In Part II, I described how you can use metadata to shield yourself from allegations of misappropriation of trade secrets or spoliation. But enough about defense – what about playing offense? What about when you need to establish that an employee or competitor has stolen your stuff? Here again, metadata may be your friend.

Metadata was our best friend when a partner of mine and I recently obtained a $20-million-plus judgment on behalf of a government contractor client against an illicit competitor who had misappropriated several of our client’s trade secrets. We did it by proving that the competitor, working with a former employee of our client, used our client’s trade secrets in preparing a proposal to win a lucrative government contract, and by disproving the competitor’s main defense that it was actually working on an entirely innocent document that happened to contain those trade secrets.

The competitor’s defense hinged largely upon one document. For reasons you’ll understand three paragraphs from now, we’ll call it the “Sham Document.” The Sham Document was supposedly a proposal the defendant was preparing to submit to a foreign government that was unrelated to our client’s core business. The existence of the Sham Document at the time of the events in question supposedly showed that the defendant was not misappropriating our client’s trade secrets into a legitimate government contract proposal, but rather was engaged in preparing an innocent proposal. Metadata showed that the Sham Document was, well, a sham, and that in fact the defendant created the Sham Document only after the litigation began to cover up the defendant’s misappropriation of our client’s trade secrets.

First, the Sham Document contained a “temporal anomaly.” The anomaly was that the metadata showed a “Last Saved Date” that was earlier than the “Last Printed Date.” Experts for both sides agreed: when Microsoft Word prints a document, the Last Saved Date must be on or after the Last Printed Date. The defendant’s own expert testified that the anomaly “can be indicative of backdating” that can occur “where the system clock associated with the computer is for some reason set to the wrong date, whether it’s intentional or not. And then there are tools that are specifically designed for modification of metadata dates.”

Second, the Sham Document bore a File System Created Date on the defendant’s server that was long after the underlying events at issue in the lawsuit, after litigation had begun. This “File System Created Date” was compelling evidence establishing that the defendant had not been working on the Sham Document when it said it was (i.e., the innocent explanation), but instead created the Sham Document after the defendant knew that it had been sued for misappropriation.

Finally, we used metadata to prove that the defendant had backdated other files. Litigation-related documents that the defendant received in late September bore “Last Written Dates” in August. Similarly, post-August emails contained in an .OLM file had a “Last Written Date” in August– this was impossible. Two defense forensic experts said these anomalies suggested that someone had used a tool to backdate these files. One said that “a tool could have been used to change these [Last Written Dates] so that they were, you know, screwy.” Our expert testified that “you can set those dates to anything you want. Once you’re using tools, all bets are off. You can make the dates dance and sing any way you want.”

The judge noted all of this in concluding that the Sham Document was a “fraud.” In addition to assessing compensatory and exemplary damages against the defendant, the judge said that the defendant’s law firm should have known from the metadata that the Sham Document defense was a fraud. As a result, the judge imposed sanctions against the law firm for continuing to assert the defense in spite of the metadata that disproved the authenticity of the Sham Document.

We also had to prove that the defendant, through our former employee, actually used our client’s trade secrets in preparing its illicit proposal. Amid a ton of emails and draft proposals showing our former employee inserting our client’s pricing information into the competitor’s proposal, we found gold: the metadata named our client’s former employee as the person who “Last Saved” the version of the competitor’s proposal that included our client’s pricing and other related information.

Metadata can be powerful evidence. It is contemporaneous and it can reveal who was doing what to which file, and when. There are tools that employers need to be aware of that are designed to manipulate metadata, to delete files, and to destroy evidence of the deletion of files – but that is the subject of the upcoming and concluding installment of this four-part series.