Two years ago this month, a man named Homayoun Ghassemi—who goes by the shorter nickname, Holmes—resigned as director of hockey marketing at sporting goods company Easton Sports. The same day, Ghassemi accepted a job at Warrior Lacrosse, owned by the Boston-based sneaker company New Balance. Warrior was clearly planning to face off with Easton by purchasing Innovative Hockey, another vendor in the hockey stick business. Eight days after he resigned, Ghassemi gathered his stuff, met with Easton execs once more and then left for good. But his computer stayed behind, and, in a sense, this meant that Holmes Ghassemi—some past, digital version of him anyway—remained at Easton. A Shadow Holmes of sorts. The company was free to continue its exit interview with Ghassemi, in the form of a forensics investigation of his computer. This digital ghost, this Shadow Holmes, told Easton extraordinary things—that, for example, a month before he resigned, Ghassemi had forwarded a "Hockey Business Model" to Warrior from his Yahoo e-mail. The model included a projection that he could make the hockey unit a $50 million business in five years. Shadow Holmes told Easton that he had forwarded Easton files to his personal Yahoo account in the month leading up to his resignation, and that he accessed about 200 files on his office computer the day before he resigned, and dozens more on the day he left for good.

The digital Shadow Holmes told Easton enough for the company's lawyers to inform Warrior's lawyers that Ghassemi was suspected of stealing trade secrets. Warrior said it would investigate and immediately amended Ghassemi's employment offer to say he shouldn't bring anything from Easton. In a subsequent letter Warrior denied that Ghassemi "retained any documents from Easton." Easton replied with a screen shot of Ghassemi's old computer showing Ghassemi's file access on that Sunday before he resigned.
Warrior lawyers wanted to be sure, so they asked Ghassemi directly if he'd taken confidential information from Easton. Ghassemi said no and submitted affidavits reaffirming the denial. Easton nevertheless filed suit in U.S. District Court, charging Warrior with conducting a "campaign of industrial espionage, stealing Easton's trade secrets and raiding its employees." The complaint accuses Ghassemi of secretly brokering Innovative Hockey's sale to Warrior when Ghassemi knew that Easton was also pursuing Innovative. It accuses him of "soliciting" other Easton employees (some successfully) to work for Warrior. And it accuses him of forwarding documents containing Easton trade secrets to his Yahoo e-mail.

What at first seemed like humdrum career advancement and corporate competition has since morphed into a cautionary tale. Easton v. Warrior Lacrosse remains unresolved, but already it has become a textbook case for CSOs to learn how to handle employees coming from and going to competitors, the vicissitudes of maintaining trade secrets in an age of hyperportable technology and public e-mail, and the ramifications of not preparing for the eventuality of a trade secret dispute.

The day after Easton sued, as Easton asked a judge for permission to inspect Warrior computers, Ghassemi canceled his Yahoo account, effectively destroying it. Twice more in the next six months, Ghassemi would deny wrongdoing, once under oath during his deposition. But Easton forensics investigations produced two startling discoveries: Ghassemi's computer at his new company had "experienced" a CD that contained six Easton file names and "appeared" to have been created on the Saturday before Ghassemi resigned from Easton. Also, two more Easton file names, traceable to the extinct Yahoo account, were found on his Warrior hard drive. Easton filed a motion requesting sanctions when it discovered that Ghassemi had scotched the Yahoo account.
In his ruling on the motion, from which all of the above findings of fact are taken, Judge Donald A. Scheer calls Ghassemi's denials of leaving Easton with confidential information "false." He calls Ghassemi's inability to recall certain events "to say the least, incredible." And finally, he writes: "No innocent explanation for Ghassemi's destruction of his Yahoo account has been presented. Nor has he explained the fact that data from a CD he admitted making but denied taking from Easton was found on his Warrior computer. There is definite evidence that Easton information was transmitted to a Warrior computer both from that CD and from Ghassemi's Yahoo account. Ghassemi unquestionably knew that, and a case can be made that Warrior should have done more to detect and preserve the relevant data under Ghassemi's control."

It was, the judge ruled, spoliation of evidence. He stopped just short of entering a default judgment Easton had sought (which would amount to a ruling in favor of the plaintiff without a trial) but still imposed a serious sanction, an adverse inference instruction. That means that when the case goes to trial, Easton can tell the jury that evidence was destroyed, and the jury will be instructed that it may presume that the destroyed evidence would have helped Easton's case. "It's like the gap in the Watergate tapes," says Philip Gordon, an attorney who specializes in workplace privacy and trade secrets litigation with the firm Littler Mendelson. "Ask 99.9 percent of people and they assume that what was destroyed was bad for Nixon. This is the same thing. It's almost a silver bullet for the plaintiff. It's a very significant sanction."

One of the most notable cases involving spoliation of evidence is a gender discrimination case, Zubulake v. UBS Warburg, in which some e-mails that should have been preserved as evidence were destroyed. The jury was given an adverse inference instruction.
The plaintiff, Laura Zubulake, was eventually awarded an unprecedented $24.7 million. Says Michele Lange, a staff attorney with forensics firm Kroll OnTrak, "Certainly adverse inference played a major role for the jurors in that outcome."

CSOs play a central role in preventing trade secret leaks. But given technology like anonymous e-mail boxes and USB keys, it's getting far more difficult to prevent information leakage. So CSOs must also learn to anticipate situations where trade secrets are at risk, and lead when it comes time to manage an incident. Here are 11 lessons for how to prepare for trade secret misappropriation and avoid messy situations like the one Warrior (which, it's important to remember, is innocent until proven guilty) finds itself in.

1. Create mirror images of hard drives. The security team, working with IT, should always replicate a departing employee's disk drive the day that person leaves for a competitive company. "When we give advice to clients," says Lange, "this is absolutely number one on the list." For large companies that may have hundreds of employees coming and going daily, Lange suggests that the security team identify the riskiest departures, usually those with high levels of access to trade secrets and those who are known to be leaving for a competitor, and target those individuals for priority hard disk imaging. Imaging is important for the defense in a trade secrets case too. Once Easton notified Warrior of its suspicions, the security team at Warrior should have immediately created a mirror image of Ghassemi's drive (whether or not they did is unclear). After all, the judge himself said in his ruling on the motion: "Warrior should have done more to detect and preserve the relevant data under Ghassemi's control."

2. Don't poke around. This is the first of two cardinal sins companies should not commit.
The emotional impulse of someone who feels violated is to immediately start rifling through the suspect's computer looking for the smoking gun. Don't. Think of the computer as a crime scene. Just as you wouldn't go around picking up bullet shells or putting your fingerprints on weapons found at the scene, you don't want to start accessing files, plowing through e-mails or otherwise tainting the evidence. The more you do, the more the defense can argue that the evidence is highly unreliable, even tampered with. Once again, this advice applies to the CSO of the company receiving the employee too. Ghassemi's canceling his Yahoo account was, in effect, a severe form of poking around.

3. Don't redeploy too quickly. You don't want to eliminate the scene of the crime, either. Lange says viable trade secret cases are rendered moot when a suspect's machine has its drive wiped clean and is redeployed for a new hire. Especially for computers of high-risk employees, IT's inventory efficiency must take a back seat to preserving evidence. "The security officer needs to guard that computer and disk image like Fort Knox," Lange says.

4. Add arriving employee protocols. As part of accepting a job, have employees arriving from a competitor sign a statement affirming they've brought no sensitive documents with them, making sure to include a laundry list of the types of documents and form factors that are verboten. (Work with counsel on this.) Warrior tried to add something like this to Ghassemi's employment offer after Easton contacted them. Too late. Had it been part of the agreement from the beginning, the company would have had an easier time making the argument it eventually did to the judge. The judge noted that while the defendants essentially conceded that Ghassemi's actions support an inference of bad faith, they argued that "the conduct...was not solicited by them and should not expose them to sanctions." But the judge didn't buy their argument.
His ruling against Warrior in the motion: "At least negligence."

5. Add departing employee protocols. Likewise, when an employee announces he's leaving for a competitor, have a piece of paper ready that shows him what he can and can't take off his computer. Include a statement that images of hard drives are taken as standard operating procedure. If necessary, have a security staffer sit with the person as he collects his personal files, such as pictures of the kids. This will help protect against one of the most common defenses offered by the accused: "I didn't know it was a trade secret." Chaperoning, or at least providing a list, specifies what is a trade secret.

6. Prepare an incident instruction memo. For a company like Warrior on the receiving end of a trade secrets misappropriation accusation, a quick response is crucial to protect itself from ending up dealing with spoliation motions. CSOs should prepare a form letter or e-mail that's sent to relevant employees immediately upon accusation. The message of the letter is: You have an obligation to preserve evidence, no matter how bad you may think it makes you or us look. Legal precedent establishes that manipulation of evidence is far worse (see "You Can't Fool the Ref"). Don't destroy anything. Specifically, instruct the employee with the following:

Do not delete any files from your work computer.
Do not transfer any files off your work computer to other computers or devices.
Do not throw away or destroy storage media such as CDs or USB keys.
Do not install or use hard drive wiping products like Evidence Eliminator.
Do not delete personal e-mail accounts or anything in them.

It is crucial to expressly mention third-party sources such as Yahoo accounts and home computers as requiring preservation, says Phil Gordon.

7. Understand modern methods of trade secret misappropriation and build defenses against their abuse. CD burning. USB keys.
Public e-mail accounts and ubiquitous network access make keeping secrets harder than ever. "It's much easier to misappropriate trade secrets now," says Gordon. "It used to be you had to walk out with a big box of documents. Now you have a 2-gig thumb drive and no one knows." Lange concurs and, having seen enough cases involving trade secrets being spirited away on tiny dongles, she suggests CSOs consider disabling CD burners and USB drives on computers. Just prepare for a revolt by iPod users.

8. Make sure employees understand that on computers, delete doesn't actually mean delete. To be sure, CSOs have lost an edge in preventing trade secret misappropriation because of technology. But they've gained something too. Technology leaves behind more fingerprints than paper. What many fail to fully appreciate is that everything they do on a computer leaves behind some bread crumb that a skilled forensics investigator will find. "It's a huge eye-opening experience," says Lange of employees being confronted with electronic evidence they thought they had deleted or successfully obfuscated. "We're frequently asked to put together a timetable [of events or employee actions], and I think it frightens people sometimes how much we can put together through forensics." A good rule of thumb for employees to understand is that there's no such thing as "delete." Programs that promise to truly delete or eliminate digital files are not perfect either, and in fact, evidence of their presence or use often has a negative effect, making the employee appear as if he has something to hide.

9. Bone up on trade secret misappropriation law. Someone accusing your company of trade secret misappropriation must prove two things. First, he has to prove that what was taken is a trade secret. Second, he must prove that it was taken. "That can be more difficult than you think," says Gordon.
On the first point, the defense will often argue that if something is easily observable or reverse-engineered, it's not really a trade secret. Yes, the employee might have taken that schematic from his old computer, but "it's a hockey stick. I could go buy one and get the same information," says Gordon. On the second point, proving someone took something electronically often relies on cobbling together one of those forensic time lines Lange was talking about. But often that's essentially a string of circumstantial evidence. In Ghassemi's case, in which the plaintiff had quite a bit of information, Easton still could prove only that Ghassemi's computer "experienced" a CD that "appeared" to be created before he left Easton. No evidence exists to prove who made the CD, where or whether files on the CD were even opened on Ghassemi's Warrior computer, never mind if anyone viewed them. In other words, Warrior would be in a much better position defending itself against trade secret misappropriation if there were no spoliation of evidence, no adverse inference instruction. That's why the points on imaging hard drives and communicating the obligation to preserve evidence are crucial.

10. Create a litigation response team. The idea behind a litigation response team, Lange says, is to have a single response to an accusation rather than distinct reactions from different offices. "We see a lot of mistakes when one department goes down its own path without anyone knowing," Lange says. The team should be able to assemble quickly and should include CSO, counsel, HR, a forensics expert, IT and a representative of the company's ISP.

11. Be ethical, no matter what. A trade secret misappropriation case will involve many employees with varying ethics. Some may want to bend or break the rules to protect themselves or the company. Your obligation is to the company, but also to the Right Thing.
If it appears support is rising for some questionable act, you are duty-bound to assert why it would be wrong and the ramifications, including your declining to participate and possible need to report the incident. It might be a good idea to show them a copy of trade secret misappropriation cases and the results of those cases when evidence was destroyed or manipulated. Have counsel or forensics experts explain why such acts won't work anyway.

Send feedback to Senior Editor Scott Berinato.
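
The forensic "timetable" described in lessons 8 and 9, sketched as an added example that is not part of the original article or the case record: it merges three artifact sources with different timestamp formats into one UTC timeline and flags days in the run-up to a departure whose activity far exceeds the baseline. All data, file names, the time zone, the resignation date and the thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone
from statistics import median

TZ = timezone(timedelta(hours=-5))  # assumed workstation time zone
RESIGNED = date(2024, 3, 4)         # assumed resignation date (a Monday)

def _epoch(day, hour, minute=0):    # helper for building the sample data
    return datetime(2024, 2, 1, hour, minute, tzinfo=TZ).timestamp() + 86400 * (day - 1)

# Constructed sample artifacts; each source keeps its own timestamp format.
FS_ATIME = [(_epoch(d, 10 + k), f"reports/wk{d}_{k}.doc")          # routine work
            for d in range(12, 22) for k in range(3)]
FS_ATIME += [(_epoch(32, 14, i // 4), f"designs/part_{i:03}.dwg")  # Sun 3 Mar
             for i in range(200)]
PROXY_LOG = ["2024-03-03T14:55:10-05:00 POST webmail.example/send attach=a.xls",
             "2024-03-03T14:58:41-05:00 POST webmail.example/send attach=b.xls"]
MEDIA_LOG = [("03/03/2024 15:20:05", "optical disc written, 6 files")]

def build_timeline():
    """Normalize all three sources to UTC and merge them into one ordered list."""
    events = [(datetime.fromtimestamp(ts, timezone.utc), "fs-atime", path)
              for ts, path in FS_ATIME]
    for line in PROXY_LOG:
        stamp, detail = line.split(" ", 1)
        events.append((datetime.fromisoformat(stamp).astimezone(timezone.utc),
                       "proxy", detail))
    for stamp, detail in MEDIA_LOG:
        local = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S").replace(tzinfo=TZ)
        events.append((local.astimezone(timezone.utc), "media", detail))
    return sorted(events)

def flag_days(timeline, window_days=30, factor=5):
    """Local days before the resignation with more than factor x median events."""
    per_day = Counter(ts.astimezone(TZ).date() for ts, _, _ in timeline)
    baseline = median(per_day.values())
    start = RESIGNED - timedelta(days=window_days)
    return {d: n for d, n in per_day.items()
            if start <= d < RESIGNED and n > factor * baseline}

def first_seen(timeline, day):
    """Order in which each artifact source first appears on a given local day."""
    order = []
    for ts, source, _ in timeline:
        if ts.astimezone(TZ).date() == day and source not in order:
            order.append(source)
    return order

if __name__ == "__main__":
    tl = build_timeline()
    for day, n in flag_days(tl).items():
        print(day, n, "events; sources in order:", first_seen(tl, day))
```

The output is a sequence of events, not proof of who performed them or whether any file was opened, which is the circumstantial limit lesson 9 describes. Run it against copies of artifacts exported from a disk image, never the live machine.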