Electronic Discovery

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

9 hours 59 minutes
Video Transcription
in this video, we're gonna finish off our discussion of domain three and talk about Elektronik. Discovery
in particular, will cover the basics of discovery as well as electronic discovery, and then examine a real world case ripped from the headlines
discoveries. The compulsory ERI disclosure of relevant documents between opposing parties in litigation.
So it's time to go to court.
Both parties, the plaintiff and the defendant need to exchange certain materials. This is the official way to go about doing it.
If you personally or your company, it was ever active in litigation or reasonably foresee and anticipates litigations gonna happen. You don't want to destroy the materials. This is a very bad thing. In fact, when this happens, the jury will be instructed to assume that the destroyed evidence
contains the worst
possible information against you. The most damning information there. So it's not a good practice to do this, and it is very much illegal, and it can end up putting you in a very bad situation. Even worse. So then, if you had just
let the information remain handed it over in accordance with standard
process of discovery.
To that end, if you can obtain the information, you must provide the information just because your data is physically managed by 1/3 party, a cloud provider that doesn't remove it from scope of discovery. So when that information is requested, you are expected to provide it. And we're talking about electronic discovery
and here expected to provide it in standard formats
like a PdF or see SV or plain text file formats.
In the legal sense, authentic has a very special word. Data must be authentic to be admissible in court, so that means that it has to pass through a certain chain of custody.
And in the case that data cannot be authenticated. It can't be considered admissible evidence in the court of law.
So we've ever watched crime shows. They talk about the physical evidence that was collected at the scene of the crime, and there's certain procedures that need to take place to inventory the evidence at the scene of the crime, pass it through and into the evidence room, check it into the evidence locker of the police department. It's kind of similar in the Elektronik discovery sense,
cloud it does make an effect and an impact on that chain of custody. Take, for example, a cloud of provider may allow you to export certain data. Say AH, large scale data dump two CSB format. But there could be certain metadata that gets stripped as part of that process. For example, I p logging
not just who updated the record, but
what was the I P address that this individual was coming from? And that's important because that metadata that isn't get included in the standard export process that may be required to really validate that the data is indeed genuine and therefore admissible into a court of law. So again, your data in the cloud is subject to discovery,
and your contract should have
terms that require that the cloud provider themselves send you notice something that lets you know this third party has issued them discovery, and that gives you a moment to really ensure. Is this discovery valid? Don't forget. There's a lot of smart bad guys out there could currently have anti competitive behaviour,
and they're forging documents and sending it to cloud providers
so that they can get a copy and access to ah lot of key and important information for your company and really do some nasty things, so it's very important that the cloud provider give you that opportunity and send you that notice so these you can make sure this is legitimate. It's definitely not on the onus of the cloud provider themselves to ensure this is legitimate.
Let's talk about the United States Cloud Act
clarifying lawful overseas use of data. It was introduced in 2018 and in empowers US and foreign police to take certain actions against US based providers. Or, conversely, it requires that U. S base providers be very cooperative
with certain U. S. And foreign police,
and it minimizes the noticed and procedural requirements
four U. S. And foreign police to seize data from U. S based cloud providers. And when I say us based, I mean their headquarters are in the United States, but their data centers could be anywhere in the world. In fact, Microsoft, when toe to toe against the United States
starting in early 2013 the FBI had a warrant to access data
that was in one of Microsoft's data centers but resided in Ireland, which clearly outside the United States and Microsoft, said no. In fact, the whole procedure escalated to the Supreme Court in 2016 and then, while undergoing review during the Supreme Court, the CLOUD act was passed.
Ultimately, the FBI issued a new warrant under the Cloud Act.
And then the ongoing case between Microsoft in the United States about that 2013 warrant was dismissed because the new warrant compelled Microsoft to provide FBI with the information that they wanted to access located in that data center.
So earlier in this module, we talked about the effects of the cloud providers headquarter location and that has impacts on data privacy laws.
This is a great and clear example where the fact that you have a cloud provider in the US regardless of where the actual data is their location and their headquarters and it has an impact on how US based cloud providers sas past iess, what have you
have to cooperate with U. S. Authorities, regardless of which country the data centers are located? And regardless of
what kind of information they have about what citizens, from where in the world
the cloud lacked is probably not going to be on the sea csk exam. But I do think it is a great example toe look at and really understand and bring things full circle into a real world perspective. Why you want to take into account all these different things when you're evaluating not just the data privacy regulations applicable the U
but the cloud provider.
And what's that going to do in terms of your company and the risks it may set you up for? And in closing, we covered the basics of discovery. We talked about the nuances of electronic discovery. And then we examine the real world case of Microsoft versus the United States, and we took into account the more recently passed
Cloud Act,
which provides the U. S authorities with the ability to reach across international boundaries to seize data from U. S based cloud providers.
Up Next