tadamichi - Fotolia

Three vital e-discovery security issues

It is time the UK's information security professionals got to grips with the role they play in e-discovery projects, the process of locating and providing current and stored electronic records for regulatory compliance and civil or criminal litigation.

It is time the UK's information security professionals got to grips with the role they play in e-discovery projects, the process of locating and providing current and stored electronic records for regulatory compliance and civil or criminal litigation.

That's the message from Mike Lynch, CEO of search company Autonomy. Right now, he says, only a small minority are up to speed, typically those who work for organisations in highly litigious industries (such as pharmaceuticals and financial services) or at companies with operations in the US, where they are subject to that nation's stringent Federal Rules of Civil Procedure (FRCP). But the majority of security professionals still have much to learn about e-discovery, according to Lynch.

  1. Lack of awareness
  2. Secure as standard
  3. Legal ramifications


Lack of awareness

"I see a wide lack of awareness among IT security staff that e-discovery needs to be a factor in every architectural decision they make. The problem, as I see it, is that much of what defines an e-discovery project - making vast amounts of information available at speed - would appear to fly in the face of what information security professionals are trying to achieve on a day-to-day basis; that is, keeping information safely locked away."

As a market leader in the e-discovery tools space, Autonomy has a clear commercial impetus for alerting as wide a community as possible to the importance of e-discovery preparations. But even more impartial industry watchers echo Lynch's view that any e-discovery implementation has major implications for the IT security team.

Fran Howarth, an analyst with IT market research company Quocirca, says: "Electronic information can easily be altered or even deleted if the proper security controls have not been put in place. What is needed [for e-discovery] is a highly secure, comprehensive information management system to ensure all data is produced and stored securely and is easy to retrieve through enterprise search capabilities."

Secure as standard

Without appropriate security controls in place, she points out, companies may struggle to convince the courts the information they produce in response to a litigation request is admissable as evidence. With that in mind, the British Standards Institute (BSI) published the BS10008 standard in December 2008. This sets out requirements for the implementation and operation of electronic information management systems and aims to ensure any electronic information required as evidence of a business transaction is afforded "maximum evidential weight".

As such, many of the requirements focus on security issues: the secure storage and transfer of information, with particular focus on its authenticity and integrity; and its secure access, including the use of identity management systems and electronic signatures. All this should be familiar territory to the skilled information security professional, whether or not they have yet scrutinised BS10008. Preparations aside, information security professionals also have a major role to play when a disclosure demand prompts an e-discovery exercise within their organisation, says Alessandro Moretti, a member of the European Advisory Board at security industry body (ISC)2 and executive director of IT security risk management at UBS Investment Bank.


Legal ramifications

"E-discovery requires a suitably qualified IT security professional to assist in defining the search criteria. Only appropriate and relevant information should be included in the search and the capture process has to be strictly controlled, according to digital forensic procedures," he says. Once evidence is captured, he adds, access has to be restricted to the e-discovery team and, where it includes personal information, data protection laws must be observed. "A non-qualified professional could make many mistakes in this process, contaminate evidence and potentially break data protection laws," he says.

It is vital, too, that mobile devices, from smartphones to laptops, are not left out. "The rules, as they apply in the UK, are quite clear: if it is relevant to the case, it must be disclosed," says Lynch of Autonomy. "Your best endeavours will not be considered sufficient if you can't demonstrate that you've trawled through every disk on every device." In essence, IT security teams are key strategic players in the process of enterprise litigation and the choices they make for the creation, storage, archiving and destruction of information have significant effects on legal and regulatory evidence handling.

In 2009, it seems probable that their skills will be more in demand than ever. Redundancies are on the rise and the CBI has reported a sharp rise in employment tribunal cases as a result. The Competition Commission significantly increased its data disclosure demands in 2008 and other regulators are likely to step up their e-disclosure demands. Straitened financial circumstances could push more employees in the direction of internal fraud and there will be plenty of customers ready to seek compensation from any organisation that they feel has wronged them. All these factors point to an increased corporate need for e-discovery tools and skills over the coming year. And what that means is that it is vital for the IT security team to understand the core aspects of e-discovery law and practice, especially where it involves data availability, confidentiality and integrity - all critical security objectives.


Image: Rex Features

Read more on IT legislation and regulation