E-discovery archives - IT Compliance Advisor


Aug 28 2009   5:01PM GMT

Email to the editor: ‘Data security: The missing piece of e-discovery’



Posted by: Alexander Howard
e-discovery, compliance, cyberlaw

The post below is an email to the editor received from Robert DeFazio of Calabria Consulting, responding to “Data security: The missing piece of e-discovery” by Paul Roberts. The views expressed are those of Mr. DeFazio, not this publication or its editors. Comments on its content are welcome.

In an infamous commercial in the 1970s, the actor Chad Everett, who played a handsome doctor on the television series Emergency Room, said, “I’m not a doctor, but I play one on TV.” I’m not an attorney, but I have read a lot about the practice of law and how it addresses computers and electronic evidence.

Part of what I do is to provide suggestions as to how data needs to be kept to mitigate the costs of e-discovery. What I have found is that IT department heads, enabled by the very business owners who would suffer the most in litigation, often feel comfortable dismissing the idea that lawyers properly belong in the loop when it comes to making decisions about how data is stored. Instead, they point to conventional “best practices” that represent the path of least blame should something ever go awry.

The harsh realities of litigation should strike fear into the hearts of every CTO and CIO. Why? The requirements for the admissibility of evidence in court regarding electronic documents focus largely on how hearsay evidence is treated.

In some jurisdictions and courts, the Federal Rules of Evidence and Federal Rules for Civil Procedures are disregarded when it comes to electronic documents because, quite frankly, the judges and attorneys involved simply don’t understand the nature of digital data. They have no idea of what metadata is and why it is important. They don’t seem to understand why the concept of presumption, which is used so often in other areas of legal theory, is often inappropriate when it comes to the authentication of electronic documents. They seem not to understand that electronic documents in native file formats can be manipulated easily. They naïvely trust that anything that comes from a computer is accurate and not hearsay because it’s not produced with a “touch from human hands.”

In other courts, they pay attention to the rules of evidence. They want software that purports to offer factual evidence itself to be authenticated. They want real proof that a document is an original copy or that the copy offered can be shown to meet tests that demonstrate it matches, byte for byte, a reference copy that has an unbroken chain of custody. They want to see that there are specific written policies and procedures that would reasonably assure that a stored document would not be altered during its archival. They want to see things like digital signatures, asymmetric encryption key pairs being used to secure documents, and a host of other up-to-date practices that courts in other countries regard as the ONLY measures that assure the authenticity of documents.

This means that data security must be viewed from a different perspective than the prevailing notion of best practices. Not only does data need to be retained for operational efficiency in the event of a data disaster, but it must also be managed along a separate pathway in such a way that it will meet the needs of attorneys who must defend the corporate endeavor in the event of litigation. Data needs to be cataloged at the time it is stored in accordance with its likely future legal usage. Archived data needs to be kept in two different ways: one for purposes of disaster recovery and the other for legal purposes.

Moreover, the legal archives should not be regarded as a form of “backup data.” They should be regarded as comprising a database in their own right, requiring their own disaster recovery backups.

Why? E-discovery is very expensive. In most states, it is the respondent to a demand for documents that must pay for discovery costs, not the requesting party. E-mail, backup tapes, instant messages, word processing documents, cached files from Web browsers, deleted and fragmented files, network logs, databases, event logs, contents of PDAs and cell phones, and entire disk drives from on-site servers, workstations, home computers, contractors’ computers, and much more is what is typically sought in the process of e-discovery. Litigation holds can be placed on parties even if they are not directly involved in the lawsuit that dictates them. These parties then cannot add, delete or modify the contents of disk drives or other equipment not only during the discovery process but perhaps even until the litigation is finished and has gone through all appeals.

Just how expensive e-discovery can be is illustrated in specific cases and the assumptions that the legal profession has made about what is a reasonable range of e-discovery costs. In the 2002 case of Rowe Entm’t v. William Morris Agency, e-discovery costs incurred exceeded $10.9 million before the first day of the trial ever occurred. In cases of patent litigation, the common costs of litigation easily run between $4-5 million, most of that being e-discovery costs. Many attorneys now accept that the costs of e-discovery for litigation involving a small to medium-size company would range between $2-3.5 million.

E-discovery is now a multibillion dollar industry. Sharks go where there is blood. Litigation support industries spring up around the areas of litigation where there is the most confusion, with respect to evidence, and the highest likelihood of maximum billable hours. When companies keep data here, there and everywhere in ways that make sense to a tech employee whose job it is to keep the machinery of the company moving, it will require an incredible amount of time and work to reconstruct data and documents for purposes of pursuing litigation in court. A tech employee wouldn’t usually understand this, but the company’s attorney would or should. The company’s attorneys need to be part of the group of decision makers when it comes to establishing data storage requirements.

“Anathema!” you say? Get used to it, or eventually go out of business. Litigation is often not so much the pursuit of justice as it is the exercise of legal intimidation. By escalating the demands for electronic documents in the pretrial stages, the costs to be borne by a respondent can rapidly become more than the amount the party intended to recover by going to court in the first place, forcing settlement instead of resolution. Managing data so that it is easy to identify from a legal perspective may not make sense at the moment, but as soon as a suit is filed that seeks damages in the amount of $50 million, the cost of maintaining parallel archives (disaster vs. legal) would seem like a drop in the bucket.

I am sure that someone who reads this might conclude that keeping electronic data in this way is just about as expensive as keeping everything on paper. To that, I respond, “You might be right.” The American mind-set always wants proof that this or that is true. If you have the original stone tablet, you can compare the chisel marks to samples of other stone tablets made by the same person to authenticate it. A stone tablet or a piece of paper represents a finished work, where further modification has ceased. The ephemeral nature of electronic data, however, erodes nearly all the traditionally understood landmarks of evidence trustworthiness. The bar is, therefore, set much higher when it comes to the admissibility and weight afforded to electronic evidence. In some cases, a man’s freedom might be at stake because of a decision about the authenticity of an e-mail message. In another case the survival of an entire corporation and all the jobs and income it produces might hang on the wording of a single sentence in a 200-page document where the opposing parties offer copies where there is a difference of one word.

Data processing costs have been traditionally viewed as being economical because the cost of litigation was never folded into the mix of expenses of running a data-centric business. E-mail, instant messages, electronic documents, databases … all these things make the operation of business much easier to achieve. They also make the defense of a business much more expensive to conduct when things go wrong.

The cost of running an IT department includes:

  • high levels of security
  • backup procedures for purposes of disaster recovery
  • archives where the documents must be individually cataloged for future legal use
  • backups of legal-oriented archives
  • indexing legal documents using OLAP approaches
  • retrieval of documents during litigation
  • maintaining both on-site and one or more off-site storage facilities

That’s a much bigger number than one that just takes into consideration running some servers and workstations and making daily backup tapes. It is that number that needs to be stacked up against the cost of doing things on paper.
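Cataloging a document with a reference digest and a hash-chained custody log, as an added example that is not part of Mr. DeFazio’s email: a copy offered later is checked byte for byte against the digest recorded at archival time, and each custody entry links to the previous one so that a later edit to the log is detectable. The sample documents and key are constructed; an HMAC stands in for the asymmetric digital signature the email mentions, since the Python standard library has no signing primitive.

```python
"""Added example (not from the original post): reference digest plus a
hash-chained custody log for an archived document.  Assumptions: the
documents and key below are constructed; HMAC-SHA256 stands in for the
digital signature the post describes (no asymmetric signing in stdlib)."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Hash the entry's content fields in canonical (sorted-key) JSON form.
    fields = {k: v for k, v in entry.items() if k not in ("hash", "tag")}
    return sha256_hex(json.dumps(fields, sort_keys=True).encode())


def catalog_document(doc_id: str, content: bytes, custodian: str, key: bytes) -> dict:
    # The digest taken at archival time is the only reference for "original".
    record = {"doc_id": doc_id, "reference_digest": sha256_hex(content), "custody": []}
    record_custody_event(record, "archived", custodian, key)
    return record


def record_custody_event(record: dict, event: str, actor: str, key: bytes) -> dict:
    chain = record["custody"]
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    entry = {
        "seq": len(chain),
        "event": event,
        "actor": actor,
        "digest": record["reference_digest"],
        "prev": prev_hash,  # link to the previous entry's hash
    }
    entry["hash"] = _entry_hash(entry)
    # Signature stand-in: HMAC-SHA256 of the entry hash under the archive key.
    entry["tag"] = hmac.new(key, entry["hash"].encode(), "sha256").hexdigest()
    chain.append(entry)
    return entry


def verify_copy(record: dict, candidate: bytes) -> bool:
    # Byte-for-byte match means equal SHA-256 digests.
    return hmac.compare_digest(sha256_hex(candidate), record["reference_digest"])


def verify_custody_chain(record: dict, key: bytes) -> bool:
    # Recompute every link and tag; any edited or reordered entry fails.
    expected_prev = "0" * 64
    for seq, entry in enumerate(record["custody"]):
        if entry["seq"] != seq or entry["prev"] != expected_prev:
            return False
        if entry["digest"] != record["reference_digest"]:
            return False
        if entry["hash"] != _entry_hash(entry):
            return False
        tag = hmac.new(key, entry["hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, entry["tag"]):
            return False
        expected_prev = entry["hash"]
    return True


# Constructed sample: the archived clause and a copy that differs by one word.
ARCHIVE_KEY = b"constructed-archive-key-not-for-production"
ORIGINAL = b"The licensee shall not assign this agreement without written consent."
ALTERED = b"The licensee may not assign this agreement without written consent."


def demo() -> dict:
    record = catalog_document("contract-0001", ORIGINAL, "records-clerk", ARCHIVE_KEY)
    record_custody_event(record, "copied-to-offsite", "backup-operator", ARCHIVE_KEY)
    record_custody_event(record, "produced-for-litigation", "counsel", ARCHIVE_KEY)
    results = {
        "original_matches": verify_copy(record, ORIGINAL),
        "altered_matches": verify_copy(record, ALTERED),
        "chain_intact": verify_custody_chain(record, ARCHIVE_KEY),
    }
    # Rewriting one custody entry after the fact breaks the chain.
    record["custody"][1]["actor"] = "someone-else"
    results["chain_after_tamper"] = verify_custody_chain(record, ARCHIVE_KEY)
    return results


if __name__ == "__main__":
    print(demo())
```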

Aug 4 2009   2:55PM GMT

What online privacy expectations exist for social media use at work?



Posted by: Alexander Howard
privacy, Security, Web 2.0, Law, Big Brother, Twitter, online privacy, compliance, DLP, e-discovery, social media

If you read Professor Jonathan Zittrain’s rebuttal on cloud computing to Bernard Golden at CIO.com today, you know that both agree that privacy is the No. 1 concern for cloud computing. Compliance officers have to worry about more than just privacy, of course, but protecting the private information of employees and customers alike is a crucial component of any enterprise-class security regimen.

Given, say, Twitter security risks, I knew the premise for SearchCompliance.com contributor Andrew Baer’s recent tips on social media use in the enterprise holds considerable merit: Social media platforms demand a clear employee Internet use policy.


When it comes to the details, however, I was left with more questions than answers. I understand that as a lawyer and e-discovery expert, Baer is naturally risk-averse. Moreover, I recognize that he’s forgotten more about e-discovery and the law than I currently know as a journalist.

That said, Baer’s position on online privacy and the rights of the employer to access the online activity or posts of employees veers into more ambiguous territory. Baer writes that a “policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet, and that the enterprise reserves the right to monitor all usage of IT resources and Internet postings without notice and does so periodically.”

I imagine most observers can agree that enterprises need to create a Web 2.0 usage policy that extends existing rules and reminds employees of established guidelines for electronic communications and expectations for online privacy. Such guidance is even more crucial in regulated environments, as explained in “Compliance concerns dog enterprise 2.0 collaboration software.”

Baer acknowledges the privacy issue: “Monitoring employee Web 2.0 use and terminating or disciplining an employee based on that use can raise legal privacy issues if an enterprise’s Web 2.0 strategy is not well planned and administered.”

The bottom line, however, is that Baer’s advice to compliance officers would appear to extend far beyond IT compliance into something else that he appropriately calls “Big Brother”-like action. As Baer observes, “Some employers may not want to go this far, since policing what employees say outside of work may seem Orwellian and lead to image problems.”

Image problems may just be the tip of the iceberg. I’m left wondering what other e-discovery experts, attorneys, security experts and compliance officers think about online privacy in this context.

George Moraetes, an independent security consultant for Securityminders Inc. in Illinois, agreed via email with Baer that “employees should have no expectation of privacy in anything they store or transmit using corporate IT resources.”

Moraetes wrote “that is a correct assumption, most companies treat email the same way. Employees have separate accounts using own resources. The only way to assure privacy is to encrypt your transmissions, in addition to using aliases. Most users are not techies and lack sophistication. Many companies do not implement DLP and NAC systems, although this in itself will not stop it.”

Moraetes went on to describe the issue further:

“I demonstrated to the IRS a project back in 2004, the ability to leak information and not be caught. They told me they would catch anyone — or so they thought.

“In my demonstration to them, I advised that perimeter firewalls all must have ports 80 and 443 open bi-directionally. Otherwise, how would your staff and external users access resources? Obviously, when someone goes to Gmail or even Playboy their network captures and blocks them, reporting them to security — which is a serious offense. In saying that, I launched OpenVPN, communicating directly to my proxy/VPN server from Washington, D.C., to Chicago. I went anywhere that was prohibited and the internal traffic from their DLP systems could not detect or see me. There was nothing they could do about it. There are more ways to skin a cat to breach and leak out information, including Web 2.0 and using TweetDeck, email and the Web. Funneling encrypted traffic can bypass the majority of corporate systems.”

I’m writing an article about online privacy that will capture more viewpoints of other IT practitioners and e-discovery experts. If you have opinions about the use of social media on corporate systems and the online privacy expectations that surround them that you’d like to share, please comment here, @reply to @ITcompliance on Twitter or relate them directly to ahoward@techtarget.com with instructions on whether you’re willing to see them published.



Jul 20 2009   7:26PM GMT

Managing e-discovery and compliance: What would Eliot Spitzer do?



Posted by: Sarah Cortes
e-discovery, Audit, regulation, Massachusetts, privacy, Security, compliance, high-risk data, Technology, Putnam, Putnam Investments, market timing, Project management, Eliot Spitzer, business

E-discovery - or electronic discovery - has many technical aspects. Questions of available tools, case law, regulations and scope are critical. One of the most important and often overlooked elements, however, is managing e-discovery and compliance.

As a senior manager at Putnam Investments, bizarre coincidences and convergence of fate with the soon-to-be famous marked my tenure. Few chapters embodied all these elements as thoroughly as the following e-discovery anecdote, for reasons that are obvious now, but were less so in 2003.

On Monday, Nov. 3, 2003, Putnam Investments fired its CEO, Larry Lasser, following a probe into market timing. Eliot Spitzer, New York’s attorney general, and William Galvin, the Massachusetts state regulator, had brought significant pressure to bear regarding market timing charges.

Spitzer, then known best as U.S. Attorney for the Southern District of New York, issued a subpoena two weeks later for Putnam documents. In the process, he indicated that criminal charges were being considered. From that day onward, senior managers at Putnam had a critical new IT project: managing e-discovery and compliance.

Unlike other IT projects, which include a feasibility analysis, budgeting and decision-making process prior to kickoff, e-discovery really starts from subpoena receipt. Spitzer’s reputation for a “take-no-prisoners” approach to investigations and prosecutions, not atypical for situations many firms face during litigation, had implications for IT.

From the moment a subpoena is received, senior technology managers should be called in. From IT’s viewpoint, e-discovery then becomes a new IT project on the list that requires reprioritization of existing resources.

The first step in managing e-discovery is to assign an IT project manager. Given that this will be a high-risk project, a seasoned individual is required. That means either hiring a backfill candidate for an existing project, or cancellation or delay of existing work. E-discovery is usually a good example of a project that has no real, measurable ROI. This is a handy data point for all those IT projects that you, the IT manager, have to argue for each year during the budgeting process. That process demands an ROI even for operating system, database and other major software upgrades, which are also projects that evade calculating an ROI.

The next step in managing e-discovery is stakeholder and requirements identification. While vendor or tool selection usually comes later in the process, for a specialized project like e-discovery, identifying requirements should be fast-tracked from Day One. Firms and experts specializing in e-discovery are crucial for this type of project, which typically will be handled only once in a company’s lifetime – if you’re lucky. Your staff is likely to lack experience with e-discovery, a reality best addressed by selecting an advisor immediately after selecting a project manager.

In the next post, I will address how to adapt standard project management techniques to the e-discovery project.

Questions? Write to editor@searchcompliance.com or reply to @SecuritySources on Twitter.



Apr 1 2009   6:41PM GMT

EDiscovery.gov has launched: Will e-discovery be nationalized?



Posted by: Alexander Howard
e-discovery, Federal government of the United States

Have you been to Ediscovery.gov yet? Before you gasp, remember what day it is. If it’s April 1, it must be time for online jokes and hoaxes — check out TechCrunch’s list of April Fools jokes.

Compliance officers and infosec professionals will be especially amused by what Kurt Leafstrand at Clearwell Systems worked up: “Government launches bold new recovery effort.” Here’s the demo:

Kurt and his compatriots put some time into this effort. Here’s the faux press release:

SEEKING NEW AVENUE FOR COST-CUTTING, GOVERNMENT LAUNCHES BOLD NEW RECOVERY EFFORT

WASHINGTON — Senior Administration officials today took the wraps off of their latest effort to stabilize the American economy: The nationalization of the electronic discovery industry. According to a senior official who declined to be identified, “Even before the beginning of the current turmoil, everyone acknowledged that electronic discovery costs were out of control. Now, with litigation accelerating and corporate earnings plummeting, something had to be done. Without this action, a significant number of leading American corporations would be in danger of shutting their doors due to the overwhelming burden of e-discovery.”

Effective immediately, all electronic discovery projects are being centralized under a single authority, the National Electronic Record Discovery Institute (NERDI). The Institute will be launching a nationwide electronic discovery portal on April 1, 2009 at www.ediscovery.gov. The site will build upon the recent success of the government’s economic recovery accountability site, www.recovery.gov. Said one Institute official, “Just drop the ‘r’ and insert a ‘dis’, and you get eDiscovery. It really is the next logical step in the government’s efforts to help the country in a time of profound need.”

Industry experts initially expressed skepticism about the government’s ability to make electronically discoverable information available in an efficient, expedient, and secure manner. Early plans had the government using the U.S. Postal Service and the network of I.R.S. tax return servicing centers as the logistical backbone for managing the collection and processing of documents. However, after negotiations with the National Security Agency, this step was eliminated from the process. Instead, all electronically-generated information in the United States will be instantly processed and made available through the ediscovery.gov site. Commented an NSA spokesman, “We have all the information anyway; why not make it easily accessible, instead of pretending it’s not here?” As for security, officials stated that “individuals can expect the same level of security and identity protection they’ve come to expect from their financial institutions and credit card companies, along with the additional protection and responsiveness they’ve come to expect from the Federal government.”

Nicely done, folks. We look forward to a briefing from NERDI later today, as we’ve heard a global NERDI initiative may be undertaken in 2010.

(Hat Tip: Gabe’s Guide, via The Posse List)



Feb 10 2009   4:08PM GMT

IT and legal up in a tree … d-i-s-s-i-n-g



Posted by: Linda Tucci
e-discovery, alignment

Whatever their relationship in the past, IT and legal departments should probably be pretty tight these days given the expectation that financial regulations will intensify and litigation increase in the wake of the fraud, foreclosures, massive layoffs and other ills perpetrated by the greed of Wall Street financiers.

But a recent survey conducted by Osterman Research Inc. for Recommind Inc. suggests that the disconnect between IT and legal remains alarmingly entrenched. According to the survey, conducted in early January of 250 mostly IT enterprise employees, only 37% said IT and legal are working more closely together than a year before; 33% reported an “average” or “poor” working relationship between the departments.

While respondents generally held their legal departments responsible for policies concerning legal hold (73%), data retention (50%) and records management (47%), nearly three-quarters (72%) said that IT was expected to take the lead on all buying decisions. The disjunction no doubt will lead to many bad technology purchasing decisions, at a time when companies cannot afford to make mistakes.

Blind leading the blind

As the lawsuits come pouring in, expect more stumbles on e-discovery. The survey also showed that only 29% of IT respondents believe IT “truly understood” e-discovery technical requirements. A meager 12% expressed confidence in their legal teams’ understanding of the requirements. In any case, neither side is of much use when it comes to implementing e-discovery technology and initiatives: only 27% of respondents said IT is helpful in these projects; make that 12% for legal aid.


Feb 3 2009   3:12PM GMT

Corporate reporting: The next information governance frontier?



Posted by: Alexander Howard
corporate reporting, SEC, transparency, governance, SOX, e-discovery

This is a guest post from Barclay T. Blair, author of Information Nation and head of the information governance practice at Forensics Consulting Solutions LLC.

“[S]unlight remains the best disinfectant for problems in our capital markets.”

- Christopher Cox, former chairman of the Securities and Exchange Commission (SEC), June 2008

Back before the failure of Lehman Brothers, the ouster of John Thain from a combined Bank of America/Merrill Lynch, and before a new president said we were “facing the greatest economic challenge of our lifetime,” the SEC began working on an initiative to improve public company “transparency by making disclosure information more accessible and easier to use.”

This 21st Century Disclosure Initiative published a report in January that proposes, among other things, requiring “tagging” of financial information so it is more interactive and useful, and moving away from a document-centric paradigm. The intent is to modernize the way that investors receive information about the companies in which they invest.

This initiative, which may or may not have legs under a new SEC commissioner, raises some interesting issues for information management and corporate governance.

It will be difficult for the SEC — or anyone else — to “shine some sunlight” onto the financial and governance practices of corporations until the corporations themselves take control of their information.

Most organizations today struggle to understand where all their information resides, what it is, how to get to it, or how long to keep it. Witness the astounding numbers and ugly battles (like the e-discovery dispute centered around the SEC’s delivery of 1.7 million documents involving the SEC) that routinely arise when organizations are asked to dig up digital information — especially email and office documents — in the context of electronic discovery.

The reality for most institutions is that the most valuable information resides in the least managed locations. How many companies still rely largely on spreadsheets and email to comply with the Sarbanes-Oxley Act?

If my practice is any gauge, most of them.

Regardless of what happens with the SEC’s initiative, most politicos seem to agree that we are heading into an era of increased regulation under the Obama administration. I would recommend that organizations try to get ahead of what’s coming by looking at their current information governance practices with an eye to improving internal transparency — before someone steps in to make them do it.

To this end, perhaps it is time to revisit document retention and management practices. Here are some questions to think about:

  • Are your valuable financial records being maintained in appropriate systems, or are there unmanaged copies in poorly controlled network drives and “drop boxes”?
  • What do your email practices look like? Is email retention controlled? Do your employees export email out of the email system into unmanaged locations?
  • How much important financial information (including the records that underpin financial information) resides in unmanaged, unsecured locations?
  • Are you using your backup tapes for archiving purposes? If so, do you understand the potential cost and risk should those tapes need to be searched for SEC investigations or litigation?

Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors and government institutions, and is an author, speaker and internationally recognized authority on a broad range of policy, compliance and management issues related to information governance and IT. Blair heads the information governance practice at Forensics Consulting Service LLC, and can be reached at bblair@fcsig.com or (403) 638-9302.