Forensics for Theft of Trade Secrets

Trade secret theft is on the uptick again. Proactively understanding what it is, how it happens and what to do when it occurs will help prepare organizations to handle these incidents.

Our digital forensics practice has seen a recent uptick in theft of trade secrets (also called theft of intellectual property) cases. These cases typically follow a specific pattern:

  1. An employee or group of employees leaves.
  2. Prior to their last day, the employees harvest—steal—information considered proprietary to the employer.
  3. The employees surface at a competing business or sometimes form their own competing business, where the compromised information will be put to use.

Methods of Data Harvesting

Ten to 15 years ago, employees would harvest confidential information by printing it, copying it to a floppy disk or burning it to a CD. As technology evolved, the methods came to include DVDs, sending information to personal email accounts and copying to removable USB devices. Today, some of these methods persist, but they’ve been joined by cloud storage (e.g., Dropbox or Google Drive) and remote access. Whatever the method, the illegal harvesting of information remains.

Evidence of Data Harvesting & Related Activities

When a potential theft of trade secrets has occurred, digital forensics becomes necessary to properly preserve evidence and later examine it for signs of the theft. Areas commonly analyzed for evidence of data harvesting include, but are not limited to:

  • System files and hives – items that log the insertion and usage of USB devices, remote access to the system and history of file and directory access
  • Internet history – evidence of cloud storage sites, personal email, social media usage and search engine queries
  • Email analysis – evidence of files sent to personal or other email accounts (includes both company-based and personal Web-based email)
  • Timeline analysis – history of activities near the end of employment, particularly in the final days
  • Mobile device backups – text messages, email and call history, etc.

In addition, artifacts on the computer may point to the social aspect of trade secret theft—using search engines to identify and contact potential new employers, mapping sites to identify locations, social media activity related to connecting with new employers or customers and evidence of communications between employees and their prospective employers. We often find evidence in the form of offer letters, employment agreements and contracts and other communications.
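
The timeline analysis described above, as an added example that is not part of the original article: records from three of the listed sources are normalized to UTC, merged, and cut down to the final days of employment. The sample records, field layouts, domain names and watched-host list are constructed assumptions, not the export format of any forensic tool.

```python
from datetime import date, datetime, timedelta, timezone
from urllib.parse import urlparse

COMPANY_DOMAIN = "employer.example"        # assumption
WATCHED_HOSTS = {"cloud-storage.example"}  # assumption: examiner-supplied list

# Constructed sample records; the field layouts are assumptions, not a tool's export.
USB_EVENTS = [      # ISO 8601 local time with UTC offset
    ("2024-03-27T17:42:10-05:00", "USB mass storage connected, serial EXAMPLE0001"),
    ("2024-01-15T09:03:00-05:00", "USB mass storage connected, serial EXAMPLE0002"),
]
BROWSER_EVENTS = [  # Unix epoch seconds
    (1711579500, "https://cloud-storage.example/upload"),
    (1711493100, "https://search.example/?q=competitor+careers"),
]
EMAIL_EVENTS = [    # UTC timestamp, recipient, attachment count
    ("2024-03-28 23:05:00", "personal.address@webmail.example", 14),
    ("2024-03-20 14:00:00", "colleague@employer.example", 1),
]

def normalize(usb, browser, email):
    """Convert each source to (UTC datetime, source, detail, tag)."""
    rows = []
    for ts, detail in usb:
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        rows.append((when, "usb", detail, "removable-media"))
    for epoch, url in browser:
        tag = "cloud-storage" if urlparse(url).hostname in WATCHED_HOSTS else ""
        rows.append((datetime.fromtimestamp(epoch, tz=timezone.utc), "browser", url, tag))
    for ts, rcpt, count in email:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        tag = "" if rcpt.lower().endswith("@" + COMPANY_DOMAIN) else "external-email"
        rows.append((when, "email", f"to {rcpt}, {count} attachment(s)", tag))
    return rows

def final_days(rows, last_day, window_days=7):
    """Events from window_days before last_day through the end of last_day (UTC), oldest first."""
    end = datetime.combine(last_day, datetime.min.time(), tzinfo=timezone.utc) + timedelta(days=1)
    start = end - timedelta(days=window_days + 1)
    return sorted(r for r in rows if start <= r[0] < end)

if __name__ == "__main__":
    rows = normalize(USB_EVENTS, BROWSER_EVENTS, EMAIL_EVENTS)
    for when, source, detail, tag in final_days(rows, date(2024, 3, 29)):
        print(when.isoformat(), source.ljust(7), (tag or "-").ljust(15), detail)
```

Converting every source to one time zone before sorting matters here: the USB connection and the cloud upload land three minutes apart only once the local-time record is shifted to UTC.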

Best Practices

Following some of these simple best practices can help companies prepare for and respond to trade secret theft matters:

  1. Preservation – Hard drives are relatively cheap; when an employee is terminated or leaves the company, IT professionals should pull the hard drive and place it in a secure location, noting who pulled the drive, the date it was pulled and the employee’s name. The employee’s corporate email account also should be preserved along with any firewall or other logs related to the employee’s Internet usage. If the employee used a company-owned mobile device, that also should be preserved as well as any call or data usage logs kept by the service provider.
  2. Legal Team – Internal and outside counsel should be alerted when a potential incident occurs. These matters often “go legal” quickly; the earlier the legal teams jump in, the better the response can be formulated and put into action.
  3. Forensic Integrity – Having IT staff look around on the former employee’s computer may be the quickest way to determine if there’s an issue, but it also calls into question the forensic integrity of the evidence. Browsing through files on a live system can overwrite delicate evidence. Analysis should be handled by forensics professionals in a manner that keeps any evidence admissible in court.
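
One way to record the preservation details from item 1 so that the integrity concern in item 3 can be checked later, as an added example that is not part of the original article. The SHA-256 hash of the preserved image goes beyond what the list states, and the file, names, date and storage location are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def custody_entry(image_path, employee, pulled_by, pulled_on, location):
    """Record who pulled the drive, when, for which employee, plus size and hash."""
    return {
        "employee": employee,
        "pulled_by": pulled_by,
        "pulled_on": pulled_on,
        "storage_location": location,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def verify(image_path, entry):
    """True only if the image still matches the size and hash recorded at preservation."""
    return (os.path.getsize(image_path) == entry["size_bytes"]
            and sha256_file(image_path) == entry["sha256"])

def demo():
    """Create a constructed stand-in image, record it, then change one byte."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "drive.img")
        with open(image, "wb") as f:
            f.write(b"constructed stand-in for a disk image" * 1000)
        entry = custody_entry(image, "Departing Employee (placeholder)",
                              "IT Technician (placeholder)", "2024-03-29", "Evidence locker A")
        intact = verify(image, entry)
        with open(image, "r+b") as f:   # simulate a single byte changing after preservation
            f.seek(10)
            f.write(b"X")
        return entry, intact, verify(image, entry)

if __name__ == "__main__":
    print(demo())
```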

To have a successful plan in place to handle trade secret theft, planning should start before an incident occurs. Both internal and outside legal counsel should make sure all computer and Internet use policies are updated to cover any theft or destruction of data and that IT professionals are properly trained on how to handle preservation and chain-of-custody matters related to employee computers, devices and email accounts.

Companies best prepared for these incidents also have seamless communication among management, legal, IT, security/risk management and outside experts such as legal counsel and digital forensics consultants. That way, if an incident does occur, everyone’s on the same page concerning the protocols.


Lanny has experience in computer forensics and electronic data discovery assisting attorneys in litigation and disputes by uncovering electronic data to be admitted into evidence. He performs forensic image copying of computer media, as well as mining, analyzing and reporting on the recovered data.

Lanny Morrow – who has written posts on BKD Forensics.
