Compliance in Data Forensic Investigations
Nowadays, as more and more work is done via electronic devices, employee misconduct is commonly carried out through instant messaging software, social media and emails. So long as the misconduct actually occurred, traces are left behind which may turn out to be crucial evidence for compliance investigations such as web-browsing history, chat records, document downloading and copying records. Therefore, data forensics has become one of the most important sources of evidence and may cause breakthroughs in compliance investigations. However, what compliance issues should an employer heed during the data forensics process? This article deals with this issue.
I. What is data forensic?
The subjects of data forensics include: computer data, mobile device data, and network data, which derives respectively from desktop/laptop computers, mobile phones, or internet devices such as modems and routers. Data forensics comprises of four steps: data evaluation, data acquisition, data analysis and report drafting. The detailed work for each step is illustrated in the diagram below:
Technically, data forensics are usually carried out via specialized data forensics tools; including hardware such as writing protection devices, imaging toolkits and software such as Encase, FTK, X-ways Forensics, and Forensics Master. Complete data can be acquired from electronic devices using the aforesaid tools, including local documents, web-browsing history, data copying or deleting records and so on.
Equally important, as digital data can be easily modified, employers shall take measures to fortify the authenticity of digital data, for example, notarize the data acquisition process or entrust judicial forensics institutions or facilities to acquire the data. Otherwise, even if an employer discovered crucial evidence from acquired data, the authenticity of such data may be challenged in litigation. If relevant evidence cannot be recognized by the court, the compliance investigation will be in vain.
II. Compliance issues arising from data forensics
What compliance risks should an employer be aware of other than fortifying the authenticity of digital data? For instance, if an employee stores personal data on his or her work computer, will the inspection of the computer data infringe upon the employee’s privacy rights? In addition, if an employee uses his or her personal computer for work, would it infringe upon the employee’s property rights and other rights involved? The following parts of this article discuss the issue through the analysis of two scenarios.
Scenario 1: Would an investigation of an employee’s work computer infringe upon privacy rights?
Case One: There have been complaints against D, an employee from Company A, that he spends a considerable amount of time browsing websites which are not work-related. Company A therefore launched a compliance investigation against D. For investigation purpose, Company A made a copy of all the data in D’s work computer, including personal photos and diaries without any notification to D in advance. The investigation result revealed that D spent working hours watching television series and browsing websites unrelated to work. Subsequently, Company A dismissed D for major breach of company rules. D sued Company A claiming Company A infringed upon his rights of privacy.
The court held that the computer which Company A inspected was work computer rather than personal computer; and that the company had property rights and management rights to work computers. In addition, data forensics process will unavoidably involve the copy and inspection of all the data on the work computer. The court also held that personal photos and diaries should not have been stored on a work computer. Consequently, the court ruled that Company A’s inspection of D’s work computer was within the scope of reasonable management measures of an employer, and did not violate D’s rights of privacy.
Case Two: Yao is a project manager from Company B. Yao was dismissed for embezzling a client payment to Company B. Nevertheless, before returning his work computer, Yao only copied and handed back to Company B part of the data on the hard-drive but deleted the rest. Company B then sued Yao, required the restoration of all computer data, and the return of client payment. Yao contradicted Company B’s claim stating the deleted contents contained private data, thus should not be restored.
The court held that, since Yao claimed that the hard-drive contained private data, and Company B could not determine the exact data to be restored, Company B’s claim cannot be supported.
In compliance investigations, an employer’s management rights are likely to clash with an employee’s privacy rights. Different reasoning can be concluded from the court’s ruling of the two cases above. In Case One, the court ruled in favor of the employer on the grounds of its management rights, stating that Company A has the right to review the data in the employee’s work computer. The employee’s claim that he has privacy rights over the privacy information stored in work computer was not supported. In Case Two, however, the court recognized the employee’s defense that his privacy rights should be protected, thus overruled the company’s claim to restore all the data in the work computer.
Moreover, as the protection of personal information and privacy strengthens, it is possible that courts may tend to emphasize the protection of an employee’s privacy rights and other relevant rights in their rulings. Consequently, even though the employer has justified reasons, such as management rights and “right to know”, before confiscating and reviewing an employee’s work computer during compliance investigations, precautions are to be taken to prevent infringement of an employee’s legal rights, such as rendering notices to employees and obtaining prior consent, or deleting and separating private information, to prevent the spread of private information.
Scenario 2: Can the employer retain an employee’s personal computer for compliance investigations?
Case Summary: Wang was the commercial assistant in Company B. Company B suspected Wang of embezzlement and dismissed him. Company B confiscated Wang’s laptop computer for further investigation. Wang sued Company B for illegal termination, demanded his laptop to be returned to him, and claimed compensation. To prove his claims, Wang submitted the laptop’s purchasing record to the court. Company B refused to return the laptop, arguing that Wang had been using his personal laptop computer for work, and there may be embezzlement evidence in the laptop which should be handed over to the police.
The court held that, since Company B confirmed that the laptop belonged to Wang, the laptop should be returned. The defense that the laptop should be kept by the company in case it should be handed over to the police was not justified.
An employee’s computer and mobile phone are all his or her personal property; an employer does not have the right to retain or inspect them without an employee’s consent. On one hand, retaining an employee’s laptop infringes upon an employee’s property rights; on the other hand, an employee’s personal laptop contains a great deal; of privacy information, the inspection of which will be violation of his or her privacy rights. In the above case, even if Company B suspected that Wang’s computer contained evidence for embezzlement, it did not have the right to detain or review his personal computer. Under these circumstances, the employer can consider turning to the police for assistance.
If an employer allows its employees to use a personal laptop for work, we suggest that the employer makes it clear in its company rules that work-related information stored in an employee’s personal computer is company property, and stipulate that: a) an employee is obligated to safeguard the confidentiality of work information stored in their personal computer; in the event of a virus or cyber-attacks, the employee shall instantly report the incident to the employer so that risk-prevention measures can be taken. b) when the employer demands the hand-over or the deletion of work information in an employee’s personal computer, the employee shall comply, especially during a compliance investigation; otherwise it would be deemed as the employee’s refusal to cooperate with the investigation, which is subject to discipline.
III. How to deal with compliance issues in data forensics
Based on the above cases, and on our past practice experience, it can be concluded that an employer is faced with two major risks when conducting data forensics: a. the digital data’s contamination during the forensics process, resulting in its deficiency as evidence; b. infringement of an employer’s legal rights, such as privacy rights and property rights, which may lead to disputes or even litigations. What measures can an employer take in its daily operations to prevent the above risks? The following are some advice for the reference of employers.
1. Risk control measures before the data forensics process
• With regard to hardware, we suggest providing employees with laptop computers for the convenience of work on the go. This is also an effective way to prevent an employee from frequently using personal laptops for work, thus storing large amount of work data on personal laptops, which makes misconduct more convenient and may bring difficulties to compliance investigations.
• As for information storage, an employer can stipulate in its employee handbook or IT policy that the work computer provided to employees by the employer can be used for work purposes only, and that storage of personal data is forbidden. Any personal data stored on a work computer by an employee are subject to the employer’s inspection, as it would be deemed that the employee has waived all personal information protection or privacy rights to the data.
• As for investigation compliance, an employer can provide clearly in its compliance investigation policy or procedures that an employee shall cooperate with the employer in the event of compliance inspections, including handing over his or her work computer for investigation or forensic purposes.
• With regard to privacy protection, if the employee points out that there is private information stored on the work computer, he or she shall be granted the opportunity to delete such information under the employer’s supervision.
2. Risk prevention during the forensics process
• While confiscating an employee’s work computer, in case the employee refuses to hand over the computer or insists on taking the work computer home, we suggest that the employer avoid physical conflict with the employee. If the employee ends up taking the work laptop home, the employer can consider reporting the case to the police for assistance.
• After an employer gets hold of an employee’s work computer, do not boot-up the computer, or perform any other operation on the computer, such as reading or writing. Instead, we suggest that the employer consign professional appraisal or inspection facilities to acquire and analyze the data to prevent contamination or other damage which may affect the data’s validity as evidence. Furthermore, the data being reviewed for data forensics shall be kept confidential, in case it contains an employee’s private information, and to prevent a privacy leak or infringement.
• We suggest the whole process of digital forensics is videotaped or recorded, to prevent disputes over the legality of the forensics process.
In conclusion, digital forensics is an effective tool for compliance investigations. However, if misused, it may bring disputes instead of investigation breakthroughs. An employer needs to take necessary measures to protect employees’ legal rights, such as privacy rights, and to ensure the authenticity and originality of the original data; only then can the potential of digital forensics be fully unleashed, and bring a positive impact to the compliance investigation.