eClaris Blog | When Employees Leave - What about their data

<< GPSolo Fall Meeting and National Solo & Small Firm Conference | Seventh Circuit Ediscovery Pilot Program >>

When Employees Leave - What about their data

Tuesday, 20 October 2009 08:27 by slkatz

When I was a General Counsel, we started a policy in my company of retaining the hard drive of the employee. In some cases we would also copy the email store from the server and the network share to a DVD and keep a copy. This isn't something we started out doing, we had a couple of employees leave to work for competitors who we were pretty certain had taken our proprietary data when they left. Once we experienced that, we realized that we would have been better off to have the original hard drive. Forensic tools can capture whether data was copied onto an external drive, whether data was deleted, and can often recover deleted data. If we had kept the hard drive, we would have been more able to substantiate our case that our intellectual property had been stolen. Subsequently we kept the hard drives, and there were several instances over the next few years when referring back to them was useful, not just for purposes of potential litigation, but also to find records that were otherwise unavailable.

If I were still the General Counsel I would change this policy slightly and instead of just keeping the hard drive I would keep a forensic image which I would store on a server in an archive. I would do this for two reasons (a) hard drives can fail too easily if just put in storage, and (b) once an image is made I can review information from the image without damaging metadata or deleted data on the files.

If a company does this, it also is smart to have the image made forensically, using forensic recordkeeping, write blockers and software in case it needs to be used in litigation. That way there is less concern about authenticity or spoliation.

Frequently when disputes arise with employees, one of the first things that happens is that IT looks at the computer. This is a bull in a China shop approach that makes alterations to the data, and causes it to be looked at by technicians who are not trained in finding data. It also could put the internal staff at risk of being called as witnesses. Not all employees may be likely to steal data or bring lawsuits, so some companies may adopt a policy of imaging drives only for employees who have had access to critical data or who are likely to sue. In my experience, the cost of keeping the data was small, and there were many times we were glad to have kept it.

Be the first to rate this post

Currently 0/5 Stars.
1
2
3
4
5

Categories:		Articles \| Data Forensics
Actions:		E-mail \| Permalink \| Comments (0) \| Comment RSS

Sample eDiscovery Court FormsDisclaimer: Due to the changing nature of the law, the forms contained on this blog may become outda...Litigation Support Computer Forensics Challenges Most litigation support staff understand the basic challenges of electronic discovery. However, w...Navigating eDiscovery: A Guide for Law FirmsThe description is used as the meta description as well as shown in the related posts. It is recomme...

When Employees Leave - What about their data

Related posts

Search

Tags

Categories

Pages

Archive

Blogroll

Disclaimer