As a business owner, you may be concerned about the recent media attention given to the new federal rules regarding electronically stored information that went into effect December 1. It can be confusing and even a little scary trying to figure out what you need to do to protect your business and still play by the rules.
I am not an attorney, so none of what I am about to tell you should be considered as legal advice. However, as a security professional with over 13 years of experience in the industry, I recently attended a meeting of the Chief Information Security Officers (CISO) Executive Forum in Washington, D.C., where a group of senior security executives, a subset of the Information System Security Association (ISSA) members, meets quarterly to discuss current trends and challenges related to information security. The topic for the session was "Emerging Trends in Information Security and the Law: Plausible Deniability is Dead," and it was co-sponsored by the Georgetown University Law School. Our topic was a timely one, since both the national news and our local papers have published articles about the new federal rules on electronically stored information I mentioned earlier. In this article, I'll summarize some of the key points that were discussed, since many of these issues are significant whether you are a Fortune 1000 enterprise or a small privately held company. Of course, being Washington D.C., there was also discussion about what the impact of the results of the recent election might be, as it relates to information security, and I'll share a summary of that as well.
Much of the discussion revolved around two current challenges that cross the boundaries between legal issues and information security issues: electronic document discovery (e-discovery) and electronic document retention. These areas are important to companies that are in litigation (or that may be, or anticipate being, in litigation), or that have to comply with Sarbanes-Oxley or other similar statutory or regulatory requirements.
Electronic discovery
The discovery of electronic information and documents is becoming the centerpiece of every litigation as more and more corporate and personal information and documents are stored electronically, and in some cases are only stored electronically. When litigation is reasonably anticipated, the courts now expect that the parties will take steps to prevent the destruction of relevant information and documents and to ensure that newly created relevant documents are preserved for disclosure in the litigation. This means that things like automatic e-mail destruction or rotation of backup tapes (overwriting the previous information) must stop if those systems could contain pertinent information.
The failure to preserve, locate, and disclose relevant electronically stored information properly can lead to catastrophic results. Two highly publicized orders against major corporations include:
An order against a national brokerage firm that led to a directed verdict on liability issues, and eventually a verdict for $1.58 billion.
Another order that assessed $2.5 million in civil litigation sanctions against a major tobacco company and precluded it from calling 11 witnesses in the current federal tobacco trial.
Obviously, this is a growing area of concern to information security professionals, who are typically the ones who will be called upon to testify to the existence (or lack thereof) of measures to preserve and protect information, and how that information was protected from loss, damage, or alteration throughout its life.
What can you do?
There are some things that an organization must be able to do if it is ever required to produce electronic information, whether because of litigation or because of regulatory requirements. First, you need to be able to identify information that is critical to the litigation or regulatory compliance issues. This will most likely require the assistance of your inside or outside legal counsel.
Second, you need to locate where the information is kept and processed in the myriad electronic storage and information processing systems. Here, you'll need expertise from both the business and the information technology groups.
Third, you need to be able to retrieve the information in an acceptable manner. Under the new federal rules, parties have the right to request documents in their 'native' format, with all metadata preserved. Metadata, which describes other data, is usually embedded in electronic documents. Metadata can include information such as when and by whom a document was last modified and prior drafts of a document, enabling people to see all edits. Understanding metadata is crucial to this process.
Finally, you must be able to preserve the relevant information by developing litigation hold notices and processes to be used by your organization. You must be able to review the collected information and documents to determine what parts are relevant and responsive. You must be able to sort out any privileged information, maintaining the proper logs to comply with applicable law, and you must then be able to produce the relevant and responsive information to the opposition. You will want to accomplish all of this in the most cost-effective manner in order to keep down what can be astronomical costs.
Electronic document retention
It has been more than three years since Sarbanes-Oxley took effect, and still many businesses struggle with compliance issues. As a result of some of the new government regulations, publicly traded companies are required to closely monitor electronic and paper document retention. Blindly destroying e-mails, electronic documents and backup tapes could put a company at risk of facing sanctions. With at least 92 percent of all business information being generated in digital form and the total number of electronic records produced expected to double every 60 minutes over a 10-year period, it is easy to see how important a proactive electronic record retention plan is to your business.
Records retention best practices
A proactive document retention process can assist in protecting your company during the e-discovery or regulatory examination process. Some risks that an electronic document retention process can guard against include:
Spoliation risk: dismissal or default sanctions, fines or evidence preclusion for loss or destruction of evidence.
Cost of retrieval risk: astronomical costs associated with e-discovery fishing expeditions.
Inability to defend risk: inability to properly defend a claim due to loss of critical evidence.
An effective document retention process includes a policy that sets retention schedules for electronic communications and other electronic documents and that complies with statutory and regulatory requirements and current reported case law. It must also allow for your company's unique needs, culture, business processes, and IT environment.
The document retention process should also have an implementation, compliance, and audit or review plan, and be included in employee training. The process should also include a procedure for establishing litigation holds on information (so that it is secured against scheduled destruction), a process for responding to litigants' discovery requests, and a uniform indexing and document naming system.
Impact of the power shift on information security
The impact of the results of the recent elections on regulatory compliance and governance was also a significant topic of discussion at the conference. I'll summarize the outlook expressed by the keynote speaker, Richard A. Clark, as it reflects a consensus of what I heard from other speakers and attendees.
The first point is that the earlier indications that the Sarbanes-Oxley Act would be somewhat watered down are not likely to be borne out now. There will likely be a shift in focus from corporate protection to consumer protection, a view that was echoed by Joel Winston, who is associate director of the Division of Financial Practices in the Federal Trade Commission.
Regarding legislation, bills now in process that would water down state laws on consumer protection are not likely to pass, and there is a good chance that legislation will be proposed to standardize the patchwork of consumer-protection requirements related to the protection of personal information. Congress has paid little serious attention to cybersecurity, and that is likely to change, as it has become a high-visibility concern.
2007 is destined to bring a great many changes to the information security field, and the better prepared you are, the safer you, your employees and your customers' information will be.
Andrew J. Brinkhorst, CISM, is security solutions director, Systems Design Group, Inc. of Lexington, www.sdgky.com.