Published on February 6, 2014
A panorama of legal issues concerning IT forensic investigations
ACFE Annual Meeting | Brussels | 5 February 2014
Johan Vandendriessche, Partner (crosslaw) | www.crosslaw.be
Fraud – prevention, detection and investigation

Fraud
• Deliberately practised deception to obtain or secure an unlawful gain
• Civil wrong (tortious liability or contractual liability)
• Criminal offence
• Fraud takes many forms
• The "unlawful gain" can be very varied

Fraud prevention
• Technical and organizational measures
• Security measures
• Policies
• Contractual arrangements

Fraud detection
• Organized detection
  • Technical measures (e.g. camera surveillance, data mining, …)
  • Organizational measures
• Incidental detection

Fraud investigation
• Informal private hearing
• Private detective
• IT forensic investigation
• Criminal investigation
Data Protection

Limitations in relation to the processing of personal data
• Personal data: "any information relating to an identified or identifiable natural person […]"
• The concept of personal data is interpreted very broadly
• Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Processing: "any operation or set of operations which is performed upon personal data […]"

Processing of personal data is prohibited, unless allowed by the Data Protection Law

The data processing must comply with specific principles
• Proportionality
• Purpose limitation
• Limited in time
• Transparency (individual and collective)
• Data quality
• Data security
• Enforcement measures (individual and collective)

Specific issues in relation to fraud prevention and detection
• Employee surveillance
  • Electronic communication (CBA No. 81)
  • Workplace camera surveillance (CBA No. 68)
• Camera surveillance (security cameras)
• Whistleblowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometric data (e.g. identification and access restrictions)
• Screening / background checks (e.g. "certificate of good behaviour")
• Archiving
• Data mining
• Impact on the evidentiary value in case of investigations
PRACTICAL APPROACH
An example: corporate espionage
• Internal vs external
  • Employee
  • Self-employed
  • Third party
• Purpose
  • Competing activity
  • Other
• Object
  • Corporate know-how and IP
  • Client list / supplier list
  • Confidential information

An example (continued)
• Infringer: employee / consultant
• Nature of the wrong
  • Civil / contractual
  • Criminal
• Equipment
  • Laptop owned by the employer/client
  • Laptop owned by the employee/consultant

Strategy

Options
• Internal investigation
  • Forensic IT investigation on the IT equipment
• External investigation
  • Criminal complaint (?)
  • Court proceedings
    • Sequestration ("sekwester" / "séquestre")
    • Private search ("beslag inzake namaak" / "saisie en contrefaçon", i.e. seizure in matters of counterfeiting)
    • Court order to provide evidence
• Define actions (forensic or otherwise)
LEGAL ISSUES
Overview

Forensic IT investigation
• Capacity of the investigator
• Access to the IT equipment
  • Company owned
  • Third party owned
• Access to the data contained therein
  • Privacy issues

Cybercrime

Criminal acts posing a threat to the confidentiality, integrity and availability of IT systems and data
• Hacking
• Computer sabotage

Investigation powers
• (Network search)
• (IT system and data seizure)
• Cooperation duty of IT experts
Hacking

Hacking: "the unauthorized intrusion into, or maintenance of access to, an IT system" (article 550bis Criminal Code)
• Internal hacking
  • Person with access rights who exceeds those rights
  • With a fraudulent purpose or with the purpose to cause damage
• External hacking
  • Person without access rights
  • Knowingly
There is no requirement that security measures be breached
Organizing hacking, or using data that was obtained through hacking, are also criminal offences

Sanctions (also applicable to attempted hacking)
• Internal hacking
  • Fines: 26 to 25,000 EUR (multiplied by the statutory surcharge, x6); and/or
  • Prison sentence: 6 months up to 2 years
• External hacking
  • Fines: 26 to 25,000 EUR (x6); and/or
  • Prison sentence: 3 months up to 1 year (doubled in case of fraudulent intent; internal hacking already requires such intent, see above)
Criminal sanctions are increased in case of:
• Copying any data on the IT system
• Use of the IT system, or use thereof to hack another IT system
• Damage to the IT system or its data, or to any third-party IT system or data
Computer sabotage

Computer sabotage: "the direct or indirect insertion, modification or erasure of information in an IT system, or any other change to the normal use of information in an IT system" (article 550ter Criminal Code)
• Virus, worm or any other malicious code
• Unauthorized time locks or other blocking mechanisms
Developing, distributing or commercializing malicious code or tools to commit computer sabotage is also a criminal offence

Sanctions (also applicable to attempted sabotage)
• Fine: 26 to 25,000 EUR (x6); and/or
• Prison sentence: 6 months up to 3 years (increased in case of fraudulent intent or intent to cause damage)
Criminal sanctions are increased in case of:
• Damage to data in any IT system as a result of the sabotage
• Interference with the proper functioning of any IT system as a result of the sabotage
Sanctions are doubled in some cases of cybercrime recidivism
Privacy

What is privacy? Various sources
• European Convention on Human Rights
• Treaty on the Functioning of the European Union (TFEU)
• National (constitutional) legislation
The principle of privacy at work has been confirmed by the European Court of Human Rights and by the Article 29 Working Party

Secrecy of letters
• Article 29 of the Belgian Constitution
• Drafts of outgoing letters
• Copies of incoming letters
• Interception of incoming letters
  • Address
  • Mentions
• Electronic documents: not applicable
Secrecy of electronic communication

Electronic communication is protected
• Interception of electronic communication: art. 314bis of the Criminal Code
• Access to electronic communication: art. 124–125 of the Act of 13 June 2005 on electronic communications
Specific problem for the investigation of e-mail and instant messaging

General prohibition on:
• Consulting any electronic communication
• Identifying the participants in such electronic communication
• Processing such electronic communication in any manner
UNLESS consent is obtained from all participants
Specific exceptions exist (only the business-relevant exceptions are mentioned):
• If allowed or imposed by law
• With the sole purpose of ensuring the proper functioning of the network or the proper performance of the communication service
• For offering a service that consists of preventing the receipt of unsolicited electronic communication, provided the recipient has consented
No distinction is made between private and professional communication!

Monitoring of any form of electronic communication
• Use of e-mail
• Use of the Internet
CBA No. 81 allows a limited degree of monitoring
• Surveillance is possible for limited purposes only:
  • The prevention of illegal acts, slander and violations of decency
  • The protection of the economic, trade and financial interests of the company
  • The protection of the security and proper functioning of the company's IT systems
  • Compliance with company policies on the use of online technologies
• Procedural requirements
  • Collective information
  • Individual information
• Sanctions?
EVIDENCE LAW
Evidence Law

Admissibility
• Type of evidence ("matters of fact" vs "legal acts")
• Lawfulness
  • Illegal evidence
  • Illegally obtained evidence
Probative value ("credibility")
• Weight carried by the submitted evidence
• Influenced by reliability:
  • The gathering process of the digital evidence
  • Its inherent reliability (?)

"Antigoon" case law
• Illegally obtained evidence is no longer automatically discarded
• The evidence is retained, except where:
  • Nullity is the legally imposed sanction
  • Its use would make the trial unfair
  • The irregularity affects the reliability of the evidence
Small note: the "Antigoon" case law is relatively new and still evolving

Evidence law: lessons learnt

Problems with electronic evidence
• The rules of evidence strongly favour "paper evidence"
• Courts may be reluctant in the face of new technologies
• Case law usually dismisses electronic evidence at the slightest indication that it may have been forged or tampered with

General rules
• Ensure the accountability (who handled the evidence, when and how) and the integrity of any electronic evidence at all times
• Implement procedures and policies, and be able to show that these policies are regularly verified or audited

Practical approach in Belgium
• Ensure that the evidence collection is organized in a manner that guarantees evidence integrity
  • Assistance of a court-appointed expert (feasible?)
  • Assistance of a bailiff
  • Assistance of a unilaterally appointed expert
  • Assistance of the Belgian Federal Computer Crime Unit (FCCU)
• Ensure that the evidence is stored in a secure manner
Court proceedings are likely to include a court-ordered expert examination
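The "integrity" and "accountability" requirements above are only persuasive in court if they can be demonstrated rather than asserted. The following is an added example, not part of the presentation and not a tool used by the speaker or by the FCCU: it hashes each evidence item (the acquired image, never the live disk), records a custody log in which every entry is chained to the previous one, and shows how both a modified item and an after-the-fact edit of the log are detected. The file names, handlers and evidence bytes are constructed for illustration.

```python
"""Evidence-integrity manifest with a hash-chained custody log (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first custody entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; hash the acquired image, not the live system."""
    return hashlib.sha256(data).hexdigest()


def _canonical_digest(obj) -> str:
    """Digest of canonical JSON, so key order cannot change the result."""
    return sha256_hex(json.dumps(obj, sort_keys=True).encode())


def build_manifest(items: dict, handler: str, note: str, when: str = None) -> dict:
    """Record one hash per evidence item plus the first custody entry."""
    manifest = {"items": {name: sha256_hex(data) for name, data in items.items()},
                "custody": []}
    add_custody_entry(manifest, handler, note, when)
    return manifest


def add_custody_entry(manifest: dict, handler: str, note: str, when: str = None) -> dict:
    """Append a custody record linked to the previous one (tamper-evident log)."""
    custody = manifest["custody"]
    entry = {
        "seq": len(custody),
        "when": when or datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "note": note,
        # Binds the record to the exact set of item hashes it vouches for.
        "items_digest": _canonical_digest(manifest["items"]),
        "prev": custody[-1]["digest"] if custody else GENESIS,
    }
    entry["digest"] = _canonical_digest(entry)
    custody.append(entry)
    return entry


def verify_items(manifest: dict, items: dict) -> list:
    """Names whose current hash differs from (or is missing in) the manifest; [] = intact."""
    bad = [name for name, expected in manifest["items"].items()
           if name not in items or sha256_hex(items[name]) != expected]
    return sorted(bad)


def verify_custody_chain(manifest: dict) -> bool:
    """Recompute every digest and link; an edited, reordered or dropped record breaks the chain."""
    prev = GENESIS
    items_digest = _canonical_digest(manifest["items"])
    for seq, entry in enumerate(manifest["custody"]):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if (entry.get("seq") != seq or entry.get("prev") != prev
                or entry.get("items_digest") != items_digest
                or _canonical_digest(body) != entry.get("digest")):
            return False
        prev = entry["digest"]
    return True


def demo() -> dict:
    """Walk through acquisition, hand-over, tampering and log-editing; returns the checks."""
    # Constructed sample evidence standing in for a disk image and an exported mailbox.
    evidence = {
        "laptop-image.dd": b"\x00" * 64 + b"sample image bytes",
        "mailbox.pst": b"From: sample@example.invalid\nSubject: constructed\n",
    }
    m = build_manifest(evidence, "bailiff (hypothetical)", "image acquired on site",
                       when="2014-02-05T09:00:00+00:00")
    add_custody_entry(m, "forensic lab (hypothetical)", "sealed drive received",
                      when="2014-02-05T15:30:00+00:00")
    results = {"intact": verify_items(m, evidence), "chain_ok": verify_custody_chain(m)}

    # One byte appended to the mailbox export: the item check must name it.
    tampered = dict(evidence)
    tampered["mailbox.pst"] += b"X"
    results["tampered"] = verify_items(m, tampered)

    # Someone rewrites who acquired the image: the digest of entry 0 no longer matches.
    m["custody"][0]["handler"] = "someone else"
    results["chain_after_edit"] = verify_custody_chain(m)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest separately from the evidence (for instance with the bailiff or expert), so that whoever holds the drive cannot silently regenerate both; the chain only proves that the log was not altered after the last entry that a third party can vouch for.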
Thank you for your attention. QUESTIONS?