Employee Privacy, Digital Evidence, and the CFE. Kenneth C. Citarella, M.B.A., J.D., CFE Managing Director, Investigations Guidepost Solutions LLC

Transcription

1 Employee Privacy, Digital Evidence, and the CFE Kenneth C. Citarella, M.B.A., J.D., CFE Managing Director, Investigations Guidepost Solutions LLC

2 The Good Old Days

3 CFE s Aerial View 1. What Information Needed? Documentary Personal 2. Where Is It? Container Person 3. How To Get It? Data review Interview 4. Access, Review and Report

4 Scope 1. Quick Overview of Digital Forensics 2. Employee Privacy in Digital Communications 3. How Digital Forensics Impacts Employee Privacy 4. Current State of the Law of Employee Privacy in Digital Communications 5. How the Employers Compound the Problem 6. What the CFE Can Do

5 Digital Data Questions 1. Where it is stored 2. How much is stored 3. How to get it 4. How to be sure it is reliable and admissible

6 1. Desktop 2. Laptop 3. Notepad 4. Smartphone 5. USB Drive 6. Servers Local Corporate Cloud Where It Is Stored

7 CFE s Data Trinity 1. Integrity 2. Chain of Custody 3. Know How to Explain

8 Cloud 1. Which Cloud? 2. Where? 3. Access Controls? 4. Audit Trails? You will need Cloud personnel to establish the authenticity of your data

9 CFE Tip #1 Know the policies and procedures of your Cloud(s) before it is too late for data to be useful to you.

10 Easy Way or Request the data from a reliable source. Or Use Digital Forensics.

11 CSI Version of Digital Forensics E-V-I-D-E-N-C-E

12 Digital Forensics Applies to your media within your physical control. Cloud forensics by cloud provider.

13 Digital Forensics 7 Step Discipline of Investigation 1. Identification 2. Collection 3. Preservation 4. Recovery 5. Verification 6. Analysis of data 7. Report the findings

14 Forensic Workstation

15 Identification 1. Not just the obvious containers 2. Also: digital cameras, handheld PDAs, wireless e- mail devices, fax machines, cell phones, USBs, etc. 3. Any device that can store digital information

16 Collection Must follow standard rules for collection of evidence Chain of custody Same old rules

17 Preservation Extreme temperature changes, moisture, magnetic fields, physical damage Write protect original HDD Avoid the well-intentioned, but untrained

18 Recovery Software Automated process Able to analyze numerous operating systems Training, support, accepted in community Accepted by courts

19 Verification Verification done by mathematical formula A change of one bit would be detected

20 1. Human function 2. Browse through Folder File Cluster Deleted files Slack Space Analysis

21

22

23 Analysis Deleted Files: 1. Still there 2. OS cannot see 3. Forensic software can 4. HDD space available for re-use 5. Length of time recoverable depends on size of HDD, use of the computer

24 Slack space: Analysis 1. Data written in blocks of preset length 2. Last block of file might have empty space (like this line of text) 3. Contents of deleted file not overwritten by empty space at end of block 4. Old contents remain

25 1. Just the facts Report Findings 2. No opinion 3. Probative materials, the bookmarked files are admitted, not the whole report 4. Report gets turned over as part of discovery

26 Forensics Issues 1. Poor forensics will fail to find evidence 2. Impossible to find evidence that is not there 3. Argument is over what it means Not if it is there 4. Search for malware 5. Date and time stamps

27 Forensics Issues 1. Protecting original media 2. Documentation of process 3. Clock verification 4. Software used How widely How well accepted

28 CFE Tip #2 Discuss your objectives and concerns with forensic examiners before they begin work.

29 Employee Privacy Issue: Forensic examination of employee s work-issued digital device General Rule: No privacy issue in contents of device or records of Internet use

30 Employee Privacy BUT What about personal communications via an employer s device?

31 Employee Privacy Caution: No definitive answer

32 Employee Privacy Scenario: Forensic examination of employee s workissued digital device Personal communication acquired Personal communication relevant to inquiry

33 Employee Privacy Is it a privacy violation to read employee s personal s? Any consequences to the investigation?

34 Employee Privacy Courts seem to focus on the scope of the privacy policy. Detailed examination of corporate policy regarding Internet and .

35 Digital Forensics Reminder If employee deletes his personal communications, they might still be there in deleted files slack space

36 U.S. v. Simmons Internet policy said employer will audit, inspect and/or monitor Internet use as deemed appropriate NO expectation of privacy

37 Smyth v. Pillsbury 1. Employee s with supervisor in employer s system 2. Policy says all privileged and confidential and would not be grounds for termination 3. Court found NO expectation of privacy

38 McLaren v. Microsoft 1. Employee s sent over employer s system 2. Stored on employee s computer under password in folder marked Personal 3. Court found NO expectation of privacy because e- mail first transmitted over employer s system 4. Not like an employee s locker

39 Employee Privacy Two recent decisions: 1. Stengart v. Loving Care Agency (NJ Supreme Court) 2. City of Ontario v. Quon (U.S. Supreme Court)

40 Stengart v. Loving Care Agency Issue: Stengart was using personal password-controlled e- mail account from employer-issued computer Communicating with her personal attorney Planning to sue the LCA for workplace harassment

41 Stengart v. Loving Care Agency Stengart resigns and LCA performs a forensic examination of her computer LCA finds s with her attorney Attorney ethical issues rise from failure to disclose

42 Stengart v. Loving Care Agency Court s Approach: 1. Examine LCA electronic communications policies.

43 Stengart v. Loving Care Agency 2. The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice.

44 Stengart v. Loving Care Agency 3. and voice mail messages, internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee.

45 Stengart v. Loving Care Agency 4. The principal purpose of electronic mail ( ) is for company business communications. Occasional personal use is permitted

46 Stengart v. Loving Care Agency 5. It is not clear from that language whether the use of personal, password-protected, web-based accounts via company equipment is covered.

47 Stengart v. Loving Care Agency 6. Terms are undefined. 7. system seems to refer to corporate Policy does not address personal accounts.

48 Stengart v. Loving Care Agency 9. [E]mployees do not have express notice that messages sent or received on a personal, web-based account are subject to monitoring if company equipment is used to access the account.

49 Stengart v. Loving Care Agency 10. The Policy also does not warn employees that the contents of such s are stored on a hard drive and can be forensically retrieved and read by Loving Care.

50 Stengart v. Loving Care Agency Used a personal, password-protected account instead of her company address Did not save the account's password on her computer Had a subjective expectation of privacy

51 Stengart v. Loving Care Agency Court s conclusions: 1. [T]he Policy creates ambiguity about whether personal use is company or private property. 2. The scope of the written Policy, therefore, is not entirely clear. 3. Stengart had a reasonable expectation of privacy in the s she exchanged with her attorney on Loving Care's laptop.

52 Stengart v. Loving Care Agency Consequences: Effort to investigate expected workplace harassment lawsuit created additional cause of action for violation of privacy. Note: Stengart s s were in cache memory, not saved in their entirety.

53 Holmes v. Petrovich Example where court found no privacy interest. The corporate policy said: 1. Company technology to be used only for company purposes. 2. is not private; like a postcard. 3. Company may inspect all files and messages at any time for any purpose. 4. Company will monitor for compliance.

54 Employee Privacy Risk of Poor Privacy Waiver: 1. Poor corporate policy might create civil liability if personal is accessed 2. Might create a restriction on forensic examination

55 City of Ontario v. Quon U.S. Supreme Court Significant facts: 1. Police department 2. SWAT team 3. Text pagers for official communications 4. Private carrier 5. Monthly character limit 6. Excess to be paid by using officer

56 City of Ontario v. Quon Computer Usage, Internet, and Policy: City reserves the right to monitor and log all network activity including and Internet use, with or without notice. Users should have no expectation of privacy or confidentiality when using these resources.

57 City of Ontario v. Quon Department said text messages will be treated as e- mails Quon reminded that usage will be audited because he exceeded limits Continued to exceed

58 City of Ontario v. Quon Sexually explicit Between Quon and wife Fellow police officer

59 City of Ontario v. Quon Sexually explicit Between Quon and girlfriend Department dispatcher

60 City of Ontario v. Quon Court assumptions: 1. Reasonable expectation of privacy in pager communications 2. But not reasonable to assume immune from auditing 3. Reasonable police department employee should expect auditing

61 City of Ontario v. Quon No privacy right in text messages within police agency system

62 City of Ontario v. Quon BUT the Court would have difficulty predicting how employees privacy expectations will be shaped by those changes or the degree to which society will be prepared to recognize those expectations as reasonable.

63 Employee Privacy Employee s might be stored in the Cloud. If so, Cloud forensics might violate employee rights.

64 CFE Tip #3 Examine corporate policy so reasonable expectation of privacy issue is clearly addressed.

65 Social Networking Facebook LinkedIn

66 Social Networking Increasingly used as marketing avenues for sales But can be sources of dangerous malware

67 Social Networking For security, IT may insist social network marketing efforts not go through corporate system Using webmail gives approval for use of non-corporate for business purposes

68 Social Networking May conflict with corporate and Internet use policies and create ambiguity

69 Social Networking No expectation of privacy in any matter posted in social networking site

70 Social Networking Impact of authorized social network marketing on ability to use results of digital forensics on employer-provided digital equipment is uncertain

71 CFE Tip #4 Examine corporate policy so reasonable expectation of privacy issue is clearly addressed AND be sure it covers social network marketing.

72 You Want What? Be involved in: 1. Computer security, including Cloud migration 2. privacy policy 3. Social network marketing policy

73 Conclusion, sort of City of Ontario v. Quon: the Court would have difficulty predicting how employees privacy expectations will be shaped by [communication] changes or the degree to which society will be prepared to recognize those expectations as reasonable.

74 Thanks! Kenneth C. Citarella Managing Director, Investigations Guidepost Solutions LLC