Hacking Exposed
Page 40
The general purpose and use of such agreements is fairly intuitive. Companies expend substantial sums in recruiting, training, developing, and supporting their employees, and in return they entrust their employees with access to critical information and clients that are instrumental to the company’s ongoing success. When an employee leaves such a position, the company naturally wants to protect against the employee’s use of that information to compete against it through another company or enterprise, as well as protect against the loss of information critical to its success. These types of agreements also limit or prevent departed employees from soliciting business from the same clients, as well as soliciting other employees with similar knowledge and skills from leaving and joining them in their new endeavor. While these types of agreements take many forms, in essence they all attempt to protect a company’s competitiveness in the marketplace.
However, while these types of agreements are often fairly specific in their application, many departed employees intentionally, or inadvertently, violate the provisions of their agreements. Often the relative availability of customer lists, sales databases, and other proprietary information that could be critically important to an employee’s new endeavor are too tempting to pass up. In other situations, the lines between what is considered an employee’s personal files and information versus corporate-owned information are often ill-defined.
If an employee fails to abide by the terms of a non-compete and non-solicitation agreement, it’s often the case that any “illegal” actions were contemplated before the employee left her company. Such employees often lay the groundwork for their competing interests before they leave, including initiating efforts to solicit customers, as well as employees, to their company or venture. The efforts to lay that groundwork are often evidenced throughout a company’s electronic records and files, including efforts to copy and extract propriety customer lists, sales databases, and marketing materials; communications with customers and other employees; and efforts to develop business and sales plans for new ventures based on the framework of their existing company.
What to Understand
When an individual is suspected of violating the terms of a non-compete and/or non-solicitation agreement, your first step is to define and understand the actual terms of the agreement(s) in question and specifically to what activities or actions they apply in relation to what is suspected or alleged of the former employee. Often what is or is not covered under such agreements may need to be defined by an attorney, especially since such agreements are most often written by a company’s lawyers. Understanding what activities are specifically prohibited may define the initial parameters for an internal review.
Second, you should understand what is suspected of the former employee to help you define what efforts should be undertaken from a computer forensics perspective to investigate the allegations. Do the allegations involve the simple appearance of a former employee’s efforts to compete against or solicit customers, or do the allegations involve the employee’s suspected use of corporate proprietary information in that effort? Often employees who violate, or intend to violate, non-compete and/or non-solicitation agreements also misappropriate proprietary company information to assist them in their efforts. Is the former employee simply in the marketplace advertising similar services or is the former employee advertising a similar product using a similar model, approach, and pricing structure, or suspected of using proprietary information (such as customer lists, sales databases) that may have been misappropriated from the company in his efforts? The answer to these questions can sometimes mean the difference between a violation of the former employee’s agreement to not compete against the company and, a more significant concern, that the employee misappropriated proprietary corporate information in support of that effort.
Third, you must determine whether the alleged or suspected activity of the former employee involves, or appears to be endorsed by, the former employee’s new company. Is the observed or suspected activity limited to the former employee or is there a concern that the former employee’s new employer may be supporting or even encouraging such behavior? Such questions have larger legal implications for a company beyond just a former employee’s violation of his employment agreement.
Finally, and more obviously, you must understand the timeframe of the alleged or suspected activity relative to the former employee’s departure. Such employees may gradually drift back into an area of competition against the former employer and in soliciting the same customers, especially if the company’s efforts to monitor and police the non-compete and/or non-solicitation agreement appear to be lax. The timing, and intensity, of a former employee’s violation may provide an indication as to whether the intent existed prior to his departure and the likelihood as to whether forensic evidence may exist to document such violation. However, the rapid development of a competing interest, the loss of customers, or the loss of other competitive advantages may give an indication as to the planning and resources involved and the potential misappropriation of proprietary information required to accomplish this feat.
Many employees who leave one company to join another, or form their own company, leave with the intent of continuing to provide the same level of service to the same customer base as in their former job, often in violation of non-compete and non-solicitation agreements. Those that do also often start their planning and transition process while working at their former companies. They also often succumb to the temptation to use, and remove, proprietary information from their current employers to enhance the opportunities for success in their new ventures. That fact, combined with the ease of copying and removing (or e-mailing) proprietary electronic information including customer lists, sales databases, and marketing materials, raises significant concern for many companies in relation to critical employees who leave where noncompete and non-solicitation agreements exist.
What to Look For
What to look for, as well as what time period to review, largely depends on the allegations or suspected behavior involving the former employee and whether it is believed the former employee initiated his efforts to violate the applicable non-compete and non-solicitation agreements before his departure and the likelihood that other materials and proprietary information may have been taken to assist in that process. However, we have observed definite patterns and/or trails of evidence in relation to the violation of these agreements, and these patterns typically start at the company before the employee’s departure, providing good starting points for conducting an initial investigation.
Theft of IP
It is very common to see violations of employment agreements and IP theft. As such, proving that an employment agreement has been violated is often more easily accomplished through demonstrating that the former employee is also guilty of IP theft. Generally, if an individual intends to walk out the door with her team, she will usually take customer lists and other proprietary information as well. From an organizational standpoint, this can pack a real one-two punch, as not only has company talent walked out the door, but they have taken the company secrets and information along with them.
Detecting Theft of IP
We discussed IP theft in detail in Chapter 16. Everything there applies in this situation as well. Look for evidence of customer lists being accessed and data being downloaded from servers and other large data dumps. Find out how the employee copied the information off the computer, whether it was through burning a CD-ROM, using a USB drive, or e-mailing out files. Keep in mind that in situations when an entire team leaves a company, the person who commits the IP theft rarely seems to be the main individual. Usually it is someone else on the team, so it is important to identify who else was involved and employ the same IP theft investigation techniques to them as well as the main players.
Who Is Involved?
Sometimes the violations of employment agreements occur in a vacuum, where one rogue employee is off doing his own thing. Often, however, this is not the
case. It is important that you investigate who else may have been involved and what that person contributed.
Determining the Scope
The first phase in determining who is involved is good, old-fashioned gumshoe work. Figure out who the person associated with, who were his friends, and who reported to him. As you are going through the computer of the individual under suspicion, look at who he e-mailed, both with corporate e-mail and in the webmail caches. If he communicated on a regular basis or if questionable content was sent to other employees at the company, you’d be prudent to take a look at their computers as well. I worked on a case in which a team leader took his team to a new company, along with his assistant. His assistant was dating the purchaser at the company they left, a connection that we didn’t discover until late in the investigation. We couldn’t figure out how they were getting the internal pricing and customer lists over to the new company until we took a look at the purchaser’s computer and realized that the purchaser was actually sending the information to them. Understanding who was involved and how they all related to each other was vital in digging up this piece of information that broke the case wide open.
Evidence of Solicitation
Determining the web of those involved is vital; so, too, is finding evidence that the employment agreement was actually broken. The key is to find the documents or other timeline events that can show that solicitation occurred. Meetings, phone calls, and e-mails can all be helpful. In one situation, we actually found an offer letter that stipulated that if the person successfully brought over his entire team, he’d get a bonus from the new company.
Finding the Evidence
While trying to find the evidence of solicitation, keep in mind what is needed to solicit someone. E-mails are the obvious first place to look. But don’t forget to consider evidence beyond that as well. Look at calendar entries to determine whether any meetings were set up at the request of the alleged solicitor. If you have access to them, phone logs can also indicate who was talking to the new company before leaving the present firm. A thorough document review can be vital as well. After we found the offer letter mentioned above, the case was settled the next day.
Evidence of Improper Competition
Looking for violations of the non-compete can be a tricky thing. If you are fortunate, you’ll find evidence of solicitation or IP theft on the computer. In such a case, you can use that evidence to get the computer and e-mails of the individual from the new company. Obtaining this data is vital in these types of investigations. Getting this data will also require the assistance of outside counsel and generally outside experts. Once you do get it, however, you can do a few things to find the pertinent evidence.
Finding Evidence of Improper Competition
After you have acquired the other company’s computer, you will run all the same types of searches you ran on the original computer, but with some slight modifications. Generate a customer list from the company that may have been improperly approached. Run these customer names as keyword searches across the hard drive, including unallocated space. More often than not, you will find keyword hits both in the allocated and unallocated space that are contained in e-mail fragments. The individual at the competing organization may feel “safer” by communicating with clients openly, thinking that the company he left won’t be able to get hold of his communications. You may also find evidence in both e-mail and user documents that tie up loose ends from leads you find on the original company’s network. For instance, in one case, an employee used code words for his meetings to avoid scrutiny. Once he got to the new company, he stopped using those terms, and it was easy for us to see that when he wrote “meet me about a personal issue,” he actually meant “meet me so I can take your business with me to the new company.”
Also, additional data can be helpful to see who he is still communicating with at the old company and what his future plans may be. In one situation, we actually found an Excel spreadsheet on the new company’s network that contained a list of employees at the old company and the dates they would be transitioning to the new company, all without the old company’s knowledge.
TYING IT TOGETHER
Employee misconduct encompasses a wide array of behavior by current and former employees that may be in violation of corporate policies and procedures, employment agreements, and/or federal and state employment laws. While companies endeavor to provide guidance to their employees through employee handbooks, by posting required federal and state regulations for employees in the workplace, and in monitoring various aspects of their employees’ day-to-day responsibilities, employees can abuse and misuse the responsibility with which they are entrusted in myriad ways.
Employee misconduct can pose significant risks to the operational productivity and efficiency of a company’s workforce, and it can expose the company to the risk of lawsuits and investigations in relation to employment discrimination and harassment matters. The misuse of corporate assets, as well as the conduct of former employees and their adherence to the terms of conditions of employment and severance agreements, can also cause disruptions and inefficiencies in the workplace and put a company at risk for the loss of customers, competitive advantages, and ultimately revenues and long-term profitability and success.
A company’s objectives can be varied in responding to the various allegations of employee misconduct, depending on the nature of the allegation and the perceived risks to the company. In some situations, a company may want to ensure only that the behavior is identified and corrected. In others, a company’s efforts may lead to termination of the employee or employees. In other situations, the company may seek restitution or legal remedies in court against the individual, especially when employment agreements have been violated or when assets or other proprietary information may have been misappropriated. In each instance, the company may need to rely on documented evidence of the misconduct and/or in appropriate behavior to support its arguments for change, termination, or legal recourse in the form of monetary damages.
While not all types of employee misconduct will involve computers, networks, and other electronic systems, the proliferation of the use of e-mail, text messaging, shared network drives, removable storage devices, and voice mail, among other systems, increases the likelihood that evidence of questioned conduct has been recorded, tracked, or memorized in some form by the employee in question or perhaps the employee’s coworkers. Your ability to identify that evidence and the manner in which the evidence is collected can be important in working with management, outside counsel, and others to address the identified concerns, including efforts to mitigate the potential risks to the company.
What Is the Risk to the Company?
After the identification of potential misconduct by an employee, you need to determine the risk to the company. The greater the perceived risk, the greater the effort focused on identifying and collecting evidence to support some action by the company, whether it be in terminating an employee, seeking restitution, or filing a lawsuit. The perceived risk will likely dictate the required level of response and the relative importance of employing the computer forensic techniques outlined in this book.
You must attempt to define the level of perceived risk so that the relative response can be formulated, including the company’s efforts to investigate the alleged misconduct. Regardless of the perceived risk, the computer forensic techniques and procedures defined here provide a strong framework for identifying, gathering, analyzing, and documenting evidence in relation to identified incidents. Often, single pieces of evidence can be the difference between an employee keeping her job or being terminated, whether post-termination benefits are paid, whether an individual’s misuse of corporate assets was limited to personal pursuits or larger potential risks to the company, and whether the company is at risk for losing customers or other competitive advantage to a former employee and her new competing interest.
Poorly or sloppily gathered evidence and/or presentations of finding
s can undermine the level of confidence outside parties will place in the evidence in determining whether alleged conduct occurred or rises to a level of termination or other potential legal action. Likewise, incomplete evidence and unanswered questions may leave the company exposed if a broader pattern of misconduct existed or involved proprietary corporate information.
Looking at Intent
While the question of intent (that is, why something was done) is of paramount importance in relation to matters of IP theft, fraud, and other illicit activities, it can also be important in employee misconduct matters. In many cases, employee misconduct is driven by inappropriate behavior, personal biases, and prejudices in the workplace. In other cases, it is primarily the result of a lack of unawareness of corporate policies and procedures and federal and state laws. Misconduct can often be addressed through education and training or by termination of the employee in question. However, some employee misconduct is driven by motives for personal gain or with the intent of doing harm to the company. In these cases, understanding intent, as well as identifying and gathering evidence in support of intent, may be important in defining the scope and breadth of the investigation undertaken, as well as the potential recourse that can be sought from the employee through legal or other means.