Conducting effective internal investigations and even thorough incident response requires a robust Governance Strategy. Just ask Morgan Stanley about it's $1.45 billion verdict in a default judgement when the bank failed to respond plaintiff's discovery requests for computer-based information.
An outsourced process for eDiscovery is quickly becoming a real board room issue. Not only because of the financial impact, $7K to $12K per hard drive but also the number of cases that are settled prematurely. Outside counsel handles the eDiscovery process on a per-case basis and is not typically interested in what the company must do internally to create and establish a long-term governance and risk management strategy.
The CISO who directs a system of consistent Information Security Risk Management will have the foundation for an in-house eDiscovery team and who can work side-by-side General Counsel for compliance and incident response.
Paul French is a computer forensics consultant with a few TIPS:
A good digital document retention policy is, of course, only as good as the method in which it is implemented. Here a few compliance guidelines you should have your clients consider:
* Establish a records compliance task force, so there are easily identifiable “go-to” people regarding retention activities.
* The compliance task force should create detailed logs of record-purging and back-up activities.
* Archiving procedures should be periodically reviewed and tested. More times than your clients would care to admit, electronic record back-ups are not properly performed or aren’t being performed at all. Incompetence is not a sound defense strategy! If back-up tape hardware is updated, be sure that there’s a back up plan for accessing data on old tapes--these likely will not work with newer hardware. Old back-up tapes stored in a seldom visited closet could pose an unpleasant surprise if they appear suddenly in discovery proceedings, particularly if your client is unable to find the hardware needed to review them.
* Make certain that all media are considered and accounted for in the purging policy. This includes not only servers, desktops, and laptops, but also PDAs, BlackBerries, and various removable media devices.
* It’s a good idea to have an objective third party periodically review and validate that policies are being followed. In doing so, the vendor should interview key personnel and review a sampling of data using forensic tools.
CISO's are seeing their budgets and powerbase grow yet the goal remains the same, Enterprise Risk Management. The Board of Directors now recognizes the significance of having a CISO with an established team for eDiscovery, no matter who may be asking for the timely information.