The Dizzy New World of Cyber Investigations: Law, Ethics and Evidence. Benjamin Wright, Attorney SANS Institute: “Legal 523: Law of Data Security & Investigations" benjaminwright.us
This is education, not legal advice. If you need legal advice, you should consult your organization’s lawyer.
“Investigation” • Official, authorized collection of legal evidence • Not stalking, cyber-bullying or national intelligence
Roadmap • Experimentation • Limits on investigations • Managing risk • Ethics imperatives • Data breach investigations • Rising accountability • Q&A
Observation of a Tech Lawyer • Digital evidence fuels a hunger for more “investigations” • Example: video tech drives call for more, more, more body cameras on cops • Enterprises conduct more internal investigations (e.g. HR or corruption) • Opportunity and risk for professional investigators
Future Career Advancement • Work as an investigator • Demonstrate talent as an investigator who can uncover and explain unexpected evidence • Digital forensic investigator now probes infotainment systems in modern automobiles • “A Canadian corporation is busting insurance fraud with social media,” businessinsider.com Feb 12, 2016
Mind-Boggling Opportunities for Investigator Creativity • Investigation is an exercise in experimentation, because you never know what new technology or new kind of evidence will be available • Many new apps and devices (e.g. Apple Watch and smart grid meters) released every day • Each app and device may behave differently
Beware • The problem with experimental investigations is that you might unwittingly do something that's illegal or unethical • Guidelines can be fuzzy when you are using novel technology
Absolute Software • Susan Clements-Jeffrey v. City of Springfield • Surveillance software on laptop stolen from school • Investigator collects sensational evidence and gives it to police, who are indiscreet • Investigator can’t withstand a jury trial on whether it eavesdropped illegally http://goo.gl/2LKbJc
Boundary: Computer Crime Laws • Computer Fraud and Abuse Act – access a computer without authority and cause harm • Eavesdropping laws, like Wiretap Act and Stored Communications Act, which forbid illicit interception or recording of communication • Private rights of action
To reduce risk, cyber investigators must exercise restraint and good judgment … easier said than done.
Another Risk Reduction Tip • Post warnings, banners or contracts • “Warning: Property of School District. Subject to Monitoring.”
More Risk Reduction Tips • Some (not all) of the earmarks of legality: • Accountability • Deliberation • Proportionality • Warning – consent
Information Security Law and Politics Are Dangerous • Data holder could include university, foundation, company, other non-profit or government entity • Plaintiff lawyers want to make money • Politicians and regulators want to attract attention • The media want to attract viewers
Arguably We Give Too Many Breach Notices • State of Ohio loses unencrypted backup tape containing social security numbers • Spends $3 million on breach notice and credit monitoring service • But risk of harm to “victims” was virtually zero • Similar: University of Utah 2008
Legal Standards Are Subjective and Open to Interpretation • HIPAA Omnibus Rule 2013 • Incident presumed to be a breach UNLESS a risk assessment shows low risk of harm, recognizing • Was risk mitigated? • Was data actually viewed or downloaded? • Nature of the data and likelihood of identification
Legal Adversaries Can Disagree with Data Holder’s Interpretation of Facts • Reasonable minds can look at same facts and reach different conclusions. • But adversaries may not be entitled to know about data holder’s investigation and interpretation of the facts.
Breach at Lucile Packard Hospital at Stanford University • Hospital saw it had an “incident.” • After investigation, it gave notice. • Notice required within 5 days. • California Department of Public Health said notice from hospital was late. • CDPH claimed hospital owed $250,000. • They settled for $1100 on a technicality; both parties claimed victory!
Lessons from Packard Hospital • Legal adversaries want to punish and shame the institution. • Adversaries would love to get institution’s internal investigation records . . . so the adversaries can second-guess whether there was a breach or whether it was handled properly.
When You Have an Incident … • You don’t know whether you had a “breach” until you complete an investigation. • Investigation can take time and sweat. • Investigation might conclude no breach because (for example) no significant risk of harm. • Or investigation might reach other conclusions that adversaries disagree with.
Data Holder Has Incentive to Keep Investigation Confidential • First, limit who has knowledge of the investigation. • Second, cloak investigation in “attorney work product” • “Attorney work product” prevents details of investigation from being disclosed under subpoena or lawsuit.
What is “Attorney Work Product” Doctrine? • Similar to attorney-client privilege • Protects details of investigation conducted under auspices of attorney.
So, When “Incident” Arises • Don’t jump to conclusion you have “breach” • Don’t write email saying you have “breach” or “compromise” • Involve legal counsel early • Label reports, risk assessment and emails “attorney work product” • Keep legal counsel engaged in the investigation
Conclusion on Data Breach Investigations • Staff should avoid jumping to conclusions. • Staff are not qualified to reach legal conclusions before investigation is complete. • IT staff and legal staff should plan in advance for how to handle incidents.
Evidence is Tricky • Secrets are harder to keep today than in the past • Investigator’s secrets can be revealed • Revelation of investigator’s secrets can be devastating
Tech Makes Fraud Harder to Hide • 100 people fraudulently claim disability, dating back to 1988 • Social media, phone cameras and Dropcam have exploded in popularity • "Ex-Cops, Firefighters Charged with Disability Fraud," Wall St. Journal, 1/8/14 (includes web photo of "disabled" man deep-sea fishing)
Whistleblowers Are Enabled • FTC vs. LabMD • LabMD publicizes its “victimhood” • Whistleblower reveals secrets: digital evidence was spiced up and arguably mishandled • Nov 2015: Administrative Law Judge rules FTC’s evidence is insufficient to prove LabMD had violated law • Ben Wright worked for LabMD
Guerrilla Publicity • LabMD published its own book The Devil Inside the Beltway • Publicized its story via YouTube, social media, podcasts, Amazon • Emergence of whistleblower triggered Congressional investigation & undermined FTC’s evidence
Lesson: Investigators should not assume their secrets will remain secret. They must prepare for scrutiny.
In this wild new world, investigators face myriad theoretical risks. Following are examples.
Risk: Terms of Service • Web terms, mobile app terms, end user license agreements • TRUEBEGINNINGS, LLC v. Spark Network Services (patent case) • Terms can forbid evidence collection • Though these particular terms did not forbid it
KirkpatrickPrice’s Public Terms • Forbid collection of legal evidence in Audit Manager • Onlineauditmanager.com/terms_of_service • “You will not use any evidence or information you access in the [Audit Manager] to attempt to collect money from KirkpatrickPrice, its owners, officers, agents, employees or contractors, or to enjoin them from or about anything they do.”
Mega-Trend: Technology holds professionals, enterprises and all citizens to increasingly higher standards of accountability and legal compliance.
SEC Catches Unusual Stock Trading Pattern • KPMG Auditor caught passing tips to small-fry investor • Very experienced CPA didn't think he'd get caught • This is rare kind of case, but Big Data makes it easier for SEC to catch • "Insider Trader Is Identified," Wall St. J., April 11, 2013
eDiscovery Makes Lying Harder • Small investor got subpoena • If he lies in reply to subpoena, his computer and smart phone records could betray him • Therefore, he ratted out his KPMG friend! • http://goo.gl/zwLxF
Danger in the Age of the Internet and “Big Data” • Advancing technology will uncover our hidden mistakes and transgressions • Case in Point: Swiss bank secrecy has vanished! • For many decades, it was an article of faith that Swiss bank secrecy was rock-solid
Swiss Bank Secrecy • Technology contributed to its downfall • Analysis of Homeland Security data by staff working for Senator Carl Levin • Big data: Travel records of Swiss bankers showed US law violated. See http://goo.gl/3Ncbtd
Secrets Can’t Hide These Days • Secrets leak out – think Snowden • “Liechtenstein Under Siege Clings to Bank Secrecy to Outdo Swiss,” Bloomberg.com 2/27/08 • Resignation of Klaus Zumwinkel, CEO of Deutsche Post AG
Adviser Comes in from the Cold • Lawyer licensed in US & Switzerland pleads guilty in US court to 1 count of conspiracy & agrees to cooperate with government • Helped US taxpayers hide accounts • Prepared fraudulent US tax forms • “Swiss Lawyer Pleads Guilty,” Wall St. J. Aug 17-18, 2013
Hold Yourself to Highest Standard • Investigator may rationalize that he/she has legitimate investigative reason to lie or to hack • “PI Pleads Guilty to Hiring Someone to Break Into eMail Accounts,” SANS Newsbites, March 10, 2015 (PI possibly working on lawsuits connected with insurance claims.)
Avoid Lying and Deception • It’s easy for good people to rationalize lying, deception (or failure to be candid). • President of University of Texas • Deceptively gave admissions to sub-par students who had political and money connections • Intensive investigation required to uncover truth • President resigns • Finally admits: I did it because it was in best interests of the university & everybody else does it.
Technology Played Role in UT Probe • Investigation drew heavily on email and other e-records to uncover the truth • Such electronic evidence would not have been available to a similar investigation in 1990
benjaminwright.us This presentation is just public education. It is not legal advice. If you need legal advice for a particular situation, you should consult a lawyer.
Hillstone Restaurant Case • Password-protected Myspace Forum • Banner: “without outside eyes prying in” • Employees fired • Controversy over how management got password • Jury: Pay back wages and $13,600 in penalties • “Employers Tread a Minefield,” Wall St. Journal, Jan. 21, 2011
Harvard University Deans • Someone leaks student cheating investigation • Deans have agreed University can read their email • Administration searches only subject lines • Deans howl in public • Administration apologizes