Here's a continuation of my postings about the Electronic Discovery Institute's online e-discovery certification program, which you can subscribe to for just $1. I last blogged about this program on February 4, 2018. Go to https://www.lawinstitute.org/ to sign up for it.

This course on information security is taught by Lisa Sotto, the managing partner of Hunton & Williams; Corey Hirsch, the CIO of Teledyne LeCroy; and Renee Meisel, a legal director at Dell specializing in cybersecurity.

Introduction & Overview

Cybersecurity is emerging as the top risk area for many companies. Post-Target (in December 2013 there was a data breach affecting more than 100 million Target customers) there has been a heightened focus on cyber security issues. This event caused a CEO to resign for the first time. The increase in regulation has also led to increased focus on cyber security issues. The newly revised NIST standards and Defense Federal Acquisition rules have also caused people to be more aware of cyber security issues.

Legal Risks with Information Security

The regulatory landscape has changed. Legal risk is a moving target. The expectations of legal regulators may change over time.

Information security laws dictate security requirements. Data breach notification laws are a separate category that requires businesses to notify individuals if their personal information was acquired by an unauthorized person.

There are flow-down requirements in government-sourced contracts. Export control laws may lead to punishment for allowing data to be hacked. It is not clear which insurance protections will pay out under which circumstances involving data breaches.

Different countries have different spam regulations, but email addresses usually no longer specify the nationality of a recipient.

The Intersection of Data Privacy & Data Security

Privacy goes hand in glove with data security. There are three different kinds of attacks: on confidentiality, on availability, and on integrity. Pursuing one factor as a priority may lead to strength in another area being compromised.

The Ashley Madison hack involved a breach of data on a dating site that was published on the dark web. The individuals whose data was posted were susceptible to blackmail.

Data privacy concerns what needs to be protected, but information security focuses on how to protect the information.

Assessing the Information Security Risks

No industry is exempt from cyber security threats. Hackers will go after any kind of company. Each organization should know what its active gird threat looks like. It should know to what extent ransomware and business email compromise can prevent it from reaching its business objectives. Law firms may have data that will have a high market value on the dark web. Companies will face great pressure to pay ransomware demands.

Companies that protect customer information, such as credit card information or healthcare information, will need to focus on information security practices. Any company whose value is based on intellectual property will have to make an effort to protect its data secrets and will have a duty to its shareholders to do so.

Types of Security Threats

There are three types of actors:

1. Traditional hackers.

2. Nation states - advanced persistent threats.

3. Hacktivists

Insiders can fall into any of these categories. Rogue actors at vendors may have access to protected data of great value. Losses related to advanced persistent threats total more than $500 billion. More than 4,000 ransomware attacks are made daily.

Phishing has become as big of a concern as brute force attacks.

International Data Security

Hirsch related a story of an elderly professor in the UK who did not come into work one day. The faculty checked to see if he had logged into his email over the weekend in order to confirm that he had not experienced a health problem. This led to a conviction for a breach of privacy.

The first breach notification law became effective in the United States in 2003. There has been an effort to pass laws imposing information security requirements on businesses. China recently enacted cyber security legislation.

Compliance may be difficult when there is a patchwork regulatory framework. There are often aspirational guidelines rather than specific rules. There can be variances in the time to issue notifications about data breaches. Individual country notifications may be necessary in addition to the need to notify the EU data protection authority.

Information Security & eDiscovery

Access to broad, distributed databases and the ability to preserve data that may be deleted are important concerns in the electronic discovery field. Security controls over information are an important consideration. Third party vendors may have control over important information. Records should be kept of which information is deleted.

Safeguarding Information During Discovery & Litigation

Role-based access controls should be enforced and communicated to vendors that have access to confidential data. Access control lists should show who has rights to read, write and edit data. Non-disclosure agreements should be implemented. Encryption, as well as multi-factor authentication, should be used for cloud services.

Government Agencies Involved in Information Security

The Federal Trade Commission is the federal agency which has taken the lead in information security concerns.

Responding to a Data Breach

When an issue comes in the door, it must be escalated appropriately. There should be a hotline so the right people can be contacted.

The legal department can help bolster risk assessments and business cases. It's very important that the legal department be embedded from the start. It's also necessary to determine if a legal hold should be implemented. It's important to understand what data will be needed from a regulator in order to do a data breach analysis. External parties, including law enforcement and bloggers, may be the first to notify a company that its data has been breached.

Tabletop exercises should be conducted so employees know how to respond to a data breach.

A cyber incident response playbook should be prepared to deal with scenarios such as the loss of email communications or the need to access backed up data. The need to preserve evidence should not be neglected. In the event of a ransomware attack, a file server should not be taken offline before the infected host is located. There should be predefined data backup strategies. Companies should be prepared to respond to data breaches without the use of important electronic systems.

Further Education & Conclusions

Black Hat and Ignite offer immersive training in how to deal with cyber security issues. Attorneys should spend time with their information security professionals.


 
 

To get the right answer to the above question, don't ask former Donald Trump advisor and attorney at law Sam Nunberg. Mr. Nunberg made the rounds of the cable news programs yesterday, and expressed his astonishment that he was expected to review and produce his personal emails in response to a grand jury subpoena issued in connection with Robert Mueller's Russia investigation. He wondered if it would take him 20 hours to review his emails - or then again he thought it might take him 40 hours . . . and even later he speculated that it would take him 80 hours! Maybe he should simply give the FBI the password to his email account!

An excerpt from the subpoena is posted here. It specifies that "Production with respect to each document shall include all electronic versions and data files from email applications, as well as from word processing, spreadsheet, database, or other electronic data repositories applicable to any attachments, and shall be provided to the grand jury where possible in its native file format and shall include all original metadata for each electronic documents or data file." The documentation relates to communications between Mr. Nunberg and Donald J. Trump; Paul Manafort; Steven Bannon; Carter Page, and others, from November 2015 to the present.

Courts rarely find such requests for productions from personal email accounts to be burdensome. In Sunderland v. Suffolk County, 2:13-cv-04838-JFB-AKT (E.D.N.Y. June 24, 2016), Magistrate Judge A. Kathleen Tomlinson ruled that, "the Court concludes that Plaintiff has the right to pursue emails and other correspondence the Individual . . .. Defendants may have created/saved on their personal computers or sent from their personal email accounts. The Court does not consider the requested discovery unduly intrusive or burdensome." The defendants in the suit were physicians. A transgender inmate brought a 42 U.S.C. 1983 action against them for violations of her rights under the Eighth Amendment. The document request was limited to a date range of four years, and the parties agreed upon particular search terms. The limited excerpt of the subpoena doesn't indicate if search terms were proposed to Mr. Nunberg, but if they were not, proposing such terms might appear to be the logical next step for him to take.


 
 

Here's a continuation of my outline of the 2016 edition of Craig Ball's Electronic Discovery Workbook which I last posted about on January 13, 2018.

XV. Computer Back-up Systems

A. General
   a. Movement of data to the cloud.
   b. Growth in hard drive capacities.
   c. Increased use of virtual machines.
   d. Use of replication – D2D2T (Disk-to-Disk-to-Tape) – disk staging. Backups stay on disk for a day to a week before being copied to tape and deleted afterwards.

B. Back-up Tapes
   a. Full backups ignore software that can be reinstalled and focus only on user-created data.
   b. Incremental backups – only focus on data created since the last full or incremental backup.
   c. Tape is cheap, durable and portable, primarily used for disaster recovery. Should be recycled regularly – tape rotation.
   d. Legacy tapes may be retained indefinitely by many companies.

C. Duplication, Replication and Backup
   a. Duplication – copy made to another medium.
   b. Replication – duplication without discretion, e.g., RAID 1 mirroring.
   c. Backup – alteration of data and logging of content with software that compresses and encrypts.

D. Back-up Systems
   a. Drive imaging – collection of bitstream in a single file or chunks of data.
   b. Full backups / changed-file (since last full) backups.
   c. Incremental backups – based on status of a file’s bit.
   d. Differential backups – based on file’s created and modified times.
   e. Delta block – differences in version of file since last back-up.
   f. Back-up catalog – tracks source and metadata of each file. Can facilitate single instance backup of identical files.
   g. Tape log – list of backup events.

E. Back-up Media
   a. LTO-7 – 4 inch cartridges holding 6 TB transferring at 300 MB per second.
      i. Linear serpentine recording schemes.
   b. SAIT-2 tape systems – 8 mm tape with 800 GB of storage. Sony stopped selling in 2010.
      i. Helical recording system.
   c. eMag Solutions – specialists in back-up tapes estimate that it takes twice as long to restore data from back-up tape as stated capacity and transfer rates would suggest. For common tape data types theoretical data transfer time would be 1.5 to 3.5 hours, but real world time would be 4 to 7.5 hours.
   d. Disk backup intervals are currently on a par with tape rotation intervals. Tape is not as often used for disaster recovery, but usually only for long term storage.
   e. Virtual Tape Libraries – VTLs – disk arrays emulating tape drives so existing software and backup routines did not need to change.

F. Compression
   a. Use of computing power to express information in more compact ways.
   b. Saves time, tape and money needed for backups.
   c. Compression algorithms tend to be proprietary and require particular software.

G. Deduplication
   a. Duplication from one backup to the next is often as high as 90%.
   b. Vertical deduplication – deduping within a single custodian’s email archives and electronic files.
   c. Horizontal deduplication – across multiple custodians.
   d. In-line deduplication – hash value calculated for each file or data block. If already stored, not backed up.
   e. Post-process deduplication – all files stored on backup medium first, then culled.

H. Data Restoration
   a. Burden and cost of creating a restoration platform for backup data was the main reason why it was judged not reasonably accessible.
   b. New technology eliminated the need to recreate native computing environment to restore files.
   c. Non-native restoration – new technology eliminates the need to use particular backup software or recreate native computing environment. Can extract specific files from back-up sets.
   d. It can be cheaper to retrieve ESI from back-up tapes than from active data.

I. Sampling
   a. Selecting parts of tape most likely to contain responsive information and using them as a basis to decide whether or not to restore more.
   b. Selection of data snapshots rather than a selection of tapes.

J. Cloud Backups
   a. Eliminates the need for user backups and occurs behind the scenes.
   b. The distinction between inaccessible backups and accessible active data stores will soon be just a historical curiosity.
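The in-line, vertical and horizontal deduplication items in section G and the back-up catalog item in section D can be shown together in a short sketch. This is an added example, not code from the workbook or this blog; the use of SHA-256, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: (custodian, path, content). Not from the workbook.
SAMPLE_FILES = [
    ("alice", "inbox/offer.msg", b"Q3 offer letter"),
    ("alice", "sent/offer.msg", b"Q3 offer letter"),   # same content, same custodian
    ("bob", "inbox/offer.msg", b"Q3 offer letter"),    # same content, other custodian
    ("bob", "docs/notes.txt", b"meeting notes"),
    ("alice", "docs/notes-v2.txt", b"meeting notes v2"),
]


def dedupe(files, scope="horizontal"):
    """In-line deduplication: hash each file as it arrives and store it only
    if that hash has not been seen within the chosen scope.

    scope="vertical"   -> compare only within one custodian's files
    scope="horizontal" -> compare across all custodians
    Returns (store, catalog). store holds the single stored copy per key;
    catalog records every (custodian, path) source that mapped to that key.
    """
    if scope not in ("vertical", "horizontal"):
        raise ValueError("scope must be 'vertical' or 'horizontal'")
    store = {}
    catalog = defaultdict(list)
    for custodian, path, content in files:
        digest = hashlib.sha256(content).hexdigest()  # SHA-256 is an assumption
        owner = custodian if scope == "vertical" else None
        key = (owner, digest)
        if key not in store:          # first sighting: back it up
            store[key] = content
        catalog[key].append((custodian, path))  # always log the source
    return store, dict(catalog)


def custodians_for(catalog, content):
    """List every custodian the catalog shows as having held this content."""
    digest = hashlib.sha256(content).hexdigest()
    found = set()
    for (_owner, stored_digest), sources in catalog.items():
        if stored_digest == digest:
            found.update(custodian for custodian, _path in sources)
    return sorted(found)
```

Horizontal deduplication stores one copy of the offer letter instead of two, and the catalog is what still shows that both custodians held it.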


 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

© 2015 by Sean O'Shea