InfoSec & Forensics Law: August 2008

E-Discovery Strategy, Search & Artificial Intelligence

E-mail Archive Policy

Lesson from Tyco Scandal. In a legal dispute, you want as much of two assets as you can get – evidence and brainpower. You want evidence to supply facts so you can understand and support your side of the case. And you want good analysis and judgment so you can assemble the best arguments and make the best decisions about how to manage your case.

Since e-discovery affects both evidence and brainpower, it is revolutionizing litigation and, more generally, all manner of investigations.

A lawsuit today is not your father’s lawsuit.

The advent of electronic records like e-mail causes the quantity of records potentially relevant to a lawsuit/investigation to swell beyond imagination. In any dispute, this profusion of records opens vast opportunity to those able to exploit it. Smart litigants today (a) welcome oceans of records, and (b) seek advanced analytics and artificial intelligence to glean from those oceans the best case.

Observe the lesson from the Tyco International scandal . . . Continue Reading E-Discovery Strategy

Encrypted Personal Data On Stolen Laptop

Compromise of Password-Protected Computer Lost in Burglary

Anheuser-Busch notified thousands of employees that their personal data, and the data of their dependents, may theoretically be at risk of identity theft. The data were on a password-protected laptop, and the data were encrypted.

The case comes to light because one of the states involved, New Hampshire, requires notice be sent both to affected individuals and to the state attorney general, who publishes the notices on the web. New Hampshire's law does not require notice if data were encrypted. AB says the data were encrypted. It also says it has no information suggesting the burglars are attempting identity theft. So why did it give notice?

My guess is that the company was motivated more by the politics of the situation than a strict reading of the law.

The facts: A burglary in a Missouri building harvested several laptop computers from the offices of multiple companies. One of those laptops, belonging to AB, contained personal information (names, addresses, social security numbers and so on) about certain AB employees and their dependents.

Continue reading about encrypted laptop data

Local Government E-mail Retention

Freedom of Information, Open Records and Sunshine Laws

Increasingly, public agencies are required to search for and turn over e-mail records in response to freedom of information and open records requests.

Generally speaking, under either state or federal law, a freedom of information act requires government to disclose requested records to citizens. Sometimes a FOIA might be known as an open records act or a sunshine act.

One example: A Kentucky judge required state government to give a man copies of e-mails between his wife, a state employee, and another state employee whom the man suspected was having an affair with his wife. (Associated Press, “Judge: Ky. Man Can See His Wife's E-Mail,” Nov. 20, 2007.) Continue Reading

State Government Healthcare Electronic Mail Destruction

Duty to Preserve Electronically Stored Information (ESI)

When a lawsuit is filed or reasonably anticipated, parties are expected to apply a "litigation hold" to ensure records are not destroyed.

In a class action case concerning rights to state-paid medical care (connected with Medicare), a federal trial court has criticized Tennessee state agencies for failing to preserve electronic records. Said the court:

continue reading about potential government spoliation

Healthcare Internal Control: Retained E-mail & IM Records

Board of Directors Fiduciary Duty

Medicare Compliance & Fraud Investigations

Electronic records such as e-mail do more than satisfy discovery requests in litigation. They serve as a check against mistake, fraud and other wrongdoing. Healthcare institutions need to retain these records to enable investigations of misconduct on the part of administrators or other decision-makers.

For example, when the board of directors of HealthSouth Corporation (operator of multiple hospitals) investigated massive accounting and Medicare fraud within the company, it needed access to the e-mail records of executives. Continue reading "Healthcare Internal Control: Retained E-mail & IM Records"

Mr. Wright teaches email law at the SANS Institute.

TJX Breach Now Put into Perspective

Law of Payment Card Industry Data Security Standard

Excessive Cancelation of Compromised Credit Cards

The ring of criminals at the heart of the TJX credit card break-in has been indicted. The indictments help us evaluate the civil legal system's (especially the Federal Trade Commission's) response to the TJX heist. Read more at the new site for Wright's Legal Beagle, the thought-leadership blog for Messaging Architects.

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

InfoSec & Forensics Law