Chances are that you've recently been hearing quite a lot of buzz about e-discovery services. That's because amendments to sections of the Federal Rules of Civil Procedure took effect as of Dec. 1, 2006. Sections of these amendments set forth rules governing how companies prepare for litigation in regard to the collection of electronic evidence/information.
The rule changes are intended to recognize that companies manage and maintain electronically stored information (ESI) in fundamentally different ways than physical documents. The new e-discovery rules formally codify much of the preexisting case law related to e-discovery.
Fortunately, there's no need to panic as a result of the changes. Keep in mind that e-discovery is part of the litigation process, and should be driven by the corporation's legal team or outside counsel, not by IT. However, the e-discovery effort will involve several groups within the organization, such as legal, IT -- including security, storage and messaging -- and others as needed.
Preparing for e-discovery
Before there is ever a need to comply with an e-discovery request, there are several tasks that information security professionals should perform.
- Foster open dialog between security, legal, and other groups -- The only way to have a prepared response to an e-discovery services request is to be proactive. This, of course, requires laying some groundwork. Make sure that your senior-most security executives are aware of the civil procedure changes. Look to your company's legal team as the key stakeholder, but the security team should be prepared to perform e-discovery support functions. As a result, the security team will be seen as either an enabler or a barrier.
- Create clearly articulated data retention policies and procedures for retaining important information -- Companies are interpreting the e-discovery rules very differently. For instance, there are two lines of thought related to document retention. Some companies attempt to apply rigid policies related to document retention and destruction; they seek to limit the scope of their e-discovery search by limiting the volume of stored data. In addition, their hope is that some potentially damning ESI will be destroyed as the result of following normal business processes. The second line of thought is that companies should keep everything. This line of thought takes into account the fact that data is reproducible; there are always at least two copies of an email (sender and receiver), users tend to copy data to multiple locations, and so on. It will always be difficult for a company to reasonably state that certain data points are not available.
- Have an e-discovery action plan -- Realize that IT is a critical path for litigation. Regardless of your company's stance on ESI retention and destruction, it is important to have an established method for locating ESI that may be relevant to any current or pending litigation (including litigation which may be reasonably foreseeable). Often called a litigation hold policy, this process would include the ability to perform relevant keyword/key-phrase searches across the company's vast amounts of structured data (e.g. application data stores) and unstructured data (e.g. documents, email messages, spreadsheets, etc.). It is counterproductive for an organization to have to figure out how to accomplish this each time it is required to produce ESI, so be sure to have a product, process or combination of the two that will produce consistent results.
- Create and maintain templates for documenting an e-discovery log for each case -- Remember that the output of your ESI production process has legal implications. Be sure to keep track of the exact search words/phrases used to generate any records handed over. It is critical to have formalized, repeatable processes. The overall credibility of your company could be tarnished if the opposing party or the judge perceives your efforts as ad hoc or haphazard.
- Maintain an accurate list of system/data types and their IT and business owners -- Pure and simple: the company will never be able to reasonably state that it has produced all the relevant data without knowing the location of all its data. Thus it is imperative to maintain a system inventory. Know the inputs and outputs, the data elements, and who owns the systems from both an IT perspective and a business perspective.
- Establish security and audit controls around the e-discovery services process -- Producing all of this data inherently increases risk to your organization. Chances are that there will be a great deal of sensitive information (both personally identifiable information and proprietary company information) in the data gathered. It is therefore imperative that security and audit teams have a hand in defining the processes involved.
Compliance with the new e-discovery rules will require the participation and cooperation of multiple groups within a company. Information security and audit teams need to be involved in the creation of e-discovery processes and procedures. It could be argued that at no time are confidentiality, integrity and availability more important than during litigation.
About the author
Perry Carpenter has spent nearly a decade working in IT and information security. Currently serving as the information security manager for a large wireless carrier, he has expertise in identity management, application security and data encryption and privacy. Earlier in his career he specialized in application development and Active Directory implementations. He maintains a security resource Web site at SecurityRenaissance.com.
This was first published in May 2007