Impact of revised federal rules on cyberforensic practice
Impact of Revised Federal Rules on CyberForensic Practice

Watershed for all CyberForensics?

What will be FRCP’s Impact Beyond Jurisdiction of Federal Civil Litigation Rules?


Some Litigators’ Vision of Discovery

  • “As a litigator, I will tell you documents are just the bane of our existence. Never write when you can speak. Never speak when you can wink.”

    • Statement of Jordan Eth, Sarbanes-Oxley: The Good, The Bad, The Ugly, Nov. 10, 2005, on a panel hosted by the National Law Journal and Stanford Law School’s Center on Ethics, reprinted in Nat. L.J. at p. 18 (Dec. 12, 2005).

  • Modern update:

    • “Never type when you can write, never speak when you can whisper, never communicate when it’s understood…”


12.1.06 FRCP is CyberForensics Watershed

  • Recognition of EDD, ESI, ERM

  • New Processes Needed

  • Costs & Burdens Recalibrated

  • FRCP is Model for all ESI Processes in Range of Tribunals

    • Criminal

    • Civil

    • Regulatory

    • Congressional Watchdog Committees

    • Internal Investigations

    • SROs

    • ADR

    • Counter-Terrorism, eSurveillance, Intelligence


FRCP as Watershed

  • Consciously balance EDD costs

  • Reinforces attorney-client and attorney work product privileges in certain ESI

  • Clarify requester’s right to prefer some ESI forms

    • e.g., native format with meta-data intact

  • Clarify when the target’s duty arises to preserve ESI following a “litigation hold” by providing a “safe harbor” from spoliation sanctions

  • Elevates electronic records management (ERM) by compressing EDD schedule so most firms must plan for EDD before litigation by:

    • inventorying and monitoring all ESI

    • designating EDD teams

    • informing litigators about ESI repositories

    • generally adopting ERM best practices, ex ante

  • May result in standardized discovery protocols


Some of the Major FRCP Revisions

  • Cooperation

  • Planning

  • ESI emerges

  • Privilege Preservation

  • Pace Quickens

    • Are all litigators sufficiently tech savvy?

  • ERM ubiquity predictable

  • 3d P Service Providers

    • Essential for expertise

    • Essential for scalability & work capacity


New Federal Rules

  • U.S. Judicial Conference developed & approved

    • Public comment

    • U.S. Supreme Court approved

    • Congress failed to change, effective 12.1.06

  • Revisions address some abuses in obfuscation and destruction of evidence

    • Truncates pre-trial motion delays with mandatory EDD planning

    • Clarifies discoverable electronic forms of information

    • Strikes new balance in the burdens of EDD


Electronically Stored Information - ESI

  • Not explicitly defined in the amended 12.1.06 FRCP nor in the official Committee Notes

  • Nevertheless generally understood as:

    • information created, manipulated, communicated, stored, & optimally used in digital form

    • Requires use of computer & s/w

  • ESI distinguishable from “conventional” or analog records

    • E.g., writing/typing/printing stored on paper, images printed on paper, analog photographic images, analog sound or video recordings, microfilm …


ESI

  • Should now more clearly include info targets frequently resisted producing:

    • Content & meta-data of word-processed docs, various formats

    • spreadsheets,

    • e-mail including attachments,

    • instant messages (IM),

    • Voice-over Internet Protocol (VoIP),

    • personal data assistants (PDA) storage,

    • most other databases of


Continuing Role of Traditional Discovery

  • Interrogatories may still be useful:

    • Requesters may query about:

      • Repositories of printed docs

      • ESI existence, custodians, formats & locations

    • Interrogatories must be answered accurately & completely

    • Potential challenge to inventory exhaustively

      • EX: portable storage devices, PDAs, laptop computers, cellphones, iPods, flash memory devices (thumbdrives)

  • But, more cooperation now required


Cooperation & Planning

  • Scoping, protocol & planning of EDD

  • Rule 16(b) requires parties to meet quickly following filing of complaint

  • Must negotiate discovery scope

    • Within 120 days of service of complaint

    • Protocol agreed upon on scope of EDD

  • Practical effects:

    • litigators must quickly understand IT environment of their clients & of opposing parties

    • Inform protocol design

      • Protocol uniformity likely

        • de facto EDD standards may emerge

      • Intended to diminish expense of delaying tactics

        • EX: motions to compel, counter motions to resist

        • EX: Zubulake & Rambus litigation

    • Short time to issue RFPs for:

      • EDD &/or litigation support service providers

      • Should establish service level commitments (SLC) & metrics ex ante

      • Manage requests, collection, review & production


Cost Balancing

  • 2-tiered cost balancing: accessible & non-accessible

    • Targets shoulder costs of providing “accessible” ESI

      • When responsive to a proper request and relevant to litigated issues

    • Production costs borne by requester for “not readily accessible” ESI

      • Requesters may challenge target’s inaccessibility designation

  • Process:

    • 1st requester makes demand

    • 2nd implicitly target must understand ESI accessibility to reply

    • 3rd denial empowers requester to file a motion to compel production

    • 4th target must provide detailed proof that ESI production would impose an undue burden

      • Target’s resistance is legitimately justifiable only when informed by an accurate ESI inventory

      • Inaccessible ESI must still be preserved until litigation hold is released such as following litigation & appeals


Form of ESI Production

  • Form of ESI produced may

    • impose greater search costs &

    • hide potentially relevant metadata

  • Revised FRCP attenuates contention

    • Requesting party may choose format

      • Facilitate search & review

      • May seek native formats w/ metadata

        • EX: track-changes metadata may reveal revision authors & dates, deleted concessions, compromises, faux pas.


Safe Harbor

  • Lost, unrecoverable from regular business process

  • Documents destroyed after litigation hold

    • Imposes preservation duty

    • Exposes target to spoliation &/or obstruction

  • New FRCP permit limited safe harbor

    • ESI lost, overwritten or otherwise unrecoverable

    • If done as part of regular business practice of document destruction

    • Further enhances 3d P Services Opportunities

      • Litigation support

      • EDD service providers

      • Improve document destruction practices expected


Clawback

  • FRCP Rule 26(b)(5)(B) enables the target to retrieve privileged information inadvertently disclosed

    • Optional procedure retroactively asserting privilege after inadvertent production

  • Clawback Agreements - parties may agree that privileged or protected (trade secret) information inadvertently produced during quick paced eDiscovery must be returned or destroyed & w/o waiving privilege


Clawback under FRCP Rule 26(b)(5)(B)

  • Information Produced. If information is produced in discovery that is subject to a claim of privilege or of protection as trial-preparation material, the party making the claim may notify any party that received the information of the claim and the basis for it. After being notified, a party must promptly return, sequester, or destroy the specified information and any copies it has and may not use or disclose the information until the claim is resolved. A receiving party may promptly present the information to the court under seal for a determination of the claim. If the receiving party disclosed the information before being notified, it must take reasonable steps to retrieve it. The producing party must preserve the information until the claim is resolved.


Privileges

  • Encourage free flow of info in certain preferred relationships

  • Protects privacy of client or beneficiary of relationship

  • Instrumental Justification: Professions

    • Frank disclosure needed for service adequacy would not be forthcoming


Attorney-Client Privilege

  • Since Elizabeth I (1533-1603)

  • party seeking the protection of actual or prospective client, can be a corporation (management must assert)

  • communication must be between client and an attorney acting as counsel

    • privilege protects communications to and from attorneys

    • communications with attorneys agents

    • communications conveying advice of counsel

    • Third party communications (e.g., consultants) generally not protected, unless consultant retained directly by


Attorney-Client Privilege

  • communication made in confidence

    • Not before 3d Ps

    • "Public" communications not protected

  • purpose of communication must be to secure or provide an opinion of law or legal assistance

    • protects legal advice and factual information communicated to receive legal advice

    • privilege does not protect underlying facts, business or other non-legal advice.

  • privilege must be asserted -does not automatically attach

    • claimed at the time of demand by 3d P


Attorney-Client Privilege

  • Privilege belongs to corporation, not to individual managers or employees

    • Corporation can waive privilege over individual employees objections

  • Privilege easily lost or "waived" by disclosures to third parties

    • E.g., voluntary disclosure - in response to interrogatories or subpoenas

    • Involuntary or accidental disclosure

  • Crime Fraud Exception

    • Client gives atty criminal evidence or atty knows of future criminal plans


Attorney Work Product Privilege

  • Protects materials prepared by a lawyer in preparation for trial from being seen and used by the adversary during pre-trial discovery or @ trial

    • Reflecting legal opinions or strategy

    • Records prepared in anticipation of litigation

    • Divulge an attorney's theory of a case

    • Divulge litigation strategy


Spousal Privilege

  • Valid Marriage under Law

  • Marital Testimonial

  • Marital Communications


Professional Privileges

  • Doctor Patient Privilege

  • PsychoTherapist-Patient Privilege

  • Clergy-Penitent Privilege

  • News Reporter & Source Privilege


State Secrets Privilege

  • A/K/A Military & Diplomatic Secrets, Executive Privilege, Agency Privilege, Law Enforcement Privilege, Privilege for Required Reports

    • EX: Pentagon Papers, Watergate, Ollie North

  • Confidential Informant Privilege


Self-Incrimination Privilege

  • 5th A

    • No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

    • Prohibits the government from forcing individual to provide evidence, answering questions, leading to criminal prosecution

    • Applicable to one's papers & effects

  • Statements that might expose individual to criminal prosecution


How does Society Add New Privileges?

  • EX: Self-Evaluation Privilege

  • Must evaluate, weigh, balance factors:

    • Societal importance of the relationship

    • Intrusion Offensive to societal values

    • Expectation of confidentiality

    • Confidentiality essential to relationship

    • Likely Barriers to Relationship w/o Privilege

    • Societal benefits



Sensible & Regulated ERM

ERM as a Mandatory Planning Activity

Regulatory Requirements

Responsible Outsourcing

Managing 3d Party Service Providers


Electronic Records Management (ERM)

  • ERM is the "systemic review, retention, & destruction of documents received or created in the course of business"

  • Broad range of policies, procedures & classification schemes

    • Doc retention – really destruction schedules

  • ERM policies can reduce EDD costs

    • Can reduce costs to supply information requests if promptly found, preserved & protected against accidental deletion

    • Disruptions avoided


Some Record Retention & ERM Requirements

  • IRS

  • SEC

  • EPA

  • EEOC

  • DOD

  • Banking

  • Healthcare

  • See http://www.irch.com/

    • Information Requirements Clearinghouse

    • Donald S. Skupsky, JD, CRM, FAI, MIT


Financial Services ERM

  • SEC Record Retention Rules

    • SEC Rule 17a-4

  • NYSE Record Retention Rules

    • Rules 440 & 472

  • NASD Record Retention Rules

    • NASD Conduct Rule 3010

    • NASD Conduct Rule 3110

  • CFTC Record Retention Rules


Sarbanes-Oxley Section 404

  • Foreign Corrupt Practices Act (FCPA)

    • Internal Control Requirements §13(b)(2)(B)

    • See SEC v. World Wide Coin Invest., 567 F. Supp. 724 (N.D. Ga. 1983)

  • Section 404 requires public cos certify internal control

    • Corporate Management & Indep. Auditors

    • Co’s records support transactions, positions, & financials

    • Audits: financial records maintenance & mgt

      • Including records mgt programs & correspondence

  • Need records reflecting all transactions

  • Need records management programs that retain all records for adequate periods

    • Must enable Co to locate records when needed

      • EX: litigation, enforcement actions


Sarbanes-Oxley Section 404

  • Recordkeeping programs mandatory for Whistleblower communications

  • Audit Work Papers - all public accounting firms retain audit work papers for 7 years

    • Includes paper & e-records incl e-mail

    • correspondence for both audit firms and cos.

      • PCAOB subpoena powers over companies now impose de facto 7-year retention


Sarbanes-Oxley Section 404

  • Penalties for inappropriate destruction of business records.

    • Willful destruction of corporate audit records

      • Imprisonment up to 10 years

    • Destroying or altering records to impede a federal investigation or bankruptcy case, tampering with records, or impeding an investigation

      • Prison terms of up to 20 years

    • Implications of Sarbox (SOX) penalties:

      • Ad hoc suspension of records destruction, either in anticipation of litigation or across the board as a protective measure


SEC Record Retention Rules: SEC Rule 17a-4

  • Rule 17a-3 Info of Member, broker, dealer

  • SIX YRS: for not less than 6 years

    • 1st 2 years in easily accessible place

      • Blotters - itemized daily record of all purchases and sales of securities, all receipts and deliveries of securities, all receipts and disbursements of cash and all other debits and credits. Ledgers (or other records) reflecting all assets and liabilities, income and expense and capital accounts.

      • Ledger accounts showing all purchases, sales, receipts and deliveries of securities and commodities for customer accounts

      • A securities record or ledger separately for each security as of the clearance dates all "long" or "short" positions


SEC Record Retention Rules: SEC Rule 17a-4

  • THREE YRS: not less than 3 years

  • 1st 2 years in accessible place

    • Check books, bank statements, cancelled checks, cash reconciliations.

    • Bills receivable or payable

    • Originals of all communications received and copies of all communications sent.

    • Trial balances, computations of aggregate indebtedness and net capital (and working papers in connection therewith), financial statements, branch office reconciliations, and internal audit working papers, relating to the business of such member, broker or dealer

    • Guarantees of accounts and all powers of attorney

    • Written agreements

    • Records containing 15 enumerated items

    • Every such member, broker and dealer shall preserve for a period of not less than 6 years after the closing of any customer's account any account cards or records which relate to the terms and conditions with respect to the opening and maintenance of such account.


NYSE Record Retention Rules

  • Rule 472 Communications with the Public

  • Rule 440. Books and Records. Every member not associated with a member organization and every member organization shall make and preserve books and records as the Exchange may prescribe and as prescribed by Rule 17a-3. The recordkeeping format, medium and retention period shall comply with Rule 17a-4 under the Securities Exchange Act of 1934.


NASD Record Retention Rules

  • NASD Conduct Rule 3010 Supervision

  • NASD Conduct Rule 3110

  • Broker-Dealer Email & IM Archiving Compliance if NASD, NYSE regulated

    • Must supervise & therefore monitor electronic communication since May ’03

    • Supervise, sample, review, educate, train, monitor, audit trail, records of reviews,

    • Preserve all customer correspondence


EU Data Retention Directive

  • EU Directive 2002/58/EC

    • http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf

  • Enhances law enforcement in EU nations

    • Does not enhance civil litigation in EU nations

  • Requires retention of various eDocs

    • member states may pass laws mandating retention of traffic & location data of communications

      • mobile phones, SMS, landlines, faxes, e-mails, chat rooms, Internet, or other electronic communication devices


EU Data Retention Directive

  • Reverses 1997 Telecom Privacy Directive

  • Explicitly permits EU national laws to compel ISPs & TelCos to record, index, & store communications data

    • Traffic data - all data generated by conveyance of communications on electronic communications network

    • Location data - data indicating the geographic position of a mobile phone user (CPNI in U.S.)

    • Contents NOT covered

  • Permissible purposes:

    • National security, criminal investigations and prevention, prosecution of criminal offences

    • Without specific judicial authorization.


EU Data Retention Directive

  • Controversial & Compliance Spotty

    • Belgium, France, Spain, UK

    • http://www.dataretentionisnosolution.com

    • Opposition: EDRI & XS4ALL petition campaign

    • TelCos & ISP oppose the costs & customer mistrust

  • Opposition driven by Individual Privacy not Corporate Confidentiality

  • Austrian Fed Const Ct. held unconstitutional the Austrian statute compelling TelCos & ISPs to implement wiretapping measures at their own expense 2.27.03


Outsourcing EDD & 3d P Service

  • Determine provisional scope of project

  • Assess Internal Expertise & costs

  • Survey 3d P vendors

    • Retain Consultant to find the consultant

  • Determine what can be done low cost/low tech vendors

    • E.g., photocopying


Outsourcing EDD & 3d P Service

  • Outsourcing - practice of contracting with an outside 3d P to provide a service or product otherwise too expensive, complicated, or time-consuming to do internally

  • EDD Outsourcing is a BIG growth industry

  • Some respected & reliable vendors using proven technologies

    • However, many new startups w/ unproven technologies & methods

  • Domestic 3d party service provider vs. Offshore outsourcing?

    • Exporting IT-related work from developed nation (U.S.) to low cost (hopefully stable & reliable) nation


Factors in evaluating outsourcing

  • Price, performance duties, reputation

  • Metrics tied to performance

    • Defined in: Service Level Commitments (SLC)

  • Remedies for breach reasonably available

  • Direct experience with client media

  • Scalability capacity w/in expectations

  • Who owns, controls client’s data?


Factors favoring outsourcing

  • Cost

    • RFP, must know project scope

    • Developed ERM informs well

    • Reasonable Scalability add-ons

  • Engagement letter (K)

  • Multi-disciplinary teams

    • In/Out-House reps from all key areas

      • IT, legal, 3d party, implicated divisions

      • Mutual education defining project & roles

  • Action plan, milestone performance reviews, progress pmts

  • Are wage rates primary cost component?

    • Regulatory costs in pet food gluten outsourcing


Legal Issues in Outsourcing

  • Concluding the Consulting Contract

    • Negotiating an Engagement Letter

      • Offer

      • Acceptance

      • Is all defined in the Written Agreement?

    • Third Party Rights

      • Assignment: client transfers rights

        • Merger, sale of assets, acquisition, scalability

      • Delegation: outsourcing by the outsourcer

      • 3d Party Beneficiaries


Legal Issues in Outsourcing

  • Performing the Consulting Contract

    • Perfect Tender Rule

      • Specificity of Deliverables, timetables, performance metrics

      • Scalability again: accommodating flexibility for client, by consultant or service provider

    • Substantial Performance

    • Material Breach

      • SLC standards, Metrics, Legitimacy of Evaluations

  • Remedies for Breach

    • Client breach: pmts, cooperation

    • Consultant or service provider breach


Legal Issues in Outsourcing

  • Adequately Imposing Duties

    • Assuring Clients’ Customer Privacy

    • Assuring Client’s Data Security

  • May need to address other contractual issues such as:

    • IP ownership, compliance with domestic vs. foreign laws

      • EX: privacy, security

    • Indemnity

    • Audit co-operation (e.g., SAS 70)


Audit Issues in Outsourcing: SAS 70

  • SAS70 Report: Service Orgs

    • in-depth, indep. audit of 3d P serv.org.

      • EX: ASP, bank trust dept, claims process centers, Internet data centers, data processing service bureau

    • Impact on client's (user) control environment

    • SOX: cannot offload mgt’s control duties

  • 3d P’s include controls over info tech & related processes

    • Uniform Service Auditor's Report of 3d P’s control activities & processes

      • Disclosed to client (user) & client’s auditors


Audit Issues in Outsourcing: SAS 70

  • Type I Report Service auditor opinion

    • whether service organization's description of controls presents fairly, in all material respects, the relevant aspects placed in operation as of a specific date, and

    • whether controls suitably designed to achieve specified control objectives

  • Type II report service auditor opinion

    • same items in Type I report, PLUS testing

    • whether controls tested were operating effectively to provide reasonable (not absolute) assurance that control objectives were achieved during a specified period (6mo)


SAS 70: Client/User Perspective

  • Outsourcing to 3d P unable to pass audit can denigrate client/user audit

    • Frustrates quick & dirty cost savings from poorly managed 3d P serv org

  • Outsourcing to 3d P passing SAS audit can justify outsourcing

    • Enables assurances to Client’s customers

  • Opportunity to encourage or harmonize 3d P control technique improvements


SAS 70: 3d P Service Organization Perspective

  • No duty to submit, cooperate or bind subcontractors unless user’s engagement letter obligates

    • May cause client/user surprise & difficulty

  • SAS 70 Compliance could become marketing point

  • Opportunity to improve controls following independent assessment


Regulated ERM: Presidential Records

  • Archiving Administration eMail

    • Presidential Records Act (PRA) of 1978, 44 U.S.C. §§ 2201-2207

    • Governs official records of Pres & VPs

    • Created or received after Jan. 20, 1981

    • Changed the legal ownership from private to public

    • Established new statutory structure for Presidents to manage records


Presidential Records Act:

  • Defines & states public ownership of the records.

  • President has custody and management responsibility

  • Allows disposal by incumbent President

    • If records no longer have administrative, historical, informational, or evidentiary value

    • after obtaining views of U.S. Archivist

  • Requires President & staff to take all practical steps to file personal records separately from Presidential records.


Presidential Records Act:

  • Establishes process for restriction & public access

  • PRA allows for public access through FOIA

    • beginning five years after the end of the Administration,

    • allows the President to invoke as many as six specific restrictions to public access for up to twelve years.

  • Establishes procedures for Congress, courts, and subsequent Administrations to obtain special access to records that remain closed to the public

    • Requires 30 day notice to former & current Presidents

  • Requires similar treatment of VP records


Current AG Gonzales Crisis

  • White House eMail policies allegedly violate PRA

  • White House eMails lost

    • Processed via RNC’s ISP accounts

  • Congressional Watchdog Subpoenas to determine US Atty Firings process, purpose, plans

  • Gonzales Testimony Postponed

  • How can the White House successfully assert Executive Privilege?

