Confidential data is a critical asset for most organisations and therefore needs to be protected as such.  This article reviews a case in Italy where an employee had covertly given the company's former general manager some confidential company documents without any authorisation to do so.

It is always interesting to read about cases such as these and their global reach - this one being in Italy.  Regardless of jurisdiction, digital evidence often plays a key role in determining the who, what, where, when, why and how of an investigation.  This not only involves looking at the documents and emails present on relevant systems, but also undertaking a forensic examination to identify additional intelligence and evidence for the case.

A forensic examination can entail attempting to recover deleted files (which can be very insightful), analysing Internet usage - especially where webmail (e.g Gmail) or cloud file storage sites (e.g. Dropbox) are used, and probing into how the machine was used - for example, which documents were recently opened, what other devices have been connected and which network folders have been accessed.

The most important step is to preserve the potential evidence in the first place, as soon as potential issues may be realised.  In many cases we have been asked to investigate devices used by former employees which have subsequently been reused by others, which at the very least muddies the waters if you manage to find relevant information.  Companies therefore need to seriously consider preserving the systems used by key employees who decide to leave, regardless of the situation, to ensure they can investigate if needed.