Nobody Leaves Empty Handed

What to do if you suspect your company’s intellectual property has been stolen


Protecting intellectual property is critical to building, maintaining and growing a successful company. Whether your business is high tech or low tech, big or small, the theft of intellectual assets can cause harm to revenue, reputation and company infrastructure. Intellectual property is a business asset and includes the intangible results of a company’s creativity and innovation. It’s just as important to protect and secure your intellectual property as it is your company’s physical assets.

In the past 15 years, one of the fastest-growing threats to businesses today is the misappropriation of IP. With the proliferation of smart phones, flash drives, cloud data storage and document scanners, businesses must protect themselves both against competitors and hackers obtaining documents from the outside, but also to secure their networks from inside actors such as disgruntled co-owners or employees who might walk out the door with a company’s IP. When a claim is made that IP has been used without authorization in the creation of a new company, product or service, the claim must be investigated and documented by qualified analysts the moment the theft is suspected. 

There certainly is technology that can track the movement of data from one business’s system to a competitor or a bad actor, but all evidence must be properly handled and recorded to effectively support or dispute the claim. When a claim is made or if you believe that IP has been used without authorization (especially in the creation of a new company, product or service by a former employee or co-owner), the claim must be investigated and documented by qualified analysts the moment the theft is suspected.

What steps should you take when IP theft is suspected?

The first step in an electronic IP theft investigation is to ensure that all data and devices including mobile phones, laptops and tablets of the suspect are identified, immediately preserved and not accessed by anyone. Lock the devices in secure storage to ensure that they won’t be tampered with until a forensic professional can take custody of them and begin the investigation. 

Each time an HR or IT professional takes a peek or conducts any searches of the devices, they run the substantial risk of unintentionally destroying or overwriting data, calling into question the integrity of the evidence. If the suspect’s computer is on when you find it, keep it on. If you turn it off, you could lose important evidence that’s stored in the computer’s memory. If you find it turned off, leave it off.

As part of this initial lockdown, be sure to turn off any remote access to the devices and remove the device from your network. Your organization should be without the use of these devices for the duration of the investigation so they won’t be able to reassign the devices to another employee until the investigation is complete.

As soon as possible, contact a computer forensics specialist to take custody of the devices, oversee and conduct the investigation into the IP theft. You should also contact an attorney, and obtain legal advice as to your business’s rights to recover data or seek other legal or injunctive relief.

What can computer forensics professionals discover during an IP theft investigation?

The use of an experienced (and licensed in some states) computer forensics examiner is crucial, regardless if you are the plaintiff or defendant. After proper preservation and collections techniques are performed, investigators may be able to answer and determine the following:

• What process was utilized to get the data out of the company environment?

• What files were recently opened? What files were recently deleted?

• Did the person still have admin or VPN credentials to access the network remotely?

• Was cloud storage recently installed on the device? Did the person use a cloud-based repository?

• Was an external device used? Flash drives, external hard drive?

• What was the USB activity? When was the last time a USB device was connected, and what was the serial number or brand of the USB device?

• Are there LNK files (shortcut files) and how do they connect to files and folders on a device or network?

• Did the person use a company or personal email account?

• What does the person’s internet history reveal?

• Did the person burn DVDs/CDs?

• Did the person print data?

• Did the person perform mass deletion or utilize a wiping program to cover their tracks?

• What do the device’s event logs say about activity that could confirm IP or refute theft?

A proper digital forensic investigation must occur to allow for a thorough review of the many artifacts hiding in various nooks and crannies to help tell the whole story. Forensic examiners search and review live files, unallocated space (where “deleted” data resides) and the registry, where many tell-tale artifacts live, showing system and program settings, and user preferences and actions.

Only a qualified and expert forensic examiner has the proper tools and techniques to find your smoking gun.

— Melinda Redenius is Chief Business Officer at Forensic Pursuit as well as an ACE certified computer forensics analyst and Private Investigator. Redenius has 15 years of paralegal litigation experience prior to joining Forensic Pursuit in 2010.

Previous articleChallenges at Every Phase in ‘Crimmigration’ Practice
Next articleCourt Opinions- Sep 10, 2018


Please enter your comment!
Please enter your name here