Panorama of legal issues concerning IT forensic investigations

A panorama of legal issues concerning IT forensic investigations. ACFE Annual Meeting | Brussels | 5 February 2014. Johan Vandendriessche, Partner (crosslaw) | www.crosslaw.be


A high level overview of legal issues in relation to IT forensic investigations, focusing on corporate espionage as a red line.

Transcript of Panorama of legal issues concerning IT forensic investigations

Page 1: Panorama of legal issues concerning IT forensic investigations

A panorama of legal issues concerning IT forensic investigations

ACFE Annual Meeting | Brussels | 5 February 2014

Johan Vandendriessche
Partner (crosslaw) | www.crosslaw.be

Page 2: Panorama of legal issues concerning IT forensic investigations

GENERAL


Page 3: Panorama of legal issues concerning IT forensic investigations

Fraud – prevention, detection and investigation

Fraud

• Deliberately practiced deception to obtain or secure an unlawful gain
• Civil wrong (“tortious liability” or “contractual liability”)
• Criminal offence
• Fraud takes many forms
• ‘Unlawful gain’ can be very varied

Fraud prevention

• Technical and organizational measures
  • Security measures
  • Policies
  • Contractual arrangements

Page 4: Panorama of legal issues concerning IT forensic investigations

Fraud – prevention, detection and investigation

Fraud detection

• Organized detection
  • Technical measures (e.g. camera surveillance, data mining, …)
  • Organizational measures
• Incidental detection

Fraud investigation

• Informal private hearing
• Private detective
• IT forensic investigation
• Criminal investigation

Page 5: Panorama of legal issues concerning IT forensic investigations

Data Protection

Limitations in relation to the processing of personal data

• Personal data: “any information in relation to an identified or identifiable physical person […]”
• Very broad legal interpretation of the concept of personal data
• Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Processing: “any operation or set of operations which is performed upon personal data […]”

Page 6: Panorama of legal issues concerning IT forensic investigations

Data Protection

Processing of personal data is prohibited, unless allowed by the Data Protection Law

The data processing must comply with specific principles

• Proportionality
• Purpose limitation
• Limited in time
• (Individual and collective) Transparency
• Data quality
• Data security
• (Individual and collective) Enforcement measures

Page 7: Panorama of legal issues concerning IT forensic investigations

Data Protection

Specific issues in relation to fraud prevention and detection

• Employee surveillance
  • Electronic Communication (CBA No. 81)
  • Workplace Camera Surveillance (CBA No. 68)
• Camera Surveillance (security cameras)
• Whistle blowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometrical data (e.g. identification and access restrictions)
• Screening / background checks (e.g. “certificate of good behaviour”)
• Archiving
• Data mining

Impact on evidence value in case of investigations

Page 8: Panorama of legal issues concerning IT forensic investigations

PRACTICAL APPROACH


Page 9: Panorama of legal issues concerning IT forensic investigations

An example

Corporate espionage

• Internal vs external
  • Employee
  • Self-employed
  • Third party
• Purpose
  • Competing activity
  • Other
• Object
  • Corporate know-how and IP
  • Client list / supplier list
  • Confidential information

Page 10: Panorama of legal issues concerning IT forensic investigations

An example

Infringer

• Employee / Consultant

Nature of the wrong

• Civil / contractual

• Criminal

Equipment

• Laptop owned by employer/client

• Laptop owned by employee/consultant


Page 11: Panorama of legal issues concerning IT forensic investigations

Strategy

Options

• Internal investigation
  • Forensic IT investigation on IT equipment
• External investigation
  • Criminal complaint (?)
  • Court proceedings
    • Sequestration (“sekwester” / “séquestre”)
    • Private search (“beslag inzake namaak” / “saisie en contrefaçon”)
    • Court order to provide evidence
• Define actions (forensic or otherwise)

Page 12: Panorama of legal issues concerning IT forensic investigations

LEGAL ISSUES


Page 13: Panorama of legal issues concerning IT forensic investigations

Overview

Forensic IT investigation

• Capacity of the investigator
• Access to the IT equipment
  • Company owned
  • Third party owned
• Access to the data contained therein
  • Privacy issues

Page 14: Panorama of legal issues concerning IT forensic investigations

Cybercrime

Criminal acts posing a threat against the confidentiality, the integrity and the availability of IT systems and data

• Hacking
• Computer sabotage

Investigation powers

• (Network search)
• (IT system and data seizure)
• Cooperation duty of IT experts

Page 15: Panorama of legal issues concerning IT forensic investigations

Hacking

Hacking: “the unauthorized intrusion in or maintenance of access to an IT system” (article 550bis Criminal Code)

• Internal hacking
  • Person with access rights who exceeds those rights
  • With a fraudulent purpose or with the purpose to cause damage
• External hacking
  • Person without access rights
  • Knowingly

There is no requirement of a breach of security measures

Organizing hacking or using data that was obtained through hacking are also criminal offences

Page 16: Panorama of legal issues concerning IT forensic investigations

Hacking

Sanction (also applicable in case of attempt to hack)

• Internal hacking
  • Fines: 26 to 25.000 EUR (x6); and/or
  • Prison sentence: 3 months up to 1 year (doubled in case of intent to defraud)
• External hacking
  • Fines: 26 to 25.000 EUR (x6); and/or
  • Prison sentence: 6 months up to 2 years

Criminal sanctions are increased in case of:

• Copying any data on the IT system
• Use of the IT system or use thereof to hack another IT system
• Damage to the IT system or its data or any third-party IT system or data

Page 17: Panorama of legal issues concerning IT forensic investigations

Computer sabotage

Computer sabotage: “the direct or indirect insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system” (article 550ter Criminal Code)

• Virus, worm, or any other malicious code
• Unauthorized time-locks or other blocking mechanisms

Developing, distributing or commercializing malicious code or tools to commit computer sabotage is a criminal offence

Page 18: Panorama of legal issues concerning IT forensic investigations

Computer sabotage

Sanction (also applicable in case of attempted sabotage):

• Fine: 26 to 25.000 EUR (x6); and/or
• Prison sentence: 6 months up to 3 years (increased in case of fraudulent intent or intention to cause damage)

Criminal sanctions are increased in case of:

• Causing damage to data in any IT system as a result of computer sabotage
• Interfering with the proper functioning of any IT system as a result of computer sabotage

Sanctions are doubled in some cases of cybercrime recidivism

Page 19: Panorama of legal issues concerning IT forensic investigations

Privacy

What is privacy?

Various sources

• European Convention on Human Rights
• Treaty on the Functioning of the European Union (TFEU)
• National (constitutional) legislation

The principle of privacy at work has been confirmed by the ECHR and the Article 29 Working Party

Page 20: Panorama of legal issues concerning IT forensic investigations

Secrecy of letters

Secrecy of letters

• Article 29 of the Belgian Constitution

Drafts of outgoing letters

Copies of incoming letters

Interception of incoming letters

• Address
• Mentions

Electronic documents

• Not applicable

Page 21: Panorama of legal issues concerning IT forensic investigations

Secrecy of electronic communication

Electronic communication is protected

• Interception of electronic communication
  • Art. 314bis of the Criminal Code
• Access to electronic communication
  • Art. 124-125 of the Act of 13 June 2005

Specific problem for investigation of e-mail and IM

Page 22: Panorama of legal issues concerning IT forensic investigations

Secrecy of electronic communication

General interdiction to:

• Consult any electronic communication
• Identify participants to such electronic communication
• Process in any manner such electronic communication

UNLESS consent is obtained from all participants

Specific exceptions exist (only business relevant exceptions are mentioned):

• If allowed or imposed by law
• With the sole purpose of ensuring the proper functioning of the network or the proper performance of the communication service
• For offering a service that consists of preventing the receipt of unsolicited electronic communication, provided consent has been obtained from the recipient

No distinction is made between private and professional communication!

Page 23: Panorama of legal issues concerning IT forensic investigations

Secrecy of electronic communication

Monitoring of any form of electronic communication

• Use of e-mail
• Use of Internet

CBA No. 81 allows a limited degree of monitoring

• Surveillance is possible for limited purposes
  • The prevention of illegal acts, slander and violation of decency
  • The protection of the economic, trade and financial interests of the company
  • The protection of the security and proper functioning of the company’s IT system
  • Compliance with company policies in relation to online technologies
• Procedural requirements
  • Collective information
  • Individual information
• Sanctions?

Page 24: Panorama of legal issues concerning IT forensic investigations

EVIDENCE LAW


Page 25: Panorama of legal issues concerning IT forensic investigations

Evidence Law

• Admissible
  • Type of evidence (‘matters of fact’ vs ‘legal acts’)
  • Lawful
    • Illegal evidence
    • Illegally obtained evidence
• Probatory value (‘credibility’)
  • Weight carried by the submitted evidence
  • Influenced by the reliability
    • Gathering process of digital evidence
    • Inherent reliability (?)

Page 26: Panorama of legal issues concerning IT forensic investigations

Evidence Law

“Antigoon” case law

• Illegally obtained evidence
• Evidence is no longer automatically discarded

Evidence is retained, except:

• Nullity is the legally imposed sanction
• Unfair trial
• Impact on reliability

Small note: “Antigoon” case law is relatively new and still evolving

Page 27: Panorama of legal issues concerning IT forensic investigations

Evidence law: lessons learnt

Problems with electronic evidence

• Rules of evidence strongly favour “paper evidence”
• Courts may be reluctant in the face of new technologies
• Case law usually dismisses electronic evidence at the slightest indication of the possibility of fraud / tampered evidence

General rules

• Ensure the accountability and integrity of any electronic evidence at all times
• Implement procedures and policies / provide evidence that these policies are regularly verified or audited

Page 28: Panorama of legal issues concerning IT forensic investigations

Evidence Law: lessons learnt

Practical approach in Belgium

• Ensure that the evidence collection is organized in a manner guaranteeing evidence integrity
  • Assistance of a court appointed expert (feasible?)
  • Assistance of a bailiff
  • Assistance of a unilaterally appointed expert
  • Assistance of the Belgian Federal Computer Crime Unit (FCCU)
• Ensure that the evidence is stored in a secure manner

Court proceedings are likely to include a court expertise
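The "guarantee evidence integrity" and "provide evidence that procedures are verified" points of the last two pages, as an added Python example (not from the presentation): a hash-chained chain-of-custody log in which every entry binds the SHA-256 of the evidence image and the hash of the previous entry, so that a later verification exposes an altered image, an altered log entry, or a removed or reordered entry. The evidence bytes, actor names and action labels are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # predecessor hash used by the first (acquisition) entry

# Constructed sample "evidence": stands in for a disk image or mailbox export.
EVIDENCE = b"constructed sample evidence image bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so any party can recompute the hash.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def record_custody_event(log: list, evidence: bytes, actor: str, action: str) -> dict:
    """Append an event; each entry binds the current evidence hash and the previous entry."""
    entry = {
        "action": action,  # e.g. "acquired", "sealed", "handed over", "analysed"
        "actor": actor,
        "time": datetime.now(timezone.utc).isoformat(),
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_custody(log: list, evidence: bytes) -> list:
    """Return the problems found; an empty list means evidence and log are consistent."""
    problems = []
    current = sha256_hex(evidence)
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry_hash(entry) != entry["entry_sha256"]:
            problems.append(f"entry {i}: log entry altered")
        if entry["prev_entry_sha256"] != prev:
            problems.append(f"entry {i}: chain broken (entry removed or reordered)")
        if entry["evidence_sha256"] != current:
            problems.append(f"entry {i}: evidence hash differs from current image")
        prev = entry["entry_sha256"]
    return problems
```

In practice the acquisition hash would also be recorded independently (for instance in a bailiff's or expert's report) so that the log itself cannot simply be regenerated from a modified image.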

Page 29: Panorama of legal issues concerning IT forensic investigations

QUESTIONS?

Thank you for your attention.
