
Storm clouds ahead? Part 2: Investigations and litigation using data stored in the cloud
April 2014, Publication No. 14-03

1 Introduction

In Part 1 of this article, we considered the issues surrounding data privacy in the cloud. In Part 2, we turn to the issues which arise when using data stored in the cloud as evidence in support of investigations or litigation.

Most investigations and litigation discovery processes involve the review of electronic information held by organisations, such as emails, documents and internet histories. Organisations are often required to provide specific information to third parties, such as law enforcement authorities, within a short timeframe. Whilst cloud infrastructure may improve remote access to an organisation's data, in some cases from anywhere in the world, it also reduces an organisation's direct control over that data. This means that when faced with the need to quickly produce or disclose information, organisations who store data in the cloud face some unique challenges.

In this article, Ronald Holtshausen from our Perth office considers the key issues surrounding the use of data in the cloud for litigation and law enforcement, including:
- acquiring data from the cloud
- the risk of modification of data
- data sovereignty
- data possession and control.

2 Data acquisition from the cloud

Imagine that your organisation has just found out that it faces investigation by a regulator. It may need to provide the regulator with a large volume of data within a short time frame, and complying with that deadline will be hard. Even if there is no such specific request, the organisation needs to understand what data it has and perhaps start its own review of that data. But then you remember: your organisation stores some, or all, of its financial, operational and email data in the cloud. What could be easier, you think. Doesn't storing company information in the cloud make data easy to access?

Unfortunately, that is not necessarily the case when it comes to acquiring and preserving a copy of an organisation's data from the cloud for investigation and litigation purposes. This can prove to be slower and more complex than originally perceived. It can also be costly, particularly if contractual arrangements are not in place for such an event.

Conventional computer forensic acquisition procedures look to acquire and preserve data from a storage device which the investigator can physically access. The investigator can then take the appropriate precautions to isolate the data from further access and ensure it is not altered or modified during preservation, whilst also ensuring adherence to any specifications of the search or disclosure orders.

However, in many cases, data contained in the cloud will be stored in remote infrastructure that is shared by multiple organisations. This may limit an investigator's ability to physically access the data storage facilities and isolate the data from further potential modification. The investigator may then need to employ a different approach in order to acquire the data remotely, potentially hampered by issues such as slow connection speeds to the cloud provider.

Risk of modification of data

Many investigators rely upon metadata (such as author information and file creation, modification and access times) as part of their work, for example to piece together a sequence of events by preparing a chronology of a document's creation and modification. Unfortunately, whilst a cloud facility may increase an organisation's ability to access its data, it also increases the risk of data modification (accidental or deliberate) by employees and by the cloud provider. Simple maintenance activities performed by a cloud provider can modify the metadata associated with data; these include backups, imaging, data relocation and data replication. This means that data which could prove crucial in investigating a user's activity may be modified or lost. When accessing data in the cloud for litigation purposes (known as a 'remote acquisition'), it is crucial that appropriate precautions are taken to preserve data artefacts that may be modified by simply downloading the data from the cloud: record the provider's own view of the data (timestamps, sizes and checksums) before anything is opened or downloaded, and hash what is received, so that any later change can be demonstrated rather than guessed at. We recommend that all remote acquisitions are done by experienced professionals.

Example

Mr Smith resigns from his software development job at Jones & Co and is immediately walked out of the building by security. Mr Smith sets up his own business with the intent of developing and selling similar software to that designed and owned by his former employer. Jones & Co becomes concerned that Mr Smith has stolen its intellectual property and investigates whether he accessed and copied its proprietary software designs and source code before his resignation. It therefore wants to establish the date at which the software or source code was last accessed, and by whom.

Jones & Co stores its software specifications and source code in the cloud, so it asks its cloud provider to check the metadata of the relevant files. Unfortunately, the cloud provider does not work from a forensically sound copy of the files, and so accesses the live files during this check, updating their access times. At approximately the same time, Jones & Co's data is replicated from the Singapore data centre to the cloud provider's German data centre, and the replication makes further changes to potentially crucial metadata. The previous dates of access and modification have now been overwritten, and there is no longer any evidence linking Mr Smith to the files. Jones & Co is unable to produce any metadata to establish the theft of its intellectual property, and Mr Smith continues to run his own business as a competitor to Jones & Co.
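The following script is an added example, not code from the article or from KordaMentha. It shows the precautions the two passages above describe in working form: the provider's own metadata (timestamp, size, checksum) is captured into a hashed manifest before any object is downloaded, every byte received is hashed and compared with the provider's checksum, and a later metadata snapshot is diffed against the preserved one so that a replication run or an ad hoc "check" of the live files, as in the Jones & Co scenario, produces a documented finding rather than silently destroying the timeline. The object listings are constructed to resemble an S3-style listing (key, last_modified, size, etag); the assumption that a single-part ETag equals the MD5 of the content, and that a multipart ETag carries a "-N" suffix and cannot be verified that way, is S3 behaviour, and other providers expose different checksums.

```python
"""Preservation manifest for a remote (cloud) acquisition.

Added example, not from the article. Capture the provider's view of each
object BEFORE anything is opened or downloaded, hash what is actually
received, and diff later snapshots against the preserved one so that
provider-side changes (replication, maintenance, ad hoc access) are
demonstrable. Listings below are CONSTRUCTED, S3-style: a single-part ETag
is the MD5 of the content; a multipart ETag has a "-N" suffix and is only
flagged, never assumed to match.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RemoteObject:
    """Provider-side metadata for one object, captured before download."""
    key: str
    last_modified: str  # ISO 8601 timestamp as reported by the provider
    size: int
    etag: str           # provider checksum; MD5 hex for single-part uploads


def capture_listing(listing: list[dict]) -> dict[str, RemoteObject]:
    """Freeze the provider's metadata view into a manifest keyed by object key."""
    return {
        o["key"]: RemoteObject(o["key"], o["last_modified"], o["size"], o["etag"].strip('"'))
        for o in listing
    }


def manifest_digest(manifest: dict[str, RemoteObject]) -> str:
    """SHA-256 of the canonical JSON manifest, recorded in the chain-of-custody log."""
    canonical = json.dumps({k: asdict(v) for k, v in sorted(manifest.items())}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_download(obj: RemoteObject, data: bytes) -> dict:
    """Hash the bytes actually received and compare them with what the provider reported."""
    # MD5 only reproduces the provider's ETag here; it is not used as a security hash.
    md5 = hashlib.md5(data, usedforsecurity=False).hexdigest()
    if "-" in obj.etag:
        etag_status = "multipart-etag-unverifiable"
    elif md5 == obj.etag:
        etag_status = "match"
    else:
        etag_status = "MISMATCH"
    return {
        "key": obj.key,
        "size_ok": len(data) == obj.size,
        "sha256": hashlib.sha256(data).hexdigest(),
        "etag_status": etag_status,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def diff_snapshots(before: dict[str, RemoteObject], after: dict[str, RemoteObject]) -> list[str]:
    """List every provider-side change between the preserved snapshot and a later one."""
    findings = []
    for key, old in before.items():
        new = after.get(key)
        if new is None:
            findings.append(f"{key}: missing in later snapshot")
            continue
        for field in ("last_modified", "size", "etag"):
            if getattr(old, field) != getattr(new, field):
                findings.append(f"{key}: {field} changed {getattr(old, field)!r} -> {getattr(new, field)!r}")
    for key in after.keys() - before.keys():
        findings.append(f"{key}: appeared after the preservation snapshot")
    return findings


# Constructed sample data: a source file and a specification, as a provider might list them.
SOURCE_BYTES = b"int main(void) { return 0; }\n"
SPEC_BYTES = b"Design specification v3 - CONFIDENTIAL\n"
LISTING_BEFORE = [
    {"key": "src/main.c", "last_modified": "2014-01-14T09:12:31Z", "size": len(SOURCE_BYTES),
     "etag": '"%s"' % hashlib.md5(SOURCE_BYTES, usedforsecurity=False).hexdigest()},
    {"key": "docs/spec.txt", "last_modified": "2014-01-10T16:40:02Z", "size": len(SPEC_BYTES),
     "etag": '"9b2d1f0e3c4a5b6c7d8e9f0a1b2c3d4e-3"'},  # constructed multipart ETag
]
# The same objects listed again after a replication run touched the source file.
LISTING_AFTER = [
    dict(LISTING_BEFORE[0], last_modified="2014-02-03T02:00:00Z"),
    LISTING_BEFORE[1],
]

if __name__ == "__main__":
    preserved = capture_listing(LISTING_BEFORE)
    print("manifest digest:", manifest_digest(preserved))
    print(verify_download(preserved["src/main.c"], SOURCE_BYTES))
    for finding in diff_snapshots(preserved, capture_listing(LISTING_AFTER)):
        print("CHANGED:", finding)
```

Run stand-alone, the script prints the manifest digest, a verification record for the source file, and one finding: the replication changed the last_modified timestamp of src/main.c while content and ETag stayed the same, which is exactly the kind of silent metadata drift the Jones & Co example turns on. The manifest digest belongs in the chain-of-custody notes at the moment of capture; a multipart ETag is reported as unverifiable rather than as a match, because a practitioner who treats it as an MD5 will wrongly conclude the download was corrupted.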

3 Data sovereignty and international concerns

Data sovereignty is the concept that information which has been converted and stored in a digital form is subject to the laws of the country in which it is located. Data sovereignty is a key issue for organisations that use the cloud for data storage. Cloud providers often store data in offshore storage facilities to reduce costs. As a result, an organisation's data could physically be held in storage locations anywhere in the world and, potentially, in a number of different jurisdictions.

The long arm of overseas legislation

Because data may be stored outside Australia, it is important that organisations understand the privacy laws of the country where the data is located, as these may apply in contractual agreements with cloud providers. Organisations may even find their data susceptible to foreign government access in relation to investigations or litigation overseas. For example, through the USA PATRIOT Act, brought in as a response to the events of 11 September 2001, the US Government and its agencies have powers to access Australian data held by US-owned cloud providers and their subsidiaries, wherever that data may be located. This includes both:
- Australian data held in Australia by a US-owned cloud provider
- Australian data located in the US by an internationally owned cloud provider.

Susceptibility to foreign government access does not stop with the US. A study carried out by Hogan Lovells, an international law firm, found similar data access laws in other countries [1]. The governments of the United Kingdom, Germany, France, Japan and Canada have laws in place allowing them to obtain personal data stored in the cloud during the course of a government investigation.

Data sovereignty and Australian privacy laws

When storing data in the cloud, an organisation should be aware that its legal obligations over the protection of the data remain with it under the Australian Privacy Principles [2] (in particular APP 5 and APP 8). APP 5 requires that, when collecting personal information from an individual, an organisation notify the individual whether it is likely to disclose the information to overseas recipients and, if practicable, the countries in which those recipients are likely to be located [3]. APP 8 requires that, before disclosing personal information to an overseas recipient, the organisation take reasonable steps to ensure the recipient will not breach the APPs. The Act provides exceptions to APP 8. Two of them apply only where the disclosing entity is itself an agency [4]: where the disclosure is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or where the agency reasonably believes that the disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, and the recipient is a body that performs functions, or exercises powers, similar to those of an enforcement body. A further exception covers a disclosure that is required or authorised by or under an Australian law or a court or tribunal order.

In practice, this means that an organisation compelled by Australian law or a court order to provide data for an investigation may do so without breaching APP 8. The agency exceptions do not extend to a private organisation responding directly to a foreign law enforcement agency, so such a request should be referred for legal advice rather than assumed to be covered. In either case, organisations should determine whether their cloud provider is required to notify them of such requests as part of their contractual arrangements.

4 Issues with possession and control

In dealing with data stored in the cloud, it is important to understand not only where the data resides (the entity which has possession of it), but also which entity uses the data and is able to modify it, i.e. the entity which is in control of the data. As we have discussed, many organisations who place their data into cloud storage may be required to produce this information for legal or investigative purposes; but to whom should investigators address these data requests? Should it be the user organisation, as the uploader or generator of the data which already has access to it? Or should it be the cloud provider, as the entity which has possession of the data storage?

[Figure: Email data. The cloud provider has possession of the data: it hosts the email data on one of its offshore storage servers. The organisation has control of the data: it uploads data to the cloud and accesses it regularly.]

A Singapore case

A recent Singapore case [5] discussed this very notion of possession and control of data from a legal discovery point of view, in the context of storing email communications and their attachments in the cloud. In particular, there was much discussion of the technical aspects of who has possession and control of cloud based email services. This is because, in so far as emails accessed using web browsers are concerned (such as Gmail, Yahoo, Hotmail and web-based/off-site corporate email accounts), the email user does not technically have possession and custody of the emails, as the emails are stored on mail servers and in data centres sited in remote locations. The user may still download and save a copy of the emails to his computer, hard disk, smart phone, tablet device or some other compound document. However, unless the user has saved his emails on his computer or a similar device, what the user has in his possession is not the email itself, but the username and password to access the emails in the possession of the email provider. To this end, the email provider is in effect a custodian of the electronically stored information in the user's email account [6].

With this in mind, a suitable understanding of the cloud infrastructure should be obtained before drafting discovery orders, to ensure that they correctly instruct the entities and, more importantly, identify the correct entity when making orders for discovery. The judge in the Singapore case allowed the application for discovery, and commented from a practical perspective:

"The plaintiffs are not seeking discovery of physical printouts of emails kept by the defendants, neither are they seeking discovery of soft copies of emails saved in the defendants' computers, smart phones or other compound documents (storage devices or database). If this was the case, the defendants can be found to be in possession and custody of these physical printouts, or the saved softcopies kept in their computers. Instead, the plaintiffs are seeking discovery of the emails in the defendants' email accounts." [7]

On this basis, at least from a Singapore perspective, it appears that for disclosure of web based email, suitable care should be taken to determine where the data may reside and which entity the discovery orders should be served on. In our experience, the appropriate use of forensic tools, together with the express permission of the web based email account user (and assuming there are no issues with the terms and conditions of the web based email provider), can allow for the appropriate collection of web based email accounts.

To date, we are unaware of any Australian cases regarding such a scenario, but there could be significant implications for data privacy. In the definitions of the Privacy Act, an entity 'holds' personal information if it has possession or control of a record that contains it. Could it be that Google or Hotmail might be deemed to be holding personal information through its hosting of email accounts?

5 Our recommendations

Storing data in the cloud has obvious cost benefits, but organisations who do so must address some unique challenges when faced with an investigation or litigation. In particular, the risks surrounding data privacy in the cloud (as discussed in the last article) mean that it is important to be litigation ready. We suggest that:
- All remote acquisition is undertaken by an experienced forensic technology professional, to avoid the risks of data modification. Alternatively, organisations may request that cloud providers assist investigators in acquiring data. This scenario should be discussed as part of contractual agreements to avoid additional costs; however, organisations should ensure that the cloud provider has the requisite experience to do this without modifying the data.
- Organisations obtain confirmation (and regular updates) from cloud providers of the locations in which their data is stored, and whether the local legislation will apply.
- Whilst requests from regulatory and law enforcement agencies for data stored in the cloud may be unavoidable, suitable contractual arrangements are in place, including whether your cloud provider is required to notify you of such requests.
- Legal teams give due consideration to the wording in their orders for the discovery of cloud based data. Again, expert assistance can help ensure that the appropriate information is collected in a timely manner.

So, ask yourself: when your organisation is faced with litigation, or required to provide evidence as part of an investigation, how ready will you be?

Endnotes

1. See http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx?news=2268
2. See http://www.oaic.gov.au/images/documents/privacy/privacy-resources/privacy-fact-sheets/privacy-fact-sheet-17-australian-privacy-principles_2.pdf
3. See http://www.oaic.gov.au/images/documents/privacy/engaging-with-you/current-privacy-consultations/draft-app-Guidelines-2013/Draft_APP_Guidelines_Chapter_8.pdf
4. As defined by the Privacy Act 1988, Section 6, an agency would include most Commonwealth government bodies and representatives, including the AFP and the Federal Court. See http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html
5. Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01
6. Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01 [12]
7. Ibid [11]

About the author

Ronald Holtshausen, Manager, Perth
+61 8 9220 9347
rholtshausen@kordamentha.com

Ronald specialises in the areas of IT security, fraud, data analytics for investigations, computer forensic investigations and e-discovery. He has experience working on engagements in Australia, Asia and South Africa. Prior to joining KordaMentha, Ronald gained his experience working for Big 4 accounting firms in their IT security and forensic practices, providing services to large scale mining organisations, banking institutions and government entities.

KordaMentha Forensic Technology

KordaMentha identify, preserve, analyse and present potential electronic evidence in a forensically sound manner to effectively support litigation, corporate and regulatory investigations involving:
- intellectual property (IP) infringement and theft
- corporate fraud and financial crime
- contractual disputes
- defamation and harassment
- identity theft
- misuse or unauthorised access to computing or Internet resources.

Forensic technology
Our experts have the technical qualifications and experience to forensically analyse a variety of electronic devices, including personal computers, computer servers, mobile phones, and digital media recorders and players, from both common and complex technology environments.

ediscovery
KordaMentha has had significant exposure to some of Australia's largest matters in recent history. We have the technical qualifications and experience to deliver effective ediscovery advice and solutions, including early case assessment, to significantly reduce the time and cost traditionally associated with ediscovery.

Key contacts
Owain Stone, Head of Forensic, Melbourne, +61 3 8623 3410, ostone@kordamentha.com
Craig Macaulay, Melbourne, +61 3 8623 3373, cmacaulay@kordamentha.com
Nigel Carson, Sydney, +61 2 8257 3080, ncarson@kordamentha.com
Grant Whiteley, Associate Director, Perth, +61 8623 3410, gwhiteley@kordamentha.com
Brendan Read, Associate Director, Brisbane, +61 7 3338 0254, bread@kordamentha.com
Daniel Tay, Associate Director, Singapore, +65 6593 9321, dtay@kordamentha.com
Briston Talbot, Manager, Adelaide, +61 8 8223 8114, btalbot@kordamentha.com

KordaMentha Forensic

We provide clarity and objectivity to organisations when the commercial stakes are high and the evidence is critical to the outcome. Our specialist forensic tools, rigorous analysis and clear presentation of the financial, factual and electronic information provide insights that are otherwise hidden in the detail of a dispute, investigation or review.

Melbourne
Owain Stone, +61 3 8623 3410, ostone@kordamentha.com
Robert Cockerell, +61 3 8623 3355, rcockerell@kordamentha.com
Craig Macaulay, +61 3 8623 3373, cmacaulay@kordamentha.com

Brisbane
David Van Homrigh, +61 7 3338 0220, dvanhomrigh@kordamentha.com
Brian Wood, +61 7 3338 0250, bwood@kordamentha.com

Sydney
Andrew Ross, +61 2 8257 3051, aross@kordamentha.com
John Temple-Cole, +61 2 8257 3077, jtemplecole@kordamentha.com
Nigel Carson, +61 2 8257 3080, ncarson@kordamentha.com
Alex Bell, +61 2 8257 3053, abell@kordamentha.com
Paul Curby, +61 2 8257 3050, pcurby@kordamentha.com
Andre Menezes, +61 2 8257 3023, amenezes@kordamentha.com

Perth
Jarrod Baker, Director, +61 8 9220 9330, jbaker@kordamentha.com

Singapore
Matthew Fleming, +65 6593 9363, mfleming@kordamentha.com

Adelaide
Stephen Duncan, +61 8 8223 8106, sduncan@kordamentha.com
Briston Talbot, Manager, +61 8 8223 8114, btalbot@kordamentha.com

Subscribe to our publications at kordamentha.com/subscribe
Learn more about our forensic services at kordamentha.com/forensic

This publication, and the information contained therein, is prepared by KordaMentha Forensic and its staff. It is of a general nature and is not intended to address the circumstances of any particular individual or entity. It does not constitute advice, legal or otherwise, and should not be relied on as such. Professional advice should be sought prior to actions being taken on any of the information. The authors note that much of the material presented was originally prepared by others and this publication provides a summary of that material and the personal opinions of the authors.

Limited liability under a scheme approved under Professional Standards Legislation.