Legal risk arising from electronic discovery is perhaps the most significant emerging enterprise information risk, but it also gives the CSO/CISO a unique opportunity to increase his or her strategic contribution to the enterprise. In everyday civil (and criminal) litigation and in regulatory investigations and proceedings, electronic discovery ("eDiscovery") is the fastest-emerging new risk on the horizon.
But wait. Let's back up a moment and define "discovery." The short definition, from a litigation perspective: discovery is the process, occurring during a legal or regulatory proceeding or inquest, by which relevant evidence, or information that might lead to relevant evidence, is identified, collected, requested, and produced to a requesting party (including a Court) in that proceeding. So long as the requests are relevant to the proceeding, they may be made (or "propounded") to an adversary. With some limited exceptions, and conditions on those exceptions that we'll discuss later, production is mandatory; failing to search for and produce relevant requested evidence, or destroying or withholding it, can carry severe monetary and even criminal penalties. In the Federal Court system there is even an affirmative obligation to disclose certain categories of evidence before the opposing party requests them. Electronic discovery (or "eDiscovery," for those seeking to escape carpal tunnel syndrome) is the subset of discovery that deals with what is termed "Electronically Stored Information," or "ESI." In sum, if information is computer generated, it may be considered ESI and be subject to an eDiscovery request.
Today, most information involved in legal discovery is, and will be, generated electronically. Consequently, information offered as evidence will be in digital form, and is referred to generally as Electronically Stored Information (ESI). The onset (and onslaught) of ESI creates many new challenges and risks for the enterprise as a whole and for the legal department in particular. From the perspective of Information Security within the context of the Information Life Cycle, however, these new risks are simply another category of operational risk (in this case, legal risk), to be managed with the same policies and controls as any other.
The CSO/CISO has, and will increasingly have, an important strategic and tactical role to play in planning, executing and supporting legal discovery and in mitigating some specific eDiscovery-related risks. This series of posts will discuss some of the steps a CISO can take to strengthen that role. What can a CSO/CISO contribute to this process? Helping other enterprise stakeholders (including legal) develop a greater IS-centric understanding of:
The search and accessibility challenges of protected information in a highly distributed environment, including information held on mobile endpoint devices such as laptops and PDAs, and on devices under the control of external parties;
The contractual and regulatory obligations (confidentiality, privacy, data protection) that must continue to be met while protected information is produced to external parties and opposing counsel;
Methods of establishing the authenticity and integrity of ESI offered as evidence, a precondition to its admissibility in legal proceedings: who collected it, when, from where, and proof that it has not changed since.
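On the last point, the usual technical building block is a hash manifest: a cryptographic hash of each item is recorded at collection time together with custodian and collector details, and the same hashes are recomputed before production or at trial to show that nothing has changed. The following is an added illustration, not code from the original post or from any eDiscovery product; the item names, custodian and collector values, and the manifest layout are assumptions chosen for the example.

```python
"""Hash manifest for a small ESI collection (added example).

build_manifest() records SHA-256 and size for every collected item, plus who
collected it, from whom, and when; verify_collection() recomputes the hashes
later and reports anything modified, missing or added.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory item, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, read in chunks so large items don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(items: dict, custodian: str, collected_by: str) -> dict:
    """Create the collection-time record for a mapping of item name -> bytes."""
    entries = {
        name: {"sha256": sha256_hex(data), "size": len(data)}
        for name, data in sorted(items.items())
    }
    manifest = {
        "custodian": custodian,          # whose data this is
        "collected_by": collected_by,    # who performed the collection
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": entries,
    }
    # One hash over the canonical item list lets the whole manifest be cited by a single value.
    manifest["items_sha256"] = sha256_hex(
        json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    )
    return manifest


def verify_collection(items: dict, manifest: dict) -> dict:
    """Re-hash the items and compare against the manifest.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}; all three
    lists empty means the set produced matches the set collected.
    """
    expected = manifest["items"]
    modified = [n for n in expected if n in items and sha256_hex(items[n]) != expected[n]["sha256"]]
    missing = [n for n in expected if n not in items]
    unexpected = sorted(n for n in items if n not in expected)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


# Constructed sample collection for the example; not real evidence.
SAMPLE_ITEMS = {
    "mail/2019-03-04-smith.eml": b"From: smith@example.com\nSubject: Q1 forecast\n\nNumbers attached.\n",
    "docs/forecast.xlsx": b"PK\x03\x04" + b"\x00" * 32,
}


def demo():
    """Verify an untouched copy, then a copy where one item was altered after collection."""
    manifest = build_manifest(SAMPLE_ITEMS, custodian="j.smith", collected_by="ir-team")
    clean = verify_collection(SAMPLE_ITEMS, manifest)
    tampered = dict(SAMPLE_ITEMS)
    tampered["docs/forecast.xlsx"] = tampered["docs/forecast.xlsx"] + b"x"
    dirty = verify_collection(tampered, manifest)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("untouched copy:", json.dumps(clean))
    print("altered copy:  ", json.dumps(dirty))
```

The manifest itself should be stored separately from the items (and ideally signed or logged in a write-once system), since a manifest that travels with the data and can be edited alongside it proves nothing.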
You can choose to be reactive, to be proactive, or to ignore the issues entirely, but Information Security will ultimately be involved in these processes. The CSO/CISO is already responsible for establishing information security policies and for putting in place controls that test the effectiveness of those policies. This added responsibility is a valuable opportunity to make the CISO's role in the enterprise's eDiscovery efforts a more strategic one.
Next: The evolving landscape of eDiscovery.