Computer Forensics: Saving Companies from Their Ex-Employees

Written by Ryan Lerminiaux
Monday, 04 February 2008 06:18
|
JRD recently performed work for a company that had terminated an employee for underperformance of his assigned duties as well as gross abuse of company-provided Internet access for personal use. The employer had admonished the employee on two previous occasions for poor performance and Internet misuse. The ex-employee continued to spend most of his day misusing his time on his company-issued laptop, looking up sushi recipes, visiting MySpace, or talking to his mom about dinner. During the meeting in which the employee was terminated, it was made clear to him why he was being terminated. The employer collected all materials and items that belonged to the company, such as his laptop and hard drives; his desk was cleaned out and he was escorted out.

Approximately two weeks after the employee was terminated, the company received a letter from the State of Maryland Department of Labor, Licensing and Regulations (DLLR) stating that their ex-employee had filed for unemployment on the grounds that his employer had not provided sufficient reason for his termination. Needless to say, this was a surprise to everyone at the firm, and on the whole it appeared to be an open-and-shut case. The ex-employee had spent a large part of his tenure with the company surfing the net, neglecting his daily tasks, and chatting with his friends over instant messenger. This employee was now claiming he had been unfairly terminated and was seeking to collect unemployment payments. Unemployment is a safety net to help those who are unexpectedly laid off or are truly terminated for the wrong reasons. His former employers felt that in this instance the former employee was taking advantage of the system, imposing unfair costs on the taxpayers of Maryland as well as on their company. The employers appealed his unemployment claim and a hearing date was set to argue the case.
JRD used its extensive computer forensic and electronic data discovery experience to help the company collect and present the computer evidence against the former employee for the appeals hearing. Almost everything the company presented during the hearing was information pulled from the former employee's work laptop. The following paragraphs outline the process we went through to help the company prepare.

JRD was fortunate enough to have worked with the company previously to establish solid Acceptable Use Policies (AUPs) and technical employee termination procedures. When the employee was terminated, his access to company files, records, and equipment was removed. During the morning of his termination, all items that belonged to the company were collected while the employee was in his exit interview. This included all work-related files, manuals, the company laptop, and all external hard drives in his possession. By following this procedure the company protected both itself and the employee by denying him an opportunity to alter any data upon discovering that he was being fired. This also prevented the employee from deleting or altering anything on his company computer that would be considered evidence or could point to his misconduct. Another important step the company executed was to lock the employee out of all network services prior to termination. By taking these basic steps the company assured itself that the materials on the former employee's computer were accurate up to his last work day.

While the company did not expect to be involved in litigation with the terminated employee, it followed the prudent policy of making a forensic duplication of every terminated employee's work computer. Once the laptop was collected, the company's HR department contacted JRD and requested that a forensic duplication of the hard drive be made per their termination procedures.
As a general procedure, JRD typically creates forensic images in either the DD (raw) or Guidance Software EnCase (.E01) format. The format is usually selected based on the client company's preference. In this case we used a bootable Linux CD containing the Guidance Software LinEn forensic duplication utility to collect the forensic image of the former employee's laptop hard drive. The final forensic image was placed in an evidence bag and sealed for safekeeping.

The company's policy of making a forensic image of a former employee's computer when he or she leaves or is terminated, because it may be needed later in a legal or administrative dispute, paid off tenfold in this instance. The cost of making a forensic duplication of a terminated employee's hard disk is insignificant when compared to the cost of a potential Employment Practices Liability (EPL) lawsuit. Based on the 2006 D&O Survey prepared by Towers Perrin, 61.3% of the claims brought against surveyed companies were employment related. Following is a highlight of the major types of employment claims:
The 2006 Jury Verdict Research Report provides the following median settlements for employment practices claims:
When you consider that these figures do not include legal defense costs, making a forensic duplication of a hard disk seems like an awfully good idea.

When the company contacted JRD about the upcoming unemployment hearing, we simply pulled the forensic duplication of the former employee's hard drive from our evidence storage and made a working copy for forensic analysis. We created a working copy so as not to tamper with the original evidence. We could then search the former employee's computer for documents, Internet habits, and emails exactly as they were on the day of his termination.

The first set of files we extracted from the former employee's hard drive was his old email. We extracted all of the email from both his Microsoft Outlook "Inbox" and "Sent Items" folders from the last week of his employment. To no one's surprise, most of the emails we reviewed had nothing to do with business. We then produced two print copies of the relevant emails and marked them as evidence for the upcoming hearing. Needless to say, we found some very convincing evidence that the company did not terminate the employee without cause.

Our next step was to pull the former employee's Internet history from the multiple web browsers installed on his computer. There are many tools that make viewing a web browser's history very easy; in this case JRD used two. The first, Web Historian, is freely available on the Internet, and portions of it were based on the Pasco tool written by JRD's own Keith Jones. We used it to pull the history from the former employee's Opera web browser: it extracts data from the browser's "history.dat" file and outputs it as a Microsoft Excel spreadsheet, which is very easy to read. The second tool, "Dork 0.0", we used to examine the Mozilla Firefox web browser history. It also outputs its results as a spreadsheet.
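The acquisition and working-copy steps described above (imaging the drive, sealing the image, and analysing only a copy), as an added Python example that is not JRD's code and not a feature of LinEn or EnCase: it writes a raw DD-style image, records a SHA-256 at acquisition, makes a working copy and proves the copy identical before any analysis tool touches it, and shows the same check failing once a single byte of the copy is altered. The pseudo-disk, the case id and the examiner name are constructed placeholders.

```python
"""Acquire a raw (DD-style) image, log its hash, and verify a working copy against it."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # 1 MiB read size: affects memory use only, never the digest


def sha256_file(path):
    """Hash a file block by block so an image far larger than RAM can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path, case_id, examiner):
    """Copy the source (a block device, or here a constructed file) bit for bit into
    a raw image, hashing the bytes as they are read. The returned record is the
    acquisition log entry: hash, size, who, when. Every later check (working copies,
    re-verification before a hearing) is made against this record."""
    h = hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    os.chmod(image_path, 0o444)  # the sealed image is never opened for writing again
    return {
        "case_id": case_id,
        "examiner": examiner,
        "image": image_path,
        "bytes": size,
        "sha256": h.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def make_working_copy(record, copy_path):
    """Duplicate the sealed image for analysis and prove the duplicate is exact
    before any tool touches it. True only if the copy hashes to the recorded value."""
    shutil.copyfile(record["image"], copy_path)
    return sha256_file(copy_path) == record["sha256"]


def verify_against_record(record, path):
    """Re-hash any file (the sealed image or a working copy) against the record."""
    return sha256_file(path) == record["sha256"]


def demo():
    """Constructed input: 3 MiB plus a partial block of random bytes standing in for
    the laptop drive. Returns (copy verified, copy verified after a one-byte edit,
    sealed image verified)."""
    work = tempfile.mkdtemp()
    try:
        disk = os.path.join(work, "laptop_disk.bin")
        with open(disk, "wb") as f:
            f.write(os.urandom(3 * BLOCK + 12345))
        record = acquire_image(disk, os.path.join(work, "laptop.dd"),
                               "CASE-ID-PLACEHOLDER", "examiner-name-placeholder")
        copy = os.path.join(work, "laptop_working.dd")
        copy_ok = make_working_copy(record, copy)
        # Flip one byte of the working copy, as a careless tool might; the record
        # still lets the analyst prove which bytes were acquired on termination day.
        with open(copy, "r+b") as f:
            f.seek(100)
            original = f.read(1)[0]
            f.seek(100)
            f.write(bytes([original ^ 0xFF]))
        tampered_ok = verify_against_record(record, copy)
        sealed_ok = verify_against_record(record, record["image"])
        return copy_ok, tampered_ok, sealed_ok
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The hash in the record is what an examiner reads out at a hearing; keeping it in a log entry alongside examiner and time, rather than only in a filename, is what makes the sealed image and the working copy independently checkable years later.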
Collecting the ex-employee's emails and browser history was a simple task that took less than two hours and armed the company with all the evidence it needed for the unemployment hearing. Both tools we used are available to anyone on the Internet and are easy to use. Since all evidence at the unemployment hearing was required to be in print form, we generated a giant pile of emails and spreadsheets that amounted to an evidence folder the size of a small phone book. We had more than enough evidence to support the company's reasons for terminating the employee, but now we had to prepare this huge pile of paper in a coherent and presentable manner.

Working with the company's HR department, we developed a plan to walk the examiner through the company's reasons for termination, citing specific evidence. We created an evidence summary outline that gave a general explanation of each piece of evidence and why it was relevant. All of the evidence was placed into a large binder, with each piece separated by a tab for ease of reference. In the end, we had helped the company and its HR department create a narrative of the events that led up to the termination of their former employee, with the supporting evidence arranged in a way that was very easy to follow. A secondary benefit of assembling the evidence in this manner was that it allowed the company's HR representative to explain everything to the examiner easily, even though she had not been involved in the technical evidence collection or forensic analysis.

On the day of the unemployment hearing the HR representative was able to explain everything very clearly to the examiner. Along with a few witnesses, the evidence JRD collected for the company made for an open-and-shut case. It usually takes four to six weeks to receive a judgment from the State of Maryland DLLR; the company received a judgment in its favor within 3 business days.
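The history-to-spreadsheet step that Web Historian and Dork performed for the Opera and Firefox browsers, as an added Python example that is not the page's own tooling: it reads the places.sqlite database that current Firefox keeps its history in (the tools in the post handled the history files of 2008-era browsers, so the SQLite layout is a generalisation beyond what the post describes), converts Firefox's microsecond timestamps to UTC, writes the rows as CSV for the evidence binder, and totals visits per host so the HR narrative can point at one summary line backed by the detailed rows. The sample database is constructed inline with only the columns the query reads; the URLs and visit times are invented.

```python
"""Export Firefox browsing history from places.sqlite to spreadsheet-ready CSV."""
import csv
import io
import os
import shutil
import sqlite3
import tempfile
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# moz_historyvisits holds one row per visit; moz_places holds the URL and title.
HISTORY_SQL = """
SELECT v.visit_date, p.url, p.title, p.visit_count
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
ORDER BY v.visit_date DESC
"""


def firefox_history(db_path):
    """Return (visited_utc, url, title, visit_count) rows, newest first.
    Firefox stores visit_date as microseconds since the Unix epoch. The database
    is opened read-only: the analyst's copy must not be altered by the analysis."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute(HISTORY_SQL).fetchall()
    finally:
        con.close()
    out = []
    for visit_date, url, title, visit_count in rows:
        when = datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc)
        out.append((when.isoformat(timespec="seconds"), url, title or "", visit_count))
    return out


def history_to_csv(rows):
    """Render the rows as CSV text, the spreadsheet form printed for the binder."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["visited_utc", "url", "title", "visit_count"])
    writer.writerows(rows)
    return buf.getvalue()


def visits_per_host(rows):
    """Count visits by host: the one-line summary that the detailed rows back up."""
    return Counter(urlparse(url).hostname for _, url, _, _ in rows)


def _micros(year, month, day, hour, minute):
    """Microseconds since the epoch for a UTC wall-clock time (constructed data only)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp()) * 1_000_000


def build_sample_db(db_path):
    """Constructed sample with just the tables and columns the query needs; a real
    places.sqlite carries many more columns, which the query does not touch."""
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", [
        (1, "http://www.example.com/sushi-recipe", "Sushi recipe", 1),
        (2, "http://www.myspace.com/home", "Home", 2),
        (3, "http://intranet.example.com/timesheet", "Timesheet", 1),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", [
        (1, 1, _micros(2008, 1, 14, 9, 15), 1),
        (2, 2, _micros(2008, 1, 14, 9, 20), 1),
        (3, 2, _micros(2008, 1, 14, 9, 40), 1),
        (4, 3, _micros(2008, 1, 14, 17, 55), 1),
    ])
    con.commit()
    con.close()


def demo():
    """Build the constructed database and return (rows, csv text, visits per host)."""
    work = tempfile.mkdtemp()
    try:
        db = os.path.join(work, "places.sqlite")
        build_sample_db(db)
        rows = firefox_history(db)
        return rows, history_to_csv(rows), visits_per_host(rows)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    rows, text, hosts = demo()
    print(text)
    print(dict(hosts))
```

Run it against a places.sqlite copied out of the working image (never the live profile, whose database may be locked or mid-write) and the CSV opens directly in a spreadsheet; the per-host totals are the figures an HR representative can quote without reading every row.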
In conclusion, the company did several things that led to a successful outcome in a potentially damaging unemployment case: