Editor: Please tell us about your professional background.
Wilson: I’ve been doing forensic collections for many years. I came to it from my work at Internet data centers in the 1990s, where I started getting involved in data recovery. Clients asked me to figure out why they’d lost information on their server, and, next thing you know, they were asking me to come to court and explain it to the judge. Over the course of time, I gave so much testimony that people began saying I was an expert in the field.
Editor: What typically drives corporate clients to seek out a forensics and collections expert like yourself?
Wilson: There are many types of cases and situations that drive the need for forensic collections, and they come down to concern about something that might happen or about something that has happened. The first thing that comes to mind is revenue loss within the company. Or, there may be confidential information exposure, for example, a salesperson takes a client list, or a researcher steals IP belonging to the company. Alternatively, you may be involved in a transaction that leaves you legally exposed to someone who could exploit that situation; or someone may have defamed your company, so you need data that establishes who said what, and when.
We’ve also worked with clients on staff productivity issues and helped on “hierarchy subversion” cases – i.e., employees trying to jump around a supervisor or a particular protocol – for which we need to find data. Sometimes we’re looking for evidence of behaviors that can facilitate fraud. Say I’m a mid-level manager, and I want to capture credit card data. I don’t have access to the server, but I speak with three more senior managers at the company to figure out the user names, the passwords and/or the various connectivity issues to get into the server. We’d call my behavior “social engineering,” and our job would be to find how I worked my way into the right situation.
We’re sometimes called to work on identity fraud, a persistent problem thanks to the growing amount of personal information stored in ever-increasing locations.
Finally, clients engage us when there’s a compromise to their system – a break in the firewall, for instance. While people commonly think of these concerns when they think of forensics, the truth is most of our work comes from the first three or four items I listed.
Editor: What are the credentials that potential clients typically require before going into detail with you about their specific concern?
Wilson: They’re generally looking for experience and expertise as well as some sort of clarification as to your specialty. There is no industry-standardized certification, but several software vendors have certifications such as AccessData Certified Examiner and Guidance Software’s EnCase Certified Examiner, which deal with handling tools. There are also more common certifications such as Computer Certified Examiner (CCE), ISFCE and dozens of others. CISSP is a certification around security and network intrusions. But while there may be no standard certification, you really should be looking to hire people who are certified.
Beyond that, clients should look for experience testifying and working on the kind of case you’ve got. If you’re dealing with confidential information exposure, for instance, you’re typically going to want to look for somebody with experience in that arena, versus somebody who’s more of a forensic accountant. It’s key to look into the background of the individual.
Editor: What about jurisdictional expertise?
Wilson: Jurisdictions can be a critical matter. In several states including Texas, for instance, there are additional laws about needing a private investigator’s license. You need to make sure that the people you are working with meet the requirements of their individual jurisdiction. In the international arena, which is where we specialize, much of the work gets very complicated because of the countless, complicated laws involved. In some places, it’s illegal to remove data without filing papers with the government. Especially in these international matters, you need someone with extensive experience in dealing with those particular challenges.
Editor: In putting a face on these challenges, what are the current areas driving engagements in 2014?
Wilson: Clearly one of the real challenges in 2014 that I see is social media. So many businesses have come to rely upon or are centered around social media, whether it’s for marketing purposes or customer interactions. The ability to capture, preserve and establish evidence from social media is definitely a major challenge and is bringing a large amount of casework to us.
And, although they’re not actually new, cloud servers and the various cloud services still present many challenges, especially for those who think their data is sitting in their office when it’s actually residing on a server in the middle of Europe.
Mobile devices, especially in BYOD scenarios, create many challenges because mobile devices require a much more complicated collection process. A single phone may have 30 different software installations, depending on the carrier and the version of the phone.
Finally, one issue that’s picking up some momentum is the tremendous increase in the use of non-Windows operating systems, thanks to the proliferation of the iPhone and the iPad. As people have become more accustomed to those devices, they’ve entered the Apple desktop and laptop market as well, so the use of the Apple operating system has exploded and, along with it, the demand for people who can capture the information on the Apple OS. Relatively few people yet possess the necessary skills and experience on these devices.
Editor: What are some of the exceptional challenges you have faced in your role as the Director of Forensics and Collections at TrustPoint International?
Wilson: I’ve coordinated and managed fast-moving cases and collections all over the world on a large scale, including those with upwards of 1,000 custodians at multiple locations at the same time. This is especially challenging when the case matter is sensitive, for example, a data leak or confidential information exposure that the company wants to stop before it is publicized, so the collection must be quick and well coordinated.
One broad challenge is that ESI can be stored almost anywhere today – on phones, computers, tablets, even in microwave ovens. We were able to establish that a custodian who denied being at a location at a certain time was not telling the truth because the microwave’s data showed he had used it there and then.
Another main challenge is making sure you can filter massive amounts of data down to the relevant information. And, as I mentioned earlier, with the proliferation of non-Windows-based systems, few people can find the right data and conduct the proper analysis to establish it as evidence.
Expert testimony is always a challenge. Many companies like to use their internal resources, for example, their IT director, as an expert. I always discuss this decision with my clients and ask them if they actually have experience testifying. Does the director know how to answer the questions without getting herself into a trap? Can she withstand her character being questioned? Often a cross-examination will involve impugning the expert’s character and then alleging that her knowledge is inconsequential.
Next, with companies having more remote employees and dispersed offices, remote data collection has become more common. The ability to collect and capture data remotely from multiple sites in a timely, efficient and sound manner is a complicated process that must also be managed alongside the onsite data collection.
Finally, as with using their own people as experts on the stand, some clients prefer to use their internal resources for collection as well. This can be dangerous, as there may be people in the organization who have collection skills but lack experience in litigation and the legal production side of collection, and this may expose the company to greater risk. But when the case can be made that it’s feasible and viable for a client, we support them in these self-collection efforts and serve as consultants, making sure that the client has a proper protocol in place for handling internal self-collection.
Editor: I understand you had a case with evidence in several European countries. I imagine this raised privacy issues.
Wilson: Yes. We’ve had some great success in large collections involving multiple European countries, some of them with rigorous data privacy rules. For instance, in Germany, you must report in with a data protection officer, and if you don’t receive approval, it can actually be a crime to perform the collection. We had a case involving four different countries, and in the course of two weeks we were able to effectuate a full collection in all four. We filed with the appropriate government agencies and protected the information for our client while meeting the various challenges of international legal work.
Editor: What guidance would you give corporate legal departments in regards to dealing with external forensics and collections experts in investigations and litigation?
Wilson: The best thing you can do is plan ahead. Make sure you have a retention policy in place within the company and that you follow it – otherwise a retention policy provides no protection. If you say you will only hold emails for 90 days, then you must do so. Companies get into trouble when they claim they hold data for 90 days and then proceed to collect from their server three-year-old data, thereby opening the door to anybody who wants to question their retention policy.
Companies should also have a proper incident response plan for events such as the departure of a key employee, in which case the plan should include the immediate preservation of all that individual’s relevant data – on their computer, in their mailbox, on the network, etc. Having an incident response plan allows you to respond in a sound and quick manner. Every day that goes by, more data can be overwritten – especially on cell phones, where phone and text logs turn over extremely quickly – and the potential for proving your case may diminish rapidly.
To that end, I always say, engage with your experts. Reach out to your consultants and get them involved as early as possible. The earlier you do so, the more intelligent they can be in helping you and ensuring that everyone at the table understands your case – including what data points should be looked at, be they in the system, in the cloud, in social media or on cell phones.
It’s also critical to define the roles and responsibilities of your key players, whether you are involving a third-party consultant or are relying on internal people. When an incident occurs, everyone should know how to react and understand the chain of command, as well as what must be done and when.
Before executing a plan, make sure that you have established reasonable expectations. Many times, I’ve been called by a client whose key employee has captured the company’s data, has quit and set up his own company, and has begun calling his former company’s clients. In such a scenario, make sure there’s an understanding of the expectations of the outcome of such an investigation. What will we be able to prove? Can we prove that the custodian’s information was on his computer, or that he pulled it from the network with a phone or other device? I’m very client driven, and I always set clear expectations because clients sometimes don’t really understand what the possibilities are and therefore can have unrealistic expectations.
Lastly, make sure you’re holding your experts accountable – that they are looking out for your best interests and that they are within your budget. You don’t want to hire an expert to handle a $100,000 case only to have him bill you $80,000. This goes back to establishing proper expectations and making sure everyone has a clear understanding of their responsibilities.
Published January 23, 2014.