Post on 08-May-2015
A panorama of legal issues concerning IT
forensic investigations
ACFE Annual Meeting | Brussels | 5 February 2014
Johan Vandendriessche
Partner (crosslaw)
| www.crosslaw.be |
GENERAL
Fraud – prevention, detection
and investigation
Fraud
• Deliberately practiced deception to obtain or secure an unlawful gain
• Civil wrong (“tortious liability” or “contractual liability”)
• Criminal offence
• Fraud takes many forms
• ‘Unlawful gain’ can be very varied
Fraud prevention
• Technical and organizational measures
• Security measures
• Policies
• Contractual arrangements
Fraud – prevention, detection
and investigation
Fraud detection
• Organized detection
• Technical measures (e.g. camera surveillance, data
mining, …)
• Organizational measures
• Incidental detection
Fraud investigation
• Informal private hearing
• Private detective
• IT forensic investigation
• Criminal investigation
Data Protection
Limitations in relation to the processing of
personal data
• Personal data: “any information in relation to an
identified or identifiable physical person […]”
• Very broad legal interpretation of the concept of
personal data
• Not necessarily sensitive information (although stricter
rules apply to special categories of personal data)
• Processing: “any operation or set of operations which
is performed upon personal data […]”
Data Protection
Processing of personal data is prohibited, unless
allowed by the Data Protection Law
The data processing must comply with specific
principles
• Proportionality
• Purpose limitation
• Limited in time
• (Individual and collective) Transparency
• Data quality
• Data security
• (Individual and collective) Enforcement measures
Data Protection
Specific issues in relation to fraud prevention and detection
• Employee surveillance
• Electronic Communication (CBA No. 81)
• Workplace Camera Surveillance (CBA No. 68)
• Camera Surveillance (security cameras)
• Whistle blowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometrical data (e.g. identification and access restrictions)
• Screening / background checks (e.g. “certificate of good behaviour”)
• Archiving
• Data mining
Impact on evidence value in case of investigations
PRACTICAL APPROACH
An example
Corporate espionage
• Internal vs external
• Employee
• Self-employed
• Third party
• Purpose
• Competing activity
• Other
• Object
• Corporate know-how and IP
• Client list / supplier list
• Confidential Information
An example
Infringer
• Employee / Consultant
Nature of the wrong
• Civil / contractual
• Criminal
Equipment
• Laptop owned by employer/client
• Laptop owned by employee/consultant
Strategy
Options
• Internal investigation
• Forensic IT investigation on IT equipment
• External investigation
• Criminal complaint (?)
• Court proceedings
• Sequestration (“sekwester” / “séquestre”)
• Private search (“beslag inzake namaak” / “saisie en contrefaçon”)
• Court order to provide evidence
• Define actions (forensic or otherwise)
LEGAL ISSUES
Overview
Forensic IT investigation
• Capacity of the investigator
• Access to the IT equipment
• Company owned
• Third party owned
• Access to the data contained therein
• privacy issues
Cybercrime
Criminal acts posing a threat against the
confidentiality, the integrity and the availability of IT
systems and data
• Hacking
• Computer sabotage
Investigation powers
• (Network search)
• (IT system and data seizure)
• Cooperation duty of IT experts
Hacking
Hacking: “the unauthorized intrusion in or
maintenance of access to an IT system” (article
550bis Criminal Code)
• Internal hacking
• Person with access rights that exceeds such rights
• With a fraudulent purpose or with the purpose to cause damage
• External hacking
• Person without access rights
• Knowingly
There is no requirement of breach of security
measures
Organizing hacking or using data that was obtained
through hacking are also criminal offences
Hacking
Sanction (also applicable in case of attempt to hack)
• Internal hacking
• Fines: 26 to 25.000 EUR (x6); and/or
• Prison sentence: 3 months up to 1 year (doubled in case of intent to fraud)
• External hacking
• Fines: 26 to 25.000 EUR (x6); and/or
• Prison sentence: 6 months up to 2 years
Criminal sanctions are increased in case of:
• Copying any data on the IT system
• Use of the IT system or use thereof to hack another IT system
• Damage to the IT system or its data or any third-party IT system or data
Computer sabotage
Computer sabotage: “the direct or indirect insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system” (article 550ter Criminal Code)
• Virus, worm, or any other malicious code
• Unauthorized time-locks or other blocking mechanisms
Developing, distributing or commercializing malicious code or tools to commit computer sabotage is a criminal offence
Computer sabotage
Sanction (also applicable in case of attempted sabotage):
• Fine: 26 to 25.000 EUR (x6); and/or
• Prison sentence: 6 months up to 3 years (increased in case of fraudulent intent or intention to cause damage)
Criminal sanctions are increased in case of:
• Causing damage to data in any IT system as a result of computer sabotage
• Interfering with the proper functioning of any IT system as a result of computer sabotage
Sanctions are doubled in some cases of cybercrime recidivism
Privacy
What is privacy?
Various sources
• European Convention on Human Rights
• Treaty on the Functioning of the European Union
(TFEU)
• National (constitutional) legislation
Principle of privacy at work has been confirmed by
ECHR and Article 29 Working Party
Secrecy of letters
Secrecy of letters
• Article 29 of the Belgian Constitution
Drafts of outgoing letters
• Electronic documents
• Not applicable
Copies of incoming letters
Interception of incoming letters
• Address
• Mentions
Secrecy of electronic
communication
Electronic communication is protected
• Interception of electronic communication
• Art. 314bis of the Criminal Code
• Access to electronic communication
• Art. 124-125 of the Act of 13 June 2005
Specific problem for investigation of e-mail and IM
Secrecy of electronic
communication
General interdiction to:
• Consult any electronic communication
• Identify the participants to such electronic communication
• Process such electronic communication in any manner
UNLESS: if consent is obtained from all participants
Specific exceptions exist (only business relevant exceptions are mentioned):
• If allowed or imposed by law
• With the sole purpose of ensuring the proper functioning of the network or the proper performance of the communication service
• For offering a service that consists of preventing the receipt of unsolicited electronic communication, provided consent has been obtained from the recipient
No distinction is made between private and professional communication!
Secrecy of electronic
communication
Monitoring of any form of electronic communication
• Use of e-mail
• Use of Internet
CBA No. 81 allows a limited degree of monitoring
• Surveillance is possible for limited purposes
• The prevention of illegal acts, slander and violation of decency
• The protection of the economic, trade and financial interests of the company
• The protection of the security and proper functioning of the company’s IT system
• The compliance with company policies in relation to online technologies
• Procedural requirements
• Collective information
• Individual information
• Sanctions?
EVIDENCE LAW
Evidence Law
Admissible
• Type of evidence (‘matters of fact’ vs ‘legal acts’)
• Lawful
• Illegal evidence
• Illegally obtained evidence
• Probatory value (‘credibility’)
• Weight carried by the submitted evidence
• Influenced by the reliability
Gathering process of digital evidence
Inherent reliability (?)
Evidence Law
“Antigoon” case law
• Illegally obtained evidence
• Evidence is no longer automatically discarded
Evidence is retained, except:
• Nullity is the legally imposed sanction
• Unfair trial
• Impact on reliability
Small note: “Antigoon” case law is relatively new
and still evolving
Evidence law: lessons learnt
Problems with electronic evidence
• Rules of evidence strongly favour “paper evidence”
• Courts may be reluctant in the face of new
technologies
• Case law usually dismisses electronic evidence at the
slightest indication of the possibility of fraud /
tampered evidence
General rules
• Ensure the accountability and integrity of any
electronic evidence at all times
• Implement procedures and policies / provide evidence
that these policies are regularly verified or audited
Evidence Law: lessons learnt
Practical approach in Belgium
• Ensure that the evidence collection is organized in a
manner guaranteeing evidence integrity
• Assistance of a court appointed expert (feasible?)
• Assistance of a bailiff
• Assistance of a unilaterally appointed expert
• Assistance of the Belgian Federal Computer Crime Unit
(FCCU)
• Ensure that the evidence is stored in a secure
manner
Court proceedings are likely to include a court
expertise
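The integrity and accountability requirements of the two slides above, as an added illustration that is not part of the original presentation: an acquisition manifest that hashes every evidence item and keeps a hash-chained custody log, so that a modified item or an edited custody record is detected when the manifest is verified. The file names and the custodian are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def digest(obj) -> str:
    # Canonical JSON so the same record always hashes the same way
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def file_hash(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # stream in chunks for real images

def append_custody(manifest: dict, actor: str, action: str) -> None:
    # Each entry commits to the previous entry and to the item hashes (hash chain)
    prev = manifest["custody"][-1]["entry_hash"] if manifest["custody"] else "0" * 64
    entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "prev": prev, "items_hash": digest(manifest["items"])}
    entry["entry_hash"] = digest(entry)
    manifest["custody"].append(entry)

def create_manifest(evidence_dir: Path, custodian: str) -> dict:
    # Hash every item at acquisition time and record who acquired it
    items = {p.name: file_hash(p) for p in sorted(evidence_dir.iterdir()) if p.is_file()}
    manifest = {"items": items, "custody": []}
    append_custody(manifest, custodian, "acquired")
    return manifest

def verify(evidence_dir: Path, manifest: dict) -> dict:
    # Re-hash the items and re-walk the custody chain from its all-zero anchor
    modified = [n for n, h in manifest["items"].items()
                if not (evidence_dir / n).is_file() or file_hash(evidence_dir / n) != h]
    chain_ok, prev, items_hash = True, "0" * 64, digest(manifest["items"])
    for e in manifest["custody"]:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        chain_ok &= e["prev"] == prev and e["items_hash"] == items_hash and digest(body) == e["entry_hash"]
        prev = e["entry_hash"]
    return {"intact": not modified and chain_ok, "modified": modified, "chain_ok": chain_ok}

def demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d)  # constructed sample evidence: two small files standing in for images
        (ev / "laptop_image.bin").write_bytes(b"constructed disk image bytes")
        (ev / "mailbox.pst").write_bytes(b"constructed mailbox export")
        m = create_manifest(ev, "hypothetical bailiff")
        before = verify(ev, m)
        (ev / "mailbox.pst").write_bytes(b"tampered")  # alteration after acquisition
        after = verify(ev, m)
        m["custody"][0]["actor"] = "someone else"      # custody record edited afterwards
        return before["intact"], after["modified"], verify(ev, m)["chain_ok"]
```

Keeping the manifest with an independent party (bailiff, court-appointed expert) is what turns the hashes into evidence that the items were not altered since acquisition.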
QUESTIONS?
Thank you for your attention.