FRAMINGHAM (10/08/2003) - Q&A: Cybersleuth Joan Feldman reads other people's mail for a living. As president of Computer Forensics Inc., she and her team collect and analyze electronic data that will be used as evidence in civil litigation cases. We spoke to her recently about the current state of forensic investigation and how CSOs can best protect their companies.
CSO: How has the role of cyberevidence changed?
Feldman: What has happened through use of computers--particularly for e-mail--is that many conversations that once were just hearsay because they took place on the phone or face-to-face are recorded and therefore admissible as evidence. Lots of people don't really think about this, including CSOs who have never been involved in litigation. When I started in this industry 12 years ago, it wasn't routine for people to ask for e-mail or computer-based information in litigation; they would just ask for the contents of a file cabinet. Technology has in many ways outstripped the control of the corporation. There's now a tsunami of evidence that's created all day long by businesses and public agencies--and how it's gathered and used is important for people to understand. Any company involved in litigation will have to identify where the responsive evidence is; it's the organization's burden and duty under civil discovery. And if your company hasn't been sued yet, your day is coming.
What is the cost of a forensic investigation?
The average cost to make an evidentiary copy of a hard drive and lift the entire contents runs about US$2,000. It involves the use of forensic software to create a tamperproof copy and an audit trail. The cost of a review once the copy has been created can be anywhere from $1,500 to $3,000.
How have the government and the legal system approached the issue of forensics?
The issue of privacy has been raised now that companies have awakened to the fact that they can take a closer look at employee activity. Some legislatures have (tried to enact measures to) protect employees but haven't been successful. The closest was in California, where legislators vetoed a bill that would offer some protection. As citizens, we have some protection from phone taps. But as employees, we don't have much protection from employers "listening in" on e-mail conversations. I think unified messaging will tip the scale. When people start leaving voice mail on the same server where they leave e-mail, it'll be hard to collect and review the messages in proprietary and separate systems. When you leave a voice mail, you have made a tacit agreement to have it recorded. As unified messaging becomes more routine, it'll be shocking enough to (raise) the whole issue about what employers can look at and listen to.
What can a CSO do to make sure his company doesn't get burned by something turned up in a forensic investigation?
Often (CSOs are) penny-wise and pound-foolish. They don't want to expand server capacity. Instead, they tell people to reduce the volume of e-mails. But users need to understand why they can't save everything. You need to educate them about retention, about the liability involved with large storage of e-mail and institute regular purging schedules. It's technology in conjunction with policy and education. (It requires) coordination between the general counsel and IS to avoid getting buried in huge litigation costs. For example, the biggest ticket item of all in an investigation would be uncovering an e-mail from a manager that said, "We can save a lot of money if everyone older than 48 gets laid off." All you need is that one pinhead comment. It's thoughtless, and it's recorded, and it's stuck out there like a bug in amber. Companies can take some basic steps by organizing file cleanup and e-mail purging--just make sure you're not already under a subpoena or you'll look like Arthur Andersen.