The same question was met with consternation by the legal department. Counsel definitely considered unanswered requests their problem, but they had no idea if the court orders had been fulfilled, because they had never been told of their arrival.
This was the beginning of a tentative alliance between corporate counsel and the security team. Through trial and error, we established methods to tackle requests for access to computerized data. If your security team does not work with your corporate legal team, make it your mission to build this partnership. Although the challenges seem unusual, the execution resembles functions that your team already provides within your organization. When your participation has become entrenched, you can set priorities for any other new task.
Our team's first priority was establishing requirements for good practice. By design, court orders related to customer data are not to be disclosed to the subject. We determined that good practice also meant keeping involved parties within the company to a minimum. This indicated the need for team members with wide-ranging system administrative access, a commissioned notary public, and predetermined rules of engagement and disclosure for circumstances when cooperation from other departments was necessary.
Evidence must be defended, so we polished public speaking skills for court appearances. Our arsenal grew to include stock answers for when a response cannot be provided, procedures for evidence acquisition, and a chain of command for receiving requests and providing answers.
After determining required skills for team members, we listed necessary equipment and resources and updated that list constantly. We realized quickly that we needed a safe for evidence storage, but it took longer to determine that we needed a template for evidence chain of custody.
When we were comfortable with our response capabilities, we turned our sights to building relationships with law enforcement. Frequent exposure and face-to-face meetings built the necessary equilibrium to treat law enforcement with an unfussy respect that inspired confidence and eased communication.
As with any effort, practice made perfect. One of our challenges was convincing law enforcement personnel that court orders would not be answered until the lawyers had seen them, and that this didn't mean we were stalling. We knew the system worked when we were unexpectedly served an early morning seizure warrant at a remote facility. A frantic call from the operations staff set us in motion, but the resulting calm turnaround satisfied even the agents who were on-site to serve the warrant.
A year or so after adding legal engagement to our team's dance card, this same company was the victim of a highly publicized computer security event. We contacted law enforcement and reported the incident. They engaged us in their response as we gained control of the incident, instead of dropping by to collect evidence and then disappearing. This assured senior leadership that we were capable of handling the event.
Is it worth taking on this extra work even though your security team is overloaded with day-to-day responsibilities? I believe it is. There are many rewards, including a higher profile for your security team, interesting new assignments that keep your team members engaged, and a better working relationship with your lawyers. The greatest reward is this: When answering a court order for your own company data, your team will be clear-headed and in control of the results.
- Alison Gunnels works and teaches in the field of information security, specializing in computer forensics and business continuity planning.