There is a growing assumption among those who choose to violate their post-termination obligations: move the conversation off corporate email and onto WhatsApp or Signal, and you have effectively stepped outside the company’s reach. No server log, no evidence. No evidence, no case.
It is a fundamental miscalculation.
In the second installment of the Broken Covenants series published on Lexology, iDS team member Timothy LaTulippe examines the forensic techniques being used to pierce the veil of private messaging — and why encrypted apps offer far less protection than their users assume.
The Paperless Trail
Proving a breach of a non-compete or non-solicitation covenant demands more than suspicious timing or hearsay. It requires what the article calls “the paperless trail.” While encrypted messaging apps protect data in transit, the data at rest on a physical device tells a different story. Sophisticated extraction techniques can recover deleted message fragments from mobile handsets and surface cloud synchronization logs that the user likely forgot existed entirely.
The platforms most commonly involved are those people already use in their daily lives — WhatsApp across the UK and Western Europe, WeChat in China, LINE in East Asia, and Signal or Viber elsewhere. Their convenience is precisely why they become the vehicle for illicit activity. And despite their privacy-by-design reputations, most are exploitable by forensic practitioners who know where conversation artifacts are cached.
LaTulippe describes cases where former employees flatly denied soliciting colleagues, only for a forensic image to uncover a shadow contact list or a hidden folder of screenshots created on a personal device in the days immediately before a resignation was tendered. In other instances, sentiment analysis and metadata scrutiny revealed a calculated pattern — a departing manager sharing internal salary data and performance reviews with a competitor in real time, while still on the payroll.
The Right to Access Problem
Recovering the data is only half the challenge. The more complex issue for legal teams is the right to access it in the first place. Personally owned devices used for business purposes are now commonplace, but Acceptable Use Policies frequently fail to address the realities of “bring your own device” environments. Without clear language in employment agreements, imaging a personal device is rarely straightforward.
As the article notes, a robust policy — established well before any dispute arises — creates the legal expectation that devices could be accessed or triaged in connection with an investigation. It is, as LaTulippe puts it, a critical area for legal teams to address before a crisis hits.
What Comes Next in the Series
The next installment will turn to another form of insider threat: individuals who build shadow competing businesses — sometimes on company systems and company time — and the forensic markers they leave behind while attempting to take clients and colleagues with them.
At iDS, this work sits at the core of what we do. Our Digital Forensics, Investigations, and eDiscovery & Disclosure practices help legal teams build the kind of evidence-backed narrative that supports injunctive relief and litigation — turning fragmented digital artifacts into a coherent, defensible account of what actually happened.
To speak with an iDS expert about non-compete investigations or digital forensics, visit stg-idsinccom-stage.kinsta.cloud.
iDS provides consultative data solutions to corporations and law firms around the world, giving them a decisive advantage – both in and out of the courtroom. iDS’s subject matter experts and data strategists specialize in finding solutions to complex data problems, ensuring data can be leveraged as an asset, not a liability. To learn more, visit stg-idsinccom-stage.kinsta.cloud