Welcome to Volume 3, Issue 21 of The Internet Security Conference newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
As some of you know, I'm a contributing series editor for Artech House Publishers. I recently received my copy of attorney Jeffrey H. Matsuura's Security, Rights, and Liabilities in e-commerce. After thumbing through the book, I realized just how often security folks discuss the legal aspects of computer and Internet crime, law enforcement, prosecution and litigation without (ahem) qualification. Most often, I hear people talk about electronic records and evidence. With Artech House's permission, this issue of Insight is an excerpt from Chapter 2, Managing Electronic Records and Evidence. If you like what you read here, you can order the book from Artech House or wherever Artech books are sold.
from Security, Rights, and Liabilities in
Jeffrey H. Matsuura
Published with permission from Artech House Publishers
Every electronic file, document and transaction history is a record, a piece of evidence that can be used to verify information or to demonstrate that a specific transaction, in fact, took place. This can be good news, if the record helps us to prove a factual point we want to make; or it can be bad news, if it enables another party to prove a point against our interests. Most of us are familiar with the need to manage our printed documents, such as letters, memoranda, and reports to ensure that we know what material is in our records and what inference can be drawn from those records. Many people are not as familiar with the need to manage their electronic records.
Failure to understand and manage electronic records can, however, have serious adverse consequences. Keep in mind that the law assumes that we are aware of all the information contained in our records, even if that is not actually the case. It makes us responsible for the contents of our records, and also requires us to disclose the contents of our records for public review, when ordered to do so by a court or other law enforcement authority. Failure to comply with these disclosure requirements can result in penalties imposed by governments. Those penalties include court-ordered compliance, fines, and prison terms, in some cases.
Certain types of electronic records are subject to a special legal protection. For example, various laws now require special protection for health and medical records in electronic form (e.g., the Health Insurance Portability and Accountability Act [HIPAA] in the United States). These specific categories of records are provided special legal protection as they contain material that is deemed by governments to be particularly sensitive. Parties who handle those special types of records must comply with the specific security requirements associated with those records, or face legal liability enforced by governments and by individuals who are the subjects of the records in question.
Failure to manage electronic records effectively can lead to legal liabilities to other private parties. Electronic records can be used by other parties to substantiate claims for court-ordered relief, such as monetary damages or court injunctions. Poorly managed electronic records may also undermine a party's ability to assert its own legal rights. A party may have been the target of actions that would ordinarily justify some form of compensation or other type of legal relief. If, however, that party is unable to provide evidence sufficient to support its claim for relief, it will be unable to assert its legal rights effectively. The party's electronic records will likely be an important element of its efforts to enforce its rights.
Organizations should develop strategies, policies, and practices that enable them to manage their general electronic records in a manner that helps them protect the value of those records as legal evidence. We should recognize that those records are subject to special legal requirements and ensure that the management systems applied to those special records comply with the legal obligations associated with them. Many forms of electronic records are relatively easy to identify and to manage (e.g., word processing documents, electronic mail messages). As our computer systems become more sophisticated, however, the range and complexity of electronic records increase dramatically. The list of the electronic records of many organizations now includes: cookies, cached on-line content, data tracking Web site usage, encryption keys, key-stroke monitoring data and electronic commerce transaction audit data.
The challenge of performing all necessary records management functions effectively grows as the number of electronic records increases and as additional categories of electronic information are subject to special legal oversight. Technology and the demands of business competition provide the opportunity and the incentive to retain more and more information in electronic format. Each time we have an opportunity to retain additional electronic records, we should first consider the potential legal impact of possession of those records and make a conscious decision as to whether the commercial benefits of that additional material outweigh the potential liabilities associated with the material.
When there is a legal dispute, there is a search for evidence. Evidence consists of information that helps a court or other legal institution (e.g., a law enforcement authority or a regulatory agency) to identify facts relevant to the dispute. Parties to the dispute produce evidence that helps clarify the facts, and based on that evidence, the judge or other party responsible for resolving the dispute makes a decision. Records, including electronic records, are a key component of evidence. Another important form of evidence is testimony, which consists of verbal or written statements and responses to specific questions, made under oath (i.e., subject to legal penalties for perjury if they are untrue), that provide information to the legal authority involved in the case.
Evidence is gathered for a legal proceeding through a process called discovery. The discovery process is the system through which relevant evidence is disclosed to the parties and the legal institutions involved in the case. Records, documents, and testimony are all gathered during discovery. The information collected during the discovery phase of the litigation creates the factual basis for the resolution of the dispute.
Courts, legislatures, and regulatory agencies have the authority to order private parties to make evidence available. These orders are commonly referred to as subpoenas. If you receive a court order to deliver information, including records, you must provide the information to the party requesting it at the time identified for delivery. If you fail to comply with a valid court order, you may be fined or jailed for contempt of the legal authority in question. The only way to avoid disclosing the information required by the court order is to persuade the authority that all or part of the sought material qualifies for one of the exemptions against disclosure established by law. Those exemptions include reasons such as privilege (e.g., the information requested is confidential communications between an attorney and his or her client, and is thus protected by attorney-client privilege). Claims of privilege against disclosure must, however, be approved by the authority that issued the order before they will be valid.
Legal systems in the United States and other countries give courts and other legal institutions the power to compel disclosure of evidence because that information is essential to the ability of those authorities to find the facts necessary to support fair rulings. Left to our own preferences, each of us would likely disclose information selectively. We would be eager to disclose information that supported our arguments, but would be reluctant to divulge evidence that weakened our case. In that setting, authorities would have difficulty making fair decisions; thus we give those authorities the potent and important tool of compelling disclosure of evidence.
When we receive a valid legal order to produce evidence, we cannot ignore it. More accurately, if we choose to ignore the order we will be subject to legal penalties. We must respond in some way, if we want to avoid legal liability for failure to comply. This obligation to produce records and evidence in response to a valid legal order exists in all jurisdictions, and it is an essential element of an effective legal system. The acceptable responses are: full disclosure of the material requested, a request for clarification of the information sought (or for additional time to comply), or a request that the court modify the order based on a claim that all or part of the sought material is, by law, exempt from disclosure. Notice that any action other than full compliance with the order must be approved by the legal authority. If the authority does not approve our request, we must comply fully with the original order, and if we do not so comply, we face penalties for contempt.
In legal actions in which the government is a party, the subpoenas are issued directly by the government. For example, in a criminal law case, the government issues the orders to compel disclosure of information. In civil lawsuits (cases in which one private party is suing another private party) the process is a bit different. Each party in a civil lawsuit makes its own request to the other party for disclosure of information. The party receiving a request is expected to comply with that request unless it can persuade the court (or regulatory agency) that is handling the case that such compliance is not required by law. In a civil case, the party that received the request must either comply or go to the court and ask to be excused from compliance. Compliance is required unless the court grants an exemption.
Recognize the difference between a compulsory order to disclose records and other information (e.g., a subpoena issued by a court, a legislature, or a regulatory agency) and a request for information (e.g., an inquiry made by a law enforcement authority or a private party). Compliance with valid orders issued by courts or other government bodies that have subpoena power is compulsory. Compliance with disclosure requests made by parties without subpoena power, including law enforcement authorities in many jurisdictions, is voluntary. You must comply with a compulsory legal order, and you may, if you choose to do so, comply with a request for information. Of course, a request for information can become a compulsory order if the requesting party can persuade a court to make the request mandatory. It is generally a good idea to decide ahead of time which requests for information, if any, your organization will accommodate. A common and sound approach to this type of disclosure is to adopt a policy that says the organization will only disclose records when required to do so by a compulsory court order, such as a subpoena.
Subpoenas for records are often broad. The authority commonly asks for "all documents and other records" related to a particular event or activity. When an order asks for "all" records, it means all records, no matter what form those records may take or how difficult they may be to produce. For example, in a breach of contract lawsuit, a subpoena may ask for all records of transactions between the parties during a specific period of time. To comply with that subpoena, the parties would be required to deliver all paper and electronic records documenting those transactions. Those records would include copies of paper forms, but they would also include all electronic data files documenting the electronic transactions between the parties during the relevant period of time. It would be possible to ask that the request be made more specific, that additional time be provided to comply, or that some of the material requested be exempted from disclosure based on law, but it would not be reasonable to ignore the order.
Governments and private parties around the world recognize the significance of electronic records. Law enforcement authorities routinely seek court orders to seize and review computers and electronic files as part of many of their investigations. This practice is now so common that it is being integrated into new laws and regulations applicable to computer systems and their content. For example, the draft Convention on Cyber-Crime, a proposed treaty now being considered by the Council of Europe, provides for liberal access to the content of computers and computer networks by law enforcement authorities in European countries, making it easier for those authorities to search and seize computer equipment and stored content.
Private parties engaged in civil litigation also request electronic records as part of their standard discovery and document production processes. You can be certain that if you become involved in some form of legal action, the electronic records of your organization will be among the first targets of your adversary. For example, imagine that your organization has been sued by another party claiming that your organization engaged in unfair business practices. To be successful, the plaintiff in that case would like to have access to all of the internal communications (e.g., email messages, memoranda) of your organization, to look for evidence regarding your group's actions, intentions, and motivations. It is likely that the plaintiff will make a very broad discovery request.
If your organization is like many other businesses, the records in question will likely contain vast amounts of potential evidence, some of which will help your case, some of which will hurt it, and much of which will not be familiar to you and your colleagues. That situation is not a good one from the perspective of protecting your legal interests, yet it is a very common situation. To make matters worse, remember that the information that a party obtains through the evidence discovery process can generally be retained and used by the party who discovers it for purposes other than the litigation. So in our example, the records obtained by the plaintiff through the discovery process could, unless the court orders special protection for them, be used by the plaintiff for other purposes (e.g., learning more about the way your organization operates or deriving information about your current commercial condition).
Obviously that information would be quite sensitive if the party who discovers it is a business competitor, supplier, or customer of your company. This situation explains, at least in part, why businesses and individuals sometimes initiate litigation, even if they are not confident that they will ultimately prevail. Under some circumstances, the potential access to valuable competitive information, through the discovery process, may be attractive enough for commercial reasons to lead a party to go to court and bear the costs of litigation even with a relatively weak case. Courts are, of course, aware of this potential problem, and they commonly try to limit these so-called "fishing expeditions," but the risk remains a significant one. Effective management of records, in anticipation of litigation, is thus an essential process from both legal and business strategy perspectives. This challenge will increase significantly as the number of different types of electronic records increases, and parties involved in legal disputes become ever more eager to access electronic records to search for information that is valuable as legal evidence and commercial intelligence.
[ED] Sorry, that's all we have permission to print!
© 2001 - 2006 Core Competence & Mactivity, Inc.
Reprinted with permission from Artech House