Attorney Investigators
Attorney Investigators
Attorney Investigators

Leveraging Today’s Technology for Evidence-Gathering, Part 1: Evidence Under the Employer’s Control

In our increasingly digital world, much of the evidence in workplace investigations consists of online communications, electronic records, and internet activity. Beyond low-hanging fruit like company emails, most employers have access to less obvious forms of digital evidence that savvy practitioners should consider.

Part 1 of this two-part series aims to aid practitioners in identifying and collecting such digital evidence under the employer’s control. Part 2 will address how to detect and collect electronic evidence that an employee may possess.

Category #1: Employee Internet Activity on Company Devices

Reviewing internet activity may be an obvious first step in time theft cases or wage and hour disputes, but it can offer insight in other types of cases as well. For example:

  • Frequented websites could show that an employee accessed pornography sites during work hours or on company devices, that an alleged harasser visited chat forums where harassment or cyberbullying occurred, or that an employee who allegedly stole trade secrets was searching for new job opportunities at competitor companies.
  • Articles, blogs, instructional videos, or subscriptions in employees’ internet history could help an investigator identify who created a deepfake of a colleague circulating in the workplace, if the perpetrator recently read an article or watched a YouTube video on how to create deepfakes, or subscribed to similar pornographic content.

Because the nature of the online activity and when it occurred can raise legal implications, practitioners should take the following precautions:

  • Consult applicable labor and privacy laws to evaluate any risks or requirements in monitoring employee internet activity. The legal landscape surrounding employee monitoring is continually evolving, making it essential for practitioners to stay informed of associated risks and nuances in their jurisdiction.1
  • Review the employer’s policies regarding employee internet usage and the employee’s expectation of privacy on company devices. In the absence of a clear policy, employees may argue they had a reasonable expectation of privacy in their personal activity and material stored on company devices, particularly if that activity occurred outside work hours and did not relate to work.2 Even if the employer does have a clear policy, some courts have pondered “the extent to which an employer may reach into an employee’s private life or confidential records through an employment rule or regulation.”3
  • Exercise caution if the employee appears to have been using the internet to engage in protected activity, such as reporting harassment, discrimination, or safety violations. Be sure to handle this material in a way that avoids the appearance of retaliation by the employer.
  • Check to see if the employee is part of a union, and if so, whether their collective bargaining agreement imposes additional protections or restrictions when it comes to internet usage and employee monitoring.
  • Regardless of whether the employee is part of a union, proceed with caution if it appears the employee was using the internet to engage in protected concerted activity4 under the National Labor Relations Act (NLRA). The National Labor Relations Board (NLRB) has said that employees have the right to address work-related issues through social media, which can constitute a form of protected concerted activity. Any perception that an employer tried to intimidate or threaten employees for using social media for this purpose could result in an Unfair Labor Practice (ULP) charge.

Category #2: Instant Messages on Company Software/Hardware

While many investigators are quick to search company emails, they should not neglect searching company-sponsored chat programs like Microsoft Teams, Slack, and Google Chat. Even less obviously, in some situations, an employee’s personal communications may be readily available on company devices.

For example, personal text messages may be viewable if the employee synched personal devices to company devices or used personal instant messaging accounts on company property. Employees can also inadvertently create a complete backup of their personal phone to their company computer (including videos and images). For example, an employee may plug their phone into the computer to charge it, then hastily click “OK” on a prompt that offers to sync devices, not realizing this will copy the phone's entire contents.

Practitioners should consider the following steps when looking for messages:

  • First, review any messages directly stored on the employee’s company devices. Check the company’s internal chat platforms, then also look for any personal messages or applications on the device. For instance, the employee may have downloaded iMessage or WhatsApp to their work phone or computer, then logged into these applications via their personal accounts.
  • If it appears that the employee deleted messages, check the employee’s “Deleted” or “Trash” folders on the application. For example, on an iPhone, messages deleted within the last 30 days are usually recoverable in the iMessage application by selecting “Edit” in the top-left corner, then tapping “Show Recently Deleted.”5
  • Check retention settings and permissions for company-owned messaging applications. For example, on Slack, certain settings may allow workspace administrators to access deleted or edited messages.6
  • If important messages are still unrecoverable, consider engaging a forensic expert. However, it’s best to review other forms of evidence first in case they yield the same information in a different form.

If practitioners do obtain an employee’s personal messages, they should remain aware of applicable labor and privacy laws, as noted in the prior section.

Category #3: Security Camera Footage and Audio Recordings

An employer’s security camera footage and audio recordings also can provide valuable evidence pertaining to an employee’s whereabouts or alleged activity. Alleged misconduct on TV and film sets may also be captured by cameras and microphones still running between takes, or on B-reel (secondary) footage. Here are some helpful tips, if an employer possesses such evidence:

  • Ensure the employer acts quickly in obtaining this footage. Many systems record over existing recordings after a certain amount of time has passed.
  • Review applicable state laws regarding invasion of privacy and nonconsensual recordings. For example, in California, employers may take video recordings of common areas but not areas where there is an expectation of privacy, like restrooms. Also, audio recordings of communications intended to be confidential require prior consent.7 If the employer failed to comply with these requirements, it may not want to rely on such evidence in an investigation, as that could potentially expose the company to liability.
  • Bonus: Assess whether third parties have relevant security camera footage or audio recordings. For example, if alleged harassment or violence occurred as employees were departing a company event, a shop next to the event venue may have footage of the incident. While gathering such evidence from third parties poses additional hurdles, practitioners should act quickly to request such evidence where it may be truly necessary or probative for the investigation.

Category #4: Time Punches, Badge Data, and Login Records

Time punches, badge data, and computer login times may be useful outside the usual context of wage and hour disputes, such as when a person’s location or credibility is at issue. For example, if one employee alleges that another employee engaged in misconduct at a specific event, badge data could show that employee was not even on company premises that day. Some companies keep records showing not only when an employee logged into their computer for the day, but also where that connection occurred.

As another example, impermissible edits to time punches could reveal that an employee was lying about their working hours, or if they manipulated another employee’s data, it could reveal they were trying to assist or sabotage that person in some capacity.

Category #5: Documents or Data Taken Before Departing the Company

Technology evidence is particularly critical in cases involving suspected employee theft of confidential information, trade secrets, or other company data. While the stolen information itself is often in the employee’s possession, technology evidence in the employer’s control may provide sufficient circumstantial evidence to establish that the theft occurred. Here are some key steps to take when evaluating potential data theft:

  • Search the employee’s email account for anything forwarded to the employee’s outside personal email address. Many employers also have security firewalls to detect this type of activity.
  • Review whether the employee engaged with the protected information. Check any cloud storage, shared platforms, or collaboration tools that the employer uses to update and store company work product (e.g., Slack, iManage, DropBox, Google Drive),8 which typically reveal if someone downloaded, revised, or viewed the documents or data on the server.
  • Identify whether the employee recently plugged in a USB drive or downloaded information from their company device to a personal device. If the plug-in occurred around the same time that the employee downloaded or viewed the protected information at issue, this could further support that the employee was trying to steal the protected material.
  • Check to see if the employee’s work assignments required access to the protected information. Such evidence can help demonstrate that the employee had no justifiable reason to have engaged with those documents or data at that point in time.
  • Evaluate whether any other suspicious activity occurred around this time. For example, perhaps the employee was contacting competitor companies around the same time that the employee viewed the protected information. Think of the less obvious ways that the protected information could have been shared, such as using Zoom’s “screen share” function to show the competitor the documents containing trade secrets. On that note, consider checking Zoom meeting invitations for unrecognized or unexpected attendees, including email addresses ending in competitors’ domain names.

Other Types of Data to Consider

Depending on the nature of the company, employers may have access to other, atypical forms of evidence regarding their employees’ digital footprints. For example, GPS data or dash cameras on company vehicles, or keystroke data on company computers, could provide useful information about an employee’s whereabouts when certain events occurred or their activities during work hours. Personal applications downloaded or synched to company devices, such as fitness trackers, health apps, and social media apps, also may provide relevant insights in certain cases.9

Conclusion

Part 1 in a nutshell: Think creatively about what types of digital evidence the employer may possess. When collecting this evidence, remain aware of potential privacy, retaliation, and labor law concerns, especially if utilizing recordings or communications that could constitute protected activity.

Next time, in Part 2 of this series, we will provide tips for collecting technology evidence typically found in the possession of employees.

Footnotes

  1. For instance, in January 2022, California introduced a bill (AB 1651) that intended to impose various restrictions limiting employers’ use of monitoring technologies in the workplace. Although AB 1651 did not pass, practitioners should stay vigilant for similar pending legislation, and for new interpretations of existing laws. For example, California Labor Code Section 980 prohibits employers from requesting or requiring an employee to “divulge any personal social media,” unless the social media is reasonably believed to be relevant to investigating an employee’s misconduct. On its face, this provision appears to address employers compelling employees to disclose their social media accounts, rather than employers reviewing employees’ voluntary use of social media on company systems. Nonetheless, practitioners should monitor how courts interpret provisions like this one.
  2. In California, courts generally have held that employees do not have a reasonable expectation of privacy in personal emails on company devices, particularly when clear employer policies are in place. See Holmes v. Petrovich Dev. Co., 191 Cal. App. 4th 1047, 1069 (2011) (employee did not have a reasonable expectation of privacy in personal emails sent to an attorney from a company computer “because she was warned that the company would monitor e-mail” and “told that she had no expectation of privacy in any messages she sent via the company computer”). However, other jurisdictions have recognized circumstances where employees do have a reasonable expectation of privacy for such communications. See, e.g., Stengart v. Loving Care Agency, Inc., 408 N.J. Super. 54 (2010) (finding the employee had a reasonable expectation of privacy in personal emails sent to an attorney from a company computer, noting that the employer policy was ambiguous and lacked an explicit monitoring warning).
  3. See, e.g., Stengart, 408 N.J. Super. at 72. In Stengart, the court concluded that “the extent to which an employer may reach into an employee's private life or confidential records through an employment rule or regulation . . . may be a subject best left for the Legislature.” However, considering the facts of the case at hand, the court found, “A policy imposed by an employer, purporting to transform all private communications into company property — merely because the company owned the computer used to make private communications or used to access such private information during work hours — furthers no legitimate business interest.” The court held that an employer can monitor and discipline an employee for personal online activity during working hours, but the employer does not have an unfettered right to view and retain the employee’s personal communications.
  4. See the “Social Media” page of the NLRB’s website.
  5. See Apple’s “iPhone User Guide” for specific details.
  6. For instance, on Slack, employers who purchased the “Enterprise Grid plan” can access a setting that will “keep all messages and track message edits and deletions.” Slack’s free plan has a similar setting, but it will only retain the messages, edits, and deletions for 90 days. See Slack’s Help Center for additional information on customizing data retention.
  7. See California Labor Code Section 435 and California Penal Code Section 632(a).
  8. Given that the employee could have taken photos of the protected information, as opposed to actually transferring it to another device, evidence that the employee was merely “viewing” the protected information (rather than downloading it) can have relevance.
  9. While this type of information is usually in the employee’s possession (as discussed in Part 2), sometimes they also are accessible via company property, depending on the employee’s synchronization settings.