Think Tank: Are businesses ready to meet the requirements of e-discovery regulations?

To what extent is e-discovery understood and accommodated by IT and the business?

Until the law is clear firms need to be ready to discover all potentially relevant information

Alessandro Moretti, co-chair European Advisory Board, (ISC)2

For the past few years, businesses have been implementing strategies for running e-discovery solutions under the management of internal departments. This year there remains a heavy reliance on external experts who command hefty fees - a situation that will probably prevail for some time.

The concept of e-discovery is understood; we are seeing increasing numbers of tools becoming available to manage it, but the processes are immature, if present at all.

Part of the challenge lies in the fact that there is no one standard of practice that is accepted as defensible in court. With e-discovery largely about satisfying a request from a legal source in respect of an active legal or litigation case, the processes deployed to produce all of the data that was requested must be good enough to stand up in court. This involves assessing both the processes themselves and those who certified them as being adequate.

More often than not a company will only discover that they should have made such an assessment at the last hurdle, when a case is thrown out of court.

Companies are taking two technical approaches: either to maintain a central repository of all data in the company and perform a query on this repository, or to use criteria and key words determined by the legal team to do a selective discovery across the company.

In the end, they must defend the position that all of the relevant data sources were queried, and that the data inventory was accurate and representative of the discovery request.

To manage it internally, companies usually refer the queries to the forensics team if they have one, but processes are often poorly defined.

Generally, the tendency is to over-collect data and then use external consultants to make the query, which has the advantage of the consultant pre-challenging the collection and methodology before any evidence is presented in court. There is, however, a real risk of external consultants being overwhelmed by the over-collection of data, or the discovery request never ending and being successfully challenged in court. It seems there are no sureties where legal matters are concerned.

IT professionals need to be familiar with the legal requirements

John Bace, research vice-president, Gartner

Too many IT industry stakeholders - technology providers, investors, enterprise buyers and end users - fail to recognise that the e-discovery market is very different from other areas of technology, with unique business drivers and stakeholder demands. Failure to recognise these differences can result in unacceptable risk and expense for organisations.

For more than half a century technology has been advancing at the steady pace defined by Moore's Law and its Gilder and Metcalfe corollaries. Information technology becomes more powerful, costs less and is more widely deployed, all to a predictable timetable.

Once manual processes are automated, and information and most communications are digitised, the business justification for many IT projects becomes, "We can do this," rather than "We need to do this." The result - especially once the rapidly increasing capacity and equally rapidly decreasing cost of storage are factored in - is that many enterprises' information governance strategies essentially mean keeping everything, and keeping it forever. This is almost always a mistake.

IT and the business need to keep in mind three unique characteristics of the e-discovery marketplace.

First, the legal profession is slow - agonisingly slow - to adopt new technology. Take the US legal system as an example, although many of the points translate to other localities: in the United States, discovery is governed by the Federal Rules of Civil Procedure, written in the 1930s and amended only three times since then to consider the impact of technology in evidentiary discovery. Before the latest amendments went into effect on 1 December 2006, some lawyers were actually still arguing that a document or a record didn't exist unless it could be held in someone's hand.

Second, lawyers' priorities are very different from those of IT professionals. The IT professional designs and builds projects within traditional business frameworks and metrics, aligning business and IT goals to increase revenue, reduce cost, speed up processes and increase competitiveness. The legal professional's role is not so clearly defined. Lawyers' responsibilities run the gamut from complying with legal and regulatory requirements to avoiding unnecessary litigation to protecting intellectual property, and more. Meeting those responsibilities is no simple matter. One indicator: Black's Law Dictionary, the authoritative source of legal terminology in the US, takes nearly two thousand pages to define more than 43,000 terms and concepts.

Finally, the rules that govern e-discovery are subject to interpretation, modification and evolution based upon case law - that's what lawyers are for, after all. This means the e-discovery market is driven - and should be driven - not so much by Moore's Law as by highly changeable judicial fiat. Today's best-practice for responding to a civil litigation matter may be totally inappropriate in tomorrow's interrogatory for an intellectual property issue.

The key to understanding and accommodating e-discovery within the organisation is for IT professionals to become familiar and comfortable with basic legal concepts. Legal professionals also need to have a basic understanding of the technological infrastructure and its complexity, but that's likely to take a lot longer.

Crucially, senior management inside organisations must monitor and mediate between the two sets of stakeholders. There are few, if any, absolutes in e-discovery, and management must be prepared to help with tough decisions about potential risks and rewards.

Some UK regulations have already moved firms in the right direction

Ollie Ross, head of research, Corporate IT Forum

Differences in culture might be one of the reasons behind UK corporates' seemingly lower priority allocation to e-discovery compared to the US. But that's not to say there is any less awareness or comprehension. Indeed the new government's plans to extend the scope of the Freedom of Information Act - and the implications this may have for both the public and private sectors - will have been carefully noted.

What stands out in terms of most large organisations today is that lessons of the past are well and truly learned; practical experience, the application of maturity to technology and systems selection, and careful investment have led to increasingly fewer knee-jerk reactions to the emergence of newer e-risks and issues.

Most Corporate IT Forum members are aligning themselves with ISO/IEC 27001/2 and, in line with ongoing revisions, would expect to address the challenge of e-discovery during the process, if not already taken into account in a business-wide approach to information security and management.

Beware the potential marketing hype to sell you e-discovery tools

Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information security consultancy Trusted Management

Pondering on the value of 42, the meaning of life, the universe and everything, I alighted on the supplemental question of how you find information in companies' (computer) networks.

The answer is, "With difficulty", but how many companies would even know that they need to be able to find specific information quickly and why? The answer in many instances is, "Not many." Legal and regulatory are the reasons behind needing that capability to find specific information quickly, and these days it reaches out further than just e-mails.

But of course it could just be that e-discovery and e-discovery tools are the new marketing hype to sell us things that we don't need, or rather won't need if our companies' internal governance is up to scratch.

US penalties will spark a hike in demand for sound e-discovery policies and tools

Raj Samani, vice-president for communications, ISSA UK

Nothing focuses business more than enormous financial penalties or significant adverse publicity. In 2005, there were two legal cases that arguably put e-discovery into the spotlight of big business. A former UBS AG equities trader won $29m (£19.9m) when a judge ruled that UBS failed to present missing e-mails. This was followed by a $1.6bn award against Morgan Stanley, also accused of failing to turn over digital evidence.

Even recession has failed to dampen demand, with Gartner reporting an estimated 23% increase from 2009 for e-discovery software, meaning the market should surpass $1.2bn this year. This upward trend is understandable, with a reported 90% of US corporations involved in some form of litigation, and the average company bigger than $1bn wrestling with 147 lawsuits.

The recent BP oil spill, for example, has more than 100 lawsuits filed against it and other companies responsible for the spill. Such action is likely to require BP to provide "massive amounts of data, perhaps more than any other case in US litigation history" according to Tom O'Conner of the Gulf Coast Legal Technology Center.

This example clearly demonstrates the need for governance regimes that support the e-discovery process, so in the event of major litigation the business can provide the data in a cost-effective manner. Although such high-profile cases may draw attention to e-discovery, the practical application of being ready is rarely implemented. A 2009 survey of 431 IT managers by Kroll OnTrack found that while most UK companies (80%) have a document retention policy, only 41% of those policies are specific to ESI (electronically stored information) disclosure readiness. Furthermore, 30% did not know whether they had an ESI disclosure readiness strategy.

The severe financial penalties for US companies failing to produce data have driven the demand for e-discovery services and software. For example, 90% of the demand for e-discovery software has been driven from the US. The perceived lack of penalties in the EU is likely to contribute to the lack of UK businesses having a state of ESI readiness. However, much like the US example, it may just be worthwhile being ready before your business is attributed with kick-starting the e-discovery market in Europe.

Take a lesson from the US 'gold standard' for e-discovery

Grega Vrhovec, research associate, Information Security Forum

Some time has passed since legal discovery meant teams of lawyers rifling through filing cabinets. E-discovery is now part of the day-to-day legal process.

Organisations have also got their heads around the concept of e-discovery and learnt the difficulties of being able to disclose all legally relevant electronically-stored information in short time-scales. Basic principles to provision e-discovery are now commonly built into policies and procedures of most medium and large enterprises. The extent to which organisations have accommodated e-discovery will, however, largely depend on a number of conditions, such as jurisdiction(s) in which the organisation operates; types of regulated data stored or processed by the organisation; the support of senior management; or the industry sector.

Driven by the requirements of their legal systems, organisations operating in North America often represent the 'gold standard' in e-discovery. For example, even multi-function printers are sometimes considered in scope of e-discovery, and the costs associated with such an e-discovery exercise can quickly accelerate. Nevertheless, getting it wrong may mean a defeat in court and is a compelling argument to create and implement appropriate procedures before the discovery order lands on the desk.

Are you worried whether your organisation is ready to tackle e-discovery?

Policy, procedures and information systems are the place to start. These should be designed with the aim of preserving evidential weight of all electronically stored information. Furthermore it is vital that one is able to demonstrate information systems comply with these policies, especially in relation to retention or destruction of electronically stored information.

It is also considered good practice to have a team of e-discovery experts readily available either internally or on a contractual basis. Starting the work too late is perceived as one of the most common pitfalls - looking through the volume of all stored information is time-consuming (eg missed deadlines) and some information could already be lost (eg due to housekeeping processes).

Most of all, be sure to seek legal advice for every jurisdiction in which you store or process your electronically stored information (including your third parties) before an e-discovery request comes knocking on your door.

The ISF published a briefing paper on Electronic Evidence in 2008.

Businesses need to use e-discovery technology to save time and money meeting regulatory requirements

Kevin Wharram, member of ISACA Security Advisory Group

Many of us would have seen an episode of the TV series House, where Dr Gregory House, in one of his diagnostics sessions, says, "Send the patient for an MRI scan."

The MRI was invented in the late 1970s and totally changed the way doctors performed surgery. Before MRI, doctors had to do investigative surgery to determine whether there was an internal problem, which was costly and detrimental to the patient. MRI allowed doctors to see a visual representation of the body before surgery.

A business is not dissimilar to the human body. It has vital parts which are not immune to failure and other problems. In the case of a business, more often than not it will be involved in a regulatory investigation, litigation or compliance request which will involve the supplying of Electronically Stored Information (ESI) to other parties.

Most of the ESI information that is generally requested could be in the form of e-mails, documents, spreadsheets, audio files, etc and is often dispersed across computers, file systems, databases, e-mails, backups, etc. Trying to locate that information in a legal or compliance request could be like a surgeon in the days before the MRI.

With the hefty fines, internal costs and negative publicity of failing to retrieve ESI information when requested to do so, increasing numbers of organisations have turned to e-discovery or e-disclosure (as it's known in the UK), which refers to the retrieval of ESI information originating from computers, file systems, databases, e-mail, backups, etc.

However, a recent survey commissioned by Recommind showed that UK firms are still not ready for e-disclosure, which suggests they don't understand the benefits.

So why has e-discovery, the US equivalent, taken off? Is it because the US is litigation-happy or because of the Federal Rules of Civil Procedure (FRCP) amendment, which took effect on 1 December 2006 and required US organisations to preserve, collect and produce "electronically stored information" that is potentially relevant to a litigation?

How do UK companies deal with Subject Access Requests (SARs), which are a legal obligation under the Data Protection Act 1998? Surely, it's a burden on an organisation to search and retrieve information it holds on individuals. The cost to an individual seeking an SAR is £10, but it costs a company far more in manpower and hours searching for the data.

What about Data Retention laws, where companies are required by law to delete information after a certain period of time? Or when the information is no longer deemed necessary, how do organisations find the information and delete it? Then there is the issue of personal data being in locations where it should not be; how do you know where that data is?

Maybe we should change the term from e-disclosure to e-seacovery (search and recovery), which is probably a term most business people would understand. Because, clearly, the technology behind e-discovery/e-disclosure is useful, but not fully understood.

Rather like the doctors today having the use of MRI scans, businesses should use the technology behind e-discovery/e-disclosure to save time, money and manpower in retrieving the information, whether this information is requested in compliance, litigation or even to discover where personal data is within the organisation.