Data Detectives

Specialists in uncovering lost or hidden data are fast becoming strategic legal weapons.
John P. Mello Jr.March 1, 1998

Vermont Microsystems was a comer in the software business. It made a hot add-on to a popular computer-aided design (CAD) program. But after one of its key employees left to join the maker of the CAD software, it found its fortunes sinking. Many of the performance improvements its product added to the CAD program suddenly appeared in new versions of the competitor’s software.

The officers at the Winooski, Vermont company began to suspect the former employee was also a cad.

The question was, how to prove it? Before he left the company, the employee had “wiped” the files on his hard disk. That is, he had destroyed certain proprietary information he’d had access to while at the company.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

But the worker forgot one thing. Although he deleted all the data in the files, he left behind traces of the directory structure–the names of the files and other structural information about them. By comparing the directory structures from the former employee’s old computers with the directories on his computer at his new job (via a court order), Vermont Microsystems obtained weighty evidence that the person had stolen proprietary information. “That was a key factor in convincing the trial court that he had taken our stuff,” says company president Peter Reed.

The detective work done at Vermont Microsystems is characteristic of a new discipline called computer forensics–a discipline that’s fast becoming a cottage industry. Since Vermont Microsystems knew a thing or two about computers, it did most of the forensic work on its own. But to date, more than a dozen computer forensic specialists have set up shop across the country (see sidebar, page 88). Equipped with just a description of the hardware and software in use, these cybersnoops can help a client determine whether certain information exists, and, if it does, where it might be located. Not surprisingly, such data detectives are fast becoming the new best friends of litigants looking for evidence in cases ranging from theft of trade secrets to software piracy to discrimination based on age, sex, or race.

“Computer data provides a strategic weapon for litigators that they never had before,” says Tom Galligan, president of two-year-old Electronic Evidence Recovery, in Middletown, Rhode Island, who has seen revenues jump 300 percent in the past year.

Before the lawyers are called in, however, a computer forensics expert can be a company’s greatest ally–by ensuring that its information house is in order. “Each disaster awaiting corporations unprepared to deal with electronic data discovery is an opportunity for those who do prepare themselves,” write John H. Jessen and Kenneth R. Shear, both of Seattle-based Electronic Evidence Discovery, in a recent article for the American Corporate Counsel Association. “Given current trends, it is only a matter of time until the discovery of electronic data in litigation becomes the primary type of discovery. In the transition period, those who are ahead of the game will reap substantial benefits; those who are unprepared will pay. And pay. And pay.”


The need for data recovery expertise, contends Galligan, is a direct result of a growing loss of control over business information. Sensitive data that was once kept secure in fortress mainframes is now on hard disks and tapes in every far-flung corner of an organization. Companies, he adds, often don’t know what information is accessible for viewing and by whom. “When I go onsite to retrieve data, I have a field day,” he says. “Companies are astonished when they appear in court and see what I’ve recovered.”

No one is more surprised than the company leadership, agrees Joan Feldman, president of Computer Forensics Inc., a provider of electronic discovery and risk control, in Seattle. “[Company executives] are usually at arm’s length from their own data–it’s on an administrative assistant’s machine or down the hall in data services,” she says. They are even more surprised to find that “just as Oliver North discovered, when you hit the delete button on your computer, it doesn’t really delete the data on it,” says Peter Lacouture, a partner with the law firm of Peabody & Brown, in Providence.

The problem has only been exacerbated by the rise of virtual offices and telecommuting. All types of information, including illegal courses of action, have been uncovered on laptops and home computers, says Feldman. “We usually ask to see those computers, too,” she explains. “They’re generally full of information because most executives don’t take the time to prune those systems.”

In addition, the explosive growth of E-mail has provided fertile ground for data detectives. “E-mail is very important in litigation cases,” Lacouture says, “because people have a tendency to put things in E-mail that they would not write in a memo on their company letterhead.” E-mail, he says, is particularly important in discrimination and sexual harassment cases. “People think they can use E-mail and no one will ever see it. That’s not true.”


Guarding against the abuse of sensitive information, say experts, requires the development of an electronic evidence management plan that will prepare companies for reviewing, evaluating, and retrieving electronic data. And the core of any data management plan is a data retention policy.

“Many companies have retention policies for paper documents, but not for computer data,” Galligan says. “That’s ironic, because computer-based information is far more vulnerable to leaks than paper-based information.”

Lacouture agrees. “The most important thing companies can do is develop thoughtful document-retention policies,” he says. “You don’t have to keep everything, but you have to give some thought to what classes of documents you’re going to keep and how long you’re going to keep them.”

In fact, one of the most glaring errors companies make when they deal with computer data is that they store information too long. “Information services people are not provided with appropriate guidelines for how long they should keep information,” Feldman says. “The tendency in IS departments is to keep everything that fits and not look at what’s being stored or how it might be harmful to the company.”

Jay Squires, a computer evidence consultant with Ontrack Data Recovery, which is in Minneapolis, adds: “The problem is that companies are a little more cavalier about the storage of computer data. Basically, it’s so easy to store, you don’t have to worry about buying filing cabinets or purchasing off-site storage space.”

Ultimately, documents should be kept for one of three reasons, says Electronic Evidence Discovery’s Jessen: Your business needs them to function; the government says you have to keep them; or they’re needed for legal purposes.

E-mail, on the other hand, should be purged at least once a year. In addition, she says, “Any E-mail policy worth its salt should state that no employee should have an expectation of privacy on the E-mail system. It should inform employees that any E-mail stored or received on a company system is the property of the company and not the individual.” Such a policy can prevent embarrassing situations for employees when someone has to read their E-mail, and it puts the burden on employees to use the E-mail system in ways that won’t come back to haunt the company, she notes.

Documents that aren’t vital should be destroyed in a systematic and timely fashion, say experts. Such action can also make it easier and cheaper to comply with a discovery request. A forensic computer jock can save a company “hundreds of thousands of dollars” if he’s consulted before discovery lawyers begin knocking on the boardroom door, says Feldman, whose firm in the past year has tripled its staff and quadrupled its case load. “And those hundreds of thousands of dollars can be saved in complying with discovery orders alone,” she says. “It doesn’t include the dollars lost if they lose a court case because of bad documents on those computers.” Feldman cites a case she’s currently working on in which her firm has already billed a defendant $150,000 in discovery costs–and the meter is still running. For $20,000 to $50,000–the cost of a data audit by a computer forensics firm–the defendant could have averted much of that original cost, she argues.


Most companies have the expertise in-house to maintain and monitor sensitive information. The problem, says Feldman, is that the work doesn’t get done. Because of the time-intensive nature of computer forensics, “it’s usually easier to bring someone in from the outside to pull together the diverse elements that need to be assembled,” she says.

Those elements include representatives from the corporate counsel’s office, data security, human resources, and records management. “The first inclination of a company is to have information services do this,” she says. “And our answer to that is, ‘You’re already doing that, and that’s why you have a problem.’”

But Jessen and Shear argue that the typical IS department isn’t equipped to make the kinds of decisions that need to be made when evaluating data. “The traditional computer department sees a file as an item to be managed and processed, regardless of its content,” they write. “This management plan, however, revolves around the content of the file, whether or not it should exist in the computer system at all, and, if so, for how long.”

Without someone riding herd on this issue, forensic experts agree, it will quickly be neglected. “It’s like records management,” says Feldman. “You don’t think about it until you’re in the middle of being sued. At that point, you’re pretty much out of luck. You’re not in a position to make thoughtful decisions or take a contemplative approach to the overview of your material,” prior to the litigation. Adds Lacouture, “Businesspeople should consider this issue before they get into litigation, because if they wait until they’re in litigation, it’s too late to do anything but comply with the discovery requests.”

When hiring a cyberdetective, however, it would behoove a company to check credentials, Jessen warns. “It is critical for companies that are looking for assistance in this area to look at credentials and look at capabilities,” he says. “There are people out there now claiming to do this work who get a lot of press and a lot of attention and have totally falsified credentials.”


The increased use of cyberevidence in the courts is opening a Pandora’s box for Corporate America, suggest Jessen and Shear. They write: “Electronic evidence is fast becoming a central focus of discovery in litigation in U.S. courts, and this development presents enormous problems for corporate counsel. Moreover, with changing discovery rules, rapid accumulation of electronic data, the growing and uncontrolled use of electronic mail, and the increased use of sophisticated backup and archive systems, the problem will only intensify in the coming years.”

As powerful as evidence from computers can be in court, it may only contribute to a Pyrrhic victory, as the folks at Vermont Microsystems discovered. They used the fruits of computer forensics to win a case against one of their competitors for filching their technology. The competitor incorporated the technology into its product and essentially erased the Vermont company’s market.

The settlement in the case is still being hammered out in the appeals courts, but Vermont Microsystems has been reduced to a shell company whose sole reason for being is to collect the proceeds of the settlement. “I’m the last employee of Vermont Microsystems, and my sole duty is managing the lawsuit,” company president Reed observes. “I never thought a major part of my career would be this.”

John P. Mello Jr. is a contributing editor of CFO. (Chart Omitted)