Page 1: CyberForensic Policy Drivers How Public Policy Drivers Converge through Deployment of Cyber Forensics to Balance Privacy and Security John W. Bagby College

CyberForensic Policy Drivers

How Public Policy Drivers Converge through Deployment of Cyber Forensics to Balance Privacy and Security

John W. Bagby

College of IST

Penn State

Page 2:

CyberForensic Policy Convergence

Problem Statements & Policy Questions

Security & Privacy Decreasingly Addressed Exclusively through Technical Solutions
• Increasingly Resolved thru Public Policy

Is Security vs. Privacy a traditional trade-off/conundrum or Complement?
• It Depends!

What Role Does CyberForensics Play to Resolve these Questions?

Page 3:

Conundrum: Privacy vs. Security

Irreconcilable, Zero-Sum Tradeoff

Strong privacy rights externalities
• Privacy compromises security
• Intruders/terrorists enjoy excessive anonymity

Strong security requires limited privacy

Intrusion/attack deterred by ltd. privacy

Security enhanced with liberty limitations

Page 4:

Complement: Privacy w/ Security

Privacy-security conundrum too simplistic
• Elevates law enforcement over liberty

Liberty enables security (flight averts injury)

Isolation protects prey
• self-imposed seclusion & anonymity

Privacy diminished w/ insecure PII
• History of predator misuse of public databases
• Social Engineering, e.g., pretexting, impersonation

Page 5:

Hand/Posner/Bagby Model

[Figure: Is there a trade off between Privacy & Security? Axes: Privacy, Security]

Page 6:

[Figure: Hand/Posner/Bagby Model chart (Is there a trade off between Privacy & Security?), same chart as on Page 5]

Page 7:

Law & Economics of Intrusions into Personally Identifiable Info (PII)

Prof. (Judge) Posner’s model would protect privacy or permit intrusion for search & seizure depending on a balancing of:

1. Usefulness to society of PII acquired from the intrusion

2. Repugnance of the intrusion

Applied to Judge Hand’s formula:
Protect Privacy if B > P*L
Intrude on Privacy if B < P*L

B = intrusion costs; P = probability of discovering useful info; L = societal losses

Page 8:

Regulation of Private Data Management

Fundamental Architecture & Mechanics of Private Data Activities

PII Distribution Chain of Custody & Data Management Sequence:

1. Data Acquisition

2. Information Analysis

3. Use of Knowledge

Page 9:

PII Supply Chain: Custody & Data Management

Activity Occurs & Subject Individual is Identifiable

Data Collection: Sensing, Observation Capture

Data Storage: Made Available

Data Analysis: Association, Aggregation, Organization, Interpretation

Direct Use: by Data Manager

Secondary Use: PII Sold or Shared with 3d Party

Page 10:

Fair Information Practice Principles

Origin: 1973 HEW Advisory Com. Rpt.

1. Notice and/or Awareness

2. Choice and/or Consent

3. Access and/or Participation

4. Integrity and/or Security

5. Enforcement and/or Redress

Spreading throughout government regulations and into self-regulation
• Actively opposed by most of data industry, much of law enforcement, many in counter-terrorism/security because …

Underlies the EU Private Data Directive

Page 11:

Integrity and/or Security

Collector/Archiver/Custodians
• Reasonable steps to assure accuracy of PII
• Administrative & technical security measures

Standards:
• Prevent unauthorized access
• Prevent unauthorized disclosure
• Prevent destruction
• Prevent misuse

Relationship to Internal Control as Component of Data Security/IA

Page 12:

Enforcement and/or Redress

Mechanism(s) of Privacy Practices Enforcement

Self-regulation
Standards
Private rights of action
Regulatory enforcement
Criminal Sanctions
Market Discipline

Page 13:

Sources of Privacy Law

Constitutional Rights
• 1st, 3rd, 4th, 5th, 6th, 9th, 10th, 14th Amendments

Torts
• Appropriation, private facts, intrusion, false light

Property Rights
• Information is property

Protective Regulations
• Children, Financial, Workplace, Health, TeleCom

Contract
• NDAs, website policies, privileges

Criminal Procedure

Intelligence Reform & National Security

International Law (e.g., EU)

Page 14:

US Privacy Law is Sectoral

US is sectoral: narrowly drawn to particular government methods & industry sectors
• Enacted following experience with activities that the public finds abusive
• Financial services further sectioned by G/L/B FFR

EU is omnibus: comprehensive & uniform, covering most industries & governments, strong privacy rights
• Sets fundamental policy for individuals

Page 15:

Multiple Internal Control Imperatives

Government & Market Pressures for Information Assurance (IA) Controls are Generally Consistent
• Reinforcing - Not Conflicting
• Considerable Persistent Unawareness

Opposition to Control Confluence & Harmonization
• Results are Wasteful Duplications, Unfortunate Opportunity Costs & Advocacy Harmful to Sound Policy

Page 16:

Four Drivers of Internal Control

1. Sarbanes-Oxley Internal Control Regime
• Particularly SOX §302 & §404

2. Data Security Requirements under Various Privacy Laws

3. Trade Secrecy

4. National Security, Cyber-Terrorism & Counter-Terrorism Duties

Others: sectoral regulations, fiduciary duties, contractual requirements, standards …

Page 17:

Comparison Framework: Internal Control

Impetus                       | Control device     | Objects               | Underlying (In)tangible      | Protected Beneficiary
CPA, FAS                      | Internal Controls  | Books, Record-keeping | Financials, Market Integrity | Investors
USA Patriot                   | Security           | Infrastructure        | Nat’l Security               | People, Institutions
GLB, HIPAA, State laws, etc.  | Security           | PII                   | Privacy                      | Subject Individuals
Rest & UTSA, Caselaw, EEA     | Reasonable Secrecy | IP                    | Trade Secrets                | SH

Page 18:

SOX Externalities: Other Impacted Entities

Publicly-Traded Companies in 3 tiers:
• Accelerated ($75 mil float), non-accelerated, foreign cos

Closely-Held Companies
Government Agencies
Educational Institutions
Not-for-Profits, SROs, NGOs
• Critical Infrastructure Authorities

And of nearly all of these entities:
• Suppliers, ASPs, Software Vendors, Network Providers, Consultants, Auditors, Employees, CIOs, CFOs, CSOs …
• SAS 70: Service Organizations (Outsourcing, Offshoring)

Page 19:

Externalizing SOX’s Impact

Apply Audit-firm Specific Practices to all
IT & Service Provider General Practices
Directors Bring from other Boards
D&O Insurance best practices
Suppliers/Customers - SAS 70
CxO’s - information sharing, professionalism
New Laws Forthcoming
• EX: Not-for-profits
• Sectoral control standards resembling SOX

Page 20:

Internal Control Regime

Pre-FCPA
• Reasonable prudence to safeguard assets
• Accounting & Auditing Standards

Foreign Corrupt Practices Act (FCPA)
• §13(b)(2)(B)

Treadway Commission (COSO)
• Management Report

Sarbanes-Oxley (SOX, SourBox)
• §§302, 404

Page 21:

Privacy Security Duties

GLB
HIPAA
State Laws
• CA’s S.1386
International Law
• EU Data Protection Directive

Page 22:

Trade Secrecy

Valuable Intellectual Property under laws:
• Common Law & Rest. of Torts §757 & §758
• Uniform Trade Secrets Act
• Economic Espionage Act 1996

Generally Requires:
• Information
• Reasonable Secrecy Efforts
• Independent Economic Value

Page 23:

Internal Control Valuation Methods

Discounted Cash Flow
Options Valuation
Money Damages:
• Economic vs. non-economic; compensatory; special/consequential; lost profits; punitives
Scoring Methods, ordinal rankings …
Actuarial, Stochastic, Empirical
Decision Analysis
Game Theoretic

Page 24:

Internal Control Valuation Methods

Heuristic Techniques
Best Practices &/or Professional Duties, Reasonably Prudent Functional Management
Market Impact: event study, security prices
Information Markets: personal stakes consensus estimation pools – the “G”-word
Simulation
Materiality

Page 25:

Links Among SOX, T/S, Privacy, National Security

Legal duties for securing financial information are fragmented
• Would be less costly if harmonized

PIFI links to various financial accounts
• Receivables
• Banking-customer transaction “experience” info
• Payables & Liabilities
• Consumer credit
• Wholesale EFT

Page 26:

Links Among SOX, T/S, Privacy, National Security

ID Theft
• Costs: $800 avg. to cleanse, opportunity
• SSN conversion costs
• Quick financing requires robust PIFI Indus.
• Financial mgmt methods are T/S (BMP)

Vulnerabilities to terrorist financing

Financial System is THE Key infrastructure
• Maintains national economic security
• WTC attack was symbolic, physical target of financial system

Page 27:

Links Among SOX, T/S, Privacy, National Security

Trade secrets include:
• Customer lists, Market opportunities, Financial event history, Data broker PIFI data

HIPAA
• PIFI links to healthcare payment, billings, PII, credit cards, ssn, Insurance: private & Medicare/Medicaid, ER write-offs/overhead & grants

Page 28:

U.S. v. Gibson (W.D.Wa. 8.19.04) NO. CR04-0374RSM, 2004 U.S. Dist. LEXIS 20445

ID Theft by technician of leukemia patient during 1st bone marrow transplant @ Seattle Cancer Care Alliance 9.03

1st HIPAA Conviction, plea bargain:
• 16 mos prison & $15,000 restitution

Despite U.S. Sectoral Approach, Privacy Sectors Frequently Linked
• Healthcare workers enabled to ID & abuse vulnerability, Health Ins primary payor of healthcare expense

Page 29:

Links Among SOX, T/S, Privacy, National Security

Money Laundering Duties & Controls
• Protects financial services, national security, anti-smuggling goals, terrorist financing

Private Standards for ePmts
• VISA’s revised 6.30.05 compliance deadline

But NOT …

EX: Coke formula on paper has weak Nat’l Security link

Page 30:

Impact of the Reconciliation

There are Synergies in Control Investment

SourBox benefits are long term

Some Argue:
• Most low hanging (efficiency) fruit already picked
EX: JIT, supply chain, IT efficiency, outsource, finance, QC
• Now Internal Control is in the Limelight

Lobbying to Weaken SourBox is Highly Counter-productive to Privacy, Nat’l Security & IP

Page 31:

CyberForensics is Battleground for Resolution of Privacy vs. Security Conundrum

Must Supply eData in Most Litigation
Non-Responsiveness is Punished
Ignoring “Smoking Gun” is Failure
Venue (tribunal) often Determinative
• Criminal prosecutions, civil suits, ADR, regulatory investigation/hearing, internal investigation, 3d party sleuths

Evidence Gathering Constraints
• Litigation hold, chain of custody, authentication, foundation, spoliation, obstruction, cost balancing (Zubulake), adverse inference

Page 32:

Litigators’ Vision of EDD

“As a litigator, I will tell you documents are just the bane of our existence.
• Never write when you can speak…
• Never speak when you can wink.”†

Could update to:
• Never email when you can write
• never write when you can phone
• never phone when you can meet face to face
• Never speak when you can whisper
• Never wink when it’s understood

† Statement of Jordan Eth, Sarbanes-Oxley: The Good, The Bad, The Ugly, Nov. 10, 2005 panelist, hosted by the National Law Journal and Stanford Law School’s Center on Ethics, reprinted in Nat.L.J. at p.18 (Dec. 12, 2005)

Page 33:

Incentives to Conceal Evidence

Incentives of Litigating Parties to Produce Docs
• All parties have a disincentive to produce incriminating documents or reveal proprietary info or strategy
• Conflicting email incentives:
Erase if sensitive, erase to lower archiving costs, erase to avoid embarrassment, erase with higher archival costs
Save if exculpatory, save if potentially useful against others, save if legitimate business purpose to use later, save if easier than implementing regular & pervasive review for erasure policy under doc retention program; save with lower archival costs

Justice system effectiveness & fairness increases with access to all facts
• Expansive discovery arguably inefficient
• Litigation rules, spoliation sanctions & criminal obstruction penalty risks realign incentives to retain & produce docs

Page 34:

The Cost of EDD in US Court Cases

[Chart: EDD cost by year, 1999 to 2002; y-axis: US Millions, 0 to 300]

Page 35:

Consider HP’s Current Difficulties

Board or other leaks framed as security leaks
• Unlawful security leak of truthful, exculpatory, whistle-blowing, reveal fraud or wrongdoing?
• “Security” excessively vague: interpret more narrowly

Illegal or unethical investigatory means
• Pretexting under G/L/B vs. telecom privacy laws
• Internal Investigations Proliferating
• Third Party Service Providers

Will their methods be imputed to principal?

Page 36:

Obstruction of Justice EX: Nixon

Nixon investigated for obstruction
• Alleged role in cover-up of Watergate hotel break-in, 1972 re-election
• It appears he was aware after the fact & planned to pay hush money

Woods goes down in history as responsible for erasure of 18 1/2 minutes of crucial evidence before transmitted to Watergate investigators of Nixon impeachment effort

Page 37:

Obstruction of Justice: AA/Enron

AA was indicted, tried, convicted for obstruction when, as Enron collapsed, AA re-distributed document policy & employees proceeded to shred two tons of documents, but conviction reversed, 9-0, but too late

“‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.” Arthur Andersen LLP v. US, 125 S. Ct. 2129, 2135 (2005) (Rehnquist, C.J.)
• It’s OK to trigger shredding through a reminder enforcing document retention policy
• Not “corrupt” w/in Fed obstruction if doc destruction pursuant valid document retention policy.

Page 38:

Obstruction of Justice: Martha

6 mos in W Va but not for insider trading

Instead: obstruction of justice:
• Falsifying trading & phone records
• Heard from friend Sam Waksal, CEO of Imclone
• Martha allegedly sold Imclone stock on tip
• Falsification of documents was intended merely to create an explanation for what was a suspicious trade
• Martha’s actions made it more difficult to prove Waksal had also sold his stock in anticipation of negative news of the lack of FDA approval for Imclone's product.