Haste Does Not Necessarily Make Waste: Rapid Response Forensics

An Example of Rapid Response Forensics from HaystackID

Corporate intellectual property and trade secrets are the lifeblood of successful businesses, especially in crowded and competitive marketplaces. While the recent uptick in corporate hacks and agency leaks has prompted organizations to re-evaluate and tighten their information governance systems and policies, vulnerabilities remain and can be exploited by disgruntled current or recently departed employees who have access to sensitive information.

Frequently, where there’s smoke, there’s fire, and time is of the essence when identifying, containing, and remediating such threats. The potential exposure, both in real dollar terms and optically within the marketplace, is significant, and the harm caused by IP loss can erase what took organizations years to develop.

HaystackID is widely recognized for its expertise in digital forensics and support of internal (or external) investigations regarding the potential theft or removal of corporate IP assets.

A recent case highlights the speed and depth with which HaystackID can respond to emergency situations, dousing the flames before they become a damaging inferno.

Background

HaystackID’s client, one of the largest providers of waste services to the North American healthcare sector, provides bio-waste management and disposal solutions across more than 20 operation sites in the U.S., and even more globally. Of primary concern to them is the protection of their IP surrounding their innovative approach to sharps management.

Prior to the introduction of their solutions, medical, pharmaceutical, and chemotherapy waste was routinely burned in hospital incinerators, causing not only harmful environmental impacts but also often leaving dangerous sharps intact when the disposable sharps container was not fully destroyed.

The client’s staff includes several senior business development and sales executives organized regionally around the country. Each of these senior team members had access to contract files, pricing, R&D / Engineering reporting, financial information, and future planning in support of their pursuit of new business for the organization.

It competes in a market where sales cycles are long, revenue values are high, and contract terms last several years. Notably, each pending contract opportunity represents millions of dollars in potential revenues for the company.

HaystackID was contacted by a member of the organization’s C-Suite on the strong recommendation of their outside counsel, which had enjoyed a fruitful and successful history with HaystackID. During the litigation support provider’s initial consultation, consultants and forensic examiners probed the client as to why they suspected there may be an issue and what sorts of controls were in place institutionally to provide visibility into the possible risks.

The client explained that only the day before they had uncovered reason to believe that two of their regional vice presidents for business development were planning to leave the organization. The company was concerned that this appeared to be cooperative action between the two employees, both of whom had major contracts pending. They estimated the potential exposure to the company to be $10 million.

HaystackID’s forensic team immediately engaged that afternoon, securing business systems, CRM and ERP systems, network shares, and email repositories for preservation and analysis. Forensic analysis the following day of email communication between the two individuals in question during the target timeframe suggested that the organization’s fears were well-founded, but provided no definitive evidence of collusion or attempted theft of any trade secrets. Moreover, in-house counsel confirmed that neither employee’s employment agreement included a restrictive covenant, leaving them free and clear to move to a competitor if they so chose. HaystackID would need to dig deeper.

Importantly, the client had not fully deployed a mobile device management solution that would allow them to examine smartphone activity at the server. Neither employee would willingly part with their client-owned phones.

As a result, HaystackID suggested a bit of subterfuge.

Solution

Management arranged for a meeting at their U.S. headquarters for all of their regional vice presidents under the pretext of planning for the roll-out of new solutions at the beginning of the following year.

Plane tickets were purchased, hotel rooms were booked, and the sales team gathered at headquarters at the beginning of the following week with instructions that their phones were to be left with IT for an upgrade to newer models. Client IT kept HaystackID apprised of the meeting schedule. Once the meeting began, HaystackID arrived at the location and immediately created forensic images of both phones while the two custodians were in the meeting, none the wiser.

Once the devices were collected, HaystackID immediately began examining the smartphones in a forensically sound fashion, working to identify any smoking gun possible, and leveraging its proprietary mobile phone tools to get the job done quickly and seamlessly. The results were staggering.

The Outcome

Examination of the smartphone data, and the SMS texts in particular, revealed that the two employees were indeed working in concert with one another and had been discussing current and future plans through text messages. Furthermore, it became clear that they were actively working to re-direct pending contracts to their newly formed organization that would compete with their former employer.

They had not only already set up shop, but had gone so far as to settle on a logo and design. Most importantly, deeper examination of the smartphones and laptops showed the client’s IP was re-branded and re-packaged as a competing product under the new entity.

This project showcased HaystackID’s speed and breadth of expertise in digital forensics. Rather than embarking on a longer and likely more costly eDiscovery review of the material HaystackID collected, the forensics team was able to ferret out the most impactful information through analysis and reporting, saving the client thousands of dollars in spend and protecting several million dollars’ worth of projected revenue.

The path from initial consultation to locating the damning evidence took less than one week, enabling the client to immediately secure a Temporary Restraining Order (TRO) to stem the bleeding and pursue further action against these two individuals.

About HaystackID

HaystackID is a specialized eDiscovery services firm that helps corporations and law firms find, listen, and learn from data when they face complex, data-intensive investigations and litigation. With an earned reputation for mobilizing industry-leading computer forensics, eDiscovery, and attorney document review experts, HaystackID’s Forensics First, Early Case Insight, and ReviewRight services accelerate and deliver quality outcomes at a fair and predictable price.

Serving more than 500 of the world’s leading corporations and law firms from North American and European locations, HaystackID’s combination of expertise and technical excellence coupled with a culture of white glove customer service makes it the alternative legal services provider that is big enough to matter but small enough to care. Learn more about HaystackID at HaystackID.com.