CONSULTING
|
DIGITAL FORENSICS
|
E-DISCLOSURE
LEGAL NEWS Issue 15
www.cclgroupltd.com
DPAs: CRACKING DOWN ON CORPORATE CRIME IN A ‘PECULIARLY BRITISH’ WAY by Umar Yasin
From 24th February 2014, deferred prosecution agreements (DPAs) formally became part of the prosecutorial toolkit here in the UK. Available to both the Serious Fraud Office and the Crown Prosecution Service, DPAs are now formally enshrined in statute, under Section 45 and Schedule 17 of the Crime and Courts Act 2013, which received Royal Assent back in April 2013. DPAs can be entered into for a wide variety of economic crimes, ranging from bribery, theft and money laundering offences, to false accounting and fraud offences. According to the Attorney General, Dominic Grieve QC, DPAs ‘will enable prosecutors to take appropriate action against commercial organisations involved in economic crime, and that they will work well alongside existing methods’. Meanwhile, the SFO is hoping that this new tool at their disposal will help them to investigate and tackle corporate crime more effectively, particularly those offences that predate
the 2010 Bribery Act. Throughout the consultation period that ran until September 2013, it also became clear that both the CPS and the SFO are also hoping that the availability of DPAs leads to increased self-reporting by corporates. We discussed the key elements of DPAs back in Issue 8 of Legal News, such as the requirement for judicial oversight to determine whether a DPA would be ‘in the interests of justice’ as well as ‘fair, reasonable and proportionate’. Also, the fact that no corporate can request a DPA and can only be invited to discuss entering into a DPA by the SFO or the CPS. In addition, DPAs are only available to corporate bodies and not to individuals. Despite corporates not being able to request a DPA themselves, a prosecuting agency can be alerted to a potential corporate crime that can be dealt with by a DPA, through three main ways; either through self-reporting by the corporate or a
IN THIS ED
ITION...
> DPAs > Though ts for the month > Pre-CM C disclosure timeline > Review accu > Rise of th racy e cryptocurre ncies > The real CSI > CPD co urse > About C CL
whistleblower, or where the SFO or CPS are made aware of a potential crime through sharing intelligence and information with agencies, such as the National Crime Agency or the Security Services. We will continue to explore and discuss DPAs and what makes them a ‘peculiarly British’ arrangement over upcoming editions; particularly pertinent issues such as the seeming lack of incentive for corporates to self-report, which the Guidelines and Code of Practice on DPAs seem to suggest. For example, if DPA discussions fail, and the corporate has already disclosed documents, including internal reports, these documents can still be used by the prosecutor in any subsequent proceedings or prosecutions. Similarly, the fact that the Guidelines state that even after a successful DPA has been entered into, any financial penalty imposed should be comparable with the fine likely to have been imposed following an early guilty plea, which seems to provide little incentive for corporates.
1
RICHARD HALE, Senior Digital Forensic Analyst Richard has been with CCL for over six years and in this time has progressed from imaging technician to supervisor in CCL’s mobile device lab. Richard has completed in excess of 600 cases and appeared in court on numerous occasions to present evidence as an expert witness. In addition, Richard regularly writes and presents seminars on mobile device forensics for both university students and legal professionals. He also plays a key role in the selection process and training of CCL’s trainee mobile device analysts.
Richard’s thoughts for the month I was recently reminded of the prevalent use of social networking for more than just sharing news and events. A friend of mine was recounting a recent conversation with a colleague whose daughter had become a victim of cyber bullying through the use of a popular social networking site. What had initially started off as a minor falling out between school friends had quickly escalated. Fortunately, the situation was resolved swiftly. However, this type of bullying is not confined to the school yard and has become common in all walks of life, including the workplace. What can seem like a joke or a picture shared amongst colleagues can soon develop into cyber bullying. Companies need to be aware of this type of harassment, especially when it involves the use of company equipment. Many companies provide their employees with mobile devices, such as phones and laptops, but do they have a policy on viewing and collecting the data held on them? Some companies have also initiated a bring your own device (BYOD) policy, which has made monitoring of data increasingly difficult. Organisations may increasingly need to draw on the services of legal professionals to provide advice and guidance in relation to these issues. Over the years, CCL has provided many ‘first response’ courses to both corporates and law firms, giving advice on what to do when they suspect misuse of company issued devices, how digital forensics can help, the steps to take to ensure that potential evidence isn’t lost, warning signs and how to respond, as well as providing guidance on how to implement effective policies surrounding company data and BYOD – which all helps to minimise the potential impact and disruption these incidents can cause.
SIAN MARSH, Imaging Technician Sian is an Imaging Technician at CCL and joined the company in 2013. She carries out imaging, both in the laboratory and on-site, working with various types of digital media every day. Sian’s background is in traditional forensics. Prior to joining CCL, she worked at LGC Forensics within the marks and traces team. She holds a highly sought after qualification in blood pattern analysis and is also a registered technician with the Royal Society of Chemistry. Sian also teaches on behalf of Crime Scene Resources at their popular forensic awareness day held at various schools across the UK.
Sian’s thoughts for the month Having only recently entered into the world of digital forensics, it is already strikingly apparent how fast technology is advancing. The capacity of hard disk drives is ever increasing, with one case dealing you an 80GB drive and the next serving you a hefty 2TB drive, which in turn has impacts on timescales, not only within imaging, but further down the analysis route. This poses a bigger problem when it comes to on-site imaging. However at CCL, the equipment and resources that we have available to us mean that we can image a large number of devices on-site in one go, removing the need for seizure. By being able to effectively image a variety of devices such as USB memory sticks, servers, laptops and tower PCs on-site, we can reduce the disruption caused. We have various TD3, TD2 and TD1 devices at our disposal. These are portable imaging devices that work at high speeds to minimise the duration of the imaging process. We also have bootable imaging software contained on CDs and USBs such as Raptor and Macquisition. Therefore, if a hard disk drive is not easily removable or its removal may cause damage, CCL can still take a forensic image on-site. Due to the evolutions of technology, we are seeing more and more SSDs. To tackle this we keep an SSD adaptor in our field kits to allow us to image these on-site. At CCL we are always prepared - with our dedicated imaging kits packed ready to go so that we can attend a job with all the necessary equipment and brain power!
2
PRE-CMC DISCLOSURE TIMELINE by Rob Savage Much emphasis is given to the new pre-CMC deadlines imposed by Jackson in April 2013, and there have already been a number of highprofile dressing downs of parties who have not adhered to them - the now infamous Mitchell being the main example of this. When it comes to disclosure, parties now need to exchange and file the Electronic Documents Questionnaire (form N264) no less than 14 days prior to the first CMC, and discuss disclosure no less than seven days in advance. A naive lawyer will leave it to the last minute before looking to address these two requirements. As Rix LJ in Nichia v Argos [2007] EWCA Civ 741 said ‘Indeed, it is hard to think that even before launching proceedings, a claimant has not carried out, in its own interests, such a review of its own documents as will in all probability have already met, or all but met, the requirements of a reasonable search’. While in practice we know this is not always the case, in an ideal world completion of the EDQ should be an easy task if, as part of the pre-action stages of the litigation, sufficient attention has been given to electronically stored information. For example, I recently assisted a lawyer in the completion of the EDQ 15 days in advance of the first CMC. This assistance involved helping them to formulate a questionnaire for the client’s IT team and then subsequently collating and analysing the responses. I am sure that while the client was contemplating litigation they would have gone through a similar process internally, to find where relevant information might exist. Also, to ensure they were complying with their duty to preserve, an exercise must have been carried out to discover where information exists in order to preserve it. My point is, many of the questions in the EDQ are things that should have already been considered as part of the natural course of the case. Starting the EDQ at an earlier stage could be an effective way to capture this information and save yourself some effort further down the line. The Technology and Construction Solicitors’ Association (www.tecsa.org.uk) have published an e-disclosure protocol and associated guidance. Within the guidance there is a diagram that outlines the different stages of litigation and the actions in relation to e-disclosure that need to be taken at each stage. This is a very useful reference point and I would urge any lawyer faced with a case which may involve the searching and disclosure of electronic documents to refer to this, even if the case is not in the TCC.
For more advice and guidance on completing the EDQ, or information on any of CCL’s products and services, please call us on 01789 261200, email edisclosure@cclgroupltd.com or visit www.cclgroupltd.com
Suggested Pathway to the First CMC Parties exchange EDQs (To kick-start the dialogue process)
Disclosure Discussion (Requirement: no less than 7 days before CMC Nb: the disclosure discussion should take place significantly before this)
Parties agree Protocol
File Report & EDQ (Requirement: no less than 14 days before CMC)
File Form H (if applicable) (Requirement: no less than 7 days before CMC)
CMC 3
REVIEW ACCURACY - T PRIVILEGED INFORMAT Throughout the e-disclosure process a lot of time and effort is spent on ensuring the reliability of the exercise. We have processes and procedures in place to ensure that all possible data is captured and considered. Unfortunately, even though we may have the most advanced software and hardware on the market, and employ cuttingedge techniques, there remains one inherent flaw in the process. One unreliable element that is expensive, finite and error prone. An element that varies wildly in quality and reliability and can only function consistently for short periods at a time. That is, of course, the human element. Of all the phases in an e-disclosure project, the one which is most reliant on human input is the review. Up to this point the work has largely been done by e-disclosure tools such as Nuix and Clearwell. In contrast to, say, keyword searching where the tools make the decisions based on definite criteria such as keywords, the review process relies on humans to make many thousands of decisions over an extended period. In this article I am going to consider how likely it is that privileged documents will be inadvertently disclosed. I will approach this by taking a very simplistic look at the probabilities involved. I appreciate that this is perhaps an overly simplified model, but hopefully it will highlight the inherent risk when it comes to large scale review exercises. In a typical review exercise we would expect to see a review accuracy of between 85%-95%. This means that, even in the best case, for every 100 documents reviewed, five of these will be tagged incorrectly. This may not sound like many but when the review exercise involves, say, 50,000 documents, we would expect to have 2,500 incorrectly tagged. I took a quick look at the last few projects we have undertaken and found that, on average, roughly 68% of documents were tagged irrelevant, 31% relevant and 1% privileged. Extrapolating this means that in a review of 50,000 documents, 1,700 documents have been tagged irrelevant when they should not have been, 775 have been incorrectly tagged as relevant and 25 incorrectly as privileged. It is for this reason that most review exercises will have a QC phase, where the decisions made in the first pass review will be reviewed by a second reviewer. A typical way of undertaking this will be for all documents marked as ‘Relevant’ and ‘Privileged’ to be checked, and 10% of those marked ‘Irrelevant’ to be checked. So, all of the 775 documents tagged incorrectly as relevant and the 25 tagged as privileged have been
4
THE RISK IN DISCLOSING TION by Rob Savage re-reviewed. Assuming a 95% accuracy, I still have 39 documents incorrectly tagged as relevant and one incorrectly tagged as privileged. 10% of my 1,700 incorrectly tagged irrelevant documents have been re-reviewed at an accuracy of 95%, meaning I now have 1,539 documents tagged incorrectly as irrelevant. Any exercise needs to be proportionate and it would be wholly disproportionate to undertake secondary, tertiary or quaternary QC phases. In fact, you would need to review a population of 50,000 documents in its entirety five times over, to achieve a 99% certainty that every document is tagged correctly. In the case of Digicel (St. Lucia) Ltd & Ors. v Cable & Wireless Plc & Ors [2008] EWHC 2522 (Ch), Mr Justice Morgan stated that the rules do not require that no stone should be left unturned, even if a smoking gun is not found. With this in mind my concern would not necessarily be with irrelevant documents accidentally being disclosed, or relevant documents being overlooked, but with privileged documents mistakenly being disclosed. We know from the above that in a review of 50,000 documents with a single QC phase, statistically there will be 39 documents mistakenly disclosed. Working on the assumption that 1% of documents in a review set are privileged, means that in this case we have a 39% chance of inadvertently disclosing a privileged document. If our reviewers were operating at 90% accuracy instead of 95% across a population of 100,000 documents, then statistically we will end up not just disclosing one privileged document but three - a frightening prospect! There are two ways to tackle this: taking further steps to reduce the chances of incorrect disclosure, or taking steps to make it easier to ‘claw back’ incorrectly disclosed documents. Part 31.20 of the CPR states ‘Where a party inadvertently allows a privileged document to be inspected, the party who has inspected the document may use it or its contents only with the permission of the court.’ Meaning there is no automatic protection and right to claw back incorrectly disclosed material. The Technology and Construction Solicitors’ Association have published an e-disclosure protocol (www.tecsa.org.uk/e-disclosure). Part 7.2 of this gives suggested wording for direction in place of CPR 31.20, which is much more collaborative and, critically, states that there is no ‘waiver of privilege’ in the case of inadvertent disclosure. Ideally though, parties would never have to rely on directions such as this. While it may not be possible to guarantee 100% certainty, steps can be taken to get as near to this as possible. In my opinion, in cases where the risk is particularly high, it is worth putting in place such measures. The main risk factors to look out for are: high numbers of documents, large distributed review teams, drafted review teams who are not involved in the case on a day-to-day basis, complex issues, multiple parties and cases involving firms of lawyers or professional indemnity. For a case involving one or more of the above, it may be worthwhile putting in an additional QC phase with the sole objective of checking the disclosure list for privileged material, as a final check prior to exchange.
CASE STUDY EXTRACTION OF DATA FROM IN-CAR GPS NAVIGATION SYSTEM THE CASE: CCL was approached by a law enforcement agency to examine the GPS navigati on system built into a luxury sedan vehicle. The force were able to remove the navig ation unit from the vehicle, bu t had no means to extract any data.
WHAT CCL DID: Upon receipt of the exhibit, CC L’s analysts carefully stripped it down in order to locate and extract the storage devic e. It transpired that the storag e device was protected by the manufacturer so tha t it could only be used in tha t vehicle. Nevertheless, CC L’s analysts were able to by pass this security mechanism and acquire a full forensic im age of the navigation system . But this was only half of the challenge. The files acquir ed from the forensic image did not relate to any navigati on software which CCL had encountered previously. THE OUTCOME: The R& D team were able to quick ly reverse engineer these bin ary data structures and deco de details of visited destinati ons, phone calls and address book entries.
5
RISE OF THE CRYPTOCURRENCIES by Umar Yasin Bitcoins, Litecoins or Dogecoins; cryptocurrencies have hardly been out of the news in recent months, with a high-profile attack on Mt.Gox, a main Bitcoin exchange, and its subsequent bankruptcy attracting the increasing glare of regulators across the globe. A few months ago the main media association with Bitcoins was their use for various criminal activities on the online underworld marketplace, Silk Road.
currencies are dealt with. In Singapore, cryptocurrencies are classed as goods, so are subject to the usual goods service tax.
On a much more positive note, these cryptocurrencies have seen an increasing acceptance by major global businesses, with the likes of Virgin Galactic, WordPress, Overstock and Zynga already accepting Bitcoin payments. Earlier this year, the leading London media law firm Sheridans also announced that it would accept Bitcoins.
From Bitcoin ATMs mooted in Dubai to news of a US-based derivatives exchange exploring the creation of a Bitcoin swap (which would certainly be attractive to investors who are otherwise deterred by the massive fluctuations in price), cryptocurrencies are rising in popularity amongst consumers and are even increasing in acceptance amongst regulators. These issues and questions around the legality of cryptocurrencies, and the kind of regulatory environment that is needed, show no signs of going away. We will continue to explore the issues raised by the rise of the cryptocurrencies in upcoming editions.
Aside from any economic arguments for and against a non-fiat, digital, deflationary (Dogecoins are not deflationary, but both Bitcoins and Litecoins are) currency that is not controlled centrally; cryptocurrencies also throw up a plethora of legal and regulatory issues, from moneylaundering and tax implications to data privacy issues. Reaching some sort of consensus on cryptocurrencies remains to be seen; with regulators in different jurisdictions taking varying views just on the tax position of cryptocurrencies. Take the recent decision by the IRS in the United States to treat cryptocurrencies as property rather than currency, thus meaning that they are treated as taxable income if used to pay wages, and subject to capital gains tax in the same way as other assets. Contrast this with the recent Danish decision not to treat gains and losses from Bitcoin trading as being subject to taxation. HMRC has also recently revised its taxation treatment of cryptocurrencies, removing VAT from income received from Bitcoin mining activities, and exempting VAT on the value of any Bitcoins exchanged for Sterling or other foreign currencies, which brings HMRC’s approach towards cryptocurrencies much closer to the way in which other foreign
6
The taxation treatment for cryptocurrencies in various countries seems to be progressing, as compared with the legal and regulatory frameworks, which must catch up and provide a comparable framework for dealing with cryptocurrencies.
BLOCKCHAIN A shared public ledger on which the entire Bitcoin network relies. All confirmed transactions are included in Blockchain. This way, Bitcoin wallets can calculate their spendable balance and new transactions can be verified to be spending Bitcoins that are actually owned by the spender. The integrity and the chronological order of Blockchain is enforced with cryptography.
FINITE SUPPLY There will only ever be 21 million Bitcoins produced and it will take until about the year 2140 to get them all.
BITCOIN BLOCKS Every 210,000 blocks the number of new Bitcoins released by mining a block is halved. From January 2009 to November 2012 it was 50 Bitcoins per block, now it is 25. Around September 2016 it will be 12.5 and so on.
THE REAL CSI: REMOTE FORENSICS by Sarah Turner Picture the scene: 21:37: A black Hummer parks up discreetly across the street from the lavish offices of the large multinational. Cool as a cucumber, the Lieutenant hops out of the passenger side and leans on the van, hands on hips, gun in holster, gazing into the middle distance as the city traffic passes by. His uber-tanned, glossyhaired Lead Officer joins him.
We’ve been monitoring these guys for months. Half the senior management team are involved in this fraud. Luckily the internal investigations guy is on to them – he’s leaving the building open for us to get in once everyone has gone The pair wait as the last few office lights are switched off and the remaining late workers make their way home. With the all clear, the Lieutenant’s team of officers jump out of the Hummer and sneak into the building.
Get their computers… this’ll give us the evidence we need The tanned officers plug their devices into the executives’ computers and start copying files across for analysis. This all happens seamlessly and effortlessly, and is complete within a matter of minutes. The team then make sure the devices are all put back
exactly as they were found, ready for when the execs arrive in the morning. While certainly entertaining, is this the best way to conduct a covert investigation? There are many instances when forensic investigations need to be conducted covertly. For instance, corporate internal investigations where issues can include theft of IP, fraud and sabotage often require a covert approach, to enable business to continue as usual and to ensure that those under suspicion are not aware that they are being investigated. CCL has worked on a number of engagements where the key requirement has been for the investigation to be conducted covertly. Covert investigations can be conducted in two ways: deadbox – getting direct physical access to the device in question while the user is away, and taking a forensic image of it for further investigation; or remotely, over the network without physical access to the device. In the story above, our uber-cool colleagues in Miami are trying to go down the deadbox route. But this may only prove to be partially successful. With more and more employees now working primarily on mobile devices – laptops, tablets or smartphones, remote investigations are becoming an increasingly important method of investigation. Storming into offices at the dead of night may not be as useful as it was 10-15 years ago where the majority of people used a desktop.
CCL has conducted many remote investigations for clients. Launching a remote investigation involves implementing an investigative infrastructure within an organisation’s corporate network, which then allows investigators to remotely acquire data from custodians’ laptops, or other devices, when they are connected to the corporate network. This is achieved by deploying what is essentially a ‘Trojan’ to the devices (a Trojan which is secure and fully under our control), that we are able to access and acquire data from user devices without their knowledge. This has proved particularly useful when the suspects were remote workers, or even when custodians are based in different countries. Files, emails, web browsing history… this can all be investigated without even touching (or being anywhere near) the device itself. This data can subsequently be examined through keyword searching to confirm suspicions or even potentially uncover other avenues for investigation. So while not as action-packed as bursting into the swish offices of a mega-company at the dead of night to take copies of the devices involved, and sneaking around to make sure no one notices anything has happened, remote forensics can be a useful method of investigation when physical access to the device just isn’t feasible. Whichever approach – it is important that it is done in a forensic manner, ensuring all possible data and metadata is preserved and that the process is fully defensible should the integrity of the evidence ever be questioned.
For more information on remote forensics, or any of CCL’s other products and services, call us on 01789 261200, email edisclosure@cclgroupltd.com or visit www.cclgroupltd.com
7
ic n o r t c le ‘E E S R U CPD CO ’ e r u s lo c is d e d n evidence a e cover everything
es ses for lawyers. Th ur of co PD C es d vi ce and disclosure en CCL pro id ev ic on tr ec el about you need to know ed information. electronically stor e you an PD course will giv C r ou l, se un co in-house ns for you Delivered by our and its implicatio ce en id ev ic on tr elec understanding of and your clients. vers: osure’ course co cl is d ed an ce eviden e-disclosure CCL’s ‘electronic ic evidence and on tr ec el to n tio • Introduc EDQ ion 31B and the ct ire D e tic ac Pr • Missed an issue of Legal News? sts • Controlling co Don’t worry, all issues are ques ni ch te d an s ol • To available on our website at s se ca • Key www.cclgroupltd.com
OUR SERVICES COMING UP NEXT MONTH: FCA investigation into the mis-selling of Life Insurance Farewell Master Whitaker
For more information call Rob or Umar on
01789 261200
email: edisclosure@cclgroupltd.com or visit: www.cclgroupltd.com
ABOUT CCL CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we set up our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one accredited to the ISO17025 standard for our computer, mobile phone and Sat Nav laboratories. We provide digital forensics services to a broad range of organisations, ranging from law enforcement agencies, civil and criminal law firms to corporate clients. CCL has been in the e-disclosure market since 2009 and has completed over 220 e-disclosure cases to date.
8
• Digital forensics and investigations - All operating systems - Smartphones/mobile phones - Tablets - Sat Nav analysis - Cell site analysis - CCTV analysis - Remote forensics - Social media forensics • E-Disclosure services • IT consultancy • Digital forensics hardware and software • Early case assessment tools • Data collections • Training • Search and seizure orders • Expert witness services
THE NUMBERS CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed: • • • • • •
220+ 4250+ 55000+ 2200+ 750+ 475+
e-disclosure cases digital forensic (PC) cases mobile phone cases consultancy engagements civil and criminal cases expert witness assignments