In a case where I’d identified evidence of a departing employee’s data theft, plaintiff’s counsel sought an affidavit in support of a motion to gain direct access to the new employer’s data storage to see how the stolen data was distributed and used. I replied that I could supply the testimony but offered that the wiser strategy was not to move for direct access but instead seek an agreement or order that the other side’s forensic expert hew to an agreed-upon examination protocol. That would afford opposing counsel a proper opportunity to withhold and log content deemed privileged or otherwise outside the scope of discovery.
I’ve worked both sides–and the middle–of countless so-called “bad leaver” cases, where employees are accused of taking data from one employer to another to secure a better job or a competitive advantage. When I’m in the middle, I’m a court-appointed neutral examiner and, in that trusted role, it’s appropriate that I see the whole picture by looking at all implicated devices and accounts: the sources from which data was taken, the transfer media and the target devices and accounts where stolen data and its progeny reside. As a neutral examiner and attorney, I’m well-situated to balance the need to know what happened against the need to guard against improper or abusive discovery.
But when I’m acting for the party suing a competitor alleging data theft, viz., as a partisan expert, the party suspected of benefitting from the theft must be protected from unduly intrusive access to their devices. Both sides have trade secrets requiring protection and both engage in privileged communications with counsel. As well, material encountered on examination often has no relevance yet hurts and shames just by being divulged.
As a partisan working for one side or the other, I’d like to be able to say, “trust me, I’ll be bulwark against revealing your privileged communications and irrelevant stuff,” but that’s not a role I covet absent considerable trust and an express agreement. Trying to be partisan and neutral fosters divided loyalties, and as an attorney, I’m obliged to avoid conflict of interest or anything that looks like it. Lay examiners should, too.
Trust is devoutly to be wished in these situations…but it’s hard to trust those you believe to be thieves. Justified or not, that mistrust frequently extends to those protecting the thieves, i.e., their counsel. So, in the absence of trust in people, the law trusts in sound and transparent processes. In these matters, a well-crafted forensic examination protocol ensures that the right evidence is scrutinized in the right ways, and material legitimately withheld is protected.
By setting out what devices and sources need to be examined, what artifacts must be assessed and reported upon and how much oversight and transparency is allowed, the opposing expert serves as proxy for my hands and eyes. Keyword searches and hash matching alone don’t cut it; a good examination protocol encompasses the singular signs of data theft and makes it difficult to suppress indicia of bad behavior. A good protocol makes production of evidence and artifacts the rule unless there’s legal justification to withhold relevant and responsive evidence—and then there must be disclosure via a privilege log or other means. I discuss drafting forensic examination protocols further in this article. The points made in the article are just a start: proper protocols are tailored to the issues and evidence in the case, and constructed to promote integrity of process.
Can all this be abused? Sure. But, effective e-discovery is a marathon, not a sprint. Certainly, this is true of efforts to seek sanctions. If the process just described can be proven to have been gamed or corrupted, judges respond aggressively to protect the integrity of their courts, among those responses the turnover of an opponent’s devices, that is, the dread direct examination.
So, the takeaway: though sometimes direct access can be secured by agreement, don’t jump straight to a motion to compel access to an opponent’s computers and data storage when the other side says “no.” Instead, pursue alternatives that fairly balance legitimate needs for disclosure against legitimate needs to protect trade secrets, privacy and privilege. Do this using a well-crafted forensic examination protocol that obliges the other side to engage competent people, deploy them competently and afford reasonable transparency. The other side remains responsible for discovery until it’s clear they can’t be trusted. Then, follow up by asking the Court to appoint a properly trained and -certified neutral examiner. Seeking to compel access to an opponent’s digital media is a last resort and should be treated as an extraordinary remedy—a punishment for discovery abuse more than a tool of discovery.