Investigating Employee Theft: Uncovering the Tracks

December 9, 2015

There’s nothing unusual about employees leaving the business. With the upturn in the economy, an increasing number of ex-employees are joining competing businesses, or even competing directly as a new start-up. For some, the temptation to take confidential information to assist in the spring boarding of a new business proves too strong.  

This article describes a method of tackling ensuing litigation head-on with the aim of uncovering wrongdoing and preserving evidence at an early stage without giving the ex-employees the chance to cover up.

Stage 1  Client contacts instructing solicitor 

Something will have triggered the client’s concern that its business is under attack. It might be the discovery of an email attaching confidential material being sent to an external address by the defendants prior to leaving. Often, however, such clear evidence is not available and the defendants have taken steps to cover their tracks. Suspicion might arise via a tip off or as a result of customers mentioning they have been offered a better deal by the defendants. Customer lists and databases of contacts  are very valuable to ex-employees as they not only provide  a ready client base but may also contain confidential information of considerable value to competitors.  

The client will want to know its options. While in most types of litigation, the defendant is written to in the first instance in the hope of reaching a resolution without court proceedings, a concern here is that if the defendants become aware that the client is ‘on to them’ they might try and hide or destroy evidence.  Most clients are unaware that it is possible to make an application to court without telling the defendants. This is a key weapon that can be deployed.

The client will be asked to provide as much information and evidence as possible. In appropriate cases the client will be advised that the steps detailed at stage 2 below will assist. Going to the court without notice to the defendants requires the client to provide all relevant evidence (whether or not in its favour); the clearer the evidence of misuse, the more likely the court will intervene.

A range of court orders is available. Typically the claimant will be asking the court to grant an injunction on the ex-employees preventing them carrying out further acts (such as contacting customers or using the claimant’s information) until trial. The court may order the ‘delivery up’ of documents belonging to the client.  In some cases, a court may order that a client’s solicitors be permitted entry into the ex-employee’s premises in order to image computer devices (and other equipment) and thus preserve evidence. An order granting entry to premises is a more invasive order and will require more compelling evidence of harm.

The court will expect the client to move quickly once it is aware of an attack. Delay can be fatal to any application as the court will ask how the client can possibly be suffering irreparable harm if it has known about the situation but has not acted.

Making an application of this type is front-loaded. A lot of the work that would be done in the later stages of a claim over an extended period is instead done quickly before the claim has even begun. That necessarily involves cost but, in circumstances where a client is suffering irreparable harm and is trying to save its business from an attack, the client will often realise such costs are a necessary part of that business protection.   

Stage 2 The Plan 

IT Group will devise a plan of the likely digital evidence and examine the leavers’ laptops, memory sticks, server access and web usage logs. The client will often already have evidence from its own records that raises suspicion. This initial suspicion will need to be supplemented with hard technical evidence of wrong-doing. If the user returned his or her laptop or mobile phone this can be the source of the initial evidence.

Previous examinations have focused on the hours before or after the letter of resignation had been drafted. We often observe a correlation between this specific letter being drafted and the activity of accessing confidential information and transferring it to media where it can be accessed later. Currently favoured activities are transferring to cloud based storage such as Dropbox, iCloud, SkyDrive, Google docs or transfers via Skype chat or simply emailing the files and plugging in USB memory sticks.  

Stage 3 Client Review 

The evidence from the initial examination is reviewed by the client and the instructing solicitor with support from IT Group.

If there is a lot of potentially relevant evidence to be reviewed, then it is often advisable to set up a review platform so that the client and the instructing solicitor can review the evidence remotely and at little additional cost. At this stage, the core objective is to ensure that any key evidence is collated so that it can be presented to the court in an easily accessible and understandable manner. 

Stage 4 Presentation and Advice 

IT Group creates a usage timeline and suggests what other information may be available, what devices have been plugged into the laptops and which websites or cloud storage may have been used to store confidential material.

Modern forensic examination tools and techniques allow practitioners to assemble a graphical timeline of a suspect’s user activities across all examined devices (servers, PCs, laptops, tablets and mobile phones). This can provide a single, consolidated view of files accessed, chat messages, emails, websites visited, USB sticks plugged in and Google searches completed. It is often the case that this timeline, together with some thoughtful searches, quickly reveals any wrong-doing.

One of the initial searches that IT Group recommend is the search for the wink emoticon ;-). It is surprising how many tech-savvy suspects use this wink in emails and chat messages to mirror real life ‘just between you and me’ comments made face-to-face. This may be evident in emails the defendants were sending themselves from or to their work emails which even if then deleted may be recoverable. 

Stage 5 The ex parte order 

A barrister is instructed and together with the instructing solicitor they draft an application for an ex parte order.

An affidavit must usually sworn by a director in the claimant company. This will set out the background to the claim, the investigations, what has been uncovered and why the claimant believes there has been wrong-doing.

The court will require a number of safeguards to be put in place before any order can be executed. A ‘supervising solicitor’ will need to be appointed (ie an independent solicitor), who will make sure that when the defendant’s premises are searched, everything is explained to the defendant and the search is carried out appropriately.  IT Group will also be required to comply with certain rules (see stage 6 below).

It is important the barrister is involved in the drafting and presentation of the evidence from the start. He or she will need to produce a skeleton argument setting out the basis for the application, how the relevant legal tests are satisfied in this case and why it should be granted. The court will want to ensure that any order is clear and is limited only to those matters necessary to prevent further harm to the client.   

Stage 6 Reporting 

IT Group, acting as a technical expert witness, files a report and witness statement.

Part 35 of the Civil Procedure Rules governs the duties of experts. As part of being involved in the process IT Group need to give certain undertakings to the court and often file an affidavit and/or witness statement confirming these undertakings. They will be known as the independent ‘computer expert’. Even though IT Group will be instructed and paid by the claimant, they have a duty of independence and a duty to the court.  The focus will also often be on helping the court to understand whether the counterparty has taken steps to delete material and/or whether any ‘forensic wiping’ software has been used. This type of evidence can be important and will have an impact on the court’s decision on whether to grant the order. It may justify the without notice hearing because you can show the court that the ex-employees have already taken steps to cover their tracks and might do so again if given notice of the application.  

Stage 7 The application  

Due to their urgent nature, applications of this kind will often be heard on the day the application is made or in the subsequent couple of days.

The judge will expect the legal team to ensure he has all available material in his possession and is aware of any arguments that the defendants would likely have raised if they were present at the application. The Judge will order that there be a ‘return date’ – a further hearing set for a week or two weeks after the order is executed – which will be on notice to the defendants.

It is at the initial hearing that the legal team earns its corn. They must ensure that the client’s case is presented fully but also ensure the court is not misled and in doing so protect the client’s position further. The legal team must also take a full and complete note of the hearing to be produced in a coherent form as soon as possible and this must be provided to the defendants in due course. Failure to comply with these procedural points can have severe consequences, including the discharge of any order at the return date and payment of costs. 

To grant an order for delivery up of documents or evidence preservation, the court will need to be satisfied that the claimant has presented a ‘case to answer’. It does not look too much into the legal merits of the overall claim but considers only whether the client has an arguable case. The main task the court undertakes is to look at the prejudice to either side that will occur if the order is granted or not granted.

If the order sought includes an order for entry to premises, the test that the claimant must meet is higher, requiring a strong prima facie civil case, risk of serious harm to the claimant, clear evidence that the target of the order has the evidence in their possession, a real possibility that they will destroy such evidence. Furthermore, the harm that will be caused to the ex-employees must not be disproportionate to the legitimate aim of the order.

The claimants will be expected to give an undertaking to the court that if, for whatever reason, the order is discharged and the ex-employees have suffered loss, they will be compensated. 

Assuming an order is made, the court will expect it to be executed as soon as possible and will expect the claim to be formally issued without delay.

The order itself will contain a penal notice. This explains to anyone served with it that failure to comply with its provision could result in them being sent to prison. The supervising solicitor will need to explain the order fully to the defendants.

The legal team must now prepare for the ‘raid’. This will include preparing copies of all the documents that were before the court to be given to the defendants, liaising with the supervising solicitor and IT Group to make sure everyone can attend on the same day and making covert enquiries as to when the defendants will be at the premises.  

Stage 8 The Raid 

The execution of the order is attended by the instructing solicitor, a supervising solicitor and IT Group’s on-site forensic investigators.

Dependent on the subjects of the order, it is served on the defendants/respondents at their home, at the premises or registered office of the new company, any combination of these or any other location the court deems relevant. The appointed supervising solicitor will enter the property and serve the papers to the surprised subject(s).

Once in the premises, the computer expert will first photograph and label all items covered by the order (computers, laptops, memory sticks, etc.) so that they are ready to start the process of forensic imaging (a technical process which creates a complete and identical duplicate of all content on a device). This is quite a slow process and could take two to three hours per computer and 30 minutes for each mobile phone. The end result is forensic disk images which are effectively a complete copy of everything on the defendants’ systems at that date. This will often include deleted data.

Once the disk images have been obtained, the instructing solicitor is permitted to search them for certain things as defined in the order (eg for the claimant’s confidential information or evidence of misuse documents). This is typically done in the presence of the defendants, the supervising solicitor and the computer expert.  Typically a searching platform is set-up to facilitate this thus for example enabling keyword searches or searches for specific types of documents. The client’s input into what key terms to use will be vital.

Whilst at the premises the defendants will also be interviewed and asked whether they have taken any confidential information. Failure to answer these questions truthfully is a breach of the order.  

Stage 9 The aftermath of the order, settlement – the views of the parties  

One advantage of this type of order is that convincing evidence will commonly be uncovered at an early stage that shows that information was stolen. Such evidence will often show that the defendants have lied. This gives the claimant a great advantage in proposing a settlement.  Now is the perfect time to ‘cut a deal’. The client will as its core objective want its information returning and its costs paid. It will also expect the defendants to give promises to the court that they will not do this again.  

Stage 10 Post settlement, the clean-up and purge of the information 

Assuming the case settles, a clean-up that can now be completed with some certainty by using relatively new techniques called ‘hash matching’. Hash matching involves a process of calculating the MD5 hash value of the complete set of one party’s confidential documents (this could include office documents, databases, photographs and any electronic files) and then comparing these hash values (a series of 15 character simple text files) with all of the hash values of all documents on the counterparties’ servers. This allows the identification of any confidential material that has been found on the defendants’ computers without revealing the content of any material to them.   

Andrew Lee is a solicitor and Senior Associate at Brandsmiths ( specialising in contentious intellectual property matters along with media and privacy work. Andrew has successfully obtained many orders for clients of the type described in this article.

Daniel Burgess is a barrister at Blackstone Chambers specialising in a number of areas of law including commercial litigation. He is regularly instructed in applications of the type described in this article.

Jason Coyne is a Partner at IT Group ( and an IT Expert specialising in dispute resolution. Jason is frequently instructed to undertake forensic examinations relating to ex parte orders and in criminal defences and prosecutions.