Impact of Revised Federal Rules on CyberForensic Practice
Watershed for all CyberForensics? What will be FRCP’s Impact Beyond Jurisdiction of Federal Civil Litigation Rules?

Some Litigators’ Vision of Discovery
• “As a litigator, I will tell you documents are just the bane of our existence. Never write when you can speak. Never speak when you can wink.”
  – Statement of Jordan Eth, Sarbanes-Oxley: The Good, The Bad, The Ugly, Nov. 10, 2005, on panel hosted by the National Law Journal and Stanford Law School’s Center on Ethics, reprinted in Nat. L.J. at p. 18 (Dec. 12, 2005).
• Modern update:
  – “Never type when you can write, never speak when you can whisper, never communicate when it’s understood…”

12.1.06 FRCP is CyberForensics Watershed
• Recognition of EDD, ESI, ERM
• New Processes Needed
• Costs & Burdens Recalibrated
• FRCP is Model for all ESI Processes in Range of Tribunals
  – Criminal
  – Civil
  – Regulatory
  – Congressional Watchdog Committees
  – Internal Investigations
  – SROs
  – ADR
  – Counter-Terrorism, eSurveillance, Intelligence

FRCP as Watershed
• Consciously balance EDD costs
• Reinforces attorney-client and attorney work product privileges in certain ESI
• Clarify requester’s right to prefer some ESI forms
  – e.g., native format with meta-data intact
• Clarify when the target’s duty arises to preserve ESI following a “litigation hold” by providing a “safe harbor” from spoliation sanctions
• Elevates electronic records management (ERM) by compressing EDD schedule so most firms must plan for EDD before litigation by:
  – inventorying and monitoring all ESI
  – designating EDD teams
  – informing litigators about ESI repositories
  – generally adopting ERM best practices, ex ante
• May result in standardized discovery protocols

Some of the Major FRCP Revisions
• Cooperation
• Planning
• ESI emerges
• Privilege Preservation
• Pace Quickens
  – Are all litigators sufficiently tech savvy?
• ERM ubiquity predictable
• 3d P Service Providers
  – Essential for expertise
  – Essential for scalability & work capacity

New Federal Rules
• U.S. Judicial Conference developed & approved
  – Public comment
  – U.S. Supreme Court approved
  – Congress failed to change, effective 12.1.06
• Revisions address some abuses in obfuscation and destruction of evidence
  – Truncates pre-trial motion delays with mandatory EDD planning
  – Clarifies discoverable electronic forms of information
  – Strikes new balance in the burdens of EDD

Electronically Stored Information - ESI
• Not explicitly defined in the amended 12.1.06 FRCP or in the official Committee Notes
• Nevertheless generally understood as:
  – information created, manipulated, communicated, stored, & optimally used in digital form
  – Requires use of computer & s/w
• ESI distinguishable from “conventional” or analog records
  – E.g., writing/typing/printing stored on paper, images printed on paper, analog photographic images, analog sound or video recordings, microfilm …

ESI
• Should now more clearly include info targets frequently resisted producing:
  – Content & meta-data of word-processed docs, various formats
  – spreadsheets,
  – e-mail including attachments,
  – instant messages (IM),
  – Voice-over Internet Protocol (VoIP),
  – personal data assistants (PDA) storage,
  – most other databases of

Continuing Role of Traditional Discovery
• Interrogatories may still be useful:
  – Requesters may query about:
    • Repositories of printed docs
    • ESI existence, custodians, formats & locations
  – Interrogatories must be answered accurately & completely
  – Potential challenge to inventory exhaustively
    • EX: portable storage devices, PDAs, laptop computers, cellphones, iPods, flash memory devices (thumbdrives)
• But, more cooperation now required

Cooperation & Planning
• Scoping, protocol & planning of EDD
• Rule 16(b) requires parties to meet quickly following filing of complaint
• Must negotiate discovery scope
  – Within 120 days of service of complaint
  – Protocol agreed upon on scope of EDD
• Practical effects:
  – litigators must quickly understand IT environment of their clients & of opposing parties
  – Inform protocol design
• Protocol uniformity likely
  – de facto EDD standards may emerge
• Intended to diminish expense of delaying tactics
  – EX: motions to compel, counter motions to resist
  – EX: Zubulake & Rambus litigation
  – Short time to issue RFPs for:
    • EDD &/or litigation support service providers
    • Should establish service level commitments (SLC) & metrics ex ante
    • Manage requests, collection, review & production

Cost Balancing
• 2 tiered cost balancing: accessible & non-accessible
  – Targets shoulder costs of providing “accessible” ESI
    • When responsive to a proper request and relevant to litigated issues
  – Production costs borne by requester for “not readily accessible” ESI
    • Requesters may challenge target’s inaccessibility designation
• Process:
  – 1st requester makes demand
  – 2nd implicitly target must understand ESI accessibility to reply
  – 3rd denial empowers requester to file a motion to compel production
  – 4th target must provide detailed proof that ESI production would impose an undue burden
    • Target’s resistance legitimately justifiable only when informed by an accurate ESI inventory
    • Inaccessible ESI must still be preserved until litigation hold is released, such as following litigation & appeals

Form of ESI Production
• Form of ESI produced may
  – impose greater search costs &
  – hide potentially relevant metadata
• Revised FRCP attenuates contention
  – Requesting party may choose format
    • Facilitate search & review
    • May seek native formats w/ metadata
      – EX: track changes metadata may reveal revision authors & dates, deleted concessions, compromises, faux pas.

Safe Harbor
• Lost, unrecoverable from regular business process
• Documents destroyed after litigation hold
  – Imposes preservation duty
  – Exposes target to spoliation &/or obstruction
• New FRCP permit limited safe harbor
  – ESI lost, overwritten or otherwise unrecoverable
  – If done as part of regular business practice of document destruction
  – Further enhances 3d P Services Opportunities
    • Litigation support
    • EDD service providers
    • Improved document destruction practices expected

Clawback
• FRCP Rule 26(b)(5)(B) enables the target to retrieve privileged information inadvertently disclosed
  – Optional procedure retroactively asserting privilege after inadvertent production
• Clawback Agreements - parties may agree that privileged or protected (trade secret) information inadvertently produced during quick paced eDiscovery must be returned or destroyed & w/o waiving privilege

Clawback under FRCP Rule 26(b)(5)(B)
• Information Produced. If information is produced in discovery that is subject to a claim of privilege or of protection as trial-preparation material, the party making the claim may notify any party that received the information of the claim and the basis for it. After being notified, a party must promptly return, sequester, or destroy the specified information and any copies it has and may not use or disclose the information until the claim is resolved. A receiving party may promptly present the information to the court under seal for a determination of the claim. If the receiving party disclosed the information before being notified, it must take reasonable steps to retrieve it. The producing party must preserve the information until the claim is resolved.

Privileges
• Encourage free flow of info in certain preferred relationships
• Protects privacy of client or beneficiary of relationship
• Instrumental Justification: Professions
  – Frank disclosure needed for service adequacy would not be forthcoming

Attorney-Client Privilege
• Since Elizabeth I (1533-1603)
• party seeking the protection of actual or prospective client, can be a corporation (management must assert)
• communication must be between client and an attorney acting as counsel
  – privilege protects communications to and from attorneys
  – communications with attorneys’ agents
  – communications conveying advice of counsel
  – Third party communications (e.g., consultants) generally not protected, unless consultant retained directly by

Attorney-Client Privilege
• communication made in confidence
  – Not before 3d Ps
  – "Public" communications not protected
• purpose of communication must be to secure or provide an opinion of law or legal assistance
  – protects legal advice and factual information communicated to receive legal advice
  – privilege does not protect underlying facts, business or other non-legal advice.
• privilege must be asserted - does not automatically attach
  – claimed at the time of demand by 3d P

Attorney-Client Privilege
• Privilege belongs to corporation, not to individual managers or employees
  – Corporation can waive privilege over individual employees’ objections
• Privilege easily lost or "waived" by disclosures to third parties
  – E.g., voluntary disclosure - in response to interrogatories or subpoenas
  – Involuntary or accidental disclosure
• Crime Fraud Exception
  – Client gives atty criminal evidence or atty knows of future criminal plans

Attorney Work Product Privilege
• Protects materials prepared by a lawyer in preparation for trial from being seen and used by the adversary during pre-trial discovery or @ trial
  – Reflecting legal opinions or strategy
  – Records prepared in anticipation of litigation
  – Divulge an attorney's theory of a case
  – Divulge litigation strategy

Spousal Privilege
• Valid Marriage under Law
• Marital Testimonial
• Marital Communications

Professional Privileges
• Doctor Patient Privilege
• PsychoTherapist-Patient Privilege
• Clergy-Penitent Privilege
• News Reporter & Source Privilege

State Secrets Privilege
• A/K/A Military & Diplomatic Secrets, Executive Privilege, Agency Privilege, Law Enforcement Privilege, Privilege for Required Reports
  – EX: Pentagon Papers, Watergate, Ollie North
• Confidential Informant Privilege

Self-Incrimination Privilege
• 5th A
  – No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
  – Prohibits the government from forcing individual to provide evidence, answering questions, leading to criminal prosecution
  – Applicable to one's papers & effects
• Statements that might expose individual to criminal prosecution

How does Society Add New Privileges?
• EX: Self-Evaluation Privilege
• Must evaluate, weigh, balance factors:
  – Societal importance of the relationship
  – Intrusion Offensive to societal values
  – Expectation of confidentiality
  – Confidentiality essential to relationship
  – Likely Barriers to Relationship w/o Privilege
  – Societal benefits

Sensible & Regulated ERM

ERM as a Mandatory Planning Activity

Regulatory Requirements

Responsible Outsourcing

Managing 3d Party Service Providers

Electronic Records Management (ERM)
• ERM is the "systemic review, retention, & destruction of documents received or created in the course of business"
• Broad range of policies, procedures & classification schemes
  – Doc retention – really destruction schedules
• ERM policies can reduce EDD costs
  – Can reduce costs to supply information requests if promptly found, preserved & protected against accidental deletion
  – Disruptions avoided

Some Record Retention & ERM Requirements
• IRS
• SEC
• EPA
• EEOC
• DOD
• Banking
• Healthcare
• See http://www.irch.com/
  – Information Requirements Clearinghouse
  – Donald S. Skupsky, JD, CRM, FAI, MIT

Financial Services ERM
• SEC Record Retention Rules
  – SEC Rule 17a-4
• NYSE Record Retention Rules
  – Rules 440 & 472
• NASD Record Retention Rules
  – NASD Conduct Rule 3010
  – NASD Conduct Rule 3110
• CFTC Record Retention Rules

Sarbanes-Oxley Section 404
• Foreign Corrupt Practices Act (FCPA)
  – Internal Control Requirements §13(b)(2)(B)
  – See SEC vs World Wide Coin Invest., 567 F.Supp. 724 (N.D.Ga.1983)
• Section 404 requires public cos certify internal control
  – Corporate Management & Indep. Auditors
  – Co’s records support transactions, positions, & financials
  – Audits: financial records maintenance & mgt
    • Including records mgt programs & correspondence
• Need records reflecting all transactions
• Need records management programs that retain all records for adequate periods
  – Must enable Co to locate records when needed
    • EX: litigation, enforcement actions

Sarbanes-Oxley Section 404
• Recordkeeping programs mandatory for Whistleblower communications
• Audit Work Papers - all public accounting firms retain audit work papers for 7 years
  – Includes paper & e-records incl e-mail
  – correspondence for both audit firms and cos.
• PCAOB subpoena powers from Cos now de facto 7 year retention

Sarbanes-Oxley Section 404
• Penalties for inappropriate destruction of business records.
  – Willful destruction of corporate audit records
    • Imprisonment up to 10 years
  – Destroying or altering records to impede a federal investigation or bankruptcy case, tampering with records, or impeding an investigation
    • Prison terms of up to 20 years
  – Implications of Sourbox penalties:
    • Ad hoc suspension of records destruction, either in anticipation of litigation or across the board as a protective measure

SEC Record Retention Rules: SEC Rule 17a-4
• Rule 17a-3 Info of Member, broker, dealer
• SIX YRS: for not less than 6 years
  – 1st 2 years in easily accessible place
• Blotters - itemized daily record of all purchases and sales of securities, all receipts and deliveries of securities, all receipts and disbursements of cash and all other debits and credits. Ledgers (or other records) reflecting all assets and liabilities, income and expense and capital accounts.
• Ledger accounts showing all purchases, sales, receipts and deliveries of securities and commodities for customer accounts
• A securities record or ledger separately for each security as of the clearance dates all "long" or "short" positions

SEC Record Retention Rules: SEC Rule 17a-4
• THREE YRS: not less than 3 years
• 1st 2 years in accessible place
  – Check books, bank statements, cancelled checks, cash reconciliations.
  – Bills receivable or payable
  – Originals of all communications received and copies of all communications sent.
  – Trial balances, computations of aggregate indebtedness and net capital (and working papers in connection therewith), financial statements, branch office reconciliations, and internal audit working papers, relating to the business of such member, broker or dealer
  – Guarantees of accounts and all powers of attorney
  – Written agreements
  – Records containing 15 enumerated items
  – Every such member, broker and dealer shall preserve for a period of not less than 6 years after the closing of any customer's account any account cards or records which relate to the terms and conditions with respect to the opening and maintenance of such account.

NYSE Record Retention Rules
• Rule 472 Communications with the Public
• Rule 440. Books and Records

Every member not associated with a member organization and every member organization shall make and preserve books and records as the Exchange may prescribe and as prescribed by Rule 17a-3. The recordkeeping format, medium and retention period shall comply with Rule 17a-4 under the Securities Exchange Act of 1934.

NASD Record Retention Rules
• NASD Conduct Rule 3010 Supervision
• NASD Conduct Rule 3110
• Broker-Dealer Email & IM Archiving Compliance if NASD, NYSE regulated
  – Must supervise & therefore monitor electronic communication since May ’03
  – Supervise, sample, review, educate, train, monitor, audit trail, records of reviews
  – Preserve all customer correspondence

EU Data Retention Directive
• EU Directive 2002/58/EC
  – http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf
• Enhances law enforcement in EU nations
  – Does not enhance civil litigation in EU nations
• Requires retention of various eDocs
  – member states may pass laws mandating retention of traffic & location data of communications
    • mobile phones, SMS, landlines, faxes, e-mails, chat rooms, Internet, or other electronic communication devices

EU Data Retention Directive
• Reverses 1997 Telecom Privacy Directive
• Explicitly permits EU national laws to compel ISPs & TelCos to record, index, & store communications data
  – Traffic data - all data generated by conveyance of communications on electronic communications network
  – Location data - data indicating the geographic position of mobile phone user (CPNI in U.S.)
  – Contents NOT covered
• Permissible purposes:
  – National security, criminal investigations and prevention, prosecution of criminal offences
  – Without specific judicial authorization.

EU Data Retention Directive
• Controversial & Compliance Spotty
  – Belgium, France, Spain, UK
  – http://www.dataretentionisnosolution.com
  – Opposition: EDRI & XS4ALL petition campaign
  – TelCos & ISP oppose the costs & customer mistrust
• Opposition driven by Individual Privacy not Corporate Confidentiality
• Austrian Fed Const Ct. held unconstitutional the Austrian statute compelling TelCos & ISPs to implement wiretapping measures at their own expense 2.27.03

Outsourcing EDD & 3d P Service
• Determine provisional scope of project
• Assess Internal Expertise & costs
• Survey 3d P vendors
  – Retain Consultant to find the consultant
• Determine what can be done by low cost/low tech vendors
  – E.g., photocopying

Outsourcing EDD & 3d P Service
• Outsourcing - practice of contracting with outside 3d P to provide service or product otherwise too expensive, complicated, or time-consuming to do internally
• EDD Outsourcing is BIG growth indus
• Some respected & reliable vendors using proven technologies
  – However, many new startups w/ unproven technologies & methods
• Domestic 3d party service provider vs. Offshore outsourcing?
  – Exporting IT-related work from developed nation (U.S.) to low cost (hopefully stable & reliable) nation

Factors in evaluating outsourcing
• Price, performance duties, reputation
• Metrics tied to performance
  – Defined in: Service Level Commitments (SLC)
• Remedies for breach reasonably available
• Direct experience with client media
• Scalability capacity w/in expectations
• Who owns, controls client’s data?

Factors favoring outsourcing
– Cost
  • RFP, must know project scope
  • Developed ERM informs well
  • Reasonable Scalability add-ons
– Engagement letter (K)
– Multi-disciplinary teams
  • In/Out-House reps from all key areas
    – IT, legal, 3d party, implicated divisions
– Mutual education defining project & roles
– Action plan, milestone performance reviews, progress pmts
– Are wage rates primary cost component?
  • Regulatory costs in pet food gluten outsourcing

Legal Issues in Outsourcing
• Concluding the Consulting Contract
  – Negotiating an Engagement Letter
    • Offer
    • Acceptance
    • Is all defined in the Written Agreement?
  – Third Party Rights
    • Assignment: client transfers rights
      – Merger, sale of assets, acquisition, scalability
    • Delegation: outsourcing by the outsourcer
    • 3d Party Beneficiaries

Legal Issues in Outsourcing
• Performing the Consulting Contract
  – Perfect Tender Rule
    • Specificity of Deliverables, timetables, performance metrics
    • Scalability again: accommodating flexibility for client, by consultant or service provider
  – Substantial Performance
  – Material Breach
    • SLC standards, Metrics, Legitimacy of Evaluations
• Remedies for Breach
  – Client breach: pmts, cooperation
  – Consultant or service provider breach

Legal Issues in Outsourcing
• Adequately Imposing Duties
  – Assuring Clients’ Customer Privacy
  – Assuring Client’s Data Security
• May need to address other contractual issues such as:
  – IP ownership, compliance with domestic vs. foreign laws
    • EX: privacy, security
  – Indemnity
  – Audit co-operation (e.g., SAS70)

Audit Issues in Outsourcing: SAS 70
• SAS70 Report: Service Orgs
  – in-depth, indep. audit of 3d P serv. org.
    • EX: ASP, bank trust dept, claims process centers, Internet data centers, data processing service bureau
  – Impact on client's (user) control environment
  – SOX: cannot offload mgt’s control duties
• 3d P’s include controls over info tech & related processes
  – Uniform Service Auditor's Report of 3d P’s control activities & processes
    • Disclosed to client (user) & client’s auditors

Audit Issues in Outsourcing: SAS 70
• Type I Report: service auditor opinion
  1. whether service organization's description of controls presents fairly, in all material respects, the relevant aspects placed in operation as of a specific date, and
  2. whether controls suitably designed to achieve specified control objectives
• Type II report: service auditor opinion
  1. same items in Type I report, PLUS testing
  2. whether controls tested were operating effectively to provide reasonable (not absolute) assurance that control objectives were achieved during a specified period (6mo)

SAS 70: Client/User Perspective
– Outsourcing to 3d P unable to pass audit can denigrate client/user audit
  – Frustrates quick & dirty cost savings from poorly managed 3d P serv org
– Outsourcing to 3d P passing SAS audit can justify outsourcing
  – Enables assurances to Client’s customers
– Opportunity to encourage or harmonize 3d P control technique improvements

SAS 70: 3d P Service Organization Perspective
– No duty to submit, cooperate or bind subcontractors unless user’s engagement letter obligates
  – May cause client/user surprise & difficulty
– SAS 70 Compliance could become marketing point
– Opportunity to improve controls following independent assessment

Regulated ERM: Presidential Records
• Archiving Administration eMail
  – Presidential Records Act (PRA) of 1978, 44 U.S.C. §2201-2207
  – Governs official records of Pres & VPs
  – Created or received after Jan. 20, 1981
  – Changed the legal ownership from private to public
  – Established new statutory structure for Presidents to manage records

Presidential Records Act:
• Defines & states public ownership of the records.
• President has custody and management responsibility
• Allows disposal by incumbent President
  – If records no longer have administrative, historical, informational, or evidentiary value
  – after obtaining views of U.S. Archivist
• Requires President & staff to take all practical steps to file personal records separately from Presidential records.

Presidential Records Act:
• Establishes process for restriction & public access
• PRA allows for public access through FOIA
  – beginning five years after the end of the Administration,
  – allows the President to invoke as many as six specific restrictions to public access for up to twelve years.
• Establishes procedures for Congress, courts, and subsequent Administrations to obtain special access to records that remain closed to the public
  – Requires 30 day notice to former & current Presidents
• Requires similar treatment of VP records

Current AG Gonzales Crisis
• White House eMail policies allegedly violate PRA
• White House eMails lost
  – Processed via RNC’s ISP accounts
• Congressional Watchdog Subpoenas to determine US Atty Firings process, purpose, plans
• Gonzales Testimony Postponed
• How can the White House successfully assert Executive Privilege?