LAW- F03 Michael Stortz - PowerPoint Presentation

LAW- F03 Michael Stortz PartnerDrinker Biddle & Reath Jay Brudz Chair, Information Governance & eDiscovery Group, Drinker Biddle & Reath Can I Get A Witness?Technical Witness Bootcamp Eric Hibbard CTO Security & PrivacyHitachi Data Systems Erez Lieberman Chief Counsel, Cybersecurity & Privacy Prudential

I. Introductions II. Trial Techniques Panel Discussion III. Simulation – Technical Witness TestimonyIV. Q&A

Framing the Discussion: Key Concepts 3 TestimonyOral or written evidence given by a competent witness, under oath, at trial or in an Affidavit or Deposition AffidavitA witness’ voluntarily sworn declaration of written facts Deposition Witness’ sworn out-of-court testimony (oral or written)Used to gather information as part of the discovery process May be used in trial, but usually hearsay

Framing the Discussion: Key Concepts 4 Stages of a Civil Trial Opening statements by both sides Plaintiff (P) calls witnesses and produces evidence Defendant (D) may call witnesses and produce evidence to disprove P’s case or prove D’s claims P may call rebuttal witnesses Closing arguments by both sidesJudge instructs Jury Jury deliberatesJury reaches its verdict Direct v. Cross Direct Examination The questioning of a witness by the party who called him/her in trial – asks for the witness ’ account Cross-Examination Questioning of a witness by the opposing – evaluate the witness’ account and the witness’ credibility

Framing the Discussion: Key Concepts 5 Lay Witness vs. Lay Witness TestimonyMore often than likely you will be a lay (or fact) witness, even in forensic cases Lay witness opinions are generally inadmissible, except when: Rationally based on the witness’ perception, Helpful to a clear understanding of his/her testimony or helpful to the determination of a fact in issue, and Not based on scientific, technical, or other specialized knowledge Expert Witness Expert Witness TestimonyAn expert may state an opinion or conclusion, if the:Subject matter is one where scientific, technical, or other specialized knowledge would assist the trier of fact; Witness is qualified as an expert (i.e. special knowledge, skill, experience, training, or education);Expert possesses reasonable probability regarding his/her opinion; and Opinion is supported by a proper factual basis. The expert’s opinion may be based on 1 or more of the 3 possible sources of information: (i) personal observation, (ii) facts made known to the expert at trial, or (iii) facts not known personally, but supplied to him outside the courtroom and of a type reasonably relied upon by experts in the particular field

Framing the Discussion: Key Concepts 6 Evidentiary Issues in Digital Cases AuthenticationProponent must produce evidence sufficient to support a finding that the item is what the proponent claims it isSeveral methods to authenticate (e.g., authentication by reply or content)Chain-of-Custody issues HearsayAn out of court statement (i.e. oral, written, or conduct) offered in evidence to prove the matter asserted; generally inadmissible, unless an exception applies Ex. Business Record ExceptionLikely accurate since they are made for running a business vs. for a litigation purpose

Framing the Discussion: Key Concepts 7 Purpose of TestimonyTrial StylePreparation ScopeRelevance Forensic FindingsTrapsSpeculationTechnical Limitations Remember : The underlying technology is NOT on trial!

Framing the Discussion: Key Concepts 8 DO…Look Nice Be PoliteSpeak Up and ClearlyPrepareEye Contact Be TruthfulAnswer the Questions DO NOT….VolunteerTake the BaitTry to Win the Case Fill SilencesGet Mad or CombativeOpen the DoorUse Tech Jargon

Simulation: Data Breach Trial 9 BuyMore Industries (“BMI”) is a company of 2,000 employees which manufactures artisanal snooze alarm back scratchers, sold primarily online through their homegrown ecommerce site. Last year, an intrepid reporter on the cybersecurity breach contacted your CIO to let them know that your data was available on the black market, shortly thereafter the story broke. BMI customers filed a class-action lawsuit against BMI alleging its failure in safeguarding their data. You are BMI’s Network Engineer, reporting directly to the CIO. You are responsible for network security as well as keeping the lights on. You have been asked to testify regarding the facts of the data breach. BMI Suffers Major Ten Million Accounts Compromised

Simulation: Data Breach Trial 10 In conducting your investigation, you have prepared a report regarding A forensic examination of BMI’s CEO’s computer, which received a spear phishing email with a malicious file attachment (found in unallocated space) How the malware attacked BMI’s network and led to the exfiltration of 10 million customer recordsThe report is shared with BMI and the plaintiffs’ attorney.Trial commences and BMI calls you to take the stand BMI Faces Class Action After

Simulation: Data Breach Trial 11 Witness’ Testimony: Key PointsBMI’s network security was in accordance with industry best practices and norms BMI’s main database of customer information was compromised The database contained 10 million customer records The breach originated with a phishing attack on the CEO’s personal email account

Simulation: Data Breach Trial 12 Witness’ Testimony: Key Points cont.

Simulation: Data Breach Trial 13 Phishing email recovered from unallocated space on CEO’s computer Exhibit 1: HR Manager <HR-Manager@BMI-HR.com> BMI.CEO@gmail.com Dear CEO, BMI’s Human Resources Department asks that you review your annual executive benefits elections for FY2016 in the attached document. BMI HR Department: Annual Benefits Elections

Simulation: Data Breach Trial 14 Demonstrative exhibit showing BMI’s network topology Exhibit 2:

Simulation: Data Breach Trial 15 Demonstrative exhibit showing breach process Exhibit 3:

QUESTIONS?