is often where the most significant evidence is found. Second, an
expert can reconstruct past access to file sharing and cloud stor-age
services to determine what, if anything, was transferred in
this way. Third, an expert can review different computer files to
determine whether and when USB devices were inserted, and
what files were moved. The searches are quite different depend-ing
on whether the devices are PCs or Macs and the expert must
have the relevant skills and knowledge. Again, these files are of-ten
an important source of evidence, particularly in departing
employee cases.
5. WATCH OUT FOR PRIVILEGE
While a company may own and have the right to access an employ-ee’s
work devices and work email accounts, that does not mean the
employee has waived solicitor-client privilege over any documents
or emails found in them. Companies must be very careful to identify
and avoid reviewing anything that is potentially privileged. Experts
are able to isolate and withhold such material from the company,
minimizing the impact on the privilege. If the company is conduct-ing
the investigation, it should seek legal advice in this regard.
CASE STUDY
A case study (drawing on two recent cases) demonstrates the im-portance
of these principles, and of points three and four above,
in particular.
A mid-level employee in the company’s sales division quit his
job without warning and immediately began working for a com-petitor.
The company suspected, but did not know for sure, that
he had taken confidential information. It identified and quickly
isolated his desktop computer, laptop, work email account and
mobile device – good first steps.
But then the company’s IT department began searching the em-ployee’s
devices and email account, without first making a forensic
image of any of the devices (this is not surprising, as creating such
images is usually outside the scope of their expertise). As a result,
the IT department’s searches ran the risk of destroying or over-writing
the very evidence they were looking for. And, although
the IT department knew to search for USB insertions, without
a forensic image and without proper forensic tools, their search
yielded only partial results and inadvertently deleted the remain-ing
information.
legal words
FOR BOTH LEGAL AND TECHNICAL REASONS, IT IS ESSENTIAL TO IMMEDIATELY
QUARANTINE AND PREVENT ANY ACCESS TO THE DEVICES AT ISSUE.
deepadesigns / Shutterstock.com
Continued on page 16
14 ❚ FEBRUARY 2018 ❚ HR PROFESSIONAL