Winnie Chan T: +852 2106 3801 E: WChan@lecg.com www.lecg.com A global expert services company providing expert testimony, authoritative studies, and strategic advisory services to clients including Fortune Global 500 corporations, major law firms, and governments worldwide. www.lecg.com

1. Forensic Data
Investigations in China
ASIS 3rd Annual Asia
Pacific Conference
February 2009
A global expert services company providing expert testimony, authoritative studies, and strategic advisory services to
clients including Fortune Global 500 corporations, major law firms, and governments worldwide. www.lecg.com

2. 2
Topics
 Drivers (aka: why you should care)
 Investigation
 Compliance
 Litigation
 Challenges
 Legal
 Logistical
 Technical
 Getting Ready
 Case Studies

3. 3
Drivers
 Investigations
 Internal incident response
 Internal investigation
 Fraud
 Theft of intellectual property
 Compliance/Congressional
 FCPA
 CFAA
 Antitrust/Anti-dumping
 Local compliance expectation

4. 4
Drivers
 Litigation
 Intellectual property
 Product liability
 Class action

5. 5
Where do computers come into all this?
 Estimated that well over 90% of information is held digitally
 International and local landscape on computers & crime:
 FBI sets up CART 1991
 IOCE former 1995
 G8 Lyons Group former 1998
 ASEAN MMT, ASEAN +1, ASEAN+3
 INTERPOL Asia Pacific Working Group on IT Crime
 Japan HITEC, Hong Kong TCD, PRC PSB

6. 6
The very long-arm of the law
 FCPA
 1977 Law
 Imposes criminal and civil penalties for bribing foreign officials to obtain or
maintain contracts
 Covers the corporation overseas and its agents
 Working with SOEs in China – all employees considered government
officials
 CFAA
 Part of Title 18 on Fraud
 Covers fraud through unauthorised access or exceeding authorised
access (internal fraud)
 Amended by PATRIOT Act in 2001 to append extraterritoriality

7. 7
Changes to the Civil Litigation Landscape
 “Have your IT house in order”
 Hon Lee Rosenthal, Chair, Federal Rules Committee
 “If it is critical to the success of your case to admit into evidence
computer stored records, it would be prudent to plan to authenticate
the record by the most rigorous standard that may be applied”
 Hon Paul Grimm, US magistrate, Maryland
 “The ground has shifted....by these new rules”
 Hon John Facciola, US magistrate, Washington DC

8. 8
What changes?
 United States Federal Rules of Civil Procedure
 Amended December 2006
 Six years to determine amendments
 Specifically describes Discovery of “Electronically Stored Information”
(ESI)
 Ongoing impact and precedents
 March 2007 Federal Judges' guide to ESI
 Maryland Protocol

9. 9
What Rules?
 Inclusion of ESI (Rule 34)
 Scope and accessibility
 Form of production (Rule 34(b)
 “Claw Back” (Rule 26(b)(5))
 Preservation and sanction
 Early attention (Rules 26(f)(3), 16(b)(5), 16(b)(6))

10. 10
What does that mean?
 Effectively brings civil and criminal action to the same standard
regarding digital evidence
 Long Arm precedent in less than one year:
 Columbia Pictures Industries vs Bunnell, May 2007, US District Court CA
 Foreign statutes do not deprive an American court of the power to order a
party subject to its jurisdiction to produce

11. 11
Why you have to get it right
 Zubulake vs UBS Warburg LLC
 The obligation to preserve evidence arises when the party has notice that the evidence is
relevant to the litigation or when a party should have known that the evidence may be
relevant to future litigation
 It is not sufficient to notify all employees of a litigation hold and then expect that the party
will then retain and produce all relevant information
 UBS Warburg – roughly 100 pages of email, Zubulake – roughly 400 pages of email
 Judge: adverse inference advice to jury
 USD 9.1 in compensation, USD 20.2 million in punitive damages
 Coleman (Parent) Holdings vs Morgan Stanley
 Morgan Stanley produced email partway through trial from newly discovered backup
tapes
 Adverse inference: USD 603 million in compensation and USD 850 million in punitive
damages

12. 12
The Other Jurisdiction?
 China does not have a “blocking statute”
however....
 Article 40 of the Constitution
 “the freedom and privacy of correspondence of citizens of the People's
Republic of China are protected by law. No organisation or individual may,
on any grounds, infringe upon the freedom and privacy of citizens'
correspondence”
 Regulations on Employment Service and Employment Management
 Oct 30 2007
 “Any publicity of personal data of laborers and any use of... laborers'
intellectual achievements shall be used under written consent of laborers”
 Scope??

13. 13
PRC, the internet and email
 1997 Administrative Measures on Security Protection for International
Connections to Computer Information Networks
 No one may use internet connections to “infringe upon...legal rights and
interests of citizens”
 Article 7
 2006 Measures for the Administration of Internet Email Services
 Article 10
 Definition of “non-operator Internet information services”

14. 14
So the laws are circling....now what?
 Where is the data physically?
 Local offices
 Data centres
 Who do you have to help?
 Investigations personnel
 IT administrator
 Legal counsel
 Outside help
 Outside counsel
 Third party expert support
 Are you/they authorised to investigate or represent you in China?

15. 15
Other logistical challenges
 Where is the data logically?
 Do you have an up-to-date data map?
 What's a data map?
 Do you have an enterprise network diagram?
 What user data and what enterprise data is needed?
 Email – where is it? User's PC? Server? Blackberry/smartphone? All of
them?
 Files – local copies? File servers?
 CDs, thumb drives?
 Backup tapes and systems?
 Any legacy systems?

16. 16
So now you can start to collect....
 Collection expectations:
 ACPO
 Maryland Protocol
 Volume:
 1GB = 75,000 pages
 1CD = 20 boxes
 1 DVD = 150 boxes
 40GB HDD = 1,200 boxes
 300 GB HDD = 9,000 boxes

17. 17
Technical challenges
 Legacy systems
 Machines still around? Working?
 Cost to collect/examine/produce? Penalty for failure?
 Back-up systems
 Identified?
 Formats? Cost to restore?
 Rotation and housekeeping?

18. 18
More technical challenges
 Enterprise systems
 3D CAD
 Proprietary formats
 Structured data
 Language
 Review and analysis
 Technical processing: ASCII, Unicode, and legacy code pages
 LOTS AND LOTS OF LITTLE SQUARES
 Validity of review

19. 19
So what can you do about all this?
 Corporate digital data readiness
 Do not reinvent the wheel
 CISO/CIO?
 Incident Response
 Information classification policy
 Pre-define roles and responsibilities – CSO to legal counsel
 Identify skill-sets and hire those that make sense
 Know the law
 US emphasis on pre-trial conference
 Third-party ESI expert
 Know the technology

20. 20
Data Analytics

21. 21
Case Study: Securities Class Action
 Chinese technology company listed in US
 Share price goes down. Class action launched
 Adverse inference strategy...?
 The challenge:
 100+ custodian PCs
 Unknown network configuration
 Unknown enterprise systems
 The solution:
 ESI source mapping emphasis
 Selective acquisition of documented data sources

22. 22
Case Study: IP Litigation
 Technology companies in dispute over team defection
 China facilities in-scope
 The challenge:
 Multiple custodian PCs
 Multi-server CAD environment
 Multi-server design version control environment
 The solution:
 Technical review of enterprise system
 Forensic acquisition
 Server re-build: defensible, repeatable

23. 23
Thank You
Any Questions?

24. 24
Contact Details
LECG Hong Kong Limited
3505-06 Tower Two
Lippo Centre
Admiralty
Hong Kong
T: +852 2106 3800 (Richard Kershaw)
E: RKershaw@lecg.com