eDiscovery as the CIO
Just as breaches will happen, litigation holds will happen
I recently read a comment made by a colleague, “The most common anti-forensics tool I see used in engagements is time. The bad guys persists their malware in known locations, and it still goes undetected for so long that logs roll over, deleted files are overwritten, and artifacts oxidize.”
"Minimize the process of searching for, reviewing, and analyzing that data in discovery—using cloud technologies"
I immediately thought of eDiscovery. The organization must be responsive to the request to preserve. Fine and penalties are the end result of failing to preserve or provide. What data do I have and where is it?
Having been a computer forensic investigator, eDiscovery specialist, big data scientist, and a CIO I have a unique perspective that is worth sharing.
Architecture—defined by Webster— is the complex or carefully designed structure of something. Complex is accurate when speaking technology. The ‘or carefully’ aspect is only in the eye of the beholder.
Rarely, have I come across an organization that has its networks diagrams, server configurations documented, applications inventoried, and all end nodes known.
In the normal course of business what happens to data?
It is archived, deleted, or stored in multiple locations because applications are configured to store only what the developer thought a user would need. Possibly a focus group told the developers what and how much to store. Suffice to say there are a large number of possibilities. On my soapbox for a minute, no one ever checks with cyber security or legal to ask how long and what do they need.
No two organizations are the same. Some have data retention policies, some delete data because they need space, some move data offsite or to the cloud. All present different opportunities and a dilemma.
Why have these conversations? Statement above— Fine and penalties are the end result of failing to preserve or provide information ordered by the court.
Data preservation a tricky business by itself, is made all the more complicated by the numerous systems that exist in most corporations:
■ Email: Gmail, Outlook, Yahoo Mail, GMX, AOL Mail, Zoho Mail, Lycos Mail, Inbox.com, Hushmail and more
■ Databases: Oracle, Sybase, MySQL, DB2, Informix, SQL Server, NoSQL, Hadoop and more
■ Instant Messaging: Spark, Jabber, Slack, Yahoo, AIM, Google Talk, and more
■ Network Storage Systems
■ Desktop and Notebook Computers and Operating Systems
Why is this important? In a word, sanctions
In Small vs. University Medical Center of Southern Nevada, the special master discovery misconduct so egregious as to “shock the conscious” and make “a mockery of the orderly administration of justice.”
In Pradaxa (dabigatran etexilate) Prods. Liab. Litig. , MDL No. 2385, 2013 WL 6486921 (S.D. Ill. Dec. 9, 2013). In this case, the court addressed the adequacy of Defendant’s preservation efforts, including the implementation of their litigation hold(s) and determined that sanctions were warranted for Defendant’s violation of the court’s case management orders in bad faith.
Summarizing, the categories of discovery violations relevant were:
■ The failure to timely identify as a custodian a “high-level scientist that worked on Pradaxa and published articles on Pradaxa as a lead author,” and the resulting failure to preserve much of his relevant information (although the scientist left Defendant’s employ before the time of this opinion, the duty to preserve had been triggered before his departure)
■ The failure to provide the vendor assisting in the collection of relevant materials with the proper passwords, resulting in the delayed identification and production of relevant data
■ The failure to properly preserve text messages, including by failing to specify the need for such preservation in the litigation hold(s) and failing to disengage the auto delete feature of employee cell phones, allowing “countless records to be destroyed.”
What is a CIO to do?
A CIO must create a relationship with their legal counsel. Working with counsel, discuss what data is being created and what must be kept, and for what length of time. Create information retention schedules.
Next, consider the availability of technologies to assist in this process. These will minimize the process of searching for, reviewing, and analyzing that data in discovery—using cloud technologies such as Microsoft Office 365. Today, they offer services such as Compliance Center tools to support eDiscovery, including mailbox and internal site search, legal hold, and predictive coding and text analytics capabilities.
A final step that CIOs work with legal counsel to ensure that the eDiscovery processes is effective. By doing this the CIO creates a workable retention program that is defensible and responsive. Start the today by seeking advice.