Manage Learn to apply best practices and optimize your operations.

E-discovery management: How IT should interact with the legal team

Amid the growing important of electronic discovery, it's critical that an organization's IT team strike a good working relationship with its legal team. But this can be un-chartered territory for IT personnel. In this tip, contributor Trent Henry supplies some e-discovery questions IT should ask the legal team and unveils some of the conversation that needs to happen to bring the two teams together.

Live webcast: The e-discovery tool landscape
Join us on March 26th at 12:00 p.m. as Trent Henry provides an overview of several product categories that can offer insight into the e-discovery process.

Since the 1930s, there's been a central concept in U.S. judicial practice: that parties in litigation are entitled to explore the facts of a matter fully (often resulting in out-of-court settlements) before presenting their cases to a judge or jury.

Courtroom "surprises" might make for good television drama, but U.S. judges frown on surprise as an element of justice. Thus, the discovery phase of litigation mandates liberal access to any witnesses, documents, premises or "things" that might help assess each side's legal claims and defenses in a courtroom.

Enter the growing relationship between IT and legal teams. Given the importance of electronic information in businesses, much of the evidence that can help to assess legal matters is managed by IT and information security teams. Logically, lawyers expect access to this information. So how should IT and information security work with legal counsel?

There are two fundamental questions that need to be asked: "What data should be saved?" and "What needs to be preserved?" The legal team asks the first question, and IT helps to answer it by discussing business requirements (including regulatory and contractual drivers) for systems and the information they hold. The IT team asks the second question, and lawyers offer guidance for current or upcoming court cases that will require special retention of information.

In conjunction, IT teams should ask two related questions: First, "What's the status of preservation orders?" It turns out that discovery rules offer a green light for IT to continue normal information life cycle practices. That is, courts expect data to be destroyed as part of typical business processes—as long as they are clearly documented. Organizations are granted a safe harbor for this activity. In other words, they won't get in trouble with the courts if they're following normal business procedures. However, if litigation is underway or reasonably expected, relevant information should be preserved as part of a "legal hold." Therefore, IT needs to be in constant communication with legal counsel to understand what legal holds are in effect and what data should be preserved.

The best course of action is for IT to always stay informed on what the legal team is up to. Hence a second question, "What's the on-boarding process for new or expected litigation?" What IT doesn't want is an obscure voicemail message such as, "It looks like WidgetCo might sue us next week. What have we done about the data around that project?" Far better is ongoing, forward-looking conversations about impending cases.

Because they negotiate with opposing counsel, the legal team needs to understand how costly it will be to produce data. Will a piece of information stored in a long-lost underground vault cost a fortune to dredge up, or is it used routinely for sales forecasts, making it easy to gather? As a case unfolds, IT teams might need to help legal counsel assess the production timeframes and location of critical data. Specifically, they need to answer the questions, "Where is data? In what timeframe was it collected? Who has access and control? How's the data managed over time? How quickly can it be restored or retrieved? What will it cost?"

For more information:
In this Data Protection Security School tip, Perry Carpenter explains why security pros should prepare for e-discovery services in advance.

Network security expert David Strom demonstrates how to use a log-filtering tool to quickly make use of log files.

Contributor Noah Schiffman highlights internal risks as well as some storage-specific DLP issues.


The legal team needs to offer critical advice to IT as well. An important question is, "What should we do about document metadata?" For example, consider if a plaintiff alleges that a former employee carried trade secrets with him to a new employer. It would be telling if metadata on the new employer's documents showed that they originated with the old employer.

Ideally, unnecessary metadata and previous file versions should be stripped away from documents and records before they are stored. However, the legal community itself is still grappling with file-format and data-redaction issues. Therefore, it's best to clear any decisions about the technology of handling metadata with the legal team before going forward. For example, don't modify document metadata in archives before talking with counsel.

Metadata issues not only relate to incrimination, but also to legitimate questions of information accuracy and integrity. For example, does a requester really want a native file that contains the macro "DATE_TODAY()?" The document received will necessarily be different than the original, which might not be the desired result.

Finally, IT should be able to answer the question, "How can I show that this data is good?" Business records are entitled to a presumption of validity under the rules of evidence. And a party challenging that validity has the burden of rebutting that presumption (for example, providing evidence of tampering or non-routine destruction). But it's wise to let the legal team know what security controls help protect the integrity of information.

Given the requirements of e-discovery and the conversation needed between legal and IT, what's the bottom line? Each team has expertise required by the other. And each team needs to focus on its core subject matter. Issues of case strategy, negotiation among claimants, and the details of e-discovery rules should lie with the legal time. Issues of information retention policies, appropriate use of automation, and how best to preserve information should lie with IT and security groups. The key steps will be to ask, listen, and continuously work together to ensure proper and cost-effective e-discovery management.

About the author:
Trent Henry is research director with Midvale, Utah-based research firm Burton Group. Henry is a Certified Information Systems Security Professional (CISSP) with more than 15 years of experience in information technology working at companies including Identrus, Digital Signature Trust, Ameritech, and Apple Computer. His past work includes PKI industry security management and technology research, Internet server and protocol product development, and operations leadership of large-scale network and distributed systems deployments. Henry has participated in security standards bodies including X9 and Internet Engineering Task Force (IETF) and contributed to the first Common Criteria Protection Profile slated to become an ANSI standard. He is a respected speaker and writer on information security, audit, and compliance topics and received his undergraduate degree from Stanford University.

This was last published in March 2008

Dig Deeper on Data security strategies and governance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.