IT security professionals are scrambling to learn how the latest change in federal regulations governing electronic legal documents affects their jobs.
The rule change clarified what constitutes electronic evidence and required all parties to be able to quickly and consistently produce this evidence during trials.
Most legal and IT experts said that the new requirements will have a ripple effect on IT departments across the country, many of which would be hard-pressed to find specific e-mails or instant message logs on a tight court deadline.
"New federal rules could serve as an unanticipated wake-up call for many companies," said Jane Politz Brandt, attorney at Thompson & Knight. "These rules place tighter timeframes on the production of electronic information, but they also provide a rationale to look more closely at how corporate data is archived."
The federal rules governing e-discovery outline how electronic documents can be used as evidence. Though the courts have recognized electronic documents – such as e-mail – for over a decade now, procedural enforcement has been uneven, says John Patzakis, vice chairman and chief legal officer for Guidance Software.
"The way that e-discovery was addressed in the past is that a lawsuit would be filed, the discovery phase would go forward, and there was always a question of whether or not electronic information would be sought," he says. "Would the other side press it? Would the judge require it? It was a crapshoot. So parties would sit back and wait and if it did become an issue then they would scramble and usually rely on outside consultants to address the issue on a fire drill basis."
The changes that went into effect on Dec. 1 make parties document all electronically stored information (ESI) they have available. The new rules cover all forms of electronic communication records, including instant messaging, which has not always been discoverable, depending on the judge.
"Now parties, at the outset of the litigation, have to address the preservation of ESI, they have to execute litigation holds and collection and preservation efforts at the outset and be able to come into the first conference and identify where the relevant ESI is stored," said Patzakis. "What this means is that companies can't ignore this anymore and (they) have to put a process in place. In order to be able to understand where your data is, where your systems are and to be able to routinely and systematically execute preservation and override your routine deletion activities, you have to have a process. You can't be parachuting in consultants."
While it might not appear that security professionals should feel a significant impact from a legal issue, Patzakis said they may become important players in the e-discovery process.
"IT security professionals understand the whole concept of conducting investigations and collecting data and handling evidence as relates to the core forensics background that infosec has and that translates well to e-discovery," he said. "E-discovery is essentially a very broad based and streamlined forensics investigation. So IT security should play a critical role in the e-discovery process."
This can be a significant opportunity for IT security professionals looking for more visibility and clout, he said. But it also poses complications, says Mark Dye, vice president of business development for Vivisimo.
"From a security perspective, you have security betwixt and between two situations," he said. "You have to lock down that information, but on the other hand you have to make the information readily available so that it can be searched by the right people with the right permissions very quickly."
In one example relayed by Dye, an organization that had suffered several breaches as a result of stolen laptops implemented encryption technology to improve data security in the event of future mobile device losses. The organization is now embroiled in a lawsuit and is having a hard time accessing discoverable ESI on some systems, because the data is locked down and former users of these systems can't remember or won't divulge passwords for the encryption keys.
"So he lamented to me, 'I'm damned if I do, damned if I don't,'" Dye said. "I don't think there are any easy answers to this problem."
Whether good or bad for information security, it is clear the rule change will have a long-reaching ripple effect on organizations. Some say that those most likely to have eye-opening experiences are mid-sized organizations that may have little compliance experience.
"I think where this hits hardest is in the midrange companies, smaller companies that are busy running their businesses and just haven't had time to think about it and don't have the money to implement this," said Peter Shaw of Akonix.
In fact, because these rules affect even the least-regulated businesses, they may have more impact than past regulations.
Patzakis said: "This is something we see having a huge impact on organizations – much more so than the Sarbanes-Oxley (Act of 2002), even, because this is more focused on digital evidence."
Click here to email Ericka Chickowski.