In previous blog posts we covered the in’s and out’s regarding employee’s stealing confidential company information (hyperlink) and the role of forensics after employee data theft has occurred (hyperlink). To provide some context, we discussed how having the most efficient and thorough internal policy or preventive measures in place can still result in employee data theft. It may be unsettling to realize that a resourceful and persistent employee may inevitably be able to steal Company data. The role of computer forensics is pivotal in helping to gather information and evidence about the perpetrator, which enables the employer to seek legal redress. Legal Remedies may include monetary damages or an injunction.
Unfortunately, many employers do not realize an employee has taken confidential information until weeks or months have passed and this will hinder any legal claim. As is the case in most legal settings, by altering the former employee’s computer it will diminish the value of the evidence uncovered and consequently prevent a successful claim. That is why digital forensics Corporation recommends preserving the digital contents of a former employee’s computer by making a forensics copy of the hard drive or mobile device. Should suspicions arise in the future concerning theft of confidential information or other potential causes of action, the evidence obtained from a forensic examination conducted on the hard drive “mirror” will be as credible in Court as if the original hard drive had been preserved and examined.
Once a breach of security has been detected the remedies available to the former employer are limited. The Computer Fraud and Abuse Act (CFAA) have limited application to stolen confidential electronic information. This statute authorizes losses to be recovered in a civil action. However, “losses” are defined as loss or damage suffered by computer systems. This means that losses of revenue, unfair competition, among others are not recoverable under the statute. Therefore, an injunction is used more frequently as the legal remedy in a case of stolen electronic information followed by a claim for damages based on misappropriation of trade secrets.
However, to support this claim of theft, evidence of actual damages must be shown. One example of a successful injunctive order that was issued and upheld was the case of Dental Health Products, Inc. v. Ringo. In this case, Ringo was accused of stealing confidential information from his employer. He had been issued a laptop by his employer which allowed him to access highly confidential information about customers, business practices, negotiating strategies, and sales reports. In 2008, Ringo’s employer noticed that his sales were declining and Ringo submitted his resignation soon after. That same month, his employer learned that Ringo was divulging trade secrets with a direct competitor.
Computer forensics investigated Ringo’s company laptop in which it was revealed that Ringo had installed and used special software (Norton Ghost) to copy the entire hard drive onto an external hard drive on multiple occasions. Although the Court deemed this evidence insufficient to grant injunctive relief on a violation of CFAA because ‘loss’ to the computer system must be shown, the court granted injunctive relief on the grounds that it found the plaintiff had presented a case sufficient to find that Ringo misappropriated trade secrets of his employer.