As a forensic consultant, the phone is constantly ringing. Calls come from law firms and from corporations; you never know who you will be talking to when you pick up the phone. More importantly, the other unknown when you pick up the phone is the level of technical knowledge the person you are talking with has. Over the years, we have worked with people that we have had to educate on technology and in other instances we have dealt with technologically savvy individuals. I am not saying that your legal team needs to understand technology at the same level as your forensic consultant, but it is critically important to your case that whoever is involved, knows how to properly work a theft of IP case.
One of the first cases that I ever worked on for a theft of IP was with a senior partner of a mid-sized law firm. While talking with him, it was readily apparent that his understanding of technology was fairly low. He would never ask questions and wanted me to believe that he completely understood technology he was dealing with. As we worked together, I realized that I would have to mix case details with technology education, without making him realize I was teaching him. Lucky for us, the lawyer on the other side knew even less about technology than the lawyer I was working with. My client won their case and everyone was happy, but I have to share one last question that I was asked by the lawyer I had been working with after the case was completed. He asked - “What is a hard drive?” I was shocked. I didn’t know if I should laugh or cry, as we had been talking about data being stolen from hard drives throughout the entire case. From that moment on, I paid very close attention to the technical knowledge level of everyone that I worked with.
Before I continue, a disclaimer. I’m not here to tell you which law firm or specific lawyer you should work with. I’m not talking negatively about any specific firm or specific lawyer. But as my years of experience have shown me, I have found it very important that when you are selecting counsel for a case; make sure to retain lawyers that truly understand technology and that your case is not the first time that they have been involved with theft of IP. I would encourage asking for a list of theft of IP cases that they have taken to trial and ask for references.
And here is why.
Home Based Employee Case Study Continued:
I’m going to jump back in to our home based employee case study that we have been discussing in previous blog posts. Again, I am not here to say this is a bad firm, nor am I hear to say that the lawyers at the firm that I worked with should not be used again for cases like this. I want to point out opportunities to work the case differently, allowing the case to move along faster. Perhaps more importantly, potentially reduce and maybe even eliminate legal fees for our client.
Let’s recap a few of the key things that happened after we gave our initial findings report to the original law firm:
· Our client thought they would be better represented by having a law firm that was based in the location of the two employees that left.
· The firm that they chose was a very large international firm.
· The transition to the new law firm for our part of the case was not smooth. Weeks passed and no contact was made even though we were the only ones with “smoking gun” evidence in this case.
· Knowing that time was of the essence in order to get a TRO; concern was growing that I had not heard from the new law firm for weeks after I was told about the change.
· When the new law firm called us, it as an associate of the senior partner that the corporation had hired, and we were told that they had received the report and that someone would get back to me.
· Weeks went by and I received another call to “understand” the findings of the report. To the law firm’s defense, because of the home based network that one of the employees had, it was not your typical report and the complexity of the report would have been difficult for all but the most technical lawyers to understand.
· In the end, the new law firm opted not to pursue a TRO against the two departed employees. They wanted to “play nice” assuming that the employees would just turn over their personal devices when requested to do so.
· The employees each retained their own lawyers to fight turning over their personal devices and instead of heading to court to fight this battle of stolen IP, it was decided to opt for arbitration instead.
· Upon the decision to go through arbitration, we did not hear from the new law firm for the next 8 months.
So we pick up the story 8 months later. To be honest, we thought the case had settled and we were not notified, as our emails and phone calls were going unanswered. Then out of the blue, I got a phone call from the associate at the firm. We were told that they were in settlement discussions with both of the former employees and they needed our help finishing up writing a settlement agreement. I asked them to send what they had up to this point and I would make changes and recommendations to it. What she told us next was very alarming. We were told that the agreement was actually in final stages of development and both the arbitrator and the lawyers for the other sides had already seen it. At this point, we knew we had a potential problem.
From the discussions 8 months prior, I had already figured out that both the associate and the senior partner at this firm had limited knowledge about technology. Because of the very technical details of this case with this large home network, concern was growing over what we might see in a settlement agreement that had been drafted without our help. When the document arrived, my suspicions were correct. It was one of, if not the worst settlement agreement that I had seen in 20 years being a forensics examiner. Here are some of the highlights:
1. One employee admitted that he still had the virtual machine (VM) that contained corporate email but yet the settlement agreement stated that they agreed to take at face value the word of the former employees that they had no data in their possession.
2. The employees agreed to send the computers to check for IP, but there was no timeline for when the machines needed to arrive at our facility for forensics investigation.
3. In the initial reports, we listed countless devices that were used and might contain stolen IP, and they didn’t ask for most of those devices to be sent to be investigated.
4. We were prohibited from telling our lawyers and our corporate client what devices were actually coming in.
5. We were prohibited from telling our lawyers and our corporate client how much data we were searching on the devices that came in.
6. We were prohibited from telling our lawyers and our corporate client if we were finding any stolen IP.
7. We were prohibited from telling our lawyers and our corporate client how much stolen IP we had found.
8. We had to redact our invoice to remove any identifiable information that would inform the lawyers or our corporate client anything relating to points 4-7. Basically we were only able to hand them an invoice with a dollar amount and no supporting documentation. Not the way we usually do business.
9. Most importantly, the company that had their IP stolen had to pay.
Horrified does not even begin to describe how we felt about this agreement. This agreement failed to take in to consideration the type of technology in question and how that technology can not only be used to store IP but how we as a digital forensics company can identify our corporate client’s data contained on the machines and drives. We feared this agreement would end up being a very large and costly mistake. We raised our concerns with our client but they said they trusted the new law firm.
We suggested corrections/changes to technical aspects of the settlement agreement and at the same time, we created an internal protocol for how we were going to be handling the data that arrived from these two former employees. We were able to change the settlement so that the individuals would have to turn over anything that they had in their possession or household that could store electronic information. Items that this included were:
1. All laptops/desktop computer (including ones belonging to kids/spouse)
2. All USB devices that were used at the former employer, their new employer and at home (including kids/spouse).
3. Cell/Smart phones that could store email or documents (including kids/spouse)
4. Cloud based storage accounts
5. Online email (ie, gmail, yahoo, etc)
6. All NAS and DAS devices
7. Their new work computer
8. Their new work email and network shares
The reason we created that list is that we had evidence that the stolen IP had been moved and stored on some of the first 6 types of devices listed. Based on our experience, we assumed that the data also made its way to the new work computer and network. It took a few more months, but the technical changes we suggested finally made their way into the settlement agreement. Our requests to remove the language which did not allow us to effectively communicate was not granted so points 4-7 remained in the settlement agreement. I knew this was a disaster waiting to happen as we had never not been allowed to talk to our client about what was happening – especially when they were paying for the work.
Jumping ahead, some of the devices from the large home network started to show up. Surprise! The devices we received had large amounts of storage space and they were all pretty full. We quickly realized that we would not be searching a few GB’s of data; we were going to be searching terabytes and terabytes of data (one device alone had 8 terabytes on it) blowing our price estimates out of the water. But now we have a problem – we can’t tell our client any of this, but they are asking for an estimate of what the cost would be. When we told them a dollar number, there was dead silence on the phone. Then there was anger. Then there was a demand to tell us how we got that number and all we could say was there is a lot of data but I can’t tell you anything else because of the settlement agreement. They had no idea the amount of data that we were being sent, and we had not even received 50% of the data yet. It was finally beginning to sink in to them that this might not have been a very good settlement agreement. The project was immediately put on hold due to cost considerations.
We told them that there was not much we could do unless some part of our hands were untied. The attorneys went back and got part of the settlement agreement removed so I could now tell them how many devices had come in and how much data was on each device. When we told them – their jaws dropped. But yet, I still could not tell them how much IP I was finding.
The law firm decided to have us search for very specific extensions to reduce costs. While this might sound like a reasonable idea to reduce cost, we had already found IP in file formats that were images, audio and video. The only way to search these types of documents is to actually put “eyes on the file”, meaning someone would have to take the time to review each one. The law firm and the client decided in a cost benefit analysis it was not worth having someone review those non searchable files.
The law firm also decided to reduce the number of devices that were going to be delivered to us. They had already agreed on doing the search and delete on a rolling production, meaning we would get a few machines to run the protocol on them and then send them back. Here is the problem with this scenario. If there were other machines still at their homes that were not sent to us, yet contained IP, they could very easily go ahead and move the files between machines. In our initial protocol, we would have looked for this type of file movement, but our original protocol was scrapped. The law firm had limited understanding of what technology could do and at what cost. They also decided not to take a look at all machines and devices in their household. This meant all the former employees had to do was say a computer belonged to their spouse, and they wouldn’t have to send it in for inspection, even if it contained IP.
All along we were ringing alarms bells to our client as much as possible. I even asked our corporate client, if you are not going to do it right, why even do it at all. They went silent and couldn’t answer the question. They finally came back to us confirming their trust in their law firm. Here is the sad reality. We finished the project with the new protocol developed by the law firm, objected to by us. The law firm wasted their clients’ money and after all was said and done; we know that the two employees still have copies of IP that they took.
The mistakes that were made by the new law firm because of their lack of understanding in both technology and IP theft cases were some of the worst we have ever seen. If you remember in my last blog post, the other case that I outlined had roughly 2000 documents stolen and they were awarded $14 million in damaged. In this particular case, there were millions of documents stolen (we assume well over 8 million files were stolen) and we believe that some of them are probably still in the employee’s possession. In the end, our client was awarded nothing due to the settlement agreement, yet they had more than $1 million in legal and third party fees that they had to pay for out of pocket.
The choice not to listen to our expert advice and the decision to “play nice” backfired costing the corporation millions in legal and other associated fees and their competition is probably using their IP as we speak. Had the law firm worked the case differently, understood the forensics process, and understood the capabilities of the technology, the company would have been able to have all the IP identified and removed and have the other side pay for it.
Moral of these stories - when you have a theft of IP case, do your due diligence. Do not assume that the law firm you currently utilize can handle a theft of IP case. Theft of IP is very serious and very costly. Make sure law firm treats it that way also.