
It is time the UK's information security professionals
got to grips with the role they play in e-discovery
projects, the process of locating and providing current and stored
electronic records for regulatory compliance
and civil or criminal litigation.
That's the message from Mike Lynch, CEO of search company
Autonomy. Right now, he says, only a small minority are up to
speed, typically those who work for organisations in highly
litigious industries (such as pharmaceuticals and financial
services) or at companies with operations in the US, where they are
subject to that nation's stringent Federal Rules of Civil
Procedure (FRCP). But the majority of security
professionals still have much to learn about e-discovery, according
to Lynch.

Lack of awareness

"I see a wide lack of awareness among IT security staff that
e-discovery needs to be a factor in every architectural decision
they make. The problem, as I see it, is that much of what defines
an e-discovery project - making vast amounts of information
available at speed - would appear to fly in the face of what
information security professionals are trying to achieve on a
day-to-day basis; that is, keeping information safely locked
away."
As a market leader in the e-discovery tools space, Autonomy has
a clear commercial impetus for alerting as wide a community as
possible to the importance of e-discovery preparations. But even
more impartial industry watchers echo Lynch's view that any
e-discovery implementation has major implications for the IT
security team.
Fran Howarth, an analyst with IT market research company Quocirca, says:
"Electronic information can easily be altered or even deleted if
the proper security controls have not been put in place. What is
needed [for e-discovery] is a highly secure, comprehensive
information management system to ensure all data is produced and
stored securely and is easy to retrieve through enterprise search
capabilities."

Secure as standard

Without appropriate security controls in place, she points out,
companies may struggle to convince the courts the information they
produce in response to a litigation request is admissible as
evidence. With that in mind, the British Standards Institute (BSI)
published the BS10008
standard in December 2008. This sets out requirements for the
implementation and operation of electronic information management
systems and aims to ensure any electronic information required as
evidence of a business transaction is afforded "maximum evidential
weight".
As such, many of the requirements focus on security issues: the
secure storage and transfer of information, with particular focus
on its authenticity and integrity; and its secure access, including
the use of identity management systems and electronic signatures.
All this should be familiar territory to the skilled information
security professional, whether or not they have yet scrutinised
BS10008. Preparations aside, information security professionals
also have a major role to play when a disclosure demand prompts an
e-discovery exercise within their organisation, says Alessandro
Moretti, a member of the European Advisory Board at security
industry body (ISC)2 and executive director of IT security risk
management at UBS Investment Bank.

Legal ramifications

"E-discovery requires a suitably qualified IT security
professional to assist in defining the search criteria. Only
appropriate and relevant
information should be included in the search and the capture
process has to be strictly controlled, according to digital
forensic procedures," he says. Once evidence is captured, he adds,
access has to be restricted to the e-discovery team and, where it
includes personal information, data protection laws must be
observed. "A non-qualified professional could make many mistakes in
this process, contaminate evidence and potentially break data
protection laws," he says.
It is vital, too, that mobile devices, from smartphones to
laptops, are not left out. "The rules, as they apply in the UK, are
quite clear: if it is relevant to the case, it must be disclosed,"
says Lynch of Autonomy. "Your best endeavours will not be
considered sufficient if you can't demonstrate that you've trawled
through every disk on every device." In essence, IT security teams
are key strategic players in the process of enterprise litigation
and the choices they make for the creation, storage, archiving and
destruction of information have significant effects on legal and
regulatory evidence handling.
In 2009, it seems probable that their skills will be more in
demand than ever. Redundancies are on the rise and the CBI has
reported a sharp rise in employment tribunal cases as a result. The
Competition Commission significantly increased its data disclosure
demands in 2008 and other regulators are likely to step up their
e-disclosure demands. Straitened financial circumstances could push
more employees in the direction of internal fraud
and there will be plenty of customers ready to seek compensation
from any organisation that they feel has wronged them. All these
factors point to an increased corporate need for e-discovery tools
and skills over the coming year. And what that means is that it is
vital for the IT security team to understand the core aspects of
e-discovery law and practice, especially where it involves data
availability, confidentiality and integrity - all critical security
objectives.