eDiscovery - An Enterprise Issue That Can't be Ignored
4.5.2017 securityweek Privacy
eDiscovery for Enterprises
eDiscovery is a concept born from litigation. It describes the need to find and retain electronic data that might be required in litigation ― whether for the plaintiff, the defendant or a third party. In recent years, eDiscovery has become considerably more complex. Business is increasingly litigious; legal obligations such as freedom of information (FoIA) laws and Europe’s General Data Protection Regulation (GDPR) are generating new demands; and the sheer volume and diversity of corporate electronically stored information (ESI) is expanding dramatically.
E-discovery Requirements
For Litigation
In its original sense, eDiscovery is the process of fulfilling the legal requirement to locate and present documents pertinent to a legal case; that is, litigation support. It goes beyond simple discovery to include the concept of ‘litigation hold’; that is, the safe preservation of such documents.
The need to do this is growing. A recent paper compiled by Osterman Research questioned nearly 150 decision makers from medium and large companies in North America ― and found that 60% of the respondents were somewhat or very worried that their organizations would be sued. The research also indicated that 75% of the organizations had received an average of 12 requests during the past 12 months.
The primary source of litigation obligation in the US comes from the 1938 Federal Rules of Civil Procedure. This was updated in 2006, and again in 2015. It now places greater focus on the preservation of ESI, and makes the failure to produce required documents potentially more expensive. There is effectively no source of ESI that is exempt, whether that is in the cloud, on social media, or stored on employees’ personal devices.
“In short,” notes Osterman, “any electronic information that contains a business record, regardless of the tool that was used to create it or the venue in which it is stored, will potentially be subject to eDiscovery. The amendments to the FRCP in 2006 and 2015 have, for all intents and purposes, made anything from any source potentially subject to eDiscovery.”
For FoIA
While litigation eDiscovery is governed by the Federal Rules, FoIA requests are governed directly by the Freedom of Information Act. The FoIA establishes a statutory right of public access to Executive Branch information in the federal government.
In litigation, only those parties involved can demand eDiscovery, and can only demand eDiscovery of litigation-pertinent ESI. FoIA requests, however, can be from anyone for anything, and there are no relevancy requirements. So, while FoIA targets may be fewer (limited to government), the source of requests is much greater and can include just about anything.
For GDPR
GDPR is a new type of eDiscovery driver that applies only to companies operating in, or with operations in (such as trading with) the European Union. It includes facets of both litigation discovery and FoIA discovery. Like FoIA, it does not require litigation, but it does require relevancy (that is, a customer or customer’s representative).
GDPR is a user-centric privacy law. It gives users greater control over how their personal information is used by commerce; with potentially huge sanctions on companies that break the law. Two example requirements will demonstrate the need for efficient eDiscovery: the so-called right-to-be-forgotten; and the requirement for unambiguous and revocable informed consent from the user to the company collecting and using personal data.
The only way an organization can comply with either is if it can ‘discover’ all instances of personal data that it needs to forget (remove), and can prove that it has removed those records. Similarly, to demonstrate that it has revoked consent, it will need a record of the initial consent that is now revoked.
The Scope of the Difficulty
“eDiscovery is a term that seems simple in conversation ― but no one is truly ready for what it really means,” warns Drew Koenig, security solutions architect at Magenic. “Off the record, I’ve seen a 200% increase in the last 3 years with Lit Holds and eDiscovery involved cases,” commented a CISO who did not wish to be named.
There are two primary categories to the eDiscovery problem: data and organization. The data issue comprises volume, variety of data types, and physical location of that data. The organization problem is one of ownership. Who owns responsibility for eDiscovery?
Volume
The sheer volume of ESI stored by corporations is staggering. Without specific procedures able to find relevant documents, the time and cost involved would be enormous. Part of the volume problem is data classification ― the need to know what data might be relevant.
Variety
eDiscovery draws no distinction over how data is stored. It could be in structured databases and spreadsheets, or unstructured email, voicemail, documents, presentations or CRM data. It simply needs to be stored.
Location
eDiscovery draws no distinction over where data is stored. It could be on in-house servers, in the cloud, on employees’ personal devices, on websites or in social media accounts ― or with a service provider.
Responsibility
eDiscovery involves multiple departments. IT is responsible for the infrastructure that holds ESI; Security is responsible for protecting it; Compliance is involved through regulations such as GDPR; and Legal is responsible for litigation aspects of discovery. With no single owner to take responsibility of eDiscovery, the danger is that no-one does.
The combination and interaction of these difficulties is a huge problem for many organizations. “Depending on legal requirements a business may have to reach out into social networks, personal home computers (BYOD), cloud services, IoT/mobile devices in addition to corporate assets,” warns Koenig.
“The ever-changing data flows makes a consistent model and applying control sets near impossible. The infrastructure to store and process is usually under-estimated. Most clients, in my experience, begin but collapse under the immense weight of data they realize they truly have. There is a growing compliance need for this, but no security tool will tell you how to be secure or how to classify data. That's up to the business to solve, then find the tools to solve them. eDiscovery is another example that security is a business problem not a technology problem. Without business security processes around data classification and use, no tool will help you fully.”
Solutions in Practice
Despite these difficulties, eDiscovery is a legal requirement that cannot be shirked. Adequate preparation is the key, so that when a discovery request or right-to-be-forgotten demand is made, it can be actioned efficiently.
“Lack of preparation for eDiscovery can expose a business to serious legal and financial risks if the organization can’t find the complete set of information requested,” warns Mike Pagani, chief evangelist at Smarsh, a provider of cloud-based information archiving solutions. “If the information wasn’t retained in an organized way for easy retrieval, or if it was altered in any significant way, that creates significant eDiscovery problems.”
The first task is that of ownership; and there is no single solution. Much will depend on the type and size of the organization.
For Samsung Research America, eDiscovery is owned by Security. Steve Lentz, CSO, explains. “Security is responsible here for anything to do with security, including eDiscovery. We work with the relevant departments, such as IT, Legal, HR, Lab, etc, to gather the data… Bottom line,” he adds, “is that you need to communicate and collaborate with the responsible departments.”
This is a good working model ― effectively a committee of relevant department heads that meets regularly, but with a specific chairman. In this organization, it is Security; in others that might be subject to a high rate of litigation, it could be Legal.
“The answer to the question,” suggests Brian Kelly, chief information security leader at Quinnipiac University, “like many legal questions, is ‘it depends’. The size of the organization is the key. In my role, I see the Information Security function as a ‘support agency’ to both Legal and Compliance (depending on the case being investigated). While I was at a health insurance company, it was part of Internal Audit. Ultimately, I think it’s a combination that works best with Legal directing and Information Security or IT completing tasks.”
The very largest corporations may require something different. “There was a prediction made not long ago,” says Martin Zinaich, information security officer at the city of Tampa, “that a new position would start to appear in larger organizations ― Chief Information Governance Officer ― a combination of Information Security and Governance. If that ever does happen, eDiscovery will have found its home.”
Technology
The volume of ESI, the diversity of data types, and its physical distribution combine to create a problem that for most companies can only be solved by technology. “eDiscovery systems are plentiful, from cloud hosted to on-site,” says Zinaich ― but choice is important. “The reality is most of the cloud based system are more record processing. They help identify, preserve, collect, review and process. The real trick is making sure everything relevant is in the eDiscovery system. On-site packages often tackle the collection of data from disparate systems and the processing of that data.”
Pagani believes the solution is in the cloud. “Modern comprehensive archiving technology can enable eDiscovery for blog posts, social media feeds, instant messages, text messages and much more, all in one platform,” he claims. The single platform is important to avoid multiple separate silos of discoverable EIS. “Furthermore,” he adds, “comprehensive archiving platforms that retain non-email electronic communications in their native, proper context (e.g. a Tweet as a Tweet and not an email representation of a Tweet) should be implemented to prevent material alteration of messages.”
The cloud becomes important, he suggests, “because it offers the scalability needed to keep up with the rapidly expanding volume of information created each day.” But technology alone is not enough ― especially where eDiscovery is based on separate silos of archived EIS.
Manual Processes
“From a pure legal standpoint,” comments Zinaich, “it is advantageous to keep records only as long as they are relevant or legally required. Yet, often that determination is based on the type of data.” An email archive, he explains, “is likely holding spam, solicitations, birthday announcements and other transitory data. Unless each email is categorized, the IT department is stuck with keeping everything, and they are not sure how long they have to keep everything.”
“Keeping track of where everything is, or could be, is daunting. In most cases email is the primary ‘place’ for evidence,” says Kelly. “Microsoft has some great Lit Hold and eDiscovery tools built in to Exchange and Office 365 (email, OneDrive, SharePoint). Collecting and searching can be done through automation and there is a host of vendors and tools out there.” But, he warns, “Making sense of the results is still a manual process that either staff lawyers, legal assistants or IT workers at counsel have the unenviable job of sifting through.”
“Another challenge is redaction,” adds Zinaich. “When information is gathered from all points, it has to be reviewed and appropriately redacted to keep security information, investigation information, intellectual property and other exempt data safe. While there are systems that help with a bit of AI, it is largely a very costly manual process.”
eDiscovery going Forward
eDiscovery is already a complex issue, involving multiple departments and a mix of business and technology processes. It is going to get worse. Both business and society are increasingly litigious; regulations such as the FoIA and GDPR are likely to increase; and both the volume and location of EIS are expanding.
There is one other emerging area that will make matters worse: the internet of things (IoT). It is already here in some areas, and will emerge in others. Consider a company connected car. If it is involved in an accident, access to the vehicle’s logs will be required either to make or defend a claim.
But it goes further, and even beyond business. “The IoT will move eDiscovery from the Boardroom to the Livingroom,” warns Kelly. “Every divorce lawyer will be looking for logs from NEST thermostats, webcams and maybe even the refrigerator.” Much of that could just as easily apply to the office.