Houston, Texas
April 4, 2013
Bryan Foster
Mark Michels
Deloitte Financial Advisory Services LLP
1
Overview
The legal context
• Civil
• Criminal
3
Mobile device proliferation 17
Mobile device discovery and forensics 21
Implications for in-house counsel 27
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Disclaimer
The oral presentation and this written material (collectively, the “Materials”) contain general information only and Deloitte Financial Advisory Services LLP and its affiliates, are not, by means of these Materials, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. These
Materials are not a substitute for such professional advice or services, nor should they be used as a basis for any decision or action that may affect your business.
Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte Financial Advisory Services LLP and its affiliates shall not be responsible for any loss sustained by any person who relies on these Materials.
2 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Mobile device discovery
The legal context*
* Deloitte Financial Advisory Services LLP does not provide any legal advice or address any questions of law.
4
Pro
: Mark Michels, Deloitte Discovery
Con
: Bryan Foster, Deloitte Discovery
Copyright © 2013 Deloitte Development LLC. All rights reserved.
5
Federal Rule of Civil Procedure 26(b)(1), Discovery
Scope and Limits, Scope in General
Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense — including the existence, description, nature, custody, condition, and location of any documents or other tangible things and the identity and location of persons who know of any discoverable matter. . . Relevant information need not be admissible at the trial if the discovery appears reasonably calculated to lead to the discovery of admissible evidence
.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
6
Texas Rules of Civil Procedure, 192.3(a), Scope of
Discovery
In general, a party may obtain discovery regarding any matter that is not privileged and is relevant to the subject matter of the pending action, whether it relates to the claim or defense of the party seeking discovery or the claim or defense of any other party.
It is not a ground for objection that the information sought will be inadmissible at trial if the information sought appears reasonably calculated to lead to the discovery of admissible evidence.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
7
Federal Rule of Civil Procedure 34. Producing
Documents, Electronically Stored Information, and
Tangible Things. . .
(a) In General. A party may serve on any other party a request within the scope of Rule 26(b):
(1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control:
*******
(B) any designated tangible things;
Copyright © 2013 Deloitte Development LLC. All rights reserved.
8
FRCP 34 Advisory Committee Notes to 2006
Amendments
Rule 34(a)(1) is expansive and includes any type of information that is stored electronically. . .. The rule covers – either as documents or as electronically stored information – information
"stored in any medium," to encompass future developments in computer technology. Rule
34(a)(1) is intended to be broad enough to cover all current types of computer-based information, and flexible enough to encompass future changes and developments.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
9
Texas Rules of Civil Procedure, 196.1(a), Request for
Production and Inspection to Parties
A party may serve on another party — no later than
30 days before the end of the discovery period — a request for production or for inspection, to inspect, sample, test, photograph and copy documents or tangible things within the scope of discovery.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Discovery request for mobile phones
Example Request
Please produce for inspection any and all mobile phones possessed by the Defendant from October
1, 2010 to present. (Plaintiff’s counsel will arrange for a replacement phone during the time of the inspection, not to exceed ten (10) business days from the date of production.)
10 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Preservation requirements — one court’s take
Rimkus Consulting Group, Inc. v. Cammarata , 688 F. Supp. 2d 598, 612
(S.D. Tex. 2010) (citation and internal quotation marks omitted).
11 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Sanctions for failing to preserve mobile device data
Defendant’s wiping of all emails, calendar items, text messages, and telephone records from . . .
[Defendant’s mobile devices] warranted an adverse inference jury instruction regarding defendants’ failure to preserve data . . . that would have been advantageous to plaintiffs and disadvantageous to
Defendants.
Southeastern Mechanical Services, Inc., v. Brody, et al., 657 F. Supp 2d 1293 (M.D. Fla. 2009)
12 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Smartphone Preservation Failure Sanctions
Defendants had a duty to preserve smartphone text messages but took no steps to preserve them. Failure to preserve smartphone text messages warranted sanctions.
“[P]laintiffs will be permitted to introduce evidence at trial, if they wish. . . of defendants failure to preserve [smartphone] text messages. Plaintiffs may argue whatever inference they hope the jury will draw. Defendants may present evidence in explanation, assuming of course that the evidence is otherwise admissible, and argue that no adverse inference should be drawn.”
Christou v. Beatport , 2013 WL 248058 (D. Colo.)
13 Copyright © 2013 Deloitte Development LLC. All rights reserved.
14 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Law enforcement cellphone demands
“Cellphone carriers reported that they responded to a startling 1.3 million demands for subscriber information last year from law enforcement agencies seeking text messages, caller locations and other information in the course of investigations .”
More Demands on Cell Carriers in Surveillance , New York Times, July 8, 2012 http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in-requests-to-aidsurveillance.html?pagewanted=all&_r=0
15 Copyright © 2013 Deloitte Development LLC. All rights reserved.
DOJ pen/trap devices
Original orders
25000
20000
15000
10000
5000
0
1998 2000 2002 2004
Pen register
2006 2008
Trap and trace
2010 2012
ACLU, “New Justice Department Documents Show Huge Increase in Warrantless Electronic Surveillance, 09/27/2012” http://www.aclu.org/blog/national-security-technology-and-liberty/new-justice-department-documents-show-huge-increase
16 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Mobile device discovery
Mobile device proliferation
Mobile device proliferation
• 290+million mobile phones in the United States (ITU, 2011)
• 88% of American adults have a cell phone and 19% have a tablet computer (Pew, April 13, 2012)
• Almost half (49.7%) of U.S. mobile subscribers now own smartphones (Nielsen, February 2012)
• 4.4 billion mobile subscribers worldwide, (Ericsson Mobility
Report Interim Update February 2013)
• 53 percent of employees are using their own technology for work purposes (Forrester Research, June 2012)
18 Copyright © 2013 Deloitte Development LLC. All rights reserved.
27% of the U.S. population own tablets and about half
(49%) own smartphones
Among all respondents
Desktop computer
Laptop/Netbook
Multimedia smartphone
Multimedia handheld device
Tablet device
Dedicated e-reader
Flat-panel high-definition TV
Digital video recorder
Total
29%
25%
70%
50%
75%
74%
Trailing millennials
(%)
Leading millennials
(%)
49 58
Xers
(%)
79
82 85 76
46
48
19
29
62
41
65
37
28
20
69
49 50
58
33
30
28
68
Boomers
(%)
82
67
39
19
27
22
72
50
Matures
(%)
89
66
29
12
20
25
80
59
Minimum value
Midpoint value =
50 percentile
Deloitte Development, LLC “Devices, Consumption, and the Digital Landscape”, 2012
19
Maximum value
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Half of tablet owners are currently employing their device in the work place, but few use it solely for work
Total tablet usage Tablets: personal/work overlap
Personal use:
93%
Personal only: 46%
Both personal and work: 47%
Work only: 7%
Work use:
54%
Q. TABLETS: Respondents using the tablet device for personal use, for work, or for both?
20
Deloitte Development, LLC “Devices, Consumption, and the Digital Landscape”, 2012
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Mobile device discovery
Mobile device forensics
Mobile devices and operating systems
• More than 3600 devices
• Multiple operating systems
• Often not backwards compatible
22 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Mobile data types
• Application data
• Audio
• Bookmarks
• Calendar
• Call logs
• Chat
• Contacts
• Cookies
• Device information
• Device settings
• Device voicemail
23
• Files
• Locations
• Memory card content
• MMS
• Notes
• Pictures
• SMS
• Tasks
• Video
• Web history
• Wi-Fi history
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Hierarchy of mobile forensics collections
• Physical — A physical collection of a mobile device, captures the physical device in its entirety. This is a bit for bit image of the data area of the mobile and allows the examiner to view the device’s unallocated space and recover deleted content in unallocated space
• Filesystem dump — A Filesystem Dump is a special variety of a Logical collection that captures everything on the physical device except unallocated space
• Logical — A Logical collection reads the data from the device and pulls it in to a report. The data collected will vary based on the capabilities of the device and vendor support
• Backup utility — Although using a Backup Utility such as iTunes or
Desktop Manager to collect a device is a last resort; a device backup will often produce data on par with a File system collection or at a minimum above a Logical collection
24 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Data types from Physical, Filesystem and Logical
The ten most commonly desired data types are preserved in Physical,
Filesystem and Logical collections. This is of course dependent on the device capabilities and vendor support.
Data type
Audio
Calendar
Call logs
Contacts
Device information
Device voicemail
Files
Memory card content
MMS
Notes
Pictures
Server voicemail
SIM card
SMS
Tasks
Video
P/F/L
P/F/L
P/F/L
P/F/L
P/F/L
P/F/L
N/A
F/L
P/F/L
P/F/L
P/F/L
P/F
P/F
P/F
P/F/L
P/F
P/F/L
In collection
Copyright © 2013 Deloitte Development LLC. All rights reserved.
25
Industry standard tools
• Current tools can be divided into software based tools and hardware based tools. No single tool covers all of the thousands of mobile devices. Hardware and software based solutions are needed to properly and efficiently perform collection and advanced data analysis.
• Tailor the tool to be used based on the make, model, and operating system of the mobile device being preserved.
Secondarily, the type of preservation Physical, Logical or
File System is selected based on the types of data of interest as well as the ability of the solution to extract that data.
26 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Mobile device discovery
Implications for in-house counsel
Discovery/incident response plan
• Identify device types in enterprise
• Know location of devices
• Understand mobile device back-ups
28 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Investigations involving mobile devices
• Person to person communications (harassment)
• Personal email accounts (IP theft)
• Behavioral analysis (misuse of resources)
• Bank fraud (malware)
• VPN access to company network (hacking)
• Lost or stolen items — (PII)
29 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Mobile device security policy
• Does your company provide clear direction to their end users on acceptable use?
• Some mobile device leading practices
– Encryption of device
– Anti-virus/malware scanning
– Backup procedures
– Acceptable usage policy
30 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Mobile device asset tracking
• Device types
• Usage dates
• Physical location of devices
• Device usage
• Service provider account information
31 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Q&A
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu
Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited