E-discovery forces security organizations to prepare for eventual litigation - Information Security Magazine

The biggest threat for 2008 is lawyers.


Insider threats, botnets and the security patch du jour shouldn't have you worried. Rather, your top security concern should be about getting sued.

Less than a year ago, an amendment to the Federal Rules of Civil Procedure (FRCP) radically changed how and when organizations produce documents in a lawsuit. And it directly affects you and the security policies you create.

Now a judge can request electronically stored information. This includes structured, unstructured and even semi-structured data such as instant messages, wikis, blogs, audio, video, ERP records, CRM records, Excel spreadsheets, Word documents, database records...get the picture?

So when (not if) your company gets sued, you must track down the requested records pronto. When paper documents were discoverable, it would be acceptable to take months, even years to get the documents to the judge. Now responses to these electronic discovery requests are expected in months, even weeks.

And the location of the data is irrelevant. Discoverable documents can be on highly distributed servers, PST files, backup tapes and even home computers of your employees. And they need to be in native format so the metadata can be examined.

In a nutshell, any reasonably accessible documents must be made available by the stated deadline. If they are found at a later date, they may not be admissible in court, hurting your chances in the case.

What's more, the cost of these discovery requests is borne by the records holder. Don't have your documents classified or ready for the request? Law firms can charge upward of $350 an hour to have their recent law school grads go through thousands of electronic documents and classify them.

Sound scary? Well, it is if you weren't aware of the FRCP changes, aren't litigation-ready and don't have a data collection and retention policy in place. Create a document retention policy, avoid manual classification processes, educate your workforce on your policies, and audit and test your policy compliance on a regular basis.

If you put a policy in place now, before you get sued, you'll be in a much better position to handle the requests, and have a legally defensible argument if you can't produce the documents.

The first step is knowing you have a problem. From there you can include the appropriate stakeholders to create a sound policy that, well, stands up in a court of law.

This was first published in November 2007