
Page 1

ICPL 7/25/2007

What the New E-Discovery Rules Mean to You

H. Morrow Long, MS, CISSP, CISM, CEH
Director of Information Security
Yale University

Page 2

FRCP 2006 E-Discovery terms & points

• ESI is now a separate category of discoverable info.
• You must know what you have -- sloppiness is no longer an excuse. Hire records management personnel?
• You must respond to a request within a finite time frame.
• Data is now delivered in electronic form as specified.
• Don’t panic: “Good faith” efforts provide a “safe harbor”.
• You will not be in trouble as long as you follow your repeatable (and documented) policies & practices. ILM!
• You can face fines, adverse jury instructions or business disruption.
• Plan and prepare. Set up arrangements between general counsel and IT as well as with outside firms if you are going to need their assistance (outsourced provider, forensics firm).

Page 3

National Environment… IG Audits are gaining momentum

• HHS audit of Yale subcontract from UMass Medical School (February 2006)
– Major signal about responsibilities relating to subcontracts
– $194K of a $572K NIH award was disallowed by HHS
– Cost transfers (preaward, accounts in deficit), effort, cost allocation methodology

• NIH, DoD and NSF serve Yale with subpoenas (July 2006)
– FBI agents went at night to faculty and staff homes (and to one vacation destination!) to question them
– All information related to 47 grants from 13 departments (many closed) was subpoenaed
– Issues thus far… allocation of research expenses, the reporting of faculty effort devoted to grants, and numerous other matters relating to grant administration.
– “Just zero out the grant…” Whistleblower…?

• IG focus is on cost transfers, allocation of expenses, effort, administrative charging and subaward monitoring, conflict of interest

http://ora.stanford.edu/supporting_files/abc_0207_compliance.ppt

Page 4

Page 5

Y: The audit said Yale found an e-mail that had been altered and reported it. The original e-mail had asked for costs to be transferred from other grants to the sub-grant, which was about to expire with funds still remaining. A reference to "spending down" the sub-grant was deleted in the altered e-mail.

L: That e-mail was a matter of great concern to us. When we discovered the altered email, we immediately reported it to the federal auditors. It is intolerable, no matter what the intention, for a Yale employee to alter a document in the course of a government audit. And it's wrong to charge a research grant that is about to expire for expenses unrelated to the grant. There is simply no doubt about it.

Y: DHHS said Yale investigated and took disciplinary action. What was the outcome?

L: Disciplinary action was taken. I can't comment about the nature of it; it's against our policy to talk about disciplinary actions taken against an individual.

[http://www.yalealumnimagazine.com/issues/2006_09/q_a.html]

Page 6

Yale University - Federal G&C Investigation

June 26, 2006 - Yale is served with subpoenas from four federal agencies: HHS, NIH, DoD, NSF - 47 grants and contracts for $47 million in 14 Depts.

“The amount of documents that have been requested by the federal government amounts to … hundreds of thousands, even millions of pages,” - Yale President Levin

Yale Daily News, September 11, 2006

May 2007 - NASA investigation into Grant and Contract Accounting.

Page 7

Yale University Response and Actions

• Mobilizes to inventory, preserve, examine, catalog and index data to fulfil the subpoenas’ document requests.

• “100 Day Plan” to re-engineer accounting @ Yale.

• New Research Administration department created.

• Space reserved to store the investigation’s paper documents.

• Floor of Class A office space reserved for the auditors and lawyers to sort through documents.

• Communications: Sends e-mail and posts official message to the Yale Community on June 30, 2007 notifying employees (and others) what has occurred and what they should do.

Page 8

Official Yale Communications

• VP General Counsel June 30, 2006 memo to Yale
• July 25, 2006 guidance on how this policy applies to newly created research data
• Reminders sent out on 11/2/2006, 3/30/2007
• May 9, 2007 memo on NASA investigation

Page 9

Page 10

From: Dorothy K. Robinson

Vice President and General Counsel

Re: Federal Investigation into Grant and Contract Accounting

Earlier today President Levin sent to you a memo to inform you of investigations being conducted by various federal agencies regarding Yale’s management of research grants. Several federal agencies have served subpoenas calling for the production of a broad range of documents relating to the University’s charging practices and grant- and contract-related recordkeeping. The subpoenas cover many years, many grants and contracts, and many Yale departments. At this point, no segment of Yale is exempt from scrutiny. We are working with expert outside counsel to respond to the subpoenas and to provide advice on all aspects of the investigations.

Page 11

Document Retention

It is essential that all grant- or contract- related documents be preserved. Destroying relevant hard copy or electronic records may subject you to criminal prosecution as well as the full range of employment sanctions. Even inadvertent destruction or loss of relevant documents and electronic records can have very serious consequences.

This memorandum summarizes your obligations to preserve documents.

Page 12

Scope: As of now, the investigations cover all aspects of federally sponsored research agreements where the sponsor is the Department of Defense, the Department of Health & Human Services, the National Science Foundation, or any component of any of those agencies. In case of doubt, you should assume that a funding arrangement is covered.

Page 13

We do not yet know how far back the investigations will go. One of the subpoenas calls for documents going back to 1997. Do not assume that older documents and records are not covered. All routine destruction of documents and records related to federally sponsored research should be stopped immediately. If you have routine document or record destruction practices, and do not know if the documents or records pertain to federally sponsored research, please err on the side of caution, and stop the destruction until further notice. There should be no further deletion of electronic documents, including e-mails, relevant to federal research grants and contracts even if such deletions would have been routine.

Page 14

What counts as a document or record? Documents and records that must be preserved include anything with words or numbers or data pertaining to federally sponsored research. That includes all letters, emails, research notebooks, voicemails, memoranda, notes, instructions, reports, analyses, telegrams, facsimiles, diaries, calendars, studies, logs, journals, books, plans, records, forms, charts, graphs, audio, visual and digital recordings, photographs (positive prints and negatives), slides, worksheets, checks, credit card charge slips, expense records, computation sheets, computer printouts and programs, tapes, videotapes, diskettes, CD-ROMS, DVDs, microfilm, microfiche, and handwritten comments on any of the above. It includes all copies of documents which are not identical, due to highlighting, handwritten notes, corrections, revisions, or other differences, no matter how minor. All versions of each document must be preserved.

Page 15

Your document preservation responsibility is ongoing and exists until you are notified otherwise in writing by me. You are not being asked to copy or produce any documents now; you may be contacted by a Yale lawyer with specific instructions if that becomes necessary. …

If you have any questions about any of these matters, do not hesitate to contact me, Susan Carney, Deputy General Counsel, or Harold Rose, Associate General Counsel, at 432-4949.

Thank you for your careful attention to this very important duty.

-------

NOTE: This official Yale University message can also be viewed at:

https://light.its.yale.edu/messages/UnivMsgs/detail.asp?Msg=17885

Page 16

… In my email of June 30, I gave initial guidance on Yale’s legal obligation, during the government’s investigation into grants and contracts management at the University, to preserve research data developed under federally sponsored research. Since then, many individuals have expressed concern about whether they are required to maintain every iteration of such research data until the investigation is completed. In response to these concerns, we have had discussions with the responsible government agent, who has now made it clear that the government does not wish its inquiry to interfere with the active conduct of scientific research. Specifically, we have been informed that, going forward, you do not need to preserve newly created research data. This applies to all types of data, including dynamic systems that continually update and analyze a base of existing information. However, if you currently possess federally funded research data that were created and preserved in a static form prior to June 28, 2006 (for example, lab notebooks), you should continue to preserve those data. …

Page 17

Issues

• Everyone began to ask what they could/should do before they:
– Repurposed PCs
– Disposed of computers and disks and tapes
– Erased large datasets of research files…

• Now there was ‘The List’ of “Persons of Interest”.
• Over time the rule in IT became that you had to check ‘The List’ to see if a user was a named ‘Person of Interest’.
• Our Remedy trouble ticket system even had a ‘Red flag’ tag added to display when a ticket was a “Person of Interest”.
• Yale’s IT AUP (Policy 1607) provides a process for access to data on University owned systems without the user’s consent under a procedure with checks and balances (Section 2.B).

Page 18

Yale Policy 1607 Section 2.B: Conditions of University Access

B. Process. Consistent with the privacy interests of Users, University access without the consent of the User will occur only with the approval of the Provost and cognizant Dean (for faculty users), the Vice President for Finance and Administration (for staff users), the Dean of Yale College or of one of the graduate or professional schools, as appropriate (for student users), or their respective delegatees, except when an emergency entry is necessary to preserve the integrity of facilities or to preserve public health and safety. The University, through the Systems Administrators, will log all instances of access without consent. Systems Administrators will also log any emergency entry within their control for subsequent review by the Provost, Vice President for Finance and Administration, dean, or other appropriate University authority. A User will be notified of University access to relevant IT Systems without consent, pursuant to 1607.2, section A (1-5); depending on the circumstances, such notification will occur before, during, or after the access, at the University's discretion.

Page 19

Problems

• We ran out of tape and disk in our central TSM network backup system servers.
• Research and administrator users ran out of disk space.
• People became afraid to delete any files at all…
• Eventually there was some tension between the Faculty and the Yale administration regarding:
– Mandatory faculty training in research administration.
– The process of accommodating the document preservation and production to the government in fulfilling the subpoenas.

Page 20

Mandatory training sessions for any faculty member whose work is funded by a source outside Yale will be offered multiple times through March, according to the Office of Research Administration. The hour-long sessions will cover policies and procedures related to grant accounting and reporting, though administrative staff will be responsible for carrying out most of the procedures. Attendees will later take an online quiz and must receive a passing score of at least 90 percent. Faculty members who do not attend one of the sessions and pass the quiz by June 30 will be barred from submitting new grant applications, according to a Nov. 27 letter from Provost Andrew Hamilton.

Though the training has not yet started, some researchers have already expressed dissatisfaction with the requirement, Deputy Provost Charles Long said. He said the mandatory training is a burden, but it is important to ensure that all faculty members understand the procedures better. Aside from the single training session, the ongoing changes in research administration should not have much direct impact on faculty members, he said. [YDN 2006/12/7]

Page 21

Published: Friday, February 2, 2007

Faculty object to searches
Univ. copies info from hard drives in response to grant accounting investigation

Steven Siegel, Staff Reporter

As a federal investigation into possible mismanagement of grant monies at Yale enters its eighth month, some professors are speaking out against what they say is an inappropriately invasive response from the University.

[YDN 2007/2/7]

Page 22

At a faculty meeting Thursday, some science professors said the University is impinging on privacy and academic freedom by copying documents from professors’ hard drives and requiring faculty members to undergo mandatory training or supervision in the grant administration process. But administrators said they have already addressed one of the faculty’s concerns about the training, and that they have simply taken steps required by government subpoenas.

The University has been taking information off some faculty hard drives in response to subpoenas, which some professors charged was a violation of their privacy. [YDN 2007/2/7]

Page 23

ITS Involvement

• 600+ individuals named
• 400+ accounts preserved (“held”)
• 100 individuals’ disks restored or ‘captured’
– 20+ 200GB disks shipped to internal investigators

• Additional tape units, disks and computers to handle ePreservation and restorals/capture.
• H/W drive encryption units for transfer to 3rd party firms.
• 8 TB of disk space used for e-Preservation “SAFE” TSM vault.
• Many hard disks, tapes and other media physically preserved (stored in my office, moved to cabinets).
• Cataloging/indexing system for preserved ESI.
• Wrote software to automate cataloging and restoring inactive (deleted/overwritten) files, tracking and reporting progress.

Page 24

Timeline - 2006-7

• July - Preservation
• August - Project planning
• September - Inventory
• October - December - Restores and captures
• January - March - Clean up of outliers
• June - we’ve returned to regular mode operation of disabling/deleting accounts not on ‘the list’ (now we have a new ‘list’ which includes all of the accounts in ‘holds’).


Page 25

E-Collection Philosophy

The University negotiated with the Federal gov’t as to how many and which individuals they needed documents for, reducing the number of individuals’ files affected.

We’ve taken the concept of undue administrative burden to heart (pre E-Discovery 2-tier), restoring data which is not unduly difficult to restore.

We have collected data from backups rather than directly from systems to reduce inconvenience to users.

We usually only do forensic capture when a legal or internal (e.g. HR) investigation will require it.

Page 26

December 2006 - Present: E-Discovery

• E-Discovery takes effect: new Federal Rules of Evidence for “ESI”

• ITS and General Counsel discuss and determine:
– We will use the procedures and processes we have been using for the G&C Investigation to handle eDiscovery “holds”.
– General Counsel will send InfoSec a formal confidential request to preserve all centrally held data (E-Mail, PC backups and Pantheon home directory) for individuals/accounts.
– InfoSec will coordinate tracking the preservation requests and responses.

• We’ve had a dozen “Hold” requests from General Counsel.
• We’re solidifying the P&P which has been hammered out.
• We’ve taken one set of “frozen” files/archives off of “hold” (case was settled).
• We’ve not unfrozen any of the G&C material (current case).
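The hold-tracking process on this slide (General Counsel sends a confidential preservation request naming accounts; InfoSec keeps ‘the list’, gates routine account deletion on it, and releases a hold only when its case settles while other cases stay frozen), as an added example; this is not Yale's own software, and every case id and NetID in it is a constructed sample value.

```python
"""Legal-hold register for centrally held accounts (added example, not
Yale's tooling). Models the slide's process: a formal request from General
Counsel places named accounts on hold for a case; routine deprovisioning
must check the hold list first; releasing one case frees only the accounts
that no other open case still names. Case ids / NetIDs are constructed."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class HoldRequest:
    case_id: str
    requester: str        # who sent the formal request, e.g. "General Counsel"
    accounts: frozenset   # NetIDs whose e-mail, PC backups and home dir to keep
    received: date


@dataclass
class HoldRegister:
    requests: dict = field(default_factory=dict)   # case_id -> HoldRequest
    released: dict = field(default_factory=dict)   # case_id -> release reason
    audit: list = field(default_factory=list)      # append-only trail

    def add(self, req: HoldRequest) -> None:
        if req.case_id in self.requests:
            raise ValueError(f"duplicate hold request {req.case_id}")
        self.requests[req.case_id] = req
        self.audit.append(("hold", req.case_id, sorted(req.accounts),
                           req.received.isoformat()))

    def active_cases_for(self, account: str) -> list:
        """Open cases naming this account: the reason it must stay preserved."""
        return sorted(cid for cid, r in self.requests.items()
                      if cid not in self.released and account in r.accounts)

    def on_hold(self, account: str) -> bool:
        return bool(self.active_cases_for(account))

    def deprovision_plan(self, candidates) -> tuple:
        """Split a routine account-cleanup batch into accounts that may be
        disabled/deleted and accounts that must be kept (with the cases why)."""
        keep = {a: self.active_cases_for(a) for a in candidates if self.on_hold(a)}
        delete = sorted(a for a in candidates if a not in keep)
        self.audit.append(("deprovision_check", delete, sorted(keep)))
        return delete, keep

    def release(self, case_id: str, reason: str) -> list:
        """Take a case off hold. Returns only the accounts no other open case
        still names; the rest stay frozen under their remaining cases."""
        if case_id not in self.requests or case_id in self.released:
            raise KeyError(f"no open hold for {case_id}")
        self.released[case_id] = reason
        freed = sorted(a for a in self.requests[case_id].accounts
                       if not self.on_hold(a))
        self.audit.append(("release", case_id, reason, freed))
        return freed


def demo() -> dict:
    """Two overlapping holds; the later case settles and is released."""
    reg = HoldRegister()
    reg.add(HoldRequest("GC-2006-0001", "General Counsel",
                        frozenset({"abc12", "def34"}), date(2006, 7, 1)))
    reg.add(HoldRequest("ED-2007-0004", "General Counsel",
                        frozenset({"def34", "ghi56"}), date(2007, 1, 15)))
    delete, keep = reg.deprovision_plan(["abc12", "def34", "ghi56", "jkl78"])
    freed = reg.release("ED-2007-0004", "case settled")
    return {"delete": delete, "keep": keep, "freed": freed,
            "def34_still_held": reg.on_hold("def34")}


if __name__ == "__main__":
    print(demo())
```

The audit list is the record a records-management review would want: every hold, every deprovisioning check and every release, with the accounts affected.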

Page 27

FRCP 2006 E-Discovery terms & points (recap of the Page 2 slide)

Page 28

Issues for e-Discovery & e-Preservation

• Data formats - the programs used and the data formats change, and many law firms can only handle certain files. Conversion is needed.
• De-duplication of messages & documents is major.
• Outsourcing is $$$ but really helps with the 2 tasks above.
• There needs to be a formal policy and process/procedure for both preserving and eliminating ESI (taking files off of a “hold”). Retention period? Should U have an ILM policy?
• Know what data you have and where it is (& how to get to it).
• Buy or build tools to archive and restore any data needed, to reduce the $$ and time, remove manual steps & add accuracy.
• Always have General Counsel contact faculty and staff first before an IT or InfoSec staffer is sent to secure or capture data from an end user’s system.

Page 29

Conclusions

Page 30

References - Yale Daily News Articles

• Univ. reviews accounting - 100 Day Plan: http://www.yaledailynews.com/articles/view/17801
• YDN 2006/12/7 - Univ. alters accounting for grants: http://www.yaledailynews.com/articles/view/19258
• YDN 2007/2/7 - Faculty object to searches: http://www.yaledailynews.com/articles/view/19728

Page 31

References - Yale Official Announcements

• 2006/06/30 - Announcement of Investigation: https://light.its.yale.edu/messages/UnivMsgs/detail.asp?Msg=17885
• 2006/07/25 - Guidance on Research Data: https://light.its.yale.edu/messages/UnivMsgs/detail.asp?Msg=18018
• 2006/11/02 - Reminder on document retention: https://light.its.yale.edu/messages/UnivMsgs/detail.asp?Msg=20321

Page 32

This has been a chalk outline™ production.