Most information security pros have a handle on the major data types found in their environments, but they also know that there is a whole lot more data lurking around the edges. These unknown data types can include documents used by individuals, or whole applications owned by departments that have quietly become essential to the business.
Most of the time, focusing on the squeaky wheels is an acceptable strategy; if there's no "squeak" then there's no need to worry. But when it comes to litigation, and especially managing the electronic discovery process, what you don't know can hurt you.
There are four major types of data in use today: paper documents; structured data sets, like databases; semi-structured applications, like email and image stores; and unstructured repositories, like file servers. Comprehending the vast volume of these varied records can be a challenge for everyone involved, which includes information technology, records management, legal staff, and even the data owners themselves.
But since almost all business information is stored in digital formats today, electronic storage systems are the most popular target for the discovery motions filed as part of legal proceedings. It is most efficient for a litigator to head straight for your email, spreadsheets and applications, looking for what they term electronically stored information (ESI).
Making matters worse for IT administrators, new rules for civil litigation enacted at the end of 2006 (called the Federal Rules of Civil Procedure, or FRCP) have pushed up the timetable of electronic discovery. What was once a delayed and informal process has become much more structured, with lawyers meeting to discuss available ESI, typically just a few weeks after legal action commences.
When litigators sit down for these "meet and confer" sessions, they are now required to provide a map describing the various types of ESI (or data) applicable to the matter at hand. As anyone familiar with enterprise IT systems knows, the creation of such a matter-specific ESI map could take months of manual effort. They would have to examine the entirety of electronic records from scratch, determine which were relevant to the case at hand, and then map the location and custodian of each relevant record type, ensuring that there is a proper retention schedule and hold process in place.
Therefore, the only way to be ready to quickly respond to an e-discovery request under these new FCRP guidelines is to be prepared by creating a general survey map of all ESI ahead of time.
An organization can get started by preparing an ESI survey data map for all the electronic records it uses. This map should include the following information for each electronic record type in use:
- Who is the custodian of the record? The map must identify individuals who can be called upon to elaborate on each electronic record type, and they may be called to court as witnesses.
- Which electronic systems and formats are used to store it? The FRCP has specific requirements for the storage and production of different types of metadata, and companies may be required to produce electronic records in their native formats.
- Are there limitations to the accessibility of the records? The rules recognize that old backup tapes and legacy systems may be difficult and costly to access.
- What are the retention policies for these records? Routine destruction of old records is acceptable, as long as a consistent policy is in place.
Note that these rules do not apply to merely the core records from important production systems and applications. Lawyers can request records from the computers of individual employees, old applications that are no longer in use, and even the content of CD-ROMs and backup tapes. It is essential that an ESI map identifies data that is no longer accessible due to technical limitations and retention policies. Some organizations also include an estimate of the cost to recover certain inaccessible data. This allows the judge to weigh the impact of e-discovery against the potential usefulness of the records requested.
One of the best ways for companies to protect themselves from costly and time-consuming searches through outdated records is the creation and implementation of a record retention policy. Routinely deleting outdated data according to a sensible schedule reduces the potential impact of e-discovery requests. Although the specifics of retention can vary from one organization to the next, records generally must be retained long enough to satisfy external regulations, legal requirements and business productivity needs. A good record retention policy has many other benefits in areas of security and privacy compliance as well.
Consider also the limits of IT in destroying electronic records. Email messages, for example, are the property of two or more people, and each can easily save or move copies to other systems outside the control of the IT staff. Personal archives and backups, home computers and portable media like thumb drives, can thwart even the most comprehensive record retention schedule. For this reason, many experts recommend a "save more" strategy for the retention of many types of electronic records. Such a strategy calls for retaining more records for longer timeframes than required by regulations and laws, ensuring that any data that is uncovered can be qualified with surrounding contextual information. For example, routinely saving all email for four or five years can help to explain an offhand remark in a single message from long ago.
One final element to consider is a procedure to freeze the destruction of relevant data once litigation appears likely. Although the declaration of such a legal hold is up to a firm's legal team, the process must be documented and ready to implement for each record type, and data must be quickly and effectively retained to avoid serious legal penalties. In fact, if data is destroyed through negligence (or worse), many judges will instruct juries to assume that it was damning evidence under a principle known as spoliation.
Although the construction of a general survey of ESI data might seem difficult or tedious, the penalties of not knowing what data you have and where it is stored can be far worse. After the implementation of the FRCP in December 2006, the message is clear: Get to know your data or face the consequences!
About the author:
Stephen Foskett is director of Contoural's data practice. This group provides strategic consulting to Fortune 500 companies that assist enterprise customers in aligning their storage and computing infrastructures with their business objectives. Foskett has provided vendor-independent end-user consulting on storage topics for more than 10 years, has authored numerous articles, and is a popular presenter at industry events.
This was first published in July 2008