
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course Technology Computing Conference

DESCRIPTION

Presenter: Amelia Phillips, Highline Community College

E-discovery is defined as “gathering electronically stored information (ESI) for use in litigation”. At first glance, this appears to be a straightforward statement, but upon further examination one finds that it encompasses a broad range of items. Over 90% of documents produced by companies now are electronic. Older paper files have been converted to microfiche or PDF files. Add to this email, text messages, and social media (yes, even the IRS has a Facebook page) and you have an idea of the amount of information that becomes this new term called “Big Data”. Terabytes of data will soon become petabytes of data. Are we ready? Are our students prepared for this new era?

E-Discovery is a field that affects not only the lawyers but also the IT support staff and how companies do business. In this talk you will be introduced to some of the new technology in the field, such as predictive coding, forensic linguistics, and social media archiving. You will also be shown some of the new tools on the market that you can use in your classrooms to prepare your students and yourself for this fast-evolving arena.

What does a company need to do when a litigation hold is in place? What response needs to come from the legal staff, the IT support staff, the managers, and the average employee? How does this affect the BYOD (Bring Your Own Device) policies? Which comes first: employee privacy, freedom of information, or corporate security?

You will walk away from this talk with a methodology to incorporate this new topic into your curriculum. You will also be given ideas of how to make this affordable for your labs, what foundations your students need, and how to deliver this in a way that appeals to the business, IT, or legal oriented student. This topic affects them all. Come and find out why this is something they need to be successful in tomorrow's market.

Page 1: E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course Technology Computing Conference

E-Discovery: How do Litigation Hold, BYOD, and Privacy affect you?

By Amelia Phillips, PhD
Chair, Pure & Applied Science Division
CIS and Computer Science Departments
Regional Director PRCCDC
Highline Community College
Seattle, WA

Page 2

Agenda

• Define E-Discovery
• The challenge ahead
• Who does this affect?
• Privacy or corporate security
• Current tools
• New technology

Page 3

Defining E-Discovery

• “gathering electronically stored information (ESI) for use in litigation”
• Discovery happens daily and is the compulsory disclosure of data, facts and documents in civil and criminal cases.
• Legal counsel generally exists on both sides from the beginning

Page 4

Whose Perspective?

Page 5

Who needs to know about e-discovery?

Information Governance Reference Model

© edrm.net

Page 6

Potential Students / Target Audience

• IT / CIS Students
• MIS Students
• Paralegals
• Business Managers
• Production Managers

Page 7

Litigation Hold – what does that mean?

• If a litigation hold is in place
  – Backups cannot be overwritten or deleted
  – Physical files cannot be shredded
  – Files cannot be deleted
  – What happens to the BYODs?
• Corporate policies need to be in place
  – Educate the employees

Page 8

Tools of the Trade

Page 9

E-Discovery Tools

• Concordance
• Discovery Assistant by IMAGEMaker
• @LegalDiscovery
• Catalyst CR
• AD Summation iBlaze
• Nextpoint Discovery Cloud
• Sherpa Software Discovery Attender
• And more

Page 10

Discovery Attender

Page 11

Finding email

Page 12

Choose Search Criteria

Page 13

Search Results

Page 14

Reverse Funnel Method

Page 15

De-Duping

Page 16

Email, Social media and Privacy

Page 17

Why action was needed NOW

• Clandestine affair
• Sharing a login on Gmail but never transmitting
• Cyberstalking and threats

HICSS44

Page 18

Resulted in the following:

• 2 Generals implicated
• Over 30,000 documents, most of which were email, examined
• Exposed that Google had responded to over 7,000 requests from the US government from January to June 2012

Page 19

Google Transparency Report

• Requests from governments
  – 2009: ~12,000
  – 2012: over 21,000
• U.S. certainly highest
• India
• U.K.

Page 20

What ever happened to the 4th Amendment?

Page 21

ECPA

• Electronic Communications Privacy Act
• Created in 1986
• PCs were in their infancy
  – Hard drives were 10 to 20 MB
  – Easy drive at 60 MB was the largest in 1988
  – Files were 10 to 20 KB
  – Email was at a premium

Page 22

ECPA lists as violations:

• Accessing a computer or network without authorization or by exceeding authorization
• Accessing a computer or network to collect financial information, credit information, or other information from a government computer or any protected computer
• Making a computer or network unavailable for its intended use by a department of the U.S. government or another entity

Page 23

ECPA (more violations)

• Transmitting programs, information, codes, or commands to intentionally cause harm or damage to networks or computers
• Accessing information on a computer or network to commit fraud or cause damage, whether intentionally or as a result of reckless actions
• Intentionally obtaining and trafficking in passwords
• Threatening harm to a computer or network for use in extortion or a similar practice

Page 24

SCA

• Stored Communications Act
• Supplements ECPA
• Offense.— Except as provided in subsection (c) of this section whoever—
  (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
  (2) intentionally exceeds an authorization to access that facility;
  and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

Page 25

The Catch

• Existing Law:
• 180 days old – considered abandoned

No warrant!

Page 26

Online email and storage

• Gmail
• Yahoo mail
• Dropbox
• SkyDrive
• Google docs
• Google+

Page 27

Social Media

• Facebook
• MySpace
• Twitter
• What laws apply here?

Page 28

Social Media Archiving

• ArchiveSocial – compliant with
  – FINRA – Financial Industry Regulatory Authority
  – SEC – Securities and Exchange Commission
  – FOIA – Freedom of Information Act
  – FRCP – Federal Rules of Civil Procedure
  – SOX – Sarbanes-Oxley
• Other software
  – Actiance
  – X1 Discovery
  – Patrina Corporation
  – Reed Archives

Page 29

BYOD, BYOA – whose line is it anyway?

Page 30

Mobile Devices

• Interconnected far beyond imagined
• Business owner
  – Cell phone
  – Business computer
• One device compromised
  – Have everything

Page 31

Who knows where you are?

• Someone logs in at a coffee shop
  – Shows up on their Facebook
  – Shows up on their Twitter
• U.S.-based companies spend over $2 billion annually for such demographics
• What are your rights?

Page 32

EU Privacy Laws

• 24-year-old Austrian law student
  – Asked for his Facebook history
  – Over 1200 pages long!
  – Included items he
    • Never posted
    • Had deleted
• “Europe has come to the conclusion that none of the companies can be trusted,” said Simon Davies, the director of the London-based nonprofit Privacy International. “The European Commission is responding to public demand. There is a growing mood of despondency about the privacy issue.” (Sengupta, 2012)

Page 33

BYOD

• The term Bring Your Own Device (BYOD) has become common in the language today.
• Includes cell phones, smart phones, BlackBerry devices, palmtops, laptops, iPhones, iPads and items that are still to be invented.
• Are they part of a litigation hold?
• Does the employee have the right to delete their personal information?

Page 34

BYOD (cont’d)

• Issued by and paid for by the company
• Purchased and paid for by the employee
• Purchased and paid for by visitors
• Purchased and paid for by patients
• And where is the information stored?

Page 35

BYOD (part 3)

• The voicemail is stored on the servers of the provider
• Text messages are saved on the device
• Voicemail can be stored on some smart phones
• Email is stored with the email server whether it be Yahoo, Gmail, or corporate server
• File attachments could be located on the corporate servers, on the cloud or home machine.

Page 36

Mobile devices and the Law

• Computers as closed containers
• U.S. v. Reyes in New York 1996
  – Privacy of data on a pager
• United States v. Knotts and United States v. Karo
  – U.S. Supreme Court
  – Tracking devices
  – On public street or in private dwelling

Page 37

Case Law on cell phones

• Ohio State Supreme Court
  – 2009
  – Warrant needed to search a cell phone
• Oregon State Supreme Court
  – Schlossberg v. Solesbee
  – 2012
  – Search incident to arrest

Page 38

Search incident to Arrest

Page 39

New Proposed Law

• Online Communications and Geolocation Protection Act (OCGPA)
• Before the House in March 2013
• GPS
• Warrant for all electronic messages regardless of age
• Just approved this week in the Senate Subcommittee

Page 40

IRS Facebook

Page 41

Tax Fraud Pioneer

• Lady boasted on her Facebook about her and her partner’s tax fraud
• Pictures of how much money they had made
• 57 counts of tax fraud

Page 42

Social Media and Investigations

• Can a company require that you make them a friend before they hire you?
• Can a company force you to give them your username and password on Facebook or MySpace to get a rating?
• Can conversations on social media be used against you?
• Can such exchanges hold up in court?

Page 43

New Technology

Page 44

Forensic Linguistics

• International Association of Forensic Linguists
• Look for variations in the way things are phrased, cadence, etc.
• Very effective in spotting fraudulent documents

Page 45

Dealing with Multinational Corporations

• Every country must deal with email, mobile business and devices, data, ecommerce, BlackBerries, and PDAs
• Privacy laws vary from country to country.
• Chain of custody
• Qualifications of examiners
• Process and procedure

Page 46

Case proposed by John Barbara

• Unique law enforcement concerns regarding the location of potential digital evidence, its preservation, and its subsequent forensic analysis.
• For instance, if a customer or business becomes the target of a criminal investigation, they could migrate their working environment to a cloud environment.
• This would provide a means for the business to continue its routine operations while the migrated environment is forensically analyzed.
• However, this is not without risk. The migrated data only represents a “snapshot” of when it was sent to the cloud.

Page 47

JJ Barbara (slide 2)

• Since the data can be stored anywhere in the world, its dispersal could be to a location or country where privacy laws are not readily enforced or non-existent.
• Establishing a chain of custody for the data would become difficult or impossible if its integrity and authenticity cannot be fully determined (where was it stored, who had access to view it, was there data leakage, commingling of data, etc.).

Page 48

JJ Barbara (slide 3)

• There are also potential forensic issues when the customer or user exits a cloud application.
• Items subject to forensic analysis, such as registry entries, temporary files, and other artifacts (which are stored in the virtual environment) are lost - making malicious activity difficult to substantiate:

Page 49

George Lawton’s Opinion

• Over time, it's expected that clouds will contain more and more evidence of criminal activity.
• The NIJ recently revealed plans to fund research into improved electronic forensics in several areas, including the cloud.
• Cloud providers and customers need to set up their infrastructures to meet these lawful requests or face fines and other legal repercussions.
  – do so without violating local privacy laws or accidentally giving away competitive secrets.

Page 50

Lawton (slide 2)

• The demands of cloud forensics could prove costly as lawsuits and investigations become more complex.
• A 2009 study by McKinsey & Company
  – electronic discovery requests were growing by 50% annually.
  – Growth in e-discovery spending from $2.7 billion in 2007 to $4.6 billion in 2010, according to a Socha Consulting LLC survey.

Page 51

Lawton (slide 3)

• The U.S. government has also attempted to expand the scope of data that can be lawfully requested without a warrant through a National Security Letter (NSL).
• In August, the Obama administration requested to add "electronic communication transaction records" to the data included in an NSL,
  – Require providers to include the addresses a user has emailed, the times and dates of transactions, and possibly a user's browser history.
  – Have to ensure that the provider's infrastructure can deliver on these requests in a timely manner.

Page 52

Lawton (slide 4)

• "Cloud forensics is difficult because there are challenges with multi-tenant hosting, synchronization problems and techniques for segregating the data in the logs,"
• "Right now, most of the cloud service providers are not open to talking about this because they don't know the issue."

Page 53

Privacy Laws

• USA citizens take the expectation of privacy for granted
• Privilege “according to UK common law … allows a person to refuse to testify on a matter or to withhold information”
  – Includes self incrimination
  – Legal counsel privilege
  – Statements made without prejudice
• China and Japan (and other non-English speaking nations) have laws that are significantly different

Page 54

Objectives of any Investigation

• That evidence obtained can hold up in court
• That the examiner can hold up under scrutiny

Page 55

The Expert

• What qualifies a person as a digital forensic expert?
• The qualifications of the person examining the evidence should be easily identifiable in all parts of the world
• On the international front, many use vendor certifications.
• In the US, several states - against the resolution of the American Bar Association (ABA) - instituted requirements that all computer forensics investigators be licensed private investigators.

Page 56

The Expert (cont’d)

• “Is it a state or federal matter to qualify digital investigators?”
• The global economy and international crime require an international standard that is beyond the boundaries of vendor certification
• The ISFCE has created certifications which are accepted in many countries.
• SANS has created a body of knowledge that constitutes what is needed for a person qualified in the field.

Page 57

New ISO standard

• ISO 27037:2012
• October 2012
• Digital Evidence First Responder (DEFR) as the one who collects the evidence, chain of custody, and storage of digital evidence
• Gives guidelines for transmission of ESI

Page 58

Technology and E-evidence

• Email investigations
  – Whose server are things located on?
  – How was it transmitted?
  – When is a wiretap law needed?
  – When are you dealing with stored messages?
  – How to put laws in place that address these issues is another challenge.

Page 59

Technology and E-Evidence

• Cloud-based electronic discovery tools might help to keep these costs down.
• Companies including Orange, Autonomy, Clearwell and Kazeon have launched hosted services for collecting, preserving and analyzing digital evidence.
• Gartner research director Debra Logan said she expects that many corporations will start investing in e-discovery infrastructure and that, by 2012, companies without this infrastructure will spend 33% more to meet these requests.

Page 60

What laws affect what you do?

Page 61

DEMO of Law database

Page 62

Page 63

Summary

• E-discovery is here to stay
• New challenges
• Affects legal, business, and IT students / professionals alike
• Needs to become part of the curriculum
• Global issue

Page 64

Questions?

Page 65