eDiscovery: The Next Big Compliance Nightmare
Compliance is on the radar of just about every information security practice. Regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), Gramm-Leach-Bliley (GLB), Basel II, the European Union Privacy Act, and many others have security-related provisions that require a considerable amount of planning, implementation and documentation effort.
Unfortunately, information security professionals too often become so immersed in complying with the plethora of security-related regulations that they lose sight of what is on the horizon. A good example is a piece of pending legislation, H.R. 4127, the Data Accountability and Trust Act. In a nutshell, among other things this proposed legislation would require organizations that hold information needed for legal or investigatory purposes to retrieve that information and hand it over to authorities within a specified period of time. Failure to do so would result in a large fine, assessed for every day the organization cannot produce the information.
The emergence of H.R. 4127 is due in large part to a series of incidents that have occurred over the last five years. One of the largest securities firms had to pay $15 million to settle a Securities and Exchange Commission (SEC) investigation of inadequate preservation of email. The same firm later had to pay $12.5 million because it withheld email messages needed in arbitration cases by asserting that they were lost in the Sept. 11, 2001 attacks against the World Trade Center. In 2002 the SEC and other regulators once again fined this firm for destroying email messages and backup tapes needed as evidence in a lawsuit against this company.
In simple terms, eDiscovery means the ability to locate information stored in electronic form. If signed into law, H.R. 4127 would in effect require organizations to implement adequate eDiscovery capabilities so that information needed in an investigation or court case could be readily located. In reality, however, eDiscovery is anything but simple, largely because in the so-called age of information the data an organization possesses is both voluminous and extremely distributed. Add to these problems the ever-present possibility of human error, and the challenge of eDiscovery becomes disproportionately complicated.
If H.R. 4127 does not pass this time, something like it will inevitably pass and be signed into law sometime in the future. Organizations must not be allowed to escape justice by simply and conveniently destroying information or by being unable to find it. But creating an adequate eDiscovery capability is bound to be one of the most difficult tasks facing an organization. Tools designed to facilitate eDiscovery are available, but the ones I have seen do not appear to adequately deliver needed capabilities. In their defense, eDiscovery is a recent issue; it will take time for vendors of these products to grow and improve the capabilities of their products.
So what I am trying to say is that eDiscovery looms on the proverbial horizon of information security practices. When eDiscovery becomes law, organizations will have to invest a considerable amount of resources, more than they have needed to achieve compliance in most other areas, to achieve eDiscovery compliance. So here is a word to the wise: be proactive. Now is the time to start investigating the requirements and how to meet them. Don't be part of an information security practice that gets caught by surprise when eDiscovery is required by law.