Viewpoint: How Computer Forensic Examiners Help Investigate Digital Misconduct

​An employee was terminated by his supervisor for misconduct. The fired employee immediately advised HR that his supervisor had been looking at, and sharing, pornography on a work laptop. Possible wrongful termination, whistle-blowing concerns, and violation of policy and procedures were now on the table. Because both parties were IT professionals, HR chose to engage another company to perform a neutral computer forensic examination on the supervisor's laptop.

HR frequently uses in-house IT resources to review digital evidence of wrongdoing. This practice can come with some litigation dangers, conflicts of interest being the most obvious. HR needs to know when using in-house IT is appropriate and when outside resources may be needed. IT's job is to keep the network host and client computers running smoothly and to correct any technical issues. That is their specialty and their training. But computer forensic examinations are investigations that are best conducted by specialized examiners.

In the above case, the forensic examination showed that the supervisor's laptop had fewer than a dozen partially nude photos of adult females. The images were sent to his e-mail by others outside the organization. The images depicted were not meant to be sexual but to be humorous. Closer examination determined that the photos were not forwarded to company employees by the supervisor. A review of other computer data did not show the supervisor searching the Internet inappropriately. All keywords and phrases used in search engines were documented. Browser activity, both archived and deleted, did not reflect any policy violations. The IT supervisor received discipline in the form of a verbal warning but was not terminated.

The advantage to the HR staff was that they had a defendable neutral investigation performed. Had the incident progressed to a hearing or litigation, the company also had a court-verified expert forensic witness to testify on its behalf.

Breaches of Loyalty

Computer forensic examiners have seen an increase in business litigation related to breaches of loyalty and fiduciary duties by employees. Employees are jumping to greener pastures or deciding to start their own competing business. Unfortunately, when employees leave, they frequently are leaving with a part of the company. Customer lists, marketing plans, product designs, bid sheets and invoices can go out the door with them.

A sound HR policy should include a procedure for the preservation and examination of digital media for key employees leaving the company. Suspensions, terminations or unusual resignations should trigger the policy. The policy should include securing any company cellphones, network e-mail archives, cloud accounts and, more important, the hard drives of any employee desktop or laptop.

It is not unusual to discover months after a termination or resignation that a breach of loyalty, theft of proprietary documents or embezzlement has occurred. In addition, individuals can file sexual harassment or discrimination litigation at any time before the civil statute of limitations runs out, which could be months later, as well.

It is also not unusual for IT to simply turn over the departing employee's laptop to the replacement employee. This could destroy evidence and create a disadvantage for the company in any future litigation. Removing the hard drive and securing it is an inexpensive option. IT can easily put in a new hard drive and place the computer back into service. This way, evidence is maintained if needed in the future for litigation.

When HR is notified of a termination, suspension or sudden resignation, part of the HR department's policies should include gathering as much information as it can to determine if preservation of digital evidence is a wise decision. This may include consulting with corporate counsel and IT. Facts that would trigger the policy could include the employee position or access to proprietary information or finances. Once the digital information is preserved, the company doesn't have to worry about accidentally destroying evidence unlawfully. Evidence that the employee exported data or documents to USB devices or personal cloud accounts, unusual accessing of documents beyond the employee's job needs, or evidence of forwarding data to personal e-mail accounts can be preserved, as can Internet browsing history, texts and e-mails, and other communications.

In a recent case, multiple employees resigned from a company on the same day to start a competing company. Forensic examination showed the transfer of the company's intellectual property via USB-connected external storage media, while texts and e-mails revealed the history of the plan and even the sharing of their resignation letter content. Calendar notes reflected meetings with the company's existing clients after the date of the resignation. Internet histories showed maps to possible locations the former employees were looking to rent for office space for the new company. Counsel used all of this as evidence of a breach of loyalty.

Working with Computer Forensic Examiners

If you choose to hire a computer forensic examiner, do your homework. Ensure any examiners have experience testifying as expert witnesses with regard to the type of issues that you have in litigation. Make sure they can present technical evidence in a clear and understandable way to a judge or jury.

It is also important to understand costs. Is there a monthly maintenance (storage) fee for holding on to your digital evidence until it is no longer needed? Will specialized software specific to your company data be needed? These questions should be answered prior to an engagement. Does the examiner use cloud accounts for storage or processing? Depending on how sensitive your data is or government regulations, you may not want your data in a third-party cloud. Despite encryption, cloud accounts have been hacked. The safety of your data should be discussed as part of the process.

In one noncompete case, terabytes of evidence were examined forensically. The company could show that the ex-employee caused a financial loss of only $17,000 to the company. However, the defendant was found to have tampered with the evidence after litigation had begun. Hard drives were switched out of computers, cloud accounts were not disclosed, chat was not documented, and files were deleted. The court, finding unlawful destruction of evidence by the defendant, ordered the ex-employee to reimburse the company for all court expenses, including the forensics and legal costs, in an amount exceeding $400,000. Any incident response plan by HR should include a forensic accounting and computer forensic resource that can be contacted for consultations as soon as possible when these types of events occur.

Brook T. Schaub is the manager of computer forensics and e-discovery for Eide Bailly LLP in its Minneapolis office. He is a retired police sergeant who has been performing computer forensics for more than 20 years. He assisted the Minnesota legislature in updating statutes related to electronic evidence.