Published in Thomson Reuters Practical Law and Practical Law The Journal

An organization faces substantial and time-sensitive business risks when it discovers that a recently departed employee shared the company's trade secrets or other sensitive materials with a competitor or that a current employee is secretly taking steps to create their own competing business or misappropriate the organization's proprietary information for another purpose.  When investigating these activities or pursuing related litigation, an organization often needs to quickly identify, preserve, and, if necessary, collect important electronic evidence.

If not addressed in a timely manner, e-discovery issues may unduly complicate the employer's assertion of claims against the former employee (and, when applicable, other third parties).  Delays may also impact the organization's ability to fully determine the extent of the employee's actions or prevent any further misappropriation of the company's electronic assets.

This Note examines the types and sources of electronically stored information (ESI) and other evidence that is often important in these types of investigations, outlines the relevant considerations for preserving, searching, and remediating those sources of information, and offers practical workflows to navigate personal privacy objections from the former employee or other concerns raised by third parties.  This Note also discusses how organizations can establish data loss prevention practices by setting policies and using technologies that can help safeguard trade secrets.

Potential Claims and Relevant Evidence

Employees who leave their employer and take proprietary information to a competitor may subject themselves (and possibly their new employer) to potential claims for theft or misappropriation of trade secrets, conversion, breach of fiduciary duty, or breach of an employment agreement (including provisions regarding confidentiality and non-competition) (see, for example, CaramelCrisp LLC v. Putnam, 2022 WL 1228191 (N.D. Ill. Apr. 26, 2022)).  If other employees leave with the former employee, the employer may also have viable claims for violation of a restrictive covenant for the non-solicitation of employees, tortious interference with contract, employee piracy, corporate raiding, or unfair competition.

Types of Potentially Relevant Evidence

In restrictive covenant or trade secret litigation involving a current or former employee, the employee's electronic devices are often a treasure trove of relevant information.  In addition to the organization's proprietary information, relevant ESI may also reveal how and to where the employee copied or transferred the company's information, communications about what the former employee was doing, or how the employee may have attempted to conceal the improper conduct.  While it is impossible to provide an exhaustive list for every case, the types of relevant documents or ESI to search for in these types of cases may include: 

  • Documents (for example, Microsoft Word, PDF, spreadsheets, presentations, or other office documents), which may exist in the exact form copied from the former employer or in an altered state. In many situations, metadata from these documents may also reveal the original author or date of creation or last modification.
  • Email communications.
  • Text messages (short message service (SMS) or multimedia message service (MMS)).
  • Instant messages from workplace collaboration tools or other messaging platforms or applications (for example, iMessage, Slack, and What's App) (see Red Wolf Energy Trading, LLC v. Bia Cap. Mgmt., LLC, 2022 WL 4112081 (D. Mass. Sept. 8, 2022) (awarding sanctions for failure to produce highly relevant Slack messages related to trade secret misappropriation and alteration of algorithm evidence)).
  • Ephemeral messages (for example, Snapchat, Signal, and Telegram).
  • Call logs and voicemails.
  • Electronic calendars, contacts, tasks, notes, and memos.
  • Photographs and videos.
  • Human resources or personnel files, employment applications or agreements, and company policies.
  • Structured data from company databases (such as customer relationship management (CRM) systems or other systems housing company trade secrets), which may include the trade secrets themselves, the user's profile, or the user's activities (audit trail) within the system.
  • Global positioning system locations and activity.
  • Internet protocol (IP) addresses and login information, which can help identify devices the employee used.
  • Evidence of recent activities on the device, such as:
    • copying, printing, accessing or transferring certain documents or files;
    • logging in to a cloud-based email account or file-sharing system;
    • obtaining access to physical sites or document storage locations;
    • internet activity, such as browser logs or Google search histories, that may reveal what the user was viewing or searching; and
    • efforts to conceal the user's activities, such as deleting documents, clearing internet browsing history or cache, performing a major system update, installing other software, or restoring or "wiping" a device (see Int'l Fin. Co., LLC v. Jabali-Jeter, 2019 WL 2268961 (E.D. Pa. May 28, 2019); Systems Spray-Cooled, Inc. v. FCH Tech, LLC, 2017 WL 10154221 (W.D. Ark. Feb. 22, 2017); Organik Kimya v. Int'l Trade Comm'n, 848 F.3d 994 (Fed. Cir. 2017)).

Common Sources of Relevant ESI

An organization may store relevant evidence across many devices and other data sources, including:

  • Email accounts.
  • Computers (laptops or desktops).
  • Servers.
  • Cell phones and tablets, possibly including backups of cell phone data stored on iTunes or iCloud (see Prudential Def. Solutions, Inc. v. Graham, 2021 WL 4810498, *7 (E.D. Mich. Oct. 15, 2021)).
  • Removable media (such as hard drives, USB or flash drives, CDs, and DVDs).
  • Collaboration or instant messaging platforms (such as Slack, Microsoft Teams, and Google Hangouts Chat).
  • Ephemeral messaging platforms (such as Snapchat, Signal, and Telegram).
  • Document Management Systems (DMS) or cloud-based document storage accounts (such as Dropbox, Box, Google Drive, OneDrive, and SharePoint). In addition to the documents themselves, these systems may also include audit trails or account histories that track logins, views, printing, downloading, file transfers, or file sharing, which may also be relevant.
  • Social media accounts. This may include public posts, an individual's contacts and connections, private messages, the dates of any updates made to the profile or account, photographs or videos, devices or IP addresses used to access the account, and other relevant account history.
  • Printer spool logs on computers, which may show which documents were last printed and when.
  • Paper documents or physical items.
  • CRM systems or other databases used to store or export customer and client information or other trade secrets.

Some sources may be owned by (or in the possession, custody, or control of) the organization, while others may be owned or controlled personally by the former employee or a third party.  For each relevant individual in a case, counsel should try to identify all devices and data sources used and determine which individual (or what entity) owns or is in possession of each device or source.

While certain kinds of evidence may not be readily accessible to or detectable by a layperson, forensic specialists can often find evidence of a user's activities by using forensic tools.  Specialized tools often work best when working with an original device or a complete forensic image, instead of a backup or copy of the user-created content (like a My Documents folder).

Preservation Obligations and Common Risks of Loss

Parties generally must take reasonable and proportional steps to preserve relevant information once they are aware of pending or reasonably anticipated litigation (see, for example, Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217-18 (S.D.N.Y. 2003); The Sedona Conference, Commentary on Legal Holds, Second Edition: The Trigger & The Process, 20 Sedona Conf. J. 341, 351 (2019)). 

The duty to preserve arises "when that party has notice that the evidence is relevant to litigation or should have known that the evidence may be relevant to future litigation." (Prudential Def. Solutions at *5, quoting John B. v. Goetz, 531 F.3d 448, 459 (6th Cir. 2008) (duty was triggered based on defendants' emails contemplating legal action and noting some text messages were saved "in case they needed to be used as evidence"); Sonrai Sys., LLC v. Romano, 2021 WL 1418405, *10 (N.D. Ill. Jan. 20, 2021) ("a demand letter threatening litigation may trigger the duty to preserve documents within its scope"); Int'l Fin. Co. at *15 (duty arose when defendant sent demand letters claiming IT investigation was pretext for pregnancy discrimination); Steves and Sons, Inc. v. JELD-WEN, Inc., 327 F.R.D. 96, 106 (E.D. Va. 2018).)

Scope of Preservation

An organization need not need to preserve every piece of paper, email, or electronic document in its possession, nor must it preserve duplicative copies of the same ESI (see The Sedona Principles, Third Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production, 19 Sedona Conf. J. 1 (2018) (Sedona Principles), Principle 5, at 93-96; Zubulake, 220 F.R.D. 212.)  An organization instead generally must only preserve key players' unique evidence that may be relevant to the pending or anticipated dispute.  (In re Ethicon, Inc. Pelvic Repair Sys. Prod. Liab. Litig., 299 F.R.D. 502, 517 (S.D.W.V. 2014), citing Zubulake, 220 F.R.D. 212; CAE Integrated, LLC v. Novak, 2021 WL 3008296, *6 (W.D. Tex. Jun. 7, 2021)).

Regarding the electronic devices used by a former employee, it is sometimes difficult to tell which party must preserve certain ESI because it is unclear which party is actually in possession, custody, or control of the evidence.

Complicating this determination, various jurisdictions define possession, custody, and control differently.  Some courts determine whether a party has a legal right to obtain the ESI. Others apply a legal right plus notification standard.  Other courts consider whether there is a practical ability to obtain the evidence. (See The Sedona Conference, Commentary on Rule 34 and Rule 45 "Possession, Custody, or Control," 17 Sedona Conf. J. 467 (2016)

Therefore, the ability to preserve or collect the information may depend on how and where the company stores the devices, documents, or ESI at issue and the terms of any contracts or company policies addressing the ownership of those assets.  This further illustrates the need to begin investigating quickly. 

Common Risks of Loss

An unreasonable delay in preserving ESI may result in the loss of relevant information in any matter and the risk is heightened in matters involving trade secrets.  In addition to potential spoliation concerns, because electronically stored trade secret information can be transferred with ease to other individuals, devices, email accounts, backup media, and cloud storage areas, it may be difficult (if not impossible) to track down and remediate all copies that may exist.   

While it is not possible to list all the ways information can be lost, the following risks to ESI are common in these types of cases:

  • When former employees are accused of wrongdoing, they may panic and begin deleting documents or even reformat or wipe their devices (see, for example, Sonrai Systems, 2021 WL 1418405 (N.D. Ill. Jan. 20, 2021)).  These actions, whether malicious or not, may permanently alter the documents and their metadata.
  • Even when innocently compiling information, an individual may move or reorganize files, print documents, change file names, or slightly alter a document's content.  These actions or even simple attempts to copy or save over the original document, may alter the document and its metadata or make the original versions unavailable. (See, for example, Healthplan Serv., Inc. v. Dixit, 2020 WL 12048884, *15 (M.D. Fla. July 29, 2020); OmniGen Research v. Wang, 321 F.R.D. 367, 375-76 (D. Or. 2017).)
  • The act of turning a computer on and off (particularly many times over a period of weeks or months) can flush out the older history of a user's activities, such as data contained in temporary storage areas of a device.  Depending on the condition of the computer, turning the computer on and off may also cause the hard drive to crash, making data recovery difficult or impossible.   
  • Many organizations have retention policies calling for the permanent deletion of emails, documents, or other information after a period of time.  It can be important to determine whether those policies exist, if and how they can be suspended or modified, and whether a collection is necessary to ensure no important information is lost while the investigation or litigation is pending.
  • Devices can get lost, stolen, damaged, discarded, repurposed, or simply more difficult to identify or track down over time.

Ways to Mitigate the Risk of ESI Loss

It can be important to ensure that the devices used by the former employee and other relevant witnesses are handled carefully.  When determined to contain relevant information, reasonable and prompt actions to preserve relevant content may include:

  • Talking with the organization's information technology (IT) personnel to identify devices and sources of relevant information to which the former employee had access and ensure that reasonable steps are taken to preserve relevant data located on the devices or sources.
  • Identifying any other individuals who may become witnesses and investigate what devices and relevant ESI they have. 
  • Sending litigation hold notices or preservation notices to individuals or entities in possession, custody, or control of relevant information, such as:
    • individuals within the organization;
    • cloud service providers that maintain some or all of the organization's relevant ESI;
    • neutral third parties maintaining relevant information; and
    • other parties to the litigation, including the former employee (see QueTel Corp. v. Abbas, 2017 WL 11380134, *5 (E.D. Va. Oct. 27, 2017) (detailed, specific and clear preservation letter established notice of potential litigation and employee's duty to preserve); Konica Minolta Bus. Solutions, U.S.A. Inc. v. Lowery Corp., 2016 WL 4537847, *4 (E.D. Mich. Aug. 31, 2016) (same)).
  • If necessary and appropriate, requesting in writing that the former employee return any company-owned devices remaining in their possession (ideally, this occurred when the former employee left the company).
  • Avoiding repeatedly powering any physical devices on and off to prevent further access or modification of relevant information until the device is imaged.
  • Identifying and suspending (or modifying), as appropriate, any organizational policies or practices that may impact relevant devices or ESI, including:
    • retention policies calling for the automatic deletion of relevant emails or other documents after a period of time; and
    • policies that the organization's IT department may have in place, such as deleting a former employee's email account or wiping and repurposing their devices at a set time (such as within 30 to 90 days after their departure), or overwriting backups.
  • Determining whether the organization has any policies in place concerning ownership of and access to any electronic devices used for work and the data on those devices.
  • After ensuring that disabling a user's access does not also delete their account or alter other relevant information, disabling the departing employee's access (and others' access as needed) to the organization's data to prevent them from logging in.
  • Obtaining and memorializing any user passwords, login credentials, and encryption keys necessary to open and decrypt the relevant devices.
  • Assessing whether a forensic e-discovery vendor may be needed to image or otherwise preserve relevant information on the devices, perform a forensic examination of the devices, or conduct other searches for relevant information.
  • When a device must be forensically analyzed, ensuring that untrained individuals do not analyze the device in a manner that alters relevant data (see CaramelCrisp, 2022 WL 1228191).
  • Creating and maintaining a chain of custody form related to any devices or data sources containing relevant information.  If preserving a physical device (in addition to or in lieu of copying files or imaging the device's contents), ensure that it is clearly labeled or otherwise identified as subject to a litigation hold and store it in a safe location to prevent it from being lost, damaged, stolen, wiped, recycled, or repurposed.
  • Preserving and collecting relevant ESI.  This may include imaging the most critical devices, collecting the most critical ESI promptly, and applying the proportionality factors to determine an appropriate preservation strategy for the remaining sources of relevant ESI (see FRCP 26(b)(1). 
  • Documenting efforts made to identify, preserve, and collect the information, including:
    • questions asked and facts learned about relevant documents and ESI;
    • the availability and location of relevant information;
    • the representations made by the custodians and other individuals with knowledge of where and how relevant information resides; and
    • decisions made not to collect or preserve certain data sources and the reasons why those decisions are reasonable or proportional.

An organization often does not know or even suspect foul play until it begins analyzing the former employee's computer, email account, or other data sources, possibly under the organization's departure policy or standard IT operating procedures.  A duty to preserve the evidence also may not arise until there is a reasonable anticipation of litigation.  In these situations, it may be unduly burdensome and expensive and not proportional to the needs of the matter, to image all of the former employee's devices before the initial review begins. 

An organization may instead wish to start its initial investigation by reviewing data sources that are unlikely to be altered during the review, such as email accounts, network storage locations, or other systems that are fully backed up.  If the cursory investigation reveals the potential for litigation involving the former employee, it may then be helpful for the company to image or otherwise collect relevant information from devices that may present preservation risks (such as computers, flash drives, and cell phones) before further searching those devices.

As the scope of discovery may change throughout the litigation or new facts are learned that may impact the relevance or availability of materials in the organization's possession, custody, or control, it can be prudent for parties to periodically revisit and adjust their preservation efforts (including the scope of the legal hold) as appropriate.  It can also be prudent to periodically follow up with custodians and others in possession or control of relevant information to remind them of their legal hold obligations and ensure that they are continuing to preserve relevant information.

Inspecting Another Party's Devices and Use of Third-Party Intermediaries

Disputes frequently arise when an employer demands direct access to devices and data sources that the former employee (or another third party) personally owns (for example, where the organization had a Bring Your Own Device (BYOD) program). In these situations, employees may:

  • Store sensitive company trade secret information in one folder on a personally owned computer or flash drive and personal photographs, financial information, private health information, or passwords in one or more other folders. 
  • Use a personal cell phone to text or send trade secret information to the new employer, but also text with family or friends about completely unrelated personal matters. 

In addition to irrelevant personal content, direct access to another party's computer systems or devices may also reveal confidential attorney-client communications or work product or their new employer's trade secrets and confidential information.  Gaining access to another party's devices or network may also unreasonably disrupt the former employee's ongoing work or business, endanger the stability and security of their new employer's systems, or expose private or confidential information belonging to other individuals or third parties. 

As a result, courts are typically reluctant to provide one party with access to another's devices or network. However, courts sometimes make exceptions, such as on a showing of:

  • Substantial need or a material failure of the responding party to meet their discovery obligations (see Sedona Principles, at Comment 6.d; see also Henry Schein, Inc. v. Cook, 191 F.Supp.3d 1072, 1078-79 (N.D. Cal. 2016).)
  • Good cause and the entry of a protective order to guard against any release of proprietary, confidential, or personally identifiable information (see Sedona Principles, at Comment 10.e). 

Frequently, related court orders appoint a neutral forensic examiner and establish a protocol for the inspection of the devices and ESI (see Intel Corp. v. Rivers, 2019 WL 7212314 (E.D. Cal. Feb. 19, 2019); Genworth Fin. Wealth Mgmt., Inc. v. McMullan, 267 F.R.D. 443, 449 (D. Conn. 2010)).  Benefits of using a neutral forensic examiner to assist with collecting, imaging, and analyzing the devices at issue may include:

  • Preventing spoliation or later transfers or use of the former employer's information by removing the relevant devices and data from the former employee's possession.
  • Securing the examiner's analysis and report on the user's activity (or lack of activity) and assistance with searching for and locating relevant documents and information on the devices.
  • Working with the examiner or their colleagues to load any disputed documents into a document review platform where the parties and their counsel can establish a protocol to search for and identify relevant documents and address any concerns regarding privilege, confidentiality, ownership rights, and potential steps for remediation related to any particular documents.
  • Obtaining the examiner's advice on or assistance with remediating the devices at the conclusion of the project.


When pursuing litigation against a former employee, the organization often seeks to remediate any devices that the employee used during their employment to store proprietary or confidential information that belongs to the former employer.

Remediating a device is often complex and difficult. Merely deleting a file from a user's desktop or My Documents folder and emptying the recycling bin does not fully delete the file.  This action instead simply removes the file from the more accessible areas of the hard drive. Specifically, this attempt to delete a file may only mark the space the file occupied as available memory (that is, memory that is available to be used for storing other files). Until that available memory actually is used to store another file, the original file may still be recoverable. 

To truly delete a document, forensic technicians often recommend wiping the entire device using US Department of Defense standards.  This approach returns the device to its out of the box condition, destroying all documents, software, and other content in the process.  However, one or more parties may have important content on the devices they want to keep (such as the individual's personal information or either employer's proprietary documents) and, if the litigation is ongoing, the parties may need to retain certain documents or information for litigation hold purposes. 

It is important to factor in all of these competing issues and develop a plan before remediating any electronic devices.  A remediation plan often requires:

  • The initial imaging and preservation of relevant devices.
  • A transparent process to review and identify both parties' information and resolve ownership issues.
  • An agreement on the appropriate disposition of the devices and data at issue.
  • The ultimate destruction of the forensic copies. 

Until a remediation plan is in place, the party in possession of the devices or data should be advised not to make copies of documents, move them to another location (even on the same computer or device), or rename or change any of the files.  Any of these activities can alter the documents' metadata and make it difficult to locate or match up those files later.

Cost Control

E-discovery costs can easily reach into the tens or hundreds of thousands of dollars, especially when using one or more vendors to assist with the forensic examination, search for relevant information, provide document hosting and production services, and perform remediation.  An organization is often best able to obtain good results and control costs if it is the first party to select and engage the vendor.  An organization may also address cost shifting in a third-party forensic examination protocol.  (See Genworth, 267 F.R.D. 443.)   

To save costs, an organization can:

  • Confirm that the e-discovery vendor is qualified and properly equipped to handle all phases of the project for which they are engaged.
  • Act early and perform a diligent investigation into the relevant devices and data sources, but factor in the proportionality considerations to exclude devices and data sources not reasonably likely to contain unique, relevant information (FRCP 26(b)(1).
  • Ask the vendor for a cost estimate or budget for each phase of e-discovery work.  If the vendor's scope of work changes during the matter, they should be able to provide an amended or supplemental budget that reflects the revised scope. 
  • Inquire about whether the vendor offers a departing employee package that provides discounts or specific cost-saving protocols for cases involving investigations or claims against a former employee.
  • Where possible, be transparent and reasonable with the other party in developing a protocol and exploring the use of an intermediary vendor that may help both parties reach their discovery goals.  Both parties may potentially spend enormous amounts of money on e-discovery, so selecting a single vendor and entering into a cost-sharing agreement may be a way for both sides to save costs.

Protecting Your Organization’s Trade Secrets

Organizations can proactively establish policies and data loss prevention practices to reduce the risk of employee misappropriation of trade secrets and other proprietary information.  Specifically, organizations can:

  • Identify and classify the organization's most sensitive and valuable trade secrets and, where possible, limit access to only those who require access.
  • Establish employment agreements and policies that contain clear but reasonable terms regarding confidentiality and nondisclosure of the organization's trade secrets and confidential information.
  • Tailor IT security around specific trade secret assets to include audit trails, ownership, and documents.
  • Establish an acceptable use policy providing:
    • the organization with a clear right of ownership and possession of all work-related devices and the information they contain; and
    • employees with notice that they should have no expectation of privacy related to company devices and that the employer has the right to monitor the use of those devices. 
  • Establish a litigation hold policy requiring employees to turn over any devices, documents, and ESI the organization must preserve for pending or anticipated litigation. 
  • Adopt a mobile device policy that balances the organization's risks and needs and includes terms to satisfy its legal hold obligations and data security interests.  For example, an organization may adopt a BYOD policy allowing employees to select and pay for and own their devices (sometimes with the employer paying for some of the related expense in a stipend or by paying for monthly cell phone service).  While BYOD policies may present initial cost savings, they can also create risks of confusion, complication, and add cost and delays in an e-discovery and legal hold setting. 
  • Use Mobile Device Management (MDM) software that:
    • containerizes company-owned email accounts, document stores, and information in other applications or databases and ensures that the organization's data stays on its servers instead of on the device itself;
    • prevents users from copying information from a secured area of the network onto personal or unmonitored areas of a device; and
    • if a device is lost or stolen (or the employee leaves the company), allows the organization to remotely wipe the device and discontinue access to the organization's network and data.
  • If allowing employees to access the organization's network remotely from a home computer or other personal device, establish secure connections, encryption, passwords, authentication, and access points to containerize company data and prevent it from being exfiltrated to a non-company-owned device or other external storage areas.
  • Train employees to keep their personal and work information separate, as the intermingling of personal and work data is one of the reasons why e-discovery expenses often spiral out of control (and in some instances, may be what causes litigation in the first place).  For example, they can be advised that if a device is to be wiped and personal data cannot be easily parsed from work data without great time or expense, the employee may lose personal information the employee preferred to keep. 
  • Consider adopting IT policies preventing users from copying or saving organization information on flash drives or other removable media.  If an organization allows the use of removable media, at a minimum, it should consider requiring it to be encrypted.  Organizations may also take steps to only allow specific individuals to copy to or from removable media and train these individuals to document and flag potential risks.
  • Adopt IT security protocols allowing the organization to monitor computers, cell phones, email accounts, and other points of access to the network to detect exfiltration of information from either external or internal sources (such as large transfers of documents and information). Some organizations use analytics and artificial intelligence to detect patterns in emails and communications that may signal when an employee is disgruntled or exhibiting other red flag behavior.
  • Create a policy calling for the organization's IT department to collect departing employees' devices and inspect them for suspected violations of the company's policies governing its trade secrets.  When establishing a timeline to recycle or repurpose former employees' devices, organizations should also consider their need to preserve evidence if there is a potential claim.
  • Audit all security measures and network access regularly.
  • Provide regular policy training and reminders.

Technology continues to evolve in both business and personal settings.  Organizations should continually reassess their policies, practices, and the tips outlined above, as they face new, practical considerations for preserving relevant evidence in litigation and safeguarding their most sensitive trade secret information.

By Josh HummelCounsel, and Lynne Hewitt, Senior Advisor, Redgrave LLP

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.

Download PDF