Electronic Data Discovery of Electronically Stored Information: the Public Policy of CyberForensics A Uniquely American “Game” How EDD is Intended to Achieve.


1 Electronic Data Discovery of Electronically Stored Information: the Public Policy of CyberForensics A Uniquely American “Game” How EDD is Intended to Achieve Justice Implicates Electronic Records Management

2 What is EDD?
- Electronic Data Discovery, electronic discovery, e-discovery
- Process of seeking, locating, securing & searching electronic data, intending its use as evidence in various tribunals:
- E.g., internal investigations, regulatory enforcement, civil litigation, criminal prosecution
- An evolving field reaching well beyond the technology, raising legal, constitutional, political, security & privacy issues
- Many such issues remain unresolved
- EDD subfields: computer, network & cyberforensics
- Focusing on logs & files maintained on devices
- E.g., HD, servers, routers, switches, flash drives, PDAs, phones
- Files & logs include eMail, TM, IM, VM, files: text, images, calendar, databases, spreadsheets, audio, video, animation, Web sites, application programs, lists of sender, recipient, routing, metadata, malware (e.g., viruses, Trojans, spyware)

3 EDD Growth Facts
- Proliferation of electronic data
- Over 90% of business docs are created & stored electronically
- Lyman, Peter and Hal R. Varian, How Much Information, 2003, http://www.sims.berkeley.edu/how-much-info-2003
- Cohasset Study:
- “the majority of organizations are not prepared to meet many of their current or future compliance and legal responsibilities.”
- 46% of surveyed firms have no formal recordkeeping procedures
- 65% of firms do not include e-Docs among documents systematically retained
- Are Govt. Agencies, NGOs & Not-for-Profits worse?
- Under-served EDD opportunities are considerable

4 EDD Importance of eMail
- Est. 500K eMail msgs per second
- Replacing official correspondence
- Contracts enforceable in email
- Valid as offer or acceptance
- Can be validated, authenticated & attributed using electronic signatures, certificates, etc.
- Broad public expectations that email utility depends on freedom of expression, particularly in fast changing environments, despite async
- E.g., commodities or financial market price changes
- Replaces phone or F2F conversations

5 Some High Visibility EDD Cases
- MS, Gates’ IE Bundling impact on Netscape
- Zubulake v. UBS Warburg employment
- Morgan Stanley Perelman litigation
- Martha Stewart insider trading case
- Jack Grubman
- Citigroup/Salomon Smith Barney telecom analyst
- Types of leading cases & industry impact:
- Financial services, antitrust, securities law, employment, Pharmas

6 Discovery Begets Justice
- Most foreigners amazed at U.S. style litigiousness
- US defines individual rights broadly
- US justice system allows broad vindication
- Role of civil procedures to force transparency
- Discovery of embarrassing, exposing or incriminating evidence
- Is US strength derived from transparency?
- Simplistic: political & economic freedoms, cultural, historical, diversity, access to natural resources
- Is other nations' future strength drawn from their lack of transparency?
- EX: EU Data Retention Directive covers only ISP & TelCo data & only for Criminal, Counter-Terrorism

7 A Litigator’s Vision of Discovery
- “As a litigator, I will tell you documents are just the bane of our existence. Never write when you can speak. Never speak when you can wink.”
- Statement of Jordan Eth, Sarbanes-Oxley: The Good, The Bad, The Ugly, Nov. 10, 2005, on panel hosted by the National Law Journal and Stanford Law School’s Center on Ethics, reprinted in Nat.L.J. at p.18 (Dec. 12, 2005).
- Modern update:
- “Never type when you can write, never speak when you can whisper, never communicate when it's understood…”

8 EDD is a Game
- More EDD & ERM costs than if Target cheaply found the smoking gun
- But perceived costs if admissions avoided and this was undetected
- Natural reaction to hide misbehavior despite some evidence of leniency if forthright
- Less social costs of litigation if discovery could become more efficient
- Reduced societal pressure for reforms that eviscerate rights
- EDD requires Strategic Planning & cross-functional teams

9 Technology Advantages in Litigation
- Time saving
- Reduced cost
- EX: photocopying, review, coding
- Automated production of required docs
- Mechanizes Review:
- Quickly sift or manipulate info to discover patterns, inconsistencies & hidden issues
- Imposes planning & structure to manage information & case preparation

10 Non-Responsiveness is Punished
- Discovery Sanctions ordered against:
- Arthur Andersen, UBS Warburg, Morgan Stanley, Martha Stewart
- Legal Counsel sanctioned for encouraging non-responsiveness
- E.g., Rambus discovery sanctions: privilege lost
- Significant experience with hair-splitting
- Response is to broaden requests & include excessive granularity in detail
- Give us every document, letter, memo, email…

11 Ignoring a Smoking Gun Is Failure
- Litigating parties have incentive to do EDD “fishing expeditions”
- Huge discovery burdens incentivize EDD targets to settle
- Arguably lawyer malpractice not to pursue aggressive EDD
- Smoking guns are increasingly decisive
- Defendants have been successful with litigation & tort reforms focused on early case dismissal before incurring these huge discovery costs
- EX: ’95 PSLRA’s Automatic Stay of Discovery

12 The Cost of EDD in Court Cases (US) (chart; axis: US Millions)

13 12.1.06: new FRCP are CyberForensics Watershed
- Recognition of EDD, ESI, ERM
- New Processes still Needed
- FRCP is Model for all ESI Processes in Range of Tribunals
- Criminal
- Civil
- Regulatory
- Congressional Watchdog Committees
- Internal Investigations
- SROs
- ADR
- Counter-Terrorism, eSurveillance, Intelligence

14 Electronically Stored Information (ESI)
- Undefined explicitly
- Nevertheless generally understood as:
- information created, manipulated, communicated, stored, & optimally used in digital form
- Requires use of computer & software
- ESI distinguishable from “conventional” or analog records
- E.g., writing/typing/printing stored on paper, images printed on paper, analog photographic images, analog sound or video recordings, microfilm …

15 Electronic Evidence
- Computer actions: electronic traces from email, invoices, viruses, hacker attacks, web activity, communications
- Network Log data
- Personal device log data
- Includes Actual Content, Attachments &/or Meta Data
- Meta Data can provide the audit trail contained in log files, meta data (descriptions or properties of data-files or email)
- Business records open to pre-trial discovery
- U.S. adversary system permits preparation for trial by accessing facts relevant to case, if held by opponent or 3d parties

16 Pre-Trial Investigation
- Conducted both pre/post filing
- Private Investigators
- Traditional & electronic sleuthing constrained by privacy, eavesdropping, wiretap, etc.
- Factual & witness (informal) discovery
- Consensual interviews
- Search experts
- Internal investigations
- Game theoretic & strategic considerations

17 Pre-Trial Discovery
- Act or process of finding or learning something that was previously unknown
- Right of all litigants in the U.S.
- Compulsory disclosure, at any opposing party's request, of information that relates to the litigation
- Limits:
- Limits imposed given long history of intentional & harassing burden imposed on opposing parties
- But, such limits not intended to assist discovery target in hiding relevant information

18 Discovery Process
- Litigants request information from the opposing party relevant to issues raised in claims and defenses
- Traditionally:
- Interrogatories
- Depositions
- Examination
- Production of Documents

19 Continuing Role of Traditional Discovery
- Interrogatories may still be useful:
- Requesters may query about:
- Repositories of printed docs
- ESI existence, custodians, formats & locations
- Interrogatories must be answered accurately & completely
- Potential challenge to inventory exhaustively
- EX: portable storage devices, PDAs, laptop computers, cellphones, iPods, flash memory devices (thumbdrives)
- But, more cooperation now required

20 Definitions of Computer Forensics
- “The application of computer investigation and analysis techniques in the interests of determining potential legal evidence.”
- “The science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.” (FBI)
- The discovery, recovery, preservation & control of digital data or documents
- Analysis, verification and presentation of eVidence in court & internal investigations

21 Computer/Network Forensics
- Forensics: search for eVidence by file content analysis, meta-data, logs & expensive erasure recovery techniques
- EX: post-erasure shadow may remain of un-erased magnetic filings, even after repeated overwrites
- Targeting electronic devices:
- computers, cell phones, PDAs, voice-mail, servers, disks, zip drives, backup tapes
- Targeting communications:
- email, Internet transmissions, IM, chat rooms, listservs, usenet groups

22 Locations for the Recovery of eVidence: Data Repositories
- Network Workstations and Laptops
- File Servers, Shared Drives
- Application Servers, Enterprise Applications
- EX: Peoplesoft, SAP
- Home or Offsite Computing
- Paper Documents, Current office long term storage
- Diskettes, DVDs, CDs, Portable Storage Devices
- Backup media tape
- Network Email servers
- Mobile Devices, Blackberry, Palm, Pocket PC
- Instant Message

23 Locations for the Recovery of eVidence
- Computer files & meta data
- Recycle Bins, including dates of deletions
- Backup tapes & other archives
- Logs & cache files
- Slack & unallocated space
- Email, copies to self, forwarded messages, and deleted messages folders
- SWAP files: a memory expanding feature that downloads data from main memory to a temporary storage area on PC
- 3rd Party Providers, i.e., ISPs

24 What Forensics can Find
- Computer forensics can reveal what users have done on the network:
- Theft of trade secrets, intellectual property, and confidential data
- Defamatory or revealing statements in chat rooms, usenet groups, or IM
- Sending of harassing, hateful, objectionable email
- Downloading criminally pornographic material
- Downloading & installing unlicensed software
- Online gambling, insider trading, solicitation, drug trafficking
- Which files accessed, altered, or saved

25 Consequences for Failure to Comply with Discovery
- Cannot destroy what is expected to be subpoenaed
- Procedural law in federal & state courts requires compliance with discovery requests
- Risks of non-compliance
- Spoliation
- Obstruction of Justice

26 Spoliation
- Tort: interference with or destruction of evidence
- Defense to tort
- Adverse Evidentiary Inference or Presumption: unable to prove case because of destruction
- Discovery Sanction
- P&G sanctioned $10,000 for not saving email communications of 5 key employees P&G ID’d
- Default Judgment
- Employees knowingly destroyed documents

27 Obstruction of Justice
- Definition: crime of offering interference of any sort to the work of police, investigators, regulatory agencies, prosecutors, or other (usually government) officials
- Often, no actual investigation or substantiated suspicion of a specific incident need exist to support an obstruction charge
- EX: Arthur Andersen, Enron, Martha

28 Admissibility of Evidence
- Relevance, materiality & (in)Competence
- Authentication (proof justifying proof)
- Chain of Custody
- Hearsay
- Business Records
- Privileges
- Expert witnesses & scientific evidence

29 Exemptions for Privileged Info
- Privileges intended to encourage free flow of info within certain preferred relationships
- Frank disclosure needed for service adequacy would otherwise not be forthcoming, or would be deterred in future
- Protects privacy of client or beneficiary of relationship
- Some Privileges:
- Primary: Attorney-Client & Work Product
- Others: Spousal; Professional Privileges (Doctor-Patient; PsychoTherapist-Patient; Clergy-Penitent); News Reporter & Source; State Secrets (military, diplomatic); Executive; Agency; Law Enforcement; Required Reports (Pentagon Papers, Watergate, Ollie North); Confidential Informant; Self-Incrimination; Self-Evaluation

30 Challenge of Deleting eMails
- As with most files in typical OS
- Deleting only marks the space for possible overwriting later
- eMail & other files remain un-erased in various repositories
- EX: recycle bin, trash, server of client, network or recipient(s), recipient(s) PCs, backups of all the above, printouts, & forwarded recipients & servers
- Law recognizes NO higher expectation of privacy for eMail

31 Recovering Deleted eMail
- Recoverable deleted files are discoverable
- Must show factual basis that email existed
- Must show feasibility of un-deleting
- Expert's affidavit may be required
- Recovery often ordered after discovery target fails to produce eMail printouts
- Metadata discoverable if printouts omit dates, editing, or tampering apparent
- Must demonstrate reasonable basis of suspicion
- Mere conjecture insufficient, some evidence required

32 Who Conducts Deleted eMail Retrieval?
- Requesting party usually prohibited direct access
- Confidentiality & privilege barriers to examination of irrelevant matters
- Requesting party representative sometimes present & may help design search method
- Safeguards: Mirror image of HD made
- Target’s attorney searches imaged HD, filters confidential info, then produces only responsive info
- Increasingly, Neutral Third Party service provider used if production is complex or extensive

33 Hard Disk Drive Storage

34 Contiguous File #1

35 Contiguous File - Additional File #2

36 Addit’l Contiguous Files #3, 4 & 5

37 Addition to Existing File #3

38 Addition to Existing File #1

39 Deleted File #2

40 New File #6 Added

41 Where is Potentially Over-writable Slackspace?
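The allocation sequence on slides 33 to 41 survives here only as slide titles, so the following added example (not part of the original presentation) replays it on a toy disk to show where a deleted file's bytes remain. Cluster size, disk size, file names, file sizes and the first-fit allocation policy are assumptions chosen for readability; real file systems differ in detail.

```python
# Added illustration: a toy cluster allocator replaying slides 34-40.
# CLUSTER, N_CLUSTERS, the file sizes and first-fit allocation are assumptions.
CLUSTER = 8        # bytes per cluster (tiny on purpose)
N_CLUSTERS = 12    # clusters on the toy disk


class ToyDisk:
    def __init__(self):
        self.data = bytearray(b"." * CLUSTER * N_CLUSTERS)  # '.' = never written
        self.owner = [None] * N_CLUSTERS  # allocation table: cluster -> file name
        self.chain = {}                   # file name -> ordered list of clusters
        self.size = {}                    # file name -> logical length in bytes

    def _free(self):
        return [i for i, o in enumerate(self.owner) if o is None]

    def write(self, name, payload):
        """Create a file or append to it, taking the first free cluster as needed."""
        chain = self.chain.setdefault(name, [])
        used = self.size.get(name, 0)
        for byte in payload:
            if used == len(chain) * CLUSTER:   # last cluster is full
                nxt = self._free()[0]          # first fit (IndexError if disk full)
                self.owner[nxt] = name
                chain.append(nxt)
            pos = chain[used // CLUSTER] * CLUSTER + used % CLUSTER
            self.data[pos] = byte
            used += 1
        self.size[name] = used

    def delete(self, name):
        """Deleting only releases the clusters; their bytes are left in place."""
        for c in self.chain.pop(name):
            self.owner[c] = None
        del self.size[name]

    def slack(self, name):
        """Bytes between end-of-file and the end of the file's last cluster."""
        last = self.chain[name][-1]
        used = self.size[name] % CLUSTER or CLUSTER
        return bytes(self.data[last * CLUSTER + used:(last + 1) * CLUSTER])

    def unallocated(self):
        """Content of every cluster the allocation table lists as free."""
        return {c: bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                for c in self._free()}


def replay():
    d = ToyDisk()
    d.write("file1", b"1" * 10)    # slide 34: contiguous file #1
    d.write("file2", b"2" * 16)    # slide 35: additional file #2
    d.write("file3", b"3" * 5)     # slide 36: files #3, #4 and #5
    d.write("file4", b"4" * 8)
    d.write("file5", b"5" * 8)
    d.write("file3", b"3" * 6)     # slide 37: file #3 grows and fragments
    d.write("file1", b"1" * 8)     # slide 38: file #1 grows and fragments
    d.delete("file2")              # slide 39: file #2 deleted
    after_delete = d.unallocated() # file #2 is still fully readable here
    d.write("file6", b"6" * 11)    # slide 40: new file #6 reuses the freed clusters
    return d, after_delete


if __name__ == "__main__":
    disk, after_delete = replay()
    print("unallocated after delete:", after_delete)
    print("file6 clusters:", disk.chain["file6"])
    print("file6 slack (residue of file2):", disk.slack("file6"))
```

In this model file #6 overwrites only part of what file #2 occupied, so the tail of file #2 sits in file #6's slack space and stays there until file #6 grows or is itself replaced.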

42 Electronic Records Management (ERM)
- ERM is the "systemic review, retention, & destruction of documents received or created in the course of business"
- Broad range of policies, procedures & classification schemes
- Doc retention: really destruction schedules
- ERM policies can reduce EDD costs
- Can reduce costs to supply information requests if promptly found, preserved & protected against accidental deletion
- Disruptions avoided

43 Regulated ERM by Industry Sector
- IRS
- SEC, CFTC
- EPA
- EEOC
- DOD
- Banking
- Healthcare
- Government

44 ESI Discovery Team
- In-House Counsel
- Outside Legal Counsel
- Outside ESI Vendors
- CIO
- General Counsel
- Enterprise Functional Units Engaged in the Litigation
- IT Managers

45 2006: Outsourcing ERM, EDD, etc.
- 71% of corps had litigation costs over $1 mil/yr
- Excludes settlements or judgments
- 40% had litigation costs over $5 mil/yr
- Excludes settlements or judgments
- Half of U.S. firms surveyed use 3d P EDD vendors
- Assist in collection, identification, verification, recovery & production
- 30% of U.S. firms use outside legal counsel with special technical EDD/CyberForensics expertise
- EDD vendors had revenues of nearly $2 bill., 50% higher than 2005
- $130 mil. was spent on forensic software, data recovery & production
- Service Level Commitments (SLC) are key
- Source: Socha-Gelbmann Electronic Discovery Survey: http://www.sochaconsulting.com/2007/survey.htm

