In essence, IT teams are strategic helpers for enterprise litigation, and the choices they make for the creation, storage, archiving and destruction of information have significant effects on legal and regulatory evidence handling.
What this means is that it’s prudent for the security team to understand the core aspects of e-discovery law and practice. After all, the information lifecycle involves data availability, confidentiality and integrity — all critical security objectives. In addition, security practitioners should note the market landscape for e-discovery solutions and related products, including e-discovery point products, enterprise-search tools, classification systems and records archiving.
So, what’s the essence of e-discovery? Central to US judicial practice since the 1930s is the concept that parties in litigation are entitled to explore the facts fully (often resulting in out-of-court settlements) before presenting their cases to a judge or jury. Courtroom "surprises" may make for good television drama, but US judges frown on surprise as an element of justice.
Thus, the rules of procedure in federal and state courts require very liberal access during the discovery phase of litigation to any witnesses, documents, premises or "things" that might help assess each side's legal claims and defences. Any of these may be presented in a courtroom, and among them is electronically stored information (ESI).
As security teams begin to ponder how to handle e-discovery, they often make some mistakes. First, they assume that they can best manage risk by saving all information forever. This isn't true. Frankly, it's not cost-effective to save all data. Although storage continues to get cheaper with time, it's not free, and the amount of ESI created by organisations annually is staggering.
In addition, "oversaving" can lead to disclosing information that’s irrelevant to a case but might unnecessarily open other lines of investigation. Periodic and well-defined information destruction should be part of the normal cycle of business.
The second significant mistake is similar to the first: not only do IT and security teams believe that more information should be saved than is strictly required, they often believe data should be massively centralised to accommodate finding it.
Although a reduction in the number of repositories and product instances can be a boon, it's not feasible to create a single "super-storage vault." Any sane response to e-discovery will necessarily involve multiple data sources. Organisations will have to employ many different technologies to attack the problem, including search, data mapping, and categorisation/classification.
How can an organisation improve its stance for e-discovery? The following initial steps are critical:
Open lines of communication with the legal team:
Lawyers need to help make decisions in a number of critical areas, such as whether it’s appropriate to store document metadata long term, whether data can be archived in something other than its native format, who should be trained to testify in court about IT practices of the organisation, and what the triggers are for holds or data collection. Just as security teams must work closely with auditors for regulatory compliance, it’s now time to build ties with the legal group.
Create policies and procedures for discovery:
It's easy to recommend — and not so easy to implement — but in the end, e-discovery means establishing policies and procedures, documenting them and building systems that support those policies. One of the first questions that courts will ask is, "What are your policies?" Every organisation needs a good answer. Policies should cover data retention, legal holds, information integrity and user education.
Develop internal leadership:
A number of large enterprises consider e-discovery to be of such paramount importance that they have created specific roles to lead the IT effort companywide. Such "e-discovery experts" close the gap between the legal team and the IT/security organisation. They facilitate communication on operational issues and manage projects to improve e-discovery response.
Don’t save if you don’t have to:
Only essential business information need be stored and made available for discovery purposes.
Therefore, part of the e-discovery project should be an assessment of what is stored across the organisation. Does each store satisfy a business requirement, contractual obligation or regulatory mandate? If the answer is no, then retaining the information might not only be unnecessary but also unduly risky.
Mind the metadata:
Most documents carry information beyond their visible content (metadata such as creation dates, author notes and revision history) that can be very sensitive. Security teams must help assess whether documents should be archived with metadata intact and whether, during discovery, it's acceptable to strip sensitive metadata before production. Whatever is decided, stripping should be done on a production copy rather than on the preserved original, so that the integrity of the original ESI can still be demonstrated.
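As an added illustration of the metadata point above (example code written for this page, not code from the original article or from Burton Group): the script below builds a minimal DOCX in memory, lists the core properties held in its docProps/core.xml part, and writes a production copy with chosen fields removed while leaving the original bytes untouched and hashing both. The sample document, its parts and its field values are constructed for the example; the namespace URIs are those of the Office Open XML core-properties part.

```python
"""Enumerate and selectively strip DOCX core metadata.

Added illustration for the "Mind the metadata" point; not code from the
original article. A DOCX (Office Open XML) file is a ZIP container, and
the part docProps/core.xml holds the core properties (title, creator,
lastModifiedBy, revision, created, modified). The sample built below is
constructed inline with only the parts needed here, so it is not a
complete Word file.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml (OPC core properties).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the real prefixes when re-serialising
URI_TO_PREFIX = {uri: prefix for prefix, uri in NS.items()}

# Constructed sample core properties; every value here is invented.
SAMPLE_CORE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
<dc:title>Q3 forecast</dc:title>
<dc:creator>a.author</dc:creator>
<cp:lastModifiedBy>legal.reviewer</cp:lastModifiedBy>
<cp:revision>7</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2007-05-01T09:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2007-05-28T17:45:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

SAMPLE_BODY = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
               '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
               '<w:body><w:p><w:r><w:t>Forecast text.</w:t></w:r></w:p></w:body></w:document>')


def build_sample_docx() -> bytes:
    """Assemble the constructed sample as an in-memory ZIP container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("word/document.xml", SAMPLE_BODY)
    return buf.getvalue()


def _qname(tag: str) -> str:
    """Turn ElementTree's '{uri}local' into 'prefix:local' using the table above."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return f"{URI_TO_PREFIX.get(uri, uri)}:{local}"
    return tag


def read_core_metadata(docx: bytes) -> dict:
    """Return the core properties as {'dc:creator': 'a.author', ...}."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {_qname(el.tag): (el.text or "").strip() for el in root}


def strip_core_metadata(docx: bytes, remove: set) -> bytes:
    """Return a new DOCX with the named core fields removed.

    The input bytes are never modified: redaction is done on a production
    copy so the original ESI, and the hash recorded for it, stay intact.
    """
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
         zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for el in list(root):
                    if _qname(el.tag) in remove:
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            out.writestr(info.filename, data)  # every other part is copied verbatim
    return out_buf.getvalue()


def sha256(data: bytes) -> str:
    """Hash recorded for the original and for the produced copy."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    original = build_sample_docx()
    print("original", sha256(original), read_core_metadata(original))
    produced = strip_core_metadata(
        original, {"dc:creator", "cp:lastModifiedBy", "cp:revision"})
    print("produced", sha256(produced), read_core_metadata(produced))
```

Core properties are only one place metadata lives: a real document also carries docProps/app.xml, tracked changes and comments inside the word/ parts, which a production workflow has to review separately. Record the hash of the original before any processing, and keep the stripped output as a distinct artefact with its own hash.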
To balance costs with the security requirements of e-discovery, IT and security organisations will need to enhance policies and automate the processes of preserving, locating, and producing electronic evidence.
The first order of business is opening lines of communication with the legal team to understand the implications of e-discovery. But prudent technology changes will be required as well, and a maturity model helps organisations improve e-discovery response over time.
- Trent Henry is a senior analyst with Burton Group, an IT research and advisory firm.
Tips for a security team's role in e-discovery
By Trent Henry, on May 29, 2007 4:36PM