Of all the insider threats an organization can face, one of the most damaging is also one of the hardest to detect: the employee who is actively building a competing business while still sitting at your desk, drawing your salary, and using your resources.
It is a direct violation of fiduciary duty and a profound breach of trust. And yet, as iDS team member Timothy LaTulippe explains in the third installment of the Broken Covenants series on Lexology, traditional HR interviews and performance reviews rarely surface the proof needed to act.
The digital record, however, is far harder to obscure.
The Concurrent Login
The starting point for many of these investigations is what LaTulippe calls the concurrent login — the forensic evidence of an employee toggling between legitimate company systems and a hidden shadow infrastructure, often within the same working day.
By analysing browser artifacts, cookie data, and active network connections, investigators can identify the precise moments when an employee was registering a competing domain, researching office space, or drafting a rival business plan — all during core working hours, on company time and company equipment. The digital record draws a clear line between where the employee’s professional persona ended and their competitive one began.
Artefacts of Execution
Beyond time theft, the investigation turns to what LaTulippe describes as artefacts of execution — technical evidence that company resources were directly used to subsidize a start-up. This includes proprietary templates stripped of company branding, internal CRM systems queried to export high-value client leads into a personal spreadsheet, and a pattern of data access that tells a story of someone who had mentally checked out long before their resignation letter arrived.
The goal is a day-in-the-life forensic reconstruction: a chronological narrative that shows the evolution of a betrayal — from early preparation through to a functioning, competing entity — presented in a form that holds up before a judge.
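The concurrent-login analysis and the chronological reconstruction described above can be sketched in a few lines of Python. This is an added example, not code from iDS or the Lexology article; the hostnames, event records, 15-minute toggle window and 09:00 to 17:00 core hours are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from any real case). In practice these would be
# parsed from browser history/cookie stores and corporate authentication logs, and
# the browser list would already be filtered to hosts the investigator has flagged.
CORP_EVENTS = [
    ("2024-03-04T09:02:11", "crm.corp.example", "SSO login"),
    ("2024-03-04T10:40:05", "crm.corp.example", "lead export"),
    ("2024-03-04T14:15:30", "mail.corp.example", "session refresh"),
    ("2024-03-05T09:05:00", "crm.corp.example", "SSO login"),
]
BROWSER_EVENTS = [
    ("2024-03-04T10:31:47", "registrar.example", "domain checkout page"),
    ("2024-03-04T10:44:19", "docs.personal.example", "business plan draft"),
    ("2024-03-04T19:20:00", "registrar.example", "DNS settings"),
]

def build_timeline(corp, browser):
    """Merge both sources into one chronological list of tagged events."""
    rows = [(datetime.fromisoformat(t), "corporate", h, d) for t, h, d in corp]
    rows += [(datetime.fromisoformat(t), "external", h, d) for t, h, d in browser]
    return sorted(rows)

def concurrent_toggles(timeline, core=(9, 17), max_gap=timedelta(minutes=15)):
    """Return per-day lists of adjacent corporate/external event pairs that fall
    within max_gap of each other on a weekday during core hours."""
    by_day = defaultdict(list)
    for prev, cur in zip(timeline, timeline[1:]):
        same_day = prev[0].date() == cur[0].date()
        in_core = all(core[0] <= e[0].hour < core[1] and e[0].weekday() < 5
                      for e in (prev, cur))
        if same_day and in_core and prev[1] != cur[1] and cur[0] - prev[0] <= max_gap:
            by_day[cur[0].date().isoformat()].append((prev, cur))
    return dict(by_day)

def report(toggles):
    """Render findings as chronological lines suitable for a review timeline."""
    lines = []
    for day, pairs in sorted(toggles.items()):
        for a, b in pairs:
            lines.append(f"{day} {a[0]:%H:%M:%S} {a[1]}:{a[2]} ({a[3]}) -> "
                         f"{b[0]:%H:%M:%S} {b[1]}:{b[2]} ({b[3]})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(concurrent_toggles(build_timeline(CORP_EVENTS, BROWSER_EVENTS)))))
```

On the sample data only the two mid-morning switches on 4 March are reported; the evening registrar visit falls outside core hours and is excluded.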
The Role of OSINT
No two shadow competitors operate the same way, but open-source intelligence (OSINT) adds a powerful layer to any investigation. LaTulippe describes how social media footprints, domain registration history, and cached versions of competitor websites can reveal that a new business was being staged months before an employee officially departed — often while their salary was still being paid by the very organization they were undermining.
When public filings and digital signals are layered over internal forensic findings, investigators can demonstrate that the groundwork for a competing venture was built using the employer’s own tools, time, and client data.
What’s Coming Next
The fourth and final article in the series tackles what LaTulippe calls the battle of the experts — the stage where admissibility and narrative clarity determine the outcome. It explores how thousands of lines of complex metadata are transformed into colour-coded visual timelines that a judge can intuitively understand, why a well-constructed forensic report often drives settlement long before a case reaches trial, and how a proactive forensic hold functions as a strategic insurance policy against misconduct in an increasingly mobile workforce.
At iDS, this work spans our Digital Forensics, Investigations, and eDiscovery & Disclosure practices — turning complex digital evidence into clear, defensible narratives that support legal teams from investigation through to trial.
To connect with an iDS expert about your next investigation, visit idsinc.com.