Case Study 2 — The Evidence That Aged Out
A departing executive is suspected of taking a customer database to a competitor — the classic anchor-case fact pattern, now lived entirely in the cloud. The proof almost certainly existed. But the team waited, chased the wrong reservoir, and ran headlong into jurisdiction, and by the time the legal machinery turned, the decisive logs had been deleted by ordinary retention. This is what losing a winnable cloud case looks like.
Background
A SaaS analytics company believes its departing VP of Sales, in her final fortnight, exported the full customer-relationship database and forwarded a strategic deck to a personal account before joining a direct competitor. Everything in scope is cloud-resident: the CRM is Salesforce, email and files are Google Workspace, and — a detail nobody flags early — the Workspace tenant carries a data-residency commitment keeping primary data in the EU. The matter is civil: a trade-secret claim, the same shape as the anchor IP-theft case, but with no criminal warrant available. Outside counsel is confident; the facts look strong. What follows is a sequence of avoidable errors, each individually survivable, that compound into a lost case.
What went wrong
Delay — the clock nobody started. The VP resigned on the 1st. Counsel spent three weeks negotiating the engagement's scope and budget before retaining an examiner on the 22nd. No litigation hold was issued in the interim, and no logs were exported. Nobody asked the question a cloud examiner asks in the first hour — what is logging here, and how long does it last? The honest answer would have been alarming: Google's Drive audit log in the admin console retains roughly six months, but the Login and most activity logs are far shorter, and Salesforce's Setup Audit Trail holds about 180 days. The relevant window was not yet gone on the 22nd — but it was already eroding, unpreserved, while everyone assumed the cloud "keeps everything."
Reservoir confusion — chasing content through the wrong door. The examiner's instinct was right about where the smoking gun would be — the VP's personal Gmail, into which the strategic deck was allegedly forwarded — but wrong about how to reach it. Counsel served a Rule 45 civil subpoena on Google demanding the contents of the personal mailbox. Google refused, and correctly: the Stored Communications Act generally bars providers from disclosing the content of communications to civil litigants, even under a subpoena. Weeks were lost to motion practice that was doomed from the start. The lawful path had been available all along and pointed the other way — compel the custodian herself to produce the account through the litigation's discovery obligations, backed by a preservation demand and, if she balked, a court order against the party, not the provider. The team had treated a reservoir-3 problem (an account the client does not control) as if a piece of paper to the provider could solve it, when civil process must run through the person.
The jurisdiction trap. When attention finally turned to the Workspace tenant's own logs (reservoir 2 — collectible with the client's admin access), a second wall appeared. The data-residency commitment meant the primary content sat on EU soil, and GDPR Article 48 restricts a provider's disclosure of personal data in response to foreign legal orders. For the content the client could not self-collect, the only formal cross-border route was a Mutual Legal Assistance Treaty (MLAT) request — and MLAT requests routinely take many months, longer than the logs' retention. The team had discovered the jurisdictional question mid-investigation, the worst possible time, instead of establishing provider, residency, and lawful instrument the moment the case touched the cloud.
The logs age out. By the time the doomed Google subpoena was withdrawn and counsel pivoted to compelling the VP's own production, it was month five. The examiner finally pulled what the client could lawfully reach with admin access — the Salesforce Setup Audit Trail and Google's admin-console audit logs — and found the worst possible result: not exculpatory evidence, but no evidence, because the records had passed their retention windows and been deleted by policy.
RETENTION vs. ELAPSED TIME — what was reachable, and when
Source Retention Status at month 5
Google Login / activity log short GONE (rotated out)
Google Drive audit log ~6 months partial — earliest events expiring
Salesforce Setup Audit Trail ~180 days GONE for the resignation fortnight
Salesforce report-export detail (Shield) NEVER EXISTED — Shield not licensed
The last line is the quiet catastrophe. Even on day one, the single question that mattered most — did she run a bulk export of the customer database? — was unanswerable, because user-activity detail in Salesforce requires the Shield Event Monitoring add-on, and the company had never licensed it. The ReportExport events that would have proven or disproven the export were never generated. What you can collect was decided long before the investigation began, by a purchasing choice nobody revisited.
The outcome. The examiner's final report was, to its credit, honest: it stated plainly that the available cloud telemetry was insufficient to determine whether the customer database had been exported, because Shield had not been licensed, the Setup Audit Trail had aged out, the personal-account content was unreachable by lawful civil process directed at the provider, and the EU-resident content lay behind an MLAT that would outlast the data. Every one of those is a defensible finding. But collectively they meant the client had no evidence, the trade-secret claim settled for a fraction of its value, and the lesson was paid for in full.
The analysis
- In the cloud, delay destroys evidence by itself. No one deleted anything maliciously; ordinary retention did the work. The three weeks before a hold, plus months of misdirected process, ran past the logs' lifespans. Preservation — a litigation hold for your own tenant, a § 2703(f) letter for third-party data — is the first action, issued before strategy is settled, not after.
- Civil cannot subpoena content from the provider. The SCA bars providers from disclosing communication content to civil litigants. You get a custodian's account by compelling the party to produce it, not by serving the provider. Knowing which door is even legally open is half the job; the team spent months on a door that was never open.
- Establish jurisdiction the moment a case touches the cloud. Provider nationality, data residency, and the lawful instrument (CLOUD Act request, executive agreement, or slow MLAT) determine whether you can get the data at all and in time. Discovering EU residency mid-case, after the clock had run, was an avoidable, fatal surprise.
- You inherit the past's logging posture — assess it first. Salesforce user-activity detail needs Shield; M365 auditing must have been enabled; Slack audit logs need Enterprise Grid. Telemetry that was never licensed cannot be created retroactively. Ask "what is even being logged here?" in the first hour and tell the client honestly what their configuration can and cannot prove.
- An honest "insufficient evidence" is professional — but a preventable one is a failure. "The telemetry is insufficient to reach a conclusion" is a valid finding when the limits are inherent. Here the limits were largely created by delay and misdirection. The discipline of cloud forensics is to convert as many preventable limitations as possible into preserved evidence, before the clock wins.
Discussion questions
- Build the day-one plan the team should have executed on the 1st (the day of resignation). List, in order, the preservation and assessment actions for each reservoir — endpoint, the client's own Salesforce/Workspace tenant, and the VP's personal account — and the single question you would answer before promising counsel anything.
- The Rule 45 subpoena to Google was doomed. Explain precisely why the SCA blocks it, then lay out the lawful civil path to the personal-account content, identifying who is compelled and by what mechanism.
- Contrast this case with Case Study 1: both were cloud cases with strong underlying facts, yet one was won from logs and the other lost. Identify the single habit most responsible for the difference, and write the one-line rule you would post above an intake desk to prevent a repeat.
- ⭐ The decisive Salesforce question was unanswerable on day one because Shield was never licensed. Draft the "logging-posture assessment" you would deliver to a client at engagement — what you check across M365, Google Workspace, Salesforce, Slack, and AWS, and how you translate each finding into "here is what we will and will not be able to prove." Tie it to the chapter's claim that SaaS investigations are bounded by configuration bought before the fact.
- Suppose the same facts arose in a criminal matter with law enforcement involved. Which doors that were closed here would open, which legal instruments would apply to the personal account and the EU-resident data, and would the jurisdiction problem disappear or merely change shape? Reference the SCA tiers, the CLOUD Act, and MLAT from the chapter.