Records Retention Standards often omit data provided in response to e-Discovery requests. Although media and communication protection policies govern the proper security of the data you provide to the requestor (media use, transmission and encryption rules), how often do legal documents specify the data retention, return or disposal guidelines?
Does our Retention Policy define rules for recovering data that was disclosed to an authorized, but contentious recipient? At the end of the litigation, audit or investigation, how do we instruct lawyers, auditors and forensics professionals to return, sanitize or otherwise destroy the data? How often do we require a certificate of data destruction upon closeout of a “review?” As much due care as we exercise to vet our business partners, we don’t get that same luxury with our adversaries.
Recovery of e-discovery data is an easily overlooked issue that leaves the organization susceptible to a potentially high risk exposure. In addition to possible accidental information spillage or leakage, we risk the potential for deliberate and malicious misuse by employees of an organization that (a) demanded our data under potentially contentious circumstances and (b) whom we can’t control. A data leak originating from a relatively unknown source may be very difficult to trace. A particularly litigious organization may even attempt to reuse our data in subsequent legal claims against us, without adequate restrictions on the use of the data.
As Information Security Professionals, we must work with our Legal, HR, Finance and Risk and Compliance colleagues to define e-discovery compliance policy and procedures that protect the sole ownership rights to our data. Prior to submitting the requested data, we must utilize all legal means to specify the use limitations of the data, and provide rules and specific instructions for return or sanitization of the data upon completion of the “review.” E-discovery requests are often mandated with short notice, so the organization must be prepared to respond quickly to execute the controls; simultaneous to the data retrieval and preparation tasks. Clearly defined protocols will help the organization respond appropriately.
Any time an InfoSec Manager releases data, an exact duplicate copy should be retained in a secure location, either on an encrypted and protected network file share or on encrypted media secured in the safest location the organization possesses (preferably, a fireproof safe). If the risks materialize, the clean copy of the data originally provided may help investigators track the source of the misappropriation and clear the organization that actually owns the data.
At the end of the “review,” the business must consult with legal counsel or the Information Security Manager to request return or destruction of the data. Although we may have indicated, at the onset of the matter, that the requestor must return the data, we maintain the responsibility to account for the data, and we may have to be diligent in our efforts to recover the data or the certificate of destruction.
Secure Compliance Solutions LLC provides a wide range of CISO Advisory consulting services to build or strengthen your Information Security and Data Privacy programs, based on industry-tested frameworks and standards. SCS applies its experience and subject matter expertise to help our customers wade through the complex specifications associated with information security requirements, so you can focus on your core businesses.