Saturday, April 26, 2008

Notes from RSA 2008 San Francisco

This year I attended the Law and Liability sessions at RSA. Sessions with U.S. Magistrate Judge John Facciola, Howard W. Cox (Assistant Deputy Chief, US Dept. of Justice), Steven Teppler (Attorney, Florida), and Randy V. Sabett (Attorney, Washington, D.C) were extremely interesting.

Here are some of my notes from various sessions. (Note: Special thanks to Steven Teppler for reviewing the accuracy of my notes and making the necessary updates.)

e-discovery: discovery in civil litigation which deals with information in electronic form
  1. An unprepared organization can be crippled with an e-discovery request. Advance planning early in the ILM can reduce or minimize e-Discovery pain.
  2. Once you receive a notice of e-discovery or a legal hold, or become aware of pending litigation, preserve all data (email, databases, etc.) that may be relevant or that may lead to relevant evidence. Asking your lawyer for advice before taking any action is a good idea.
  3. Don't wait to stop all automated relevant document deletion after an e-discovery notice has been received. Your duty to stop routine and systematic document destruction is triggered by the filing of a lawsuit (way in advance of discovery) and might under certain circumstances be triggered even in advance of a lawsuit.
  4. Destroying evidence by mistake is like "killing your parents and then throwing yourself on the mercy of the court because you're an orphan" (Magistrate Facciola).
  5. A digital record is no longer just a digital record; it is potential evidence in a lawsuit.
  6. Many companies tend to settle out of court for fear of the burdensome costs of litigation, which now include e-discovery. However, settlement is NOT justice (Magistrate Facciola).

Knowing disregard (i.e. purposely not learning about, or ignoring, an unlawful activity) is the same as knowing and not disclosing.

Overloading your organization with regulations and policies (PCI, SOX, etc.) results in a loss of intelligence and creativity. Complying with policies like PCI is important, but do not make them the linchpin of your organization's security. Be creative in securing your infrastructure. Complying with PCI, for example, may avert a lawsuit against you, but it will not protect your reputation in case of a security breach. Sometimes the enforcement of these regulations creates a false sense of security. False Confidence = Complacency.

beyond reasonable doubt ≠ mathematical certainty

Fact is a psychological construct

Habeas Data: right to own data. You own the information about yourself (Personally Identifiable Information (PII))

Safe Harbor Act also known as the European Union Data Protection Directive
  1. The act prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.
  2. US-based companies should try to obtain Safe Harbor certification.
  3. Slightly higher standard than California privacy laws; somewhere between EU and US.
  4. Requires you to do the work up-front. 6 months - 1 year of work required. Annual re-certification required.
  5. Attaining Safe Harbor certification elevates the reputation of the company.

Other topics discussed:
PCI DSS
e-gold
18 USC Section 1960
Software-independent voting systems, i.e. machines that implement measures independent of the software, e.g. a paper trail.
