Electronic Evidence: New Challenges for Information Security Officers

Presented by:

Tom Greene

Chief Assistant Attorney General, Public Rights Division

Clark Kelso

Chief Information Officer, State of California

Overview

  • Introduction to the recent FRCP amendments for “Electronically Stored Information” (ESI)

  • Implications for Information Security Officers

  • Resources

  • Questions

E-Data has been Discoverable and Admissible for Some Time

  • Fed. R. Civ. P. 34(a): “document” includes “data compilations from which information can be obtained, translated, if necessary, by the respondent through detection devices into reasonably usable form”

  • “Today it is black letter law that computerized data is discoverable if relevant … The law is clear that data in computerized form is discoverable even if paper ‘hard copies’ of the information have been produced….” Anti-Monopoly, Inc. v. Hasbro, Inc., 94 Civ.2120, 1995 WL 649934 (S.D.N.Y. 1995)

FRCP Amendments and E-Evidence

  • Amendments to the Federal Rules of Civil Procedure address “electronically stored information” (ESI)

  • Apply to cases brought on or after 12/1/06 and all other cases unless “would not be feasible or would work injustice.” Rule 86.

Amended Rule 34(a): “Electronically Stored Information”

“Any party may serve…a request…to produce designated documents, electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained—translated, if necessary, …into reasonably useful form…”

Four Concepts in the New Rules

  • Early Consideration of ESI issues

  • Two-Tier Approach to Back-up Media

  • Practical Adjustments

  • Shallow Safe Harbor for E-Document Destruction

Critical Decisions Come Early!

  • Rule 26(f) Conference Among Counsel

    • ASAP but not later than 16 days before Rule 16 conference or issuance of scheduling order.

  • Rule 26(a) disclosures of ESI

    • At or w/in 14 days of 26(f) conference unless a different schedule per stipulation or order.

  • Rule 16 Conference Order

    • ASAP but at least w/in 90 days of appearance of defendant or 120 days from service of complaint.

Rule 26(f) Meet and Confer Obligation

  • Discuss “any issues relating to preserving discoverable information”.

  • “changes in the timing, form or requirement for disclosures under Rule 26(a)”

  • “[A]ny issues” relating to ESI including the “form or forms” of production.

  • New Form 35 for report to court.

  • Consider bringing a consultant/expert.

Rule 26(a) Initial Disclosures

  • 26(a)(1)(A)—Witnesses

    • May need to include e-evidence custodian(s); might well be an ISO.

  • 26(a)(1)(B)—“a copy of, or a description by category of, all documents, electronically stored information…that the disclosing party may use to support its claims or defenses”

Rule 26(a); Sanctions

  • If fail to “make a disclosure under Rule 26(a), any other party may” move to compel and for “appropriate sanctions”. Rule 37(a)(2)(A).

  • May not be “permitted to use” the undisclosed information “at a trial, at a hearing, or on a motion”. Rule 37(c)(1).

Rule 16 Conference

  • Per Advisory Committee, Court is to start w/ 26(f) Report of Counsel.

  • Order is to include “provisions for disclosure or discovery of” ESI. Rule 16(b)(5).

  • Order may include “any agreements the parties reach for asserting claims of privilege or of protection of trial-preparation material after production.” Rule 16(b)(6).

Local Rules

  • N.D. Cal. Civil Local Rule 16-9 requires a description of:

    • “Steps taken to preserve evidence relevant to the issues reasonably evident in the action, including interdiction of any document-destruction program and any ongoing erasures of e-mails, voice-mails, and any other electronically-stored material.”

Duties of Litigation Counsel

  • Communicate discovery obligations to client

  • Identify sources of discoverable information

  • Speak directly with key players in litigation as well as IT personnel

  • Put in place a litigation hold

  • Reiterate instructions for litigation hold and monitor compliance

  • Call for employees to produce copies of e-evidence

  • Arrange for segregation and safeguarding of archival media (backup tapes) (Zubulake V, 229 F.R.D. 422 (S.D.N.Y. 2004))

Potential Role(s) of ISOs

  • Consultant (How do your systems work?)

    • Informal Advice; Attend 26(f) session or 16(b) conference

  • Witness

    • Persons Most Knowledgeable (PMK) Depositions

  • Design/Implement Litigation Hold; Search for Information

What Should You Explain to Your Lawyers?

  • Discuss Email System

    • Hardware, Software, Versions, Location, etc.

  • Discuss File Servers

    • Hardware, Software, Versions, Location, etc.

  • Discuss PCs

    • O/S, Recent Upgrades, Applications, Versions

  • Discuss PDAs

    • Blackberry, Treo, Palm, etc.

Talking to Your Lawyers, Part 2

  • Backup Policy

  • Retention Policy

  • Destruction Policy

  • Capable of Litigation Holds?

  • Other considerations:

    • Thumb drives

    • Working from home

    • Personal Archives

Special Problems with Voice Mail

  • Voice mail typically Not under Your Direct Control

  • Contact 3rd-Party Vendor ASAP

  • Secure hold on Voice Mails for “Key Players”

Two-Tier Approach; Rule 26(b)(2)(C)

  • “A party need not provide discovery of [ESI] from sources that the party identifies as not reasonably accessible”

  • Committee Note states that the fact that archived data is expensive to access does not mean you don’t have to preserve back-up media.

  • Demanding party can move for production if value outweighs burden, taking into account amount in controversy, parties’ resources, issues in case and importance of the proposed discovery.

States of Data: Cheap to Expensive

  • Active data ($)

  • Metadata ($)

  • System data ($)

  • Backup tapes ($$$)

  • Deleted and altered files ($$$$)

  • Legacy data ($$$$$)

Budget Issues: Costs for Managing E-Evidence

  • Collect data

    • $250-500 per hard drive or backup tape

    • $2,000-3,000 per server

  • Cull and Search for Relevant Data using Tech Tools

    • $1,800 per hard drive; more for backup tapes.

    • $450 per e-mail box

  • Produce Relevant Data

    • $750 per hard drive to prepare data for production in proper format

  • Convert data to litigation support repository for privilege review

    • $4 per Megabyte plus $.10/page for Bates numbering and tiffing the images

Practical Adjustments: Form(s) of Production

  • FRCP 34(b) authorizes demanding party to “specify the form or forms in which [ESI] is to be produced”; subject to challenge.

  • Per Advisory Note, can specify different forms for spreadsheets and documents.

Metadata and Why It May Be Important in a Lawsuit

  • Classic e-mail metadata fields

    • From, To, Subject, Date, cc, bcc, Text of email

    • Date and time e-mail and/or attachment opened

  • 50-60 other types of fields are available

  • Embedded data (e.g., Excel formulas, Word Processing prior versions)

  • Expensive to manage and produce; relevance depends on the nature of your case.

Typical Forms of Production

  • Native Format – ESI is produced as it was maintained and used; contains metadata.

  • Quasi-Native – ESI is produced in a format similar to, but not the same as, the format in which it was maintained and used.

    • Proprietary software

    • Large databases

Forms of Production, Part 2

  • Quasi-Paper – ESI is converted to image files, typically TIFF or PDF; meta data and full text are extracted.

  • Quasi-Paper Hybrid – Meta data and text are extracted with a link to the native file.

  • Paper

  • What do you really need?

  • Be careful what you ask for. . .

Rule 37: “Shallow Safe Harbor”

  • FRCP 37(f) provides that “absent exceptional circumstances, a court may not impose sanctions…[for ESI]… lost as a result of the routine, good-faith operation of an electronic information system.”

  • Good faith per Committee Note includes retention under common law, etc. and existence of effective litigation hold.

Retention Obligation: Practice Tips

  • Normal business destruction will not yield sanctions under FRCP.

  • But Improper Destruction Creates Major Risks for Your Agency.

  • Written Litigation Hold Policies are Highly Recommended.

What is “spoliation”?

  • “the destruction or significant alteration of evidence, or the failure to preserve…evidence in pending or reasonably foreseeable litigation.” West v. Goodyear, 167 F.3d 776,779 (2nd Cir.1999)

  • Contra spoliatorem omnia praesumuntur. Black’s Law Dictionary (4th ed.)

Sources of Duty to Preserve

  • Knew or should have known of possible litigation

  • Specific statutes, e.g. Sarbanes-Oxley; SEC Rules

  • Court order

  • Agreement

When Does Duty Attach?

  • Based on common law “knew or should have known” standard:

    • When Product Designed. Carlucci, 102 F.R.D. 472 (S.D.Fl.1984)

    • When Complaints Received. Remington, 836 F.2d 1104 (8th Cir.1988)

    • When litigation suspected. Zubulake IV, 220 F.R.D. 212 (S.D.N.Y.2003)

    • When major accident occurs. Union Pac. R.R., 2004 U.S.App.LEXIS 6 (8th Cir.2004)

Preservation of Metadata May Be Required

  • Relevance of metadata depends on the case.

  • Burden of disclosing metadata on the producing party. Williams v. Sprint, 2005 U.S. Dist. Lexis 29882 (D.Md. 11/22/05)

  • Discuss at 16(b) conference.

What remedies?

  • “Most potent” is the adverse inference instruction. Cedars-Sinai, 18 Cal.4th 1, 11 (1998)

  • Example: New CA standard instruction 205 reads: “You may consider whether one party intentionally concealed or destroyed evidence. If you decide that a party did so, you may decide that the evidence would have been unfavorable to that party.”

Other Sanctions

  • Monetary

  • Evidence

  • Issue

  • Terminating

A Few Examples

  • Leon v. IDX (9th Cir. 2006) 464 F.3d 951 (files deleted from laptop; dismissal)

  • U.S. v. Gordon (9th Cir.2004) 393 F.3d 1044 (use of “Evidence Eliminator” to scrub drive; pay costs and conviction affirmed)

  • In re Napster (N.D.Cal. 10/25/06) 2006 WL 3050864 (deletion of e-mail; adverse inference instruction)

More Examples

  • World Courier v. Barone (N.D.Cal., No. C 06-3072 THE, 4/13/07) (destruction of hard drive in IP case by non-party husband; adverse inference instruction, costs; relies on Residential Funding v. DeGeorge Fin. (2d Cir. 2002) 306 F.3d 99, 105)

  • People v. Hanson Building Materials (Contra Costa County, No. MSC04-00424, 5/3/07) (Failure to retain e-mail; CA state agency ordered to pay $79K in fees/costs + adverse inference instruction; writ pending)

Litigation Hold Requirement: Policy and Implementation

  • Create Policy to:

    • Determine When Hold is to be Imposed

    • Define what is to be preserved

    • Staff responsibilities

  • Implementation Issues:

    • ID key players who are involved

    • ID relevant records/docs/systems/computers

    • Contact and interview all key players

    • Will metadata be material? A forensics snapshot?

    • Will legacy data or backup media need to be preserved?

    • When do we need an outside expert?

Litigation Hold Procedures: Training and Follow-up

  • Follow-up

    • Meetings and regular reminders

    • Individual Interviews

    • Determine if staff requires further clarification

  • Document the process

Resources

  • Sedona Guidelines (sedonaconference.com)

  • Zubulake decisions

  • Michael Arkfeld, Electronic Discovery and Evidence (All AGO libraries)

  • BNA, Digital Discovery and E-Evidence

  • Internet resources

    • Discoveryresources.org; krollontrack.com; FIOS.com; applieddiscovery.com; Note webinars.

Take-Aways?

  • E-Discovery Presents Serious Risks to Your Agencies.

  • ISOs Will Have Important Roles in Future Litigation

  • Need to Partner Early with your CIO, the AG and your General Counsel’s Office.

  • Need for Standards and Guidelines (Which You Should Help Write).

Thanks and Questions