ICPL 7/25/2007

1. X Me ICPL 7/25/2007 What the New E-Discovery Rules Mean to You H. Morrow Long, MS, CISSP, CISM, CEH Director of Information Security Yale University

2. FRPC 2006 E-Discovery terms & points • ESI is now a separate category of discoverable info. • You must know what you have -- Sloppiness is no longer an excuse. Hire records management personnel? • You must respond to a request by a finite time frame. • Data is now delivered in electronic form as specified. • Don’t panic: “Good faith” efforts provide a “safe harbor”. • You will not be in trouble as long as you follow your repeatable (and documented) policies & practices. ILM! • You can face fines, adverse jury instructions or business disruption. • Plan and prepare. Set up arrangements between general counsel and IT as well as with outside firms if you are going to need their assistance (outsourced provider, forensics firm).

3. National Environment…IG Audits are gaining momentum HHS audit of Yale subcontract from UMass Medical School (February 2006) Major signal about responsibilities relating to subcontracts $194K of a $572K NIH award was disallowed by HHS Cost transfers (preaward, accounts in deficit), effort, cost allocation methodology NIH, DoD and NSF serve Yale with subpoenas (July 2006) FBI agents went at night to faculty and staff homes (and to one vacation destination!) to question them All information related to 47 grants from 13 departments (many closed) were subpoenaed Issues thus far…allocation of research expenses, the reporting of faculty effort devoted to grants, and numerous other matters relating to grant administration. “Just zero out the grant…” Whistleblower…? IG focus is on cost transfers, allocation of expenses, effort, administrative charging and subaward monitoring, conflict of interest 3 http://ora.stanford.edu/supporting_files/abc_0207_compliance.ppt

6. Yale University - Federal G&C Investigation June 26, 2006 - Yale is served with subpoenas from four federal agencies : HHS, NIH, DoD, NSF - 47 grants and contracts for $47 million in 14 Depts. “The amount of documents that have been requested by the federal government amounts to … hundreds of thousands, even millions of pages,” - Yale President Levin Yale Daily News, September 11, 2006 May 2007 - NASA investigation into Grant and Contract Accounting.

7. Yale University Response and Actions • Mobilizes to inventory, preserve, examine, catalog and index data to fulfil the subpoenas doc requests. • “100 Day Plan” to re-engineer accounting @ Yale. • New Research Administration department created. • Space reserved to store investgation’s paper documents • Floor of Class A office space reserved for the auditors and lawyers to sort through documents. • Communications: Sends e-mail and posts official message to the Yale Community on June 30, 2007 notifying employees (and others) what has occurred and what they should do.

8. Official Yale Communications • VP General Counsel June 30, 2006 memo to Yale • July 25, 2006 guidance on how this policy applies to newly created research data, • Reminders sent out on 11/2/2006, 3/30/2007. • May 9, 2007 Memo on NASA Investigation

17. Issues • Everyone began to ask what they could/should do before they : • Repurposed PCs • Disposed of computers and disks and tapes • Erased large datasets of research files… • Now there was ‘The List’ of “Persons of Interest”. • Over time the rule in IT became that you had to check ‘The List’ to see if a user was a named ‘Person of Interest’. • Our Remedy trouble ticket system even had a ‘Red flag’ tag added to display when a ticket was a “Person of Interest”. • Yale’s IT AUP (Policy 1607) provides a process for access to data on University owned systems without the user’s consent under a procedure with checks and balances (Section 2.B).

18. Yale Policy 1607 Section 2.BConditions of University Access B. Process. Consistent with the privacy interests of Users, University access without the consent of the User will occur only with the approval of the Provost and cognizant Dean (for faculty users), the Vice President for Finance and Administration (for staff users), the Dean of Yale College or of one of the graduate or professional schools, as appropriate (for student users), or their respective delegatees, except when an emergency entry is necessary to preserve the integrity of facilities or to preserve public health and safety. The University, through the Systems Administrators, will log all instances of access without consent. Systems Administrators will also log any emergency entry within their control for subsequent review by the Provost, Vice President for Finance and Administration, dean, or other appropriate University authority. A User will be notified of University access to relevant IT Systems without consent, pursuant to 1607.2, section A (1-5) depending on the circumstances, such notification will occur before, during, or after the access, at the University's discretion.

19. Problems • We ran out of tape and disk in our central TSM network backup system servers. • Research and administrator users ran out of disk space. • People became afraid to delete any files at all… • Eventually there was some tension between the Faculty and the Yale administration regarding : • Mandatory faculty training in research administration. • The process of accomodating the document preservation and production to the government in fullfilling the subpoenas.

23. ITS Involvement • 600+ Individuals named • 400+ accounts preserved (“held”) • 100 individual’s disks restored or ‘captured’ • 20+ 200GB disks shipped to internal investigators • Additional tape units, disks and computers to handle ePreservation and restorals/capture. • H/W Drive Encryption units for xfer to 3rd party firms. • 8 TB of disk space used for e-Preservation “SAFE” TSM vault. • Many hard disks, tapes and other media physically preserved (stored in my office, moved to cabinets) • Cataloging/indexing system for preserved ESI. • Wrote software to automate cataloging and restoring inactive (deleted/overwritten) files, tracking and reporting progress.

24. Timeline - 2006-7 • July - Preservation • August - Project Planning • September - Inventory • October - December - Restores and Captures • January - March - Clean up of outliers • June - we’ve returned to regular mode operation of disabling/deleting accounts not on ‘the list’ (now we have a new ‘list’ which includes all of the accounts in ‘holds’ The University negotiated with the Federal gov’t as to how many and who they needed to supply documents for, reducing the number of individual’s files affected

25. E-Collection Philosophy The University negotiated with the Federal gov’t as to how many and who they needed to supply documents for, reducing the number of individual’s files affected We’ve taken the concept of undue administrative burden to heart (pre E-Discovery 2-tier), restoring data which is not unduly difficult to restore. We have collected data from backups rather than directly from systems to reduce inconvenience to users. We usually only do forensic capture when a legal or internal (e.g. HR) investigation will require it.

26. December 2006 - Present E-Discovery • E-Discovery takes affect : New Federal Rules of Evidence for “ESI” • ITS and General Counsel discusses and determines: • We will use the procedures and processes we have been using for the G&C Investigation to handle eDiscovery “holds”. • General Counsel will send InfoSec a formal confidential request to preserve all centrally held data (E-Mail, PC backups and Pantheon home directory) for individuals/accounts. • InfoSec will coordinate tracking the preservation requests and responses. • We’ve had a dozen “Hold” requests from General Counsel. • We’re solidifying the P&P which has been hammered out. • We’ve taken one set of “frozen” files/archives off of “hold” (case was settled). • We’ve not unfrozen any of the G&C material (current case).

27. FRPC 2006 E-Discovery terms & points • ESI is now a separate category of discoverable info. • You must know what you have -- Sloppiness is no longer an excuse. Hire records management personnel? • You must respond to a request by a finite time frame. • Data is now delivered in electronic form as specified. • Don’t panic: “Good faith” efforts provide a “safe harbor”. • You will not be in trouble as long as you follow your repeatable (and documented) policies & practices. ILM! • You can face fines, adverse jury instructions or business disruption. • Plan and prepare. Set up arrangements between general counsel and IT as well as with outside firms if you are going to need their assistance (outsourced provider, forensics firm).

28. Issues for e-Discovery & e-Preservation • Data Formats - programs used, data formats change and many law firms can only handle certain files. Conversion is needed. • De-duplication of messages & documents is major. • Outsourcing is $$$ but really helps with the 2 tasks above. • There needs to be a formal policy and process / procedure for both preserving and eliminating ESI (taking files off of a “hold”). Retention period? Should U have a ILM policy? • Know what data you have and where it is (& how to get to it) • Buy or build tools to archive and restore any data needed to reduce the $$ and time, remove manual steps & add accuracy • Always have General Counsel contact faculty and staff first before an IT or InfoSec staffer is sent to secure or capture data from an end user’s system.

29. Conclusions

30. References - Yale Daily News Articles • Univ. reviews accounting - 100 Day Planhttp://www.yaledailynews.com/articles/view/17801 • YDN 2006/12/7 Univ. alters accounting for grantshttp://www.yaledailynews.com/articles/view/19258 • Faculty object to searcheshttp://www.yaledailynews.com/articles/view/19728

31. References - Yale Official Announcements • 2006/06/30 - Announcement of Investigationhttps://light.its.yale.edu/messages/UnivMsgs/detail.asp?Msg=17885 • 2006/07/25 - Guidance on Research Data https://light.its.yale.edu/messages/UnivMsgs/detail.asp?Msg=18018 • 2006/11/02 - Reminder on document retentionhttps://light.its.yale.edu/messages/UnivMsgs/detail.asp?Msg=20321

32. This has been a chalk outline™ production.