The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's virtual private network. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case of Terry Childs, who is accused of holding the city's network hostage by refusing to give up administrative networking passwords. Childs was arrested July 12 on charges of computer tampering and is being held in the county jail.
Mr. Childs is a good example of the "Insider Threat" that any savvy CSO has on their mind today. As a result of the case evidence being gathered and the eDiscovery involved with proving the case in court, now we have additional exposures to the City of San Francisco. A system administration nightmare only if the city has not implemented tools such as Multi-Factor authentication and encryption of sensitive personal identifiable information or classified data.
Childs faces four felony counts of computer network tampering and one penal-code violation for causing losses in excess of $200,000. He has pleaded not guilty but remains in custody in lieu of $5 million bail.
The ordeal has spurred the city's IT department to bolster network oversight and to consider hiring outside auditors to monitor a security upgrade. City officials also will review all access to its FiberWAN network, the hub through which payroll, e-mail and criminal files flow.
It has also persuaded other cities to scrutinize their own systems.
As more cases like this one enter our legal system it is imperative that attorneys for both the plaintiff and defense realize the implications of their search for justice. The identities of people who may be witnesses in an upcoming trial have a sensitivity just as the ID's or login credentials for city employees and officials. As these types of cases become more prevalent there will be new procedures and controls invoked by judges who have learned their lessons about releasing sensitive information such as network passwords to the public record.
So What! What does Operational Risk have to do with a criminal case? What would eDiscovery have to do with this? Where do you think they got all of these passwords? Inside a paper notebook sitting on a shelf?
In a case that did not receive a lot of publicity the Court in United States v. O'Keefe, 537 F. Supp. 2d 14, 18-19 (D.D.C. 2008) applied the federal civil ediscovery amendments to a federal "criminal" case. This was a significant decision in that DOJ's federal prosecutors (over 4000), defense counsel, and others have some guidance from a federal magistrate regarding ESI in the criminal area. The Court stated:
In criminal cases, there is unfortunately no rule to which the courts can look for guidance in determining whether the production of documents by the government has been in a form or format that is appropriate. This may be because the "big paper" case is the exception rather than the rule in criminal cases. Be that as it may, Rule 34 of the Federal Rules of Civil Procedure speak specifically to the form of production.
The Federal Rules of Civil Procedure in their present form are the product of nearly 70 years of use and have been consistently amended by advisory committees consisting of judges, practitioners, and distinguished academics to meet perceived deficiencies. It is foolish to disregard them merely because this is a criminal case, particularly where, as is the case here, it is far better to use these rules than to reinvent the wheel when the production of documents in criminal and civil cases raises the same problems.