So you passed your recent compliance audit. Your documentation and technical safeguards are in tip-top shape. You even have management on your side, providing reasonable money and support. All's well in the world of security and privacy -- that is, until your business gets sued and receives an e-discovery request.
Suddenly, the strong controls and leadership you have in place might not seem so robust. Electronic discovery, and more specifically information classification and retention, is arguably the biggest IT-related weakness in any given organization. Regardless of the size of your business or what industry it's in, you likely have some gaps in your
When asked how they inventory, store and dispose of electronic information, many IT leaders respond with "I don't know," "We're working on it" or "Legal handles that." The majority of information management scenarios I see in my work are lax, at best. Many people simply keep all electronic information indefinitely. It seems easier that way, but it usually only serves to help the opposition in a lawsuit. On the other hand, I have seen scenarios where lawyers who weren't up on compliance and technology just assigned random retention periods for electronic information. Even worse, the people in IT and compliance who needed to know about these policies were out of the loop. Nothing was getting done.
Many e-discovery cases have shown that the courts don't take too kindly to sloppy information management practices such as a lack of retention periods and inconsistent policy enforcement. There's a general false sense of security around e-discovery. Management and IT admins often assume that they'll just be able to do some quick searches and find whatever's needed when the time comes. The reality, however, is that electronic information is scattered about in every nook and cranny of the business. From decommissioned servers to off-site tapes to laptops and beyond, information that could be fair game in an e-discovery request is everywhere. Finding that information -- especially if it hasn't been properly labeled, classified and stored where it should be -- can be an insurmountable task if you're in a pinch and need it quickly.
"Dig your well before you're thirsty." It's an ancient Chinese proverb that fits nicely into the context of e-discovery. By this, I mean get management's support and clearly define roles and responsibilities in the information management process so everyone is on the same page and can hit the ground running when needed. For example, the IT team will be responsible for the technical components, legal counsel for defining what to keep and for how long and so on. You also need to determine what information you have and where it's located, and clearly define the business's policies and procedures for information retention and disposal. Your security/governance/compliance committee would be perfect for all of this. Some companies even have a dedicated e-discovery coordinator who's responsible for this stuff 24/7. Just do something. Check out the Electronic Discovery Reference Model for further information on widely accepted practices in this area.
Finally, automating information classification and retention is essential for keeping e-discovery-related costs down. They say necessity is the mother of invention. Once lawyers and IT staff have to sift through everything manually to satisfy an e-discovery request, they'll see the value in information management products from companies such as StoredIQ and Kazeon.
E-discovery is a beast that's easily controlled if you make the right choices. As with information security assessments, if you're going to effectively manage IT risks and keep all aspects of compliance in check, you have to ensure electronic information is managed in the right ways by the right people using the right tools and some good old-fashioned common sense.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. He can be reached at www.principlelogic.com.
This was first published in July 2009