Opinion: Are you prepared for when your company sues, or is sued, and you're ordered to produce particular data in particular forms?
Business decisions are already dominated by legal considerations in many fields. This will come as no surprise to you, I'm sure, but things are getting worse, especially for corporate IT.
Big legal changes have been happening over the last few years with respect to the use of digital evidence in legal proceedings. Digital evidence is getting to be just about the only documentary evidence there is. Research at Berkeley in 2003 showed that more than 92 percent of all corporate information was generated in electronic form. Nowadays, virtually all source information used in legal and regulatory proceedings will have been generated electronically. A recent white paper from the Microsoft U.S. National Security Team (who knew they had such a team?), entitled "The Evolving landscape of Legal Discovery & the Expanding Role of the Chief Information Officer," delves into these issues.
The laws on admissibility of and procedures related to evidence, such as discoverability, often go back a very long way. But their relevance to electronic data is tenuous. Governments and the legal profession have recognized the problem and, in some cases, the rules have adapted. For instance, in December 2006, amendments to the FRCP (Federal Rules of Civil Procedure) greatly expanded the scope of discoverable information with respect to electronic data. Court decisions are also evolving to address the problems. The FRE, or Federal Rules of Evidence, have not been adapted to deal with electronic data, even though courts have been complaining about this problem for decades.
To be admitted, evidence needs to be authenticated, which means that it is established by the court to be what it purports to be. The rules for authenticating documents are old and well-understood, and in the United States are controlled by the Federal Rules of Evidence.
But the state of law for authentication of digital data is, to put it kindly, under development. That's right, this part of our legal system is in beta. The white paper cites a number of cases, including one involving American Express (In re Vee Vinhnee, 336 BR 437, 9th Cir. BAP 2005) in which the court excluded American Express' own corporate records for lack of sufficient authentication. As a result, Amex lost one of the two counts in the case.
What is the authenticity of the data based on? On everything that establishes the chain of custody to that data: the applications, the people, the business processes and procedures. All of these are part of the authentication of the data, and are relevant to the legal process.
The paper also cites a judgment in the case of Lorraine v. Markel American Insurance Company (241 F.R.D. 534 (D. Md. 2007)) in May 2007 by U.S. Magistrate Judge Paul Grimm, in which Grimm went on in detail about the issues involved in the admissibility of electronic evidence. Much of this opinion is what lawyers call "dicta," an on-point lecture on a subject, but not controlling law. In a vacuous legal environment like this, such dicta is likely to be influential.
At the same time, the FRCP amendments vastly expanded the scope of what could be required for production. Data may be required in original, native and searchable formats, meaning that you have to produce system and application metadata in order to satisfy requests. The exact substance and form of the data to be produced is a matter for the parties' attorneys to work out well in advance of any trial. But think about it: if you are requested to produce copies of all forms and stages of some data that exists in your enterprise, could you do it? The Microsoft white paper states that "virtually any instance of electronic information created in the normal course of business is discoverable."
If you're thinking that this could lead to the development of a new category of expensive software, the industry is way ahead of you. Products to help you preserve and manage evidence in the enterprise are in as much flux as the law, but they have to be on your big picture radar at this point. You may not be able to satisfy legal requirements that even the lawyers don't understand, but you have to prepare to deal with the issue. Don't be like Amex.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.