Information Security

Defending the digital infrastructure



Security Learning its Role in E-Discovery

Security teams are learning their crucial role in processing e-discovery requests.

Find What You're Looking For?

In the film Erin Brockovich, the dramatic story of one woman's record-setting 1996 legal triumph over a negligent utility company, paper files of some 634 plaintiffs filled a roomful of boxes. That's a lot of information.

These days the lion's share of information in organizations is electronic. Such electronically stored information (ESI) increasingly represents the heart of litigation in civil cases, in which each side's legal teams request extensive evidence from the other.

With changes to the U.S. Federal Rules of Civil Procedure (FRCP) in December 2006, ESI received all the legal standing of those traditional boxes full of paper documents. This means it can be crucial evidence, and therefore must be handled accordingly. IT teams play an important role in the storing, finding and producing of critical ESI, but why is e-discovery a security issue? At stake is the integrity and availability of information, and in some cases, its confidentiality as well. Because e-discovery touches all three fundamental security objectives, security teams should understand the requirements and challenges involved.

Common Pitfalls
At the beginning of a civil court case, legal teams meet to determine what types of evidence are relevant to a case. This process of discovery generates requests for email, word processing documents, logs of transactions, and other data that counsel thinks will help win the case. As IT and security teams begin to ponder how to handle e-discovery, they often make errors, either because they don't fully understand the requirements or don't communicate with counsel. Here are three common mistakes:

  1. Assuming that saving all information forever is the best way to manage risk. This isn't true. Frankly, it's not cost effective to save all information. Although storage continues to become less expensive, it's not free, and the amount of ESI organizations create annually is staggering.

    Even if it weren't cost prohibitive to save all information, courts don't expect an organization to follow this course. Information is expected to be destroyed during the normal flow of business. What's critical is that retention and destruction policies are well articulated, well known across the organization, and followed appropriately and consistently. The major caveat is that information relevant to a case that can be reasonably anticipated on the horizon should be spared from the normal destruction phase of the information lifecycle--that is, it should be preserved.

    In addition, over-saving information creates other risks that should be avoided. By keeping old information indefinitely, enterprises could possibly disclose facts that aren't material to a case but open other avenues of investigation that could have been closed if the information had been routinely retired, thereby protecting its confidentiality. Although no ethical counsel will advise the willful destruction of evidence, it is simply true that business records have a useful life, and when that life has concluded, the information should be discarded. The critical points of consideration are:

    • What external requirements necessitate continued preservation of information? These may include regulatory requirements or investigations, not just court cases.

    • What ongoing litigation or likely future litigation requires suspension of standard destruction practices? These are formally known as "legal holds," and are something to determine with the legal team.

  2. Believing data should be massively centralized in order to accommodate finding it. Although a reduction in the number of repositories and instances of products can be a boon, it's not feasible to create a "super-storage vault." Any sane response to e-discovery will necessarily involve multiple data sources and multiple technical approaches. Organizations will have to employ many different technologies to attack the problem, including search, mapping and categorization/classification. Clearly, reducing the number of deployments of, say, SAP from 20 to 10 can be beneficial. But for many organizations, simply knowing the location of relevant documents and records would be a step above their current situation.
  3. Thinking that most e-discovery problems relate strictly to email. This mistake can be blamed on misrepresentations by some vendors and media reports. While email is an important and often material piece of evidence in litigation, it's only one of a great many records that need to be found, preserved and presented. No enterprise is going to satisfy the e-discovery challenge simply by deploying an email archive and/or search tool. Proper management of email is necessary but not sufficient.

Haystacks and Needles
If data is stored and used as part of the normal course of business, then it's expected to be discoverable. The court has little tolerance for a claim that the needle is too hard to find in the haystack.

Some of the data types are obvious, such as email messages or electronic business documents. But security teams are sometimes confused about sources like video or event logs (see "Evidence Sources," below). Ultimately, legal counsel needs to rule on information's applicability, but because many types of ESI are generated and stored for audit or security purposes, they are fair game in court. For example, a company may choose to utilize access control logs as its evidence of control for a regulation such as HIPAA. Because these logs are routinely stored and used for the business, they become part of the organization's e-discovery landscape.

Evidence Sources
Examples of various types of information, and the places they may be stored, that are relevant ESI evidence sources in many large enterprises.

The same goes for video. Many companies elect to save and periodically review digital security video for physical protection. Other companies retain tapes or digitally stored recordings of voicemail messages. Such data might play a role in a court case, which affects its long-term management.

Ultimately, there can be absolutely no uncertainty about a business process related to ESI lifecycles and retention. An organization must be clear about what it keeps, its policies for retention and retirement, and the responsibilities of data custodians across the enterprise (not just IT, but also business-unit and individual-user obligations). In a similar vein, there should be close ties between legal counsel and IT groups to monitor upcoming litigation, understand information-handling practices, ensure holds are executed properly (relevant information is not destroyed), and so on. The IT team should be able to answer questions about the data's location, when it was collected, who has access to and control of it, how it's managed over time and how quickly it can be restored/retrieved.

Road to Improvement
Maturing e-discovery capabilities in concert with critical phases of information management: data creation, storage/distribution, archival and destruction.

Maturity Model
Given the likelihood that an enterprise isn't fully prepared for e-discovery, what are the prudent steps to take? The good news is that, for once, cost reduction is a valid argument for IT and information security. Because a manual records search is extremely expensive and negative judgments are bad news for the enterprise, it's legitimate to make a case for policy changes and infrastructure enhancements to automate the processes of preserving, locating and producing electronic evidence.

The most developed organizations will integrate e-discovery into the standard lifecycle of information management (see "Road to Improvement," below). For example, during information creation, organizations will apply tags to data that help set context and enforce policies. These may include things like "Project: WidgetCo," "Last modified: ," "Business Unit: Manufacturing," and so forth. When data is stored, e-discovery tools may map the location, policies and relevant features of the information. This provides a central means of asking, "Where is the WidgetCo data?" and receiving a concise list of related resources.

Similarly, as data is to be archived, it may be de-duplicated (so there's only one canonical copy), have sensitive metadata removed (such as trade secrets), and be flagged for preservation if a known court case is pending.
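As an added illustration (not code from the article), here is a small Python model of the lifecycle steps described in the preceding two paragraphs and in the "legal holds" point above: context tags on records, de-duplication to one canonical copy by content hash, and legal holds that override the routine retention schedule so matching records are preserved rather than destroyed. The retention periods, tag names, file paths, case id and sample records are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

@dataclass
class Record:
    path: str
    content: bytes
    tags: dict   # context tags set at creation, e.g. project, business_unit, last_modified

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()   # identity of the canonical copy

@dataclass
class LegalHold:
    case_id: str
    match: dict   # every listed tag must match for the hold to apply to a record

# Hypothetical retention schedule (days) per business unit; not from the article.
RETENTION_DAYS = {"Manufacturing": 365, "Finance": 7 * 365}
DEFAULT_DAYS = 365

def holds_for(record: Record, holds: list) -> list:
    return [h.case_id for h in holds
            if all(record.tags.get(k) == v for k, v in h.match.items())]

def disposition(record: Record, holds: list, today: date) -> str:
    """'preserve' if any hold matches; otherwise 'destroy' past retention, else 'retain'."""
    if holds_for(record, holds):
        return "preserve"   # a legal hold suspends the normal destruction phase
    limit = RETENTION_DAYS.get(record.tags.get("business_unit"), DEFAULT_DAYS)
    age_days = (today - record.tags["last_modified"]).days
    return "destroy" if age_days > limit else "retain"

def plan_archive(records: list, holds: list, today: date) -> dict:
    """Map each path to a disposition; byte-identical later copies point at the canonical one."""
    first_seen, plan = {}, {}
    for r in records:
        d = r.digest()
        if d in first_seen:   # the canonical copy already carries the hold/retention decision
            plan[r.path] = "duplicate of " + first_seen[d]
            continue
        first_seen[d] = r.path
        plan[r.path] = disposition(r, holds, today)
    return plan

# Constructed sample data: an old WidgetCo spec under hold, a byte-identical user copy,
# an old unrelated memo past retention, and a recent Finance report.
T = {"project": "WidgetCo", "business_unit": "Manufacturing", "last_modified": date(2005, 3, 1)}
SAMPLE_RECORDS = [
    Record("/share/mfg/widgetco-spec.doc", b"spec v1", T),
    Record("/home/alice/widgetco-spec-copy.doc", b"spec v1", dict(T)),
    Record("/share/mfg/old-memo.doc", b"memo", {**T, "project": "Other"}),
    Record("/share/fin/q1-report.xls", b"report",
           {"project": "Other", "business_unit": "Finance", "last_modified": date(2007, 1, 15)}),
]
SAMPLE_HOLDS = [LegalHold("CASE-0001", {"project": "WidgetCo"})]   # hypothetical case id
TODAY = date(2007, 6, 1)

def demo_plan() -> dict:
    return plan_archive(SAMPLE_RECORDS, SAMPLE_HOLDS, TODAY)

if __name__ == "__main__":
    for path, action in demo_plan().items():
        print(f"{action:40} {path}")
```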

A sticking point, however, in information lifecycle management is the important data users often create on their individual systems in an increasingly mobile world. This raises the question: What needs to be done about user PCs?

There are two answers. The first is to discuss the issue frankly with a legal expert. Given that ESI rules are still relatively new, it's not yet clear how courts will respond, and only an organization's lawyers can offer the final word. The second is to evaluate and deploy possible additional controls for the user environment. One approach could be improved host policy enforcement, perhaps through content-aware agents, monitoring, or rights-management solutions, but more likely via detective and deterrent effects of random or comprehensive audits. Ultimately, any technology choice must be buttressed with user training and awareness that makes clear the policies and processes, and what's expected from users.

Vendors are responding to e-discovery requirements, but they haven't fully climbed on the e-discovery bandwagon. Many organizations still turn to special (and high-priced) service providers to help them find and produce litigation data. However, many IT solutions are relevant to the storage, location, preservation and production of ESI. The exceptions, perhaps, are pure security infrastructure products, such as antimalware solutions, firewalls and other such technologies. On the other hand, security products can help protect ESI integrity, which is quite important.

Relevant types of tools include:
  • E-discovery point solutions: A handful of vendors have emerged to specifically address the e-discovery lifecycle. Such tools offer "one-stop-shopping" by locating important data in information repositories, helping to track legal holds and workflow, and keeping copies of information needed for cases. In truth, most products are grounded in a specific domain such as email archival, content management or forensics, which may not translate to all e-discovery needs. Example vendors in this category are PSS Systems and Iron Mountain's Stratify division.

  • Storing business information: Storage of important records spans document management, Web content management, records management, email archives, file systems (local, storage area, network wide) and many other places. The critical lesson for the security team is that no stone can be left unturned under threat of judicial or regulatory repercussions. In addition, secondary information repositories may be relevant for preservation and production. In particular, various IT logs used as part of business operations may be in scope for discovery. An event log might corroborate a claim about when a particular email was sent or a transaction executed, for example. Network management consoles, log management solutions and security information management (SIM) products all play in this arena.

  • Locating information: Classification tools help tag information or the containing repository with helpful metadata for finding data later. Although classification tools have not traditionally been used for discovery purposes, vendors are quickly adapting to the use case. Examples are EMC with its InfoScape product and StoredIQ. More common are search tools, which provide a means to index content in a variety of resources for later discovery. These include Web search, desktop search, enterprise search and taxonomy-management products.

  • Transforming information: E-discovery rules allow opponents to request different formats for information, not just native format. It's difficult to know in advance what types of data transformation might be required for a particular case. Although various products can change the format of files, none of them rises to the level of an architectural consideration. Instead, they are just tactical tools used on a case-by-case basis.

Communication Key
An important step in the e-discovery process is opening lines of communication with the legal team to understand the implications of e-discovery. Doing so may not be an easy task. A tug-of-war between the IT and legal teams may result from their debate over what needs to be accomplished.

For example, legal may ask for record retention and retrieval systems that are cost- and resource-intensive, thus blowing IT budgets out of the stratosphere. Another example is last-minute legal holds (preservation requests) that give IT little notice but tremendous amounts of work. This relationship is a delicate one that may require some business management oversight to balance cost and demand.

Developing internal leadership also is wise. A number of large enterprises consider e-discovery to be of such paramount importance that they have created specific roles to lead the IT effort companywide. Such "e-discovery experts" close the gap between the legal team and the IT/security organization. They help facilitate communication for operational issues and manage projects to improve e-discovery.

Prudent technology changes will be required as well. Although organizations shouldn't save everything--it's too costly and risky--they do need automated systems that properly preserve what needs to be saved, handle sensitive metadata appropriately, and can transform data in accordance with the requirements of the legal team.

By enhancing policies and making careful technology choices, organizations can, over time, improve e-discovery response. As legal and security teams work together more closely, the critical issue will be defining and following information lifecycle practices so organizations don't find themselves on the losing end in court.
