
Impact of Revised Federal Rules on CyberForensic Practice




Presentation Transcript


  1. Impact of Revised Federal Rules on CyberForensic Practice Watershed for all CyberForensics? What will be FRCP’s Impact Beyond Jurisdiction of Federal Civil Litigation Rules?

  2. Some Litigators’ Vision of Discovery • “As a litigator, I will tell you documents are just the bane of our existence. Never write when you can speak. Never speak when you can wink.” • Statement of Jordan Eth, Sarbanes-Oxley: The Good, The Bad, The Ugly, Nov. 10, 2005, on a panel hosted by the National Law Journal and Stanford Law School’s Center on Ethics, reprinted in Nat. L.J. at p. 18 (Dec. 12, 2005). • Modern update: • “Never type when you can write, never speak when you can whisper, never communicate when it’s understood…”

  3. 12.1.06 FRCP is CyberForensics Watershed • Recognition of EDD, ESI, ERM • New Processes Needed • Costs & Burdens Recalibrated • FRCP is Model for all ESI Processes in Range of Tribunals • Criminal • Civil • Regulatory • Congressional Watchdog Committees • Internal Investigations • SROs • ADR • Counter-Terrorism, eSurveillance, Intelligence

  4. FRCP as Watershed • Consciously balance EDD costs • Reinforces attorney-client and attorney work product privileges in certain ESI • Clarify requester’s right to prefer some ESI forms • e.g., native format with meta-data intact • Clarify when the target’s duty arises to preserve ESI following a “litigation hold” by providing a “safe harbor” from spoliation sanctions • Elevates electronic records management (ERM) by compressing EDD schedule so most firms must plan for EDD before litigation by: • inventorying and monitoring all ESI • designating EDD teams • informing litigators about ESI repositories • generally adopting ERM best practices, ex ante • May result in standardized discovery protocols

  5. Some of the Major FRCP Revisions • Cooperation • Planning • ESI emerges • Privilege Preservation • Pace Quickens • Are all litigators sufficiently tech savvy? • ERM ubiquity predictable • 3d P Service Providers • Essential for expertise • Essential for scalability & work capacity

  6. New Federal Rules • Developed & approved by the U.S. Judicial Conference • Public comment period • Approved by the U.S. Supreme Court • Congress did not act to change them, so they took effect 12.1.06 • Revisions address some abuses in obfuscation and destruction of evidence • Truncate pre-trial motion delays with mandatory EDD planning • Clarify the discoverable electronic forms of information • Strike a new balance in the burdens of EDD

  7. Electronically Stored Information - ESI • Not explicitly defined in the amended 12.1.06 FRCP or in the official Committee Notes; the term was left deliberately broad so that it reaches storage technologies not yet in use • Nevertheless generally understood as: • information created, manipulated, communicated, stored, & optimally used in digital form • Requires use of a computer & s/w to read • ESI distinguishable from “conventional” or analog records • E.g., writing/typing/printing stored on paper, images printed on paper, analog photographic images, analog sound or video recordings, microfilm …

  8. ESI • Should now more clearly include info that targets have frequently resisted producing: • Content & metadata of word-processed docs in various formats • spreadsheets • e-mail including attachments • instant messages (IM) • Voice-over Internet Protocol (VoIP) • personal digital assistant (PDA) storage • most other databases of

  9. Continuing Role of Traditional Discovery • Interrogatories may still be useful: • Requesters may query about: • Repositories of printed docs • ESI existence, custodians, formats & locations • Interrogatories must be answered accurately & completely • Potential challenge to inventory exhaustively • EX: portable storage devices, PDAs, laptop computers, cellphones, iPods, flash memory devices (thumbdrives) • But more cooperation is now required

  10. Cooperation & Planning • Scoping, protocol & planning of EDD • Rule 26(f) requires the parties to confer soon after the complaint is filed, ahead of the Rule 16(b) scheduling order, which must issue within 120 days of service of the complaint • Must negotiate discovery scope, including preservation & the form(s) in which ESI will be produced • Protocol agreed upon on scope of EDD • Practical effects: • litigators must quickly understand the IT environment of their clients & of opposing parties • Inform protocol design • Protocol uniformity likely • de facto EDD standards may emerge • Intended to diminish the expense of delaying tactics • EX: motions to compel, counter motions to resist • EX: Zubulake & Rambus litigation • Short time to issue RFPs (requests for proposals) for: • EDD &/or litigation support service providers • Should establish service level commitments (SLC) & metrics ex ante • Manage requests, collection, review & production

  11. Cost Balancing • 2-tiered cost balancing: accessible & not reasonably accessible (Rule 26(b)(2)(B)) • Targets shoulder the costs of providing “accessible” ESI • When responsive to a proper request and relevant to litigated issues • ESI from sources the target identifies as “not reasonably accessible because of undue burden or cost” need not be produced unless the court orders it for good cause; the court may then impose conditions, including shifting some production costs to the requester • Requesters may challenge the target’s inaccessibility designation • Process: • 1st requester makes demand • 2nd target must understand the accessibility of its own ESI to reply, and must identify the sources it is not searching • 3rd denial empowers the requester to file a motion to compel production • 4th target bears the burden of showing that production would impose an undue burden or cost • A target’s resistance is justifiable only when informed by an accurate ESI inventory • Inaccessible ESI must still be preserved until the litigation hold is released, e.g., after the litigation & any appeals conclude

  12. Form of ESI Production • The form in which ESI is produced may • impose greater search costs & • hide potentially relevant metadata • Revised FRCP attenuates this contention • Requesting party may specify the form(s) of production (Rule 34(b)); the target may object, and absent agreement must produce ESI in the form in which it is ordinarily maintained or in a reasonably usable form • Facilitate search & review • May seek native formats w/ metadata • EX: track-changes metadata may reveal revision authors & dates, deleted concessions, compromises, or faux pas.
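The slide’s point about native-format production is easy to see in practice: a .docx is a zip archive, and the tracked changes it carries (author, timestamp, deleted and inserted text) survive only if the file is produced natively rather than as a print or PDF. The script below is an added example, not part of the presentation; it reads the core properties and every w:ins / w:del revision out of a .docx using only the standard library. The document it parses is constructed in memory so the example runs offline, and the names, dates and dollar figures in it are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# OOXML namespaces used by Word for document content and core properties
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"


def extract_docx_metadata(docx_bytes: bytes) -> Dict[str, object]:
    """Pull core properties and tracked changes (w:ins / w:del) out of a .docx.

    A .docx is a zip; only docProps/core.xml and word/document.xml are read.
    Revisions are returned in document order, each with its author and timestamp."""
    core: Dict[str, str] = {}
    revisions: List[Dict[str, str]] = []
    ins_tag, del_tag = f"{{{W_NS}}}ins", f"{{{W_NS}}}del"
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag, key in ((f"{{{DC_NS}}}creator", "creator"),
                             (f"{{{CP_NS}}}lastModifiedBy", "lastModifiedBy"),
                             (f"{{{CP_NS}}}revision", "revision"),
                             (f"{{{DCTERMS_NS}}}modified", "modified")):
                el = root.find(tag)
                if el is not None and el.text:
                    core[key] = el.text
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            for el in root.iter():
                if el.tag not in (ins_tag, del_tag):
                    continue
                kind = "ins" if el.tag == ins_tag else "del"
                # deleted text lives in w:delText, inserted text in ordinary w:t runs
                text_tag = f"{{{W_NS}}}delText" if kind == "del" else f"{{{W_NS}}}t"
                revisions.append({
                    "type": kind,
                    "author": el.get(f"{{{W_NS}}}author", ""),
                    "date": el.get(f"{{{W_NS}}}date", ""),
                    "text": "".join(t.text or "" for t in el.iter(text_tag)),
                })
    return {"core": core, "revisions": revisions}


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx with one tracked deletion and one insertion.
    Only the two parts the extractor reads are written; names and figures are invented."""
    core_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}" xmlns:dcterms="{DCTERMS_NS}" xmlns:xsi="{XSI_NS}">
  <dc:creator>A. Drafter</dc:creator>
  <cp:lastModifiedBy>B. Reviewer</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2006-11-30T18:05:00Z</dcterms:modified>
</cp:coreProperties>"""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
  <w:r><w:t xml:space="preserve">We will settle for </w:t></w:r>
  <w:del w:id="1" w:author="B. Reviewer" w:date="2006-11-30T18:04:00Z">
    <w:r><w:delText>$2 million</w:delText></w:r>
  </w:del>
  <w:ins w:id="2" w:author="B. Reviewer" w:date="2006-11-30T18:05:00Z">
    <w:r><w:t>$1 million</w:t></w:r>
  </w:ins>
  <w:r><w:t>.</w:t></w:r>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_docx_metadata(build_sample_docx())
    print(meta["core"])
    for rev in meta["revisions"]:
        print(f'{rev["date"]} {rev["author"]} {rev["type"]}: {rev["text"]!r}')
```

Run against a real production set, the same loop over w:ins / w:del is what surfaces the “deleted concessions” the slide refers to: here the reviewer struck “$2 million” and typed “$1 million” one minute later, and both the earlier figure and the editor’s identity are recoverable only because the metadata was left intact.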

  13. Safe Harbor • Rule 37(f) (2006 numbering): absent exceptional circumstances, no sanctions under the rules for ESI lost as a result of the routine, good-faith operation of an electronic information system • EX: ESI lost, overwritten or otherwise unrecoverable through a regular business practice of document destruction • Limits: a litigation hold imposes a preservation duty, and “good faith” requires suspending routine destruction once the hold attaches • Documents destroyed after a litigation hold expose the target to spoliation sanctions &/or obstruction charges • Further enhances 3d P service opportunities • Litigation support • EDD service providers • Improved document destruction practices expected

  14. Clawback • FRCP Rule 26(b)(5)(B) enables the target to retrieve privileged information inadvertently disclosed • Optional procedure retroactively asserting privilege after inadvertent production • Clawback Agreements - parties may agree that privileged or protected (trade secret) information inadvertently produced during quick paced eDiscovery must be returned or destroyed & w/o waiving privilege

  15. Clawback under FRCP Rule 26(b)(5)(B) • Information Produced. If information is produced in discovery that is subject to a claim of privilege or of protection as trial-preparation material, the party making the claim may notify any party that received the information of the claim and the basis for it. After being notified, a party must promptly return, sequester, or destroy the specified information and any copies it has and may not use or disclose the information until the claim is resolved. A receiving party may promptly present the information to the court under seal for a determination of the claim. If the receiving party disclosed the information before being notified, it must take reasonable steps to retrieve it. The producing party must preserve the information until the claim is resolved.

  16. Privileges • Encourage the free flow of info in certain preferred relationships • Protect the privacy of the client or beneficiary of the relationship • Instrumental justification (professions): without the privilege, the frank disclosure needed for adequate service would not be forthcoming

  17. Attorney-Client Privilege • Since Elizabeth I (1533-1603) • party seeking the protection is an actual or prospective client; can be a corporation (management must assert it) • communication must be between client and an attorney acting as counsel • privilege protects communications to and from attorneys • communications with attorneys’ agents • communications conveying advice of counsel • Third party communications (e.g., consultants) generally not protected, unless consultant retained directly by

  18. Attorney-Client Privilege • communication made in confidence • Not before 3d Ps • "Public" communications not protected • purpose of communication must be to secure or provide an opinion of law or legal assistance • protects legal advice and factual information communicated to receive legal advice • privilege does not protect underlying facts, business or other non-legal advice. • privilege must be asserted -does not automatically attach • claimed at the time of demand by 3d P

  19. Attorney-Client Privilege • Privilege belongs to the corporation, not to individual managers or employees • Corporation can waive the privilege over individual employees’ objections • Privilege easily lost or “waived” by disclosures to third parties • E.g., voluntary disclosure in response to interrogatories or subpoenas • Involuntary or accidental disclosure • Crime-Fraud Exception • No protection for communications made in furtherance of an ongoing or future crime or fraud; a client’s confidences about a completed past crime remain protected

  20. Attorney Work Product Privilege • Protects materials prepared by a lawyer in preparation for trial from being seen and used by the adversary during pre-trial discovery or @ trial • Reflecting legal opinions or strategy • Records prepared in anticipation of litigation • Divulge an attorney's theory of a case • Divulge litigation strategy

  21. Spousal Privilege • Valid Marriage under Law • Marital Testimonial • Marital Communications

  22. Professional Privileges • Doctor Patient Privilege • PsychoTherapist-Patient Privilege • Clergy-Penitent Privilege • News Reporter & Source Privilege

  23. State Secrets Privilege • Related government privileges: military & diplomatic secrets, executive privilege, agency privilege, law enforcement privilege, privilege for required reports • EX: Pentagon Papers, Watergate, Ollie North • Confidential informant privilege

  24. Self-Incrimination Privilege • 5th A • No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation. • Prohibits the government from compelling an individual to give testimony or answer questions that could lead to criminal prosecution • Limited application to one’s papers & effects: pre-existing documents are protected only where the act of producing them is itself testimonial (e.g., it admits their existence, possession or authenticity) • Statements that might expose the individual to criminal prosecution

  25. How does Society Add New Privileges? • EX: Self-Evaluation Privilege • Must evaluate, weigh, balance factors: • Societal importance of the relationship • Intrusion Offensive to societal values • Expectation of confidentiality • Confidentiality essential to relationship • Likely Barriers to Relationship w/o Privilege • Societal benefits

  26. Sensible & Regulated ERM • ERM as a Mandatory Planning Activity • Regulatory Requirements • Responsible Outsourcing • Managing 3d Party Service Providers

  27. Electronic Records Management (ERM) • ERM is the “systemic review, retention, & destruction of documents received or created in the course of business” • Broad range of policies, procedures & classification schemes • Doc retention schedules are really destruction schedules • ERM policies can reduce EDD costs • Can reduce the cost of supplying information requests if records are promptly found, preserved & protected against accidental deletion • Disruptions avoided
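Slide 13 (safe harbor) and slide 27 (ERM retention schedules) describe the same control from two sides: a retention schedule decides when routine destruction is permitted, and a litigation hold overrides that decision for the custodians it names, because destruction after the hold attaches is outside the routine, good-faith operation the safe harbor protects. The following is an added example, not part of the presentation, of how a records system can encode that ordering. The retention classes reuse the SEC Rule 17a-4 periods quoted later in the deck (6 years for blotters and customer account cards, 3 years for bank statements); the “correspondence” class, the matter name, custodians, dates and record IDs are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Constructed retention schedule in years. The first three classes use the
# SEC Rule 17a-4 periods quoted on the page; "correspondence" is a hypothetical class.
RETENTION_YEARS: Dict[str, int] = {
    "blotter": 6,
    "bank_statement": 3,
    "customer_account_card": 6,   # runs from the account's closing date
    "correspondence": 3,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    custodian: str
    trigger_date: date        # creation date, or closing date for account cards


@dataclass(frozen=True)
class LitigationHold:
    matter: str
    issued: date
    custodians: FrozenSet[str]
    released: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.issued <= day and (self.released is None or day < self.released)

    def covers(self, custodian: str, day: date) -> bool:
        return self.active_on(day) and custodian in self.custodians


def retention_expiry(rec: Record) -> date:
    """Earliest date on which the schedule permits routine destruction of rec."""
    years = RETENTION_YEARS[rec.record_class]
    try:
        return rec.trigger_date.replace(year=rec.trigger_date.year + years)
    except ValueError:                      # 29 Feb trigger date, non-leap target year
        return rec.trigger_date.replace(year=rec.trigger_date.year + years, day=28)


def disposition(rec: Record, holds: List[LitigationHold], today: date) -> str:
    """Return 'hold', 'retain' or 'destroy'.

    The hold is checked first: once a hold covers the custodian, routine destruction
    is suspended even for records whose retention period has already expired."""
    if any(h.covers(rec.custodian, today) for h in holds):
        return "hold"
    return "destroy" if today >= retention_expiry(rec) else "retain"


def audit_destruction_log(log: List[dict], holds: List[LitigationHold]) -> List[dict]:
    """Flag destruction-log entries that ran while a hold covered the custodian.

    Each entry is a dict with record_id, custodian and destroyed_on (a date).
    Flagged entries are the ones the safe harbor will not protect."""
    flagged = []
    for entry in log:
        for h in holds:
            if h.covers(entry["custodian"], entry["destroyed_on"]):
                flagged.append({**entry, "matter": h.matter})
    return flagged


# Constructed sample data: one hold, three records, two destruction-log entries.
SAMPLE_HOLDS = [
    LitigationHold(matter="Doe v. Example Broker", issued=date(2006, 12, 1),
                   custodians=frozenset({"jdoe"})),
]
SAMPLE_RECORDS = [
    Record("R-1", "blotter", "jdoe", date(1999, 6, 15)),          # expired, custodian on hold
    Record("R-2", "blotter", "asmith", date(1999, 6, 15)),        # expired, no hold
    Record("R-3", "bank_statement", "asmith", date(2005, 3, 1)),  # still inside 3 years
]
SAMPLE_LOG = [
    {"record_id": "R-9", "custodian": "jdoe", "destroyed_on": date(2006, 11, 20)},  # before hold
    {"record_id": "R-1", "custodian": "jdoe", "destroyed_on": date(2006, 12, 15)},  # after hold
]


def run_sample(today: date = date(2007, 1, 15)) -> dict:
    """Apply the schedule and the hold to the sample data as of `today`."""
    return {
        "dispositions": {r.record_id: disposition(r, SAMPLE_HOLDS, today) for r in SAMPLE_RECORDS},
        "flagged": audit_destruction_log(SAMPLE_LOG, SAMPLE_HOLDS),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The order of the checks in disposition() is the point: the schedule says R-1 became destroyable in 2005, but because its custodian is under hold as of the evaluation date the answer is “hold”, while the identically aged R-2 held by someone outside the hold is “destroy”. The audit function applies the same test retrospectively to a destruction log, separating R-9 (destroyed before the hold issued, within the safe harbor) from R-1 (destroyed two weeks after the hold, and therefore a spoliation exposure).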

  28. Some Record Retention & ERM Requirements • IRS • SEC • EPA • EEOC • DOD • Banking • Healthcare • See http://www.irch.com/ • Information Requirements Clearinghouse • Donald S. Skupsky, JD, CRM, FAI, MIT

  29. Financial Services ERM • SEC Record Retention Rules • SEC Rule 17a-4 • NYSE Record Retention Rules • Rules 440 & 472 • NASD Record Retention Rules • NASD Conduct Rule 3010 • NASD Conduct Rule 3110 • CFTC Record Retention Rules

  30. Sarbanes-Oxley Section 404 • Foreign Corrupt Practices Act (FCPA) • Internal control requirements, Exchange Act §13(b)(2)(B) • See SEC v. World-Wide Coin Investments, 567 F. Supp. 724 (N.D. Ga. 1983) • Section 404 requires public cos to report on their internal control over financial reporting • Corporate management & independent auditors • Co’s records must support transactions, positions & financials • Audits cover financial records maintenance & mgt • Including records mgt programs & correspondence • Need records reflecting all transactions • Need records management programs that retain all records for adequate periods • Must enable the Co to locate records when needed • EX: litigation, enforcement actions

  31. Sarbanes-Oxley Section 404 • Recordkeeping programs mandatory for whistleblower communications • Audit work papers: all public accounting firms must retain audit work papers for 7 years • Includes paper & e-records incl. e-mail • correspondence for both audit firms and cos. • PCAOB subpoena powers reaching cos now create a de facto 7-year retention period

  32. Sarbanes-Oxley Section 404 • Penalties for inappropriate destruction of business records • Willful destruction of corporate audit records • Imprisonment up to 10 years • Destroying or altering records to impede a federal investigation or bankruptcy case, tampering with records, or impeding an investigation • Prison terms of up to 20 years • Implications of the SOX penalties: • Ad hoc suspension of records destruction, either in anticipation of litigation or across the board as a protective measure

  33. SEC Record Retention Rules: SEC Rule 17a-4 • Rule 17a-3 Info of Member, broker, dealer • SIX YRS: for not less than 6 years • 1st 2 years in easily accessible place • Blotters - itemized daily record of all purchases and sales of securities, all receipts and deliveries of securities , all receipts and disbursements of cash and all other debits and credits. Ledgers (or other records) reflecting all assets and liabilities, income and expense and capital accounts. • Ledger accounts showing all purchases, sales, receipts and deliveries of securities and commodities for customer accounts • A securities record or ledger separately for each security as of the clearance dates all "long" or "short" positions

  34. SEC Record Retention Rules: SEC Rule 17a-4 • THREE YRS: not less than 3 years • 1st 2 years in an accessible place • Check books, bank statements, cancelled checks, cash reconciliations • Bills receivable or payable • Originals of all communications received and copies of all communications sent • Trial balances, computations of aggregate indebtedness and net capital (and working papers in connection therewith), financial statements, branch office reconciliations, and internal audit working papers, relating to the business of such member, broker or dealer • Guarantees of accounts and all powers of attorney • Written agreements • Records containing the 15 enumerated items • Every such member, broker and dealer shall preserve for a period of not less than 6 years after the closing of any customer's account any account cards or records which relate to the terms and conditions with respect to the opening and maintenance of such account.

  35. NYSE Record Retention Rules • Rule 472 Communications with the Public • Rule 440 Books and Records: Every member not associated with a member organization and every member organization shall make and preserve books and records as the Exchange may prescribe and as prescribed by Rule 17a-3. The recordkeeping format, medium and retention period shall comply with Rule 17a-4 under the Securities Exchange Act of 1934.

  36. NASD Record Retention Rules • NASD Conduct Rule 3010 Supervision • NASD Conduct Rule 3110 • Broker-Dealer Email & IM Archiving Compliance if NASD, NYSE regulated • Must supervise & therefore monitor electronic communication since May ’03 • Supervise, sample, review, educate, train, monitor, audit trail, records of reviews, • Preserve all customer correspondence

  37. EU Data Retention Directive • EU Directive 2002/58/EC (the Privacy and Electronic Communications, or “ePrivacy”, Directive), whose Art. 15(1) permits member states to adopt retention laws • http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_ 20120020731en00370047.pdf • The later Data Retention Directive proper, 2006/24/EC, made retention of traffic & location data mandatory (6 to 24 months) • Enhances law enforcement in EU nations • Does not enhance civil litigation in EU nations • Requires retention of various eDocs • member states may pass laws mandating retention of traffic & location data of communications • mobile phones, SMS, landlines, faxes, e-mails, chat rooms, Internet, or other electronic communication devices

  38. EU Data Retention Directive • Replaces the 1997 Telecom Privacy Directive (97/66/EC) • Explicitly permits EU national laws to compel ISPs & TelCos to record, index & store communications data • Traffic data: all data generated by the conveyance of communications on an electronic communications network • Location data: data indicating the geographic position of a mobile phone user (comparable to CPNI in the U.S.) • Contents NOT covered • Permissible purposes: • National security, criminal investigations and prevention, prosecution of criminal offences • The directive itself does not require specific judicial authorization for access; that is left to national law

  39. EU Data Retention Directive • Controversial & Compliance Spotty • Belgium, France, Spain, UK • http://www.dataretentionisnosolution.com • Opposition: EDRI & XS4ALL petition campaign • TelCos & ISP oppose the costs & customer mistrust • Opposition driven by Individual Privacy not Corporate Confidentiality • Austrian Fed Const Ct. held unconstitutional the Austrian statute compelling TelCos & ISPs to implement wiretapping measures at their own expense 2.27.03

  40. Outsourcing EDD & 3d P Service • Determine provisional scope of project • Assess Internal Expertise & costs • Survey 3d P vendors • Retain Consultant to find the consultant • Determine what can be done low cost/low tech vendors • E.g., photocopying

  41. Outsourcing EDD & 3d P Service • Outsourcing-practice of contracting with outside 3d P to provide service or product otherwise too expensive, complicated, or time-consuming to do internally • EDD Outsourcing is BIG growth indus • Some respected & reliable vendors using proven technologies • However, many new startups w/ unproven technologies & methods • Domestic 3d party service provider vs. Offshore outsourcing? • Exporting IT-related work from developed nation (U.S.) to low cost (hopefully stable & reliable) nation

  42. Factors in evaluating outsourcing • Price, performance duties, reputation • Metrics tied to performance • Defined in: Service Level Commitments (SLC) • Remedies for breach reasonably available • Direct experience with client media • Scalability capacity w/in expectations • Who owns, controls client’s data?

  43. Factors favoring outsourcing • Cost • RFP: must know project scope • A developed ERM program informs the RFP well • Reasonable scalability add-ons • Engagement letter (K) • Multi-disciplinary teams • In/out-house reps from all key areas • IT, legal, 3d party, implicated divisions • Mutual education defining project & roles • Action plan, milestone performance reviews, progress pmts • Are wage rates the primary cost component? • EX: regulatory costs exposed in pet food gluten outsourcing

  44. Legal Issues in Outsourcing • Concluding the Consulting Contract • Negotiating an Engagement Letter • Offer • Acceptance • Is all defined in the Written Agreement? • Third Party Rights • Assignment: client transfers rights • Merger, sale of assets, acquisition, scalability • Delegation: outsourcing by the outsourcer • 3d Party Beneficiaries

  45. Legal Issues in Outsourcing • Performing the Consulting Contract • Perfect Tender Rule • Specificity of Deliverables, timetables, performance metrics • Scalability again: accommodating flexibility for client, by consultant or service provider • Substantial Performance • Material Breach • SLC standards, Metrics, Legitimacy of Evaluations • Remedies for Breach • Client breach: pmts, cooperation • Consultant or service provider breach

  46. Legal Issues in Outsourcing • Adequately imposing duties • Assuring clients’ customer privacy • Assuring client’s data security • May need to address other contractual issues such as: • IP ownership, compliance with domestic vs. foreign laws • EX: privacy, security • Indemnity • Audit cooperation (e.g., SAS 70)

  47. Audit Issues in Outsourcing: SAS 70 • SAS70 Report: Service Orgs • in-depth, indep. audit of 3d P serv.org. • EX: ASP, bank trust dept, claims process centers, Internet data centers, data processing service bureau • Impact on client's (user) control environment • SOX: cannot offload mgt’s control duties • 3d P’s include controls over info tech & related processes • Uniform Service Auditor's Report of 3d P’s control activities & processes • Disclosed to client (user) & client’s auditors

  48. Audit Issues in Outsourcing: SAS 70 • Type I Report Service auditor opinion • whether service organization's description of controls presents fairly, in all material respects, the relevant aspects placed in operation as of a specific date, and • whether controls suitably designed to achieve specified control objectives • Type II report service auditor opinion • same items in Type I report, PLUS testing • whether controls tested were operating effectively to provide reasonable (not absolute) assurance that control objectives were achieved during a specified period (6mo)

  49. SAS 70: Client/User Perspective • Outsourcing to a 3d P unable to pass the audit can undermine the client/user’s own audit • Frustrates quick & dirty cost savings from a poorly managed 3d P service org • Outsourcing to a 3d P that passes a SAS 70 audit can justify outsourcing • Enables assurances to the client’s customers • Opportunity to encourage or harmonize 3d P control technique improvements

  50. SAS 70: 3d P Service Organization Perspective • No duty to submit, cooperate or bind subcontractors unless user’s engagement letter obligates • May cause client/user surprise & difficulty • SAS 70 Compliance could become marketing point • Opportunity to improve controls following independent assessment
