Organisations need a digital evidence plan
Report by security industry body highlights importance of computer evidence
Businesses could lose legal disputes and miss out on insurance claims because of their inability to collect and preserve computer and internet-based evidence, experts have warned.
While firms are investing heavily in disaster recovery plans for low-probability events such as fire or terrorism, many are failing to identify and preserve important digital evidence required to tackle more frequent incidents, such as payment disputes, employment tribunals and fraud.
Unless companies put procedures in place to handle potential digital evidence contained in emails, web transactions, computers and mobile devices, they could lose legal action and risk downtime when investigation teams seize systems as evidence, says security industry body the Information Assurance Advisory Council (IAAC).
The Directors and Corporate Advisors’ Guide to Digital Investigations and Evidence, published by the IAAC this week, also warns that businesses are ill-prepared to provide digital evidence to prove regulatory compliance or employee misbehaviour, and to defend themselves against possible corporate prosecutions.
‘It’s frankly astonishing that businesses are not doing this. It’s no different to having a security policy. Businesses look at tackling spectacular events, such as floods, hacking or the effects of terrorism, but fail to focus on the importance of digital evidence for events that happen all the time, such as bullying or sexual harassment,’ said Peter Sommer, senior research fellow at the London School of Economics and author of the report.
‘Most businesses and individuals don’t need to have on their staff a digital Sherlock Holmes, but they should have plans to identify and preserve important digital evidence such as email, web transactions, PCs, PDAs and mobile phones. They also need to understand some of the associated legal problems, such as admissibility and privacy.’
Detective chief inspector Charlie McMurdie, head of the Metropolitan Police Computer Crime Unit, says businesses could incur greater financial costs if they are not proactive.
‘Companies rely on computers to conduct their business, but many don’t give any thought to potential pitfalls, such as computer crime or how to document guidance or policy,’ she said.
‘Many don’t have any sort of investigative methods and end up having to outsource computer forensics after an event, which can be a costly minefield in itself.’
Poor preparation in the early stages of an investigation involving digital evidence can lead to failures in prosecution, as information can be ignored, destroyed or compromised, says the report.
IT directors also need to overcome the perception that computer forensics, the science of collecting digital evidence, is the preserve of ‘techies’. The use of technology is an everyday occurrence in business, and being able to keep and recall digital information should be no different to relocating and proving the integrity of paper files, says Sommer.
‘There have been many situations where companies have been asked to produce evidence for investigations but it had been lost. It’s a problem that comes up again and again,’ he said. ‘Lawyers are asking much tougher questions when it comes to digital evidence in court, and unless businesses are prepared they are going to be embarrassed.’
The report suggests that businesses analyse potential risks, to gauge what are likely to be the most frequent and threatening events. Building up a profile of potential incidents involving retrieval of digital evidence can help a company to link business continuity and IT security plans.
‘Assuming companies already have security and contingency plans in place, the additional cost to do this should be quite small, and in relation to the benefits it’s really quite tiny,’ said Sommer.
By building an understanding of risks, firms can also allocate resources and put procedures in place to ensure that digital evidence is not lost or compromised in any way, says the report.
‘If you moved into a new building you would think about physical security from the outset,’ said McMurdie.
‘But often, businesses overlook issues of IT security, prevention and evidential preservation.’
The need for computer forensics
Digital investigations are important when tackling attention-grabbing incidents, such as hacking or denial of service attacks.
But everyday occurrences handled by human resources or legal departments could also benefit from digital evidence procedures. Potential investigations include:
* Fraud by employees or third parties; contractual disputes and allegations of breaches in duty of care
* Email and internet abuse; online defamation; employee disputes and sexual harassment cases
* Theft of confidential information, data theft and industrial espionage; theft of intellectual property and software piracy
* Unauthorised access by employees and outsiders
* Failure of computer systems for which an organisation wishes to sue a supplier for breach of contract
* Failure of an organisation’s computer systems that causes damage to third parties, giving rise to legal claims for breach of contract or negligence
* Extortion attempts, whether based on physical threats or logical attacks such as distributed denial of service
* Insurance claims arising from all of the above
Source: IAAC