Document Discovery Litigation Hold

Arthur Andersen Conviction for Obstruction of Justice (Impeding Official Government Investigation)


Record Retention & Destruction Policy


Early destruction of sensitive business records is risky because the law will second-guess the decision to destroy. Video from the Enron scandal dramatizes how difficult it can be for a company to justify the destruction of important records after the fact.

The 8.5 minute video comes from the web site of Congressman Cliff Stearns of Florida. (Link to the video appears at the end of this post.) The video shows part of the hearings Congress held in the wake of Enron. In this video, Congressman Stearns interrogates Nancy Temple, a lawyer for auditor Arthur Andersen, who gave advice on AA's management of records and "litigation hold" on record destruction.

Congressman as Prosecutor
Congressman Stearns plays the role of a public prosecutor. He tries to show the public (the "jury") that Arthur Andersen handled its records improperly. In effect, he tries to show that Andersen intentionally destroyed important records so as to deny access by legal authorities. He argues Andersen should have implemented a litigation hold on its Enron records months before Enron imploded.

Congressman Stearns makes his point by questioning Ms. Temple about what she knew about deficiencies at Enron and when she knew them. He seeks to establish that she had long known many bad facts about Enron, and therefore should have implemented a litigation hold on the records many months before she did . . . long before any litigation or government investigation had been initiated on Enron's financial condition.

Looking Backwards

The video is a specific example of a common event. So often, after something bad happens, adversaries like Congressman Stearns (prosecutors, regulatory watchdogs, plaintiff lawyers, inspectors general) look back retrospectively and say to an enterprise and its advisors, "You knew all this bad information. You had reason to believe a lawsuit or investigation would eventually come. Why did you allow records to be destroyed?"

A few months after this congressional hearing, a courtroom jury convicted Arthur Andersen criminally for destroying its records. The jury concluded Andersen had "obstructed justice" by destroying records on the eve of a government investigation. The Andersen conviction is one of many examples of the legal system punishing organizations for destroying records when they should have known those records would be needed for an investigation or lawsuit.

Incentive to Keep More Records

Given stories like Arthur Andersen, how should organizations manage their records? The problem – from the perspective of an organization – is that it is very difficult, in practice, to assess which records will in fact be needed for future, potential litigation.

Knowing this difficulty, organizations have incentive to be increasingly generous in the retention of important records. When managing records, organizations are prudent to give themselves a wide margin for error and keep more records, longer than they did a decade ago.

See Video of Congressman Stearns Questioning Arthur Andersen's Nancy Temple.

By: , Senior Instructor on computer privacy law at the SANS Institute.

Bank Retention of Electronic Mail Archives

OCC and FDIC Regulation and Guidance


Financial Institution Audit Procedures


What do regulations say about a bank retaining e-mail records? Relevant statements have been issued by both the Office of the Comptroller of the Currency (OCC) (regulator for all national banks in the U.S.) and The Federal Deposit Insurance Corporation (FDIC).
Auditor Expectations

OCC


The OCC issued an Advisory Letter on Electronic Record Retention on June 21, 2004. The Advisory Letter points to the Electronic Signatures in Global and National Commerce Act (E-Sign) as a special reason for financial institutions to set up electronic record-keeping systems. The E-Sign Act generally confirms the legal effectiveness of electronic commerce transactions, including e-mail contracts. The implication for banks is that their electronic records, such as e-mail records, can be evidence of legally binding contracts and other transactions.

Accordingly, the OCC Advisory Letter states:

"[B]anks should design, implement, and operate their electronic records systems so that they are adequate to serve the following purposes and functions according to the nature of the retained records:

* Potential use in litigation support,

* Internal and external audits and controls,

* Bank supervision, and

* Compliance with regulatory requirements."

Notice those are broad purposes, which suggests that the retention of e-records should be generous at a time when the quantity and importance of electronic transactions are growing. The Advisory Letter goes on specifically to emphasize the retention of electronic message and electronic mail records.

FDIC


Consistent with the OCC Advisory Letter, FDIC has issued guidance on the retention of electronic records under the E-Sign Act. See FDIC Compliance Handbook — June 2006, page X-3.1. Although the FDIC Handbook does not provide as much detail as the OCC Advisory Letter, it says banks need good records of their electronic business transactions. Naturally, those records will include e-mail records, as the OCC Advisory Letter confirms.

The FDIC Handbook page X-3.1 states: "Record Retention. The E-Sign Act requires a financial institution to maintain electronic records accurately reflecting the information contained in applicable contracts, notices or disclosures and that they remain accessible to all persons who are legally entitled to access for the period required by law in a form that is capable of being accurately reproduced for later reference."

Further, the FDIC's 1998 Electronic Banking Safety and Soundness Examination Procedures specifically discuss record retention procedures for e-mail at page 8. Page 8 says bank examiners should expect banks to have retention policies for e-mail. It reads: "Determine if retention guidelines exist and are updated for source documents supporting electronic activities, such as account applications, instructions for account transactions, and other records. Determine whether the guidelines also address electronic mail, data files, and similar records." The implication is that if a bank does not have a retention policy, an FDIC examiner will expect the bank to create one.

Policy

So precisely how long should banks keep email records? I have led in-house workshops to address this question at numerous, diverse enterprises. The outcome of these workshops has varied, depending on many factors, including corporate culture.

In my experience, the best email retention policy is one that is developed by collaboration of the various stakeholder departments in the enterprise (legal, IT, HR, operations et al.). Normally, these different stakeholders will start with different positions on what the policy should say. But, in my experience, after the stakeholders have talked through the issues, they tend to compromise their positions and coalesce into a policy that is unique to the enterprise.

By , Senior Instructor on Law of Data Security and Investigations at the SANS Institute.

Related:  How to write an enterprise records policy.

Update July 2012: Cost of Storage

I just led a workshop at a group of companies that owns two national banks.  The purpose of the workshop was to help the stakeholders from the various enterprises develop a group-wide policy for the retention and destruction of email and other electronic records, including audio records of telephonic interactions with customers.  

I have been leading workshops like this for years, and I have noticed from these workshops that something has changed.  The cost of storage has become a non-issue.  The raw cost of storing 100 terabytes of data is insignificant to an enterprise larger than a mom-and-pop.  That is not to say that the raw cost of storage is the only issue in setting an electronic record retention policy.  There are lots of issues, and no regulator is going to tell a bank how to resolve all of its issues.  But the dynamics in these workshops have changed on account of how cheap storage has become.

[The above is only general information. If a bank needs legal advice, it should of course consult its lawyers.]

International and Foreign E-discovery & E-blackmail

Non-US E-mail and IM Record Retention Policy


Executive & Banker (Financial Institution) Text and Instant Messages


Investigations into corporate scandals in France (Europe - EU) and Japan (Asia) illuminate why employers need to retain employee electronic message archives. In the Kerviel-Société Générale scandal and in the Livedoor scandal, employee and executive e-mail and instant message (IM) records were critical to the companies as the scandals unfolded.

Both scandals remind us that electronic messages are a way of life for modern professionals and executives. If an enterprise wishes to know what its staff have been doing – and what commitments they have and have not been making on behalf of the enterprise – it must keep records of their messages. As blockbuster new technologies like the iPhone take messaging outside the confines of traditional corporate IT infrastructure, an enterprise must strive to capture records of employees' business-related messages. An enterprise is wise to require employees to use or copy an enterprise-controlled account on all business messages so they can be archived centrally, outside the control of individual employees.

Société Générale
A forged e-mail purporting to come from Deutsche Bank tipped big French bank Société Générale (SoGen) that something was amiss with the transactions of junior trader Jérôme Kerviel. As the bank came to realize he had exposed it to 50 billion euros of potential liability, it rushed to study all of his electronic messages in its possession.

[Side note: Some say the bank hesitated before reading Kerviel's e-mail, out of deference to French privacy laws that limit an employer's ability to read employee e-mail. This hesitation may have transpired before the bank realized how exposed it was.]

According to the New York Times: "One top Société Générale executive has told investigators that Mr. Kerviel rarely used his office e-mail account, sending no more than 60 messages over the last 12 months. But . . . he actively used instant messaging." Drawing on all the available records, the bank swiftly acted to neutralize Kerviel's outstanding trading positions.

In the exhaustive investigation that ensued, a key question was whether Kerviel acted alone. The bank examined thousands of messages stored from the bank's internal instant message system, including some between Kerviel and a suspected accomplice, Moussa Bakir, an employee at Fimat (Newedge). In one message that attracted particular scrutiny, Bakir stated to Kerviel, "You have done nothing illegal in terms of the law." And at least one e-mail hinted that an assistant inside the bank had helped Kerviel.

The outcome of the investigation is critical to the bank (and its investors) as responsibility for the scandal is allocated. Had the bank not been storing message records, its investigation and remedial steps would have been hampered.

Livedoor
In the Livedoor scandal in Japan, rather than IM, the message records were e-mail. Livedoor, a popular web portal in Japan, suffered an accounting scandal that led to criminal prosecution for several executives, including the CEO. Executive e-mail records figured prominently in the investigation. For instance, e-mail records showed that Livedoor executives deceived others by offering to purchase stock the company already owned.

Although the scandal heaped infamy on the company, it did not bring an end to Livedoor. As an entity separate from the individuals who serve as executives, the company regrouped and pressed ahead as a viable competitor in the Japanese Internet market. It installed a new CEO, who said, "When you're a company with 2,000 staff and 200,000 shareholders, people expect some corporate responsibility."

False Allegations
In the wake of Livedoor's highly-publicized scandal, a printout of an e-mail circulated in Japanese politics purported to evidence an earlier attempt by the firm's former CEO to use company funds to bribe top Japanese politicians. The company conducted an internal investigation of its records, and based on that investigation the new CEO was able publicly and authoritatively to express skepticism that such a bribe took place. In other words, the company's records enabled the new CEO to deflect suspicion away from the company.

The bribe e-mail was later proven to be fake. The story shows another incentive companies have to preserve their e-mail. Just as electronic archives can inform an enterprise about its commitments, they can protect it from false accusations and even e-blackmail.

Consider the U.S. e-blackmail case of Munshani v. Signal Lake. Consultant Munshani claimed a Signal Lake executive promised him valuable stock options. The stock options were not forthcoming, so Munshani sued for breach of contract. To evidence his alleged contract rights, Munshani introduced into court a printout of an e-mail from the executive to Munshani. The words of the printout promised stock options.

However, Signal Lake said the printout was bogus! And fortunately for Signal Lake, it retained all its incoming and outgoing e-mail records. Drawing upon the services of a computer forensics expert, Signal Lake was able to prove that Munshani was a fraud. By comparing Signal Lake's extensive records with Munshani's record, the expert established that Munshani had tampered with a genuine e-mail record, which said nothing about stock options, and falsely changed it to promise stock options. Signal Lake won the lawsuit, and the judge referred Munshani to the local prosecutor for criminal investigation.

As voicemail comes to look more like text and e-mail (on account of technology like unified communications), enterprises will want to save more of it too.



Updates: read the e-record lesson from the Tyco International scandal, plus analysis of proposals for recordkeeping on financial derivatives.

E-Discovery at School: Lost E-mails & Erased Hard Drive

Electronic Record Retention at Educational Institution


Needed Litigation Hold Before Lawsuit Filed


Since adoption of special amendments to the Federal Rules of Civil Procedure (FRCP) in late 2006, the field of e-discovery law has grown more dangerous for all enterprises. Recent cases show courts are serious about expecting litigants to possess and be able to find their e-mail and other electronic records.




A case in point is Jane Doe v. Norwalk Community College, a garden-variety lawsuit brought against a sympathetic public institution. It illustrates how expensive e-discovery issues can be for even a well-meaning public enterprise that fails to keep good, centrally-managed e-mail records.

Student Allegation

A student alleged that a teacher at Norwalk was making sexual advances toward her. Faculty members discussed the allegations by e-mail, and police opened an investigation in February 2004. The teacher in question left the college.

Then in November 2004 the student sued the college and demanded under the litigation rules of discovery that the college turn over all relevant e-mail records. The college was not forthcoming, so the student hired a computer forensic expert who examined the laptop that had been issued to the teacher. The expert claimed the college had destroyed electronic evidence. He showed that the college possessed 500 e-mails from the relevant time period belonging to a certain teacher who knew about the allegations, but the college could not produce this teacher's e-mail concerning the allegations.

The college's IT manager tried to explain to the judge what happened. He told the court that the college did not intentionally destroy anything, although he admitted that after the suspect teacher left, the college followed its usual policy of cleaning the hard drive of the laptop belonging to the teacher so it could be given to another employee. The cleaning was a well-intentioned policy to protect the privacy of student information and to prevent unauthorized access to the college's IT infrastructure. Further, the IT manager said some records may have been overwritten in the ordinary course, and some records may have been lost due to computer error.


Court Not Persuaded
The college did not persuade US District Judge Janet C. Hall. The judge said the college should have preserved all evidence relating to the suspect teacher from the beginning of the police investigation in February 2004. What's more, the judge did not believe the college's explanation for why e-mails could not be found. The judge found that Norwalk was "at least grossly negligent, if not reckless" in its failure to preserve electronic records. As a consequence, the judge ordered the college to pay the student's costs in pursuing e-discovery from the college (i.e., the costs of hiring the forensic expert). Moreover, the judge ruled that when this case goes to trial, the jury will be told that the college destroyed or mishandled records that would have supported the student's side of this case. Thomas B. Scheffey, "Erased E-Mails Return as Sanction in Harassment Case," August 27, 2007, The Connecticut Law Tribune.

This latter sanction carried severe implications for the college. It increased the likelihood the institution would lose the case and have to pay sizable money damages to the student. In fact, this small college eventually settled the case for $765,000, plus a commitment to provide all employees with training on harassment. Lisa Chamoff, "NCC settles sexual assault suit for $765K," February 29, 2008, The Norwalk Advocate.


Lesson
If the college had possessed more complete and better organized records at the outset, it would not have found itself at such a disadvantage in court. Litigation trends suggest that any enterprise is wise to be generous in the retention of e-mail by decision-makers and to be capable of easily finding and searching the more recent records. A prudent course would be for the enterprise to implement a central e-mail archival system.

Mr. Wright teaches the law of data security and investigations at the SANS Institute.