It seems like everybody’s talking about e-discovery nowadays — just take a look at any IT trade journal or IT news source and you’re likely to see at least one article about what e-discovery is and how to prepare for it.
However, despite all this attention, both in IT and legal circles, there are still a number of unanswered questions from folks seeking to best prepare their firms for matters involving digital evidence. In fact, one of the most common questions I get about this topic comes from what you would think to be a fairly unlikely source: small and medium-sized businesses (SMBs).
Quick Recap: What Is E-Discovery?
To quickly recap, the current buzz around e-discovery centers around recent (December 2006) changes to the procedures followed by United States courts for civil suits — as codified by the Federal Rules of Civil Procedure (FRCP) — regarding the way that electronic evidence is handled in legal proceedings.
Given that quite a bit of the evidence that might be applicable to a given case exists only in electronic form, it only makes sense that the evidence not be destroyed during the normal course of doing business so that it can be brought in and potentially play a role in a trial. Specifically, amendments to the rules dictate that electronic records potentially related to the matter need to be preserved so that they can be made available during the proceeding.
Of course, this can be a tall order for most IT shops given the volume of data — documents, correspondence and records — constantly generated within the typical firm. Moreover, much of this data is transient in nature, deleted as a matter of course during the ordinary process of doing business or over time as documents, correspondence and records become “stale.”
Unique Challenges in the SMB
Most large organizations have responded by implementing specific procedures and processes designed to ensure that the right personnel (both from internal counsel and IT) are brought to the table early to make sure that artifacts of this type are preserved appropriately.
However, SMBs have unique challenges that large firms don’t have. For example, many SMBs don’t have dedicated internal counsel. Many SMBs don’t have the same type of IT specialization in-house as larger firms. For example, whereas a large firm might have a team of individuals dedicated to maintaining e-mail services (an area where preservation of evidence might very likely be a clearly defined part of the job description), a smaller firm might have one or two individuals responsible for the entire production environment, with e-mail services only one small part of what they’re responsible for.
“SMBs are caught between the proverbial rock and a hard spot when it comes to the mandates of the FRCP,” said e-discovery guru Bill Spernow of Security Mentors. “Given most are involved in Interstate Commerce it’s possible they may end-up being sued in Federal Court. But typically SMBs don’t have a CIO or corporate counsel on-board, nor is their outside legal counsel likely to have federal experience when it comes to electronic evidence. So before-the-fact technical and legal guidance is lacking, and that’s what the FRCP electronic evidence rules demand.”
In other words, while SMBs might have constraints that larger firms don’t related to the resources and specialized expertise in-house, they still have just as much skin in the game when it comes to litigation. In fact, some SMBs (in fields like healthcare, for example) might have as many or more lawsuits relative to their size than some large firms and so need to prepare just as thoroughly for discovery of electronic records.
Strategies for the SMB
Clearly, SMBs looking to gain an advantage and protect themselves in the event of litigation have their work cut out for them. What can be done? How can these firms prepare so that they’re able to respond in a timely manner and not lose critical evidence?
Generally speaking, it is useful for SMBs — just like larger firms — to think about the subject ahead of time and spend time preparing for e-discovery in their environment. Thinking about topics like which people should be involved is difficult in the “heat of the moment” (i.e., when the clock is ticking) but can be more easily approached with cool heads — when the prospect is still hypothetical rather than a reality.
In other words, firms that think about and prepare a processes ahead of time concerning what to do in the event that litigation is imminent (i.e., in the event that they’re sued or are likely to be sued) are likely to be significantly better equipped than firms that wait until there’s an issue to think about it. In the case of an SMB, however, it’s useful to take the nuances of the environment into account during the planning process to ensure that issues related to what staff and what expertise might be available.
In a large firm, the process of planning for e-discovery typically involves setting up defined communication channels and documented processes to initiate data retention or data preservation measures. In a smaller firm, where in-house counsel or dedicated IT staff might not be maintained, the strategy is the same.
However, the process might “work around” areas where specialists might not be available. For example, in the case of a firm that doesn’t have internal counsel, the process might initiate data preservation within IT in a manner that’s tied to bringing in external counsel. That way, rather than wait for external counsel (who may not know the ins and outs of the firm) to initiate evidence preservation, the SMB is already ready to accommodate discovery requests.
Firms without dedicated IT staff can have administrators research where evidence may exist and how to preserve it ahead of time so they don’t have to research these things on the fly. Firms without around-the-clock technology support can prepare “cheat sheets” for what to do in the event that technology staff are unavailable for prolonged periods of time.
Typically, a larger organization might prefer a formal, documented process for initiating these types of activities, but smaller organizations may have a culture where documented processes are not the norm. While a documented process in this case might be preferable, it’s better to have an undocumented and informal process than no process at all. Just like the large enterprise, SMBs can productively spend time thinking about this topic ahead of time so as to decrease exposure (and give themselves more leverage) in the event that this ever does become an issue for them.
Ed Moyle is currently a manager withCTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner ofSecurity Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.