This forensic readiness plan is written in response to a recent incident regarding a former employee, Mr. Keith Jackson, who is suspected of intellectual property (IP) theft from Allied Technology Systems (ATS). Mr. Devin Roberts, Human Resources Director for ATS has informed that during his exit interview, Mr. Jackson made a comment to the effect of “it is okay because I have a new job already and they were VERY happy to have me come from ATS, with ALL I have to offer.” Because of this comment, Mr. Roberts has suspicion that Mr. Jackson will be taking ATS IP with him to his new employer, who is believed to be a competitor to ATS. Before his termination, Mr. Jackson was involved in the “Project X” development, which means that he had ready access to “Project X” source code. ATS is relying on “Project X”, and is counting on its success to generate revenue in excess of several million dollars over the next several years.
While there is no clear and convincing evidence at this time of any crime, Mr. Roberts has advised that ATS wants to retain the option to refer the investigation to law enforcement in the future. With this in mind, ATS would be well-served to implement a “forensic readiness” plan for this alleged theft, and any other data breaches in the future.
1. Prior to any incident happening, it is important for any company to implement a “forensic readiness” plan. Discuss the benefits of a forensic readiness plan and name what you believe are the top three (3) requirements to establish forensic readiness within a private sector business like Allied Technology Systems. Support your answers. (Please note that while cyber security and digital forensics have overlaps in incident response preparation, please limit your answers here to forensic readiness in the digital forensic arena, not cyber security.)
In a paper by Mr. Robert Rowlingson, he lays out that a sound forensic readiness plan offers several benefits to any organization. Namely, benefits include due-dilligence, crime deterrence, cost reductions via systematic and structured methods to obtaining and storing evidence, sound corporate governance of information assets, and demonstrating sound regulatory compliance (Rowlingson, 2004). Further, by implementing a sound forensic readiness plan, interactions with law enforcement, including sharing of evidence will be greatly enhanced (Rowlingson, 2004). Finally, one more benefit of this sort of plan is that it supports enforcement of employee acceptable use policies, and provides suitable sanctions in the event this and other policies are violated (Rowlingson, 2004).
In standing up a forensics readiness plan, the top three issues to be addressed are, but not limited to:
(1) Define scenarios that require digital evidence retention;
(2) Train employees in incident awareness; and
(3) Secure storage and handling of potential evidence (Rowlingson, 2004).
For issue (1), a risk assessment of ATS must be performed. This risk assessment will establish how and where digital evidence collection must be performed. Examples where digital evidence can be found are computer hard drives, CD-ROMs, mobile phones, to name a few (“Digital Evidence and Forensics,” 2016).
Issue (2) is especially critical, as it lays out rules and expectations for employees of ATS as they relate to digital evidence, and the punitive measures taken when violation of company policies occur. Additionally, employees must understand the roles they play before, during and after an incident, as these employees may play a part in obtaining evidence for investigations (Sule, 2004).
Finally, issue (3) is critical, as without properly obtained and retained evidence, a case may be dismissed due to legally insufficient evidence. Because digital evidence is relatively easy to erase through various means, ensuring a suitable backup medium and written retention policy is essential to proper long-term preservation. Additionally, by establishing a chain of custody, records can be kept, which aids law enforcement and courts in ensuring that evidence was not tampered with, and can be relied upon to support charges (Ceresini, 2001).
2. Mr. Roberts, out of concern for the theft/sharing of the “Product X” source code, is requesting that you, your supervisor, or Mr. Dewberry start searching the areas in which Mr. Jackson had access within the building. Can you or Mr. Dewberry search Jackson’s assigned locker in the Company’s on-site gym for digital evidence? Support your answer.
In the U.S. Constitution, the Fourth Amendment lays out that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the person or things to be seized” (“U.S. Constitution Article IV, § 1,” n.d.). Despite the protections afforded by the U.S. Constitution, because ATS is a privately-held company and does not perform substantial work with the U.S. Government (Sack, 2013), then yes, a search of Mr. Jackson’s company-owned locker is permissible.
It should be noted that the Fourth Amendment protects a citizen from Government-originated searches (Sack, 2013), but it is still advisable to consult with local and state authorities, as the law shifts, and what was precedent in the past may no longer be the case (Sack, 2013). Further, because ATS owned the locker in which Mr. Jackson used for his personal belongings, there cannot be a reasonable expectation of privacy (Sack, 2013). Therefore, ATS is entitled to search with no warrant or probable cause needed (Sack, 2013). It should be noted however, that establishing an employee policy regarding searches is strongly advised, as the opposite helps to support a right to privacy claim in court. If no employer policies on expectations of privacy are established, then an employee can present a defensible argument that absent any policy, assumption of privacy was assumed (Sack, 2013).
3. Can you or Mr. Dewberry use a master key to search Jackson’s locked desk for digital evidence, after Keith Jackson has left the premises? Support your answer.
In certain situations, yes (Johnson, n.d.). If a company is privately-held, then the employer has a right to search locked areas (Johnson, n.d.). In this situation, because Mr. Jackson is suspected of stealing IP, specifically “Project X” source code from ATS, then justification can be made, in addition to private employer privilege in this regard. However, this desk search assumes that ATS has a workplace policy that defines expectations of privacy at the workplace (Johnson, n.d.). Further, ATS needs to recognize that while Fourth Amendment protections don’t apply, that certain states do in fact, have laws regarding expectations of privacy in the workplace, and that is recommended ATS be advised of these precautions intended, as to avoid liability, should a civil suit arise (Johnson, n.d.).
It should also be stated that there is a distinction between public and private employers, in that public employers do fall under Fourth Amendment compliance, and that reasonable suspicion must be first established in order to perform a similar locked drawer search (Johnson, n.d.). However, in both public and private employer scenarios, it is prudent to search locked drawers only if a reasonable suspicion of a crime is/has taken place (Johnson, n.d.).
4. The police have not been called or involved yet, however, Mr. Roberts asks how involving the police will change your incident response. Describe how you will respond to Mr. Roberts concerning how the parameters of search and seizure will change by involving the police in the investigation at this time. Support your answer.
Involving the police places additional complications on top of the search and investigatory processes particularly because the police would require a search warrant in order to perform a lawful search (“Search and Seizure,” n.d.). Additionally, by involving police before all evidence is gathered, ATS loses jurisdiction over itself, handing investigation control over to law enforcement. While not necessarily a bad issue per se, adding the additional overhead (e.g. police involvement) may affect ATS’s ability to gather evidence, as it must be assumed some evidence may go missing courtesy of the time delay in the police obtaining warrants, conducting searches, etc.,
To further complicate matters, police, both federal and state, must abide, in whole or in part, the Fourth Amendment (“Search and Seizure,” n.d.). As a result, law enforcement may be hesitant, or outright refuse to search Mr. Jackson’s locked desk drawer and locker on assumption, instead relying on plain-view evidence gathering. This complicates matters, because a warrant must explicitly state what is suspected, and what evidence is expected to be gathered (“Search and Seizure,” n.d.). Further, the willingness of law enforcement to prosecute Mr. Jackson on a crime depends heavily on their willingness to prosecute, and whether Mr. Jackson demonstrated intent to commit a crime (Rowlingson, 2004). Finally, due to heavy caseloads in many jurisdictions, prosecution of Mr. Jackson may also be delayed or set aside, barring mission priorities and manpower limitations of the prosecuting agency (Rowlingson, 2004).
5. There is a page in the Company’s “Employee Handbook” that states that anything brought onto the Company’s property, including the employees themselves, are subject to random search for items belonging to Allied Technology Systems. There is a space for the employee to acknowledge receipt of this notice. Mr. Jackson has a copy of the handbook but never signed the receipt page. Does that matter? Explain.
While it is convenient to have, a new employee sign an acknowledgement stating that they have read and understand the contents of the employee handbook, most courts have affirmed that a valid contract must only be agreed upon by both parties. The manner in which agreement is made does not necessarily have to be a signed confirmation from the recipient (“An unsigned contract can still be legally binding,” 2003). In fact, courts have upheld verbal acknowledgements, or even something as simple as a receipt showing the price of merchandise (“An unsigned contract can still be legally binding,” 2003).
Of relevance to this discussion: In the case (Schnider v. Carlisle Corporation, 2001), the Tennessee Court of Appeals found that an unsigned contract between a restaurant and a Chef for a three-year employment was still legally binding upon the restaurant. Further, because both parties were complying with the contract, despite no signatures being taken down, the court found sufficient performance of the agreement and ruled in favor of the plaintiff.
6. Allied Technology Systems uses a security checkpoint at the entrance to the building. A sign adjacent to the checkpoint states that the purpose of the checkpoint is for security staff to check for weapons or other materials that may be detrimental to the working environment and employee safety. Screening is casual and usually consists of verification of an employee’s Company ID card. Can security staff at this checkpoint be directed to open Mr. Jackson’s briefcase and seize any potential digital evidence? Support your answer.
It could be argued in court that a search of Mr. Jackson’s briefcase could be in accordance with company policy in that, in his exit interview, his comments suggested that he intended to harm the working environment of ATS. Namely, his theft of “Project X” IP would serve to degrade ATS’s ability to provide a safe and secure environment by losing out on the revenue that “Project X” is expected to bring in the future. The lack of expected funding could severely degrade ATS’s ability to continue infrastructure, health and comfort, and security maintenance/upgrades. Regardless of the legal spin, Mr. Jackson’s comments indicated his intent to harm ATS. As such, it is not unreasonable, nor unlawful to ask the security checkpoint to perform a search of Mr. Jackson’s briefcase.
As stated in a previous response, ATS, as a private company, is not held to Fourth Amendment standards. Therefore, assuming that employees understand that personal property searches can be conducted, ATS is within its legal right to search Mr. Jackson’s briefcase if it believes a theft of company property has occurred (“Workplace Searches,” n.d.). ATS’s scope is limited however, it the confines of the legal place of business (“Workplace Searches,” n.d.). For example, ATS cannot go to Mr. Jackson’s house and perform a search, it would need to notify law enforcement and obtain a search warrant in this situation (“Workplace Searches,” n.d.).
7. You know that it is important to document the details of your investigation if the company wants to insure admissibility of any evidence collected in the future. However, Mr. Roberts has never heard of the term “chain of custody.” How would you explain to Mr. Roberts what the chain of custody means, why it is important, and what could occur if the chain of custody is not documented. Support your answer.
The chain of custody is a critical part of evidentiary rules in criminal courts. Essentially, the chain of custody is a term of art given to the process of evidence collection, retention, and verifiable logs of who had the evidence at what stage (Tan, 2001). While the chain of custody is critical at all points of the lifecycle, this process must be adhered to from the very beginning, as something as simple as someone outside the authorized chain personnel picking up, or otherwise tampering with a piece of evidence could cast doubt on its validity (Stone, 2015). A defense attorney can then use this compromised chain to derail the evidence, and possibly cause the case to fail in court (Stone, 2015).
Additionally, the custodians of the evidence must ensure the evidence passing through the chain is preserved, and that a detailed log of names, signatures, dates, and other relevant information be kept, as this must also be passed as discovery to the defense for their scrutiny (Stone, 2015). The court will also ask for the chain of custody log in order to validate the evidence as admissible. It is up to the judge to determine if the evidence is valid; the prosecutor does not have a say in this regard (Bergman, n.d.).
An unsigned contract can still be legally binding. (2003, November 1). Retrieved October 16, 2017, from https://www.businessmanagementdaily.com/1369/an-unsigned-contract-can-still-be-legally-binding
Bergman, P. (n.d.). “Chain of Custody” for Evidence. Retrieved October 16, 2017, from https://www.nolo.com/legal-encyclopedia/what-chain-custody.html
Digital Evidence and Forensics. (2016, April 14). Retrieved October 16, 2017, from http://www.nij.gov:80/topics/forensics/evidence/digital/Pages/welcome.aspx
Johnson, S. C. (n.d.). Does an employer have a right to search an employee’s locker or desk? | FAQs | Tools | XpertHR.com. Retrieved October 16, 2017, from http://www.xperthr.com/faq/does-an-employer-have-a-right-to-search-an-employees-locker-or-desk/6902/
Rowlingson, R. (2004). A Ten Step Process for Forensic Readiness. International Journal of Digital Evidence, 2(3). Retrieved from https://www.utica.edu/academic/institutes/ecii/publications/articles/A0B13342-B4E0-1F6A-156F501C49CF5F51.pdf
Sack, S. (2013, September 16). The Limits to an Employer’s Search. Retrieved October 16, 2017, from http://theemployeeslawyer.com/blog/2013/09/the-limits-to-an-employers-search/
Schnider v. Carlisle Corporation, No. W2000–01695–COA–R3–CV (Court of Appeals of Tennessee, Western Section, at Jackson April 19, 2001). Retrieved from http://caselaw.findlaw.com/tn-court-of-appeals/1257505.html
Search and Seizure. (n.d.). Retrieved October 16, 2017, from http://legal-dictionary.thefreedictionary.com/Search+and+Seizure
Stone, A. (2015, September 17). Chain of Custody: How to Ensure Digital Evidence Stands Up In Court. Retrieved October 17, 2017, from https://www.govtechworks.com/chain-of-custody-how-to-ensure-digital-evidence-stands-up-in-court/
Sule, D. (2004). Importance of Forensic Readiness. Retrieved from https://www.isaca.org/Journal/archives/2014/Volume-1/Pages/JOnline-Importance-of-Forensic-Readiness.aspx
Tan, J. (2001). Forensic Readiness. OSIRIS Lab. Retrieved from https://isis.poly.edu/kulesh/forensics/forensic_readiness.pdf
U.S. Constitution Article IV, § 1. (n.d.).
Workplace Searches. (n.d.). Retrieved October 16, 2017, from https://www.workplacefairness.org/workplace-searches
Cite This Work
To export a reference to this article please select a referencing stye below:
Related ServicesView all
Related ContentAll Tags
Content relating to: "Criminal Law"
Criminal law is the body of law that covers offences that are criminal such as murder, manslaughter, assaults, fraud, theft, and criminal damage. Most criminal law is enacted by a legislature.
Legal Aspects of Stalking and Cyberstalking in the Maltese Criminal Code
This research starts with a thorough assessment of parliamentary debates in Malta which took place prior to the introduction of the relevant provisions in the Criminal Code criminalising the conduct of harassment and stalking respectively....
Representation of Hope: Content Media Analysis of the Hope Solo Domestic Violence Case
The purpose of this article is to explore how media content represents Hope Solo throughout her domestic violence case....
DMCA / Removal Request
If you are the original writer of this dissertation and no longer wish to have your work published on the UKDiss.com website then please: