Web 2.0 and e-discovery: Risks and countermeasures

Michael Cobb
07.02.2008


Enterprise employees frequently use social networking tools, most notably Web-based applications. It's no surprise more organizations are wondering what happens if social networking data becomes relevant to an e-discovery investigation.

How does an enterprise go about discovering and assessing Web 2.0 data? How responsible is an organization, legally speaking, for the information that's out there in the Web 2.0 world? What risks arise from e-discovery as it relates to Web 2.0 data, and how can you mitigate them? In this tip, we will look at e-discovery as it relates to Web 2.0 and consider the strongest options for minimizing risks to the organization.

E-discovery basics
We begin with a quick look at what e-discovery is and how it can create risk. Essentially, e-discovery is the electronic extension of the legal process of discovery, which Wikipedia defines as "the pre-trial phase in a lawsuit in which each party through the law of civil procedure can request documents and other evidence from other parties or can compel the production of evidence by using a subpoena or through other discovery devices, such as requests for production and depositions."

If you're an IT person rather than a lawyer, it's important to note that the rules governing the discovery process now require plaintiffs to address all electronically stored information (ESI). In other words, if your organization faces litigation, it will have to deal with e-discovery, which entails a whole lot more than turning over some old emails.

Depending upon your role in the organization, the first you may hear of this is a "notice of litigation," perhaps accompanied by a "litigation hold directive" containing a "preservation directive." A generic e-discovery request follows. Apart from a few limiting factors, such as subject matter, named persons and a specified time period, the scope of such a notice is likely to be broad; blame standard procedure, not some high-powered attorney pushing his or her luck. If handling such a request seems daunting today, just wait: it won't be long until lawyers attempt to expand the definition of ESI to include Web 2.0.


Notice of Litigation

Acme Inc. recently received notice of litigation regarding the acquisition of Widget, LLC. As you can appreciate, electronic data contained in Acme's computer systems may be very important as a source of discovery and evidence in this case. Acme is required by law to take steps to ensure that all electronic data that is potentially relevant to this litigation is preserved. To satisfy Acme's legal obligations, your assistance is necessary and required for the preservation of Acme's electronic data as described in the following:

Directive Regarding Preservation of Electronic Data

Effective immediately, all Acme personnel must preserve and retain any electronic information or data that is or may be relevant to the litigation. We are required not to alter, delete or otherwise modify any such electronic information. For your information, relevant information and data includes [brief description of general categories of potentially relevant records]:

  • All communications to or from [witnesses, other relevant or key players];
  • All information about [identify opposing parties, their claim and any other key issues];
  • [Provide a description of any additional categories of information likely to be relevant]

Any question about the relevance of a particular file, email or other electronic data should be addressed to the Office of General Counsel and resolved in favor of preserving and retaining information. Failure to preserve relevant information may result in significant penalties against Acme.

In identifying and preserving electronic data, please keep in mind that "electronic data" includes, but is not limited to: All text files (including word processing documents and presentations), spreadsheets, email, databases, calendars, computer system activity logs, Internet usage files, and network access information. The company's computer systems include, but are not limited to, all workstations, laptops, network servers, removable media, handheld devices, voicemail and backup tapes. Again, any questions as to the scope of this directive should be resolved in favor of preservation and retention.

At individual workstations, this directive requires you to preserve and retain all potentially relevant files stored on your hard drive and all potentially relevant email contained in your [Lotus Notes or Outlook] Inbox and Folders. [Provide specific instructions on email retention, i.e. creation of litigation folder]. Any email "janitorial" functions, such as automatic deletion of email after a certain number of days, must be disabled.

At the network and systems administration level, this directive requires you to preserve and retain all potentially relevant files stored on Acme servers and to refrain from doing any administrative work that has any potential to destroy potentially relevant files. Any "janitorial" functions must be disabled. All backup tapes must be preserved and pulled from recycling rotation. [Insert instruction regarding any date restrictions]. One full backup or snapshot of [key players/company] mailboxes, hard drives and network drives should be created upon receipt of this directive.

If you have any questions, please contact the Office of General Counsel.

[Source: Michael D. Sermersheim, AVP and Deputy General Counsel Emeritus, University of Akron, used with permission]


If you're wondering what legal harm could come from employees using Wikipedia, LinkedIn, Facebook or Del.icio.us, examine how judges have defined ESI in the past. They lack sympathy for those claiming that ESI is difficult to locate, accidentally erased, onerous to maintain, or anything else that might appear to be an excuse to withhold information relevant to a case.

The 2003 case of Coleman Holdings Inc. vs. Morgan Stanley & Co. set the tone. Morgan Stanley agreed to search its oldest backup tapes for information regarding 36 employees involved in the matter, review all emails for a critical two-month period in 1998, and search all emails using 29 specific search terms. Morgan Stanley certified that it had complied, but in March 2005 the court found that the company had failed to disclose or search more than 2,000 backup tapes, failed to disclose the existence of a historical email archive that would have allowed quick and inexpensive searches, and failed to review at least 7,000 additional responsive documents due to an error in the company's search program. The result was a $1.5 billion jury verdict against Morgan Stanley. Although the figure was reduced on appeal, the company's e-discovery failures were undoubtedly a major factor in deciding the outcome.

A Web 2.0 risk scenario
Consider a risk posed by wikis and other Web 2.0 collaboration tools that comes not from what employees are saying or posting on the Web -- although that can also be a risk factor -- but from their employers' lack of awareness. Suppose you're the CIO of a company that dominates its market to the point where competitors are grumbling about monopolistic practices. Some of your employees decide to "help" by going on the offensive, denigrating these grumbling competitors in off-site blog posts and wiki entries, tagging negative stories on the Web, posting slanted questions on LinkedIn, fostering criticism on Facebook, and so on. Then the company is hit with a lawsuit by its competitors for engaging in an alleged smear campaign. Your general counsel proclaims innocence and tries to limit the scope of discovery, but is compelled by law to agree to hand over all relevant ESI.

Is anyone going to point out that some relevant data, namely Web 2.0 data, was created by Acme computer systems, but is not stored on those systems? If you know this to be the case, do you speak up or stay silent? What if you don't know about the Web 2.0 data? Will ignorance be a viable defense? It's more likely that when the courts evaluate your ESI, the judge would find it lacking because your opponents have been trolling the social networks for the information you missed or excluded. Worse still, precedent does not excuse ignorance or exclusion (in addition to Coleman Holdings vs. Morgan Stanley, see Disability Rights Council of Greater Washington vs. Washington Metropolitan Area Transit Authority, Ryan vs. Gifford, and Orrell vs. Motorcarparts of America Inc.).

Reducing Web 2.0 e-discovery risk
Reducing Web 2.0-related risk must begin with a clear set of policies and related controls governing the use of off-site tools. The policies should spell out which tools can be used, by whom and for what purposes. Strict guidelines about what can and cannot be said need to be issued, understood and followed.

Despite the risks, if your organization chooses to allow the use of Web 2.0 tools, mechanisms to detect violations should also be put in place. When violations are detected, violators must be punished. These steps will ensure the company knows where to look for ESI in the event of discovery and can mount a reasonable defense if employees place relevant data on unsanctioned sites. Failure to follow all the steps will leave the organization open to risk.
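As an added illustration of the detection step (example code written for this page, not part of the original tip), the following Python script audits Web proxy log lines against a usage policy of the kind described above. The policy table, the user-to-group mapping and the log lines are all constructed for the example, and the log format imitates a simple proxy access log rather than any specific product. Beyond flagging out-of-policy access, the script also builds an inventory of the external hosts each user has posted data to, which is the list counsel would need when deciding where Web 2.0 ESI might reside.

```python
"""
Audit Web proxy logs against a Web 2.0 usage policy.

Added example, not from the original tip: the policy, the user directory
and the log lines below are constructed so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed policy: which external collaboration sites each group may use.
# A group absent from the table may use none of the monitored sites.
POLICY = {
    "marketing": {"linkedin.com", "facebook.com"},
    "engineering": {"wikipedia.org"},
}

# Sites the policy governs; traffic to other hosts is not a policy question
# here, but write requests to them are still recorded as possible ESI locations.
MONITORED_SITES = {"linkedin.com", "facebook.com", "wikipedia.org", "del.icio.us"}

# Constructed user -> group mapping (in practice, pulled from the directory).
USER_GROUP = {"alice": "marketing", "bob": "engineering", "carol": "finance"}

# Constructed access log lines: "<epoch time> <user> <method> <url>"
SAMPLE_LOG = """\
1214956800.123 alice POST https://www.linkedin.com/answers/ask
1214956801.456 bob GET https://en.wikipedia.org/wiki/Widget
1214956802.789 bob POST https://www.facebook.com/groups/post
1214956803.012 carol POST https://del.icio.us/save
1214956804.345 carol GET https://www.example.com/news
1214956805.678 alice POST http://blog.example.net/comment
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")


@dataclass(frozen=True)
class Violation:
    user: str
    group: str
    site: str
    method: str


def registered_site(host):
    """Map a hostname to the monitored site it belongs to, or None."""
    for site in MONITORED_SITES:
        if host == site or host.endswith("." + site):
            return site
    return None


def audit(log_text):
    """Return (violations, esi_inventory).

    violations:    Violation records for monitored-site access outside policy.
    esi_inventory: {user: {host: count}} of write requests (POST/PUT) to any
                   external host, i.e. places where employee-created data may
                   now reside and therefore where discovery may have to look.
    """
    violations = []
    inventory = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        user, method, url = m["user"], m["method"], m["url"]
        h = HOST_RE.match(url)
        if not h:
            continue
        host = h.group(1)
        group = USER_GROUP.get(user, "unknown")
        site = registered_site(host)
        if site is not None and site not in POLICY.get(group, set()):
            violations.append(Violation(user, group, site, method))
        if method in ("POST", "PUT"):
            inventory[user][host] += 1
    return violations, {u: dict(hosts) for u, hosts in inventory.items()}


if __name__ == "__main__":
    found, where = audit(SAMPLE_LOG)
    for v in found:
        print(f"VIOLATION {v.user} ({v.group}) {v.method} to {v.site}")
    for user, hosts in where.items():
        print(f"ESI may reside for {user}: {hosts}")
```

Run as a script it prints the two violations (bob posting to Facebook, carol posting to Del.icio.us) and the per-user host inventory; in a real deployment the policy table and group lookup would come from the organization's own directory, and the log format would have to match the proxy actually in use.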

Conclusion
Web 2.0 technology offers great possibilities, but the cutting edge is not without risks. The law typically lags behind technology, so we don't yet know how the courts will deal with the numerous issues raised by Web 2.0 data. What we do know is that ignorance about what employees are doing with company resources is always dangerous and should be reduced as much and as soon as possible.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

