CCL Legal News Issue 4


CONSULTING | DIGITAL FORENSICS | E-DISCLOSURE

LEGAL NEWS Issue 4

www.cclgroupltd.com

BOARDS & BRIBERY ACT COMPLIANCE


Despite the best efforts of boards and directors, or policies and procedures, there is one interminable problem; people will be people. No matter how proportionate procedures are, how committed top-level management is, how thorough the risk assessment and due diligence is, or how clear communication is, in a business of any size or nature, people can be the biggest liability. Therefore, the most important element of any effective anti-bribery policy must address the sixth and last of the Ministry of Justice’s principles - monitoring and review.


The burden on boards and directors is an onerous one, due to the far-reaching extent of the provisions of the Bribery Act 2010. For many years the US Foreign Corrupt Practices Act 1977 was regarded as the most comprehensive and over-arching anti-bribery regime in the world. As many readers will be aware, the UK Bribery Act 2010 differs from the FCPA in some important regards, and consequently the Bribery Act is arguably the strictest anti-bribery legislation in the world. Discussing the full implications of the Bribery Act or comparing it in detail with the FCPA is beyond the scope of this article, but it may be useful to bear the following key differences in mind.

1. The key difference is that the Bribery Act 2010 contains a strict liability offence for failure to prevent bribery, for which there is no comparable offence within the FCPA.
2. There is no need to prove the ‘corrupt intent’ element that exists within the FCPA, as the Bribery Act requires only evidence of ‘improper performance’. The FCPA only covers bribery of foreign public officials outside the USA, whereas the Bribery Act covers commercial bribery and bribery of UK and non-UK public officials.
3. Finally, at least for the purposes of this article, the Bribery Act also contains a specific offence relating to receiving a bribe, rather than just the offences of giving, offering or promising a bribe under the FCPA.

In every business employees interact and communicate with one another, and with external parties, using a wide-ranging and ever-growing variety of digital devices. For any board to be fully satisfied that anti-bribery compliance is working effectively in their business, it is essential that businesses know and understand how they can ensure they have full end-to-end visibility of employee interactions across their digital data landscape, as and when necessary. This is even more important in view of the recent trend towards Bring Your Own Device (BYOD) in many organisations, and having effective BYOD policies in place can help here. Please see Legal News issue 2 for our article on BYOD and e-disclosure.

It is futile for a business to have comprehensive compliance procedures and policies in place, but no effective way of seeing exactly how those procedures are being followed in practice, whether proactively as part of a regular review of compliance procedures, or reactively in response to a particular allegation. Over the coming editions we will explore how digital data investigations and forensic accountancy solutions can assist in providing businesses with this clarity and confidence around compliance with their anti-bribery obligations.

IN THIS EDITION ...

> The Bribery Act
> Thoughts of the month
> IP Theft: First response
> Types of Fraud
> Employee Fraud
> CCL’s delivery partners
> About CCL
> CPD course



ELLIOT KRAUZE, Account Manager

Elliot is an Account Manager at CCL. His background stems from the consultancy division of the business and as a result, he has strengths in the problem-solving aspects of digital forensics and electronic disclosure. Building strong relationships and providing a well-rounded customer experience is where CCL sees Elliot adding value. Elliot’s experience of dealing with multi-national corporates to local SMEs in industry sectors such as Professional Services, Aerospace & Defence, Automotive, Logistics, Food & Beverage and Life Sciences among others provides an appreciation for how business operates across the board.

Elliot’s Thoughts of the Month

Much time has been spent over the past three months developing CCL’s Client Engagement Model. Formalising something we have been doing for over 25 years, the evolution of this model is essential in making sure we deliver the best possible service that we can. CCL’s ethos is to innovate and push boundaries. We achieved this in both the IT consultancy and digital forensics markets and we continue to push in both of these disciplines. This ethos is driving our e-disclosure division to become one of the de facto suppliers of choice for litigators.

CCL’s Client Engagement Model is a necessary part of establishing a strong relationship with our clients. It allows CCL to apply an ISO17025 standard operating procedure specific to every client. This ensures a consistency of approach and the highest level of quality for every case. The preferences of each individual at each firm are taken into consideration and efficient processes are applied. CCL is the first organisation to apply these stringent ISO policies to our e-disclosure process to ensure defensibility, efficiency, proportionality, consistency and an experience that will ensure that the firms using CCL for e-disclosure will see us as their trusted and default partner.

NIKKI BRITTON, Case Co-ordination Team Manager

Nikki leads two of CCL’s project delivery teams, with five direct reports. She manages CCL’s team of Case Co-ordinators, who administer all aspects of digital forensics cases for law enforcement and legal aid clients. She also leads CCL’s Client Projects Office which coordinates all of CCL’s projects for corporate and civil law firm clients. Nikki has been with CCL for over four years, and in this time has played an active role in the development of both departments. Nikki’s key priorities at CCL are project scoping, evidence management and delivery. Nikki’s team provides crucial communication links between clients and CCL’s technical departments. She also helps clients understand the details and progression of their cases. Nikki has also been able to use her previous legal knowledge and experience of working directly on commercial litigation cases to great effect, in displaying knowledge and understanding of the legal process.

Nikki’s Thoughts of the Month

While evidence handling and chain of custody are an everyday part of my role at CCL, given the nature of the work we undertake for our clients, I cannot help but express the importance of it. Evidence management is an essential factor when dealing with digital data – especially when that data could potentially be relied upon in court, where cases can be won or lost on the integrity of the evidence. As such, evidential integrity is one of CCL’s top priorities.

CCL’s in-house R&D team has developed a bespoke evidence tracking system, designed for the specific requirements of our laboratory. This system monitors and tracks the physical movement of evidence within CCL, in order to maintain an audit trail and ensure a fully defensible and unbroken chain of custody. We have also put a lot of work and investment into securing standards such as ISO17025 and ISO27001, which ensure that our standard operating procedures for evidence handling are adhered to, and that this process removes the risk of accidental contamination or deliberate tampering. Together, these systems and standards ensure the integrity of our clients’ data. They are also so embedded in our everyday processes and procedures that all our clients benefit from the stringency of this approach, but not at the expense of efficiency.



IP THEFT: FIRST RESPONSE
by Rob Savage

During the last six months we have been engaged on several cases of suspected intellectual property theft. For some of these cases it is nothing more than a suspicion which gives rise to a need to investigate the IT assets, but in others there is a confirmed leak and the aim is to establish who, how and when. Either way, there are certain things that should and should not be done as part of a first response when such an investigation is required.

An investigation into data leakage is usually a digital forensics exercise, not electronic disclosure. There are steps that need to be taken to ensure that evidence, and its integrity, is protected - steps that would not necessarily be relevant to an e-disclosure exercise. In contrast to e-disclosure, a digital forensics investigation is not limited to ‘user documents’ such as email messages and Microsoft Office files. A case based on digital forensics may hinge on Windows artefacts, for example, registry entries that show when removable media has been connected to the computer, or ‘link files’ that show when documents have been opened and viewed. Additionally, deleted data, or fragments of deleted data, may be recovered in cases where a user has attempted to cover their tracks.

Unlike live files, these forensic artefacts are volatile in nature. The action of merely shutting down a computer could potentially destroy some of this information. As such, it is vital that in cases where a forensic investigation is anticipated, the first responders are appropriately trained.

FIRST RESPONSE COURSE

CCL provides First Response training courses for HR and IT professionals. The course is designed to give you the information you need in order to respond to a suspected incident swiftly, and get the evidence you need, in a way that will ensure it withstands legal scrutiny. Incidents can include: computer misuse, bullying and harassment, internal sabotage, IP theft, breach of policies and employee productivity.

CCL’s First Response course covers:
• What is digital forensics?
• Why I might need a forensic response
• Where data can be retrieved from
• Case studies and examples
• Forensic requirement warning signs and how to respond
• Handling digital evidence

For more information visit www.cclgroupltd.com/TrainingCourses

As soon as the need for an investigation is identified, the priority should be to preserve information. It is always tempting to jump straight into the investigation; however, manually looking through data may actually damage its evidential integrity. There is only one opportunity to collect forensically and that is at the start of an investigation. At this point, a forensic copy should be made, which is a definitive snapshot of the system at that point in time.

In the panic and haste associated with a data breach it is all too easy to overlook potential sources of information or avenues of investigation. The checklist below is based on our experience of dealing with these types of cases. This is by no means an exhaustive list, but will hopefully promote thought and discussion on those areas that can all too easily be neglected.

DATA LEAKAGE – FIRST RESPONSE CHECKLIST

• Has a list of all potentially involved parties been created?
• Has a list of all IT assets assigned to the identified parties been obtained, including:
  - Laptops
  - Issued removable media
  - Mobile phones
• Have the identified IT assets been secured?
  - Where possible, seized by a HR/management representative and stored in a secure location.
• Have chain of custody forms been completed?
• Have the parties’ work areas been searched for any removable media, CDs/DVDs?
  - Anything seized should be supported by a chain of custody log.
• Do the parties have corporate email accounts? If so, have the email files been copied from the server?
• Are the parties able to access any of the below internet applications on work issued devices:
  - Webmail (e.g. Gmail, Hotmail, Yahoo!)
  - Dropbox or other cloud storage services
  - Social networks (e.g. LinkedIn, Facebook, Twitter)
• Are the parties able to connect and copy files to removable media, such as: USB memory sticks, external hard drives, cameras, MP3 players, mobile phones, etc.?
• Are the parties able to write files to CDs/DVDs?
• Has the leaked information been identified? Could it have been printed? If so, what printers do the parties have access to?
• Do the parties have remote access to their emails/files? Has this access been suspended?
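One way to keep the chain of custody log the checklist asks for in a tamper-evident form, added here as an illustration and not CCL's evidence tracking system: each entry is hash-chained to the previous one, and the acquisition entry records the SHA-256 of the forensic copy so any working copy can be re-checked later. The field names, item ID, handlers and timestamps are constructed assumptions.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in a log


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a forensic image in chunks so large images never sit in memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def entry_digest(entry):
    """Digest of every field except entry_hash, serialised deterministically."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def append_entry(log, item_id, action, handler, timestamp, image_sha256=None):
    """Append a custody event chained to the hash of the previous event."""
    entry = {
        "item_id": item_id,
        "action": action,
        "handler": handler,
        "timestamp": timestamp,
        "image_sha256": image_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def first_broken_entry(log):
    """Return the index of the first altered or re-ordered entry, or -1 if intact."""
    prev = GENESIS
    for index, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["entry_hash"] != entry_digest(entry):
            return index
        prev = entry["entry_hash"]
    return -1


def image_matches_acquisition(log, item_id, stream):
    """Re-hash a working copy and compare it with the hash logged at acquisition."""
    for entry in log:
        if entry["item_id"] == item_id and entry["action"] == "acquired":
            return sha256_stream(stream) == entry["image_sha256"]
    raise KeyError(f"no acquisition entry for {item_id}")


def build_sample_log():
    """Constructed sample: a seized laptop imaged once, then handed to an analyst."""
    image = b"constructed stand-in for a disk image"
    log = []
    append_entry(log, "LAPTOP-001", "seized", "HR representative", "2013-05-01T09:10:00Z")
    append_entry(log, "LAPTOP-001", "acquired", "first responder", "2013-05-01T10:00:00Z",
                 sha256_stream(io.BytesIO(image)))
    append_entry(log, "LAPTOP-001", "transferred", "forensic analyst", "2013-05-02T08:30:00Z")
    return log, image


if __name__ == "__main__":
    log, image = build_sample_log()
    print("log intact:", first_broken_entry(log) == -1)
    print("copy matches:", image_matches_acquisition(log, "LAPTOP-001", io.BytesIO(image)))
    log[0]["handler"] = "someone else"  # simulate a retrospective edit
    print("first broken entry:", first_broken_entry(log))
```

The chain only shows that entries were altered after the fact; it does not replace signed paper forms or access controls on the log itself.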



DIGITAL DATA INVESTIGATIONS: TYPES OF FRAUD

[Figure labels: DIGITAL FORENSICS, INITIAL DATA VOLUMES, E-DISCLOSURE]

IT Assets/Internet Misuse

The aim of these investigations is to establish the actions of a user on a certain IT asset. This will require a forensic analyst to examine the machine and produce an expert report with supporting files.

IP Theft

Investigations typically focus on the actions of a small number of individuals. It is not uncommon for guilty parties to have attempted to cover their tracks, thus requiring a digital forensic based approach to establish a chain of events.

Bullying & Harassment Investigations

Evidence may be present in a number of formats, for example: emails, mobile phones, voicemail, hard copy and even social media messages. The investigative approach will be determined by the scale of the investigation and the devices within scope.

Employee Disputes

These projects can vary in both scale and origin, and generally involve establishing the actions of a small number of individuals. As such, investigations of this nature are, more often than not, digital forensic driven. However, where the matter involves a large number of emails, e-disclosure tools may be used.

Employee Fraud

Employee fraud can take many forms. Depending on the MO, the data available and the aims of the investigation, either a digital forensics, e-disclosure or a hybrid approach could be adopted.

Price Fixing, Cartels & Market Abuse

In investigations where the focus is on what has been communicated between parties, an e-disclosure approach may be more appropriate, facilitating easy review of large volumes of emails. Where communications exist on mobile devices or where a party has attempted to cover their tracks, digital forensics techniques may be required.

Bribery Act & FCPA Investigations

These investigations involve the searching of large volumes of emails and documents. However, they are not subject to the same requirements of proportionality as in litigation, so may also involve the recovery of deleted documents and other digital forensics processes.

Regulatory Requests

More often than not, these involve the identification and production of relevant material from across the corporate network. These high volumes mean e-disclosure tools are often the best fit.

Disclosure for Litigation

Typically, this involves identifying relevant information from volumes of collected data. Proportionality and the requirement to conduct a ‘reasonable search’ means that, more often than not, live data needs to be considered.

CASE STUDY
Internet misuse

THE CASE: A number of employees within the IT department of an SME were under suspicion following a decline in productivity. Due to the relatively small size of the company, there was no web monitoring or filtering technology installed. Managers suspected that they were wasting time by visiting social networking and internet auction sites during working hours.

WHAT CCL DID: CCL was called in to investigate the computers of the three suspects, paying particular attention to internet history and chat logs.

CCL found that the employees had been using both online auction sites and their own websites to sell both personal items and goods belonging to the company, such as used laptops, electrical cables and CDs.

This evidence backed up the testimony of witnesses within the department and gave the company everything it needed to suspend the employees pending a further enquiry. The management asked CCL to investigate all other computers within the department to determine exactly which members of staff took part in – or helped to cover up – the misuse.

THE OUTCOME: The three original suspects were eventually permanently dismissed, with one junior member of staff receiving a warning for failing to inform management of the situation.



EMPLOYEE FRAUD
by Elliot Krauze

Fraud: a word that permeates its way into movie plots and courtroom dramas on what seems to be a weekly basis. But, how seriously is it taken in the real world?

Financial crime now costs an estimated £38 billion a year* and in 2012, CIFAS Staff Fraud Database Members reported 539 confirmed frauds committed by staff inside an organisation: a 43% increase from 2011. The reasons for this are not clear, however the general state of the economy, job insecurity and lack of employer/employee engagement are suspected to be part of the cause.

In CCL’s experience, employee fraud often involves two or three people from different departments colluding together, rather than one individual acting alone. Fraud of a sizeable scale takes people of different disciplines with access to information across the business, and the ability to cover their tracks. Because of the wide net IT and technology casts across an organisation, and the logging functionality of these systems, it is often in this department where people are caught out. It is also the department that is contacted for assistance when fraudulent activity is suspected, which is why third party providers can be crucial in this area of investigation.

There are basic dynamics of fraud, and a certain mind-set among fraudsters; if these are understood and adequate measures are put in place to counteract and deter these people, organisations could save themselves much time, effort and money.

There is a model that is often referred to: the ‘Fraud Triangle’. It is a solid mechanism for understanding fraud and combating it. For those not familiar with this model, the most crucial component is: opportunity. Weak controls, poor supervision and a lack of proper procedure can provide a breeding ground for often minor, but still potentially damaging, fraudulent activity.

[Figure: FRAUD TRIANGLE, with corners labelled Opportunity, Incentive/Pressure and Rationalisation/Attitude]

The other two elements of the triangle, ‘pressure’ and ‘rationalisation’, are both key factors, but are harder to detect and counteract.

ULTIMATELY, THERE ARE THINGS THAT CAN BE DONE TO COMBAT EMPLOYEE FRAUD:

1. Depending on the nature of your business, ensure proper policies and procedures are put in place in the most vulnerable/high risk departments, such as IT, procurement or finance. Introduce regular spot-checks and audits across the company, if practical. Sometimes just the threat of being caught is enough to deter.
2. Ensure there is a whistleblowing policy in place that assures anonymity for those who raise a concern. People are far more likely to highlight fraudulent activity if they think there will not be any personal repercussions.
3. Encourage staff to take a two-week break. Not only is it good for their health, it also helps to keep staff happy and motivated. This will also provide an opportunity to uncover any fraud. If staff seem hesitant to do this, then this could be because they do not want to get found out or have something to hide.
4. Try and have regular conversations with employees who seem stressed and generally suffering. Research has shown that these are the types of people most likely to commit fraud.
5. Also, be aware of employees who appear to be living ‘beyond their means’. Many fraudsters get caught in this way, living lavish lifestyles at the cost of the company.

It will never be possible to stop fraud altogether. However, taking these steps and generally becoming more aware of suspicious activity can assist in dramatically reducing the amount of employee fraud and avoid adding to the ever-growing statistic.

*Source: City of London Police: http://www.cityoflondon.police.uk/CityPolice/Departments/ECD/

CASE STUDY
IP theft

THE CASE: A large recruitment agency became suspicious that their database of customer details had been stolen by a recently departed employee. A number of their customers had got in touch to explain that they had been contacted by their previous account manager to say that she had left and that their account had moved to a new company.

The recruitment agency contacted CCL to determine if it could be shown that this former employee had stolen their intellectual property, which in this case was their customer database.

WHAT CCL DID: CCL analysed the former employee’s computer to look for evidence that the database had been downloaded on to removable media or mailed out.

THE OUTCOME: CCL found that one hour before the employee handed in her notice, the customer accounts database had been downloaded onto a thumb drive. Using this information, the recruitment company, with their legal team, placed an injunction on this employee, to prevent her contacting any more clients, and are considering instigating criminal proceedings.


CCL’S SERVICE DELIVERY PARTNERS

CCL has developed strategic partnerships with two firms whose services complement CCL’s expertise in digital forensics, e-disclosure, collections and digital data investigations. Between them, these firms provide services including forensic accountancy, dispute advisory services, investigations, reprographics, scanning, coding and reviewing.

KINETIC PARTNERS

Kinetic Partners is an award winning and leading provider of tailored consulting, advisory and assurance services to the financial services industry globally, providing a full range of regulatory consulting, compliance consulting, tax, forensic, risk and assurance services. The Firm’s Forensic and Dispute team works on some of the most significant matters worldwide and offers a range of forensic accounting services, including litigation and dispute advisory services, financial, regulatory and due diligence investigations, fraud and financial crime prevention, restructuring and bankruptcy forensic services. Dedicated specialists provide a strong mix of in-depth financial services knowledge, regulatory expertise and technical accounting experience across jurisdictions including off-shore, the US, Europe and Asia. Kinetic’s highly experienced team has advised investment banks, retail banks, brokers, funds and fund managers, investors, auditors, insurers and regulators on the complex issues that often arise in disputes, regulatory proceedings and investigations in the financial services sector.

www.kinetic-partners.com

LEGASTAT LTD

Established for 60 years and located in the heart of legal London, Legastat is a leading specialist provider of a wide range of litigation support services. These services include extensive legal reprographic projects, hard copy scanning, coding and review services. Legastat has over 2000 customers who value their quality first approach and this is backed up by ISO9001 and ISO27001 certification for quality management and data security. Top law firms, corporations, government agencies, small law firms and sole practitioners all rely on Legastat to help them meet their litigation support requirements. In 2012, Legastat were awarded one of three places on a four-year Government Procurement Service framework (RM 924) for the provision of a range of litigation support services upon which CCL is an approved partner of Legastat Ltd.

www.legastat.co.uk



ABOUT CCL

CCL is the UK’s largest digital forensics laboratory, and a leading provider of e-disclosure and IT consultancy services. From our beginnings as an independent IT consultancy in 1986, we have developed our services to respond to advances in new technology, the increasing importance of data, and the need to manage, recover and protect it. In 2001, we set up our digital forensics laboratory. CCL is now the largest digital forensics provider in the UK, and the only one to hold the ISO17025 standard for our computer, mobile phone and SatNav laboratories. We provide digital forensics services to a broad range of organisations, ranging from law enforcement agencies, civil and criminal law firms to corporate clients. CCL has been in the e-disclosure market since 2009 and to date, has completed over 200 e-disclosure cases.

OUR SERVICES

• Part 31 e-disclosure services
• Digital forensics
  - All operating systems
  - Smartphones/mobile phones
  - Tablets
  - SatNav analysis
  - Cell site analysis
  - CCTV analysis
• Collections
• Part 25 search and seizure orders
• Part 35 expert witness services

COMING UP NEXT MONTH: Digital data investigations and forensic accounting – striking the right balance at the right time


THE NUMBERS

CCL employs over 100 full-time members of staff, including 65 consultants and analysts who have completed:
• 200+ e-disclosure cases
• 2,500+ digital forensic (PC) cases
• 50,000+ mobile phone cases
• 2,000+ consultancy engagements
• 700+ civil and criminal cases
• 450+ expert witness assignments

For more information call Rob or Umar on 01789 261200, email edisclosure@cclgroupltd.com or visit: www.cclgroupltd.com

Predictive coding, smartphones and artificial intelligence

CPD COURSE ‘E-DISCLOSURE AND THE JACKSON REFORMS’

CCL provides CPD courses for lawyers. These cover everything you need to know about disclosure of electronically stored information under Part 31 and the Jackson Reforms.

Delivered by our in-house counsel, our CPD course ensures you are prepared to meet the requirements of the Jackson Reforms on e-disclosure. One to three CPD hours are available, and the course can be held at your offices, subject to a minimum number of attendees.

CCL’s ‘e-Disclosure and the Jackson Reforms’ course covers:
• Introduction to electronic disclosure
• Practice Direction 31B and the ESI questionnaire
• Rule 31.5A
• Controlling Costs
• Tools and techniques
• Key cases

