In a recent case, United States v. Bailey, 2003 WL 21705226 (D.Neb. July 23, 2003), a federal district court addressed an employee’s expectation of privacy claim where evidence of child pornography was located in a search of the employee’s work computer. As part of its "Innocent Images Crimes Against Children Initiative," the FBI suspected that an employee within American Family Insurance was receiving child pornography using his company email account. This was discovered through an FBI agent’s undercover investigation of the Yahoo! “Candyman” e-group. Pursuant to a subpoena, American Family Insurance accessed the contents of the Defendant's email account and reported to the FBI that pornographic images were found. Based on this information, the FBI issued a warrant to search the Defendant’s office space and work computer. The Defendant moved to suppress evidence of child pornography located during the search of his work computer. The court held that the Defendant did not have an expectation of privacy in the information stored on his work computer given his employer's practices, procedures, and regulation over the use of the computer property. Specifically, the company had a log-in notice that warned of possible monitoring or searching and required users to click "OK" to proceed. Every time the Defendant accessed his work computer, he physically acknowledged that he was giving consent for his employer to search his computer. The employer also posted company computer-use policies on its intranet site and sent email notification to all users reminding them to read the policy. Denying the motion to suppress, the court stated, “An employee cannot claim a justified expectation of privacy in computer files where the employer owns the computer; the employee uses that computer to obtain access to the internet and e-mail through the employer's network; the employee was explicitly cautioned that information flowing through or stored on computers within the network cannot be considered confidential, and where computer users were notified that network administrators and others were free to view data downloaded from the internet.”

THE BRILL FILES: LONG-FORGOTTEN COMPANY ARCHIVES CAN CONTAIN DANGEROUS DATA

*** Written by Alan Brill, Senior Managing Director for Kroll Ontrack, The Brill Files reflect his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. ***

This summer, at one of the many conferences in which I participated, I had the opportunity to lead a panel discussion on electronic records management. Coming off the heels of this event, I felt it important to take a “back to the basics” look at e-document preservation. In a time when civil litigators and high-tech investigators are becoming more sophisticated about all facets of electronic evidence, it has been my experience that it is often the low-tech aspects of a case that are most easily overlooked. Nowhere is this experience more real than in the area of e-evidence preservation. Today it is almost automatic for counsel to design an e-evidence preservation plan which often includes sending preservation letters to all parties and non-parties, putting them on notice of the duty to preserve digital data. This means safeguarding computer data files and email from accidental, deliberate, or automatically scheduled destruction. It has been my experience that companies generally try to comply with such preservation duties to avoid sanction from the court. The problem arises when the company discovers pools of archived information that no one knew about – or in some cases no one remembered. The lesson is not to wait until litigation ensues to understand exactly what data archives exist within your organization, and then attempt to get those data archives under some form of management. I remember a specific case in which the client discovered early in the suit that an Information Technology manager, not fully trusting their offsite backup vendor, maintained an independent onsite backup. These backups were undocumented and contained far more archival information than was being collected at the vendor’s backup site. Once litigation ensued, this data needed to be preserved and then searched. The data proved useful during the litigation, but unfortunately more so for the opposing party. We’ve been looking at this issue for some time, and have developed a few starting-point recommendations: l Learn what is being stored, where it is being stored, and who is storing it. Consider sending out a survey to determine what files and archives employees, groups, and offices around the world maintain. l Actively manage your data storage. All data must be handled in accordance with a data management plan that should be reviewed and approved not only by the technical staff, but also by IT users and counsel. l Pay special attention to “unofficial” archives that evolved with little formal documentation. This can be a huge surprise to management. Imagine having gone through the work of implementing a system in which routine email messages are only retained for 30 days, to later discover that an IT specialist thought someone might want to recover the emails after 30 days and is keeping a much more complete set of email backups. l Keep at it. New archives can spring up informally at any place and time. There is no magic solution to this issue. Task someone with keeping up to date on your data storage, evolve your rules as necessary, and prevent unauthorized archives from placing the company at risk.

TECHNOLOGY YOU SHOULD KNOW: EXPERT ADVICE WHEN SELECTING A COMPUTER FORENSIC EXPERT

*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***

Choosing a qualified computer forensic expert is a critical element in a case calling for an investigative and detailed analysis of electronic data. The expert must have the proper experience and training to successfully identify and attempt to retrieve possible evidence that may exist on a computer system. As many “experts” exist in the computer forensic arena, attorneys must be very careful when selecting the right computer forensic expert as this decision could make or break their case. When selecting a computer forensic expert, consider the following aspects:

Ensure the expert is qualified.
Determine if the expert has sufficient direct experience with the relevant electronic media at issue. The expert must be thoroughly familiar with both the technology and the concepts surrounding the case and should have extensive technical, legal and industry experience. A seasoned expert will be better able to help determine what information is technically feasible to collect, how to best analyze that information, and how to interpret the resulting findings.

Find an expert with the ability to think outside the computer box.
Computers are not the only form of electronic evidence that investigators should consider when evaluating cyber-evidence. While computer records can be decisive or at least helpful in many cases, they are not the whole story. Building access systems, video monitoring programs, and phone logs could be fundamental to an investigation in the digital age. Also, an expert should look for physical evidence associated with the computer media. For example, notes containing computer passwords may be laying in plain view.

Make certain the expert follows computer forensic best practices.
A firm grasp of basic data handling concepts and computer forensic best practices is the first step to ensure a successful investigation. Check to see if the expert adheres to strict industry standards regarding data collection and preservation. Electronic evidence, just like other types of evidence, is fragile. For example, simply booting a computer or opening a file can change potentially valuable metadata – dates, times and other behind-the-scenes information about the data. The credibility of any recovered data is based on proper evidence handling. If a forensic analysis is done on a piece of media, an expert must make a mirror image – a bit-by-bit snapshot of the original drive – of the media in order to preserve the integrity of the original media.

Question the expert’s chain of custody documentation.
Maintaining a written "chain of custody" on pieces of relevant media is the best way to proactively ensure admission of the data into evidence at trial. A proper chain of custody ensures the reliability of evidence and minimizes any risk that evidence was changed, altered or modified from its original form on the hard drive. Inquire about the expert’s chain of custody documentation and ask to see a sample in order to ensure such documentation will meet best practice requirements.

KROLL ONTRACK CO-SPONSORING STRATEGIC E-COMMERCE SUMMIT

Kroll Ontrack and International Business Law Services (IBLS), a leader in e-Business law, would like to invite you to the Strategic Global Summit for E-Commerce, being held September 18th and 19th, 2003, at the Marbella Country Club in San Juan Capistrano, California. Kroll Ontrack customers are being offered 10 complimentary registration packages on a first come, first serve basis, as Kroll Ontrack is one of the main sponsors of the summit, and Kroll Ontrack’s Alan Brill is scheduled to speak on Friday, Sept. 19, at 9:15 a.m. All California lawyers will earn 13 MCLE credits for attending. Learn the pending changes and trends that will impact the way everyone does business online, as international speakers from government, e-Business, and the legal profession share their insights with you. U.S. Federal Trade Commissioner Mozelle W. Thompson will be delivering the keynote address. Companies which do business online, as well as those looking to expand into e-Commerce will get the latest information on changes in the law, Lawyers will learn how to mitigate their own organization's and clients' online liability. Please visit http://www.ibls.com/events/ for details. Please register at http://www.ibls.com/events/invitation_top.htm and use your promotional code 3741 to receive free registration. Registration is required, so if you are sure you can make it, please register as soon as possible to secure a seat at this dynamic event. If the 10 free registrations have been filled, you can still attend the Summit for the discounted price of $350 per person. Please use promotional code MP5OX4T for this rate if the 10 free slots are filled. For more information or any questions, please contact Eric Gazin, Conference Director, by email at egazin@ibls.com, or by phone at 1-949-250-0601

For more information about these opportunities and other open positions at Kroll Ontrack, visit: http://www.krollontrack.com/careers/jobsearch.asp.

Meet Kroll Ontrack Representatives at the Following Events:

Visit http://www.krollontrack.com/upcomingevents/ for more information on these events and others.

KROLL ONTRACK REQUESTS YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, staff attorney with Kroll Ontrack, with assistance from Charity J. Delich, a Kroll Ontrack law clerk. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or http://www.krollontrack.com/.