BYO Online Account | Ownership

I wish to draw attention to a discussion that appears in comments under a Google Plus post.  Quinn Yost attended a SANS at Night presentation I delivered regarding Bring-Your-Own-Device law.

During the presentation, I had suggested that an employer have a contract with each employee saying that if s/he makes substantial use of an online account for work, then the employer has the option to purchase ownership of the account for $10.

Then Quinn raised his hand and observed that the terms of service at LinkedIn forbid transfer of ownership of an account.

Fortunately, Quinn then followed up on his comment.  He left a detailed comment at the Google Plus link above.  He cited the relevant language from the LinkedIn terms of service.  I am grateful that he did that because he helped me learn about the topic.

As you can see in the comments under the link, I offer an alternative to the $10 purchase option.  I suggest an agreement with the employee to the effect that the employer is deemed the owner of the account from the time the account was created.

I invite your comments!  Is my suggestion practical?  Is it fair?

Wearable Computing | Confessions to Legal Infractions

Technology increases accountability for noncompliance with law.  It creates scads of records that can be used to enforce laws.

But such heightened accountability can shock people.

Our society floats in innumerable and confusing laws.  And we are not conditioned to being judged under these laws by way of all the records that now accumulate about us.

Scoble’s Excellent Glass Adventure

Consider a technology demonstration by tech pundit Robert Scoble.  Scoble is an early tester of Google Glass, a wearable computer.  He used Google Glass to video record a short automobile trip as he drove the roads of California.  

The video depicted what he, the driver, saw as he steered the vehicle.  He narrated as the video recorded events.

He compared the navigation available through Google Glass to the navigation available through a smartphone suction-cup-mounted on his windshield.  He explained that he preferred monitoring the phone for navigation because it displayed information at a location that is safer and easier for his eyesight.

Videotaped Confession

Then, while the video recorded, he confessed that he was breaking California traffic law!  He said that in California it is illegal to suction-cup anything (his smartphone) to his windshield.

He promptly posted the video on his Google Plus page for the world to view.

Of course Scoble probably does not think it is risky to admit in a public video that he is breaking a “trivial” law.  And this incident in itself may not be legally significant in Scoble’s life.

Publication of Evidentiary Minutiae

But the incident points up a larger phenomenon in society.  More and more of the minutiae of our lives are being recorded and published for review by all, including the police, tax auditors, divorce lawyers and bill collectors.

As social media emerged a few years ago, some people naively used it to brag openly about crimes.  Early example:  A woman in New Zealand bragged on Facebook that she was collecting more welfare than she was entitled to.  The authorities saw her Facebook page and convicted her in 2009 of a crime.

Treasure Trove for Legal Adversaries

Technology like Google Glass is poised to increase the quantities of records about us by orders of magnitude.

The technology can deliver a treasure trove for legal adversaries.  Were a prosecutor wanting to prove that Scoble has a history of skirting traffic laws, this video would be discoverable by search engine.  Were a family lawyer seeking to prove that Scoble is a danger to his children, this video would be corroborating evidence that he prefers playing with his tech gadgets rather than complying with vehicle safety laws.

The big picture:  these recording technologies motivate us to be much more guarded in what we say, even when in the quiet of our own automobile.

Some would say technology imposes an unwelcome form of political correctness.

Like Being on the Witness Stand

I posted a comment under Scoble’s video saying it is unwise ever to admit in a public recording that you are breaking a law.  In other words, when you are recording yourself with Glass, assume you are on the witness stand in a courtroom.

–Benjamin Wright

Cyber Investigations: Managing Risk

In a fraud investigation, classic practice teaches the investigator to collect evidence first, then interview the subject second.  But that practice may be backwards when the evidence is on computers, on mobile devices or out in cloud computing (social media and mobile apps).

In the classic scenario, evidence was physical.  It was paper, or it was fingerprints on a file cabinet.  The evidence could be destroyed or tampered with.

Digital Evidence Changes Dynamics of Investigation

Fraud has changed.  More commonly the evidence is now digital.

This change has two implications:

1.  The evidence is much harder to eradicate than people think.

People naively think they can delete digital records.  But deleted records can be recovered from hard drives and mobile devices like tablets and smart phones.  Also, very commonly, the records are copied to lots of places due to backups, synchronization, sharing in social media and so on.

Moreover – and this is a subtle point – the number of relevant records today is far larger than was true in the past.  Our mobile phones and computer networks are collecting records of biblical proportions . . . records about whom we talked to, what we said, when it happened, which applications we accessed, what cologne we were wearing and precisely where we were at any given moment (plus more and more and more!).

2.  The collection of digital evidence can raise dicey privacy and related issues.

Our society is in shock about the quantities and details of information that technology is now collecting, storing and spreading about us.  In reaction we see a confused privacy push-back.

First example:  In the past twelve months, several states have enacted (non-uniform) legislation preventing employers from demanding social media log-on credentials from employees.

Second example:  Some networks like Facebook publish little-understood terms of service that severely limit the ability of an investigator to collect information about a network user – even so-called “public” information.

Third example:  Under broadly-worded Connecticut legislation, if an investigator collects private information, the investigator must “safeguard” it.  Connecticut gives no clue what safeguarding requires. (Encryption? Lock and key?  Final, absolute, confirmed destruction of all copies of the information?)

Privacy Issues Connote Risk

Privacy issues create risk for the investigator.  Hence, when management of a restaurant read the contents of an invitation-only Myspace forum set up by employees, it infringed the privacy of the employees.  As a consequence of the privacy violation, a jury held the restaurant owed employees back wages and punitive damages.

Similarly, the administration at Harvard University angered the faculty when it surreptitiously conducted a limited search of the emails of 22 deans (related to an investigation of a data leak).

Response to Risk: Soft Investigative Steps

This change in evidence from physical to digital gives an investigator incentive to work differently.  The investigator is often wise to take “soft” investigative steps before aggressively grabbing evidence off of a social network or a mobile device.

These soft steps include:

A.  Give the target of the investigation a preservation letter.  The letter would warn the target not to destroy evidence and would educate the target that any effort to destroy evidence can probably be detected and punished.

B.  Interview the target and transcribe the interview.  Present to the target the allegations that have arisen.  Explain to the target that lying will dig the target’s hole deeper.  Lying can ultimately be uncovered through the many sources of evidence (emails, texts, photos, videos, meta data), brought forward through appropriate procedures such as a subpoena or eDiscovery in a civil lawsuit.

Results of Soft Investigative Steps

If the target of the investigation is guilty and wise, s/he will confess.

If the target is innocent, s/he may voluntarily turn over a lot of convincing evidence to refute the allegations.

In any case, taking the soft steps first helps the investigator reduce risk of violating a privacy or stalking law.

–Benjamin Wright

Smartphone Forensic Alibi

Latest smartphones sport a spectacular array of sensors.  That array expands as you consider all the mobile accessories, like heart rate monitors, that can be used with the phones.

Detailed History

These phones, sensors and apps that operate them can collect and record jaw-dropping detail about the user’s personal history, including the following, coupled with time and date:

* geolocation

* ambient temperature

* body temperature

* barometric pressure

* humidity

* interaction with apps like messaging, social media or motor vehicle functions

* hand motion

* speed and direction of movement

* front and back cameras

* microphone

* compass

* eye movements!

* REM sleep

* more, more, more

All the data collected by mobile devices is often thought of, from a forensics perspective, as providing evidence that the user did something wrong.  Mobile evidence can be used to prove, for example, that a suspect was at the scene of a crime or that a bully transmitted a threatening message to a victim.

Prove Innocence

But mobile sensors are a forensic two-way street.  They might help a user prove a negative . . . prove she did not do something.

In 2011 a motorist persuaded a court to dismiss a speeding ticket in part owing to GPS data from the motorist’s Android phone and tracking app.  The data showed the motorist was traveling within the speed limit, contrary to the opinion of a police officer.

Exculpatory Evidence

When data is marshaled intelligently, a cell phone owner may be able to refute an allegation of drug abuse . . . or disprove an accusation of date rape . . . or dispute a claim of marital infidelity.

This growing panoply of forensic data creates an arms race among adversaries.  They compete to discover

(A) what the data is,

(B) where it is located (on-board, in app-cloud or synced to other device),

(C) how it can be extracted, and

(D) what it means.

Expert Psychological Opinion

Much hinges on interpretation.  Industries of experts and analytical software will blossom to opine on whether the data show the suspect ran from the scene of a crime or merely walked away from an insignificant location.

Forensic psychologists will assess whether a slow, steady decrease in blood pressure denotes a clear conscience . . . or the introduction of a sedative.

–Benjamin Wright

Attorney Wright humbly teaches the law of data security and investigations at the SANS Institute.

Update:  Christa Miller reports that social media proved that a murder suspect was innocent.

Big Data Catches Insider Trading

A subpoena from the Securities and Exchange Commission led to the downfall of a prominent CPA.

A senior auditor at KPMG, Scott London, had been passing secrets about public audit clients (e.g., Herbalife) to his friend, a small, non-professional investor, Bryan Shaw.  Mr. London thought the two of them would never get caught because Shaw was investing such small amounts of money.  London thought the authorities were able to pursue only the big, professional inside traders.

Mr. London was wrong.

Automated Monitoring Probably Flagged Account

The authorities (SEC, FINRA, Shaw’s brokerage and/or options regulators) spotted unusual trading activity in Shaw’s relatively-small retail investment account.  The brokerage suspended Shaw’s account.  Then the SEC sent a civil subpoena to Shaw, asking him to explain his activity.

Mr. London thought the authorities could not prove anything.  He thought the brokerage would just give Shaw his money and stop doing business with him.

London was wrong.

Subpoena Requires Truth

A subpoena is a legal demand for information that the recipient (Mr. Shaw) cannot ignore.

The subpoena frightened Shaw.  Shaw could go to jail if he was caught lying in reply to the subpoena.

Shaw hired a lawyer.

The lawyer probably told Shaw:

1.  You are in deep trouble.  The government is coming after you, and you will be punished.

2.  Modern electronic records, like your online trading records, the records on your computer(s) and all of your detailed cell phone activity (calls, dates, times, geolocation, text messages) are available to the government to rat you out.*

3. The only way to get leniency from the government (i.e., reduced punishment) is to cooperate with the government and help it catch a bigger fish.  The bigger fish would be London.

Sting Operation

Mr. Shaw told the government the truth.  Shaw agreed to help the government catch his friend, Mr. London.

Shaw participated in a classic sting operation.  He made a telephone call to London, recorded by the government, discussing insider trading.  He arranged a meeting with Mr. London in a parking lot, where he would deliver cash to London in exchange for insider information.

At the meeting, Shaw wore a secret recording device.

Yesterday’s Wall Street Journal features an FBI photo of Mr. Shaw handing an envelope of cash to Mr. London in a parking lot.

Big Data + Subpoena + EDiscovery + Incentives = Big Fish

Mr. London will likely go to jail.

Mr. Shaw will likely get reduced punishment.

–Benjamin Wright

*Note:  Such detailed records did not exist a few years ago when CPA London formed his opinion that the authorities could not pursue small-caliber inside traders.  London's studied opinion has been rendered obsolete by modern eDiscovery.

How to Confiscate Mobile Device

Suppose enterprise has a BYOD policy empowering the enterprise to seize employee’s smartphone.  Suppose further that enterprise has reason to believe the phone contains important evidence . . . such as stolen trade secret or records of contract negotiations by employee on behalf of enterprise or photos relevant to allegations of a hostile work environment.*

Wise Steps

Enterprise considers confiscating the device and investigating whether it contains the evidence in question.  What would be wise steps for the enterprise?

1.  Consider engaging an attorney so that confidentiality of the investigation is protected under attorney work product doctrine.

2.  Document the reason for believing the device possesses relevant evidence.

3.  Consider sending the employee who owns the device a preservation letter, informing employee that she/he should avoid destroying evidence.  Remember, whatever evidence may exist on device may also be copied to online accounts controlled by the employee (e.g., cyber locker like Dropbox).

If employee destroys evidence in the face of an investigation and a preservation letter, the act of destruction itself could be grounds for action against the employee.

4.  Consider interviewing the employee formally before confiscating the device.  In recorded interview, with multiple people involved, ask employee about allegations and evidence.  If employee lies during interview, the lying itself might be grounds for taking action against employee.

5.  Ask employee if she/he consents to confiscation and inspection of device and collection of evidence.

6.  If enterprise decides to confiscate device, document justification for the decision and involvement of multiple authorities (e.g., lawyer and higher management).

7.  Make detailed records about the process of confiscation (e.g., narrative of when and how confiscation transpired and photos or video of confiscation and condition of device).

8.  Give employee written document (receipt) of the confiscation, describing the device (including possibly images), date and time.

9.  If enterprise investigator inspects device (including evidence extraction), involve multiple agents and keep detailed records of the inspection (including possibly narrated video of each step of inspection).

10. Take care to comply with any relevant laws, including those that forbid employer from demanding social media log-on credentials.

11.  Exercise restraint.  If the enterprise refrains from looking at data it does not need, then any argument that the employee's rights were violated is weaker.

12.  Inspection might include sophisticated forensic extraction of data and/or just video/affidavit recording of data (text, images, audio) manifest by operation of the device.

13.  Consider measures to secure collected data, such as encryption.  Encryption is a hassle because it requires the enterprise to maintain a process for storing and finding the decryption key . . .  for possibly years into the future.

14.  Ensure copies of investigative records are in hands of multiple people (e.g., lawyer and investigator).

15.  If child porn is discovered (or even suspected), contact police immediately. (horrible)

16.  If device is kept for extended time, document the justification, including notice to employee.

17.  Document return of device if and when it happens.

18.  When data collected from device is no longer needed, consider destroying the data as a measure to promote privacy.  However, privacy interest must balance against anti-spoliation law.  Also, if investigation report has spread to multiple places, destruction may be impractical.

–Benjamin Wright

Mr. Wright teaches Law of Data Security and Investigations at SANS Institute.

*Vast records can be stored on a mobile device, including text, audio, email, video, geolocation, meta data showing time that an app was accessed, content of posts to social networking services, documents uploaded to storage lockers.

. . .
Next step:  What if the device is a form of wearable computing?

Attorney-Client Confidentiality | Data Security Breach

As an enterprise comes to suspect that it may have suffered an infosec incident, it may be wise immediately to involve an attorney.

Attorney Work Product Doctrine

The "attorney work product" doctrine provides that the content and results of an investigation -- which is led by an attorney -- are kept confidential from future legal proceedings.   The legal proceedings that might follow an infosec incident include lawsuits, as well as investigations by government authorities such as industry regulators (e.g., state healthcare department), state attorneys general and the Federal Trade Commission.

After an attorney has been engaged to lead an infosec incident investigation, the attorney might direct technical investigators to gather evidence, analyze it and report back to the attorney.  Often, owing to the attorney's leadership of the investigation, the evidence gathering, analysis and reporting would be confidential under the "attorney work product" doctrine.  See, "Law Firms Tout Cybersecurity Cred," Wall Street Journal, April 1, 2013.

Reduce Exposure to Potential Liability

If the "attorney work product" doctrine does apply to an investigation, then adversaries, like plaintiffs or government, cannot force the enterprise to reveal to them the results of the investigation.

For an enterprise that wishes to minimize its exposure to litigation or liability, the "attorney work product" doctrine can be invaluable.

For example, an enterprise may conclude after thorough investigation that it did not suffer a data breach requiring it to give notice.  However, the enterprise may prefer that the content of the investigation not be provided to adversaries who might try to second-guess that conclusion.

See explanation of attorney-client privilege and attorney work product doctrine.

--Benjamin Wright

Taxes, Regulation and E-Commerce Innovation

A video affirmation can carry legal, cultural and political weight.

Walmart is thinking about empowering customers to deliver purchases to other customers.  Customers who have time and transportation would take online purchases to customers who lack time or transportation.  The delivery people would be rewarded with discounts and other incentives.

Roadblocks

Walmart’s thinking is an innovative e-commerce idea.

But innovative ideas often encounter legal risks and roadblocks.  New ideas upset old norms.

Video Overcomes Roadblocks Better Than Paper and Ink

The video below shows one way to cope with such risks and roadblocks.

Imagine that as Walmart signs up a customer to deliver stuff to other customers, Walmart:

1.  Presents to the delivery person contract terms and program rules, written on paper;

2.  Asks the delivery person to read and then sign the terms and rules in ink; and

3.  Asks the delivery person to make a video like this (where the delivery person is reading a script):


What a Video Affirmation Does

A video affirmation creates compelling evidence.  The evidence can be more emotionally impactful than an ink signature on a long paper document.

Here, the video shows the customer really cares about the delivery program.  It shows he understands it.  It shows he was not tricked into joining it.

It shows the delivery program is part of a positive cultural phenomenon, one that includes cool benefits to the community as a whole.

What Are Some of the Roadblocks?

As e-commerce innovations come along, someone – like a judge, a jury, a government regulator or a tax collector -- might be tempted to decide that the innovation:

a. should be taxed (e.g., unemployment taxes);

b. should be regulated for safety under occupational safety regulations; or

c. should be treated like employment, for purposes of benefits like retirement or healthcare insurance.

However, videos like the one above might motivate a decision-maker to pause . . . to think differently.  It might persuade a jury that the innovative delivery program is something most different from traditional employment and should be given special room to flourish.

–Benjamin Wright

Corporate Email Archives: Unwanted Liability or Searchable Asset?

Some corporate lawyers prefer to delete records as soon as possible.  They feel that informal records like email are a liability when the corporation heads into litigation.  The records are burdensome to search and turn over under eDiscovery.

To support advice that email be deleted quickly, these lawyers will point to FTC v. Lights of America Inc., 2012 WL 695008 (C.D. Cal. Jan. 20, 2012).  In that lawsuit, the Federal Trade Commission possessed few email records to turn over in eDiscovery.  One reason for the paucity of records was FTC’s default policy to delete email at 45 days.

Upon scrutinizing the policy, the court saw nothing inherently wrong with it.  The court could not conclude that FTC should be punished for deleting relevant records.

Litigation Hold

Does a 45-day deletion policy make sense for an enterprise?

As a practical matter, if an enterprise like FTC deletes most email at 45 days, it must have a mechanism for applying litigation hold.  Under litigation hold, emails that are likely to be needed in a lawsuit or investigation must be spared from the default 45-day deletion policy.

Corporate Knowledge
For most enterprises litigation hold is difficult.  An enterprise may "know" it needs to apply litigation hold, but not have the infrastructure in place to understand and act on that knowledge.

It is difficult for knowledge of the need for litigation hold to stroll briskly through the organization and come to the attention of a lawyer who can cause a litigation hold to be implemented.  Most enterprises have relatively small legal departments.

The FTC is different.  A large percentage of the FTC’s staff is lawyers or professionals with a legal bent.  Unlike a corporation that makes widgets or a municipality that delivers city services, the FTC is a law-heavy enterprise.  Its very mission is law enforcement.

Thus, FTC is highly sensitive to when litigation hold needs to be applied to records.  Further, its culture enables swift implementation of litigation hold.  Its staff and culture are also highly attuned to composing formal “records” that tell the legal story FTC wants told.  Hence, an aggressive policy of deleting informal email at 45 days can work for the FTC.

Electronic Mail as Corporate Memory

Other enterprises – like private corporations and most other government agencies – must think differently about email.  Email is part of corporate memory.  Email records what happened, how it happened, and why it happened.

For most enterprises, it is not the key mission of staff to create formal “records” that tell the legal story the enterprise wants told.

For the typical enterprise, informal email records are a functional asset.  Electronic message archives, older than 45 days, answer practical and operational questions.

Cal Fire’s Need for Records

Take for example the California Department of Forestry and Firefighting (Cal Fire).  It is under investigation for something that previous leadership did in 2004.   In 2004 the department started using proceeds from fines imposed on corporations to set up a training and equipment fund.  Under California law, such a fund must be approved by the state’s Finance Department.

By 2013, however, Cal Fire could not easily document that the fund had received approval from the Finance Department.  So Cal Fire closed the fund and gave the money to the Finance Department.  The Finance Department opened an investigation into whether law had been broken.  “California Agency Burned by Discovery of Bank Account,” Wall Street Journal, January 26, 2013.

Whether Cal Fire has the records it needs I don’t know.  Whether it retains email back to that time, I don’t know.  However, when a question like this arises, complete email records from the time in question can be invaluable to an enterprise like Cal Fire.  Rarely can people remember old administrative details like whether approval was obtained for an unusual bureaucratic event.

Email as Searchable Diary

Email is a remarkably powerful resource for recording how, when, who and why.  Well-archived email is a detailed, easily-searchable, time-and-date-stamped diary of enterprise activity.

Most enterprises are well-meaning, and intend to do what is right.  On balance, email archives document the day-to-day efforts of people trying to do the best they can.

Standard: Data Security Breach Notice

Department of Health and Human Services has issued the most significant advancement in data breach notification law since California adopted the original Senate Bill 1386 in 2002.

First Standard Was Vague

SB 1386 said the data holder must give notice if it had reason to believe the security of sensitive data had been compromised.

Technologically speaking, SB 1386's standard was vague.  It caused many organizations to issue confusing, unnecessary notices that are of no value to the recipients (data subjects).

New Standard Calls for Intelligent Risk Assessment

HHS’s new Omnibus HIPAA Rule states a more realistic and sophisticated standard for whether a healthcare data holder must give notice of a breach.

To paraphrase revised 45 CFR § 164.402, the data holder must:

1.  presume that a security incident requires delivery of notice . . .

2.  unless a risk assessment shows low probability of data compromise considering the following four factors (in addition to any other relevant factors):

(A) Nature of the data and likelihood it can be used to identify the data subject;

(B) Who accessed the data;

(C) Whether data was "actually acquired or viewed";

(D) Whether risk to the data has been mitigated.

§ 164.402 motivates the data holder – before giving notice – rigorously to gather all the facts about an incident and then to analyze and evaluate those facts.  That process of gathering, analyzing and evaluating is a “risk assessment.”  For that risk assessment, § 164.402 gives the data holder four useful factors to consider.

But, rationally, § 164.402 reminds the data holder that there can be other factors to consider.

Does Prior Warning of Risk Reduce the Need to Give Notice?

I argue that another relevant factor is whether the data subject had been warned of the risk of compromise and therefore accepted the risk.

No Knee-Jerk Reaction

Historically, many organizations have treated breach notification as a knee-jerk reaction to security incidents and vulnerabilities.

HHS is now teaching that before sending breach notices, the data holder should engage an intelligent investigation and assessment.

In effect, HHS is -- commendably -- refining the definition of data security breach.



Mr. Wright teaches the law of data security and investigations at the SANS Institute.