Impact of Revised Federal Rules on CyberForensic Practice

Watershed for all CyberForensics?
What will be FRCP’s Impact Beyond Jurisdiction of Federal Civil Litigation Rules?
Some Litigators’ Vision of Discovery
• “As a litigator, I will tell you documents are just the bane of our existence. Never write when you can speak. Never speak when you can wink.”
– Statement of Jordan Eth, Sarbanes-Oxley: The Good, The Bad, The Ugly, Nov. 10, 2005, on panel hosted by the National Law Journal and Stanford Law School’s Center on Ethics, reprinted in Nat. L.J. at p. 18 (Dec. 12, 2005).
• Modern update:
– “Never type when you can write, never speak when you can whisper, never communicate when it’s understood…”
12.1.06 FRCP is CyberForensics Watershed
• Recognition of EDD, ESI, ERM
• New Processes Needed
• Costs & Burdens Recalibrated
• FRCP is Model for all ESI Processes in Range of Tribunals
– Criminal
– Civil
– Regulatory
– Congressional Watchdog Committees
– Internal Investigations
– SROs
– ADR
– Counter-Terrorism, eSurveillance, Intelligence
FRCP as Watershed
• Consciously balance EDD costs
• Reinforces attorney-client and attorney work
product privileges in certain ESI
• Clarify requester’s right to prefer some ESI forms
– e.g., native format with meta-data intact
• Clarify when the target’s duty arises to preserve
ESI following a “litigation hold” by providing a
“safe harbor” from spoliation sanctions
• Elevates electronic records management (ERM) by compressing EDD schedule so most firms must plan for EDD before litigation by:
– inventorying and monitoring all ESI
– designating EDD teams
– informing litigators about ESI repositories
– generally adopting ERM best practices, ex ante
• May result in standardized discovery protocols
Some of the Major FRCP Revisions
• Cooperation
• Planning
• ESI emerges
• Privilege Preservation
• Pace Quickens
– Are all litigators sufficiently tech savvy?
• ERM ubiquity predictable
• 3d P Service Providers
– Essential for expertise
– Essential for scalability & work capacity
New Federal Rules
• U.S. Judicial Conference developed &
approved
– Public comment
– U.S. Supreme Court approved
– Congress failed to change, effective 12.1.06
• Revisions address some abuses in
obfuscation and destruction of evidence
– Truncates pre-trial motion delays with
mandatory EDD planning
– Clarifies discoverable electronic forms of
information
– Strikes new balance in the burdens of EDD
Electronically Stored Information - ESI
• Not explicitly defined in the amended FRCP (effective 12.1.06) or in the official Committee Notes
• Nevertheless generally understood as:
– information created, manipulated,
communicated, stored, & optimally used in
digital form
– Requires use of computer & s/w
• ESI distinguishable from “conventional”
or analog records
– E.g., writing/typing/printing stored on paper,
images printed on paper, analog photographic
images, analog sound or video recordings,
microfilm …
ESI
• Should now more clearly include
info targets frequently resisted
producing:
– Content & meta-data of word-processed
docs, various formats
– spreadsheets,
– e-mail including attachments,
– instant messages (IM),
– Voice-over Internet Protocol (VoIP),
– personal data assistants (PDA) storage,
– most other databases of
Continuing Role of Traditional Discovery
• Interrogatories may still be useful:
– Requesters may query about:
• Repositories of printed docs
• ESI existence, custodians, formats &
locations
– Interrogatories must be answered
accurately & completely
– Potential challenge to inventory
exhaustively
• EX: portable storage devices, PDAs, laptop computers, cellphones, iPods, flash memory devices (thumbdrives)
• But, more cooperation now required
Cooperation & Planning
• Scoping, protocol & planning of EDD
• Rule 16(b) requires parties to meet quickly
following filing of complaint
• Must negotiate discovery scope
– Within 120 days of service of complaint
– Protocol agreed upon on scope of EDD
• Practical effects:
– litigators must quickly understand IT environment of
their clients & of opposing parties
– Inform protocol design
• Protocol uniformity likely
– de facto EDD standards may emerge
• Intended to diminish expense of delaying tactics
– EX: motions to compel, counter motions to resist
– EX: Zubulake & Rambus litigation
– Short time to issue RFPs for:
• EDD &/or litigation support service providers
• Should establish service level commitments (SLC) &
metrics ex ante
• Manage requests, collection, review & production
Cost Balancing
• 2 tiered cost balancing: accessible & non-accessible
– Targets shoulder costs of providing “accessible” ESI
• When responsive to a proper request and relevant to litigated
issues
– Production costs borne by requester for “not readily
accessible” ESI
• Requesters may challenge target’s inaccessibility designation
• Process:
– 1st requester makes demand
– 2nd implicitly target must understand ESI accessibility to
reply
– 3rd denial empowers requester to file a motion to compel
production
– 4th target must provide detailed proof that ESI production
would impose an undue burden
• Target’s resistance is legitimately justifiable only when informed by an accurate ESI inventory
• Inaccessible ESI must still be preserved until litigation hold is
released such as following litigation & appeals
Form of ESI Production
• Form of ESI produced may
– impose greater search costs &
– hide potentially relevant metadata
• Revised FRCP attenuates contention
– Requesting party may choose format
• Facilitate search & review
• May seek native formats w/ metadata
– EX: track changes metadata may reveal revision authors & dates, deleted concessions, compromises, faux pas.
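As an added illustration (not from the slides) of why a requester prefers native format with metadata intact, the following Python builds a constructed minimal .docx in memory and extracts the core-property authorship fields plus the tracked-change authors, dates and deleted text that a printout or PDF conversion would hide. All names, dates and dollar figures in the sample are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside the OOXML package (WordprocessingML and Dublin Core)
NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample: a minimal .docx package with core properties and one
# paragraph carrying a tracked deletion and a tracked insertion.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:creator>Alice Example</dc:creator>
  <cp:lastModifiedBy>Bob Example</cp:lastModifiedBy>
  <dcterms:created>2006-11-01T09:00:00Z</dcterms:created>
  <dcterms:modified>2006-11-30T17:45:00Z</dcterms:modified>
  <cp:revision>7</cp:revision>
</cp:coreProperties>""".format(**NS)

DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{w}"><w:body><w:p>
  <w:r><w:t>We offer to settle for </w:t></w:r>
  <w:del w:id="1" w:author="Bob Example" w:date="2006-11-30T17:40:00Z">
    <w:r><w:delText>$2,000,000</w:delText></w:r></w:del>
  <w:ins w:id="2" w:author="Bob Example" w:date="2006-11-30T17:41:00Z">
    <w:r><w:t>$1,000,000</w:t></w:r></w:ins>
  <w:r><w:t>.</w:t></w:r>
</w:p></w:body></w:document>""".format(**NS)


def build_sample_docx() -> bytes:
    """Return the constructed sample as .docx bytes (a zip container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def extract_revision_metadata(docx_bytes: bytes) -> dict:
    """Collect authorship properties and tracked changes from a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        doc = ET.fromstring(zf.read("word/document.xml"))
    props = {}
    for tag in ("dc:creator", "cp:lastModifiedBy", "dcterms:created",
                "dcterms:modified", "cp:revision"):
        el = core.find(tag, NS)
        props[tag.split(":")[1]] = el.text if el is not None else None
    changes = []
    for kind in ("ins", "del"):  # w:ins = insertion, w:del = deletion
        for el in doc.iter(f"{{{NS['w']}}}{kind}"):
            text_tag = "w:t" if kind == "ins" else "w:delText"
            text = "".join(t.text or "" for t in el.iterfind(f".//{text_tag}", NS))
            changes.append({"kind": kind, "text": text,
                            "author": el.get(f"{{{NS['w']}}}author"),
                            "date": el.get(f"{{{NS['w']}}}date")})
    return {"properties": props, "tracked_changes": changes}


if __name__ == "__main__":
    report = extract_revision_metadata(build_sample_docx())
    print(report["properties"])
    for c in report["tracked_changes"]:
        print(f"{c['kind']:3} by {c['author']} at {c['date']}: {c['text']!r}")
```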
Safe Harbor
• Lost, unrecoverable from regular business
process
• Documents destroyed after litigation hold
– Imposes preservation duty
– Exposes target to spoliation &/or obstruction
• New FRCP permit limited safe harbor
– ESI lost, overwritten or otherwise unrecoverable
– If done as part of regular business practice of
document destruction
– Further enhances 3d P Services Opportunities
• Litigation support
• EDD service providers
• Improve document destruction practices expected
Clawback
• FRCP Rule 26(b)(5)(B) enables the target to
retrieve privileged information inadvertently
disclosed
– Optional procedure retroactively asserting
privilege after inadvertent production
• Clawback Agreements - parties may agree
that privileged or protected (trade secret)
information inadvertently produced during
quick paced eDiscovery must be returned or
destroyed & w/o waiving privilege
Clawback under FRCP Rule 26(b)(5)(B)
• Information Produced. If information is produced in
discovery that is subject to a claim of privilege or of
protection as trial-preparation material, the party
making the claim may notify any party that received
the information of the claim and the basis for it. After
being notified, a party must promptly return,
sequester, or destroy the specified information and
any copies it has and may not use or disclose the
information until the claim is resolved. A receiving
party may promptly present the information to the
court under seal for a determination of the claim. If
the receiving party disclosed the information before
being notified, it must take reasonable steps to
retrieve it. The producing party must preserve the
information until the claim is resolved.
Privileges
• Encourage free flow of info in certain
preferred relationships
• Protects privacy of client or
beneficiary of relationship
• Instrumental Justification (Professions):
– Frank disclosure, needed for adequate service, would not be forthcoming without the privilege
Attorney-Client Privilege
• Since Elizabeth I (1533-1603)
• party seeking the protection is an actual or prospective client; can be a corporation (management must assert)
• communication must be between client
and an attorney acting as counsel
– privilege protects communications to and
from attorneys
– communications with attorneys’ agents
– communications conveying advice of counsel
– Third party communications (e.g.,
consultants) generally not protected, unless
consultant retained directly by
Attorney-Client Privilege
• communication made in confidence
– Not before 3d Ps
– "Public" communications not protected
• purpose of communication must be to
secure or provide an opinion of law or
legal assistance
– protects legal advice and factual information
communicated to receive legal advice
– privilege does not protect underlying facts,
business or other non-legal advice.
• privilege must be asserted - does not automatically attach
– claimed at the time of demand by 3d P
Attorney-Client Privilege
• Privilege belongs to corporation, not to
individual managers or employees
– Corporation can waive privilege over individual employees’ objections
• Privilege easily lost or "waived" by
disclosures to third parties
– E.g., voluntary disclosure - in response to
interrogatories or subpoenas
– Involuntary or accidental disclosure
• Crime Fraud Exception
– Client gives atty criminal evidence or atty
knows of future criminal plans
Attorney Work Product Privilege
• Protects materials prepared by a
lawyer in preparation for trial from
being seen and used by the
adversary during pre-trial discovery
or @ trial
– Reflecting legal opinions or strategy
– Records prepared in anticipation of
litigation
– Divulge an attorney's theory of a case
– Divulge litigation strategy
Spousal Privilege
• Valid Marriage under Law
• Marital Testimonial
• Marital Communications
Professional Privileges
• Doctor Patient Privilege
• PsychoTherapist-Patient Privilege
• Clergy-Penitent Privilege
• News Reporter & Source Privilege
State Secrets Privilege
• A/K/A Military & Diplomatic Secrets,
Executive Privilege, Agency
Privilege, Law Enforcement
Privilege, Privilege for Required
Reports
– EX: Pentagon Papers, Watergate, Ollie
North
• Confidential Informant Privilege
Self-Incrimination Privilege
• 5th A
– No person shall be held to answer for a capital, or otherwise
infamous crime, unless on a presentment or indictment of a
Grand Jury, except in cases arising in the land or naval
forces, or in the Militia, when in actual service in time of War
or public danger; nor shall any person be subject for the
same offence to be twice put in jeopardy of life or limb; nor
shall be compelled in any criminal case to be a witness
against himself, nor be deprived of life, liberty, or property,
without due process of law; nor shall private property be
taken for public use, without just compensation.
– Prohibits the government from forcing an individual to provide evidence or answer questions leading to criminal prosecution
– Applicable to one's papers & effects
• Statements that might expose individual to criminal
prosecution
How does Society Add New Privileges?
• EX: Self-Evaluation Privilege
• Must evaluate, weigh, balance
factors:
– Societal importance of the relationship
– Intrusion Offensive to societal values
– Expectation of confidentiality
– Confidentiality essential to relationship
– Likely Barriers to Relationship w/o
Privilege
– Societal benefits
Sensible & Regulated ERM
ERM as a Mandatory Planning Activity
Regulatory Requirements
Responsible Outsourcing
Managing 3d Party Service Providers
Electronic Records Management (ERM)
• ERM is the "systemic review,
retention, & destruction of
documents received or created in the
course of business"
• Broad range of policies, procedures
& classification schemes
– Doc retention – really destruction
schedules
• ERM policies can reduce EDD costs
– Can reduce costs to supply information
requests if promptly found, preserved &
protected against accidental deletion
– Disruptions avoided
Some Record Retention & ERM Requirements
• IRS
• SEC
• EPA
• EEOC
• DOD
• Banking
• Healthcare
• See http://www.irch.com/
– Information Requirements Clearinghouse
– Donald S. Skupsky, JD, CRM, FAI, MIT
Financial Services ERM
• SEC Record Retention Rules
– SEC Rule 17a-4
• NYSE Record Retention Rules
– Rules 440 & 472
• NASD Record Retention Rules
– NASD Conduct Rule 3010
– NASD Conduct Rule 3110
• CFTC Record Retention Rules
Sarbanes-Oxley Section 404
• Foreign Corrupt Practices Act (FCPA)
– Internal Control Requirements §13(b)(2)(B)
– See SEC vs World Wide Coin Invest., 567
F.Supp. 724 (N.D.Ga.1983)
• Section 404 requires public cos to certify internal controls
– Corporate Management & Indep. Auditors
– Co’s records support transactions, positions, &
financials
– Audits: financial records maintenance & mgt
• Including records mgt programs & correspondence
• Need records reflecting all transactions
• Need records management programs that
retain all records for adequate periods
– Must enable Co to locate records when needed
• EX: litigation, enforcement actions
Sarbanes-Oxley Section 404
• Recordkeeping programs mandatory
for Whistleblower communications
• Audit Work Papers - all public
accounting firms retain audit work
papers for 7 years
– Includes paper & e-records incl e-mail
– correspondence for both audit firms
and cos.
• PCAOB subpoena powers over cos now create de facto 7 year retention
Sarbanes-Oxley Section 404
• Penalties for inappropriate destruction of
business records.
– Willful destruction of corporate audit records
• Imprisonment up to 10 years
– Destroying or altering records to impede a
federal investigation or bankruptcy case,
tampering with records, or impeding an
investigation
• Prison terms of up to 20 years
– Implications of Sourbox penalties:
• Ad hoc suspension of records destruction, either in
anticipation of litigation or across the board as a
protective measure
SEC Record Retention Rules: SEC Rule 17a-4
• Rule 17a-3 Info of Member, broker, dealer
• SIX YRS: for not less than 6 years
– 1st 2 years in easily accessible place
• Blotters - itemized daily record of all
purchases and sales of securities, all
receipts and deliveries of securities, all
receipts and disbursements of cash and all
other debits and credits. Ledgers (or other
records) reflecting all assets and liabilities,
income and expense and capital accounts.
• Ledger accounts showing all purchases,
sales, receipts and deliveries of securities
and commodities for customer accounts
• A securities record or ledger separately for
each security as of the clearance dates all
"long" or "short" positions
SEC Record Retention Rules: SEC Rule 17a-4
• THREE YRS: not less than 3 years
• 1st 2 years in accessible place
– Check books, bank statements, cancelled checks, cash
reconciliations.
– Bills receivable or payable
– Originals of all communications received and copies of
all communications sent.
– Trial balances, computations of aggregate indebtedness
and net capital (and working papers in connection
therewith), financial statements, branch office
reconciliations, and internal audit working papers,
relating to the business of such member, broker or
dealer
– Guarantees of accounts and all powers of attorney
– Written agreements
– Records containing 15 enumerated items
– Every such member, broker and dealer shall preserve for
a period of not less than 6 years after the closing of any
customer's account any account cards or records which
relate to the terms and conditions with respect to the
opening and maintenance of such account.
NYSE Record Retention Rules
• Rule 472 Communications with the Public
• Rule 440. Books and Records
Every member not associated with a member organization and every member organization shall make and preserve books and records as the Exchange may prescribe and as prescribed by Rule 17a-3. The recordkeeping format, medium and retention period shall comply with Rule 17a-4 under the Securities Exchange Act of 1934.
NASD Record Retention Rules
• NASD Conduct Rule 3010 Supervision
• NASD Conduct Rule 3110
• Broker-Dealer Email & IM Archiving
Compliance if NASD, NYSE regulated
– Must supervise & therefore monitor electronic
communication since May ’03
– Supervise, sample, review, educate, train,
monitor, audit trail, records of reviews,
– Preserve all customer correspondence
EU Data Retention Directive
• EU Directive 2002/58/EC
– http://europa.eu.int/eurlex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf
• Enhances law enforcement in EU nations
– Does not enhance civil litigation in EU nations
• Requires retention of various eDocs
– member states may pass laws mandating
retention of traffic & location data of
communications
• mobile phones, SMS, landlines, faxes, e-mails, chat
rooms, Internet, or other electronic communication
devices
EU Data Retention Directive
• Reverses 1997 Telecom Privacy Directive
• Explicitly permits EU national laws to
compel ISPs & TelCos to record, index, &
store communications data
– Traffic data - all data generated by conveyance
of communications on electronic
communications network
– Location data - data indicating the geographic position of mobile phone user (CPNI in U.S.)
– Contents NOT covered
• Permissible purposes:
– National security, criminal investigations and
prevention, prosecution of criminal offences
– Without specific judicial authorization.
EU Data Retention Directive
• Controversial & Compliance Spotty
– Belgium, France, Spain, UK
– http://www.dataretentionisnosolution.com
– Opposition: EDRI & XS4ALL petition campaign
– TelCos & ISP oppose the costs & customer mistrust
• Opposition driven by Individual Privacy
not Corporate Confidentiality
• Austrian Fed Const Ct. held
unconstitutional the Austrian statute
compelling TelCos & ISPs to implement
wiretapping measures at their own
expense 2.27.03
Outsourcing EDD & 3d P Service
• Determine provisional scope of
project
• Assess Internal Expertise & costs
• Survey 3d P vendors
– Retain Consultant to find the consultant
• Determine what can be done low
cost/low tech vendors
– E.g., photocopying
Outsourcing EDD & 3d P Service
• Outsourcing: practice of contracting with an outside 3d P to provide a service or product otherwise too expensive, complicated, or time-consuming to do internally
• EDD Outsourcing is a BIG growth industry
• Some respected & reliable vendors using
proven technologies
– However, many new startups w/ unproven
technologies & methods
• Domestic 3d party service provider vs.
Offshore outsourcing?
– Exporting IT-related work from developed
nation (U.S.) to low cost (hopefully stable &
reliable) nation
Factors in evaluating outsourcing
• Price, performance duties,
reputation
• Metrics tied to performance
– Defined in: Service Level Commitments
(SLC)
• Remedies for breach reasonably
available
• Direct experience with client media
• Scalability capacity w/in
expectations
• Who owns, controls client’s data?
Factors favoring outsourcing
– Cost
• RFP, must know project scope
• Developed ERM informs well
• Reasonable Scalability add-ons
– Engagement letter (K)
– Multi-disciplinary teams
• In/Out-House reps from all key areas
– IT, legal, 3d party, implicated divisions
– Mutual education defining project & roles
– Action plan, milestone performance reviews,
progress pmts
– Are wage rates primary cost component?
• Regulatory costs in pet food gluten outsourcing
Legal Issues in Outsourcing
• Concluding the Consulting Contract
– Negotiating an Engagement Letter
• Offer
• Acceptance
• Is all defined in the Written Agreement?
– Third Party Rights
• Assignment: client transfers rights
– Merger, sale of assets, acquisition, scalability
• Delegation: outsourcing by the outsourcer
• 3d Party Beneficiaries
Legal Issues in Outsourcing
• Performing the Consulting Contract
– Perfect Tender Rule
• Specificity of Deliverables, timetables,
performance metrics
• Scalability again: accommodating flexibility
for client, by consultant or service provider
– Substantial Performance
– Material Breach
• SLC standards, Metrics, Legitimacy of
Evaluations
• Remedies for Breach
– Client breach: pmts, cooperation
– Consultant or service provider breach
Legal Issues in Outsourcing
• Adequately Imposing Duties
– Assuring Clients’ Customer Privacy
– Assuring Client’s Data Security
• May need to address other
contractual issues such as:
– IP ownership, compliance with
domestic vs. foreign laws
• EX: privacy, security
– Indemnity
– Audit co-operation (e.g., SAS70)
Audit Issues in Outsourcing: SAS 70
• SAS70 Report: Service Orgs
– in-depth, indep. audit of 3d P serv.org.
• EX: ASP, bank trust dept, claims process
centers, Internet data centers, data
processing service bureau
– Impact on client's (user) control
environment
– SOX: cannot offload mgt’s control
duties
• 3d P’s include controls over info
tech & related processes
– Uniform Service Auditor's Report of 3d
P’s control activities & processes
• Disclosed to client (user) & client’s auditors
Audit Issues in Outsourcing: SAS 70
• Type I Report - Service auditor opinion
1. whether service organization's description of controls presents fairly, in all material respects, the relevant aspects placed in operation as of a specific date, and
2. whether controls suitably designed to achieve specified control objectives
• Type II report - service auditor opinion
1. same items in Type I report, PLUS testing
2. whether controls tested were operating effectively to provide reasonable (not absolute) assurance that control objectives were achieved during a specified period (6mo)
SAS 70: Client/User Perspective
– Outsourcing to 3d P unable to pass audit
can denigrate client/user audit
– Frustrates quick & dirty cost savings from
poorly managed 3d P serv org
– Outsourcing to 3d P passing SAS audit
can justify outsourcing
– Enables assurances to Client’s customers
– Opportunity to encourage or harmonize
3d P control technique improvements
SAS 70: 3d P Service Organization Perspective
– No duty to submit, cooperate or bind
subcontractors unless user’s
engagement letter obligates
– May cause client/user surprise &
difficulty
– SAS 70 Compliance could become
marketing point
– Opportunity to improve controls
following independent assessment
Regulated ERM: Presidential Records
• Archiving Administration eMail
– Presidential Records Act (PRA) of 1978, 44 U.S.C. §2201-2207
– Governs official records of Pres & VPs
– Created or received after Jan. 20, 1981
– Changed the legal ownership from
private to public
– Established new statutory structure for
Presidents to manage records
Presidential Records Act:
• Defines & states public ownership of the
records.
• President has custody and management
responsibility
• Allows disposal by incumbent President
– If records no longer have administrative,
historical, informational, or evidentiary value
– after obtaining views of U.S. Archivist
• Requires President & staff to take all
practical steps to file personal records
separately from Presidential records.
Presidential Records Act:
• Establishes process for restriction &
public access
• PRA allows for public access through
FOIA
– beginning five years after the end of the
Administration,
– allows the President to invoke as many as six
specific restrictions to public access for up to
twelve years.
• Establishes procedures for Congress,
courts, and subsequent Administrations
to obtain special access to records that
remain closed to the public
– Requires 30 day notice to former & current
Presidents
• Requires similar treatment of VP records
Current AG Gonzales Crisis
• White House eMail policies allegedly
violate PRA
• White House eMails lost
– Processed via RNC’s ISP accounts
• Congressional Watchdog
Subpoenas to determine US Atty
Firings process, purpose, plans
• Gonzales Testimony Postponed
• How can the White House
successfully assert Executive
Privilege?