Published: 01 Mar 2008
| Find What You're Looking For?
These days the lion's share of information in organizations is electronic. Such electronically stored information (ESI) increasingly represents the heart of litigation in civil cases, in which each side's legal teams request extensive evidence from the other.
With changes to the U.S. Federal Rules of Civil Procedure (FRCP) in December 2006, ESI received all the legal rights of those traditional boxes full of paper documents. This means it can be crucial evidence, and therefore must be handled accordingly. IT teams play an important role in the storing, finding and producing of critical ESI, but why is e-discovery a security issue? At stake is the integrity and availability of information, and in some cases, its confidentiality as well. Hitting three fundamental security objectives, it becomes clear that security teams should understand the requirements and challenges involved in e-discovery.
| Common Pitfalls
At the beginning of a civil court case, legal teams meet to determine what types of evidence are relevant to a case. This process of discovery generates requests for email, word processing documents, logs of transactions, and other data that counsel thinks will help win the case. As IT and security teams begin to ponder how to handle e-discovery, they often make errors, either because they don't fully understand the requirements or don't communicate with counsel. Here are three common mistakes:
Some of the data types are obvious, such as email messages or electronic business documents. But security teams are sometimes confused about sources like video or event logs (see "Evidence Sources," below). Ultimately, legal counsel needs to rule on information's applicability, but because many types of ESI are generated and stored for audit or security purposes, they are fair game in court. For example, a company may choose to utilize access control logs as its evidence of control for a regulation such as HIPAA. Because these logs are routinely stored and used for the business, they become part of the organization's e-discovery landscape.
| The same goes for video. Many companies elect to save and periodically review digital security video for physical protection. Other companies retain tapes or digitally stored recordings of voicemail messages. Such data might play a role in a court case, which affects its long-term management.
Ultimately, there can be absolutely no uncertainty about a business process related to ESI lifecycles and retention. An organization must be clear about what it keeps, its policies for retention and retirement, and the responsibilities of data custodians across the enterprise (not just IT, but also business-unit and individual-user obligations). In a similar vein, there should be close ties between legal counsel and IT groups to monitor upcoming litigation, understand information-handling practices, ensure holds are executed properly (relevant information is not destroyed), and so on. The IT team should be able to answer questions about the data's location, when it was collected, who has access and control of it, how it's managed over time and how quickly it can be restored/ retrieved.
| The most developed organizations will integrate e-discovery into the standard lifecycle of information management (see "Road to Improvement," below). For example, during information creation, organizations will apply tags to data that help set context and enforce policies. These may include things like "Project: WidgetCo," "Last modified:
Similarly, as data is to be archived, it may be de-duplicated (so there's only one canonical copy), have sensitive metadata removed (such as trade secrets), and be flagged for preservation if a known court case is pending.
A sticking point, however, in information lifecycle management is the important data users often create on their individual systems in an increasingly mobile world. This begs the question: What needs to be done about user PCs?
There are two answers. The first is to discuss the issue frankly with a legal expert. Given that ESI rules are still relatively new, it's not yet clear how courts will respond, and only an organization's lawyers can offer the final word. The second is to evaluate and deploy possible additional controls for the user environment. One approach could be improved host policy enforcement, perhaps through content-aware agents, monitoring, or rights-management solutions, but more likely via detective and deterrent effects of random or comprehensive audits. Ultimately, any technology choice must be buttressed with user training and awareness that makes clear the policies and processes, and what's expected from users.
| Relevant types of tools include:
| Communication Key
An important step in the e-discovery process is opening lines of communication with the legal team to understand the implications of e-discovery. Doing so may not be an easy task. A tug-of-war between the IT and legal teams may result from their debate over what needs to be accomplished.
For example, legal may ask for record retention and retrieval systems that are cost- and resource-intensive, thus blowing IT budgets out of the stratosphere. Another example is last-minute legal holds (preservation requests) that give IT little notice but tremendous amounts of work. This relationship is a delicate one that may require some business management oversight to balance cost and demand.
Developing internal leadership also is wise. A number of large enterprises consider e-discovery to be of such paramount importance that they have created specific roles to lead the IT effort companywide. Such "e-discovery experts" close the gap between the legal team and the IT/security organization. They help facilitate communication for operational issues and manage projects to improve e-discovery.
Prudent technology changes will be required as well. Although organizations shouldn't save everything--it's too costly and risky--they do need automated systems that properly preserve what needs to be saved, handle sensitive metadata appropriately, and can transform data in accordance with the requirements of the legal team.
By enhancing policies and making careful technology choices, organizations can, over time, improve e-discovery response. As legal and security teams work together more closely, the critical issue will be defining and following information lifecycle practices so organizations don't find themselves on the losing end in court.