As many compliance officers can attest, there's definitely no shortage of compliance regulations – except, that...
is, when it comes to e-discovery strategy. This creates a precarious situation for some businesses: In a world where regulation often dictates IT direction (almost to a fault), how do you make sure your e-discovery strategy is on the right track?
In this Q&A, SearchCompliance.com Editorial Director Scot Petersen talks with attorney Jeffrey Ritter, an expert on technology law and CEO at the Ritter Academy, about the challenges this lack of direction creates for corporate e-discovery strategy.
What are the standard "musts" we should include in our IT and procedures manual to ensure a quality e-discovery strategy?
Ritter: One of the things we do not have yet in the field of e-discovery is a clear expression of what a defensible best practice may be. In records management, we have an ISO standard for records and information management. In information security, under [ISO] 27001, we have a standard against which compliance can be certified. For companies to find, preserve and produce information that can serve as evidence, we don't have any such standard. So, the companies are challenged to figure out "how can we reduce our risk?" We don't have a directory, a guide, a publication or a standard we can point to in e-discovery.
More on e-discovery strategy
Organizational development's influence on the e-discovery process
Now, step away from e-discovery for a moment and think how often in business we ask the question, "Are these the right sales data for the Southeast region?" or "Have you checked these to make sure there are no changes since last year?" and "Who's this person and what was their responsibility for producing the report?"
The courts are asking the same thing: If you want this information to be considered as evidence, we need to know where it came from, we need to know how it was maintained and we need to know that it has the same benchmarks that are often associated with good information security. In fact, what has been interesting is the emergence of a standard out of the British Standards Institute on the admissibility and weight to be given to digital information as evidence. What was fascinating about the publication of this standard is that it essentially provides the perspective that good information as evidence is information that has been maintained pursuant to a strong information security management program. So a company that has good information security almost by default has the ability to find and recover information.
How will this affect companies' e-discovery strategies?
We don't have a directory, a guide, a publication or a standard we can point to in e-discovery.
technology law expert and Ritter Academy CEO
As we move forward over the next, I think, five to 10 years, what's going to occur is that companies are going to be looking for a global standard that integrates both the legal rules and also these technology standards so they have one consistent point of reference. The key thing that comes across all of this is that, if I'm looking to find and preserve information as evidence in e-discovery, can I apply consistent, continuous improvement, good monitoring, good efforts at remediation and do better? The key to good e-discovery is documenting the steps you've taken and being able to evaluate how well they were performed. Put those into the policies and procedures manual as the natural outgrowth of information security, and you've gone a long way.
What about certification processes for e-discovery and information security? Do you have any ideas or anything to offer on that area?
In certification, you have to be very careful, particularly around e-discovery. There are a couple commercial companies that are selling you training and the ability then to say you've been certified. So, you sit in a lecture hall for eight hours and then take a small test, pay your money -- I forget how much it is -- and you're so-called "certified." But I would caution anyone to believe that leaves them competent to handle e-discovery, or that it would be tremendously meaningful to either customers or insurance carriers.
Compare that to the weeklong and multipart segments that are required to get your CISSP in information security. In e-discovery, we're still looking to find that right benchmark. At the Ritter Academy, we offer online training available 24/7, but we do not offer certification because we actually don't know what the benchmark of minimum competency is. Things change so much; it's important that we provide continuous learning. I think we may see some specialization emerge for lawyers, litigation support professionals and non-lawyers -- but we're not there yet on e-discovery.