In 1996 I was involved in a lawsuit between my then-employer and another company. My employer had engaged outside counsel for the litigation, and I needed to send some documents their way. I thought e-mail would be the best method, so I called the outside counsel to ask for an appropriate e-mail address. To my bemusement, he replied, “We don't have e-mail here,” and went on to explain that his office applications were a couple of versions behind. Hiding my surprise, I pointed out that perhaps his firm was a little behind the times and at some disadvantage. The lawyer's reply: “We lawyers are a bit slow to catch up, but we always manage to.”
Indeed, the legal system has caught up with the information age with the amendments to the Federal Rules of Civil Procedure (FRCP) that became effective December 1, 2006. The new rules, often referred to as eDiscovery, address corporate electronically stored information (ESI) that may be subpoenaed under a civil action. The rules intend to redress both real and perceived problems involving ESI.
Security's Role Regarding ESI
While it is the primary domain of lawyers to take charge of legal matters, security executives should understand the principle points of the new rules and help lead necessary ESI change management within their corporations. Failing to abide by the new rules could lead to litigation sanctions that include fines, evidentiary exclusions, adverse jury instructions, increases in settlement/risk value of cases and potential obstruction of justice and criminal liability charges.
EDiscovery rules significantly affect the way in which counsel approaches the timing and scope of discovery—the process of locating and searching data for use in legal action. The rules also place new requirements on corporate IT resources to identify, describe, preserve, and produce corporate information. Companies should reexamine their information retention program and develop a defensible strategy that includes abiding by the rules. Security leaders must become cognizant of the company's IT infrastructure and data archiving policy and programs, for data stored outside as well as within the United States .
While the FRCP was amended to address seven principle areas. let's briefly examine two of the more problematic and significant changes: Early Attention (Rule 26f) and Forms of Production (Rule 34).
Rules for Dealing with Data
The amendments require parties to meet early in the discovery process and address ESI issues that can include preservation, scope of discovery, costs and burdens, forms of production, privilege concerns, privacy/security/confidentiality, and accessibility. For the first time, parties are required to discuss ESI preservation and develop a discovery plan.
For example, many companies use third-party software to record and manage security incidents and investigation files. Upon request for discovery, how will that ESI be produced? In hard copy? Fine, but how will requests for the original source data be handled? True, the data is often in an open-architecture file format and may be accessed in a non-proprietary application. But then, how will redacted data be managed? If the data needs to be presented in court in the application in which it was originally created, does your company need to establish and maintain a legacy application library?
Data is becoming more prevalent across the enterprise in an increasing variety of forms: in e-mail, voice mail, instant message, on PDAs, local drives, shared drives and Web sites. Preparing for litigation implies that all of these new data repositories must be included in a data and records retention policy and program. Security executives involved in litigation could be called upon to describe their company's records retention policy and be knowledgeable of the systems used to manage their department's data. Lacking a credible program or failing to adhere to the policy is indefensible in court and may expose the company to legal risk.