Post Process

Everything to do with E-discovery & ESI

Archive for the ‘Vendor Liability’ Category

Around the Block-March 23, 2010

Posted by rjbiii on March 23, 2010

A bit of industry-related news to examine. Let’s start, shall we?

E-Discovery and LPO firm Integreon has been cited in an Indian writ for the unauthorized practice of law. From the company’s press release:

Integreon was the only LPO company and non-law firm named in the petition. “It is unfortunate that our size and clear leadership position in the LPO market has made us the LPO target for the petitioner,” stated Liam Brown, CEO of Integreon. “We were surprised to hear that our range of LPO services, such as document review, e-discovery, contract management and other legal support services could be confused with the practice of law.”

“Integreon collaborates closely on all engagements with its law firm and legal clients to segregate complex legal tasks from those tasks that can be lawfully outsourced and performed by Integreon’s associates,” said Brown. “The premise of the services that we offer to law firms and corporate legal departments is to allow their lawyers to do what they do best: practice law.”

The ABA has posted an article discussing futurist Jordan Furlong‘s advice to bar associations and lawyers on “stay[ing] relevant in changing times.” From the article:

In the 21st century, lawyers need six essential skills, Furlong said: collaboration, project management, emotional intelligence, financial literacy, technological affinity and time management. Bar associations can help lawyers develop these skills by offering the leadership and services their members are seeking.

According to Furlong, lawyers should make themselves more visible while also showing worth to clients and potential clients. He said that lawyers should become holistic providers of “legal health” to clients.

I agree with much in the article…though the terms “lawyers” and “holistic” are rarely seen together…aren’t they?

The AmLaw Daily asks the question Is Mega Law a Dead Man Walking?

That was the subject of several sessions Monday at the Georgetown law school conference on law firm evolution. It speaks to the urgency of the matter, that an institution that thrives on the continuing health of big law firms to hire their deeply in debt graduating students would countenance the question.

The answers from the day: dead, dying, and changing.

A conference attendee’s session notes may be found here.

Posted in Articles, Industry News, International Issues, LPO, Vendor Liability

PI Licensing Laws in Texas and Michigan Continue to get Press

Posted by rjbiii on July 31, 2008

This time, the CEO (and former litigator) of Catalyst, John Tredennick, writing in Law Technology Today (reg’n may be required) passes comment:

Two states have recently enacted statutes that make it a crime for unlicensed individuals to engage in computer forensics. Texas passed a law that would give regulators the power to impose up to a year in jail and a $14,000 fine on people doing “computer investigations.” Michigan went a bit further. On May 28th of this year, Governor Jennifer Granholm signed into law a bill that makes unlicensed computer forensics work in Michigan a felony punishable by up to a four-year prison term, damages of up to $25,000 and a criminal fine of up to $5,000.

Read the article for details, but Tredennick summarizes the Texas law thusly:

As I read these [Regulatory Agency] opinions, there is some comfort for people doing routine electronic discovery collection but not if there is a forensic or testimonial aspect to the collection. There is a strong suggestion that experts who are called to testify in Texas courts regarding examinations of electronic files better be licensed in Texas. If you don’t have a license, you might be pulled off the stand and escorted to the hoosegow for an extended visit.

Seriously…not the hoosegow!

With respect to Michigan:

How far does this reach?

Good question. If I were a forensics expert and offering testimonial services, I would be pretty nervous about this law. The Act seems to focus on:

Computer forensics to be used as evidence before a court, board, officer, or investigating committee.

Most electronic discovery is focused on collection rather than forensics and an argument could be made that your eDiscovery efforts are not about forensics but rather the collection of relevant evidence for review. But do you want to make this argument to some Michigan criminal court? I wouldn’t.

Post Process has previously blogged on this issue (here, here, here, here, here, and here).

Posted in Articles, Data Collection, EDD Industry, Forensics, Laws, Michigan, Privacy, Texas, Vendor Liability

What we have here, is a failure to communicate…

Posted by rjbiii on July 10, 2008

In three different interviews, and one post-mortem editorial, networkperformancedaily gets caught in the crossfire of differing interpretations of Texas’ new PI licensing statute. The amended statute, first noted by Post Process in July 2007, expands the definition of an “investigations company” so that it may include those tasks engaged in, not only by computer forensics technicians and intrusion detection experts, but computer repair shops as well. We have also posted on the law here and here.

The first interview is with the drafter of the bill, who acknowledges the law might need to be “tweaked,” and who has a fairly narrow view of the scope of the law’s reach:

NPD: I am not a… um… pretty good reader of bills. So, what I wanted to know… The claim is that people who repair personal computers would need to get a private investigator’s license in order to continue repairing computers.

Driver: Yeah, and that’s what they’re claiming. It’s interesting that they’re claiming all that, and they filed a lawsuit on the same day that they decided to open their Texas chapter. To me, I just felt it was a way they’re getting a lot of free publicity, and a lot of free press, and free TV time and free radio time, because the bill to me, it says what it says. There’s three words that describe somebody that repairs computers, and that’s if people retrieve or provide information, and there’s three words that somebody “reviews, analyzes, or investigates” that material, then, they do need to have some sort of security clearance because they’re delving into people’s private lives or private property on the computer.

NPD: The one thing that I noticed was that it seems very clearly that this is for personal computer investigators, like someone who does analysis to determine whether a crime has been committed or something has been stolen, or intellectual property has been violated. It doesn’t seem to me that this would apply to people trying to just recover information for the person’s wishes.

Driver: Right, and you’re correct. You used one of the key words in my opinion, which is “analyze.” “Review, analyze, and investigate” are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they’re doing some of that, then they don’t need to be – it doesn’t need to be just anybody able to do that – they need to have somebody that has a security license. But if someone’s just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that’s just a regular computer repair person. And those guys are great, they’re good at what they do, and we never intended for them to get any kind of license other than have the ability to repair.

So, Mr. Driver subscribes to the theory that the lawsuit is merely for publicity, and that regular computer repair isn’t affected. The Captain of the Texas Private Security Board gives his interpretation:

NPD: So, maybe I could give you a couple scenarios and you could help – maybe you could explain whether or not it would be covered. For example, let’s say there was a network engineer who is trying to find the root cause of a slowdown on the network, and in the course of investigating that, they discover that the root cause is some sort of criminal activity, such as a virus infection, or someone engaging in massive intellectual property violation, in other words “piracy,” something like that. Would they then require a private investigation license? Would they have to stop their investigation at that point?

Bowie: Based on the scenario you gave it sounds like they’re performing a repair or support service, and they’re not – the intent was not to go in and do an investigation, they are just collecting information that they found, and that doesn’t, based on that scenario, doesn’t rise to that level of an investigation.

NPD: What about a PC repairman who is being asked to check for viruses on a person’s computer?

Bowie: That does not rise to that level either.

NPD: What if a parent brought in a computer that they owned, but which is primarily used by a son or daughter, and they wanted to find out, say, the browsing history?

Bowie: That’s just considered normal computer repair or support service.

NPD: What wouldn’t be considered normal computer repair – can you give me a very specific example where that line is crossed?

Bowie: No, it’s – when you read into 1702.104, there is some interpretation there that you have to consider. I can’t give you a specific example, I could probably use some type of scenario in the sense of, for example, if an individual is contracted to come in and say, for example, investigate your computer at your company – you have employees there, and you believe identity theft has occurred, that there’s been some issues and you want this individual to come in, inspect the computers, you want them to come in, perform an investigation relating to the identity, the habits, the efficiency, movement, affiliations or locations or transactions and acts, or the character of a person, or the location and disposition of lost or stolen property, or some type of damage to the system, then I think you’re moving more towards the spirit of the law, and falling into an investigations company.

NPD: Okay, so once you get to that point – this is something that’s considered now to be routine is, if a person is suspected of – well, you could say a number of different things. Not just illegal activity but also perhaps, unauthorized use of the network – recreational network use – would that speak to the character of a person if they’re browsing YouTube at work, and an investigation is made to determine if someone is browsing YouTube at work?

Bowie: I think what you have to do is take those on a case-by-case basis, and do a thorough investigation into the matter to determine whether a violation of the code has occurred. You just have to keep in mind that every scenario and case is different, and you have to take it on a case-by-case basis, and use the utmost discretion.

The problem, here, is that case-by-case means it isn’t easy to see what’s regulated and what isn’t. Also, what kind of investigation is required? Is mere statistical analysis over aggregate data exempt? If not, why not? Next comes Matt Miller, the attorney from the Institute of Justice, who is leading the suit to have the law struck down:

NPD: Is the problem with the law or the interpretation of the law that the Texas Private Security Board has taken?

Miller: Well, it’s with both. Laws can be interpreted in a lot of different ways, and the private security board has chosen to interpret this law very aggressively. Since the law can be interpreted in that way, there are problems with the law itself. The interpretations that the board has issued is the reason that this case has come to our attention, because they say specifically that computer repair shops should be aware that if they offer to provide these services they’ve committed a crime. And that kind of caught our attention, so we started looking into it, and the law itself is problematic because it is subject to such a broad and aggressive interpretation.

NPD: Would it also affect network engineers performing network analysis on their own companies’ computers?

Miller: Sure, and let’s talk about that because, it is complicated and there is quite a bit of nuance. It kind of leads to how this applies to these guys. We’ve gotten calls from people who say, “Well, if somebody’s switching out a hard drive, then that doesn’t apply to them, right?” And the answer to that is, yes. It doesn’t apply to them. But anyone who is analyzing data in a situation where that data points back to the actions of a third party – so, somebody who is not the computer’s owner, or someone who is not the owner of the company – anytime a third party is implicated by data analysis, this law is potentially triggered.

What the board came back and did was, they said that any analysis of non-public computer data to determine the causes of events or the conduct of persons is what they’re calling a regulated service. Of course, that is extremely broad. You know, for instance, if an employer went to a company and wanted to know how their employees were using the computer – that constitutes an investigation. The Board has said that when the service provider is charged with reviewing the client’s computer-based data, for evidence of employee malfeasance and a report is produced that describes the computer related activities of an employee, it has conducted an investigation and has therefore provided a regulated service.

NPD: So, other than the lawsuit, is your organization taking any other actions?

Miller: We’ve obviously tried to bring this issue to light in the media. Because it is somewhat technical, we’ve had to educate the media on how this works. And they’ve been very responsive. But the primary vehicle we’re taking here is this lawsuit and our goal is just to change the law. We’re not seeking monetary damages, this is not a personal lawsuit – we’re going to a judge and saying: “Judge, this is a bad law, and it stops our guys from practicing their profession – it stops a lot of people from potentially doing the things they do on a daily basis, and the law needs to be changed.” So we’re asking the judge to strike the law down.

Finally, there is an editorial based on the three interviews from interviewer Brian Boyko:

So, where did things go wrong? I think the main problem was a key misunderstood concept by Texas State Rep. Driver when he wrote the law. It is clear from the interview with him that he believes that there is a clear and well defined line between “retrieval of data” and “investigation.”

“’Review, analyze, and investigate’ are the three key words, in my opinion, that drive the need for people to have some kind of license. Because if they’re doing some of that, then they don’t need to be – it doesn’t need to be just anybody able to do that – they need to have somebody that has a security license. But if someone’s just retrieving information and providing information for someone who is going to analyze, to use one of the words, then that’s just a regular computer repair person.” – Rep. Driver.

But what Rep. Driver simply did not realize is that in the practical realities of IT, no such line exists. Any and every interaction that any IT person has with a computer requires some sort of “review, investigation and analysis,” whether it’s simple troubleshooting or complex network latency optimization.

Another issue here is that none of these people are judges. Once the law is drafted and passed, the legislator is disconnected, for the most part, and the bench takes over. It would seem that a little study of the industry might have been prudent. Even the best, most conscientiously drafted laws can’t foresee everything. The text of this law cries out for want of clarity and precision. Or, at the very least, “tweaking.”

Posted in Articles, Laws, State Licensing Laws, Trends, Vendor Liability

Consulting firm sued by State for losing data

Posted by rjbiii on September 20, 2007

A news item published today reports that Connecticut officials will sue Accenture for the loss of sensitive data:

Attorney General Richard Blumenthal, who has been investigating a series of public- and private-sector security breaches that raise the risk of identity theft for Connecticut residents, said Accenture had violated the terms of a $98 million contract with the state by failing to adequately protect the state data.

Accenture was consulting on a project designed to centralize state accounting procedures. What might really have angered officials was how the data was lost:

The information was contained on a backup tape, which was sent home with an intern working for a state vendor as a security precaution, according to the state’s inspector general.

The tape was stolen from the intern’s parked car in June, though Wyman said she was not notified that the stolen information included data from Connecticut until Sept. 4.

Whenever a client’s data is handled by a vendor, the vendor will do well to remember that its obligation to protect that data is no small thing. In terms of EDD processing and computer forensics vendors, this should serve as a reminder of the necessity of implementing and using proper procedures for storing, and ultimately destroying, client data while minimizing the risks of accidental release to unauthorized parties.

Posted in Articles, Vendor Liability