CAUGHT RED HANDED

Cry Woolf

Julian Parker

The Woolf Reforms, recently instituted to make civil litigation more user friendly, targeted, amongst other things, the investigator’s best friend, the Anton Piller Order (AP). The Order was targeted directly, by having its name changed to the Search Order, and indirectly, in that Woolf aimed to make claimants expend more effort in finding solutions before resorting to the “nuclear option” of the AP.

As a result I have talked to litigators who lament the fact that there are not as many Search Orders as there were in the good old days. I can add that we have not found this to be the case. It seems, rather, that some firms are regularly using the Search Orders to great effect, often on specific instances of data theft, whilst others are allowing it to wither on the vine in favour of other, less onerous and draconian remedies.

Despite Lord Woolf’s laudable efforts to speed up and simplify the civil litigation process, it is our experience that certain types of problem can only sensibly be solved by resorting to the extreme option of the Search Order. As computer forensic investigators, we are regularly involved in the investigation of data theft. The recent changes in civil procedures have encouraged the parties to consider carefully the aspect of proportionality in their strategies and therefore applications to the court. As a result, we have seen a rise in consent orders, whereby the computers of those suspected of data/confidential information theft are delivered up to the claimants with the consent of the respondents. Whilst this may be deemed perfectly proportional by the claimants, and therefore, they hope, the court, such orders do not come without their drawbacks.

The key strength of the Search Order is that it is a bolt from the blue. Applied for ex parte, or without notice, it gives the claimants the key element of surprise. Indeed, the entire reason for applying for such an order is that the claimants will argue that, given notice of intended proceedings, the respondents would certainly destroy any evidence. If the court agrees with the claimants, the Search Order will be granted, allowing no chance for key evidence in the possession of the respondents to be destroyed.

Consent orders, on the other hand, are exactly the opposite. The key weakness of such an order, despite the fact that it will contain a Penal Notice warning of the dangers of interfering with the data to be delivered, is that it allows the respondents time to do exactly that. On a number of the data theft cases we have investigated recently, there is the strong suspicion that the data sets delivered up have either been cleaned, or are not the full sets, or, as happens in the worst cases, that data has been deliberately destroyed.

Depending on the types of destruction undertaken, there is certainly the likelihood of demonstrating that such destruction has occurred; but to say data has been destroyed is one thing – to state what has been destroyed is another matter. True, most litigators will assert to the court that positive overwriting of data on machines the court has instructed the respondents not to tamper with is going to reflect badly on the respondents, and must surely point to their having tried to cover up material they were not meant to have. But consent orders normally deal with material relevant to the claimant’s business. A respondent will certainly try and claim that the destruction was of material not relevant to the order, and will probably try and further confuse the issue with spurious technical arguments about housekeeping and improved performance. Such problems may be avoided by careful wording of any order, but again, proportionality will come into play. Businesses will be extremely unwilling to allow a competitor (for such is the claimant in most instances of data theft) to examine data on their computers that does not relate directly to the areas in contention, and drafting orders in which no data may be screened or deleted may not be practicable.

All this, of course, depends on being able to determine that data has been erased. There are some software mechanisms that leave no trail behind them. In such cases, as with those where it is felt that the respondents have cleaned up data, or are presenting a “stunt set”, the investigators and litigators have to work on the inference of omission – i.e. that what is being presented cannot be true based on what is not present (for example, the sheer lack of e-mail, or of other business documentation), but this is, by nature, a difficult argument to prove.

Without doubt, the preferred option for investigators and in most cases litigators (although I do not pretend to speak for them in general) to preserve evidence is to catch the respondents in possession of it.

Such is the extreme nature of the Search Order that many litigators have never executed one. Sometimes, however, they will find themselves being pushed into it by a client eager for such a remedy, and they will have to learn on the job. It is almost certain that any Search Order will include a specific order allowing for the imaging of computers and other digital media. Most computer forensic investigators have executed a number of Search Orders, and they will always be more than willing to add their store of knowledge on
the practicalities of executing such orders whenever asked, and of ensuring the order is correctly drafted to allow for the collection of all digital evidence. Executing a Search Order is a lot like executing a criminal Search Warrant, and a little like undertaking a military operation. The more planning and preparation that goes into it, the better the result is likely to be.

Basic rules to prepare for a Search Order:

Select the right target

The investigation and litigation team should be careful to ensure the targets selected are those directly relevant to proving the case, and are proven to be, or are likely to be, in possession of evidence. Further targets can be added as the searches progress, but the courts will be more prepared to grant an order that is highly targeted with reliable evidence rather than one which is trying to catch all-comers. Search Orders should never be considered a “fishing expedition”.

Engage the relevant expertise

In most cases the target premises, whether business or residential, are very likely to contain computers or other digital processing equipment. Here it is worth noting that rarely does any member of the forensic team get the opportunity of finding out exactly what and how much processing power will be encountered in any target location. The only sensible approach is to take maximum firepower (forensic imaging capability). Furthermore, the order will often stipulate that two copies of any devices are to be made, one being left with the respondents. It is not advisable to engage a computer forensic specialist who only has the capability of imaging one machine at a time – whatever amount of digital media is encountered, the claimant’s solicitors and the court will still want to be out of the target premises as quickly as possible.

Specialist assistance is often required in other fields, most notably surveillance – once an order is granted, the claimants’ solicitors will undertake to the court to execute it as soon as practicable. Surveillance is often required to ensure that the targets will be at their residences/offices on the day chosen for the search (I could at this point tell the story of the surveillance team which gave the OK to the search team, who duly arrived after a journey of many miles and several hotel bills. On the morning of execution, however, no-one was home. The surveillance team’s confident assertions of occupancy were undermined by the obvious presence of an anti-burglar device, which switched on the house lights every night at 10.00pm, thus fooling them – but I digress).

Build redundancy into the execution team

It goes without saying that there should be enough people on hand to do the job. But Search Orders can be unpredictable – new targets and/or premises can emerge as the search gets underway, and it is never advisable to have the minimum number of people on hand. Likewise, do ensure that the execution team has sufficient transport to meet any eventualities (sounds obvious, I know, but we have known teams unable to commence their search as they have been stuck waiting for a train). Members of the search teams should also have tested means of communicating with each other, and mobile telephone batteries should be fully charged.

Ensure the forensic team is well briefed and forewarned

It is not unknown for the forensic investigators to be asked to execute a Search Order the next day in some remote location without any prior warning. There is no excuse for such lack of forethought. Search Orders take time to put together and apply for, and ideally the forensic team should be involved in drafting or at least checking the technical aspects of the order. Likewise, the forensic team will suffer if not adequately briefed as to the evidence being looked for. Search criteria such as “all e-mails please” indicate a fundamental lack of awareness of the potential capabilities of forensic investigation, and can lead to needless hours taken up producing irrelevant material.

In the post-Woolf era, many litigators err on the side of caution when tackling fraud or data theft. With the watchword of “proportionality” ringing in their ears they shy away from aggressive tactics such as the Search Order. Indeed, many litigators had never executed the old Anton Piller Order in the pre-Woolf days, and would feel even less inclined to try for the new Search Order. As forensic investigators we have a different perspective, of course. Our role is to search for evidence. In a previous issue, Data Genetics International reviewed our cases for the year of April 2002-2003. During this period a trend emerged which has continued apace during the first half of this year and shows no signs of abating, namely the growing problem of data theft. In most cases the data in question has been in electronic format. It is our direct experience that the Search Order is, and will likely remain, the most effective legal tool for breaking open such cases. Certainly it is more costly to apply for and execute a Search Order than to go for a number of Consent or Disclosure orders, but it must be remembered that the Search Order is decisive and over quickly, whereas the other options can drag on in wrangles and arguments about what should or should not appear. We have always found digital evidence to be of supreme value for the “knockout blow” that most litigators would wish for in a case – and the most concise and incontrovertible way to get such evidence will always be from the respondents’ computers before they have time to do anything about it.

Contacts:

Data Genetics International
Tel: 0044 2075209384
Email: [email protected]