Law and Computer Security E-Discovery Bahareh Rahmani CS - University of Tulsa.

Law and Computer SecurityE-Discovery

Bahareh RahmaniCS - University of Tulsa

Definition Data Classification First Ground

EDRM IT Department Penalties

Electronic discoveryrefers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.E-Discovery can be:•carried out offline on a particular computer•done in a network•Court-ordered or government sanctioned hacking for the purpose of obtaining critical evidenceE-discovery is an evolving field that goes far beyond mere technology. It gives rise to multiple legal, constitutional, political, security and personal privacy issues, many of which have yet to be resolved.

Electronic discoveryWhen a company is sued, the parties in the lawsuit ask for documents and other evidence from each other so they can fully explore the facts of the case prior to a trial. E-discovery is the process of exchanging documents and other information in electronic form. Lawyers define this as electronically stored information (ESI). It involves:1- identifying, 2- locating, 3- retrieving,4- handing over the requested information. Because the lion's share of corporate information is now stored electronically, e-discovery can be a complicated, time-consuming and expensive process.

Why digital data?1.electronically searched with ease, whereas paper documents must be scrutinized manually.2.difficult or impossible to completely destroy, particularly if it gets into a network.3.the data appears on multiple hard drives and because digital files, even if deleted, can be undeleted. 4.the only reliable way to destroy a computer file is to physically destroy every hard drive where the file has been stored.

Data ClassificationA tool for categorization of data to enable/help organization to effectively answer following questions: 1- What data types are available? 2- Where are certain data located? 3- What access levels are implemented? 4- What protection level is implemented and does it adhere to compliance regulations?

Data Classification's steps

1- Define what information you want to protect (specifically, not general data classification) 2- Discover where it’s located (various tools/techniques, preferably automated, like DLP, rather than manual) 3- Secure the data where it’s stored, and/or eliminate data where it shouldn’t be (access controls, encryption) 4- Monitor data usage (various tools, including DLP, DAM, logs, SIEM) 5- Protect the data from exfiltration (DLP, USB control, email security, web gateways, etc.)

Data typesdata of all types can serve as evidence:This can include:

1- text, images, calendar files, databases, spreadsheets, audio files, animation, Web sites and computer programs.

2- malware such as viruses, trojans and spyware can be secured and investigated.

3- Email can be an especially valuable source of evidence in civil or criminal litigation, because people are often less careful in these exchanges than in hard copy correspondence such as written memos and postal letters.

Computer(CYBER) forensicsa specialized form of e-discovery in which:1.an investigation is carried out on the contents of the hard drive of a specific computer.2.physically isolating the computer, investigators make a digital copy of the hard drive. 3.the original computer is locked in a secure facility to maintain its pristine condition. 4.All investigation is done on the digital copy.

http://searchfinancialsecurity.techtarget.com/definition/electronic-discovery

First ground of e-discovery2003: securities giant UBS Warburg was sued by one of its salespersons in what seemed to be a fairly commonplace employment discrimination suit.

The way the company handled its electronic information once the suit was filed landed it in deep trouble, however.

2004: a court found that UBS Warburg failed to save emails that might have been used as evidence against it and ordered the company to pay the employee $29.3 million.

The landmark case, Zubulake v UBS Warburg, broke new ground for electronic data that must be produced during a lawsuit, a requirement known as electronic discovery, or e-discovery. Since then, the law and practice surrounding the legal obligations for handling e-discovery have continued to evolve.

State farm policyState Farm wanted control over and consistency within its e-discovery process. By keeping 25 years' worth of documents in production systems fronted by a master management system, the company greatly reduced the cost of responding to lawsuits.

insurer of homes and automobiles keeps anything that might matter: emails, 100% of the email attachments of its claims officers, paper and electronic documents dating back 25 years, even the latest iterations of its human resources Web pages. The voluminous cache, meticulously imaged and coded, is stored centrally in an active system that is searched regularly as litigation arises.

Electronic Discovery Reference Model (EDRM)

1- Developed in 2005 by George Socha Jr., founder of St. Paul, Minn.-based Socha Consulting LLC, and Tom Gelbmann, managing director of Gelbmann & Associates in Roseville, Minnesota.

2- A framework that outlines standards for the recovery and discovery and of digital data.

3- Designed to serve as guidance for gathering and assimilating electronic data during the legal process, including criminal evidence discovery.

4- A conceptual standard for the e-discovery process.

EDRM steps1. Information management: Implement data governance processes that alleviate risk and expenses in the event of an electronic discovery request.2. Identification: Locate sources of information to determine exactly what the data is, and how it needs to be managed.3. Preservation: Ensure potentially e-discovery-relevant ESI is properly stored using measures such as retention and deletion schedules.4. Collection: Gather information for e-discovery use.5. Processing: Reduce the volume the relevant ESI and convert it for review and analysis.6. Review: Determine the data's e-discovery relevance.7. Analysis: Evaluate the ESI for content and context, including key patterns and topics.8. Production: Deliver the ESI to relevant parties.9. Presentation: Display data findings at depositions, hearings, trials, etc.

IT department1- Where, when, why and how the company stores and destroys data as well as how to retrieve it.2- The IT team's role has to begin with information management, well before there's any hint of litigation. 3- Successful e-discovery that minimizes costs relies on an organization's information management strategy, namely its data retention/destruction policy and data management system.

Experts advise that:

1- IT professionals familiarize themselves with the basics of e-discovery law and legal terms. 2- An organization's IT and legal departments collaborate on important policies and procedures for e-discovery, such as which formats data should be archived in or how long to store metadata.

Penalties The UBS Warburg case set a precedent for identifying, preserving and producing emails and implementing litigation holds. Other high-profile cases have subsequently resulted in heavy sanctions for spoliation.

PricewaterhouseCoopers was penalized with a $345 million judgment for not preserving materials under a litigation hold.

Morgan Stanley was ordered to pay $1.45 billion following a ruling of e-discovery violations, although the ruling was later overturned.

Monetary damages aren't the only penalties for noncompliance. Failure to comply can also result in a company's own employees being barred from testifying or other evidence being excluded. Noncompliance can also lead to an "adverse influence" jury instruction that can cost a company the case.

Penalties

Judges have held also companies in contempt for not fully complying with e-discovery rules.

1- A judge in Louisiana recently called Dell Inc.'s e-discovery conduct "unconscionable" after learning that the company's search efforts in an ongoing case did not include words such as camera.

2- Arthur Andersen was handed a criminal conviction for obstructing justice for shredding records just before being handed a subpoena from the U.S. Securities and Exchange Commission. Even though it was later reversed, the impact of this charge played a large part in forcing the company to shut down and ushered in the conditions for the Sarbanes-Oxley Act.