Why The CSO/CISO Should Care About eDiscovery Part -4-


Part -4- Recent Landmark Legal Precedents and Opinions 

Two important court decisions indicate an early trend underscoring the importance of eDiscovery and digital evidentiary issues to the CSO/CISO. The first case, In re Vee Vinhnee, 336 B.R. 437 (9th Cir. BAP 2005), is a precedent-setting case in which the court excluded Amex's own corporate records, offered as the evidence necessary to establish its case. Rather than the typical near-automatic admission of Amex's corporate records at trial, the Court imposed a higher standard for authentication, and therefore admissibility, of digital evidence. This higher standard resulted in the exclusion of evidence that was unopposed by either party and led to the ultimate loss of one of the two issues litigated. Some illustrative excerpts from that decision: 

"The court declined to admit plaintiff's computerized business records as inadequately authenticated ..." 

"...plaintiff would have prevailed on one of the two counts if the records had been admitted." 

"authenticating a paperless electronic record, in principle, poses the same issue as for a paper record, the only difference being the format in which the record is maintained ... the paperless electronic record involves a difference in the format of the record that presents more complicated variations on the authentication problem than for paper records. Ultimately, however, it all boils down to the same question of assurance that the record is what it purports to be." 

The ephemeral nature of electronically stored information (ESI) and the ease with which undetectable modifications can be made represent much more than "complicated variations." Indeed, there are fundamental differences related to issues of ESI, and many of these issues reflect concerns of enterprise information security stakeholders. Examples include the little-understood difference between the first instantiation of ESI (source data) and subsequent renderings, and how a computer generating ESI in effect acts as a declarant, making statements authored by a programmer through prescribed code. These examples (and there are many more) represent the tip of the iceberg of issues currently facing those who rely upon and seek to admit digital information as evidence.

Other excerpts from the Vinhnee case of concern to the CSO/CISO: 

"The logical questions extend beyond the identification of the particular computer equipment and programs used. The entity's policies and procedures for the use of the equipment, database, and programs are important."

"How access ... is controlled... How changes in the database are logged ..., as well as the structure and implementation of backup systems and audit procedures for assuring the continuing integrity of the database, are pertinent to the question of whether records have been changed since their creation." 

It should be clear that the reliability of ESI is based on establishing a foundation of authenticity, which in turn is based on factors extrinsic to the ESI itself. The factors now becoming critical in digital evidence authentication and admissibility include the systems, applications, processes, procedures and people that generate, manage and provide a chain of custody for ESI throughout the information life cycle, as well as the effectiveness of the policies and controls designed to ensure and demonstrate their reliable operation. These factors mirror the everyday concerns of enterprise info-sec stakeholders.

The second seminal decision in essence provides a preliminary guide not only to attorneys seeking to admit ESI in evidence at trial, but also to enterprise clients. That distant train whistle is reflected in the terse warning by the Court to "get it right the first time". 

The decision in Lorraine v. Markel American Insurance Company, 241 F.R.D. 534 (D. Md. 2007) is remarkable for both its message and its length (more than 100 pages). The predominant portion of this decision is what lawyers call "dicta." Dicta typically provide important contextual, but not precedential, information about the decisional process employed by a judge. The dicta in the Markel decision are notable in that they have been relied upon by an increasing number of subsequent judicial decisions. The Markel ruling, issued in May 2007 by Judge Paul Grimm, Chief Magistrate of the United States District Court for the District of Maryland, sets forth in detail the burdens and pitfalls associated with the admission of ESI as evidence. This decision should be taken into account by enterprise info-sec stakeholders, as it provides a rudimentary framework for the approach to be taken in connection with the authentication and admissibility of digital evidence. Judge Grimm first recognizes that while there has been extensive discussion of the rules related to ESI discovery, very little has been written about "what is required to ensure that ESI obtained during discovery is admissible into evidence at trial..."

Taken together, the Markel and Vinhnee decisions provide guidance on what will be required to ensure that ESI offered as evidence is admitted into evidence. In Markel the court excluded email evidence from both parties, even though neither party challenged the admissibility of the other's evidence. The basis for exclusion was that neither party met a minimum standard of authentication even under the existing Federal Rules of Evidence. An excerpt from the Markel opinion:

"... considering the significant costs associated with discovery ... it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence ... because the proponent cannot lay a sufficient foundation to get it admitted." 

In other words, from the point of view of supporting or defending your legal position, ESI that is excluded is information that never existed, and accordingly is not considered by either a judge or jury when rendering a decision. As in the Vinhnee case, exclusion of corporate records can have drastic consequences. Accordingly, it cannot be over-emphasized that ESI offered as evidence must be accompanied by a defensible rationale for its authenticity. This requirement is supported by express guidance language in the Markel opinion:

"... counsel would be wise not to test their luck unnecessarily. If it is critical to the success of your case to admit into evidence computer stored records, it would be prudent to plan to authenticate the records by the most rigorous standard that may be applied." 

What is the "most rigorous standard that may be applied?" Is it effective external controls, or content-level detective controls such as "trusted" time stamping and digital signatures? Is it X.509? The ANSI X9.95 (2005) Trusted Time Stamp standard? The Markel Court does not delve into the definition of what would constitute the "most rigorous standard," and that is where decisional authority is in a state of evolution. 

The Markel opinion further stated: 

"The primary authenticity issue in the context of business records is what has, or may have, happened to the record in the interval between when it was placed in the files and the time of trial. In other words, the record being proffered must be shown to continue to be an accurate representation of the record that originally was created." 

It is important, therefore, to understand that the "authentication" required by Article 9 of the Federal Rules of Evidence requires the proponent (the party offering) of ESI to demonstrate authenticity not only from the point in time it is identified, collected and preserved in the discovery process, but also from the time of the assertion of relevance to the matter in litigation. Is the ESI what it purports to be as of the time that assertion attaches, for example when the contract was signed, or when the email was created and sent? The message sent by the Markel and Vinhnee courts is clear and unambiguous: courts are subjecting ESI to more scrutiny than ever before, and will exercise the power to exclude evidence, even where no party objects.

The takeaway for the CSO/CISO is that evidentiary authentication and admissibility issues will necessarily include data integrity and custody issues (read: policies, processes, and demonstrability) during the entire information life cycle. 
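The Vinhnee excerpts ask how changes are logged and how continuing integrity is demonstrated, and the Markel Court asks whether the record "continues to be an accurate representation of the record that originally was created." The following Python script is an added example, not part of the original post or of either court's opinion, of the kind of demonstrable control that answers those questions: a hash-chained custody log in which each event (creation, collection, preservation) binds the record's content hash to the previous entry, plus a verifier that distinguishes an intact record from a record altered after attestation and from a custody log edited after the fact. The sample record, the custody events and the custody key are all constructed here; the HMAC stands in for the digital signature and trusted timestamp (for instance per ANSI X9.95) that a production control would use.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample record: stands in for a corporate record that may
# later be offered as evidence (not from the original post).
SAMPLE_RECORD = b"Invoice 2007-0412: amount due $4,250.00, approved by J. Doe"

# Hypothetical custody key. A production deployment would replace this HMAC
# with a digital signature and an ANSI X9.95-style trusted timestamp.
CUSTODY_KEY = b"demo-custody-key-not-for-production"

GENESIS = "0" * 64  # prev_entry_hash of the first entry in a chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    """Serialise the attested fields deterministically so hashes are reproducible."""
    body = {k: v for k, v in entry.items() if k not in ("entry_hash", "mac")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, record: bytes, actor: str, action: str, at: str) -> dict:
    """Append a custody event that binds the record's hash to the previous entry."""
    entry = {
        "seq": len(chain),
        "at": at,  # ISO-8601 time of the event (constructed)
        "actor": actor,
        "action": action,
        "record_sha256": sha256_hex(record),
        "prev_entry_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    payload = _canonical(entry)
    entry["entry_hash"] = sha256_hex(payload)
    entry["mac"] = hmac.new(CUSTODY_KEY, payload, hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list, record: bytes) -> list:
    """Return a list of problems; an empty list means log and record are intact."""
    problems = []
    prev = GENESIS
    current = sha256_hex(record)
    for i, e in enumerate(chain):
        payload = _canonical(e)
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence number {e['seq']} out of order")
        if e["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain link broken (entry removed or reordered)")
        if sha256_hex(payload) != e["entry_hash"]:
            problems.append(f"entry {i}: log entry altered after it was written")
        expected_mac = hmac.new(CUSTODY_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, e["mac"]):
            problems.append(f"entry {i}: custody MAC does not verify")
        if e["record_sha256"] != current:
            problems.append(
                f"entry {i}: record content differs from the version attested at {e['at']}"
            )
        prev = e["entry_hash"]
    return problems


def build_demo_chain(record: bytes = SAMPLE_RECORD) -> list:
    """Constructed custody history: creation, collection and preservation of one record."""
    chain = []
    append_event(chain, record, "erp-system", "created", "2007-04-12T09:15:00Z")
    append_event(chain, record, "litigation-hold-tool", "collected", "2007-09-03T14:02:00Z")
    append_event(chain, record, "evidence-vault", "preserved", "2007-09-03T14:05:00Z")
    return chain


def demo() -> dict:
    """Three checks a proponent should be able to show: intact, altered record, altered log."""
    chain = build_demo_chain()
    altered_log = copy.deepcopy(chain)
    altered_log[1]["actor"] = "someone-else"  # after-the-fact edit to the custody log
    return {
        "intact": verify_chain(chain, SAMPLE_RECORD),
        "record_altered": verify_chain(chain, SAMPLE_RECORD + b" (amended)"),
        "log_altered": verify_chain(altered_log, SAMPLE_RECORD),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "OK" if not problems else problems)
```

The point of the design is that the proponent can answer the Markel question for every interval in the record's life: each entry attests the record hash at a dated event, each entry is linked to the one before it, and every field that the attestation covers is under the custody key, so an edited record, a removed or reordered event, and a back-dated edit to the log itself each produce a specific, explainable failure rather than a bare "the hashes don't match." The key-holder and the timestamp source are the extrinsic factors the court cares about, which is why a real deployment moves both out of the application and into a signature and trusted time-stamp service.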

SWT 

Next: Electronic Discovery & Evidence Admissibility

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
