Case Study 2 — The Investigation That Became the Liability
A company had a genuine case: a departing engineer really had copied proprietary files. But its internal investigation reached past the company's own laptop into the employee's personal phone and personal webmail — including messages with his lawyer — and quietly looped in a friendly detective along the way. The technical extraction was flawless. It also handed the employee a Stored Communications Act claim, a privilege disqualification, and a suppression argument, and it turned a winnable trade-secret case into the company's own legal emergency.
Background
This is the cautionary mirror of the book's second anchor case — the employee who covered their tracks — and a deliberate contrast to Case Study 1. There, an examiner with a narrow warrant stayed inside it and won. Here, a corporate investigator with broad authority over one asset treated it as authority over everything, and lost.
Northbridge Robotics suspected that a senior controls engineer, departing for a direct competitor, had taken proprietary motion-planning source code. The suspicion was well founded. The engineer's company-owned laptop carried clean authority: Northbridge owned it, the engineer had signed an acceptable-use policy years earlier, and a login banner announced monitoring and no reasonable expectation of privacy at every logon. On that laptop alone, a competent examiner could have built the entire case — USB device history in the registry, files opened from a removable volume, $FILE_NAME timestamps that survive timestomping, browser history showing a personal-cloud upload — the very artifacts the IP-theft anchor is built from. The authority was clean, the evidence was there, and the matter was civil: trade-secret misappropriation, governed by the FRCP, not a warrant.
Then the investigation went looking for more, in all the wrong places.
What went wrong
Under pressure from a vice president who "wanted everything," the internal investigator made three moves that each crossed a line the company's authority did not reach.
First, the personal phone. The engineer had left a personal smartphone charging at his desk — a BYOD device Northbridge did not own and that no MDM container or signed BYOD policy covered. The investigator extracted it anyway, pulling its messages wholesale.
Second, the personal webmail. On the company laptop, the engineer had logged into his personal, password-protected webmail. Cached credentials let the investigator read it. Among those messages were communications with the engineer's own attorney about the very dispute.
Third, the quiet detective. The investigator had been informally feeding findings to a friendly police detective and, at one point, acted on the detective's suggestion to "check the phone too." That coordination risked converting a private investigation into state action, dragging the Fourth Amendment back into a matter that had started safely outside it.
AUTHORITY MAP — what Northbridge actually had vs. what it took
──────────────────────────────────────────────────────────────────
Company laptop (owned + AUP + banner) ......... CLEAN authority ✓
Personal phone (BYOD, no policy, no MDM) ...... NO authority ✗ (SCA risk)
Personal webmail on laptop (password-protected) NO authority ✗ (SCA risk)
└─ contained attorney-client messages ..... PRIVILEGED ✗ (Stengart)
Acting at detective's direction ............... STATE-ACTION risk ✗
──────────────────────────────────────────────────────────────────
The case lived entirely in the green row. The investigator took the red ones.
None of it was necessary. The laptop held the proof. The overreach added nothing of value and everything of liability.
The unraveling
When the engineer's counsel learned what had been collected, the case inverted. Northbridge stopped being the plaintiff with a strong trade-secret claim and started being a defendant explaining its own conduct.
ENGINEER'S COUNSEL: "Your investigator pulled my client's personal phone —
a device your company does not own and no policy covered.
On what authority?"
NORTHBRIDGE: "He... left it at his desk."
COUNSEL: "And read his personal webmail, including his messages
with me, his attorney, about this matter?"
NORTHBRIDGE: "Those were accessible from the company laptop..."
COUNSEL: "Accessible is not authorized. We have a Stored
Communications Act claim and a motion to disqualify."
The damage came on three fronts. The personal-phone extraction and the personal-webmail access exposed Northbridge to liability under the Stored Communications Act (echoing Pietrylo v. Hillstone, where accessing an employee's password-protected private content violated the SCA) — cached credentials are not authorization. Reading the attorney-client messages triggered Stengart v. Loving Care Agency: privilege survived on personal, password-protected webmail even though it was opened on a company device, and now the investigator (and arguably the company's litigation team) had seen privileged strategy, prompting a motion to disqualify counsel and a fight over a taint that could not be un-seen. And the informal coordination with the detective raised a state-action argument that, if it stuck, would drag Fourth Amendment suppression into the criminal referral the company had hoped to make.
The clean laptop evidence — the part that actually proved the theft — was now entangled with all of it. The competent technical work was, on paper, indistinguishable from a careless invasion. The trade-secret claim survived, barely, but only after expensive motion practice, the disqualification of the company's first litigation counsel, and a settlement posture far weaker than the facts deserved.
The contrast
Set this beside Case Study 1. There, an examiner with a narrow grant of authority — a fraud warrant — treated its limits as sacred, stopped at the fence, and her evidence survived every attack. Here, an investigator with broad authority over one device treated it as authority over the person, reached into a personal phone, personal webmail, and privileged communications, and converted a winnable case into a liability. The lesson is identical across the criminal and corporate worlds and across the Recovery vs. Forensics divide: authority is specific to an asset and a purpose, and the question is never "can I get the data?" but "am I permitted to look at this device, for this purpose?" The investigator who answered the engineering question and skipped the legal one made the most common and most damaging mistake in the field — and made it with flawless technique.
The analysis
-
Clean authority over one asset is not authority over the person. Northbridge owned the laptop and had the AUP and banner to prove it; that authority did not extend one inch to a personal phone it did not own or to password-protected personal accounts. "We own the device" answers a question about that device only. The scope of authority can be far narrower than the reach of the hardware.
-
"Could I access it?" is not "am I permitted to access it?" Cached credentials made the personal webmail technically reachable; that is precisely the trap. Technical access is not legal authorization (Pietrylo), and the gap between the two is where the Stored Communications Act and state privacy laws live. The investigator answered the easy question and walked past the one that mattered.
-
Privilege survives on personal accounts — and seeing it is its own catastrophe. Under Stengart, attorney-client privilege persisted on the engineer's personal webmail even on a company laptop. Reading those messages did not just fail to help; it created a disqualification fight and a taint, because privileged material, once seen by the wrong people, cannot be un-seen. The defensible move is to stop the instant such material appears and route it to a walled-off filter team.
-
Looping in law enforcement can move the ground under your feet. By acting at a detective's suggestion, the investigator risked becoming an agent of the government, pulling Fourth Amendment scrutiny — and the exclusionary rule — into a matter that had safely started outside it. The moment law enforcement directs a private investigation, the legal character changes; that is a "stop and call counsel" trigger, not a casual favor.
-
The overreach added nothing — the case was already on the laptop. Every fact Northbridge needed to prove misappropriation lived in the green row of the authority map: the company-owned laptop with clean authority. The personal phone, the webmail, and the detective coordination contributed no necessary evidence and all of the liability. Discipline here was not just lawful; it was free. The investigator paid a heavy price for data he never needed.
Discussion questions
-
Northbridge had clean authority over the laptop and could have built its entire case there. List the specific laptop artifacts (from Chapter 16 and Chapter 21) that would have proven the file copying — and explain why reaching the personal phone added liability without adding necessary proof.
-
The investigator read personal webmail because cached credentials made it accessible. Explain the difference between technical access and legal authorization, and name the statute and the case (Pietrylo) that turn "I could open it" into "I committed a violation by opening it."
-
Draft the BYOD architecture Northbridge should have had in place before the incident — a written BYOD policy, MDM containerization, and a segregate-and-minimize collection methodology — and explain how each element would have let the company collect its data from a personal device without touching the employee's personal life.
-
⭐ The informal coordination with a detective raised a state-action problem. Explain how a private investigator can be transformed into an "agent or instrument of the government," what consequence that carries (the Fourth Amendment and the exclusionary rule attaching to the private actor), and write the one-sentence rule an in-house investigator should follow the moment a police officer takes an interest in the matter.
-
Compare this case directly with Case Study 1. One actor had narrow authority and honored it; the other had broad authority and overreached. State the single principle both cases prove about the relationship between authority and scope — and explain why the chapter insists the question is always "am I permitted to look at this, for this purpose?" rather than "can I get the data?"