Amy Francis, Associate Director in Cyber Security at S-RM, sets out what general counsel need to know about digital forensics and electronically stored information in the context of investigations, the policies and plans to have in place, and where to turn when forensic specialists are needed.
It is widely understood that data security incidents, whether an external data breach or an insider threat, are not purely technical issues that the IT team can deal with alone. Today’s general counsel play a vital role in managing the internal investigations and corporate disputes that can arise from these incidents, and they need to be able to address critical questions regarding digital evidence and understand the facts and opinions presented by forensic experts.
As general counsel, no one expects you to start collecting forensic evidence, analysing malware, or recovering deleted WhatsApp messages yourself. However, you should know the correct steps to take when an incident or potential incident occurs, when to seek external expert assistance, and the common mistakes to avoid.
Why Do You Need a Forensics Expert?
Organisations rely on the use and distribution of electronic data to conduct day-to-day business operations. This has accelerated due to Covid-19, as many organisations have been forced to move their business online and adapt to remote working. Laptops, mobile phones, email accounts, file-sharing platforms, and various cloud accounts are just some of the sources of electronically stored information (ESI) used by employees daily.
When faced with potential legal or compliance issues, such as payment fraud, intellectual property theft, harassment, or issues raised by whistleblowers, these sources of ESI contain evidence that needs to be reviewed as part of the investigation.
IT teams are an essential part of an organisation. Employed to configure and maintain internal infrastructure, the IT department typically helps with system administration and resolving user issues, but is often unequipped to handle ESI that contains forensic evidence.
Forensically preserving ESI with industry-standard tools and best practices captures additional information and metadata that standard IT tools and methods do not. Digital forensics experts are experienced in preserving data in a manner that will stand up in legal proceedings, and in analysing a range of digital evidence to provide verifiable and defensible answers to the key questions in an investigation.
Electronically Stored Information
Having a digital forensics professional conduct the preservation will ensure chain of custody is maintained, and they can verify the preservation of evidence in legal proceedings as an expert witness if required.
There are numerous reasons for an organisation to engage an independent forensics expert. The most common reason is to access specialised skills to conduct the forensic analysis. As ESI is stored in increasingly varied places, from encrypted chat messaging apps to the Internet of Things, more advanced and specialised knowledge is required to recover and analyse the information.
Other drivers include when independence is important, either due to legal concerns relating to regulatory governance or contractual obligations, or because of a potential conflict of interest where there is a suspicion of an insider threat.
Preparation: Policy, Planning, and Practice
The increased popularity of bring your own device (BYOD) policies carries potential complications due to blurred lines between personal and corporate information. How company policies are worded is critical to ensuring the organisation has the right to access the device, and any connected cloud accounts, if a dispute is raised or an investigation is launched that implicates an individual.
Keep Your Policies Updated to Enable Discovery When Required
Does the policy give the organisation the right to access a personal device if it contains corporate data? What about the personal cloud account that syncs to a phone with access to company resources? Is the employee obligated to provide credentials to access these devices and accounts?
Assess the policy and procedures in place for preserving ESI for departed employees. When employees leave a company, the IT team often quickly delete their accounts and erase their devices to re-assign the equipment to another employee. The importance of this information often only comes to light many months after departure, at which point the evidence is no longer available. Consider whether to implement a policy to preserve a copy of employees’ email mailboxes and devices as part of the off-boarding process.
In short, will you be able to quickly obtain access to the ESI for forensic preservation and examination? Are you at risk of losing the data? Or, will you find a court order is required to obtain access to the individual’s devices and accounts, despite them being used for business purposes?
Review and Practice Your Incident Response Plan
Make sure your organisation’s incident response (IR) plan is suitable for response to an insider threat as well as an external data breach, as often the IR plan or crisis management plan is written with an external threat actor in mind. Does it cover the appropriate steps to address potential breaches of employment contracts or company policies?
Conducting a tabletop exercise with a digital forensics provider, to simulate an internal investigation, is a good opportunity to test the plan and ensure key stakeholders are comfortable with how an investigation would play out. This also gives the digital forensics team the opportunity to familiarise themselves with your environment, which means the initial scoping phase of a real investigation is quicker and runs more effectively.
When to Bring in a Forensics Expert
The escalation procedure within an incident response plan should define specific points at which to notify senior management and legal counsel, and when to bring in external experts. Based on conversations with the IT or security team and your understanding of how they may conduct an investigation, you will be able to judge when your organisation has reached the point at which to bring in a digital forensics expert.
Introducing a digital forensics expert early into the investigation is the ideal situation. Their expertise can be invaluable in identifying sources of ESI to preserve before the information is lost or deleted. With so much corporate data stored electronically across a number of different platforms, a digital forensics expert will be most experienced at quickly locating the critical information relevant to the investigation and commencing the preservation of the data in a forensically sound and defensible manner.
When there is concern around misconduct or breach of contract, the initial reaction is often for IT or management to want to ‘dig in’ and look at the devices and accounts belonging to the individual in question. However, ‘quickly checking’ the accounts or devices can overwrite or change important timestamps or artifacts that may be critical to the investigation.
Another reason for bringing in external forensic support early is the possibility the insider may be a member of the IT or security staff. Given their skills and potentially privileged access to systems, this creates a dangerous situation for a company.
Digital forensics experts can also work with the legal team to scope a plan for conducting the investigation, prioritise avenues of enquiry, and provide advice on overall investigative strategy.
During an investigation, the general counsel should ensure that the required human and technical resources from their organisation are available to the investigation team, as well as clear and frequent channels of communication between the key stakeholders within the organisation and the digital forensics expert.
Conclusion: Data Issues Require Digital Solutions
Digital forensics is an essential part of many internal investigations. Knowing how and when to work with digital forensics experts will help an investigation run smoothly, and ensure the results hold up in litigation. Talk to your external counsel, insurance provider, and industry professionals to get referrals to digital forensics providers who can respond quickly and effectively when needed.
Engaging a digital forensics expert through external counsel means analysis and findings are covered by privilege to the best extent possible. Even if at the outset it looks unlikely that the incident will result in litigation, this often changes as new evidence comes to light or third parties become implicated. Given the sensitive nature of most investigations and the potential for future legal, compliance, and regulatory risks, retaining a forensics expert through your external counsel is often the preferred method of protecting confidentiality.