You know that feeling you get when you realize you forgot to do something important? That's how you'll feel if you overlook something during the e-discovery process when your company is involved in legal proceedings.
And the consequences could be devastating. Judges don't take kindly to lost or destroyed evidence, so your company could be hit with multimillion-dollar fines or lose an otherwise winnable court case. Here are some best practices to help you avoid such a scenario.
Talk to your legal department on a regular basis. Let's face it -- the legal department isn't an IT manager's favorite place to spend time. However, it's vital that legal and IT are on the same page when it comes to information management policies and e-discovery processes. One benefit of meeting with in-house counsel regularly is that you'll get to know the key contacts so you'll be prepared to act fast if your company does face legal action. And the best part is that it greatly reduces the surprises you could face down the road.
Make your information-handling practices routine and consistent. It's critical to be able to prove in court that your standard operating procedures are maintained and followed by every individual in your company.
For example, waiting until your backup system pages you because it needs a tape mount, then grabbing the last few tapes from an old backup that you "know is out of date" and sticking them in for overwrite, is neither routine nor consistent. Trust me; you don't want to have to explain later why you chose those specific tapes to overwrite. And no, "because they were on top" isn't an acceptable or defensible answer.
If your data retention policy requires the destruction of data, then it's even more critical for you to be unfailingly consistent with your approach. Destroying data on time is just as important as backing it up.
Keep a trail. Backup logs, system and event logs, shipping receipts, help desk tickets, work requests, e-mail, meeting notes, journal entries, and yellow sticky notes can all be resources for you to draw on when (not if) you need to recall or prove what you did or didn't do in the course of a typical day.
Once an e-discovery project starts, you'll hear the term chain of custody often. Basically, this means that you need to know -- and that you should be able to prove -- who had the data and when. The tricky part is that the chain has to start long before the e-discovery matter begins, so you need to take steps now to ensure that you can track the chain of custody in the future.
For instance, when an employee creates a file on your network and then you back it up, you need to keep track of the original author. Most backup software does this, or, at the very least, you can tell from the directory structure whether the file was in someone's home directory.
Your description of the chain of custody should indicate when a file was a shared resource for a group of users, as opposed to something held by a specific individual. For example, you may know that a file named StatusReport2.doc was created by Ann Smith, but she saved it in a shared folder where her seven teammates could, and frequently did, open it and enter their own comments.
In that case, you'd describe the group (Ann's Team) that had access to the documents as the custodians. When you back up the file and send the tapes off-site, you are the custodian.