Can They Get That Stuff?
Our Panel
Daniel Karson – Moderator
Chairman, Americas
Kroll Advisory Solutions
Michael DuBose
Managing Director and
Cyber Investigations Practice Leader
Kroll Advisory Solutions
Andrea S. Gibson
Product Director, Core Discovery Solutions
Kroll Ontrack Inc.
Brian Moroney
General Counsel and Chief Compliance Officer
CRG
Michael DuBose
Managing Director and
Cyber Investigations Practice Leader
Kroll Advisory Solutions
SOCIAL NETWORKS
» YouTube, Facebook, Twitter, LinkedIn, MySpace
Two Evidence Types
1. Public Data: data mining, web crawlers; commercial databases.
2. Non-Public information: production must be compelled through legal process.
Compelled Disclosure
Stored Communications Act
» 18 U.S.C. §§2701-12 (Title II of the Electronic Communications
and Privacy Act)
Statutory privacy rights for customers and subscribers of Internet communication service providers like Comcast (ISP) and Facebook
Two Types of Service Providers
» Electronic Communications Services (ECS): transmission
» Remote Computing Services (RCS): storage
Compelling Production (Govt.)
The type of judicial process needed is determined by
the nature of data sought:
» Subpoena - subscriber records; unopened e-mail older than 180 days, w/notice; opened e-mail, w/notice.
» 18 U.S.C. §2703(d) Order - subscriber and transactional records; opened e-mail w/notice; unopened e-mail older than 180 days, w/notice.
» Search Warrant - content of communications, no matter how old, whether opened or unopened.
Significant Cases Establishing Greater 4th Amendment Protections
Theofel v. Farey-Jones, 359 F3d 1066 (9th Cir. 2004):
Expansive definition of what is considered to be “in
electronic storage.”
» Search Warrant now needed for opened communications, including
e-mail, less than 180 days old; previously could obtain through subpoena w/notice.
United States v. Warshak, 532 F3d 521 (6th Cir. 2008):
reasonable expectation of privacy for ALL e-mails stored
on third party servers; 4th Amendment protections apply.
» Search Warrant needed for ALL stored communications, opened or
unopened, however long stored: previously could use subpoena to obtain unretrieved communications older than 180 days.
Current Practice (Criminal)
Subpoena: subscriber records (name, address, length and type of service, means of payment – include credit card or bank account number)
2703(d) Order: subscriber and transactional records (account logs, temporary historical IP addresses)
Search Warrant: content of all communications (e.g., e-mails, messages, Tweeting, chat logs)
Civil
Public service providers may freely disclose
customers’ non-content records to any person other
than the government
Basic rules of evidence apply
Subpoena duces tecum served on ISP or social
network for non-content records (e.g., subscriber and
log-in information)
Party’s consent is required for content (including
private messaging), but can be compelled by court if
relevant to litigation and narrowly tailored
Andrea S. Gibson
Product Director, Core Discovery Solutions
Kroll Ontrack Inc.
Discussion Overview
Why Care?
Case Law & Legislation
Challenges Posed by Social Media
Why Care?
(1.) … It’s what we do.
Social media use is
becoming increasingly
pervasive in our society
Americans spent 22.7% of
their time online using social
networking sites and blogs as
of June 2010
» Represents a 43% increase from
June 2009
[Chart: Internet Usage – Other Activities vs. Social Media/Blogs]
Source: The Nielsen Company, http://blog.nielsen.com/nielsenwire/online_mobile/what-americans-do-online-
Why Care?
(1.) … It’s what we do.
Mimecast survey: 85 percent of employees under age 25 –
“Generation Gmail” - send work-related documents and email
from personal email accounts.
Cyberoam survey: extracted and collaged information from
LinkedIn, Facebook and Twitter accounts of employees from 20
companies, in various industries and six countries.
» Salary and cash flow issues,
» Employees were looking for new jobs,
» Premature broadcasts of: launches, conferences, quarterly earning calls and financials
Mimecast’s survey was conducted by Loudhouse, which conducted 2,400 online interviews with corporate email users around the world
Why Care?
(2.) … Corporate Utility
80% of Fortune Global 100 companies use
some form of social media
Most used:
» Twitter: 60%
» Facebook: 54%
» YouTube: 50%
Why Care?
(2.) Corporate Utility
Majority of companies surveyed
saw demonstrated value in using
the medium to drive business and
customer relations
Source: Cyance, “Social Media in Business Census 2011”. Available at,
http://www.cyance.com/rsc/2011CyanceIDMSocialMediaCensus.pdf.
Why Care?
(3.) … It’s growing & evolving….
Social media is predicted to replace e-mail as the dominant form of communication by 2014
» Gartner Predicts Social Networking to Overtake E-Mail,
Why Care?
(4.) …. Significant security threats
2008, virus named “Koobface” hit Facebook
and quickly spread
» Sent messages to infected users’ friends with a
clickable link, directing web traffic to contaminated sites
2011, Twitter reached a settlement with the FTC regarding
charges it failed to safeguard users’ personal information
» Lapses in Twitter’s data security led to access of non-public user
information and ability to send out phony tweets
11/30/2011, Facebook reached a settlement with the FTC
regarding “privacy breaches”
» Deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public
Why Care?
(5.) … Litigation & investigations
My boss is a complete
crook. No joke.
LOL – My company is full of crooks
Information on social media can be relevant
evidence in an investigation/trial
Why Care?
(5.) … Litigation & investigations
Jury Selection: Info for Voir Dire
Jury Instructions:
Summer 2010, the Judicial Conference Committee on
Court Administration and Case Management developed
a set of model jury instructions regarding the use of
digital devices and social media.
» “You may not communicate with anyone about the case on your cell
phone, through e-mail, Blackberry, iPhone, text messaging, or on
Twitter, through any blog or website, through any internet chat
room, or by way of any other social networking websites, including
Facebook, My Space, LinkedIn, and YouTube.”
Why Care?
(6.) …. Lawyers are social creatures, too
2009, the Florida Board of Bar Examiners adopted rules requiring Bar applicants to give the Board full access to all social media accounts in the following situations:
Applicants required to establish rehabilitation under Rule 3-13
Applicants with a history of substance abuse/dependence
Applicants with “significant candor concerns”
Applicants with a history of unlicensed practice of law allegations;
Applicants who have worked as a certified legal intern, reported
self-employment in a legal field, or reported employment as an
attorney pending admission
Discoverability: Of course it is….
» Information contained on social media is ESI, and therefore generally discoverable
Federal Rules of Civil Procedure 26(b)(1) permits
discovery of electronically stored information (ESI)
“regarding any non-privileged matter that is
relevant to any party’s claim or defense.”
Discoverability:
“Private” is still public
Social media discovery
disputes often focus on
this distinction
Most courts have so far
considered “private”
material within the scope
of discovery
» Must be relevant to the matter
Discoverability:
Social Media as Evidence
Court ordered production of data from Facebook and MySpace account: privacy is “wishful thinking”
» Romano v. Steelcase Inc., 907 N.Y.S.2d 650 (Sept. 21, 2010).
Plaintiff ordered to preserve existing information on MySpace and Facebook: provide user names and passwords to opposing counsel
» McMillen v. Hummingbird Speedway, Inc., No. 113-2010 CD (C.P. Jefferson Sept. 9, 2010).
Court finds private portions of Facebook and MySpace accounts to be “fair game”: orders production of user names and passwords
» Zimmerman v. Weis Markets, Inc., No. CV-09-1535 (C.P. Northumberland May 19, 2011).
Discoverability:
Stored Communications Act
Prohibits
» Electronic Communication Service (ECS) and
» Remote Computing Service (RCS) providers
From:
» Knowingly divulging the contents of
» A communication
» It stores
Unless the divulgence is
» To an intended recipient of such communication or
» Express permission from the sender is obtained
Plaintiff moved to quash
subpoenas for private information
and communications contained on
his social networking site accounts.
Court found that with respect to
private messages, social networking
sites acted as both ECS and RCS
providers, and the SCA prohibited
disclosure of privately stored
information.
-Crispin v. Audigier, Inc., 2010 WL 2293238 (C.D. Cal. May 26, 2010).
Discoverability:
Stored Communications Act
Discoverability: Production
The Case for Cooperation
Job of counsel “to make judgment calls – in good
faith and consistent with their obligations as
officers of the court – about what information is
responsive to another party’s discovery requests.
Discovery is intended to be a self-regulating
process that depends on the reasonableness
and cooperation of counsel.”
Equal Employment Opportunity Commission v. Simply Storage Management, LLC, 270 F.R.D. 430 (S.D. Indiana 2010).
If counsel doesn’t cooperate
Court may allow opposing
counsel to access and review
information contained in social
networking accounts
Or …
Judge may step in and review
the information
Judge offered to
“friend” witnesses to
review photographs and
related comments in
camera.
– Barnes v. CUS Nashville, LLC, 2010 WL 2265668 (M.D.
Tenn. June 3, 2010).
Discoverability: Production
The Case for Cooperation
Challenges Posed by Social Media
(1.) Preservation
(2.) Collection
Challenge:
Preservation
All the discovery obligations apply,
including the duty to preserve
Problems…
» Changes very frequently
» Stored on third-party servers
» Security and privacy settings block access
» Few reliable technologies available for social media preservation
Challenge:
Preservation
LOL – My company is full of crooks
Issue litigation holds to third-party service
providers asap if litigation is anticipated so the
evidence might be preserved
How do you preserve social media that is stored in the
cloud by a third party service provider?
Danger!
Collection
Other than what might be located in
browser cache files, social media data
is retained by the social media service
provider (e.g., MySpace, Facebook,
Twitter, etc.)
» If you try to get it without the consent of
the owner (e.g. - found password?) your
actions may violate federal (and state)
wiretapping laws (“Title III” - 18 U.S.C.
§§ 2510-2522)
What to do
Collection
Capture publicly viewable information
» Investigators can freely search and extract information from an open, public page
» Capturing software is the preferred method for investigators to record a user’s internet activities
Enlist the help of an investigator or
service provider
Ethical Challenges:
Social Media
“False friending”
» New York State Bar Association; Formal Opinion 2010-2: A lawyer
may not attempt to gain access to a social networking website under false pretenses, either directly or through an agent
– Sept. 2010, Opinion 843: lawyer representing a client in pending
litigation may access public pages of another party’s social networking website to obtain possible impeachment material
» Philadelphia Bar Association Professional Guidance Committee –
Ethics Opinion No. 2009-02
– Opinion held that an attorney must disclose his true intentions when attempting to access social media, noting other ethical rules prohibit attorneys from engaging in dishonesty, fraud, deceit or
misrepresentation
Ethical Challenges:
Advertising via Social Media
Many states have requirements for lawyer advertising, most of
which are not Twitter, etc. friendly. e.g.,:
» Filing with a reviewing authority prior to publication;
» Labels such as “Attorney Advertising” at the beginning and end of each
message;
» Inclusion of disclaimer language; and
» Retention of copies of each advertisement.
Tennessee Board of Professional Responsibility: LinkedIn
Ethical Challenges:
Lawyers as Social Creatures
The Florida Bar reprimanded
and fined an attorney
$1,200 for violating ethics
rules:
Attorney wrote on
courthouse blog that the
judge was an “evil, unfair
witch” with an “ugly,
condescending attitude”
Ethical Challenges:
Lawyers as Social Creatures
Galveston, Texas. State court,
Judge Criss:
A lawyer asked for a
continuance due to her
father’s death.
Oops! The lawyer had earlier
posted a string of status
updates on Facebook,
detailing her week of drinking,
going out and partying.
Managing Social Media
Proprietary and Confidential
What to do?
Gartner advises against banning social media,
except in a very small percentage of cases where (1.)
faced with security risks or (2.) clear regulation.
» Social Media Governance: An Ounce of Prevention (December 17, 2010).
Financial Industry Regulatory Authority (FINRA)
issued Regulatory Notice 10-06 in January 2010
» Firms regulated by Rules 17a-3 and 17a-4 under Securities Exchange Act of 1934 must ensure they can retain social media communications as
Managing Social Media:
Best Practices
Organizations should:
» Control access
» Monitor usage
» Articulate clear policies
» Ensure understanding
» Update, disseminate and make information accessible
Onus is on organizations to set policies regarding
use in the workplace
Managing Social Media:
Usage Policies
Develop a social media policy that clearly
identifies what is and is not acceptable
No “one size fits all” approach
Policy reflects both corporate culture and law;
Must understand:
» Your company’s brand,
» Tolerance for dissent and risk,
» Relationship with workforce and
Possible policy elements include:
» Clear guidelines on proper social media use
» Consequences of non-compliance
» Employee training
» Specifics on what employees can and cannot divulge
Managing Social Media:
Usage Policies
Employee education and awareness are critical
» Best policies are useless if employees aren’t aware or don’t
understand them
» Translation to electronic space not always intuitive
Expect and plan for a crisis
» Identify a team and a plan before disaster strikes
Managing Social Media:
Parting Thoughts & Questions
Think!
Sorry, Grandma. If you
wouldn’t divulge something
in normal conversation to
your grandmother or boss,
don’t share it online.
Data never dies. In the
world of social media,
conversations live on
forever, so it’s especially
important to practice prudent
posting!
Brian Moroney
General Counsel and Chief
Compliance Officer
CRG
Social Media
Forms of electronic communications through
which users create online communities to share
information, ideas, personal messages and other
content.
Quora
YouTube
Glassdoor
www.colemanrg.com
Benefits of Social Media Policy
• Avoid legal pitfalls in hiring and employment
decisions;
• Limit the disclosure of confidential
information;
• Minimize reputational issues;
• Ensure compliance with the law; and
• Protect employees’ privacy
Social Media: Hiring Considerations
• Should you review social media when making hiring decisions?
– How:
• Password sharing
• Friending someone at the employer
• Login during the interview
• Issues:
– May come across information relating to an applicant’s protected status (e.g., race, age, sexual orientation).
– Illegal in some states: Maryland passed a law, which takes effect on October 12, 2012, to prohibit an employer from requesting or requiring an applicant or employee to “disclose any user name, password, or other means for accessing a personal account or service through” a computer or similar device. Md. S.B. 433 (2012).
• Hiring decision made without reliance on such information (but while in its possession) could be problematic.
• Tip: If you are going to review social media (including through requesting
passwords) before making hiring decisions, have an impartial third party gather and “scrub” any information relating to an applicant’s protected status.
Social Media Employee Monitoring
• Issues
– Advisable to monitor
• How to monitor: Publicly available information is easier to
monitor than password-protected information.
• Passwords. If you are going to ask for login information from
employees, do not pressure or use subterfuge. See Pietrylo v.
Hillstone Rest. Grp., No. 06-5754, 2008 U.S. Dist. LEXIS
108834 (D.N.J. July 24, 2008). Password protected site that
included only colleagues and no managers, complained
about work. Managers learned of site and requested a
password from an employee, who testified that she felt
pressured to provide the password. Company was found to
violate the Stored Communications Act (and a parallel state
statute).
Social Media Monitoring
• New York Labor Law §201-d
– Limits employers’ ability to terminate for certain off-duty
activities
• Political activities – courts have narrowly construed to essentially cover use of social media to run for office, advocate for a
candidate, or political fundraising only.
• Recreational activities – lawful, leisure time activities for which the employee receives no compensation and which is generally
engaged in for recreational purposes, including, but not limited to, sports, games, hobbies, exercise, reading and the viewing of
television, movies and similar material.
• NOTE: Any use of social media DURING WORK HOURS,
ON WORK PREMISES, OR ON WORK EQUIPMENT is
outside the scope of this statute.
Social Media Employee Monitoring
• If you know or have reason to know of risk or
potentially illegal behavior, you may have a
duty to act. See Doe v. XYC Corp., 887 A.2d
1156 (N.J. Super. 2005).
– Court found that company (i) had reason to
believe employee was using work computer to
store child pornography, (ii) did not react properly,
and held company responsible for the activities of
one of its employees.
Potential Legal Pitfalls
• State law issues (See, e.g., NY )
• NLRA
– Union activity, discussions of terms and conditions of employment.
• Whistleblower statutes
– Does the posting get protection from any relevant whistleblower statutes?
• Legal off-duty activities
– In some states, it is illegal to terminate someone for legal, off-duty activity.
• Political activities or affiliations
– Tends to be narrowly construed to running for office.
• Stored Communications Act
– Unauthorized access to email/social media
• References or recommendations (LinkedIn)
– Consider prohibition or having an approval process
Marketing Through Social Media
• Federal Trade Commission: Section 5 of the FTC Act
requires disclosure of a material connection between an
advertiser and endorser when the relationship is not
apparent to consumers, which includes bloggers and other
social media. 16 C.F.R. § 255 (2009).
• Earlier this month, the FTC fined Spokeo $800,000, in part,
due to fake endorsements. The FTC alleged that Spokeo
employees posed as customers of Spokeo and posted
reviews of the service. U.S. v. Spokeo Inc., Case No.
cv12-05001 (C.D. Cal. 2012).
Guidelines:
– Adopt guidelines that comply with the law;
– Train employees appropriately; and
– Monitor their adherence to the policy.
Model Social Media Policy
Introduction
This social media policy applies to social networking sites, personal web pages, personal space provided by Internet providers and Internet presence (such as LinkedIn©, Facebook©, Twitter© and MySpace©) which make available personal views to the public or facilitate conversations over the Internet. This includes platforms such as YouTube ©, Flickr™, blogs and wikis.
The Company reserves the right to monitor compliance with this policy and its online reputation and take disciplinary action, including termination of employment, for violations of this policy.
As always, the use of common sense is the easiest way to ensure compliance with this policy.
Professional Use of Social Media
For any such websites that are used for professional purposes, you must maintain a separate professional profile for these purposes. This professional profile should include only professional information, such as the Company as your employer and your education information.
Use of your Company email address is use of the Company’s information system. Therefore, personal posts on external social media must be generated from a personal email account. This means, for example, you must not use your Company email address for your personal Facebook© profile. However, you may use your Company email address for a site associated with your official job responsibilities (e.g., a site associated with a professional/industry association or on sites where you have a separate, professional profile as discussed above).
Model Social Media Policy
Be Aware of Your Legal Obligations
When engaging in social media, you are expected to respect and adhere to all applicable laws and regulations, including those concerning financial reporting, insider trading, antitrust, copyright, anti-bribery and data protection.
Do not reveal any confidential or material non-public information, including, but not limited to, client names, project interests, contract terms, or sales figures.
Non-Disparagement
Avoid using these sites to make defamatory comments about, or to bring disrepute to, the Company, its employees, or clients. Remember that you are speaking publicly when you are posting on social media, and anything that brings damage to the Company or its reputation will ultimately be your responsibility. If you are unsure about a particular circumstance, please discuss with your manager or senior management before posting the comments.
With respect to any personal profiles or postings, if you make reference to your employment at the Company, please be certain to include a disclaimer that “the views contained in these web pages are my personal views and do not
represent the views of Coleman Research Group.” In addition, if you reference the Company in any social media, you must disclose that you work for the Company before you make any such reference.
EMPLOYEE SIGNATURE DATE
Online Resources
• www.acc.com – interesting articles and discussions
• Social Media Governance has a database of
social media policies. Available at:
http://socialmediagovernance.com/policies.php