The goal: to preserve, collect, review, manage and produce any electronic evidence relevant to a court case. For Greg Thompson, vice president of enterprise security services at Scotia Bank, Canada's third-largest institution, eDiscovery has become a top concern because of the rising litigation caseload. Failure to comply with an eDiscovery request could result in fines or other penalties.
The main reasons for establishing an internal eDiscovery team, versus outsourcing it: huge cost savings, increased control of data and a better understanding of the litigation process.
"Satisfying a court order is heavy lifting," Thompson says. "The cost and risks of outsourcing this service with regards to the number of litigations we are dealing with has skyrocketed. If you send your data to an external party for investigations, you can expect to pay somewhere around $2,000 per day compared to internal expertise, where we spend around $800 per day."
Scotia Bank's choice is increasingly common among private and public sector organizations worldwide. The expansion of litigations, electronically stored information and the risk of sending data to third parties are pushing these organizations to develop their own eDiscovery capabilities.
"eDiscovery is becoming a big deal," says David Matthews, deputy chief information security officer for the City of Seattle in the U.S., and author of a forthcoming book called "Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval." "Every bit of infrastructure and activity generates electronic data, so organizations and individuals are expected to understand by law where their electronic evidence is and how it's accessed and produced in court."
In Australia, a growing number of forensics and IT security practitioners are moving in-house into eDiscovery roles with larger firms, says Jill Slay, professor of forensic computing at the University of South Australia. "It is more cost-effective today for companies to purchase eDiscovery software and do it in-house rather than outsource it as they used to in the past, and as a result save hundreds of thousands in litigation costs."
Dr. George Weir, a forensics professor at the University of Strathclyde, Glasgow, Scotland, finds large financial institutions and big consultancies in the U.K. tasking their IT security and forensics team with eDiscovery requirements. "The push to the cloud has raised a lot of concerns and confusion in this area," he says. "Organizations now want to have direct access and jurisdiction of their data and are creating their own specialized expertise to address these issues."
The eDiscovery Team
But developing an internal eDiscovery capability is challenging. Organizations need to establish a cross-functional team of legal, IT security and forensics professionals who know where the data is, understand how to handle investigations, maintain data integrity and analyze information that is important - and be familiar with the eDiscovery workflow.
"Information security practitioners are uniquely qualified to assist in eDiscovery because of their perspective and subject matter expertise in managing and protecting data," Matthews says. "They are the ones that come with the background of confidentiality, integrity and availability- that's really how you get to the eDiscovery process."
In most cases, the data for an eDiscovery matter needs to be collected in a forensically sound manner, so forensics practitioners are typically involved with the collection, processing and retrieval of data and handling of evidence.
Legal personnel understand the eDiscovery workflow and law requirements, so they collaborate with IT security and forensics to accomplish the work from a broader perspective.
"Jobs in eDiscovery are growing as a lot of people are beginning to think it's important, well understood and relevant in their broader job responsibilities," Matthews says. "eDiscovery is becoming an interesting career choice for professionals grounded in IT security, forensics and law enforcement."
Moving forward, more information security and forensics professionals will get absorbed in eDiscovery as organizations address their policies on data mapping, collection, record management, storage and retention.
"Basically, if practitioners want to earn big dollars, they may have to move in to a senior eDiscovery role," Slay says. eDiscovery work often involves tape restorations or extractions of data from e-mail repositories such as MS Exchange, and the team typically handles investigations like employee misconduct, fraud and other criminal activity, all of which at some point may end up in court.
In the case of Scotia Bank, transitioning from outsourced eDiscovery to establishing an in-house team resulted in dramatic cost savings, Thompson says, as internally the investment only included the salaries of three full-time professionals and appropriate deployment of eDiscovery software. Outsourcing is usually a good option for mid-sized companies with lighter litigation volume, Thompson says. "In our case, the heavy litigation workload, potential for huge cost savings and availability of court-ready analysts that could stand up in court to provide expert testimony with regards to the evidence convinced business leaders to build an internal capability."
Key Skills, TrainingThe role of eDiscovery requires an understanding of data, authentication, chain of custody and handling of evidence. Here are few critical skills required for today's eDiscovery professionals:
- Legal Knowledge: A good understanding of the legal process is very crucial, says Dean Gonsowski, eDiscovery attorney at Symantec Corp. "Practitioners need to be aware that any piece of information they touch may be an exhibit at a trial going forward, and the opposing attorney may challenge their evidence in the case," Gonsowski says. For example, an IT security or forensics professional may find a critical file on sharepoint in the cloud. How they collect the file is crucial for eDiscovery purposes, as it may change the meta data such as last access date and show the investigator as the owner. "This is something an eDiscovery expert doesn't want because this may alter the evidence they need."
Also, professionals need to know the electronic evidence law specific to their jurisdiction to understand how digital evidence is allowed and used in courts, how cases are being settled and how judges are ruling based on electronic evidence. "They need to understand how the law applies to electronic evidence, the rules and what's new in this realm," Gonsowski says.
- Chain of Custody: Practitioners often must prove in court that the integrity of data is maintained by their organizations from collection through production of digital evidence. Professionals must be skilled to ensure that they effectively retrieve, copy, transport and store the data in a way that has not altered the evidence. The generally accepted stages of electronic discovery are identification, preservation, collection, processing, review, analysis, production and, finally, presentation as evidence during trial. The requirement to maintain the chain of custody applies to all stages of the electronic discovery process, Weir says. "An information's admission as electronic evidence is only possible with a properly documented and maintained chain of custody."
- Records Management: includes classifying, storing, securing, archiving and destroying multiple content types dispersed throughout the organization. Here the practitioner must know how to classify data, identify sensitive data and locate all the data repositories within the company. One must be up-to-date with data-retention policies of an organization and understand how to access each repository. "Effective record management can dramatically improve the eDiscovery process", Matthews says. "Archiving, retaining and managing the procedures for record management are the foundation for eDiscovery."
- Soft Skills: including collaboration and communication are also crucial, as professionals routinely need to work with numerous departments, including IT security, compliance and legal among others and often are required to act as a bridge between the technical and legal teams. For example, at Scotia Bank one of the eDiscovery members works three-quarters of the time with the legal group to understand the eDiscovery process and articulate complex technical terms and situations to a non-technical audience.
Experts agree that certification and training are both very significant aspects in hiring practitioners for eDiscovery roles. At Scotia Bank, Thompson hires academically trained candidates in forensics from local community colleges and prefers them to have the credentials of a Certified Forensic Computer Examiner (CFCE) offered by the International Association of Computer Investigative Specialists (IACIS), an organization of current and former law enforcement members. Thompson suggests leaders hire practitioners by reaching out to associations like IACIS and independent consulting firms specializing in these services.
Gonsowski further recommends practitioners become members of the Sedona Working Group, a U.S. think tank that engages in dialogue about eDiscovery issues and the Electronic Discovery Reference Model (EDRM) that provides details on how the eDiscovery process flows for more in-depth training. Also, specific certificate courses on eDiscovery offered, for instance, from the University of Washington are great avenues for specializing in the field.
A half-year into development of Scotia Bank's internal eDiscovery team, Thompson is pleased with the results.
"We're still in the early days," he says, "but huge financial savings and ability to leverage our internal capability to better control data and meet compliance requirements have so far been on the upside, as opposed to going outside and dealing with expensive third parties."