As a data forensic company, often times we get involved through defense counsel on matters involving investigations of an individual’s personal computer or personal cell phone. The matter could involve an attorney general investigation where a civil investigation demand is in place or there is an SEC investigation. Other situations where responsive data may also reside on someone’s personal device may be due to a“bring your own device”(BYOD) situation and the corporation is requesting the individual to provide company data in response to a litigation.
In situations such as these it is very common to have co-mingled personal and business data such as someone’s personal pictures, tax information, medical information, etc. not responsive to the litigation at hand. In that regard,a tremendous amount of sensitivity to this should be applied when dealing with the responsibility of collecting data in a forensically sound manner while at the same time protecting personally identifiable information (“PII”). Individuals are usually not keen to an outside data forensic company taking a full image of their personal computer. They see this as an invasion of their privacy. Often times individuals would like to direct the examiner to the relevant folders where responsive data resides or create new file folders and place responsive data there prior to collection. This is not a best practice. Outside counsel should tell their clients to avoid doing this, as metadata could be altered.
Our personal responsibility as forensic and testifying experts in this process is to ensure metadata is intact and a forensically sound approach to the data collection was followed. As difficult as it may be for individuals, a full forensic image of the individuals’personal device may be the only step possible.
Some Recommendations in Dealing with Collected PII
This post doesnot address best practices in how not to co-mingle personal data with company data. The short advice for that is: don’t do that. This post assumes an individual already has co-mingled data and seeks to set expectations that outside counsel should have when working with their forensic service providers:
- Forensic images and processed data should be collected to and stored on encrypted external devices only. It should never be stored on internal hard drives of forensic computers. That way the data can be always traced through chain-of-custody and not “left behind and forgotten” when the case is finished. The only alternative/exception to external devices could be dedicated encrypted location on a server.
- Access to forensic images and production data should be done by authorized personnel only.
- Documents with PII should never be produced, unless they are pertinent to the case. Usually, this has to be dealt with at the review stage by marking personal information as not responsive to the subpoena.
- If documents with PII have to be produced, PII should be redacted, unless it is pertinent to the case. Using a review platform that makes redaction easy and efficient is very helpful.
- Upon completion of the case, all collected data should be destroyed, in accordance with applicable laws, regulations, and policies, as well as whether the matter is decided or settled.
Avoid the Re-collection Quandary
Approach a data collection like this correctly the first time. Often times as a service provider we are brought in after the third or fourth round of data collection attempts because the data was not collected properly for one reason or the other by either the individual or an IT person. By that time, the custodian of the evidence is impatient with collection attempts and both time and money have been wasted.
Alex Gessen CCE, EnCE, CISSP, Security+ National Director of Forensics HAYSTACKID
Picture Courtesy Of: