of employees, customers, and important revenue streams. If someone on your team recently left your company and is suspected of having joined a competitor, it is vitally important to take immediate steps to protect your organization’s electronic assets.

What types of data do departed employees take?

Enigma Forensics has seen it all!
1. Client Lists
2. Blueprints
3. Historical quotations
4. Programming files
5. Source Code
6. Rebate levels offered from various vendors
7. Supply Chain information
8. Business protocols that competition can replicate

Hire an Expert!

When investigating departed employees the first step is to create a forensic image of the past employee’s hard drive. We recommend NOT to ask an internal employee to perform this task but most importantly hire a qualified computer expert from outside your company. This avoids any underlying loyalty current employees may have for the departed team member. An expert is trained to ensure the chain of custody is preserved so that it can be presented during a trial. Many have learned that hiring an expert is worth every dime!

What are the benefits?

Enigma Forensics computer experts will look for all types of activity that took place, including websites visited, files accessed, files transferred to external media, files uploaded to DropBox or other cloud accounts, concealment activities; encryption, and deletion of electronic evidence.

If your company is on the other side of a trade secret misappropriation litigation, we encourage you to hire an expert that will perform an initial assessment of the new employee’s activities. This will provide you with the benefit of knowing if the employee did something that could prove harmful to your company. It’s not uncommon that misappropriated trade secrets are done without the new employer’s knowledge. Yet, the new employer can be named in litigation as a co-defendant! Ouch!

Enigma Forensics has worked for both the plaintiff and defendant in trade secret litigation. Our experts are CISSP certified, what is CISSP? Certified Information Systems Security Professional. This advanced level of certification is considered the gold standard in the field of information security. It is a globally recognized certification offered by (ISC)2. (ISC)2 is known to be the world’s leading organization specializing in certifications and training for professionals in the cybersecurity domain. Click here to learn more about ICS2. https://www.isc2.org/

Call Enigma Forensics at 312-668-0333 for a complimentary consultation.

To Learn More about Trade Secret Theft

Tesla’s Latest Trade Secret Theft Lawsuit

Enigma Forensics experts investigate, preserve and recovery data to prove or disprove Trade Secret Theft. We have assisted many clients in financially recovering what was stolen from them or to help clear their name. Are you interested in learning more about trade secret theft? Check out Tesla’s latest law suit against a former software engineer.

A large portion of our business is forensically recovering and preserving data that is vital in proving or disproving trade secret theft. Enigma Forensics experts love to follow Tesla! We love the look of their beautifully engineered electric cars and we’re very interested in Elon Musk, the controversial character behind the engineering. Who is now labeled the most wealthiest man in the world. Our interest was piqued when we heard about Tesla’s latest lawsuit and that prompted us to write this blog.

On January 22, Tesla filed a lawsuit against Alex Khatilov, a former software engineer over Trade Secret Theft and Breach of Contract. Tesla contends that within days after Khatilov started his position on December 28, 2019, he began stealing thousands of highly confidential software files from Tesla’s secured internal network, transferring them to his personal cloud storage account on Dropbox to which Tesla has no access or visibility.

How did Tesla discover this trade secret theft or misappropriation of data?

On January 6, Tesla’s information security personnel detected Khatilov’s unauthorized download of a complete set of all the automation scripts produce by the Quality Assurance Engineering team for WARP Drive over the last twelve years! He was confronted the next day via Microsoft video chat due to Khatilov working remotely because of COVID-19 restrictions. Khatilov claims he installed a Dropbox desktop application to his Tesla issued laptop to allow him to upload administrative files to his personal Dropbox. He swore over and over that he only transferred administrative documents and then when he finally shared his screen with Tesla investigators he could be seen deleting the Dropbox files while on video chat confirming he had willfully destroyed evidence.

Why all the fuss?

How important are these scripts? These scrips are unique to Tesla and run on WARP Drive, the backend software for much of Tesla’s business. These files consisted of “scripts” of proprietary software code that Tesla has spent years of engineering time to build. When executed, these scripts automate a broad range of functions throughout Tesla’s business and only a few select employees have access to these files. It gets better! This is the good part…Khatilov contends he forgot about downloading thousands of confidential files!

The reality of this trade secret theft or misappropriation of confidential data is that Tesla has no way of knowing whether Khatilov copied the scripts onto a thumb drive, a mobile device, or a cloud based storage or most importantly sent them to another individual. To understand more thoroughly how important these “scripts” or trade secrets are…They map out Tesla’s innovations! Making them extremely valuable and beneficial to any competitor.

What measures ensure against trade secret theft or misappropriation?

  1. Tesla limited the “scripts” access to only members of the Quality Assurance Engineering team in which Khatilov was one of forty employees to have access. The engineers that have access are not permitted to download scripts to the cloud or personal devices. This makes us wonder how Khatilov was able to download data!
  2. Only eight people within the Tesla company are approved to grant access to these scripts.
  3. Each engineer signs an extensive employment agreement and agrees to policy conditions of their employment with includes a non-disclosure agreement (NDA), that holds each employee to the strictest confidence of proprietary information, technical data, trade secrets so on and so forth.
  4. The NDA also states that upon termination or departure each employee will immediately return to the company all original document electronic or hard copies.
  5. Each physical facility has restricted access to only authorized personnel that are monitored by security guards and cameras.
  6. All visitors must check in with security, sign a NDA, submit to a photograph and be escorted by an employee.
  7. Tesla also used password-protected and firewall-protected networks and servers that are only accessible to current Tesla employee with the proper credentials.

Moral of this story is…

Even high level technology companies has issues with trade secret theft. If your company suspects something like this, immediately hire a computer forensics expert to electronically preserve data of soon to be departing or a departed employee that has already left the company. Enigma Forensics can analyze data that was misappropriated or stolen to help clients recover financial loss.

Chinese Suspects: Li Xiaoyu and Dong Jiazhi charged with trade secret theft

FBI deputy director David Bowdich said “The sale and scope of the hacking activities sponsored by [Chinese] intelligence services against the US and our international partners is unlike any other threat we’re facing today.”

On July 7th, the United States Department of Justice (DOJ) filed a criminal indictment against Chinese cyber-criminals who acted as both self-employed criminals and employees of the Chinese Ministry of State Security (MSS).

Their names are Li Xiaoyu and Dong Jiazhi both are former classmates and chums. They attended an electrical engineering college in Chengdu, China. Li and Dong worked as a tag team to combine their technical training to hack the computer networks of a wide variety of victims. They included companies engaged in high tech manufacturing; civil, industrial, and medical device engineering. The theft didn’t stop there! They stole and replicated intellectual property and important trade secrets from businesses in the educational, and gaming software development; solar energy; and pharmaceutical sectors. Their stolen booty included information about military satellites and ship to helicopter integration systems, wireless networks, communications systems, high powered microwave systems, laser system technology, counter chemical intelligence, and finally, COVID-19 vaccine bio-development information. They left no stone unturned and literally left their criminal digital fingerprints everywhere.

The United States Department of Justice (DOJ) indictment includes 27 pages of a long laundry list of cyber-criminal attacks starting from 2015. Li and Dong were elevated to the top of the list when they were recently discovered looking for vulnerabilities of certain biotech and pharmaceutical companies who are researching and developing Coronavirus / COVID-19 vaccines.

Basically, China is using their students as cybercriminals to steal, and copy their way to technological advancement instead of developing their own. How did they gain such vital and important information?

Li and Dong used web shells, particularly one called “China Chopper.” This widely available and easy to use hacking tool provided the attackers with remote access to targeted business networks. They would also run credential-stealing software to grab user names and passwords. By creating easy access into a victim’s systems, they would copy the data they wanted to steal into an encrypted Roshal Archive Compressed file (RAR). Like other archives, the RAR file is a data container storing one or several files in compressed form. Windows Operating Systems has a default setting that allows a folder to be created and stored where the “Recycle Bin” is located, making it almost invisible to system administrators. Li and Dong operated within the “Recycle Bin” and create extensions such as “.jpg” to make those files appear as images. Thus, disguising the stolen data. The Ministry of State Security (MSS) allegedly provided the two with Zero Day hacking tools that could be used to penetrate corporate networks.

Once they stole the data they would bring it back to China and either sell it to the highest bidder or as directed and allegedly provide it to the MSS. After they breached a company they would go back and re-victimize the same company or organization they attacked in the first place. In addition to hacking and extorting U.S. technology companies, the two allegedly attacked messaging platform tools favored by Hong Kong protestors. The attackers appear to have motivations other than pure financial extortion strengthening the DOJ’s position that the attackers are connected to the MSS.

Check out Related Blogs

Click here to view FBI Press Conference

https://www.fbi.gov/news/pressrel/press-releases/fbi-deputy-director-david-bowdichs-remarks-at-press-conference-announcing-charges-against-chinese-hackers

Click here to view the Indictment

https://www.justice.gov/opa/press-release/file/1295981/download

Security Risks When Working From Home

Working from home? Have you been transferring files between work and personal computers? Be aware of the security risks that are out there. Experts talk about how to protect your company’s private data. Where should you start to make sure your remote workforce is secure? Listen to these experts!

Using Your Personal Computer to Work From Home

What are implications when working from home?

Let’s face it, these are weird times! Never before have we had the bulk of the country’s work force sheltering-in-place and working from home. We’re going on four months battling the spread of COVID-19. Workers have resigned, been terminated and furloughed and many have sensitive trade secrets loaded on their personal computers. Experts Lee Neubecker and the Data Dive Debbie Reynolds discuss currents situations and different audits they have performed for companies to retrieve intellectual property and company data. Check out this blog with transcripts.

Video Transcripts Follows

Lee Neubecker(LN): Hi, this is Lee Neubecker from Enigma Forensics. And I have Debbie Reynolds, the data diva back on the show from Reynolds consulting. Thanks for being on. Thank you so much for having me Lee. So what are your thoughts about the shift and changes that have happened over the last couple of months with everyone being stuck at home with their computers?

Debbie Reynolds(DR): I think it’s a interesting issue now, because as you know, even before the pandemic, there were people working at home. But now since there’s so many more people at home, it’s bringing up other security risks, especially with devices. And I’m sure you know, you probably explain more of your experience about working especially a forensic with people who are remote. And some of the challenges with those machines, especially, you know, the same people. They’re either working from home, people are getting furloughed or people are losing jobs where they’re, they’re not in the office. But they still have equipment. So I’m curious to see what you think about all that in terms of the device, the equipment, and some of the risks that come with that.

(LN) We’ve had a number of projects happen during this period where workers either have resigned, they’ve been terminated, or they’ve been furloughed, and there’s a need to get the company data back. And sometimes that data is on their personal computers. Other times the data is on a company issued laptop, but there are companies are just starting to get back to work. And there’s a whole host of issues. If you have sensitive trade secrets, and confidential electronic data on an employee’s personal or work computer, and you don’t have physical custody of that, there’s a real risk of that data getting disseminated to a new employer, maybe leaked online to the web, or maybe even you know, someone’s kid at home installs a game that opens up malware that puts those trade secrets at risk.

(DR) You know, we know a lot of people working from home, and a lot of people are using, I think the statistics said, the majority of people, maybe a slight majority, are using their own computers to, you know, tunnel in via VPN or whatever. But we all know that people still, under a lot of circumstances, let’s say they’re printing, or they have a file they want to, you know, leave locally or something. What is your advice from a forensic perspective? ‘Cause we can, we always see a lot of data co mingle together, unfortunately, where the personal and people’s business stuff maybe, you know, together in some way, so what is kind of your advice for people working at home for stuff like that?

(LN) If an employee’s is being asked to work from home, they should ask for a work issued computer.

(DR) Right

(LN) Also you should be using a virtual desktop of sorts.

(DR) Right. Yeah, exactly. But you’ve seen I’m sure you’ve seen a lot of situations where you’re asked to do forensic work. And there is a lot of personal stuff, even on a company.

(LN) Yeah, we’ve had situations where people have, despite having work issued computers, they’ve still connected their personal computer up to corporate resources, office 365. I’ve seen situations where there’s drives that are syncing to personal, former employees, personal computers, and even though the accounts are severed, so it can’t continue to sync, then all that data might still reside. So we’re doing audits right now for clients to look for, you know, what devices are synchronizing with corporate data stores, and some of those devices. You know, there really needs to be accounting and audit to match up those devices to ensure that only accounts of active employees are syncing and that those devices are company issued devices, not personal devices because it poses a real risk. It’s a problem that could be preempted by issuing, you know, work equipment, not co mingling work and home stuff.

(DR) Are you seeing problems where people are, let’s say they have a phone. And they have like, for example, let’s say they have an Apple phone and they have a iCloud account. And the phone belongs to the company, but their iCloud account is their own personal account where you have problems getting those passwords.

(LN) Yeah, for the most part, we’ve had compliance and I’ve worked to try to help solve the problem, you know, the employee might have stuff they need. And usually what we’re doing in most cases where we have co mingle data, where we’re giving the employee or former employee the opportunity to put all their personal stuff onto a drive that will then do a search against and then we’ll wipe, wipe, completely wipe, the original device. They’ll sign a certification of sorts, and then they’ll only copy the stuff that they, that they copied off that we verified, didn’t contain trade secrets, and they’ll pull that back down to the computer. But that relies on some level of trust that if the employee or former employee signs, a declaration or affidavit saying that they returned everything that they’re being honest.

(DR) Do you have people that are concerned, especially in the legal field about people doing remote document review, and having sensitive documents viewed on their computers at home?

(LN) Well, I think that’s a legitimate question. And you know, if, if companies are outsourcing document review, they should be asking the provider, provider questions about, you know, how, what steps are you taking to make sure that those endpoint reviewers aren’t using computers that are compromised? In many cases, companies are using independent contractors as their reviewers and they’re not issuing corporate equipment. So that that’s a real risk that the whole ediscovery industry really needs to grapple with, because someone’s going to get burned at some point in time, especially during this, this pandemic with, you know, resources taxed and people working from home.

(DR) I have one more burning question for you, actually. And this is about BYOD. What do you think? Because the pandemic, do you think more companies will start to do more or less, bring your own device things as a result? I think we’re going to see a lot of problems come out of BYOD devices where companies see the problem of losing control of their data. And, at least with the larger companies, I think you’re going to see probably more strict, more strict enforcement of using corporate resources. I mean, there were many companies right before Illinois shut down went into effect they were ordering laptops going running out to, you know, retail stores to quickly grab whatever they could, so they can issue laptops to their employees. And, and so I think you’re going to see, I think you’re going to see a movement away from BYOD in the future.

(LN) I agree with that. I think it’s been a long time coming. I don’t know if you remember when they were first doing this, you know, at first companies were giving people devices, then they decided well we’ll save money will be out BYOD Now it seems like a pain in the neck to deal with it. And it’s all these risk issues. So I really feel that they’re going to start to go back the other way.

(DR) Now, well there’s a cost associated with BYOD. And now people are furloughed and all your sensitive data is on former employees, personal computers. So then you’ve got to hire a forensic expert like me to try to work through to get the data back and to solve that problem, which, you know, it might have been much easier to issue a 500 dollar laptop to employee, then to have them synchronize that ’cause they’re going to pay more than $500 dollars to try to solve the problem of getting their data back. So after we get through this next bump in the business cycle where companies are paying out to have to retrieve their data, I think you’ll see that most CFOs will see it’s smart sense to issue corporate laptops and to block access to BYOD devices. But thanks for the question. It was a good one.

(LN) Thank you. Fascinating. Thank you for sharing.

(DR) Thanks

Related Articles

Check out our COVID-19 Statistics – Track your county!

Issues When Working From Home

Issues when working from home are bubbling up. Are you working from the dining room table on important company information? We discuss the importance of forming a work from home policy.

We have reached a new era of remote business at levels few companies ever planned for. We all know, COVID-19 has driven businesses and their employees to operate from makeshift home offices. As a result, many issues when working from home have been exposed. In some of our past blogs, Enigma Forensics has provided insight to trade secret theft and given direction on how to protect company trade secrets from cyber attacks. In this blog we will address the current issues that have risen since we are all working from home.

First and foremost, the mass exodus from the business office to the home office was done at the flip of a switch. Working from home took many companies by surprise, sending employees home expecting this to be a short period of time. Most companies didn’t have time to prepare a proper security plan. In an effort to offer more accessibility to their employees some companies loosened their security standards to allow faster and more convenient access for employees. Some encouraged employees to use their own personal devices. These procedures have increased the risks that companies will be cyber attacked and offer opportunities for trade secret theft and loss of business confidential information. To lessen these possibilities companies must develop policies that address the risks.

Enigma Forensics suggests creating a work from home policy to inform employees of their obligations. Companies need to communicate how important it is to stay secure and that the future of the company depends on it. Employers must insist each employee maintain a two-factor authentication process to secure sensitive information. Each employer must restrict unauthorized access to company data. In other words, keep the kids off the company’s computer. It’s also imperative to prohibit the use of unauthorized third party cloud storage sites, and to make sure to apply security software to protect company data. Most importantly, no sharing of company devices.

Some more simple procedures companies can implement to protect their end points include:

  • Ensure endpoints have patch software and security updates applied monthly
  • Audit and enable Windows Defender or other Antivirus Solutions to protect end points
  • Ensure computers accessing company data are set to auto lock after five minutes of intactivity
  • Provide employees with dedicated work only equipment
  • Audit and ensure satellite workers have a firewall protecting their endpoints from potential attackers

Kids at home with not much to do may be interested in installing the latest video game on your computer which could introduce security vulnerabilities at home.

Enigma Forensics also suggests developing an inventory of what employee has access to which files. Know who is printing confidential information, and identify if family members have access to the same devices. Once all this is mapped out, a risk assessment needs to be conducted. Identify which employees have access to sensitive information should be prioritized and secured appropriately.

Eventually we will all be back working in the office but COVID-19 has exposed the need to increase security and to learn more about how your employees are utilizing company owned devices.

To Learn More About Trade Secret Theft Check out our blog below

Trade Secret Theft

When employees leave a company, it is common that departing staff may take electronic files belonging to their former employer. Matthew Prewitt, a trade secret litigator shares his experiences pursuing and defending against such litigation. The role of computer forensics and the importance it plays in getting to the truth is discussed in this informative interview.

Leading computer forensics Expert Lee Neubecker discusses trade secret misappropriation by a departing employee and how that can lead to a competitor gaining an unfair competitive edge. The Chair of Schiff Hardin’s trade secret practice, Matthew Prewitt, emphasizes the importance of working with a computer forensics expert to preserve digital evidence and perform effective discovery that can later be used if litigation is necessary. Enigma Forensics staff are experts when investigating a departed employee using computer forensics.

The transcript of the video follows:

Lee Neubecker: Hi, I’m here today with Matt Prewitt. Matt is the chair of Schiff Hardin’s trade secret practice, and is an experienced litigator that focuses on the area of trade secret theft. Matt, thanks for being on the show.

Matthew Prewitt: Thanks for having me, Lee.

Lee Neubecker: We’ve had cases we worked on before involving departed employees. Could you tell everyone a little bit about your experience in this area, dealing with trade secret theft?

Matthew Prewitt: Sure, I mean as a trial lawyer, I’ve litigated both sides, sometimes, defending the departing employee, and/or that employee’s new employer, other times representing as the plaintiff, the company that the employee left.

Lee Neubecker: So, can you tell people generally what happens when you’re on the side of that had the employee that left? What happens at ground zero?

Matthew Prewitt: Well, ideally, the company would already have in place a structure of trade secret protection, and contractual, policy, and technology protections against unfair competition by the departing employee. So, that framework consists of, typically, a confidentiality agreement with the employee, perhaps a set of restrictive covenants, like a non-compete agreement, and then, hopefully, handbook policies that govern the conduct of the employee. Those will be coupled with restrictions, of course, that integrate with the company’s relationships, with its vendors and customers. Basically what the company ideally should be doing, is sitting down with outside counsel, in-house counsel, IT, and thinking about all the places where the company has sensitive, competitive information, trade secrets, or other confidential information, that are at risk when an employee turns out to be disloyal.

Lee Neubecker: So, when a client calls you, and they suspect that someone took stuff, what do you advise them to do, initially?

Matthew Prewitt: Well, I mean the first is to assess the situation and, that consists of identifying, with these days, almost everything is electronic of course, so, the first part of the assessment is to identify the types of electronic information that the departing employee would have access to. Either legitimately, during the course of that employee’s work, or, by exceeding the policy limits or protections that the company had in place. You’re doing, you’re identifying those areas for two reasons, one, preservation of evidence is very very important. And there’s no way to know what you need to preserve if you don’t know what the employee had access to, or potentially could’ve stolen. And then the other reason is to assess the competitive risk, and to begin to develop a plan for the investigation, and perhaps litigation response if it turns out to be warranted.

Lee Neubecker: And, so, typically, I know part of that initial response, when I’ve worked with you in the past, you want a forensic image made of the employee’s computer, before anyone mucks it up.

Matthew Prewitt: That is a, certainly an important starting point. With the changes in technology, for better or for worse, the places where the relevant data reside and the places that need to be preserved are, are multiplying instead of getting narrower, so, the hard drive of the laptop remains a very important source, because, forensically, it is often times the area that is most susceptible to forensic analysis and investigation. But there certainly are other places, as well. Cloud storage, the company’s computer network, personal email account of the employee, personal phone, company-issued phone, it goes on.

Lee Neubecker: I know when I first started in this area many years ago, the misappropriation was on a CD-ROM, and now, you’ve got smart phones, you’ve got USB drives, but the cloud is a whole other area of concern, because, companies can connect to Dropbox, Box.com, various other place, AWS, and move data to the cloud, so that, that becomes another point of concern in a need to be able to collect and preserve data from sources other than the computer.

Matthew Prewitt: You’re absolutely right, Lee.

Lee Neubecker: So can you tell us any war stories about what, what’s happened in the past when you’ve used forensics to pursue a case, and what kind of result you’ve been able to get for your clients?

Matthew Prewitt: Sure. I mean the forensic examination is really a critical part of a trade secrets case, especially if you’re on the plaintiff side, because, in, when you’re in court, trying to enforce restrictions against a departing employee, the, for better or for worse, the court is typically going to start that process with having, with some sympathy to the departing employee. I mean we are in America, and people are supposed to be rewarded for their ingenuity and hard work, and, employee mobility from one company to another is a basic value of our society. So, showing the court that the employee cannot be trusted to do the right thing, to be an honest and ethical employee at the new employer, at the new, at the competitor that she or he’s goin’ to, is really really important for building an effective non-compete case, or trade secrets theft case as a plaintiff.

Lee Neubecker: So for instance, if your client had a policy of no USB drives, and didn’t use USB drives, but yet, your forensic expert reported that a USB device was plugged into the computer the day before they filed their resignation, and that various files appear to have been copied to that drive, that would be something that would be compelling in support of an injunction, correct?

Matthew Prewitt: It’s certainly a brick in the building that you’re trying, or the story that you’re trying to build from court, absolutely.

Lee Neubecker: So there’s other pieces too, have you had situations where you’ve petitioned the court to allow discovery of that departed employee’s home computer, or the new workplace computer?

Matthew Prewitt: Yes, part of the forensic exercise is demonstrating the need for that discovery. And so, what you’ll want to start with as part of your initial investigation, is to have your forensic expert look for evidence that will show that the employee has used her home computer, has used external devices, has copied to the cloud, and once you can show the migration of data, under suspicious circumstances, off the realm of the company-owned hardware or accounts, then that’s the central starting point for demonstrating the court that you need a more invasive approach into the personal devices and accounts of the departing employee.

Lee Neubecker: Great so, let’s say that the plaintiff attorney has established convincingly with their forensic expert that data was misappropriated, and that the data clearly is confidential, and trade secret-type information. If you’re advising the new company that hired the sales person, and you saw the report and you believed the report to be credible, how might you try to help that new employer end the litigation and get things to a peaceful place?

Matthew Prewitt: Hopefully that they, the new employer has already laid the foundation for that scenario by instructing the employee before arriving, that they should not copy or take things with them, from their previous employment, should not load things onto the company network that are… belong to the previous employer, et cetera. And, to have done that in writing. If that’s happened, that puts the new employer in a potentially awkward spot, because you have an employee who not only has, has taken his former, his or her former employer’s stuff, but then has also disregarded the instructions of the new employer as well. That’s the situation where the new employer may be seriously considering terminating its relationship with the new employee.

Lee Neubecker: I’ve seen that happen, I’ve also seen situations where, the employee who departs agrees to have forensic inspections on his computer, and, signs an agreement that pretty much guarantees that if he’s caught doing something with this, that he’s going to have, face massive legal costs, and admit to wrongdoing.

Matthew Prewitt: That’s where that trust factor or credibility factor, that comes, that’s one example of where it becomes really critical. Not only is the court typically going to be inclined to the defendant departing employee’s situation, and want that employee to be able have gainful employment, many courts are also going to want to give that employee a second chance. And the second chance here is the chance to turn over the, turn over the information, and provide exactly the kind of affidavit or certification you’re referring to.

Lee Neubecker: Great well, I appreciate you being on the show and talking about this topic. It’s one that impacts most businesses, so, thanks again for being on the show.

Keys to Investigating Departed Employees using Computer Forensics

  • Forensically preserve the departed employee’s computer storage media before any examination of the contents occurs
  • Look for recently accessed files as reported by shortcuts and other system activity logs
  • Analyze recently deleted files to look for evidence of trade secret theft
  • Investigate recent connections of external storage to the computer
  • Build a timeline of events that led up to the departure to assist in an efficient investigation
  • Hire an experienced computer forensics expert – that’s us

Read More on Trade Secret Theft:

Defend Trade Secrets Act of 2016

Learn more about the Defend Trade Secret Act

Enigma Forensics CEO & President, Lee Neubecker discusses the of the Defend Trade Secrets Act with Trademark Attorney Brian Michalek.

The transcript of the Defend Trade Secrets Act 2016 video follows:

Lee Neubecker: I’m here today with Brian Michalek. He’s a trademark and IP attorney. Brian tell us what you’ve come on the show to talk about today?

Brian Michalek: Yeah, well first of all thanks for having me Lee. I appreciate you coming down here and spending some time with me today. You know what I wanted to talk about today is kind of some new applications of the Defend Trade Secrets Act. Which is, it’s about two years old now but it’s basically a federal cause of action concerning trade secret law.

Lee Neubecker: And what this means basically is if you’re an employer and you have someone who stole trade secrets, it offers you an opportunity to file in federal court as opposed to the state courts statutes.

Brian Michalek: Yeah, I think that’s right. And kind of taking like a step back, you know prior to 2016, what we had when we were talking about trade secret law were really a bunch of different states that had their own specific type of trade secret statutes. Some of these statutes were in fact pretty similar and shared a lot of consistencies but there were others that kind of had their own nuances and what that meant was that trade secret jurisprudence wasn’t completely harmonized. And it made it a lot more difficult to account for situations where we often encounter in the digital age where misappropriation of trade secrets happens across state lines or if we have a scenario where an individual who misappropriates a trade secret, resides in one state and the server in which they access to take the trade secret is in another state. We found that there was a lot of clunkiness with trying to figure out which state law would apply and how we could best go forward to making sure that the owner of the trade secret could get restitution appropriately. So, really what we have now in 2016 is a federal cause of action as you stated correctly that allows us to go straight into the federal courts and manage trade secret litigation from that vantage point. And I think it’s important to say also, that what we’re having is not a federal law that preempts state law but it supplements it. So, both can be acted upon.

Lee Neubecker: So, here in Illinois we have the Computer Fraud and Abuse Act that is often one venue. Why would someone who’s contemplating filing litigation against an employee who stole trade secrets here in Illinois. Under what circumstances would they want to try to pursue the Defend Trade Secret Act, a federal option as opposed to the Computer Fraud and Abuse Act.

Brian Michalek: Yeah, well it’s really going to depend on the particular fact scenario. That’s an issue here. The Computer Fraud and Abuse Act, you know, that generally is tailored to somebody who goes into a computer without authority to do so or oversteps their bounds and oversteps their access. So, it’s a little bit of a different cause of action but then again, there are situations where you have a fact pattern where an employee could run afoul of both statutes. Both the Computer Fraud and Abuse Act as well as the new federal Defend Trade Secrets Act.

Lee Neubecker: So, what are some of the advantages for someone who perceives a claim using the Defend Trade Secrets Act?

Brian Michalek: Yeah, I think there several advantages. I kind of hit on some of them earlier when we’re talking about the kind of this discord among different state laws and how they’re actually applied to certain fact patterns. But one advantage is that you get access to the federal court system. Previously when you have a state law you can do some things to get the claim into federal courts but it takes a little bit more, little more effort and you often times need to show that there’s diversity or you need to tack on a federal cause of action like the Computer Fraud and Abuse Act in order to do so. Right now with this cause of action, we’re actually allowed to file in federal court right from the get-go. And you know, there’s certain bit of strategy and advantage for employers to do that from an efficiency standpoint, from a practicality standpoint which allows to redress this misappropriation as soon as possible because you know, we’re dealing with a situation many times that when you have a trade secret that’s misappropriated, you need to act very quickly. Otherwise it can be disseminated and ultimately lost if things aren’t done to stop that.

Lee Neubecker: I understand the Act requires you to present your case of sorts as to why there’s an urgency to seize this information, when you’re trying to get the evidence. What would you try to do before you file your case to bolster your chances of getting a judge to grant you relief in terms of obtaining your trade secrets and getting that information back?

Brian Michalek: Yeah, that’s a good question. I think what you’re getting at is the defend Trade Secrets Act has a very special and new kind of prong to it. It’s a mechanism for a civil seizure and what that basically says it gives the court the power to and it’s ex parte I should say. So, it allows you if you feel that your trade secret is misappropriated to go to the court ex parte and explain to the court why you need redress and you need to, you know get your trade secret back or have it deleted of someone’s computer who misappropriated it or whatever recourse is appropriate. Now, this is new to the 2016 statute but there are some very specific hurdles that you need to get over. The statute itself says that this is really only for extraordinary circumstances and you have to show that other equitable means would not serve your interest like a preliminary injunction or a temporary restraining order. So, it is kind of a special remedy that’s offered and I think you know, we’ve had the statute for about two years now and there’s only been a handful of cases. There’s one in particular where the judge in fact did grant a civil seizure order and one of the reasons was because they found that failure to do so would cause the trade secret to be disseminated and ultimately lost. And really the next step there is to get the Federal Marshal Service involved and they will go in and actually reclaim that trade secret or delete it or make sure that appropriate recourse is made.

Lee Neubecker: Now, when you’re filing, would you encourage your clients to have an independent forensic analysis done with affidavit to support their claims? Do you think that would help the likelihood of actually getting that relief?

Brian Michalek: It’s again, it’s going to depend on the situation but I think kind of what you’re getting us is when you’re dealing with something that is taken from a computer. You know, we’ve dealt with situations where and I think these are becoming more and more common in the digital age, where an employee will do something with his computer before he quits and goes to competitor, he will transfer a file or copy a file or do something he’s not supposed to and the employer finds out and if they believe that there is some type of misappropriation or the employee took something that he worked here or she was not supposed to you know, they may have cause of action under this this federal action. And to your point, a lot of times doing a dealing with computers you do have to get a forensic expert involved so that you can actually know what was happening because people sometimes thinks that they can delete something or they can transfer it or hide it and you know, I’ve dealt with this enough times and I know you too, you have to Lee is that, you know, it’s very, very difficult to actually cover up your tracks unless you really know what you’re doing and that’s really where a forensic expert can help. Is when somebody tries to cover up their missteps, their tracks and if you get the right expert involved early, then you can at least have that evidence to really show the fact that or what was going on and why you are entitled to remedy under this federal act.

Lee Neubecker: And so Brian can you tell everyone some of the benefits, financially filing under this act?

Brian Michalek: Well, I think what you’re referring to is this act has one other wrinkle. It’s known as the whistle blower provision and basically it allows employees to blow the whistle and disclose what could be a trade secret and very limited fashion, if they believe that there is some wrongdoing. On the flip side of things, employers if they want to take full advantage of this act and maybe receive attorney’s fees should they win or exemplary damages in certain situations. They’re now tasked with including this whistle blower provision in employee agreements. Meaning they have to make note of it and specifically instruct the employee that this is an option and the mechanisms for which apply.

Lee Neubecker: So, the fully benefit from those people should revisit their paperwork, their confidentiality agreements and whatnot with their vendors and employees. Is that something that you could assist people with?

Brian Michalek: Yeah, absolutely. That’s something that we’re happy to talk with you about and if need be, we’re going to help and assist.

Lee Neubecker: Great, well thanks for being on the show.

Brian Michalek: All right thanks so much.

Lee Neubecker: Take care.