Forensic Update

Reflections on information management within the legal and regulatory arena

Archive for July, 2010

ForensicUpdate Editor confirmed to speak at 2010 ACUA Conference…

Posted by Johnny Lee on July 14, 2010

ACUA 2010 Editor, Johnny Lee, will present session [G-2], entitled “Best Practices in Managing eDiscovery and Data Retention Risks” at this year’s annual conference of the Association of College and University Auditors (ACUA).  Below is the session write-up:

Electronic Discovery (“eDiscovery”) can be a time-consuming, burdensome, and costly undertaking for your company. Studies reveal that nearly 90% of U.S. corporations are engaged in lawsuits and that the average U.S. company faces 305 such suits at any given time. Corporate law departments are struggling to keep pace with the recent changes to the Federal Rules of Civil Procedure (“FRCP”) governing eDiscovery, increased regulatory compliance issues, and the sheer volume of data created in today’s digital environments. Despite these obstacles and the significant costs that result, studies indicate that almost 60% of organizations have no formal program in place to manage their legal discovery risks.

In this session, participants will learn how to:

  • Describe the eDiscovery Landscape.
  • Apply traditional maturity models and best practices to Data Retention concepts.
  • Understand the state of the art for Data Management / Discovery technologies.
  • Articulate the crucial role of Internal Audit in Data Retention compliance.

Knowledge Level: Intermediate
Advanced Preparation: None
Field of Study: Specialized Knowledge & Applications
Prerequisites: Education, Experience

Posted in Announcement | Comments Off on ForensicUpdate Editor confirmed to speak at 2010 ACUA Conference…

The potential eDiscovery nightmare of social networking…

Posted by Johnny Lee on July 14, 2010

Social Media eDiscovery NightmareA little over a year ago, The Nielsen Company issued the 2009 Global Faces and Networked Places report revealed that over two-thirds of the world’s Internet population (and 46% of American adults, according to the Pew Research Center) now use social media sites.  Indeed, Nielsen now reports that users now spend 22% of their Internet time on such networking sites, and they are navigating to these sites at over three times the rate of other sites.  This presents a unique set of issues to companies, regulators, and litigators as they seek to identify, quantify, and ultimately sift through these new media when disputes (or potential disputes) arise.

These issues are compounded by the fact that two-thirds of businesses harbor concerns about the eDiscovery risks posed by social networks.  Of these companies, 25% admit to being unprepared (with 33% only partially prepared) to meet the demands imposed by eDiscovery requests.   These findings come from a study released last month from the Economist Intelligence Unit.

Leaving aside the productivity impacts of these highly disruptive (and distracting) social networking sites, companies—and their counsel—are struggling with how to embrace and leverage this technology while recognizing that this is a new paradigm in content distribution.  Two unique issues arise in particular: (1) how to control information dissemination and (2) how to maintain accurate records for such dissemination when it is advisable to do so.

In some cases, the corporate world is “assisted” in this endeavor by regulatory agencies.  For instance, earlier this year FINRA released Regulatory Notice 10-06 in an attempt to provide guidance on what obligations might flow to companies embracing this technology (of so-called “interactive Web sites”).  This notice codifies FINRA’s view that the use of social media is tantamount to a “public appearance.”  Accordingly, the January update represents little more than an elaboration of prior guidance that established that subjected “a registered representative” in an Internet chat room “to the same requirements as a presentation in person before a group of investors.”

In cases where an organization does not have definitive regulatory guidance on the subject, it is often up to the company itself to govern acceptable dissemination—especially where advances in this technology continue to unfold at a break-neck pace (q.v., “Microsoft Connects Facebook, Windows Live to Outlook” as an example of the rapidly changing technology).  Often, such guidance loosely exists in the form of acceptable-use or code-of-conduct guidelines, so this can represent a non-trivial blind spot for companies trying to establish, after the fact, what the official party line is on the proper use of social media.  Indeed, more and more case law—ranging from discovery from an employee’s MySpace page to courts permitting the introduction of Facebook photos to schools taking disciplinary action based upon social media site updates—involves these technologies.  Accordingly, organizations concerned about their potential exposure in this arena should consult with counsel about the best way to establish unambiguous guidance and communication to address this blind spot.

Likewise, where companies are caught flat-footed on the topic of collecting potential evidence during a live-fire eDiscovery exercise, the bell is very difficult to un-ring.  Accordingly, a program should be developed to address how to identify and request information from content holders that are very often third parties.  Again, counsel should be involved with these discussions, as the advent of Web 2.0 technologies implicates both in-house technologies (e.g., team collaboration site, SharePoint project sites) as well as their more well know equivalents (e.g., Facebook, Twitter).

Simply put, organizations would do well to take stock of their potential exposure and to conduct an inventory of what technologies are in use to understand both what this potentially discoverable material may be and which rocks might need to be kicked over to get at those data stores.  Companies that do not create (and periodically refresh) such a data map / inventory will likely find it difficult to create one within the very limited time periods contemplated under the eDiscovery rules (certainly within the constraints of the American Federal Rules of Civil Procedure).  Only after identifying the at-risk data population can organizations reasonably address their exposure—whether that entails merely updating policy or deploying an entire enterprise social media program, including robust technology (e.g., social media archiving solutions like Arkovi).

From both an efficiency and a defensibility perspective, organizations should look carefully at their industry, their infrastructure, and their business model to identify how they can address both the dissemination and preservation issues discussed above.  In general, a careful analysis of risks in each of these areas will allow companies to avoid a boil-the-ocean approach toward building stronger awareness and compliance in this area.  After all, very few businesses exist solely to manage records.  Accordingly, it is important to adjust guidance (from policy setting to procedures to compliance monitoring) and to avoid creating work that cannot also benefit (or, at the very least, not negatively impact) the organization’s core mission.

Posted in Computer Forensics, ECM, eDiscovery, Investigations, Litigation Hold, Records Retention | Tagged: , , , , , , , , , , , , , , | Comments Off on The potential eDiscovery nightmare of social networking…

%d bloggers like this: