Forensic Update

Reflections on information management within the legal and regulatory arena

Archive for the ‘Information Security’ Category

Radio Show Appearance: Guest Expert on Business Fraud Awareness

Posted by Johnny Lee on September 6, 2011

ForensicUpdate editor, Johnny Lee, hit the airwaves again with colleague Philip Ratliff.  This time our host was Alan Butler, host of Atlanta’s Premier Business Talk Show “Butler on Business.”  Alan and co-host Jason Riddle facilitated a lively discussion covering a areas of concern to business owners and managers alike.

Listen as Philip Ratliff and Johnny Lee of Grant Thornton LLP’s Atlanta Forensics & Litigation practice comment on a broad variety of fraud issues facing organizations—especially in a down economy.  Segment one of the program can be found here; segment two can be found here. Please note that the views and opinions expressed are personal views and are not necessarily those of Grant Thornton; click here for more on this.

Posted in Computer Forensics, Data Governance, ECM, eDiscovery, Forensic Accounting, Fraud, Information Security, Investigations, Litigation Hold, Privacy, Records Retention, Social Networking | Tagged: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | Comments Off on Radio Show Appearance: Guest Expert on Business Fraud Awareness

Forensic Update editor presenting at North American ISACA conference…

Posted by Johnny Lee on May 17, 2011

The world’s leading conference for IT audit, control, security and governance professionals holds its 2011 annual conference in Las Vegas. ForensicUpdate editor, Johnny Lee, will present on the topic of “Data Governance and eDiscovery: Good Faith, Bad Actors, and Questionable Data.”  Click here for more details.

Posted in Announcement, Computer Forensics, Data Governance, ECM, eDiscovery, Information Security, Investigations, Litigation Hold, Privacy, Records Retention, Social Networking | Tagged: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | Comments Off on Forensic Update editor presenting at North American ISACA conference…

Trade Secrets and Departing Employees…A Cautionary Tale

Posted by Johnny Lee on February 14, 2011

Employers would be wise to review the fact pattern from a Columbus manufacturing company which was involved in a federal investigation related to the theft of trade secrets from a departing employee.  The former employee, Kevin Crow, admitted to stealing highly confidential information from Turbine Engines Components Technologies Corporation (“TECT”) in violation of the Economic Espionage Act.

Crow’s plea deal with the government resulted in a three-year jail sentence, another three years of “supervised release,” and a $10,000 fine.  The deal details Crow’s misbehavior from 1979 until 2007 (when he was laid off), at which time Crow joined a competitor.

Crow admits to walking out the door with close to one hundred (100!) compact discs containing top secret informationincluding blueprints as well as cost and pricing information.  Both TECT and Crow’s newest employer are in the business of “manufacturing and selling engine blades for military aircrafts.”

According to a press release from the United State Attorney’s Office in the Middle District of Georgia, “As an employee of TECT, Crow continually provided policy statements with explicit direction on identifying trade secrets within the company and how to protect those trade secrets. During Crow’s exit interview he signed a document stating that he had returned all documents containing any trade secret information to TECT, when in fact, he had taken approximately 100 computer discs containing multiple pieces of information considered trade secrets from TECT.

Crow was later employed by Precision Components International (PCI) in Columbus, Georgia, a competitor of TECT…After being employed with PCI, Crow made numerous contacts with employees of TECT requesting forging price sheets containing vendor and customer information. He also requested copies of TECT’s 2007 and 2008 contract reviews that contained trade secret information.  Crow admitted in a conversation with a TECT employee that he took computer discs, blueprints, and cost and pricing information belonging to TECT, and admitted that providing the information could be considered industrial espionage.”

United States Attorney Michael Moore said, “This type of industrial espionage is a serious matter, especially when it involves the production of parts for our military aircraft.  The damages alone to TECT and its employees might be calculated in dollars, but the potential harm to our military equipment readiness is still unknown.”  The parties involved in the plea agreement stipulated that TECT suffered losses of up to $14 million.

So, how can companies protect themselves from employees as unscrupulous as Crow?  The above fact pattern makes it clear that this is no easy proposition, but a robust data governance program seems like the most reasonable first step.  When considering the nature and sensitivity of the information used and protected by TECT (and similar firms), it strikes this editor as quite odd that more advanced data leakage and information security protocols were not employed at TECT.

The FBI employs highly competent investigators, and I have little doubt that Crow might have evaded detection for quite some time but for this fact.  Likewise, Crow might not have been caught if he were less overt in his attempts to obtain sensitive information (not to mention his rather myopic and incriminating admissions to former co-workers).  The take-away here is that the technology exists to send up flares long before a problem surfaces, as it did here, “procedurally” (as opposed to tripping a wire via one or more monitoring controls).  But for Crow’s brazen missteps, this theft of information might have gone undetected for a long, long time.



See also: Microsoft accuses former manager of stealing 600MB of confidential docs

Posted in Computer Forensics, Data Governance, ECM, eDiscovery, Fraud, Information Security, Investigations, Privacy, Records Retention | Tagged: , , , , , , , , , , , , , , , , , , , , , | Comments Off on Trade Secrets and Departing Employees…A Cautionary Tale

Evidence Spoliation Insurance…welcome news or moral hazard?

Posted by Johnny Lee on January 18, 2011

In early December, a division of Chartis Insurance (the artist formerly known as AIG), announced that it would offer a new insurance product focused upon evidence spoliation.  Interestingly, the product is designed to guard against claims arising from direct physical loss or damage to items that serve as material evidence in a legal proceeding.  Perhaps it’s the geek and the recovering attorney in me, but a couple of things are notable in this offering.

First, as with any insurance product, there must be a triggering event.  The event here is where the insured party is alleged to have breached its professional duty of care related to the preservation of property that is deemed to have evidentiary value.  The insurance would protect against liability for monetary damages and settlement, as well as defense costs for claims alleging a breach of professional duty.

Second, to be clear, this is not insurance that obviates the need for controls or proper handling of sensitive information, though the level of controls maturity will clearly affect how premia are rated.  This product, at least as initially introduced, does not appear to be aimed at entities protecting their own data.  This insurance offering appears to be geared toward organizations that are “conducting analysis on the property of others” and who, as a result of this analysis, may find themselves “exposed to spoliation as a separate tort” (i.e., sued for the harm caused by losing another party’s stuff—either by the party who owned the lost stuff or by a third party).  In legalese, this insurance protects against claims arising from the failure to preserve property of evidentiary value belonging to others that is in the care, custody, and control of the insured.  (Hint: Think engineering firm or research group conducting a form of benchmarking on data provided by a company.)

Despite the ostensible target market, it will be interesting to see how other vendors (especially so-called “cloud” vendors) react to this sort of insurance offering.  Indeed, there is the old saw—certainly trotted out with great frequency during the heyday of Sarbanes-Oxley compliance—that while you can outsource processes and services, you cannot outsource the risks related to same.  So, this leaves us with the question of whether the (potential) availability of such an insurance product to cloud vendors (and other third parties in possession of sensitive and valuable data) will decrease the diligence of these providers in the protection of these sensitive data.  An even bigger question is what companies hoping to outsource to such vendors should do about this.  It definitely will be an interesting area to monitor over the near term.

Posted in eDiscovery, Information Security, Privacy, Records Retention | Tagged: , , , , , , , , , , , , , , , , , , , , | 1 Comment »

Move to e-Records could increase claims and costs for Healthcare…

Posted by Johnny Lee on January 10, 2011

Electronic medical records have received a great deal of scrutiny in recent months, especially in light of sweeping changes from Washington coupled with mandates at the state level to automate healthcare delivery.  While the premise (and promise) of automation tends to focus on increased efficiencies and cost savings, the irony is that the implementation of electronic medical records (“EMR”) might actually cost providers (i.e., hospitals and medical practices) a lot more in litigation costs and liability insuranceat least in the short term.

According to a new report from Hartford-based Conning Research, underwriters are concerned that there will be a non-trivial increase in medical errors when EMRs are implemented.  This, in turn, will drive up both the number of claims and the related cost of defending same.

The report, entitled Medical Professional Liability in a Changing Health Care Environment, indicates that over 90% of providers have yet to implement EMRs (at least to the extent that would satisfy the federal “meaningful use” standards).   This statistic will change drastically in the coming years, given that ObamaCare intends to add over 30 million individuals to the “new insureds” ranks by 2014.  Providers will rush to adopt this new technology not because of the on-boarding of new insureds so much as the significant federal financial incentives that accrue to those adopting EMRs.

While the report indicates that errors are likely to trend downward over time, it is quite likely that claims could increase substantially as patients find fewer barriers to accessing their own health information and the treatments they receive.  This, combined with the fact that EMRs tend to have more information than their paper-based counterparts, will create a virtual bonanza for plaintiffs’ counsel that specialize in medical malpractice claims, as it will be that much easier to identify when treatments provided depart from recommended treatment protocols.

The ease of access to these eDiscovery “haystacks” (as well as the increased number of potential needles within them) might prove to be an ominous litigation trend facing providers for many years to come.  At a bare minimum, it certainly explains why insurers are twitchy with regard to the adoption of this technology.


See also: Electronic Records Don’t Improve Outpatient Care, Stanford Study Indicates

Posted in ECM, eDiscovery, Information Security, Privacy, Records Retention | Tagged: , , , , , , , , , , , , , , , , | Comments Off on Move to e-Records could increase claims and costs for Healthcare…

Business Chronicle: Smart Data Management

Posted by Johnny Lee on January 6, 2011

“Are you seeking a competitive advantage for your business? Many companies need look no further than the mountains of information generated in the course of doing business and contained in their computer systems.

These days data management isn’t just about being able to respond to litigation, but using a wide range of information to operate more efficiently, better serve customers and sell more products.”

Click here for the full article, written by Randy Southerland of the Atlanta Business Chronicle.

Posted in ECM, Information Security, Records Retention | Tagged: , , , , , , , , , , , , , , , , , , | Comments Off on Business Chronicle: Smart Data Management

Florida Bar Association requires lawyers to sanitize storage media…

Posted by Johnny Lee on December 15, 2010

On December 10, the Florida Bar Board of Governors issued final approval to Ethics Advisory Opinion 10-2, which speaks to a lawyer’s ethical duty to sanitize storage media that may contain client data.  The Opinion, available on the Florida Bar Association’s website, is an extension of existing rules that reinforce the premise that lawyers have an ethical obligation “to protect information relating to the representation of a client.”  It states that a lawyer who uses a device with “storage media” within it (such as printers, copiers, scanners, and fax machines) must take “reasonable steps to ensure that client confidentiality is maintained and that the Device is sanitized before disposition.”

This Advisory Opinion was written in response to a request from the Florida Bar Board of Governors to address the ethical obligations of attorneys regarding client data stored on hard drives.  The Opinion acknowledges the increasing number of devices that now contain hard drives (or similar storage media) that can store client information.  Further, the Opinion addresses the often unintentional storage of client data by attorneys due to a lack of awareness related to the behind-the-curtain machinations of such devices.

The Opinion states that is is important for lawyers to “recognize that the ability of the Devices to store information may present potential ethical problems for lawyers.”  It goes on to prescribe a series of steps that attorneys must follow to ensure that inadvertent disclosure of confidential information, including: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of nonlawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.

Interestingly, the confidentiality and competence rules upon which this Opinion 10-2 is based applies to all information relating to the representation of a given client, whether provided to counsel in confidence or not.  Put differently, an attorney may not disclose such information except as permitted or required under the professional conduct rules or by law.

This raises non-trivial considerations for counsel throughout their representation of a client.  In effect, attorneys must keep current with changes in technology to the extent that such changes may impinge upon client confidences.

It will be interesting indeed to see where these new duties lead.  It raises a host of questions about the storage and disclosure of not only client information but other forms of sensitive data (e.g., medical records, personally identifiable information, social security numbers).  Likewise, the Opinion directly implicates the lawyer’s duty to supervise others (including non-lawyers) in the protection of confidentiality.  Undoubtedly, this will present unique challenges for both corporate counsel and their external counsel, as technology will continue to evolve at a rapid pace, and with it the speed and portability of potentially sensitive data.

Posted in Computer Forensics, ECM, eDiscovery, Information Security, Investigations, Privacy, Records Retention | Tagged: , , , , , , , , , , , , , , | Comments Off on Florida Bar Association requires lawyers to sanitize storage media…

Facebook privacy protections are neither private nor protected…

Posted by Johnny Lee on October 19, 2010

In addition to articles on this site about potential discovery issues related to social networking (q.v., Social Media Privacy = Wishful Thinking and Facebook Posts Deemed Discoverable), individuals and companies alike are now faced with another source of exposure for data housed by Facebook.  It now seems that Facebook is a gold mine for criminals intent on fraud and for online marketers intent upon building very detailed buying profiles of Facebook users without their knowledge or consent.

John Lawler, the chief executive of Australia’s Crime Commission, warned that elements of organized crime are taking personal information from Facebook in droves to obtain credit fraudulently.  These criminals are exploiting all manner of personal information (from family members to pet’s names) to establish credit and to circumvent the usual controls by which applicants legitimately authenticates themselves to financial institutions seeking to extend them credit.

In a related story (and new episode in a long series of prominent embarrassments) for the online networking company, the Wall Street Journal (“WSJ”) reported earlier this week that its investigation yielded significant control gaps in the way personal information could be mined from Facebook without the end user’s knowledge or permission.  Unlike prior complaints about lax privacy controls or confusing settings for users to “lock down” their information, the WSJ investigation reveals that Facebook is literally broadcasting (or, more precisely, permitting the broadcasting of) personal information to online marketers, advertisers, and Internet tracking companies.

To be clear, this latest reputation hit for Facebook affects only those who use Facebook applications or “apps” (as opposed to the native “friending” and “wall” features).  Users must take a secondary step of confirming that an app has permission to attach itself to a user profile.  That said, the personal details being shared with these online companies affect tens of millions of Facebook app users—including those who have elected the most stringent privacy setting for their profiles.

Technically, the dissemination practice by app developers uncovered by the WSJ violates Facebook’s rules.  However, the sheer magnitude of personal information being disclosed has renewed concerns that Facebook does precious little to keep its users’ information private and secure.  The compromised data from Facebook users allows online marketers to compile and sell “detailed dossiers of their activities and interests.”

For individuals using these apps, there is serious thinking to do about the continued use of these online gateways to personal data.  For companies employing such individuals, new thinking is required to educate its employee base about proper communication protocols.  This education could require companies to revisit their data management policies, their public disclosure rules, their online monitoring of employees, and even their code of conduct policies to ensure that employees using these compromised applications either discontinue such use or adjust that use commensurate with the company risk that travels with it.  For everyone, this is yet another example of how technology is forcing us to re-think existing notions about information privacy and whether such a concept can be taken seriously for much longer.

Posted in eDiscovery, Information Security, Privacy, Records Retention, Social Networking | Tagged: , , , , , , , , , , , , , , | 2 Comments »

eDiscovery meets CMM…a new benchmarking model

Posted by Johnny Lee on September 21, 2010

EDRM CMMThe excellent consortium of experts at EDRM have delivered a tremendous service to organizations that are wrestling with in-house Electronic Discovery program development.   At long last, a vendor-agnostic framework exists to inform and to guide companies seeking to improve their litigation readiness capabilities without over-engineering their policies or procedures or purchasing technology that underwhelms because it’s misaligned to strategy.

As with any Capability Maturity Model (“CMM”), the basic utility of the model is the objective way in which it identifies key indicators of capability across people, process, and technology within a given organization.  If you’re unfamiliar with the good folks at the Electronic Discovery Reference Model, I strongly recommend you review their excellent research.

This model, developed as part of the EDRM White Paper Series, will help organizations benchmark their current capabilities along a straightforward spectrum.  Additionally, the CMM permits insights into which level of capability is optimal for a given organization, given its unique risk profile, which should cut down immensely on the “boil the ocean” reticence many organizations face when they first embark down the path of developing an eDiscovery readiness program.  Sincere kudos to the great work at EDRM!

Posted in ECM, eDiscovery, Information Security, Litigation Hold, Records Retention | 1 Comment »

%d bloggers like this: