Not so long ago, it was considered unduly burdensome, or somehow disproportionate, to examine text messages on mobile phones during disclosure or eDiscovery. Data forensic examiners have been querying this kind of data with specialised tools for nearly a decade, though that may be a generous estimate. The cost of the technology needed to extract data effectively from mobile devices has come down, and the sharp rise in requests to perform these operations in eDiscovery means that examiners can now carry out such extractions and analysis far more justifiably than when the work was considered exhaustive.
In Our Experts' Opinions: The Altep Blog
TAR eDiscovery orders and opinions have made some big splashes in the last five years, and the recent FCA US LLC v. Cummins, Inc. order, despite being brief, was no exception. The court took up the question of whether culling a data set with keyword searches before applying Technology Assisted Review (i.e., TAR or Predictive Coding) is the preferred method. The answer, in the court’s opinion, was simple but powerful: it is not.
In my work as an Information Security Engineer, I am regularly asked to assess the practices and technologies corporations use. In the performance of Altep’s Risk Assessment service, my colleagues and I examine a broad variety of factors ranging from account credential management to network device configuration to audit policies. To date, we’ve provided these services for dozens of companies in the healthcare, retail, and legal industries, as well as for a number of public sector organizations. Often, we perform network, wi-fi, and web application penetration testing as a complementary effort, and assist the organization in identifying the most effective and affordable approaches to remediation of identified vulnerabilities and issues.
In the course of these engagements, I’ve seen a wide range of problems and vulnerabilities, many of which are easy to correct. Straightforward changes in the configuration of a network appliance, for example, can prevent unwanted and potentially dangerous traffic, and implementing a yearly training and awareness program can help ensure that employees don’t inadvertently contribute to cyber risks. Out-of-the-box programs are readily available and affordable – “Securing the Human,” from the SANS Institute, is a good one – so there’s no reason to leave this important area of risk unaddressed.
In my most recent piece, “Difficult Devices,” I discussed some of the ways in which hardware sometimes presents physical challenges for examiners and other forensic practitioners. However, in some situations, it’s not the device that poses the problem; instead, the data is what hampers the eDiscovery effort or investigation.
Forensic matters pose a variety of challenges. Sometimes potentially important data has been deleted; sometimes the cost of labour is restrictive; and all too often, the deadline by which processing and analysis must be completed is extremely tight. There are myriad solutions to these issues, but what do you do when the device itself is the thing that’s making the case so difficult?
Just when we thought we’d hammered out a practical and scalable approach, an Elf named Sugar Toes raised a thorny problem: namely, the fakers. You know the ones: those kids who act nice, especially when adults are watching, but who actually are not nice at all while interacting with others on social media. It seems that Sugar Toes had done a spot check of the Nice List, cross-referencing the children’s Twitter and Facebook accounts, and what he’d uncovered was concerning. The Nice List was full of cyber bullies, haters, and internet trolls (not to be confused with Christmas trolls, who steal candy). There were even instances in which children had posted bathroom selfies.
It’s that time of year again - the time when girls and boys all over the world start to behave a little better in hopes of getting on the list. They go to bed on time, eat their vegetables without being told to, finish all their homework, and even treat their siblings nicely for a change. Not so long ago, these efforts would have done the trick, but this year, Santa is introducing a game changer, and naughty boys and girls had best be prepared.
With offices throughout the United States and Europe, Altep staffs experts in a wide variety of fields, including litigation and law enforcement, information security, compliance, and eDiscovery/eDisclosure.
Each location brings its own unique experiences and specialties to the table; we talked to Eamonn Markham, Altep's Regional Account Executive in San Francisco, to understand what makes the San Francisco office special.
2015 was a watershed year for malware development. Not only did we see more unique malware than in any other year, we also witnessed a very clear shift in malware behavior: namely, a trend toward polymorphism.
By Hunter McMahon and Sara Skeens
Surviving eDiscovery can be just like conquering an obstacle course race (OCR). It takes the right gear, experience, training, and attitude. As obstacle course enthusiasts and eDiscovery strategists alike will tell you, you don’t get to choose the course or the obstacles—they are given to you “as is.” Therefore, preparation and agility are key characteristics of a true OCRer.
Ever since the March 2, 2015 Rio Tinto opinion and order, there has been a lot of buzz in eDiscovery around the phrase “Continuous Active Learning” (CAL). Judge Peck briefly mentioned CAL while summarizing the available case law around seed-set sharing and transparency. For the sake of clarity, the term seed-set in this post refers to the initial group of training documents used to kick off a Technology Assisted Review (TAR) project. We refer to the review sets that follow as training sets. The point of Judge Peck’s mention of CAL, as I understood it, was to alert readers to the possibility that seed-set selection and disclosure disputes may become much less necessary as TAR tools and protocols continue to evolve.
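For readers who prefer to see the mechanics, the CAL feedback loop can be sketched in a few dozen lines. This is a purely illustrative toy, not any vendor's implementation: the corpus, the term-overlap "model," and the simple stopping rule are all invented for the example. Real TAR platforms use trained classifiers and statistically grounded stopping criteria, but the shape of the loop – review a batch, fold the human's labels back into the model, re-rank everything unreviewed, repeat – is the same.

```python
import random

# Hypothetical toy corpus: each "document" is a set of terms; documents
# containing the term "defect" are treated as relevant for this simulation.
random.seed(7)
VOCAB = ["defect", "recall", "invoice", "lunch", "schedule", "warranty"]
corpus = [set(random.sample(VOCAB, 3)) for _ in range(200)]

def is_relevant(doc):
    """Ground truth, known only to the simulated human reviewer."""
    return "defect" in doc

def score(doc, relevant_terms):
    """Naive stand-in for a classifier: overlap with terms seen in
    documents the reviewer has already coded relevant."""
    return len(doc & relevant_terms)

def cal_review(corpus, seed_ids, batch_size=10):
    """Continuous active learning: after every reviewed batch, update the
    model and re-rank the unreviewed documents, so the seed set matters
    less and less as training continues."""
    reviewed, found, relevant_terms = set(seed_ids), set(), set()
    for i in seed_ids:                      # human reviews the seed set
        if is_relevant(corpus[i]):
            found.add(i)
            relevant_terms |= corpus[i]
    while True:
        unreviewed = [i for i in range(len(corpus)) if i not in reviewed]
        if not unreviewed:
            break
        # rank unreviewed docs with the current model; review the top batch
        batch = sorted(unreviewed,
                       key=lambda i: score(corpus[i], relevant_terms),
                       reverse=True)[:batch_size]
        hits = 0
        for i in batch:                     # labels feed the next round
            reviewed.add(i)
            if is_relevant(corpus[i]):
                found.add(i)
                relevant_terms |= corpus[i]
                hits += 1
        if hits == 0:   # toy stopping rule: a batch with no relevant docs
            break
    return reviewed, found

reviewed, found = cal_review(corpus, seed_ids=range(10))
total_relevant = sum(is_relevant(d) for d in corpus)
print(f"reviewed {len(reviewed)} of {len(corpus)}; "
      f"found {len(found)} of {total_relevant} relevant documents")
```

The point Judge Peck was gesturing at falls out of the loop's structure: because the model is continuously retrained on every batch of human decisions, the composition of the initial seed set has a shrinking influence on the final ranking, which is why seed-set disclosure disputes may matter less as these protocols mature.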
I recently started getting back into training mode. I dusted off my road bike, my swim cap, and my running shoes to attempt a personal record on a triathlon I had done a few years ago. I mapped out a plan, prepared my training tools and started to push forward. My training included many techniques to help with the efficiency of my workouts and accommodate my busy schedule. My plan was clearly defined, running smoothly, and I was getting stronger and faster each day.
If you are reading this blog, you have probably heard the story many times by now: document review is the most expensive part of eDiscovery. Like many, I find myself asking the same question again and again. How can we do it better? One obvious answer is by defensibly reviewing less. The not-so-obvious part of that answer is the available methods for doing so.
Earlier this month I ran in the Spartan Super race in Asheville, NC (Black Mountain). After more than 2,000 feet of elevation gain and a rapid descent, a course spanning over 10 miles, 26 obstacles, and 155 burpees… I was DONE! It was by far the hardest competition I’ve completed.
There are many kinds of data that hackers find profitable, and any number of different targets, from retailers to universities, where that data can be found. However, one group of victims is by far the most popular among data thieves, not because they are necessarily the easiest to breach, but because the data they hold is more valuable.
What has more value to you: your medical records or your financial data? At first glance, it would seem that an x-ray wouldn’t be worth as much as a debit card number – after all, one is just an image of the skeleton, but the other can be used to purchase practically anything, in person or online. However, the truth is that medical records often contain a great wealth of Personally Identifiable Information (PII) and Protected Health Information (PHI), including your first and last name, date of birth, physical address and - most importantly - your Social Security Number.
You’ve Been Breached. Pay the sum of 950,50 Bitcoins, or else...
Has it happened to you yet? Take notice of the not-so-subtle “yet”. I’ve been fortunate to work with some of the best and brightest InfoSec people, as well as my own data forensics group, on incident response (IR) engagements. It’s dizzying and quite chaotic until the teams are plugged in and making hurried sense of complex events. Who got in? How many times? What was the point of ingress? Bad firewall rules? Weak VPN passwords? Third-party software vulnerability?
Dynamo Holdings Limited Partnership v. Commissioner
In an order dated July 13, 2016, the U.S. Tax Court once again strongly supported the use of Predictive Coding. The case had already featured some notable opinions and orders on the topic. This recent order is a fun read for analytics nerds and newcomers alike, as the Court did a great job of laying out the associated facts and addressing the typical arguments for and against use of the technology. Here are a few items that caught my attention as I read it.
This article assumes that Technology Assisted Review is being deployed in a production review setting where the user seeks to identify potentially relevant documents from among a larger corpus, and to subject those documents to full manual review. The use of TAR as an investigative or fact-finding tool is a more financially flexible proposition, and the efficiency of that approach should be evaluated by separate standards.
There has been some debate in the past few years about the proper role of the Subject Matter Expert (SME) in technology assisted review (TAR) – a discussion which has understandably resulted in plenty of disagreement. There was a time when most blog posts and white papers swore that SME training was the only path to success, but that position looks to have softened some.
I say this to colleagues all of the time: “People will trade privacy for convenience every step of the way.” My contemporaries nod reassuringly, perhaps in an attempt to hush my banter, though maybe they actually represent a large contingent of informed people who agree.
By Joshua Tolles and Sara Skeens
Solving Challenges in the Presentation Phase
In our last post, we discussed the value of looking at analytics in eDiscovery with a creative mindset, and a few steps that you can take to expand your problem-solving horizons. As we noted there, analytics is most commonly thought of as a tool to be applied during the review phase of the EDRM to control data sizes; however, we'd like to change that. At Altep, we frequently use analytics to solve many more problems than just those found in the production review arena. With a firm grasp on the technology, plenty of curiosity, and a healthy passion for "building a better mousetrap," we have found quite a few areas where analytics can help turn the eDiscovery rat race into a more methodical and scalable process.
This past Spring I splurged and bought the Garmin Fenix 3. The thought was that if I better understood how I was training, I could elevate my efforts and become more effective in planning my workouts. I may not be a professional athlete like Hunter McIntyre or Ryan Atkins, but with limited hours in the day I need to make sure my time is spent as efficiently as possible. So of course, I needed more data.
These days data is one of the most valuable commodities in the ever-growing global market. Companies are collecting data on users, site visitors, patrons, etc. through a myriad of methods. Data generation and retention has grown exponentially along with the value of data, as the cost of storing it has declined. There are two very clear results of this trend (among many).
First, there is an assumption that it is easy to understand data. The benefit of data is that "it is what it is;" however, without context it is often hard to understand data. For example, the number "53" means nothing in and of itself. Associating it with me personally, still not much. Tied to me as my resting heart rate…now you've got data with purpose. Unfortunately, today's disparate data sources do little to simplify this problem, despite the advancement of technology. Data is becoming more complex and multidimensional. Ultimately, the value of data is limited to how it can be understood and applied to a given situation. Without that, having a vast amount of data is a liability.
Second, there has been an impact on privacy. The more connected we are as a society, the more data there is available on us as individuals. Your shopping habits, web browsing habits, the route you take to your favorite coffee shop, the coffee you order, etc. – all of these data points are available for collection by anyone with the motivation to do so. Unfortunately, most consumers don't understand just how often they leave digital breadcrumbs. Potentially more concerning, some companies don't understand the ultimate impact of all the breadcrumbs they are gathering. Responsibility for failing to appreciate this impact lies with both the business and the consumer.
As with data collected by a business, the training data I now have access to is only helpful to the degree that I can leverage it to upgrade my training plan. Fortunately for me, Garmin has developed a multitude of dashboards and insights that help consumers understand all of the data it is collecting during a workout (pace, elevation, heart rate, temperature, etc.). Garmin is very aware of the type of data it is collecting, and its privacy policies and security FAQs are readily available on its website. I personally like this statement: "While Garmin partners with many third parties to provide you with a rich experience, we do not provide third parties access to your personal data without your consent."
Of course, my success at improving my training is predicated on one very important factor – that I am willing to put forth the effort. So despite soreness from the Spartan Revolution workout this past weekend, I got out and went for a good run earlier this week and here's some of my data! Do you know what it represents?
What is your data saying?
Mine constantly says MOVE…FASTER!
This post also appears on Hunter's LinkedIn page.
The United Kingdom has not left the European Union. This endeavour will be painfully drawn out, taking anywhere from two to four years before it is done and dusted – the exit, that is. As a rough technology analogy, it will be a bit like yanking a single power lead from the tangled mess of surge-protector madness beneath your feet.
The largest areas of concern are immigration, employment law, and major regulatory change, particularly in the financial sector. Nothing is going to change in the interim, though preparation is essential for corporate entities. I am an American by birth, but a UK resident via the EU right to reside (read: thanks, wife), so I am not sweating that aspect. Companies, however, ought to look at contracts and other areas to evaluate risk where it may arise.
There needs to be a clearly articulated understanding about free movement before the highly Googled Article 50 of the Lisbon Treaty can be invoked. Notification under Article 50 is the key step in the exit process for the UK, and its subtleties will no doubt be highly contested; the exit process cannot even begin without it. For instance, single terms like "shall" are being pored over by some of the world's greatest legal minds, largely in protest of Thursday's outcome, I suspect. The people have spoken, albeit extremely narrowly, so MPs are likely to confirm the mathematically popular "leave" voice. Both sides of the referendum campaign built duplicitous platforms that confused voters more than they aided them.
I'd prefer this short piece not percolate into a hot brew of political chit-chat, since speculation is not the nature of a data forensics expert. In the interest of providing an opinion, however, I find it necessary to reiterate the sentiment from an earlier post prior to the historic vote: the UK (or whatever is left of it following a possible Scottish independence referendum, and implications for Northern Ireland) will likely adhere to a finalised version of the EU's GDPR. Even heavy-hitting Brexit campaign leaders like former London Mayor Boris Johnson have expressed a great deal of interest in negotiating a single EU trade bloc deal between the Union and the UK, despite being told by German and French leaders that we in the UK would have zero preferential access to the single market, as it were.
In areas of trade and immigration, we are likely to see changes in the UK and, reciprocally, in the continental EU, since the UK is Europe's second largest economy, trailing only Germany. Whilst the UK appears to be moving towards a leave effort, the desire for life and commerce to remain relatively unchanged will be a priority, and as such, data privacy and transfer mechanisms will follow suit. It is early days, but we should know much more as the calendar pages flip. My colleagues and I are certainly plugged into this to ensure our clients are well informed as early as possible.
Do not hesitate to e-mail with any enquiries, but please expect a delay.
This post also appears on Tim's LinkedIn page.
"…in the event of a Brexit, Britain will no longer be subject to its provisions. What regulations might the UK adopt instead, and how will they impact the global political and business landscape?"
Either way, companies in, around or dealing with data in the EU will most certainly need to take steps to prepare for the new requirements that will take effect in May of 2018.
Just as there are different environmental climates that can quickly impact your training, there are different data privacy environments that will impact your data obligations. The amount of water I may take with me on an evening run in Southern California is drastically different from the amount I'll need on a muggy summer evening in Georgia. Whether your endeavor involves ESI or OCR, understanding how to prepare for and fulfill those needs before you are out and about is critical for success – on the trail without water, or transferring and processing data without permission.
This post also appears on Hunter's LinkedIn page.