Survival Strategies under New Court Rules for Electronic Evidence

Author: Jeffrey Ritter

April 2008

Summary
Information security professionals will increasingly be involved in the discovery, recovery, preservation and production of electronically stored information (ESI) as evidence in legal actions. New rules adopted in Federal and state courts, and similar procedures being employed by regulatory agencies, emphasize the role and importance of information security in assuring the integrity of electronic evidence.  

The New Rules
The most significant new rules are those set forth in the Federal Rules of Civil Procedure, for which amendments became effective in December 2006.  The rules apply to any civil litigation in any Federal court in the United States; however, most state courts have adopted similar rules during the last two years. 

The new rules integrate into the traditional practices for identifying and producing business records, called discovery, new procedures through which adverse parties can require the identification, review and production of electronic records. Collectively, the new rules and related business and legal practices are called e-discovery.

Many of the systems records created and maintained as part of information security management become potentially relevant evidence that companies must be prepared to identify and preserve for possible review by adverse counsel.  

Information security management will often be either the custodian of ESI requiring preservation as part of a records hold process, or have management involvement in the systems operations, archives, and backup facilities in which the primary ESI assets may be maintained.  Information security must be closely involved in defining how, and ensuring that, a company’s records hold process is turned on following a trigger event in order to better assure a company’s full compliance with the legal preservation duty, or chain of custody.

Information security management practices that permit the overwriting, disposition, or deletion of systems and operating data that may be potential ESI should be documented and be defensible as part of the overall information management processes of the organization.  Similarly, the ability to suspend or alter those practices, when required by a records hold process, should be designed, implemented, and tested for its reliability.

Information security professionals can expect to be involved in many cases, either as the primary e-discovery liaison or an important secondary actor. Preparations, in advance of any specific lawsuit or discovery action, are required to have an orderly process established and also discuss how information security practices will be described in any litigation or disclosures to adverse parties (or regulatory authorities). Indeed, an essential key for good security—non-disclosure of the actual security controls employed—can be in conflict with the legal system’s expectation for disclosure of relevant systems information.

Survival Strategies
Here are five recommended survival strategies for how information security professionals can better position themselves in support of their company’s e-discovery needs and improve the value of information security to the overall management of the enterprise’s legal and compliance risks.   

Start a Dialogue—Information security professionals should reach out to their legal department and start a dialogue regarding the impact of the new Federal rules and the potential role(s) information security services can perform in support of the company.

Demonstrate “routine, good faith operation”—Ideally, information security and records management are working more closely than ever.  Any disposition, overwriting, deletion, or similar activities that could be viewed in hindsight as the purposeful destruction of ESI should be well-documented and managed.  

Prepare to Hold—Rules and procedures for the suspension of existing records disposition activities are difficult to craft and execute, for example, suspending auto-delete functions within e-mail servers.

Protect the Lawyers—Both in-house counsel and outside law firms frequently overlook the need for implementing information security mechanisms in their own communications, particularly for the law firm’s custody and management of a company’s ESI (which, by virtue of the nature of a dispute, could be very sensitive information).  Information security can deliver a great deal of proactive help to assure that law firms employ information security controls no less demanding than other third
party custodians of sensitive corporate information.   

Conclusion and next steps
Over 97% of all business information is created in electronic form. Establishing the truth of the matter will now virtually always involve the discovery and use of ESI.   It will, however, be insufficient to just locate and produce the records; demonstrating the integrity and reliability of a company’s information will be essential to demonstrating the admissibility and trustworthiness of that information as evidence. The new e-discovery rules confirm that information security is now an essential service in the management of enterprise legal risk. Acting on the insights and strategies presented in this note will empower information security professional to demonstrate added value for information security to their organization