There’s nothing to add to this story. Apparently, blueprints and other information about the Presidential helicopter, Marine One, were snatched from a defense contractor’s supposedly-secure computer system by someone with an Iranian IP address. How secure is your data?
The name of the game is to intercept falling missiles (which have an annoying tendency to split off in multiple directions) with silos on the ground (hint; we’re the silos).
John Cornyn (R) has introduced the “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act”, or ‘Internet Safety Act’ (for those of us who can’t fit all that in a catchy blog title). This bill is actually a regurgitation of a bill introduced in 2006. I think you get the gist from the bill’s title, but here’s the fine print:
“A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”
That’s Part I of the headache. Part II is who would be covered under this bill; essentially anyone who serves wireless using DHCP. That’s right – it includes that little Wi-Fi router you have at home. Note to those who brought their wireless router home from the store and just plugged it in; you might want to configure the security feature, lest someone nearby connect through it and start looking at child pornography. Starting to sweat, yet? Maybe you will after I mention Part III; you might go to jail for up to 10 years.
Here’s the really bad news – there’s a Part IV…
Once again, all I think about is Zubulake. The moment you’re required to retain a record for two years, it may be adjudged ‘accessible’ for Zubulake purposes – and not just the ones covered under this Act, which, as I previously mentioned, specifically targets child pornography. Any purpose of litigation may be fair game to subpoena these logs!
You think maybe Senator Cornyn knows how to push a bill through Congress by piggybacking it on the hot-button terms that frighten all parents to death?
This Act really could be the legal equivalent to ‘Missile Command’ (or starfish, or octopus…). The tentacles could reach virtually anywhere. I’ll be monitoring this closely, as should you. If it becomes law, it could be…
As sanctions mount for those who have run afoul of the new e-discovery rules, debate is raging about criminal liability. To some, the threat is very real. They recommend extreme caution. To others, it’s nothing more than a scare tactic. They say the threat of incurring criminal liability over an e-discovery issue is slim to none.
Who is right?
I’ve neglected to link articles from both sides of the debate. The reason; it’s not my place to criticize the writers – they make very strong arguments, for and against. It just so happens that, in my opinion, the answer is somewhere in between. Perhaps the reason many people think that criminal liability is unlikely to attach flows from the possibility that they’re not thinking broadly enough. In other words, they’re not taking into account who might be ensnared in the e-discovery net.
The logic works in reverse. The higher up in the e-discovery food chain you are, the more likely you’ll be eaten. The small fry aren’t likely to get themselves in trouble, barring egregious conduct of some sort. The standard of what would rise to the level of a criminal act may be high – but the liability exists. So, who should be looking over their shoulder?
The White House (possibly violating the Federal Records Act), a former Broadcom Corporation executive (accused of obstruction of justice) and former Credit Suisse First Boston investment banker Frank Quattrone (also accused of obstruction and witness tampering) who endured a four-year ordeal for encouraging his employees to essentially ‘clean up those files’.
And the lawyers? Six of them were referred to the State Bar of California for possible ethical violations in the Qualcomm v. Broadcom case. A crime? No, but facing various penalties up to and including disbarment, my guess is it feels like a crime to them.
If you reviewed the links, you’ll note that I’m not necessarily concerned with whether the principal was convicted of – or pleaded guilty to – committing a crime. It’s scary enough just reading what actually happened – or could happen.
We’ve all heard the term, “Ignorance of the law is no excuse.” That rule-of-thumb applies to e-discovery also. One can commit a crime without realizing it.
If you’re a tech, and the boss tells you to delete data – and you simply follow his orders – if he instructed you in order to hide wrongdoing, he’s likely to be in trouble, but what about you? If the facts are as stated, probably not. But what if your company has an ESI policy, your boss’ instruction violates that policy, you know this, but you do it anyway? Did you just become an accomplice to a crime? Will the common explanation, “I was just following orders” get you off the hook?
Obviously, we’re not taking a crash-course on criminal law today. There are so many hypothetical scenarios that could occur, with so many different facts that it would be impossible – and irresponsible on my part – to attempt to tackle all of them in a blawg post.
What I endeavor to do is to impress upon you that a snap decision that didn’t make you think twice in the past could burn you in the future. ESI for its own sake doesn’t normally make one think of crimes. But now, we’ve entered a new arena. The law is involved, and if data “goes missing” in this context, your adversary – or the court – may infer that something fishy is going on.
Is it worth the time, expense, stress, loss of reputation and threat of incarceration? The outcome is beside the point. Even if you’re exonerated, where do you go to get your lost time, money and reputation back?
Part I of a two-part series. Part II will appear 12/04/08.
PART I – LOGICAL RELEVANCE
A cardinal rule, known to law students everywhere, was broken. “When on a break from the bar exam, don’t discuss a specific part of it with anyone – and if you absolutely must, ask permission first!” The reasoning behind this rule; to prevent students from freaking out because inevitably the other student will point out something they themselves missed, thus setting off a chain reaction of worry, panic and distraction.
There I was, on a break from the California Bar Exam, and another student really wanted to discuss the evidence question with me. We had a pleasant conversation – as pleasant as it could be between two stressed-out bar candidates in the middle of a three-day exam. We discussed the facts as they pertained to the question and the issue of whether each piece of evidence put before us was authentic.
All was going well until I pointed out the ones that were legit, but weren’t admissible in court. The pallor of my counterpart changed noticeably. That’s when he realized that he’d done a great job analyzing whether each piece of evidence was authentic, but forgot the next step – determining whether each was admissible.
Finding evidence is just the beginning. If all of your dominoes don’t line up properly, it will never be admitted. The technology gurus have a huge role to play and may not even be aware of it.
A few years ago, if you explained to the average person what electronic evidence – or e-evidence was, then asked them to give you an example, 99% of them would have given you the same answer – e-mail. We’ve all read news stories about this individual or that one who was caught red-handed through his or her e-mail messages.
Later, another example started showing up more often – text messages. Just ask the former Mayor of Detroit how that turned out for him…
In law school and on the bar exam, the testers took pride in finding ways to slip a piece of written evidence right by a student by putting it into a form that he or she wouldn’t normally think of as “written”; engraving on a tombstone, label on a medicine bottle, a license plate. We’re conditioned to think of written evidence as something more mainstream, like a letter, a book or a bill of receipt.
A lot of e-evidence is still written – but now it’s written to computer hard drives, DVDs and cellular phones. Just like law school students, we have to broaden our thinking and remember that virtually any device that can save, store – or even process electronic information (e.g. RAM in printers/fax machines) may qualify. Then, we have to remember the really tough part – many of these devices are mobile. They could be virtually anywhere in the world.
Let’s take a hypothetical look at Jane Doe. She works for a multi-national corporation, “Multi-Corp”. She has an office in Los Angeles and one in Tokyo, and an apartment in each city as well. She has a desktop computer in each office, plus a laptop to use when she’s out in the field, at home or traveling. She stores some of her work on the company file servers. She’s taken to transferring work from her laptop to her home computers in both Tokyo and L.A. – because she likes them better (the boss doesn’t know). It’s annoying for her to connect the machines directly, so she either hooks up wirelessly through her router or uses her thumb drive. She has two cellular phones (one is personal) and a PDA.
Multi-Corp is sued by Uni-Corp, and the Plaintiffs subpoena Jane’s correspondences. Am I the only one with a headache? Probably not.
If I’m in the IT department at Multi-Corp, I have to think of every possible device – and the location of each – where relevant data may be stored (let’s hope Jane remembers to tell me about the thumb drive). Then, once I do, I have to locate the data on the device itself. What if I need to retrieve it from back-up media? What happens if a device – and the data it contains – is owned/managed/outsourced to a third party (e.g. the file servers or the cellular phones)? How do I get them to grant me access when they don’t want to be dragged into a lawsuit? Do they have to do so? I might have to ask the legal department.
If I’m in the Legal department at Multi-Corp – or in their outside counsel’s office – I’m depending on the expertise of my IT resources, but I’m also worried about issues that IT doesn’t normally think about; chain-of-custody being a prime example. I’m looking for data that will exonerate the defendant and relevance is only one issue. I’m also responsible for making sure it’s admissible and I don’t want it thrown out on a technicality. How can I impress this and other concepts upon people who don’t work directly for me?
Meanwhile, both departments – and management – are thinking about the costs and whether the Plaintiff’s subpoena is too broad in its scope.
A lot of questions. A lot of concerns. I will endeavor to address all of them in tomorrow’s post.
Part II of a two-part series. Part I appeared 11/24/08.
PART II – ESI COLLECTION
I read a lot of excellent articles, white papers and documents (as do you) which present reasonable, astute and prescient approaches to getting a handle on your company’s ESI (electronically stored information).
However, in virtually all of the materials I see, one important element is missing:
Sounds counterintuitive, doesn’t it? Common sense would tell you that if you’re backing up your data, it should be relatively easy to recover it on demand. After all, the software “tells” you in your morning report that last night’s run went fine. But did it? Is that all that matters?
Think about it for a moment. How many spokes are in your hub? Where are they? How many people are responsible for protecting the data? What software do you use? What hardware? What media? Is it easily accessible? Physically? Remotely? Do you handle it in-house or do you depend on outside vendors? Do you use off-site media storage? Do you know the time it would require for you to comply with a request to produce data? Do you have an alternate location to restore it? It isn’t always restored to the location where it originated, and certainly not when litigation is involved.
Let’s boil it down to one simple question. What would you do if you received a call with a demand for data – a large quantity of data – that isn’t at your fingertips?
It would surprise you how many companies haven’t thought about this. They do everything right in terms of the front-end of this process, but never anticipate the back-end. They do a terrific job of thinking about data protection, yet don’t think about more important issues – data integrity and the ability to restore it.
What good is all of this technology if, when the big request comes down, you can’t deliver? It’s bad enough when this has nothing to do with e-discovery (such as my location in California, where we have to worry about earthquakes), but when it does, there are sanctions on the line – and not just civil sanctions. Some of the penalties are criminal in nature.
Admittedly, criminal liability would most likely require intentional and/or egregious conduct, but the spectre is out there (I’ll address the facts vs. fictions in a future post).
You don’t want to be the attorney who has to stand in front of the judge and say “I’m sorry, Your Honor.” because you are either experiencing delays in producing the data, produced it very late in the litigation process or are unable to produce it at all. You might get a response like this one from a Judge in the recent McAfee case – “Heads will have to roll”.
Let’s hope it isn’t your head she’s talking about.