The Legal Line
Dear Ed:I have a few questions about VoIP records and how they can be used in court. I am the CFO at [an international reseller] and [we have] soft switches at various locations. We believe that a former employee sold an old administrative password to some rouge IP Company out there and that company then used our termination routes over time. This was not discovered initially as the IP Company bled us slowly over time and at low amounts over our various routes. We did not realize their use until almost 10 days later after a billing audit. My question to you is how to preserve our records of what happened. Were do we begin? Our lawyers are presently evaluating our civil claims and are now asking us for “whatever” evidence we have. I looked over some of the files at the employee’s old workstation and am not sure what may or may not be relevant. I am not an attorney so where is a good place to begin making sense of this mess?Not SherlockDear NS:It sounds as if your former employee was a tech of some sort because who else would have access to administrative passwords to a soft switch. If it’s a former tech, be prepared, this may eventually be a case that boils down to chasing electronic evidence. This is because a tech will likely have covered his electronic tracks to some degree - more so than any other type of employee you may have. You may eventually need the services of a forensic technician whose expertise is data collection and recovery in order to document the events of what happened more completely. This, however, may not be in your budget, so let’s first discuss some general evidence gathering that could be done in-house.I would approach collecting evidence just as if it were a crime scene. This can be done by anyone at [your company], but it is preferable to use an in-house technician who may be able to testify later as to the method and manner of information collection. Start with the workstation. The idea is to look for the obvious physical points of contact between the password and employee, and thereafter, move outward from those points to see if there may be other evidence of it nearby. It may even be wise to take a digital picture or two in this part of the process just to be able to re-check points of access to servers and systems. Next, go to the servers or systems in which the employee had regular contact and use. Ask basic physical questions like: “Do these systems have internal or external drives which may have held the password or facilitated in its transfer” or “can they access the soft switch, and how?” From these computers, check and make a list of files - both data and log files - and any backups that may show how the employee may have created, moved and/or deleted the old administrative password by use of e-mail (if he was real bold), by saving it to a movable disk, or simply copying it by pen and paper. The idea here is to make a detailed written accounting of the physical layout of the employee’s old workspace that was likely used by him at the time so that you can evaluate the possible ways the employee actually committed the act. Once this type of evidence is collected, it is best to have your current in-house tech review actual files or search for files on erased disk sectors on computers likely used by the employee. This should refine the search and leave room for a verifiable custody chain by your technician. It is also generally a good way to start the ball rolling to confirm that the former employee did take the password and it was not just and incident of hacking.In general, there are several types of evidence that may be of importance in a case like this one. The first is physical evidence. This would be the actual servers, disks, and hard drives that were used to misappropriate the password. Although sometimes cumbersome, having the actual physical source of data storage as evidence does carry weight if relevant, especially in a jury trial. The next type of evidence that may be important is documentary evidence. These would be things like files - log files, database files, traffic reports, routing reports or files, and billing files. As the name explains, they document events or activity in the systems in question. This may also include established protocols used to secure systems and passwords assigned to access them. The billing audit and its results are good examples of documentary evidence. The next type of evidence that may be important is demonstrative evidence. This would be evidence that demonstrates how particular event or activity occurs. This is important when presenting evidence to a jury or judge who has no idea of how VoIP, or a particular technology, works. Believe me, I understand the value of this, as I have had on various occasions the responsibility to explain to older judges (you know the ones that date back to the era of “Mi-Am-I” not Miami) just how a prepaid calling card works. Demonstrative evidence in the courts can be a blessing. I am sure the same will be similarly true for your lawyers in this case. This is where demonstrative evidence is key. It may not show how the password got into the hands of the rouge IP Company, but it can show how without it there would have been no access. It can also show how things are supposed to work without the unauthorized access. The final type of evidence that is important to cases such as these is testimonial evidence. Key here will be testimony from employees of [your company] that discovered the unauthorized traffic in the billing audit, and the techs that thereafter investigated it.I bring these various types of evidence to your attention because these are the types of evidence your lawyers will likely be looking for in “whatever” information you give them. Make their job easier and it will be less costly for you in the end. For this reason, it may be important to list the specific type of evidence that you believe you may have in hand contemporaneously, as you gather it in your investigation. Marking evidence in this manner should speed-up their fact finding as well as their time to evaluate your claims. In the end, this can only help you. Your lawyers will likely want to be a part of the in-house investigation once they know it is occurring, however, this is not always the case, and, knowing the types of evidence that may be available or admissible is important. I would also not concern yourself at this point with what substance of what is admissible evidence or relevant evidence as these are issues for your lawyers to wrestle with as they develop the case. What is key on your part right now is documentation of the evidence gathering process. It is also important to qualify your investigation by reducing it to writing or perhaps even a report. For example, the fact that your tech may uncover the exact way that the former employee generated a series of personal administrative passwords and sold them online is only testimonial evidence until he writes a written report of his findings and methodology to his investigation. Should you depend on testimony alone, there is some risk at trial especially if your tech (or witness) does not have very good interpersonal communication skills. However, the combination of a report, written documentation used to make it, and the testimony of the technician as to what he discovered, constitute the caliber of evidence that your lawyers can sink their teeth into and litigate upon. This is what you need to collect and build right now, and in my opinion, the best place to start.While your case deals with VoIP re-sale, the same process is true for documenting carrier service disputes with prepaid providers, the misuse of prepaid stored value services or re-charges, or theft of carrier VoIP services, it is the same evidence gathering process for all. At some point there are computer systems that process the services and prepayments that can be preserved in several ways: 1.) As physical evidence, 2.) As documentary evidence, 3.) As demonstrative evidence, 4.) And as testimonial evidence. Focus on collecting as much evidence as possible and mark it and classify it in the above categories to make the eventual litigation more effective and less costly. Again, let you lawyer wrestle the legal issues related to the evidence but use their input to move the direction of the investigation or fact-finding efforts. Most of all, remember that litigation relates to past matters, so do not neglect your regular business and role in your company by being absorbed by this. The matter will be most likely resolved at trial.Good Luck and Success in the Industry.Send your questions firstname.lastname@example.org.