Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

E-discovery forces security organizations to prepare for eventual litigation

The updated Federal Rules of Civil Procedure elevates understanding of e-discovery requirements to a high priority.

The biggest threat for 2008 is lawyers.

Insider threats, botnets and the security patch du jour shouldn't have you worried. Rather, your top security concern should be about getting sued.

Less than a year ago, an amendment to the Federal Rules of Civil Procedure (FRCP) radically changed how and when organizations produce documents in a lawsuit. And it directly affects you and the security policies you create.

Now a judge can request electronically stored information. This includes structured, unstructured and even semi-structured data such as instant messages, wikis, blogs, audio, video, ERP records, CRM records, Excel spreadsheets, Word documents, database records...get the picture?

So when (not if) your company gets sued, you must track down the requested records pronto. When paper documents were discoverable, it would be acceptable to take months, even years to get to the documents to the judge. Now these electronic discovery requests are expected in months, even weeks.

And the location of the data is irrelevant. Discoverable documents can be on highly distributed servers, PST files, backup tapes and even home computers of your employees. And they need to be in native format so the meta data can be looked at.

In a nutshell, any reasonably accessible documents must be made available by the stated deadline. If they are found at a later date, they may not be admissible in court, hurting your chances in the case.

What's more, the cost of these discovery requests is borne by the records holder. Don't have your documents classified or ready for the request? Law firms can charge upward of $350 an hour to have their recent law school grads go through thousands of electronic documents and classify them.

Sound scary? Well, it is if you weren't aware of the FRCP changes, aren't litigation-ready and don't have a data collection and retention policy in place. Create a document retention policy, avoid manual classification processes, educate your workforce on your policies and audit and test your policy compliance on a regular basis.

If you put a policy in place now, before you get sued, you'll be in a much better position to handle the requests, and have a legally defensible argument if you can't produce the documents.

The first step is knowing you have a problem. From there you can include the appropriate stakeholders to create a sound policy that, well, stands up in a court of law.

Article 12 of 16

Dig Deeper on Data security strategies and governance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All