Discovering Tricks of E-discovery

Federal rules governing retention of electronic documents pull info security into the legal domain.

This version of the story originally appeared in Computerworld's print edition.

It's not often that I'm contacted by my company's legal counsel, but when he sent me a meeting request with the topic of "data retention," I realized that this could mean only one thing: e-discovery. Whatever size organization they work for, security managers must be prepared to address this subject.

The Federal Rules of Criminal Procedure are definitely within the purview of legal counsel. E-discovery, though, is where the FRCP intersect with IT and information security. The FRCP require companies to preserve data, be it on paper or some electronic medium, that might be related to litigation, whether it's pending or merely anticipated.

Discovery, of course, is part of the process in all lawsuits. It involves lawyers for one side requesting information that the other party has access to. The FRCP bring this process into the 21st century, extending discovery to electronic media.

As I understand it, e-discovery is generally pretty straightforward. If a company is being sued for, say, sexual harassment, it would first have to disclose to opposing counsel the types of information it has available: paper memos, e-mail or instant messages from the period in question. What is available depends on the company's retention policy. If the policy is to keep e-mail for one year, then it isn't obligated to provide e-mail interactions relevant to the lawsuit that were sent two years ago.

Where things get interesting is when you're talking about "anticipated" lawsuits. According to some interpretations of the FRCP, if an employee tells a manager that he is "thinking about" filing a lawsuit against the company, the company must begin at that point to retain all data and communications that the employee is party to.

All this was reviewed as I sat in a conference room filled with lawyers. Of course, the lawyers didn't say any of it quite so simply; in fact, I had a bit of a hard time staying awake while the legal jargon droned on. In the end, though, I was able to make some sense of my responsibility.

First, I am going to inventory all of our data repositories and capabilities. What do I mean by "capabilities"? I'll explain with instant messaging as an example. We use Microsoft Office Communicator for IM. By default, we don't retain any IM communications; the disk-space requirements for 8,000 employees are prohibitive. However, we have the capability of recording IM traffic and could initiate it at any time if we anticipated a lawsuit. The same can be said for technologies such as intrusion detection, data leak prevention and content filtering.

When my inventory is done, I will assign custodians for each repository and capability. They will be the contacts for their particular repositories if an e-discovery request is made. We're also going to have to set some data-retention policies for each repository.

Finally, we'll want to evaluate various technologies to assist with data discovery. The decision on that will come down to cost.

When an e-discovery request is made, we become responsible for finding the relevant data, be it in databases, file shares, mail archives, IM logs or some other place. If we did the search for the data manually, we would have to pay hundreds of dollars per hour. But there is no shortage of technologies that are designed for just this type of activity. We'll want to find a technology that integrates with as many of our data repositories as possible, has an easy-to-use interface and makes it even easier to provide the information to the interested parties.

I'm sure we'll find what we need. But I hope we'll never need it.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at



Copyright © 2008 IDG Communications, Inc.
