An interesting article (available through Law360 subscription) by Mark Cooper and Richard Bacon at Eversheds Sutherland, specifically relating to the TBD (Owen Holland) Limited v Simons & Others [2020] EWHC 30 (Ch) case.  This case presents a scenario that is all too common where an employee leaves Company A to join Company B and is alleged to have taken confidential data with them to use at Company B at the expense of Company A.  A search order is often sought in these scenarios to ensure that documents that could be relevant to the case are preserved.

Although I am not able to comment on the case from a legal perspective as the authors do, it is interesting to see how the facts played out in this scenario.  We often get involved in assisting on these type of cases where we act as the independent computer expert during the execution of an order.  

When these orders are sought, from a technical perspective, it is important to ensure that they take into account the way people use technologies and where data may be stored.  For example, it is not simply the computers in the buildings subject to an order that could hold relevant documents, but much data can exist in the Cloud or in data centres - therefore, how this data is included in an order must be considered.

Equally, virtually all devices and on-line accounts that need to be captured will have some form of security around them, sometimes just a username and password, but often they can also have two-factor authentication built in.  These factors must also be considered in the drafting of the order.

And as this article points out, the preservation is just the starting point with the data.  Any further actions, which will need to be properly agreed by the parties and/or the court, will include two distinct technical processes:

  1. The first will involve preparing the user-created documents (e.g. emails, office documents, PDF files etc) to be indexed and analysed to determine a set of documents that can be reviewed.  
  2. The second will involve a more forensic analysis of the captured data, looking to recover artefacts that could also be useful to the case, for example, recovering deleted files, extracting Internet browsing history and identifying USB devices connected to a machine.

These processes will often include steps that include the identification of materials that may not be reviewed, for example privileged data, so that it can be isolated and excluded from the ongoing process.

If you'd like to know more about our experiences in respect of search orders, please feel free to contact me.