The biggest threat for 2008 is lawyers.
Less than a year ago, an amendment to the Federal Rules of Civil Procedure (FRCP) radically changed how and when organizations produce documents in a lawsuit. And it directly affects you and the security policies you create.
Now a judge can request electronically stored information. This includes structured, unstructured and even semi-structured data such as instant messages, wikis, blogs, audio, video, ERP records, CRM records, Excel spreadsheets, Word documents, database records... get the picture?
So when (not if) your company gets sued, you must track down the requested records pronto. When only paper documents were discoverable, it was acceptable to take months, even years, to get the documents to the judge. Now these electronic discovery requests are expected in months, even weeks.
And the location of the data is irrelevant. Discoverable documents can be on highly distributed servers, PST files, backup tapes and even home computers of your employees. And they need to be in native format so the metadata can be examined.
In a nutshell, any reasonably accessible documents must be made available by the stated deadline. If they are found at a later date, they may not be admissible in court, hurting your chances in the case.
What's more, the cost of these discovery requests is borne by the records holder. Don't have your documents classified or ready for the request? Law firms can charge upward of $350 an hour to have their recent law school grads go through thousands of electronic documents and classify them.
Sound scary? Well, it is if you weren't aware of the FRCP changes, aren't litigation-ready and don't have a data collection and retention policy in place. Create a document retention policy, avoid manual classification processes, educate your workforce on your policies, and audit and test your policy compliance on a regular basis.
If you put a policy in place now, before you get sued, you'll be in a much better position to handle the requests, and have a legally defensible argument if you can't produce the documents.
The first step is knowing you have a problem. From there you can include the appropriate stakeholders to create a sound policy that, well, stands up in a court of law.