When Teams Resign: Tips for Private Equity Sponsors Conducting Forensic Investigations

In our last post, we covered the critical first 48 hours when key employees resign: garden leave, locking down IT access, collecting devices, securing client relationships, and asking initial questions about personal devices, confidential information, the reasons for leaving and where they are leaving for. 

Those steps will help to protect the employer’s immediate business interests. But collecting devices and suspending IT access won’t tell the employer what has actually happened, or why. Did the employees coordinate their departure in advance? Have they already solicited clients or colleagues? Did they download confidential information in the weeks before resigning? The answers may lie in a forensic review of the employee’s documents, emails and other communications — and time will be of the essence if breaches occurred and enforcement steps need to be taken.

This week, we'll address how to conduct a swift and effective forensic investigation that uncovers evidence of breach while managing costs and focusing on what matters most.

Document review: the importance of filtering 

A wholesale linear review of months of emails is likely to be impractical, disproportionately time-consuming and expensive. Instead, targeted filters should be deployed to identify the most relevant communications. Appropriate filters may include:

Time-based filtering

In many cases, it may be appropriate to focus in the first instance on a relatively short period, such as communications in the six weeks immediately preceding the resignation. If employees were planning a coordinated move, evidence may reasonably be expected to have clustered in this period as they finalised their plans.

Recipient filtering

Emails between the departing employees themselves and close colleagues where nobody else is copied are likely to be the most probative. If they're discussing something sensitive, they're unlikely to include others. Similarly, filter for emails to clients with no internal colleagues copied. This may be a warning sign of solicitation. Nevertheless, any findings will need to be assessed in their context: for example, logs of calls among the departing employees only (with evidence neither of what they discussed nor of the frequency of calls with other, non-departing employees) are unlikely, without more, to support an allegation of inducement or conspiracy. However, if the frequency of those intra-group calls in the run-up to the resignations is markedly higher than that of calls involving non-departing employees in the same period, this may provide some assistance.

Keyword filtering

Search for phrases tied to future plans (“catch up soon”, “be in touch”, “new opportunity”), or language that suggests awareness of restrictions and an unwillingness to say more in writing (“can't say more now”, “will explain later”, “let’s discuss”).
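The three filters above can be combined into a single first-pass triage over exported mail metadata. The sketch below is an added example, not part of the original post: the addresses, dates and messages are constructed, the recipient filter is narrowed to the leavers themselves (identifying "close colleagues" needs case-specific input), and plain substring matching on the keywords is an assumption.

```python
from datetime import date, timedelta

# Everything below is constructed sample data, not taken from a real matter.
A, B = "a.lee@portco.example", "b.khan@portco.example"
LEAVERS = {A, B}
INTERNAL_DOMAIN = "portco.example"
CLIENT_DOMAINS = {"client.example"}
RESIGNATION = date(2024, 6, 28)
WINDOW = timedelta(weeks=6)  # the six weeks immediately preceding resignation
KEYWORDS = ("catch up soon", "be in touch", "new opportunity",
            "can't say more now", "will explain later", "let's discuss")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def triage(msg):
    """Return the filter tags a message hits; [] if out of scope or no hit."""
    if not (RESIGNATION - WINDOW <= msg["date"] <= RESIGNATION):
        return []
    if msg["from"].lower() not in LEAVERS:
        return []
    rcpts = {r.lower() for r in msg["to"] + msg["cc"]}
    tags = []
    if rcpts and rcpts <= LEAVERS:  # leavers talking with nobody else copied
        tags.append("leavers-only")
    to_client = any(domain(r) in CLIENT_DOMAINS for r in rcpts)
    internal = any(domain(r) == INTERNAL_DOMAIN for r in rcpts)
    if to_client and not internal:
        tags.append("client-no-internal-cc")
    # Normalise curly apostrophes so a typed "let’s" still matches "let's".
    text = f'{msg["subject"]} {msg["body"]}'.lower().replace("\u2019", "'")
    return tags + [f"kw:{k}" for k in KEYWORDS if k in text]

def mk(d, frm, to, cc, body):
    return {"date": d, "from": frm, "to": to, "cc": cc, "subject": "", "body": body}

SAMPLE = [
    mk(date(2024, 6, 10), A, [B], [], "Can\u2019t say more now, will explain later."),
    mk(date(2024, 6, 20), B, ["jo@client.example"], [], "New opportunity, will be in touch."),
    mk(date(2024, 6, 21), A, ["jo@client.example"], ["mgr@portco.example"], "Q2 report."),
    mk(date(2024, 3, 1), A, [B], [], "Let's discuss."),  # outside the window
]

def review_queue(messages):
    return [(i, t) for i, m in enumerate(messages) if (t := triage(m))]

if __name__ == "__main__":
    for i, tags in review_queue(SAMPLE):
        print(i, tags)
```

The tags only prioritise messages for human review; as the post notes, each hit still has to be assessed in context.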

AI-assisted review

Once the initial filtering has identified a manageable dataset, AI-assisted review tools can significantly accelerate the analysis while reducing costs. Modern technology assisted review (“TAR”) platforms can identify patterns in communications that human reviewers might miss: for example, clustering emails by topic to identify coordinated discussions among multiple leavers, or flagging communications where the tone or content diverges from an employee's normal pattern.

AI tools are particularly effective at identifying conceptually similar documents even when different language is used. If one departing employee discussed “setting up independently”, while another referred to “the new venture,” AI clustering can connect these communications as part of the same storyline. This may be helpful when investigating whether resignations were coordinated.

However, AI-assisted review is not a substitute for human judgment. The technology requires prompting to identify relevant documents, and results need validation by lawyers who understand the legal issues at stake. False positives (irrelevant documents flagged as important) and false negatives (relevant documents missed) are inevitable, so quality control protocols are also essential. Used properly, AI can reduce review time by 60-70% while at least maintaining and perhaps improving accuracy relative to a traditional linear review, but to achieve these results, sponsors should ensure portfolio companies engage lawyers and e-disclosure vendors with proven track records in litigation and forensic investigations, instead of treating this as a purely commoditised, technology-driven exercise.

Download logs

User download logs reveal what documents employees accessed or downloaded in the weeks before departure. Did they suddenly download client lists, pricing models, or financial projections they hadn't accessed in months? Download logs also typically show what device or account received the data, such as personal email accounts, USB drives, or personal cloud storage locations.

Review emails sent by the employees to personal email accounts (Gmail, Hotmail, etc.) to identify documents forwarded outside the company’s IT environment. This is often the clearest evidence of intentional data exfiltration.

Getting complete client lists

As noted last week, departing employees should be asked to provide a comprehensive list of clients they've dealt with, including details of any personal or family relationships with people on that list.

When it comes to any subsequent forensic review, this request will serve several purposes. It helps to identify clients at risk of solicitation. It flushes out potential defences (“that client is my brother-in-law, the restriction doesn't apply”). And it creates a baseline against which to compare the forensic evidence — if the employee omits major clients from the list, that may be telling evidence of an intention to breach applicable restrictions.

The sponsor’s role

Portfolio companies rarely have in-house forensic capabilities. Therefore, ideally in advance of any departure, sponsors should identify appropriate legal counsel and e-disclosure vendors, and take steps to ensure that documents can be swiftly collected and reviewed. 

Next post: We'll address a critical risk that emerges during forensic investigations: how the employer’s efforts to uncover employee breaches can inadvertently result in its own data protection and confidentiality breaches.
