Skip to main content

How Digital Forensics Can Identify Employee Non-Compete Violations


In a world of cut-throat competition across a global industry, an enterprise can be seriously compromised by a leak of their intellectual property or industrial secrets. The temptation for an individual employee to divulge information to a competitor in return for more lucrative employment or another reward is high.

Having a legally binding stipulation that an employee cannot work for a direct competitor during or for a length of time after their employment, means that the company has some protection against breach of their secrets. This is where a ‘non-compete clause’ comes into play. 18% of workers in the US have a non-compete clause built into their contracts. This equates to around 30 million people.

Restricting employees from working for competitors immediately after leaving their current employment can also improve employee retention. Workers in non-compete contracts remain with the company roughly 11% longer than in those without.

What is a non-compete clause, and what purpose does it serve?

Non-compete clauses are designed to protect an enterprise’s trade secrets and intellectual property. Having employees take sensitive data with them when they leave to work for a competitor, or an unhappy employee taking revenge or looking to make a quick buck after dismissal are all too common in the world of competitive business.

A non-compete clause also prohibits an employee from leaving to start their own business based on the private data they’ve gathered while working for a company. Having a signed contract with a non-compete clause means that a company has recourse against the person committing the violation, and can legitimately investigate with a view to suing for damages.

The significance of non-compete violations

A 2018 study by Bromium estimated that leaking intellectual property and industry secrets costs $500 billion per year, amounting to around a third of the total estimated revenue of all cybercrime.

Consider the high-profile 2005 case of Kai-Fu Lee, who moved from his position as corporate VP of Interactive Services at Microsoft to work at Google. A non-compete clause in his original contract meant significant legal wrangling, a substantial but ‘undisclosed’ reparation, and some major restrictions in Lee’s functions in the first year of his employment at Google. Without this clause, Microsoft would have had no control over any intellectual property Lee took to their competitor.

Non-compete clauses have been built into contracts for many years, long before the advent of the digital workplace. They must be enforceable, which means that a violation of a non-compete agreement must be provable. They should also be fair. They should not be intended to restrict a person from ever working within their area of expertise again, while still allowing an organization a level of guarantee against their data being leaked to an external establishment.

Enforcing a non-compete clause

Identification and enforcement of non-compete agreements have, arguably, become easier with the shift towards a digital workplace. Employers are able to access records of the movement of data, for example, outgoing emails which demonstrate that an employee has transferred inappropriate information to an external address.

Data leaked in this way is considered an “insider threat”, but one that can be mitigated through legally binding documents, technological advancements, and employee investigations. The drive to enforce non-compete clauses in the digital workplace has led to a new branch of information security – digital forensics.

How digital forensics can help businesses detect and navigate a non-compete issue

Digital forensics is a branch of investigative science that collects and preserves evidence from digital devices such as laptops, smartphones, cloud-based services, and more. This evidence can be used as part of an investigation into any crime or misdemeanour involving information technology.

In the case of non-compete violations, digital forensics teams may be called in to investigate evidence of data leak and intent to divulge trade secrets or to identify anonymous defamation of the company online. The team can also be called to identify issues in someone’s employment history that could impact on their work, and to gather evidence defending against an accusation of wrongful termination. Digital forensics is also a fast-growing branch of criminal law enforcement.

The tools and techniques of digital forensics

Digital employee investigations can take many forms, from the simplest monitoring of outgoing emails to diving deep into complex digital fingerprints. For some investigations involving the use of an employee’s personal device, gaining legal permission is necessary. If an organization has reason to believe that an employee has committed a breach or theft of intellectual property, electronic devices may be seized for investigation, such as in the case of Frees Inc. vs. McMillian.

In general, for a company to have a chance to seek compensation or even punitive damages, they need to be able to prove, in a court of law, that there was malicious intent and a deliberate breach of the non-compete clause.

Digital evidence can be pulled from most devices. For example, mobile phones are the most widely used digital devices and can be a rich source of forensic evidence during investigations. These devices contain not only a record of communications and data transfer but also timestamped photographs, movement tracker apps, activity logs, and more. Other physical devices, such as laptops, tablets, and removable media, can be an easy source for data as well. Web-based email, social media, browser data, and search histories can also provide compelling evidence. In the case of a deliberate transfer of data to a competitor, a simple history of those communications is sometimes enough.

The evidence that can be gathered in a digital forensic investigation can take various forms, from the simple to the complex, including:

  • Communications: Messages, emails, social media interactions, and phone call history are typically accessible by a digital forensics team. The evidence gained may be as straightforward as a message showing intent to breach a confidentiality or non-compete clause, or even showing a transfer of documents. Digital communications investigations can also show how long an employee has been in dialogue with a competitor, which can help uncover further data loss and intentions.
  • Device history: A digital forensics team can find out which networks or other devices an electronic device has been connected to, who has used the device, what changes were made to any data and when, and sometimes even the physical whereabouts of the device at any time. Work-issued laptops have been used to transfer data to competitors in return for a substantial reward, which can be attractive to certain employees.
  • Web browser history: Sometimes, the insight can be as simple as finding that an employee has used a work computer to search for the contact details or job vacancies of a competitor.
  • Printer, copier, and photographic record analysis: Devices are increasingly interconnected, and evidence can be found by working out who logged on to what, where, and when, and collating that with evidence of data breach. With cameras on every smartphone, a task as common as photographing a piece of sensitive information can constitute sound evidence of a breach of contract.
  • Web-based data storage: There are many ways to expose company secrets, such as simply creating sharable documents on a web-based storage facility or cloud drive.

If any evidence is intended to be used in legal proceedings, it must be very carefully gathered and held. If there is any possibility that the evidence has been altered or damaged during or after retrieval, that can make the difference between a successful and unsuccessful recourse against breach of contract and breach of data security. A case of insider data breach and violation of non-compete agreement can hinge on being able to produce a solid record.

Evidence can be preserved for use through copying or ‘mirroring’ forensic findings. This can often be done non-invasively, and much evidence can be gathered without alerting anyone suspected of involvement in the data breach.


In any data breach, time is of the essence. Recovering and protecting data is the key immediate consideration. Identifying the vector of transmission and enforcing the repercussions of a violation of a non-compete clause can mean the difference between continued data theft and true security. Acting to enforce non-compete violations may also send a strong message to other employees who may be tempted to divulge company secrets.

Sophisticated employee investigations using digital forensics mean that non-compete violations can be enforced with strong evidence supporting serious repercussions. Having a robust digital forensics plan means a secure data pool and a trustworthy workforce.