The terms "custody" and "control" should be very familiar to cyber-security stakeholders. We are, after all, concerned with internal security issues pertaining to role, access and location management as well as identity management. Note that data location means real or virtual, for those cloud type schema. It's well understood that data can't be protected unless we know what we want to protect, where it is, and where to find it. If we can agree that these functions are considered part and parcel of a CSO/CISO's responsibilties, we can also expect that the role of the CSO/CISO will be expanded in two areas: First, s/he will be required to divulge the means of classification, location, types of access control, and perhaps even testify as to data custodial and locational issues both prior to and during litigation. Second, this also means that a CSO/CISO should take preventive steps to reduce the custodial, management and locationa risks well in advance of any potential lawsuit.
So, what does "custody or control" mean? A simple answer might be any computing equipment that is "obtainable" by the party required to produce...Consider the following decision in Allcare Dental Management, LLC v. Zrinyi, 2008 WL 4649131 (D.Idaho 2008) in which a Court orders production to a forensics expert of both work and home computers. The Court addresses the scope of a discovery request "custody and control language and held that custody or control expressly included those computing equipment regardless of geographic location:
"Defendants Zrinyi and Greene are further ordered to make available to Plaintiffs' designated computer forensics expert any and all computers and portable or detachable hard-drives in Defendants' possession, custody, or control and used by Defendants since August 24, 2008, including but not limited to any computer or portable or detachable hard drive in their homes or place of business. Defendants shall make available all of the computer equipment described above, at their places of business or residences, to Plaintiffs' designated computer forensics expert immediately upon being served with a copy of this Memorandum Decision and Order."
We need no real stretch of the imagination to expect that well informed counsel will have little problem extending the notion of "geographic" location to include the virtual locations.