Lee Neubecker: Expert in Cyber Forensics & Investigations

Curriculum Vitae Lee Neubecker

PDF Updated as of 3/21/2025

BIOGRAPHY

Lee Neubecker is the President and CEO of Enigma Forensics, Inc., a Chicago and Fort Lauderdale based Computer Forensics and Cyber Investigation consultancy. Neubecker assists Fortune 500 clients, government agencies, and private organizations with cyber-related investigations involving theft of electronic data, authentication of digital evidence, electronic medical records, fraud, counterfeiting, and online identity unmasking.

Neubecker is also the founder of the IT Security Blog leeneubecker.com. Before starting Great Lakes Forensics, Neubecker served as CISO for HaystackID and, following the acquisition of Envision Discovery and Inspired Review by HaystackID, was promoted to serve as CIO over the combined entities. Neubecker was named one of the top Global Computer Forensics and Cyber security experts by Who’s Who Legal in 2018, 2019, 2020, 2021, 2022, 2023 and 2024 and many years prior to that.

During 2016 and 2017, Neubecker assisted the U.S. Federal Government in discovering important security compromises, including the compromise of the NIST.gov wildcard certificate (boudicca.nist.gov) using deprecated encryption (December 2016), the compromise of time.gov NIST time servers (December 2016), the compromise of the NIST NSRL Hash Set download page (December 2016), and leaked email usernames and passwords from U.S. Intelligence Agency email account credentials onto public sandbox websites such as pastebin.com (December 2016 and January 2017). Neubecker has a track record of uncovering Cyber Data Breaches and has performed investigations on the State and Federal Government Agency levels.

Neubecker has performed extensive research pertaining to hardware-based vulnerabilities and exploits, including Serial Peripheral Interface – chip stored malware that has been impacting individuals, companies and government agencies in the wild following the leak of U.S. Cyber weapons cache. Neubecker identified and reported the hack of the chicagoelections.com website that resulted in millions of Chicago resident (and former resident) voting records being disseminated online. Neubecker also provided important intelligence collection and analysis services that helped bring the perpetrators of the Boston Marathon Bombing to justice. Prior to founding Enigma Forensics, Neubecker founded Forensicon, Inc. and sold the company to QDiscovery, a national eDiscovery services provider. While managing Forensicon, Mr. Neubecker provided consulting services in the areas of computer forensics, electronic discovery, data recovery and litigation support to a diverse range of clients. Mr. Neubecker has worked on both Plaintiff and Defense sides, and has served as a regular speaker on topics in the computer forensics and electronic discovery fields for Midwestern legal bar associations, Professional Associations and National Legal Conferences. Mr. Neubecker has been appointed a special master in civil litigation matters by the courts. Mr. Neubecker has been cited in the appellate court as an expert witness in the case, Liebert Corp. v. Mazur. The published opinion of Justice Wolfson, Circuit Court of Cook County, regarding Mr. Neubecker’s testimony can be found at the following link: https://caselaw.findlaw.com/il-court-of-appeals/1063543.html

Prior to founding Forensicon, Inc., Mr. Neubecker founded BuzzBolt Media, a web development and Search Engine Optimization consultancy which later became Forensicon, Inc. Before moving to Chicago in 2000, Mr. Neubecker led the online communities’ product development and programming initiatives for the Lycos Network, a pioneering Web media model that included three Top 10 Web sites and was one of the most visited hubs on the Internet during Neubecker’s tenure. Neubecker was responsible for creating, launching and managing chat, instant messaging, message boards, and online games across the Lycos network. In this role, Mr. Neubecker led the company’s response to legal inquiries from law enforcement personnel and personally oversaw complicated international investigations involving transcontinental Cyber attacks against company servers and users.

Before joining Lycos and graduating with an MBA focused in technology, Mr. Neubecker launched and successfully managed Innovative Consulting, Inc., an information technology consulting company. Mr. Neubecker’s company deployed network management, contact management, sales automation and ERP solutions to small and mid-tier organizations. Prior to Innovative Consulting, Neubecker held operations and finance analyst positions with Ford Motor Company and Comerica Bank. Mr. Neubecker has experience in securities valuation and accounting from his position at Comerica Bank, where he served as a Trust Fund finance analyst. While serving at Ford Motor Company as an intern, Neubecker was integral in automating important processes and bringing financial forecasting methodologies online, resulting in more timely and accurate quarterly financial forecasts.

Mr. Neubecker graduated magna cum laude from Babson College with a Masters of Business Administration, focusing on Technology. Mr. Neubecker also holds an undergraduate degree in Finance, magna cum laude, from Eastern Michigan University.

NOTABLE CASES OF RECORD AS A COMPUTER FORENSICS EXPERT WITNESS

LESEAN DOBY v. ZIDAN MANAGEMENT GROUP, INC.

IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

Case No. 1:23-cv-16602

Provided affidavit regarding the analysis of a biometric fingerprint lock in support of the defendant as it relates to the Illinois Biometric Information Protection Act.

JAQUAN SHORTER v. ADVOCATE HEALTH AND HOSPITALS CORPORATION, ET. AL.

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS

COUNTY DEPARTMENT, LAW DIVISION

Case No. 2023L012024

Filed affidavit regarding user authentication to the defendant’s Electronic Medical Record system and the origins of the logon activities when accessing the patient’s health provider’s EMR system.

EUGENE EVANS v. CORRECTHEALTH CLAYTON, LLC and PAMELA BLAHA, LPN

IN THE SUPERIOR COURT OF FULTON COUNTY STATE OF GEORGIA, Case No. 2023CV379078

Filed affidavit regarding electronic medical records.

MARVA BURNETTE v. RUSSELL P. NOCKELS, M.D., IGNACIO JUSUE-TORRES, M.D., and LOYOLA UNIVERSITY MEDICAL CENTER

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, LAW DIVISION, Case No. 2023-L-000973

Filed affidavit regarding electronic medical records and audit trails.

CHRISTINE MCLAUGHLIN, CRYSTAL VANDERVEEN, JUSTIN LEMBKE, SCOTT HARDT, ET. AL. v. SELECT REHABILITATION LLC

UNITED STATES DISTRICT COURT FOR THE MIDDLE DISTRICT OF FLORIDA

JACKSONVILLE DIVISION

CLASS and COLLECTIVE ACTION Case No: 3:22-cv-00059-HES-MCR

Filed Declaration regarding the availability of EMR audit log records to show when staff were performing work.

CDL 1000, INC. v. SCOTT ROBERTSON

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2022-CV-00415

Provided affidavit detailing the lack of compliance with the courts’ order requiring handover of Robertson’s personal smartphone and computer for forensic preservation and analysis relating to a departed employee investigation and alleged electronic trade secret misappropriation.

DEVIN ESTIME v. SOUTHERN CALIFORNIA PERMANENTE MEDICAL GROUP

SUPERIOR COURT OF THE STATE OF CALIFORNIA COUNTY OF LOS ANGELES, Case No.: 22STCV06517

Filed affidavit regarding electronic medical records and audit trail productions.

ROBERT BRONSTEIN v. LATIN SCHOOL OF CHICAGO

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, LAW DIVISION,

Case No. 2022-L-003763

Completed forensics analysis of iPhone, Macbook, and iPad of defendant in the case.

CONNIE & GARY ANDERSON v. PATIENT FIRST MARYLAND MEDICAL GROUP

IN THE CIRCUIT COURT FOR BALTIMORE COUNTY Case No. C-03-CV-21-001814

Provided affidavit related to EMR and audit trail logs.

PHOTOFAX, INC. v. JOSEPH BRADY

CIRCUIT COURT OF KANE COUNTY, IL Case No. 21-CH-000167

Provided affidavit detailing the forensic examination of the PhotoFax issued laptop by the departed employee. Reported on the destruction of evidence and provided support for a motion to compel examination of the devices still used by Joseph Brady to look for sensitive company data and trade secrets.

JAMES ABRAHAM, successor Trustee of the JOHN A. ABRAHAM TRUST v. ELIZABETH CHAPMAN

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, MUNICIPAL DIVISION

Case No. 2020 M170426

Provided affidavit regarding the authenticity of alleged lease produced by the defendant relative to a forensic analysis of computing devices.

JOSEPH NICOLOSI ET. AL. v. STANDARD PARKING ET. AL.

CIRCUIT COURT OF COOK COUNTY, IL Case No. 20-L-007912.

Provided affidavit detailing EXIF photo metadata extracted from the Plaintiff’s production of alleged photos taken of damaged artwork and other effects. Identified photos that were edited after they were taken using Photoshop.

PATRICK T. MCKINNEY, BY AND THROUGH HIS LEGAL GUARDIAN, RONI S. MCKINNEY, AND RONI S. AND TIMOTHY C. MCKINNEY, INDIVIDUALLY AND AS THE PARENTS AND NATURAL GUARDIANS OF PATRICK T. MCKINNEY v. THE CLEVELAND CLINIC FOUNDATION AND THE CLEVELAND CLINIC HEALTH SYSTEM

COURT OF COMMON PLEAS OF CUYAHOGA COUNTY, OHIO Case No. CV-20-931-660.

Provided affidavit in support of a motion to compel for supervised on-site obtainment of the plaintiff’s full medical records. Involved Epic EMR software.

NIMISH SHAH, AS THE NATURAL SON OF PUSHPABEN C. SHAH, v. ST. LUKE’S EPISCOPAL PRESBYTERIAN HOSPITALS, D/B/A ST LUKE’S HOSPITAL, ET. AL.

CIRCUIT COURT OF ST. LOUIS COUNTY, MISSOURI. Case No. 20SL-CC04023. Div. 8.

Signed an affidavit exhibiting deficiencies in Defense’s production and supporting a motion to compel for an on-site collection of the plaintiff’s medical records. Involved Cerner software.

MARC STRAUSS v. KATHLEEN VAN VALKENBURG, M.D. and SIGHT MEDICAL DOCTORS, P.L.L.C.

SUPREME COURT OF THE STATE OF NEW YORK, COUNTY OF NASSAU, Index No. 608054/2020.

Submitted an affidavit in support of a motion to compel for full medical records involving MyCare iMedicWare EMR software.

DEBORAH CARR v. HOSPITAL SISTERS HEALTH SYSTEM

IN THE CIRCUIT COURT OF THE SEVENTH JUDICIAL CIRCUIT SANGAMON COUNTY, ILLINOIS, Case No. 2020-L-105

Provided affidavit related to EMR and audit trail logs.

RONI S. AND TIMOTHY C. MCKINNEY, v. THE CLEVELAND CLINIC FOUNDATION

IN THE COURT OF COMMON PLEAS CUYAHOGA COUNTY, OHIO

Case No.: CV-20-931660

Filed affidavit regarding electronic medical records.

AUSTIN ROBERTS v. IOWA HEALTH SYSTEM d/b/a UNITYPOINT HEALTH, TRINITY MEDICAL CENTER

IN THE CIRCUIT COURT OF THE FOURTEENTH JUDICIAL CIRCUIT ROCK ISLAND COUNTY, ILLINOIS, Case No. 2020 L 76

Filed affidavit regarding electronic medical records and audit trails.

SMART MORTGAGE CENTERS, INC. v. BRIAN NOE, EILEEN PRUITT, AND NEXA MORTGAGE, LLC

IN THE CIRCUIT COURT OF WILL COUNTY, ILLINOIS TWELFTH JUDICIAL CIRCUIT Case No. 20 CH 292

Filed an affidavit regarding allegations of trade secret misappropriation.

PHILIPS NORTH AMERICA, LLC v. FITBIT, INC.

IN THE US DISTRICT COURT FOR THE DISTRICT OF MASSACHUSETTS

Case No.: 1:2019cv11586

Filed affidavit relating to forensic inspection of electronic data relative to allegations of trade secret misappropriation.

ROBERT WATSON and MARK SAULKA, v. RYAN TODD WEIHOFEN and POOL TECHNOLOGIES, LTD.,

IN THE CIRCUIT COURT OF COOK COUNTY ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION, Case No. 2019 CH 12252

Filed affidavit regarding the expected cost to comply with a subpoena for production of electronic medical records.

LOUIS ARGIRIS v. PAUL V. FAHRENBACH, M.D., GI SOLUTIONS OF ILLINOIS LLC, ATHANASIOS D. DINIOTIS, M.D., TIESENGA SURGICAL ASSOCIATES, S.C. d/b/a SUBURBAN SURGERY CENTER INCORPORATED, JOSEPH Z. PUDLO, M.D., and JOSEPH Z. PUDLO, M.D., S.C.

COOK COUNTY CIRCUIT COURT, ILLINOIS, Case No. 2019 L 012187.

Provided affidavit in support of a motion to compel for the revision history of the plaintiff’s medical records. Consulted with counsel in serving subpoena to EMR system provider. Involved Greenway Health’s EHR platform.

CHRISTOPHER JOHANSEN v. NOW MARKETING SERVICES INC. AND INTERCOVE, INC.

CIRCUIT COURT OF WILL COUNTY, IL, Case No. 19-L-989.

Provided affidavit relating to departed employee apparent deletion activities including access of emails post employee departure in support of a motion to compel forensic preservation and analysis of the departed employee’s personal electronic devices.

ROBERT WATSON AND MARK SAULKA v. RYAN TODD WEIHOFEN AND POOL TECHNOLOGIES, LTD.

CIRCUIT COURT OF COOK COUNTY, IL, Case No. 19-CH-12252.

Provided affidavit discussing the expected costs of a third party producing electronically stored information.

BYRON FOXIE, as legal guardian and parent of TIGE W. FOXIE, v. ANN & ROBERT H. LURIE CHILDREN’S HOSPITAL OF CHICAGO, and ALMOST HOME KIDS, and OTHER UNKNOWN PARTIES, JOHN DOES 1-10 and ROE CORPORATIONS 1-10

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 19 L 7430

Provided testimony in the form of three affidavits supporting a motion to compel during discovery due to deficiencies in EMR production. Involved Epic EMR software.

PHOTOFAX, INC. v. MICHAEL CALDARAZZO

CIRCUIT COURT OF KANE COUNTY, ILLINOIS, Case No. 19-CH-000217.

Performed forensic imaging of departed employee devices. Assisted with the construction of an ESI protocol. Analyzed, signed an affidavit, and testified regarding alleged misappropriation of trade secrets.

BLACK ROCK TRUCK GROUP, INC. FKA NEW ENGLAND TRUCK SALES AND SERVICE, INC. v. HARRY TARASIEWICZ and JOSEPH TARASIEWICZ

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK, Case No. 7:19-cv-2367

Performed preservation of evidence, search and production of ESI. Analysis regarding allegations of trade secret misappropriation. Provided testimony regarding fabrication of emails and destruction of evidence.

TERRI BROWN v. MOUNT SINAI MEDICAL CENTER OF FLORIDA, INC. ET. AL.

IN THE CIRCUIT COURT OF THE ELEVENTH JUDICIAL CIRCUIT IN AND FOR MIAMI-DADE COUNTY, FLORIDA

Case No. 2018-016560-CA-09

Filed affidavit regarding the inadequate production of Plaintiff’s electronic medical records.

JERAME ANDREWS, and THERESA ANDREWS v. ANKLE AND FOOT CENTERS OF GEORGIA, ET. AL.

IN THE STATE COURT OF GEORGIA FULTON COUNTY Case No. 18EV003536

Filed affidavit regarding the inadequate production of Plaintiff’s Electronic Medical Records.

UNITED STATES DEPARTMENT OF JUSTICE v. BUYANTOGTOKH DASHDELEG, PETITION FOR REMOVAL.

Executive Office for Immigration Review Chicago, Illinois, File No. A218-056-722

Filed affidavit regarding the authenticity of email transmitted.

PEOPLE OF THE STATE OF ILLINOIS v. CHRISTIAN DAIGRE

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2018-cr-1626801

Provided affidavit regarding the lack of the original sources of data being preserved that would allow for authentication of SMS and MMS messages allegedly sent and received.

RILEY ANN BERGTHOLDT v. ADVOCATE HEALTH AND HOSPITAL CORP, ET. AL.

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2018-L-8647

Provided affidavit detailing deficiencies with defendant’s production of Electronic Medical Records (hereafter “EMR”) produced from Allscripts and from EPIC.

ANDREA BROCK, MICHAEL BROCK, S.B. v. THE UNIVERSITY OF CHICAGO MEDICAL CENTER D/B/A COMER CHILDREN’S HOSPITAL

CIRCUIT COURT OF COOK COUNTY, IL, Case No. 18-L-1175.

Provided affidavit in support of a motion to compel production of the Patient’s complete EMR, including Defendant’s secure file storage system, “Sticky Notes”, “In Basket” messages, audit trail records and complete revision history of the EMR as stored in the EPIC Hospital Information System.

TERRI BROWN, an individual, and ALAN ROCK, her husband, v. MOUNT SINAI MEDICAL CENTER OF FLORIDA, INC. d/b/a MOUNT SINAI MEDICAL CENTER, a Florida Corporation; and WILLIAM F. BURKE III, M.D., an individual; and BRETT C. FUKUMA, M.D., an individual

CIRCUIT COURT OF MIAMI-DADE COUNTY, FLORIDA, Case No. 2018-016560-CA-09.

Filed two affidavits in support of a motion to compel for an on-site collection of plaintiff’s electronic medical records. Involved Epic EMR software and Synapse PACS.

THE FOREST PRESERVE DISTRICT OF COOK COUNTY v. ROYALTY PROPERTIES, LLC; CANNON SQUIRES PROPERTIES, LLC; MERIX PHARMACEUTICAL CORPORATION, RICHARD KIRK CANNON, MERYL SQUIRES-CANNON, MCGINLEY PARTNERS, LLC, AND ROYALTY FARMS, LLC

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 18 L 315.

Provided in-courtroom testimony on the significance of electronic file metadata as it relates to when documents were received and modified.

BROWARD ENERGY PARTNERS v. RAPPAPORT

CIRCUIT COURT OF COOK COUNTY LAW DIVISION, Case No. 18 L 1096.

Provided in-court testimony and testimony via affidavit to assist with the eDiscovery protocol process and address allegations of spoliation, withholding of information and authenticity of email.

JORIE LP, KOPLIN AND CONTENT CURATION & DATA ASSET MANAGEMENT v. ROBERTS MCGIVNEY ZAGOTTA ET AL.

CIRCUIT COURT OF DUPAGE COUNTY, ILLINOIS, Case No. 17 L 728.

Provided in-court testimony and testimony via affidavit involving issues of email authenticity, cell phone fabrication of evidence, and eDiscovery.

MCMAHON v. DIGITAL FUEL SOLUTIONS

CIRCUIT COURT OF WILL COUNTY, ILLINOIS, Case No. 15 L 681.

Provided written affidavits regarding alleged software code misappropriation. Assisted counsel with seeking preservation of electronic data from third parties.

BORCHERS v. FRANCISCAN TERTIARY PROVINCE OF THE SACRED HEART, INC., ET. AL.

Case No. 2011 IL App (2d) 101257.

Testified in support of violation of the Electronic Communications Privacy Act by Plaintiff’s former employer.

http://www.illinoiscourts.gov/opinions/AppellateCourt/2011/2ndDistrict/December/2101257.pdf

SABAN v. PHARMACARE MANAGEMENT, LLC ET. AL.

NORTHERN DISTRICT OF ILLINOIS (Chicago), Case No. 1:10-cv-02428.

Rebuttal witness regarding trade secret misappropriation.

TRANCO INDUSTRIAL SERVICES, INC. v. CAMPBELL

NORTHERN DISTRICT COURT OF INDIANA, HAMMOND DIVISION, Case No. 07-CV-206.

Won TRO – Violation of Computer Fraud & Abuse Act – Trade Secret Misappropriation. Supervised and prepared our testifying expert for this case.

VALUEPART v. ITR NORTH AMERICA ET. AL.

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 06-CV-02709.

http://www.forensicon.com/resources/case-summary/valuepart-v-itr

CHARLES A. KRUMWIEDE v. BRIGHTON ASSOCIATES, LLC AND ISMAEL C. REYES

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 05-C-3003.

Supervised and prepared our testifying expert for this case. http://www.forensicon.com/resources/case-summary/krumwiede-v-brighton-associates/

S.C. JOHNSON & SON, INC. v. MILTON E. MORRIS ET. AL.

CIRCUIT COURT OF RACINE COUNTY, WISCONSIN, Case No. 04-CV-1873.

Led the investigation and preservation effort that uncovered personal webmail, revealing a fraudulent kickback scheme, which resulted in a law enforcement sting and later a successful conviction of the accused. This ultimately resulted in an award of $203.8 million to compensate SC Johnson & Son, Inc. for its losses. https://www.forensicon.com/resources/case-summary/wisconsin-appeal-sc-johnson-vs-morris-schelle/

LIEBERT CORPORATION ET. AL. v. JOHN MAZUR ET. AL.

CIRCUIT COURT OF COOK COUNTY, CHANCERY DIVISION, Case No. 04 CH 02139.

Appellate Court, Second Division, Case No. 1-04-2794.

Provided testimony via affidavit and in court, identifying patterns of trade secret misappropriation.

KALISH v. LEAPFROG ONLINE ET. AL.

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 03-L-011695.

Performed analysis of the computer used by the recently departed employee and reported on the employee’s actions to the court.

http://www.forensicon.com/resources/case-summary/kalish-v-leapfrog-online/

LORILLARD TOBACCO COMPANY v. CANSTAR (U.S.A.), INC. ET. AL.

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 03-C-4769.

Performed forensic preservation and forensic analysis that resulted in identifying a counterfeiting syndicate. Located personal email accounts and offshore wiring accounts used to perpetrate the counterfeiting scheme. More than $5 million was awarded from Neubecker’s discovery of a counterfeit scheme.

TECHNICAL SKILLS

Managed Engineering Development and data analysis activities across many disparate technologies, from legacy through more recent technologies and platforms, including:

Database Technology:

FileMaker, MySQL, Oracle, SQL, SQL Server, Law eDiscovery, & Medical ERP Patient Record Systems

Forensic Software:

Aircrack, Airmon, Access Data, Mobile Edit Pro, Cellebrite, EnCase, Paladine, Recon Lab, Forensic Toolkit, Paraben, & WiFite

Online Reconnaissance:

Dark Web, IRC, GFI Languard, Maltego, & Usenet

Security Monitoring:

Nmap, Splunk, Snort, Wireshark, Sophos UTM, & Shodan

Operating Systems / Command Line Shells:

Mac OS X, Windows (DOS/3.1/NT/2000/XP/Vista/2008/2012/7/8/10), Windows Server NT, 2000, 2008, 2012 (Active Directory, Group Policy Management, Certificate Management), Bash, Busybox, Amiga, Commodore, CPM, TI 99/4a, Grub, Kali Linux, Linux, Raspbian OS, Solaris, VMware, Raspberry PI OS, & Unix

Programming:

C++, CVS, DOM, Pascal, Xcode, XML, Kintone, Python, Fabric & Visual Basic

Software Applications:

MS Office, SDR, Webx, WebTrends, Camtasia, Adobe Photoshop, MS Project, MS Access, MS Excel, MS PowerPoint, MS Word, MS Visio, Peachtree, Quickbooks & Quicken

Web:

Expert in Search Engine Optimization, ASP, ColdFusion, HTML, Java, JavaScript, Python, PHP, Scripting Languages, Artificial Intelligence, & WordPress

EDUCATION & PROFESSIONAL DEVELOPMENT

  • M.B.A., Magna Cum Laude – Babson F.W. Olin Graduate School of Business – Wellesley, MA
  • B.B.A. Finance, Magna Cum Laude – Eastern Michigan University – Ypsilanti, MI
  • Guidance Software – EnCase® Introduction to Computer Forensics 32 credits – Sterling, VA
  • Guidance Software – EnCase® Intermediate Analysis and Reporting 32 credits – Sterling, VA
  • Guidance Software – Information Risk and Policy Compliance 3 credits – Chicago, IL
  • Continuing Education – Computer Programming – Harry S. Truman College – Chicago, IL
  • Novell Computer Network Training – Walsh College – Troy, MI

PROFESSIONAL EXPERIENCE

EnigmaForensics.com — President & CEO
Chicago, IL (8/2018 – Present)

  • Provided direct consulting to clients involving complex issues relating to eDiscovery
  • Retained by Government Agency to assist with deposing technical deponent in litigation relating to patient health care records
  • Assisted with developing a court approved protocol for production of ESI
  • Conducted complex investigations involving the authenticity of emails

HaystackID — Chief Information Officer
Boston, MA (4/2018 – 7/2018)

  • Managed all IT resources for eDiscovery production environment and internal systems
  • Oversaw data center migration
  • Created documentation and work ticketing system for tracking problems and improving service response

HaystackID — Chief Information Security Officer
Boston, MA (1/2018 – 3/2018)

  • Performed initial security assessment of organization
  • Prepared for GDPR compliance initiatives of organization
  • Outreach to potential clients

FORENSICON, a QDiscovery Company — Founder and consultant, Chicago, IL (2016 – 2017)

  • Identified opportunities to provide existing client base with services available from combined companies
  • Presented on the Telephone Consumer Protection Act regarding strategies towards mitigating lawsuits

FORENSICON, INC. — President & CEO
Chicago, IL (2000 – 2016)

  • Conducted fraud examinations involving misappropriation of funds, trade secrets, tax evasion, money laundering, and other white collar related investigations
  • Supervised a team of forensics experts in providing complex litigation plaintiff and defense consulting
  • Appointed by the U.S. District Court of the Northern District of Illinois to assist defense counsel in the trial of accused terrorist Tahawwur Rana – on the single count where my firm presented testimony, the defendant was found not guilty
  • Performed online investigative work to identify and assist law enforcement with the apprehension of the Boston Bombing perpetrators, Dzhokhar and Tamerlan Tsarnaev
  • Uncovered and reported the third known data breach of the Chicago Board of Elections voter database and election worker personal information
  • Supervised testifying experts on many cases of record to prepare technical experts for cross examination and rebuttal of their findings
  • Preserved electronic evidence for a range of clients using legally sanctioned protocols
  • Selected as preferred vendor by the Illinois Attorney Registration Disciplinary Commission – assisted with investigating various claims filed against licensed Illinois Attorneys
  • Developed Custom ERP System for evidence management, project management, time tracking and billing
  • Provided expert testimony to resolve disputes for various commercial, nonprofit, and governmental agency clients
  • Appeared several times as a computer forensics expert on WCIU TV Chicago Channel 26, First Business, NPR Business News, NBC Chicago and more
  • Led data breach first responder efforts for: State Government Social Services Department, Non-Profit HealthCare Organization, Financial Services Company, Accounting Firm, Private Membership Club Organization and various Corporations
  • Oversaw the development and presentations made to attorneys and legal support staff at the Chicago Bar Association, Illinois Attorney & Discipline Regulatory Commission, DuPage County Bar Association, various associations and more
  • Provided expert witness testimony regarding willful deletion of evidence by a departing employee where the testimony was upheld on appeal proving spoliation of evidence
  • Compiled emails from numerous platforms into popular litigation support platforms
  • Speaker at various events on the topic of computer forensics (see list below)
  • Performed computer forensics examinations in FBI forensics labs
  • Led the successful forensic analysis defense efforts against a law firm client of our firm that was accused of willful spoliation of evidence – discovered and reported our findings to Judge Mikva that no spoliation had occurred as alleged, the drive was merely encrypted and contained all information
  • Led numerous anonymous online defamation investigations resulting in the identification of many anonymous persons responsible for the defaming activities
  • Expert in Search Engine Optimization

LYCOS, INC. — Senior Product Development Manager, Community Products Group,
Waltham, MA (1998 – 1999)

  • Managed and/or launched a large group of products including chat, message boards, and games
  • Responded to SEC/FBI Inquiries pertaining to illicit behavior in Lycos network online properties
  • Tracked hacker attacks on the Lycos network of sites to help identify and prosecute offenders
  • Implemented safeguards against denial-of-service attacks across product group
  • Instituted product development and service roadmap management system for teams
  • Created & managed multiple cross-functional product teams
  • Managed transition of products from external to internal hosting
  • Led engineering team on the development of scalable & secure online products

INNOVATIVE CONSULTING, INC. — President, Brownstown, MI (1994 – 1997)

  • Led a company of five professionals providing IT support to various sized Companies
  • Provided Network support in a multi server environment (NT, Novell, Mac, Linux)
  • Implemented financial management software for tier 3 automotive suppliers
  • Designed & executed disaster recovery procedures for multiple businesses
  • Architected multi-office communication infrastructure for multiple companies

COMERICA BANK — Securities & Trust Fund Accountant, Detroit, MI (1994)

  • Audited security transactions for bank trust funds
  • Researched discrepancies in reporting
  • Published & verified daily yield rates of several portfolios of marketable securities
  • Initiated automation of trust fund daily reporting

FORD MOTOR COMPANY, INC. — Product Pricing Analyst
Detroit, MI (1992 – 1994)

  • Estimated cost impact on production forecast for various product design changes
  • Benchmarked sourced products to ensure price competitiveness
  • Designed & implemented a profit forecasting system using Excel & EDI

PRESENTATIONS

  • “Keys to Unlocking Electronic Medical Records EMR”, MCLE Tuesday May 25, 2021 delivered via Zoom co-sponsored by the Illinois Public Defender Association, the Illinois Innocence Project, the Center for Integrity in Forensic Sciences, and the Family Justice Resource Center.
  • Illinois Public Pension Advisory Committee: Friday, December 2nd’s IPPAC Winter Conference “The Imminent Threat of Cyber Attacks to your Pension Boards” panel
  • National Society of Insurance Investigators: “Cellphones, Pictures, Videos . . . What a Cyber Forensic Investigation Can Reveal”, December 4th, 2014
  • The Disaster Conferences: “Cyber Threats and Data Breaches”, September 18th, 2014
  • First Chair Awards: “Data Breach & Incident Response: How to Mitigate Your Risk Exposure”, August 2014
  • Cigar Society of Chicago: “How to Catch a Terrorist”, September 2013
  • ICPAS Fraud Conference 2012: “What a Responsible Professional (CPA or Attorney) Should Know about eDiscovery and Document Management”, September 2012
  • Law Bulletin E-Discovery Seminar: “Managing Scope & Review”, June 28th, 2011
  • NetSecure ‘11: IT Security and Forensics Conference and Expo: “Protecting Digital Assets from Hackers and Thieves”, March 24th, 2011
  • Chicago Association of Litigation Support Managers, CALSMposium: “Seventh Circuit Electronic Discovery Pilot Program”, October 7th, 2009
  • National Business Institute – “E-Discovery Searching the Virtual File Cabinets”: (co-presented with Christopher S. Griesmeyer, partner at Levenfeld Pearlstein, LLC and David W. Porteous, partner at Faegre Baker Daniels LLP) “Obtaining Electronic Data & Best Practices in using Computer Forensics”, September 19th, 2008
  • Law Bulletin E-Discovery Seminar — “Electronic Discovery in Practice”: (co-presented with Jennifer Wojciechowski of Kroll Ontrack) “Avoiding the Pitfalls of the Electronic Era”, October 2005
  • Institute of Internal Auditors, Chicago West Chapter Meeting: (co-presented with Cameron Nelson, attorney at Greenberg Traurig) “Using Computer Forensics To Conduct Investigations”, May 9th, 2006
  • Association of Certified Fraud Examiners Workshop: (co-presented with Kathryn Hoying, attorney at Johnson & Bell, Ltd.) “Using Computer Forensics to Conduct Investigations”, February 10, 2006
  • Chicago Law & Technology Conference: “Computer Forensic Update”, co-presented with Greenberg Traurig LLP Attorney Cameron Nelson, February 23, 2006
  • FagelHaber, LLC’s E-Discovery Conference: (co-presented with Richard Chapman, Gary Green, David Rownd and Robert Kamensky, attorneys at FagelHaber, LLC) “Avoiding the Pitfalls of the Electronic Era”, October, 2005
  • Chicago Bar Association, CLE Seminar: (co-presented with Kathryn Hoying, attorney at Johnson & Bell, Ltd.) — “Deliverables to Request From Your Computer Forensics Examiner”, 2005
  • Chicago Economic Development Council: “Internal Fraud Investigations”, 2005
  • Law Bulletin Publishing Company E-Discovery Conference 2005: “Show me the Smoking Gun!”, 2005
  • American Law Firm Association’s International Client Seminar 2005: (co-presented with Joe Marconi, attorney at Johnson & Bell, Ltd and Donald Kaufman, attorney at McNees, Wallace & Nurick LLC) — “Discovery, Document Retention & eDiscovery in a Post-Enron/Andersen World”, 2005
  • Chicago Bar Association, CLE Seminar: (co-presented with William J. Cook of Wildman Harrold, Jeffrey L. Hartman of Competitive Advantage Solutions and Mark S. Simon of Eclipsecurity, LLC) “Computer Forensics For Lawyers”, May 6th, 2004
  • Chicago/Milwaukee Joint Midwest Law & Technology Conference 2004: “Finding the Smoking Guns: Legal Computer Forensics Without the Geekspeak”, November 30th, 2004
  • Chicago Bar Association, CLE Seminar: “Resolving Intellectual Property Theft with Computer Forensics”, October 20th, 2004
  • Chicago Bar Association, CLE Seminar: “Computer Forensics for Lawyers”, May 6th, 2004
  • Law Bulletin Publishing Company E-Discovery Conference: “Electronic Document Collection and Processing”, April 27th, 2004
  • LegalTech 2003, Chicago: “True Electronic Discovery”, October 30th, 2003
  • Chicago Bar Association (Law Office Technology Committee): “Electronic Discovery 101”, 2003
  • Illinois Academy of Criminology: “Electronic Discovery 101”, Circa 2003
  • Greater Chicago Chapter of the Association of Legal Administrators: “Electronic Discovery 101”, Circa 2003
  • Chicagoland Chamber of Commerce: “Web Page Programming For Search Engine Effectiveness”, Circa 2001
  • NORBIC: “Web Page Programming For Search Engine Effectiveness”, Circa 2001
  • Law Practice Today — (July 2004) — Invited to be a contributing expert on a roundtable article by Dennis Kennedy on the online magazine: http://www.abanet.org/lpm/lpt/articles/ftr07041.html

ARTICLES

CURRENT & PAST MEMBERSHIPS / CERTIFICATIONS

  • Certified Information Systems Security Professional (CISSP) — Chicago Chapter
  • HTCIA (High Tech Crime Investigation Association) — Past President — Midwest Chapter
  • Illinois Academy of Criminology — Chicago Chapter
  • U.S. Secret Service Electronic Crimes Task Force Member — Chicago Midwest Region
  • Union League Club of Chicago — Technology Group Member
  • Association of Certified Fraud Examiners — Associate Member
  • State of Michigan — Private Investigator — License Number 3701205872

Early Voting in Cook County

Do you have concerns about voting in person? Cook County Clerk Karen Yarbrough urges everyone to vote early or by mail. Make a plan and plan your vote. It’s easy peasy!

Cook County Clerk Karen Yarbrough sits down with Lee Neubecker, President of Enigma Forensics to discuss the do’s and don’ts of early voting in the Cook County election and how to receive your mail-in ballot.

Early voting begins on October 19.

Lee Neubecker (LN): Hi, so I’m here again today with Karen Yarbrough, the Cook County Clerk, and we’re talking about the election that’s coming up. And today’s topic is specifically about early voting. Karen, thanks for being here.

Clerk Karen Yarbrough (CY): It’s always a pleasure, Lee.

LN: We’re actually seated roughly 12 feet apart from each other, practicing social distancing.

CY: Yes we are.

LN: And we can actually look at each other while we talk, which is nice.

CY: Yes we can.

LN: So tell us a little bit more about why people should consider early voting this election.

CY: You know Lee, I used to always pride myself in voting on election day. There’s something exciting about voting on election day. The camaraderie, seeing people you don’t see, you know, particularly every day. However, I got used to voting by mail because it’s convenient. And so people should, with this particular election, they need to make a plan and then plan their vote. I’ve already made that plan. And I plan to, I’ve already requested my ballot. I expect it in the mail any day now. And I plan to review my choices and I plan to drop it in a dropbox.

LN: Great. So when can you vote early in Cook County and the city of Chicago?

CY: So in Cook County, you can early vote on the 19th of October. There are some dates, October 7th, I believe for somebody who’s not registered to vote, they can actually register and vote on the 7th of October. In the city of Chicago, they will be starting that process on October first.

LN: So is there a website that people can go to if they want to get a–

Where to find more voting information

CY: I’m glad you asked Lee. All the information that you’ll ever want to know is at cookcountyclerk.com. Everything is there. Go to that website, click on elections, and you’ll see an array of information there that can answer each and every question that you ever have for elections for this particular election.

LN: And I know that the last election cycle that you told me about that, I actually did it. It only took less than, it was about a minute time–

CY: If it takes that long.

LN: And the ballot came and it was easy. What was nice is I had time to look up the different races. I could use my computer, I could do my research and be thoughtful with access to more than my smartphone. So I could actually read things while I was voting. So it was a nice experience.

CY: Easy peasy, that’s what I say. And, you know, you can give some time to actually looking at your selections. You can go online and research the candidates and make good solid choices.

LN: Yeah, and just so you know, my daughter voted for the first time in this election and we took her to early voting in person. And I asked could I early vote instead because I was there and he said I could but it would be a provisional ballot that wouldn’t get counted until later. So I thought that it seemed, at least, there was a check and balance. Your team knew that I had already requested a mail-in ballot and they had that checkup. But if I wanted to vote in person, I could have, you know, so like, if I lost my ballot, I could still vote. It’s just the provisional ballots don’t get counted until later.

CY: Yeah, and we want people to understand that process too because I’m suggesting to people to go ahead and order a ballot, go ahead, fill out the application. Like you said, it only takes a minute or so to do that. When your ballot comes, make a determination at that point do I plan to, you know, fill this out and mail it in or do I plan to drop it in our dropbox? Or do I plan to maybe do like some others who have suggested to me that they planned the, planned doing that would be their backup plan, just in case they can’t get to the polling place on election day. So I’m encouraging anybody and everybody to please, you know, order your ballot, get your ballot, do your research and obviously vote.

LN: So you can actually take your mail-in ballot and if you’re concerned that it’s going to be held up at the post office, you can drop by any polling place?

CY: We have, right now, over 60 early voting sites. And so if you’ve gotten your ballot and you want to drop it off at a dropbox, you can do that. You do not have to stand in line and we’ll have one of our election workers standing right there.

LN: So outside there’s actually–

Drop Boxes for Mail-In Ballots

CY: Inside, inside there will be a box that you can put your ballot in and there’ll be somebody right in front of that. You will not have to stand in line.

LN: Okay, so what if someone lives outside of Cook County?

CY: Somebody who lives outside of Cook County, you mean that maybe somebody in the military. That’s what absentee voting is all about. And you know, we’ve been doing that since the Civil War. Complete your ballot, send in for your ballot, complete your ballot and mail it in.

LN: Do you have any concerns about people voting more than once?

CY: We do not because we put a number of things in place to make sure that kind of thing does not happen. One thing, we have election judges that, you know, they’re sworn in and they review every single signature. You know, you have to sign, so they will do that. Each person has an identification number, okay, that’s only germane to you. So that way we know it’s you. So if Mickey Mouse shows up, Mickey Mouse is not going to be able to vote because Mickey Mouse does not have this voter code that we have. Finally, you know, we have a, we’ve just gone through every idea and had people to kind of test, to make sure that we are ready for the November election to make sure that people, you know, do the right thing. And that’s what we’re telling them to do. Do the right thing. At the end of the day, too, we also do, we check out 5% of the ballots to make sure, you know, after the election, that they’re right on target.

LN: And so finally, when is the last time, the last date that you can request, that you can actually go in and vote early?

CY: The last time that you can go in and vote early actually is November 3rd which is election day, okay. They can vote that day, but the day before. So that would be November 2nd. Don’t wait and do it then. Do it early.

LN: Well, thanks a bunch for being on the show. I look forward to talking to you again soon.

CY: Thank you.

LN: And vote.

CY: Oh, absolutely, vote.

For more information go to cookcountyclerk.com

Contact Tracing APPs are they ethical?

Are Contact Tracing APPs ethical? Are you willing to give up your private data to help slow the spread of the Coronavirus? Check out what these experts have to say!

Contact Tracing is it Ethical?

Apple and Google have the capability that allows cell phones to communicate with each other. Contact Tracing Apps use this capability and have been developed to find and alert the contacts of people infected with the Coronavirus / COVID-19. As soon as someone gets sick with Coronavirus, the APP could alert you if this is someone you have been in contact with, reducing the length of time it would take a real live Contact Tracer to do the tracing. Basically, this is widespread human GPS tracking that presents many privacy issues involving potential data breach, information storage, and sharing sensitive personal data. Should sensitive medical information and individual locations be available on an APP? Do you believe this type of electronic contact tracing is ethical?

Check out this video to listen in on experts as they consider the amount of data that is being collected and what it means for your data when you download a Contact Tracing APP.

Video Transcripts Follow

Lee Neubecker (LN): Hi this is Lee Neubecker from Enigma Forensics and I have Debbie Reynolds back on the show, thanks for coming back Debbie.

Debbie Reynolds (DR): Thank you for having me, very nice to be here.

LN: So I’m very interested to hear more of what your research is regarding contact tracing apps, and what you think that means for individuals that might put these apps in their phone. Tell me a little bit about what’s happening right now with the industry and how contact tracing apps are working.

DR: Yeah, so Apple and Google created a capability so that phones can communicate with each other via beacon. So that they can store information on phones, or have phones bounce off of one another, so that if someone downloads a contact tracing app or registers there, if anyone who also has the app, it will be able to trace back, y’know, how long they spent with certain people and tell them whether they feel like they may have been exposed in some way, and tell them either to quarantine or go seek treatment in some way, or get tested. So it’s pretty controversial, the contact tracing app, for a couple of different reasons. One is, people are very concerned about privacy, like giving their potential medical information to a company that’s not a medical provider, meaning that they’re not protecting the data the same way. Also, as you know, Bluetooth technology isn’t exactly super accurate in terms of the distance that you are from someone, so the delta, in terms of how accurate it can be, may be way off. It may be several meters off, the phone can’t tell if you’re six feet apart or whatever, so I think that they’ve tried to tune that up with this new API that they created, but still, based on the science, we don’t know that it’s actually accurate or not.

LN: So you could still have a situation where, if you put one of these apps on and you’re outside biking, and you bike within 8 to 10 feet of someone who later does have it that you’re getting notified that you have to quarantine on a false basis. That’s a potential outcome of using an app like that, correct?

DR: Yeah, but I think that the way they have it now is that it’s supposed to register you spent more than 15 minutes near that person, so, y’know.

LN: Okay, that’s good to know.

DR: But let’s say you’re parked in your car and someone’s parked next to your car, so you aren’t physically near, y’know, you aren’t in any danger from that person but you wouldn’t know, just because your phone says you’re close to them. They don’t understand the circumstance that you’re in, to be able to tell that, so. I think people are concerned about, a lot about privacy, them taking the data or how the app is actually going to work, and it’s going to work differently in different countries. So what they’ve done is create this API, this capability that’s put on everyone’s phone, and then if you download the app, the app which you use will use that API to actually do this beacon exchange on people’s phones. So, that’s kind of what’s happening right now, is different countries and different places are implementing it in different ways, and some are really pushing back on them because they don’t have really any good guarantees about privacy, or data breach, data breach is a huge issue.

LN: Yeah, I mean, our Government’s never had data in their custody compromised ever, right? wink..wink

DR: Right, that never happened, exactly, so-

LN: You’re having your maps of where you’re walking, your GPS records-

DR: Yeah.

LN: time of day, your movement and that is going to Google and Apple, and under certain conditions they’re passing that data on to the CDC or other entities, law enforcement, enforcement groups.

DR: Well their concern is that data, because it’s at a private company, will get merged with other things, like let’s say your insurance carrier, or your medical, y’know, you get dropped from your insurance because you have this app-

LN: You drive too fast.

DR: No because you have this app, and they think that you may have been exposed, or you’re a higher risk, or a bank doesn’t want to give you a loan or something, because you have this app on your phone. I’ve been hearing a lot of different scenarios people are concerned about. But I’m curious, from your perspective, in terms of how certain things are stored on phones. I know beacons is a really big idea, but maybe you can explain a little bit about how Bluetooth actually works?

LN: Yeah, well Bluetooth is a near band wavelength that allows for peer-to-peer networking. Bluetooth has been exploited in the past to be able to take over devices, so it’s, a lot of people don’t like to have their Bluetooth on continuously because you’re opening your phone up to potential attacks, cyber attacks, via Bluetooth. You’re also broadcasting, when you have Bluetooth on you’re also broadcasting your MAC address identifier, your Bluetooth unique address and there have already been issues where retailers in London at one time, they had kiosks outside that would track the shoppers and they’d know how long they were at certain stores, and they’d use that information to serve custom video ads to people as they’re shopping and walking by.

DR: Right.

LN: So there’s privacy implications and security implications of having Bluetooth on all the time.

DR: Yeah, and that’s a big concern. So I know when I first heard this, about them doing this contact tracing, I was wondering like how exactly would they get the proximity right, and because we have no visibility to that we really don’t know, right?

LN: No.

DR: So we just have to sort of trust the black box and see what happens, to some extent, but I, for me I think my opinion is that contact tracing is a profession, it’s not an app. So, there are people who do this as a profession, only, let’s see, 55% of people in the world don’t even have smart phones, so you’re talking about a capability that’s only for 45% of the people, and not all those people are going to actually volunteer to get these apps.

LN: Yeah.

DR: So it doesn’t really help to contact, for people who do contact tracing, except it adds another layer that they have to work with because they still have to track people whether they have cell phones or not.

LN: It’s interesting stuff, thanks for bringing that to our viewers’ attention and thanks for being on the show again.

DR: All right, thank you so much, I really appreciate it.

LN: Okay.

Security Risks When Working From Home

Working from home? Have you been transferring files between work and personal computers? Be aware of the security risks that are out there. Experts talk about how to protect your company’s private data. Where should you start to make sure your remote workforce is secure? Listen to these experts!

Using Your Personal Computer to Work From Home

What are implications when working from home?

Let’s face it, these are weird times! Never before have we had the bulk of the country’s work force sheltering-in-place and working from home. We’re going on four months battling the spread of COVID-19. Workers have resigned, been terminated and furloughed and many have sensitive trade secrets loaded on their personal computers. Experts Lee Neubecker and the Data Diva Debbie Reynolds discuss current situations and different audits they have performed for companies to retrieve intellectual property and company data. Check out this blog with transcripts.

Video Transcript Follows

Lee Neubecker (LN): Hi, this is Lee Neubecker from Enigma Forensics. And I have Debbie Reynolds, the data diva back on the show from Reynolds consulting. Thanks for being on.

Debbie Reynolds (DR): Thank you so much for having me Lee.

(LN) So what are your thoughts about the shift and changes that have happened over the last couple of months with everyone being stuck at home with their computers?

(DR) I think it’s an interesting issue now, because as you know, even before the pandemic, there were people working at home. But now since there’s so many more people at home, it’s bringing up other security risks, especially with devices. And I’m sure you know, you probably explain more of your experience about working especially a forensic with people who are remote. And some of the challenges with those machines, especially, you know, the same people. They’re either working from home, people are getting furloughed or people are losing jobs where they’re, they’re not in the office. But they still have equipment. So I’m curious to see what you think about all that in terms of the device, the equipment, and some of the risks that come with that.

(LN) We’ve had a number of projects happen during this period where workers either have resigned, they’ve been terminated, or they’ve been furloughed, and there’s a need to get the company data back. And sometimes that data is on their personal computers. Other times the data is on a company issued laptop, but there are companies are just starting to get back to work. And there’s a whole host of issues. If you have sensitive trade secrets, and confidential electronic data on an employee’s personal or work computer, and you don’t have physical custody of that, there’s a real risk of that data getting disseminated to a new employer, maybe leaked online to the web, or maybe even you know, someone’s kid at home installs a game that opens up malware that puts those trade secrets at risk.

(DR) You know, we know a lot of people working from home, and a lot of people are using, I think the statistics said, the majority of people, maybe a slight majority, are using their own computers to, you know, tunnel in via VPN or whatever. But we all know that people still, under a lot of circumstances, let’s say they’re printing, or they have a file they want to, you know, leave locally or something. What is your advice from a forensic perspective? ‘Cause we can, we always see a lot of data commingled together, unfortunately, where the personal and people’s business stuff may be, you know, together in some way, so what is kind of your advice for people working at home for stuff like that?

(LN) If an employee is being asked to work from home, they should ask for a work issued computer.

(DR) Right

(LN) Also you should be using a virtual desktop of sorts.

(DR) Right. Yeah, exactly. But you’ve seen I’m sure you’ve seen a lot of situations where you’re asked to do forensic work. And there is a lot of personal stuff, even on a company.

(LN) Yeah, we’ve had situations where people have, despite having work issued computers, they’ve still connected their personal computer up to corporate resources, Office 365. I’ve seen situations where there’s drives that are syncing to personal, former employees’ personal computers, and even though the accounts are severed, so it can’t continue to sync, then all that data might still reside. So we’re doing audits right now for clients to look for, you know, what devices are synchronizing with corporate data stores, and some of those devices. You know, there really needs to be accounting and audit to match up those devices to ensure that only accounts of active employees are syncing and that those devices are company issued devices, not personal devices because it poses a real risk. It’s a problem that could be preempted by issuing, you know, work equipment, not commingling work and home stuff.

(DR) Are you seeing problems where people are, let’s say they have a phone. And they have like, for example, let’s say they have an Apple phone and they have an iCloud account. And the phone belongs to the company, but their iCloud account is their own personal account where you have problems getting those passwords.

(LN) Yeah, for the most part, we’ve had compliance and I’ve worked to try to help solve the problem, you know, the employee might have stuff they need. And usually what we’re doing in most cases where we have commingled data, where we’re giving the employee or former employee the opportunity to put all their personal stuff onto a drive that will then do a search against and then we’ll wipe, wipe, completely wipe, the original device. They’ll sign a certification of sorts, and then they’ll only copy the stuff that they, that they copied off that we verified, didn’t contain trade secrets, and they’ll pull that back down to the computer. But that relies on some level of trust that if the employee or former employee signs, a declaration or affidavit saying that they returned everything that they’re being honest.

(DR) Do you have people that are concerned, especially in the legal field about people doing remote document review, and having sensitive documents viewed on their computers at home?

(LN) Well, I think that’s a legitimate question. And you know, if, if companies are outsourcing document review, they should be asking the provider, provider questions about, you know, how, what steps are you taking to make sure that those endpoint reviewers aren’t using computers that are compromised? In many cases, companies are using independent contractors as their reviewers and they’re not issuing corporate equipment. So that that’s a real risk that the whole ediscovery industry really needs to grapple with, because someone’s going to get burned at some point in time, especially during this, this pandemic with, you know, resources taxed and people working from home.

(DR) I have one more burning question for you, actually. And this is about BYOD. What do you think? Because the pandemic, do you think more companies will start to do more or less, bring your own device things as a result?

(LN) I think we’re going to see a lot of problems come out of BYOD devices where companies see the problem of losing control of their data. And, at least with the larger companies, I think you’re going to see probably more strict, more strict enforcement of using corporate resources. I mean, there were many companies right before Illinois shut down went into effect they were ordering laptops going running out to, you know, retail stores to quickly grab whatever they could, so they can issue laptops to their employees. And, and so I think you’re going to see, I think you’re going to see a movement away from BYOD in the future.

(DR) I agree with that. I think it’s been a long time coming. I don’t know if you remember when they were first doing this, you know, at first companies were giving people devices, then they decided well we’ll save money will be out BYOD. Now it seems like a pain in the neck to deal with it. And it’s all these risk issues. So I really feel that they’re going to start to go back the other way.

(LN) Now, well there’s a cost associated with BYOD. And now people are furloughed and all your sensitive data is on former employees’ personal computers. So then you’ve got to hire a forensic expert like me to try to work through to get the data back and to solve that problem, which, you know, it might have been much easier to issue a 500 dollar laptop to employee, than to have them synchronize that ’cause they’re going to pay more than $500 dollars to try to solve the problem of getting their data back. So after we get through this next bump in the business cycle where companies are paying out to have to retrieve their data, I think you’ll see that most CFOs will see it’s smart sense to issue corporate laptops and to block access to BYOD devices. But thanks for the question. It was a good one.

(DR) Thank you. Fascinating. Thank you for sharing.

(LN) Thanks

Social Media and Cell Phone Forensics

Social media and cell phone forensics can play an important role in thwarting criminal activity. Check out this conversation between Cyber Forensic Expert Lee Neubecker and Data Diva, Debbie Reynolds. You will be so much smarter afterwards!

Snap Chat, Twitter, Facebook: Social Media and the Importance of Cell Phone Forensics

Lee Neubecker and Debbie Reynolds, the Data Diva, discuss the role of law enforcement in capturing social media posts when trying to thwart the bad guys coordinating a riot or the more recent looting incidents in Chicago. During this difficult time in our nation, what is the role that cell phone forensics should take? Did you know that Apple phones have the ability to automatically shut down when stolen and have a beacon that will detect the location of the phone making it easy for law enforcement to come knocking on the thief’s door? Check out this video to learn more about the role of social media and cell phone forensics.

Transcript of Video Follows

Lee Neubecker (LN): Hi, it’s Lee Neubecker, and I have Debbie Reynolds back on the show, Debbie thanks for being on remotely.

Debbie Reynolds (DR): Thank you for having me.

LN: So I asked you to come on so that we could talk a little bit about some of the recent lootings that have happened in Chicago and other areas across the country. And what could be happening, as it relates to cell phone forensics and how law enforcement can be using that to get to the bottom of how these coordinated attacks are being planned and who might be involved.

DR: Most of what I know about this is basically what you told me so, why don’t you just sort of share what your experience has been so far in the current environment, and then we can talk from there?

LN: Sure. Well, right now, I know that some of the looters that were apprehended had cell phones on them. We don’t know exactly how the information is being used by law enforcement, but technically, an example of things that could happen could include, doing forensics on the cell phone, identifying Snapchat handles they have communicated with, looking at text messages, looking for Twitter accounts and postings. And potentially, what I saw happening during the last week, at least in one instance, there was a post made to Twitter by a user that made a reference to doing a gig at Urban Outfitters on the West Side, and roughly a few hours after, that post went out on Twitter, referencing Urban Outfitters, Nike’s, Liquor and other things. Around four hours after that, looting that went on at that store, so that handle that posted and anyone else that reacted to that post could certainly have been alerted to the potential for mass looting in a coordinated way via social media.

DR: Yeah, I think even though the police do have capabilities to do that type of tracking and tracing, they do heat maps of certain things. The problem is that these incidents, if they are coordinated, they happen pretty quickly so it’s sort of hard for them to kind of preempt it. But as you said, always, they have capabilities, right? To do anything with like cell phones that they capture, but they also have capabilities to do things like geofencing about who was in the area at certain time. So, a lot of what they’re doing is not necessarily preemptive or pre-crime is more of, if something is happening or has happened, they can go back and try to backtrack or trace or… If there are people on the scene they can apprehend whoever is there that’s doing whatever and they sort of build it out from there, right?

LN: Yeah, but just the other day, someone was captured and apprehended in… They got caught because they were posting their raid via social media, and they had a live view of them going to bomb, they were threatening to bomb the place and looted, taking cash registers and the stuff was, this someone that was not from Chicago, I think from downstate, somewhere that came in and came in with a goal to create problems and had a past history of that, but the person had the audacity to post it to Facebook, and the FBI just busted them and they’re indicted now.

DR: I don’t know why people share such things on social media. Because yeah, they do track and trace that. But, a lot of the things especially as I saw, it seemed like a lot of stores that have things like mobile phones have been attacked. And as you know those things are pretty easy to trace back. So I don’t know how far people–

LN: Apple had LoJack, in all their phones at the retail store, and so people who took those phones likely those phones likely got located but-

DR: Oh yeah, definitely.

LN: I don’t know that that’s happening at the cheap cell phone stores, the burner phones.

DR: Well, yeah, those are… No, I mean, they probably… If anything, obviously may have serial numbers and stuff like that but, once you… Whether it’s broken, or people change sims or whatever, it’s harder to track that stuff down. But yeah, the Apple phones, yes. They wouldn’t have very much problem. I think as I heard, I read that what Apple had done is for all the phones that were stolen from them, they were able to lock those down. And then it had a screen on there so that you actually couldn’t use it. So, that’s what I heard was happening with Apple.

LN: Yeah, well, they also have the ability to beacon out and send GPS location so-

DR: Oh, absolutely.

LN: People who are buying stolen Apple phones might find someone knocking on their door, law enforcement.

DR: Yeah, it’s probably not a good idea to buy one off the street at this point. So yeah.

LN: Yeah. Well, any thoughts on your concerns if the privacy issues that might relate to mere surveillance on people and tracking social media posts and actually getting in and subpoenaing phone numbers that were texted to help try to prevent looting from happening?

DR: Well, okay. I guess that’s a couple of different things rolled up into one. So, obviously I’m concerned with mass surveillance, especially if it is capturing information not accurately or targeting people who may not have even been involved. So for example, a cell phone can’t tell like let’s say for instance, you’re standing at a corner and I’m at the stoplight. It says we’re next to each other, but we’re not together. So, a cell phone tracking can’t really tell that so eury people who aren’t involved, who are innocent, who are especially in this regard, peacefully protesting, having them be adjacent to other people doesn’t mean that they were involved so-

LN: Lets just say though, for instance, that they found that there was a string of businesses hit, the Foot Locker, then Denny’s Liquor, CVS and Walgreens.

DR: Yeah.

LN: There were a group of 20 people that all pinged off the four cell phone towers at the same times, and were in close proximity to that and a few other people were ID’d, would that be enough to justify surveillance on people where there were four cell phone towers in common across a range that put them all in the vicinity of where looting took place?

DR: I’m not sure if it would justify surveillance, so to speak, but I think that if they have other evidence, it may help them target those people more closely but, in terms of sweeping people up in surveillance exercise, I don’t think that’s going to happen unless they have additional information. So, let’s say they have information just like you said, like, okay, these people are in the vicinity and then they posted a picture on Facebook with some loot gear that they got, that would be enough, I think, to justify surveillance but just the fact, surrounding the vicinity, that’s probably not enough to go on, I don’t think.

LN: I appreciate your opinions and thoughts on this. It’s a difficult time right now and hopefully we’ll have stability and we’ll have people held accountable on all fronts, not just the leaders.

DR: Yep, I agree.

LN: Yeah, thanks Debbie.

DR: You’re welcome.

Who’s Who Legal Investigations 2020

We are proud to announce Lee Neubecker was once again nominated by his peers as one of the world’s leading practitioners in the Digital Forensic Expert field. Congratulations Lee!

Congratulations Lee Neubecker!

Enigma Forensics’ President and CEO Lee Neubecker was nominated by his peers as one of the world’s leading practitioners in the field of Digital Forensic Experts and is listed as such in the Who’s Who Legal Investigations 2020 publication.

Since 1996 Who’s Who Legal has identified the foremost legal practitioners and consulting experts in business law and investigations based upon comprehensive, independent research.

Who’s Who Legal Investigations said Lee Neubecker is a “great expert” who receives widespread plaudits from sources who note he is “one of the most visible people in the field”.

Nominees have been selected based on comprehensive, independent survey work with both general counsel and private practitioners worldwide.

Issues When Working From Home

Issues when working from home are bubbling up. Are you working from the dining room table on important company information? We discuss the importance of forming a work from home policy.

We have reached a new era of remote business at levels few companies ever planned for. As we all know, COVID-19 has driven businesses and their employees to operate from makeshift home offices. As a result, many issues when working from home have been exposed. In some of our past blogs, Enigma Forensics has provided insight into trade secret theft and given direction on how to protect company trade secrets from cyber attacks. In this blog we will address the current issues that have arisen since we are all working from home.

First and foremost, the mass exodus from the business office to the home office was done at the flip of a switch. Working from home took many companies by surprise, sending employees home expecting this to be a short period of time. Most companies didn’t have time to prepare a proper security plan. In an effort to offer more accessibility to their employees some companies loosened their security standards to allow faster and more convenient access for employees. Some encouraged employees to use their own personal devices. These procedures have increased the risks that companies will be cyber attacked and offer opportunities for trade secret theft and loss of business confidential information. To lessen these possibilities companies must develop policies that address the risks.

Enigma Forensics suggests creating a work from home policy to inform employees of their obligations. Companies need to communicate how important it is to stay secure and that the future of the company depends on it. Employers must insist each employee maintain a two-factor authentication process to secure sensitive information. Each employer must restrict unauthorized access to company data. In other words, keep the kids off the company’s computer. It’s also imperative to prohibit the use of unauthorized third party cloud storage sites, and to make sure to apply security software to protect company data. Most importantly, no sharing of company devices.

Some more simple procedures companies can implement to protect their end points include:

  • Ensure endpoints have software patches and security updates applied monthly
  • Audit and enable Windows Defender or other Antivirus Solutions to protect end points
  • Ensure computers accessing company data are set to auto lock after five minutes of inactivity
  • Provide employees with dedicated work only equipment
  • Audit and ensure satellite workers have a firewall protecting their endpoints from potential attackers
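
The checklist above can be audited on each Windows endpoint. The script below is an added example, not Enigma Forensics' own tooling; the function name `Test-EndpointBaseline` and the thresholds (31 days for "monthly", 300 seconds for "five minutes") are assumptions, and the dedicated-equipment item is not something a script can verify.

```powershell
# Added example: audit the local Windows endpoint against the checklist above.
# Assumed mapping: "monthly" -> 31 days, "five minutes" -> 300 seconds.
function Test-EndpointBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxPatchAgeDays = 31,
        [int]$MaxLockSeconds  = 300
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
    }

    # 1. Update recency. Get-HotFix lists Windows updates only, not third-party software.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) {
        $age = [int]((Get-Date) - $latest.InstalledOn).TotalDays
        & $add 'Updates applied within the last month' ($age -le $MaxPatchAgeDays) `
            "$($latest.HotFixID) installed $age days ago"
    } else {
        & $add 'Updates applied within the last month' $false 'No dated update found'
    }

    # 2. Windows Defender. If another antivirus product is in use, this check
    #    reports a failure so that the product is verified by hand.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
        & $add 'Windows Defender enabled' $ok `
            "Real-time: $($mp.RealTimeProtectionEnabled); signature age: $($mp.AntivirusSignatureAge) days"
    } catch {
        & $add 'Windows Defender enabled' $false 'Defender status unavailable; verify other antivirus manually'
    }

    # 3. Auto-lock. Either the machine inactivity limit (policy) or a
    #    password-protected screen saver for the current user satisfies it.
    $policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $desktop = 'HKCU:\Control Panel\Desktop'
    $machine = (Get-ItemProperty -Path $policy -Name InactivityTimeoutSecs `
        -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $saver   = Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue
    $saverSeconds = [int]$saver.ScreenSaveTimeOut
    $machineLocks = ($machine -gt 0) -and ($machine -le $MaxLockSeconds)
    $saverLocks   = ($saver.ScreenSaveActive -eq '1') -and ($saver.ScreenSaverIsSecure -eq '1') -and
        ($saverSeconds -gt 0) -and ($saverSeconds -le $MaxLockSeconds)
    & $add 'Auto lock within five minutes' ($machineLocks -or $saverLocks) `
        "Machine limit: $machine s; secure screen saver: $saverSeconds s"

    # 4. Host firewall. This covers the Windows firewall only; a home router's
    #    firewall cannot be checked from the endpoint.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    $detail = if ($off.Count) { "Disabled: $($off.Name -join ', ')" } else { 'All profiles enabled' }
    & $add 'Host firewall on for all profiles' ($off.Count -eq 0) $detail

    $results
}

# Run the audit and show one row per checklist item.
Test-EndpointBaseline | Format-Table -AutoSize -Wrap
```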

Kids at home with not much to do may be interested in installing the latest video game on your computer which could introduce security vulnerabilities at home.

Enigma Forensics also suggests developing an inventory of which employee has access to which files. Know who is printing confidential information, and identify if family members have access to the same devices. Once all this is mapped out, a risk assessment needs to be conducted. Employees who have access to sensitive information should be prioritized and secured appropriately.

Eventually we will all be back working in the office but COVID-19 has exposed the need to increase security and to learn more about how your employees are utilizing company owned devices.

Shelter in Place or Open Up?

Where do you stand? Stay sheltered in place or open up? We all have felt the pain of this pandemic. Is it time to open up our restaurants? Enigma Forensics wants to know your thoughts.

Is fear holding us back from moving forward?

Where do you stand? Shelter in place or open up! Is fear holding you back? If you don’t know what’s going on in the world today, apparently you have been living under a rock. It seems so long ago when Enigma Forensics’ Lee Neubecker and Geary Sikich, President of Logistics Management Systems, warned of what was to come and further outlined what would be the global impact. Enigma Forensics published its first post about COVID-19, “Coronavirus: The Global Impact,” on March 6.

Mayor Lightfoot announced today that Chicago will not be able to open restaurants for outdoor seating on May 29. It’s different than what the state has outlined. As stated by the City of Chicago, we will be following the “Protecting Chicago” framework. The City will be using this guide to govern Chicago’s reopening process amid COVID-19. The framework – organized into five phases in alignment with the State of Illinois’ “Restore Illinois” plan – will advise Chicagoans on how to safely exit from shelter-in-place while continuing to prioritize the health of our most vulnerable residents.

Did we anticipate that COVID-19 would spread to the U.S. and wreak havoc like it has? Absolutely not. Even though this is a playbook that has never been written before, Lee Neubecker drew upon his cyber forensic skills and made it the company’s focus to track information on the rise of positive cases and deaths. Our intention was to save lives!

Illinois is now ranking third for COVID-19 cases behind New Jersey (#2) and New York (#1). According to the Illinois Department of Health, as of 5/21 Illinois has 102,687 Positive Cases, 4,607 Deaths and 672,723 Tests performed. Overall, according to the Center of Disease Control reports, the US has 1,581,903 Positive Cases, 93,806 Deaths, and 301,341 Recovered Cases.

Education trumps fear. Wear a mask and wash your hands. Based on these numbers, where do you stand? Stay in shelter in place or open up?

It started when…CDC: Center for Disease Control announced first COVID-19 case in the United States. Jan. 21.

https://www.cbsnews.com/news/coronavirus-centers-for-disease-control-first-case-united-states/

On Tuesday, March 13, we helped Cook County Clerk Karen Yarbrough spread the word on safe voting tips and how to keep yourself safe.

We wondered what was the fastest growing Zip Code in Illinois. Enigma Forensics started tracking COVID-19 on 3/8.

We uncovered the highest growth rate and reached out to the Hispanic Community Leaders

Coronavirus Impact on States that Shelter at Home

President and CEO of Enigma Forensics, Lee Neubecker remotely converses with Geary Sikich, President of Logical Management Systems, to discuss the current state of impacts the Coronavirus has brought to citizens taking shelter at home. Data experts Lee and Geary explain statistics state by state and expose interesting facts for those states that have implemented shelter at home policies.

The Transcript of the Video Follows.

Lee Neubecker: I am here today, again with Geary Sikich, reporting from my basement. Geary is the principal of Logical Management Systems. I am the president of Enigma Forensics. We’ve been talking on our show previously about the Coronavirus and the impact. And today we’re going to be talking a little bit about the current data trends and what’s happening. Geary, thanks for being on the show remotely.

Geary Sikich: Thanks Lee it’s kind of an interesting way to work.

LN: It’s the new reality probably for a while, huh?

GS: I think for, yes, a little bit more than two weeks that’s for sure.

LN: Yeah, so I want to pull up some of the data that we were talking about earlier. A spreadsheet that we had here. Is that up on the screen for ya?

GS: Yes.

LN: Okay, great. So it’s showing that, this is data that was obtained from the Johns Hopkins website. They’ve got a place where you can download the historical data. Which I showed you a little earlier. Let me just pull that up. So what you see here, you can go on the map tool. You can actually scroll by clicking on the tab. Internet’s running a little slow. We discussed that previously.

GS: Welcome to the world of not enough pipe.

LN: Yeah so you might not have noticed it but there’s a little section that says admin one. If you hit the right arrows you can scroll through and cycle through and see the data reported differently. First it’s by country, and we’re now at 41,708 in the US. When you click, you can see the total. It’s running very slow today.

GS: Yeah Johns Hopkins, I know that one of the issues with their website is so many people are using it. That it, by this time of day it starts to slow down a bit. So it’s kind of a challenge to get in there and see the data as it stands. But I just noticed on the statistics for today, that the US stats at noon, when I checked I was doing a webinar today on hospital pandemic planning and drills. And US infection rate has jumped up pretty substantially.

LN: Yeah I want to show you some specifics of concerns as we drill down. I pulled the top 10 states. And you can click here, you can see by states and regions. You can see New York is getting devastated right now. Then Washington, and then Cook County Illinois here is running right up next in line. But what I found interesting is as you pull the historical data out, but you can get off, we can see, here is New York. That’s a pretty scary curve, and it’s a trajectory that doesn’t suggest it’s going to get any better any time soon. And then you have Illinois, New Jersey, and what not. But what was real interesting is we had a cross. Illinois is this line right here on the screen there. Illinois is, where is Illinois here. We got, actually what I did is I pulled out New York so I could get more zoned. So excluding New York, you can now see what’s going on. And Michigan, that didn’t have a ban until they just announced today that they’re instituting a lockdown. But Illinois, more dense, more likely to get a contagious outbreak than Michigan in my opinion. Because they quarantined early enough, you start to see that at least so far Illinois holding out. Now I think that number’s going to jump up. I think that the number, they haven’t fully reported the count for today yet. But it was interesting to see both Louisiana and Michigan and Florida jump up and surpass. And right now, Florida doesn’t have a ban in place. Georgia doesn’t have a ban in place. What do you think’s going to happen with Georgia?

GS: Well I think what your statistics are showing, and it’s interesting is that the early adopters of shelter in place and working remotely, etcetera, cut the bands, if you will. The early adopters of that are finding that social distancing is actually working. The late adopters who have yet to come to the point of doing shelter in place and what not are finding much like the parallel with Philadelphia and Denver during the Spanish Influenza, Denver closed the city very quickly, very little in terms of issues that they had. Philadelphia on the other hand kept everything open and actually did a parade to try to raise money for bombs for World War One. And as a result they had a significantly higher infection rate. And so I think you’re seeing a parallel in terms of history and what’s happening today. So I would say that those states that are late adopters are probably going to see a higher rate of infection. The other thing it would be, is if we can, you’d have to do some manipulation on data with this but is to look at those states which have large cities. Chicago, New York City, Los Angeles. Some of the bigger cities are going to have a significantly bigger concentration of casualties, if you will. That is going to result, it results from the fact that people are living in close proximity in those cities. The other aspect is that, if you think about it, a lot of downtown populations don’t have the, how do I put it, the infrastructure to do a lot of at home cooking. So it’s either they don’t have the storage facilities for food or they just don’t cook because restaurants are so plentiful. And suddenly we’re finding that with restaurants closed and other things being shut down, as far as businesses and what not, that there’s a greater dependence for people to be a little bit more self-sufficient, if you will.

LN: Yep, it’s certainly going to get interesting here. Well, thanks for coming on the show again and talking about this. I’m sure we’ll have some more things to talk about again soon.

GS: Thank you for having me.

LN: Great, thanks.

View Johns Hopkins Coronavirus Map

https://coronavirus.jhu.edu/

View CDC Guidelines

https://www.cdc.gov/coronavirus/2019-ncov/faq.html#anchor_1584386949645

View State of Illinois Website

https://www2.illinois.gov/

Data Breach Response After the Fact

Your email has been frozen and your company website is down. Your IT department has confirmed a data breach. What do you do next? Incident Expert Lee Neubecker and legal expert Kari Rollins offer easy instructions about your next important steps.

It’s a fact! Your IT team confirmed a Data Breach or incident has occurred. What do you do after the fact? Forensic Expert Lee Neubecker and Legal Expert Kari Rollins say don’t panic! First, convene with your incident response team, start to investigate under privilege, and contact a 3rd Party forensic expert to help preserve vital information. Watch the rest of this video for further recommendations about data breach response after the fact!

The Video Transcripts of Part 3 of our 3-Part Series on Data Breach follows

Lee Neubecker: Hi I’m back again with Kari Rollins, and she’s here talking with me today about data breach incident response. The Sedona Conference recommends how an organization should respond to such incidents. And we’re talking in this third part segment about what to do after an incident has been reported. So Kari, please tell me what the initial issues are that come to mind when you get that phone call from a client that says something happened.

Kari Rollins: Sure, so usually, as we were talking about in a prior segment, you may not know whether you’ve had a breach as defined by law. You are just told by your information security team, or an employee or a manager that you’ve had, there’s been an attack. Or there’s been, “I can’t get access to my email,” Or, “My account’s frozen.” So you immediately start to investigate. You want your... according to your incident response plan which we’ll hopefully have in place, you’ll convene your incident response team; you’ll start to investigate under privilege. You’ll call if you need your outside forensic investigator to help you access it. Help you access what’s happened, right? That the facts in an incident are really, really important because they drive the legal conclusions. Have you had a breach, or have you had an incident that has resulted in the acquisition with just the access to personally protected information? Or are you... did you have an incident where maybe the systems that house the personal information were accessed, but there’s no evidence that the malware ever made it into the room where the family jewels are hidden and they were taken out. And that’s an important part of understanding whether you actually have a legal obligation to notify regulatory authorities or consumers. So the first step is always convening the team, putting it under privilege, calling your experts, and starting to investigate the important facts. Was this an outside threat, was it an insider threat? I know you’ve had experience a lot with investigating internal threats, which are on the rise these days as I would expect.

LN: And a lot of these incidents, it may be reported as a data breach, and the question is well, how did it happen? And sometimes, it’s not too uncommon that IT staff don’t receive the resources they request, and that data incidents happen as a result of being under-resourced. And in circumstances like that, there’s still a lot of pressure on the people managing IT, to not only run the organization ongoing but to deal with this whole new layer of troubles. So having that team in place beforehand where those relationships are there really helps.

KR: Yes

LN: And the other thing too is, you know, if there is a failure internally, it’s more difficult and less likely that you’re going to get the facts quickly if you’re using the team responsible in some way for the breach to report on what happened. I always recommend that after that initial meeting that preservation of key data occurs, and is offloaded outside the organization. You know, log files, certain key computers, email systems to the extent that they were modified so that there’s the ability to do that analysis. Because when an organization has an incident, it’s quite possible that all the data disappears, and the effort to cover the tracks.

KR: Or it’s not even, it may not be as nefarious as that. It could be that the teams are working so quickly a lot of the remediation plans are to thwart the malware and to remove it. But, in a lot of instances, you need to safely remove it and keep a copy of it, because you need to reverse engineer it. And understand how it got there, understand other signatures it might have; so being thoughtful, and we talk about this being thoughtful about evidence preservation is really critical, especially if you get to the point at which you do have a breach that requires notification. And litigation regulatory inquiry ensues, you will have been expected to preserve that evidence and show the chain of custody. Otherwise, you could have allegations of spoliation leveled against your company.

LN: And I’ve seen circumstances too where a legitimate data incident happens and we’re able to get it quickly and identify the impacted individuals. And sometimes it’s just been a few people; in a circumstance like that, it’s much easier to reach out to those individuals, make things right, and resolve the issue. And be able to report to them what happened. It’s much better than having to publish on your website and report to the attorney general that you had some massive data breach. So, not all data incidences are massive data breaches.

KR: That’s true, some of ’em impact you know, one or two individuals, and you may still have an obligation to notify them under the relevant law. But they don’t have to be the big massive breaches. And again, I think the great thing about the Sedona Conference Guide is that it’s, you know, it helps companies navigate small to big breaches. You know, it’s not intended to be the ultimate authority on the law in this area, because the law is ever-changing. But what it does is it helps companies issue spot from a practical perspective so that they know what laws they need to consult, and why and what issues they need to address, like for example, notifying your insurance carrier. One of the big questions we always get is, Well, we’re the victims, here; the company X is a victim of this cyber attack. Who’s going to pay for it?

LN: Yes.

KR: And so, insurance coverage for cyber incidents is a really hot button issue these days. And so it’s important for companies to know in advance what their policies say, what the notification requirements are. Even if they just have a sniff of an incident – maybe it’s not a breach. So that the third party and first-party costs are covered, and that you’re working with your insurance carrier, and you’re working with your insurance counsel to ensure that coverage. And to make sure that you’re getting the right information to your insurance carrier about your forensic teams. Are they approved? What rate are they going to be reimbursed? What type of reporting do you have to do from a cost and expense perspective to your insurance carrier? So.

LN: And, is it true that if companies use their own internal IT resources to do the investigation, that the insurance carriers usually won’t pay out their own internal resources?

KR: It really depends. It depends on the policy.

KR: It really depends on the policy. There are, in some instances, some policies would cover the first party staffing costs, so for example, if you had to pay staff overtime to work 24 hours a day to try and investigate, you may be able to claim that. But it really depends on your policy. There’s certain... there’s certainly reimbursement line items for business disruption and business interruption. Or, you know the loss of business, loss profits line items, as a result of ransomware tax. But again, knowing your policy is a critical step in preparing.

LN: Where do you see the benefits of using an outside forensic investigator as opposed to internal IT to investigate when an incident happens?

KR: You know I think it’s two-fold, one, a lot of internal IT teams are taxed as it is with their day to day obligations. And if an incident is one that is medium-high critical, you want to be able to dedicate the resources to the incident to investigate swiftly, and to ensure that there’s no delay. And so pulling in a third-party forensic expert alleviates some of that burden and stress on the IT teams. And then separately and secondly, it also creates a level of objectivity that is... that benefits the company in the event. Or in the unfortunate event, someone in the IT group may have made a mistake that caused the vulnerability. There’s less likely that that mistake would be covered up. Or there’s going to be more candor from the third party expert to the management team, to say like, “Hey, this issue should have been addressed”. And it wasn’t, and now you know what thwarts may be in the event. You have some litigation down the road and you need to defend. But so I would say really sort of time and devotion of resources where needed, and objectivity.

LN: Great, well thanks a bunch for being on this show; this was great.

KR: Absolutely, thank you.

To Learn More About Sheppard Mullin / Kari Rollins

https://www.sheppardmullin.com/krollins