CCSK

Course
New
Time
9 hours 29 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Transcription

00:03
in this video, we're gonna finish off our discussion of domain three and talk about Elektronik. Discovery
00:09
in particular, will cover the basics of discovery as well as electronic discovery, and then examine a real world case ripped from the headlines
00:20
discoveries. The compulsory ERI disclosure of relevant documents between opposing parties in litigation.
00:27
So it's time to go to court.
00:29
Both parties, the plaintiff and the defendant need to exchange certain materials. This is the official way to go about doing it.
00:38
If you personally or your company, it was ever active in litigation or reasonably foresee and anticipates litigations gonna happen. You don't want to destroy the materials. This is a very bad thing. In fact, when this happens, the jury will be instructed to assume that the destroyed evidence
00:57
contains the worst
00:58
possible information against you. The most damning information there. So it's not a good practice to do this, and it is very much illegal, and it can end up putting you in a very bad situation. Even worse. So then, if you had just
01:14
let the information remain handed it over in accordance with standard
01:18
process of discovery.
01:21
To that end, if you can obtain the information, you must provide the information just because your data is physically managed by 1/3 party, a cloud provider that doesn't remove it from scope of discovery. So when that information is requested, you are expected to provide it. And we're talking about electronic discovery
01:41
and here expected to provide it in standard formats
01:42
like a PdF or see SV or plain text file formats.
01:49
In the legal sense, authentic has a very special word. Data must be authentic to be admissible in court, so that means that it has to pass through a certain chain of custody.
02:00
And in the case that data cannot be authenticated. It can't be considered admissible evidence in the court of law.
02:08
So we've ever watched crime shows. They talk about the physical evidence that was collected at the scene of the crime, and there's certain procedures that need to take place to inventory the evidence at the scene of the crime, pass it through and into the evidence room, check it into the evidence locker of the police department. It's kind of similar in the Elektronik discovery sense,
02:29
but
02:29
cloud it does make an effect and an impact on that chain of custody. Take, for example, a cloud of provider may allow you to export certain data. Say AH, large scale data dump two CSB format. But there could be certain metadata that gets stripped as part of that process. For example, I p logging
02:49
not just who updated the record, but
02:51
what was the I P address that this individual was coming from? And that's important because that metadata that isn't get included in the standard export process that may be required to really validate that the data is indeed genuine and therefore admissible into a court of law. So again, your data in the cloud is subject to discovery,
03:09
and your contract should have
03:12
terms that require that the cloud provider themselves send you notice something that lets you know this third party has issued them discovery, and that gives you a moment to really ensure. Is this discovery valid? Don't forget. There's a lot of smart bad guys out there could currently have anti competitive behaviour,
03:30
and they're forging documents and sending it to cloud providers
03:34
so that they can get a copy and access to ah lot of key and important information for your company and really do some nasty things, so it's very important that the cloud provider give you that opportunity and send you that notice so these you can make sure this is legitimate. It's definitely not on the onus of the cloud provider themselves to ensure this is legitimate.
03:53
Let's talk about the United States Cloud Act
03:55
clarifying lawful overseas use of data. It was introduced in 2018 and in empowers US and foreign police to take certain actions against US based providers. Or, conversely, it requires that U. S base providers be very cooperative
04:14
with certain U. S. And foreign police,
04:16
and it minimizes the noticed and procedural requirements
04:20
four U. S. And foreign police to seize data from U. S based cloud providers. And when I say us based, I mean their headquarters are in the United States, but their data centers could be anywhere in the world. In fact, Microsoft, when toe to toe against the United States
04:39
starting in early 2013 the FBI had a warrant to access data
04:44
that was in one of Microsoft's data centers but resided in Ireland, which clearly outside the United States and Microsoft, said no. In fact, the whole procedure escalated to the Supreme Court in 2016 and then, while undergoing review during the Supreme Court, the CLOUD act was passed.
05:01
Ultimately, the FBI issued a new warrant under the Cloud Act.
05:05
And then the ongoing case between Microsoft in the United States about that 2013 warrant was dismissed because the new warrant compelled Microsoft to provide FBI with the information that they wanted to access located in that data center.
05:20
So earlier in this module, we talked about the effects of the cloud providers headquarter location and that has impacts on data privacy laws.
05:30
This is a great and clear example where the fact that you have a cloud provider in the US regardless of where the actual data is their location and their headquarters and it has an impact on how US based cloud providers sas past iess, what have you
05:46
have to cooperate with U. S. Authorities, regardless of which country the data centers are located? And regardless of
05:55
what kind of information they have about what citizens, from where in the world
05:59
the cloud lacked is probably not going to be on the sea csk exam. But I do think it is a great example toe look at and really understand and bring things full circle into a real world perspective. Why you want to take into account all these different things when you're evaluating not just the data privacy regulations applicable the U
06:17
but the cloud provider.
06:19
And what's that going to do in terms of your company and the risks it may set you up for? And in closing, we covered the basics of discovery. We talked about the nuances of electronic discovery. And then we examine the real world case of Microsoft versus the United States, and we took into account the more recently passed
06:39
Cloud Act,
06:40
which provides the U. S authorities with the ability to reach across international boundaries to seize data from U. S based cloud providers.

Up Next

CCSK

This course prepares you to take the CCSK exam certification by covering material included in the exam. It explains how the exam can be taken and how the certification process works.

Instructed By

Instructor Profile Image
James Leone
Cloud, IoT & DevSecOps at Abbott
Instructor