
The Dizzy New World of Cyber Investigations: Law, Ethics and Evidence

The Dizzy New World of Cyber Investigations: Law, Ethics and Evidence. Benjamin Wright, Attorney SANS Institute: “Legal 523: Law of Data Security & Investigations” benjaminwright.us


Presentation Transcript


  1. The Dizzy New World of Cyber Investigations: Law, Ethics and Evidence Benjamin Wright, Attorney SANS Institute: “Legal 523: Law of Data Security & Investigations” benjaminwright.us This is education, not legal advice. If you need legal advice, you should consult your organization’s lawyer.

  2. “Investigation” • Official, authorized collection of legal evidence • Not stalking, cyber-bullying or national intelligence

  3. Roadmap • Experimentation • Limits on investigations • Managing risk • Ethics imperatives • Data breach investigations • Rising accountability • Q&A

  4. Observation of a Tech Lawyer • Digital evidence fuels a hunger for more “investigations” • Example: video tech drives call for more, more, more body cameras on cops • Enterprises conduct more internal investigations (e.g. HR or corruption) • Opportunity and risk for professional investigators

  5. Future Career Advancement • Work as an investigator • Demonstrate talent as an investigator who can uncover and explain unexpected evidence • Digital forensic investigator now probes infotainment systems in modern automobiles • “A Canadian corporation is busting insurance fraud with social media,” businessinsider.com Feb 12, 2016

  6. Mind-Boggling Opportunities for Investigator Creativity • Investigation is an exercise in experimentation, because you never know what new technology or new kind of evidence will be available • Many new apps and devices (e.g. Apple Watch and smart grid meters) released every day • Each app and device may behave differently

  7. Beware • The problem with experimental investigations is that you might unwittingly do something that's illegal or unethical • Guidelines can be fuzzy when you are using novel technology

  8. Absolute Software • Susan Clements-Jeffrey v. City of Springfield • Surveillance software on laptop stolen from school • Investigator collects sensational evidence and gives it to police, who are indiscreet • Investigator can’t withstand a jury trial on whether it eavesdropped illegally http://goo.gl/2LKbJc

  9. Boundary: Computer Crime Laws • Computer Fraud and Abuse Act – access a computer without authority and cause harm • Eavesdropping laws, like Wiretap Act and Stored Communications Act, which forbid illicit interception or recording of communication • Private rights of action

  10. To reduce risk, cyber investigators must exercise restraint and good judgment … easier said than done.

  11. Another Risk Reduction Tip • Post warnings, banners or contracts • “Warning: Property of School District. Subject to Monitoring.”

  12. More Risk Reduction Tips • Some (not all) of the earmarks of legality: • Accountability • Deliberation • Proportionality • Warning – consent

  13. Don’t Prejudge a Data Breach Investigation

  14. Information Security Law and Politics Are Dangerous • Data holder could include university, foundation, company, other non-profit or government entity • Plaintiff lawyers want to make money • Politicians and regulators want to attract attention • The media want to attract viewers

  15. Arguably We Give Too Many Breach Notices • State of Ohio loses unencrypted backup tape containing Social Security numbers • Spends $3 million on breach notice and credit monitoring service • But risk of harm to “victims” was virtually zero • Similar: University of Utah 2008

  16. Legal Standards Are Subjective and Open to Interpretation • HIPAA Omnibus Rule 2013 • Incident presumed to be a breach UNLESS a risk assessment shows low risk of harm, recognizing • Was risk mitigated? • Was data actually viewed or downloaded? • Nature of the data and likelihood of identification

  17. Show Confession Video

  18. Legal Adversaries Can Disagree with Data Holder’s Interpretation of Facts • Reasonable minds can look at same facts and reach different conclusions. • But adversaries may not be entitled to know about data holder’s investigation and interpretation of the facts.

  19. Breach at Lucile Packard Hospital at Stanford University • Hospital saw it had an “incident.” • After investigation, it gave notice. • Notice required within 5 days. • California Department of Public Health said notice from hospital was late. • CDPH claimed hospital owed $250,000. • They settled for $1100 on a technicality; both parties claimed victory!

  20. Lessons from Packard Hospital • Legal adversaries want to punish and shame the institution. • Adversaries would love to get institution’s internal investigation records . . . so the adversaries can second-guess whether there was a breach or whether it was handled properly.

  21. When You Have an Incident … • You don’t know whether you had a “breach” until you complete an investigation. • Investigation can take time and sweat. • Investigation might conclude no breach because (for example) no significant risk of harm. • Or investigation might reach other conclusions that adversaries disagree with.

  22. Data Holder Has Incentive to Keep Investigation Confidential • First, limit who has knowledge of the investigation. • Second, cloak investigation in “attorney work product” • “Attorney work product” prevents details of investigation from being disclosed under subpoena or lawsuit.

  23. What is “Attorney Work Product” Doctrine? • Similar to attorney-client privilege • Protects details of investigation conducted under auspices of attorney.

  24. So, When “Incident” Arises • Don’t jump to conclusion you have “breach” • Don’t write email saying you have “breach” or “compromise” • Involve legal counsel early • Label reports, risk assessment and emails “attorney work product” • Keep legal counsel engaged in the investigation

  25. Conclusion on Data Breach Investigations • Staff should avoid jumping to conclusions. • Staff are not qualified to reach legal conclusions before investigation is complete. • IT staff and legal staff should plan in advance for how to handle incidents.

  26. Modern Investigations: Evidence and Secrets

  27. Evidence is Tricky • Secrets are harder to keep today than in the past • Investigator’s secrets can be revealed • Revelation of investigator’s secrets can be devastating

  28. Tech Makes Fraud Harder to Hide • 100 people fraudulently claim disability, dating back to 1988 • Social media, phone cameras and Dropcam have exploded in popularity • "Ex-Cops, Firefighters Charged with Disability Fraud," Wall St. Journal, 1/8/14 (includes web photo of "disabled" man deep-sea fishing)

  29. Whistleblowers Are Enabled • FTC vs. LabMD • LabMD publicizes its “victimhood” • Whistleblower reveals secrets: digital evidence was spiced up and arguably mishandled • Nov 2015: Administrative Law Judge rules FTC’s evidence is insufficient to prove LabMD had violated law • Ben Wright worked for LabMD

  30. Guerrilla Publicity • LabMD published its own book The Devil Inside the Beltway • Publicized its story via YouTube, social media, podcasts, Amazon • Emergence of whistleblower triggered Congressional investigation & undermined FTC’s evidence

  31. Lesson: Investigators should not assume their secrets will remain secret. They must prepare for scrutiny.

  32. In this wild new world, investigators face myriad theoretical risks. Following are examples.

  33. Risk: Terms of Service • Web terms, mobile app terms, end user license agreements • TRUEBEGINNINGS, LLC v. Spark Network Services (patent case) • Terms can forbid evidence collection • Though these particular terms did not forbid it

  34. KirkpatrickPrice’s Public Terms • Forbid collection of legal evidence in Audit Manager • Onlineauditmanager.com/terms_of_service • “You will not use any evidence or information you access in the [Audit Manager] to attempt to collect money from KirkpatrickPrice, its owners, officers, agents, employees or contractors, or to enjoin them from or about anything they do.”

  35. Mega-Trend: Technology holds professionals, enterprises and all citizens to increasingly higher standards of accountability and legal compliance.

  36. SEC Catches Unusual Stock Trading Pattern • KPMG Auditor caught passing tips to small-fry investor • Very experienced CPA didn't think he'd get caught • This is rare kind of case, but Big Data makes it easier for SEC to catch • "Insider Trader Is Identified," Wall St. J., April 11, 2013

  37. eDiscovery Makes Lying Harder • Small investor got subpoena • If he lies in reply to subpoena, his computer and smart phone records could betray him • Therefore, he ratted out his KPMG friend! • http://goo.gl/zwLxF

  38. Danger in the Age of the Internet and “Big Data” • Advancing technology will uncover our hidden mistakes and transgressions • Case in Point: Swiss bank secrecy has vanished! • For many decades, it was an article of faith that Swiss bank secrecy was rock-solid

  39. Swiss Bank Secrecy • Technology contributed to its downfall • Analysis of Homeland Security data by staff working for Senator Carl Levin • Big data: Travel records of Swiss bankers showed US law violated. See http://goo.gl/3Ncbtd

  40. Secrets Can’t Hide These Days • Secrets leak out – think Snowden • “Liechtenstein Under Siege Clings to Bank Secrecy to Outdo Swiss,” Bloomberg.com 2/27/08 • Resignation of Klaus Zumwinkel, CEO of Deutsche Post AG

  41. Adviser Comes in from the Cold • Lawyer licensed in US & Switzerland pleads guilty in US court to 1 count of conspiracy & agrees to cooperate with government • Helped US taxpayers hide accounts • Prepared fraudulent US tax forms • “Swiss Lawyer Pleads Guilty,” Wall St. J. Aug 17-18, 2013

  42. Swiss Lawyer's Clients - On a Sinking Ship

  43. Hold Yourself to Highest Standard • Investigator may rationalize that he/she has legitimate investigative reason to lie or to hack • “PI Pleads Guilty to Hiring Someone to Break Into eMail Accounts,” SANS Newsbites, March 10, 2015 (PI possibly working on lawsuits connected with insurance claims.)

  44. Avoid Lying and Deception • It’s easy for good people to rationalize lying, deception (or failure to be candid). • President of University of Texas • Deceptively gave admissions to sub-par students who had political and money connections • Intensive investigation required to uncover truth • President resigns • Finally admits: I did it because it was in best interests of the university & everybody else does it.

  45. Technology Played Role in UT Probe • Investigation drew heavily on email and other e-records to uncover the truth • Such electronic evidence would not have been available to a similar investigation in 1990

  46. benjaminwright.us This presentation is just public education. It is not legal advice. If you need legal advice for a particular situation, you should consult a lawyer.

  47. Bonus Material – If time permits

  48. Hillstone Restaurant Case • Password-protected Myspace Forum • Banner: “without outside eyes prying in” • Employees fired • Controversy over how management got password • Jury: Pay back wages and $13,600 in penalties • “Employers Tread a Minefield,” Wall St. Journal, Jan. 21, 2011

  49. Harvard University Deans • Someone leaks student cheating investigation • Deans have agreed University can read their email • Administration searches only subject lines • Deans howl in public • Administration apologizes
