Migrated from eDJGroupInc.com. Author: Amber Scorah. Published: 2012-06-04 08:55:01Format, images and links may no longer function correctly. The best way to avoid costly disputes over the adequacy of eDiscovery processes and collections is to build a defensible litigation hold business process.
One means of doing this is by leveraging a company’s information security capabilities. Security risk assessment procedures can be used as an aid in building a defensible process around the execution of the duty to preserve. Jeffrey Ritter, CEO of The Ritter Academy (www.ritteracademy.com), has over 25 years experience in law, technology and academic research. I spoke with him and got some advice on how to do this.
Amber Scorah: You advocate using information security risk assessment procedures to evaluate litigation hold processes. Can you tell us how this is done?
Jeffrey Ritter: What a security professional does in managing a risk is to look at the problem differently. There are four steps that a security risk assessment involves:
1) First you have to identify a target. What is the system, device, or information asset that is vulnerable to something bad happening? In this case the duty is preserving the information. The bad things that can happen are: the information is gone, it’s lost, it’s destroyed, it’s intentionally deleted or altered, it’s manipulated, or it’s disclosed improperly. These are the kinds of risks that the litigation holds process is intended to identify— so step one is finding the target.
2) Step two is the threat. It turns out that the problems that have arisen in companies failing to execute their duty to preserve has actually been the action or the negligence of their own employees: people that ended up storing tapes in their home closets, lawyers that would allow data to sit on their laptops in an airport only for it to be disclosed to people that sit in airport lounges and try to steal data off laptops, people that have intentionally replaced hard drives of computers the day before they were going to be duplicated for preservation. So, with each of the targets we have to identify the threat. What is the factor that could destroy or compromise the information?
3) At this point there are two remaining pieces—one is the vulnerability. In other words, when and how do these threats target and take action against the information that we’re trying to preserve, and
4) What is the likelihood of this occurring? This helps us prioritize how we build the process so we protect the information correctly.
Of course, one of the most important sources and one of the most difficult to be navigated today is the use of email. Let’s take that four-step process and apply it—if email is a target, what are the threats? They could include employees that delete email rather than preserve them, or to go in and try to alter the text of an email.
What is the vulnerability? How can this happen? Is it poor security? Is it a failure to archive? Is it the fact that we allow people to send email form public servers and can access it? And what is the likelihood of this happening?
If we take this kind of step-by-step process using information security risk assessment, we can actually do the investigation and analysis of the status quo that allows us to move toward building a defensible litigation hold program.
A litigation hold program is a process. It’s structured, it has rules that need to be executed, and requires that these rules be executed in order for systems to be defensible. But in the absence of effective programs and effective controls that are responsive to risks, bad things can happen. One way those bad things will usually be expressed is in economic terms.
For more information visit http://www.e-discoveryevent.com, or email amber.scorah@iqpc.com.
eDiscoveryJournal Contributor: Amber Scorah, Legal IQ