While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
In light of long-standing requirements to maintain a regular records-retention schedule for each agency’s mountains of paperwork, you might think federal organizations had a leg up on the rest of the world when it comes to handling legal discovery requests or a Freedom of Information Act inquiry.
Sadly, judges in a few U.S. government cases found otherwise. Fast-forward to the present world of e-discovery and the need to now comply with various amendments to the Federal Rules of Civil Procedure — it’s enough to make even the most stalwart CIO tremble as thoughts turn to IT preparedness for legal holds, preservation requests and the ongoing production and protection of a wealth of electronically stored information (ESI).
Where to start? What pitfalls to avoid? Experts offer some rules of thumb to minimize e-discovery’s impact on federal IT operations and running business as usual.
Surprisingly, many agencies have grown so accustomed to keeping their records in paper form, their first hurdle may be making the move to digital record-keeping. Jason Baron, director of litigation in the Office of the General Counsel for the National Archives and Records Administration, has come across this scenario more often than he’d like to admit in the talks on e-discovery and records management he gives around the Washington Beltway. “Many organizations’ records schedules are still based on paper. For e-discovery, that’s a terrible conundrum and places agencies at great risk for noncompliance,” he says.
Although Baron says that government now works in a “born-digital world,” the same cannot be said of agencies’ record-keeping policies. “The vast majority of federal agencies still have paper as their official record-keeping default,” he says. “That’s true for e-mail, word processing and many other applications on the desktop as well.”
The result? An agency ends up “six steps behind” the moment a request comes in for all the e-mail and associated metadata on a given subject, Baron says. He recommends that agencies check out NARA’s online resources and toolkits to help with the transition from paper to electronic record-keeping.
When it comes to navigating the realm of systems, databases, applications and e-mail messages, another e-discovery directive emerges: Before you can respond successfully to any legal request, you need to first get your own IT house in order. Increasingly, initial “meet and confer” discussions between opposing and defense counsels now rely on the availability of a content-rich (and context-sensitive) “data map” that describes not just where certain systems are, but also the type of data they contain, how often the data is backed up and the policies usually in place to automatically archive or delete data.
Think twice before you rely on a traditional IT architectural map or network topology diagram for the task, says Jonathan Redgrave, chairman of law firm Redgrave Daley Ragen & Wagner and editor-in-chief of The Sedona Principles, one of the Sedona Conference’s industry-leading works on e-discovery and the FRCP.
“You need to be able to pull together some type of mapping of applications, databases and systems most likely to be called upon or looked to in either FOIA requests or discovery proceedings,” he says. “Instead of having an IT architectural map, however, you need a description of each of the data sources so that a nontechnical person can understand what and where the data is, and if the data is subject to any auto-deletion.”
At the Federal Deposit Insurance Corp., Senior Counsel James Barker refers to it as a map or survey of data across the enterprise, which offers something akin to a layman’s “data dictionary” for each system. “The new [FRCP] rules prescribe that the parties to litigation meet and confer soon after the litigation commences. At that point, you should be able to exchange what amounts to data maps, including what you have stored and where it’s stored electronically.” Further details about data maps can be found at EDRM.net, an industry organization with ongoing development of an Electronic Discovery Reference Model.
Because no agency can do everything at once, experts suggest first getting a handle on an IT area that is often the source of most discovery activity: the e-mail systems in the organization. “E-mail is still the killer application. … With the growth of the Web, it’s become even more so,” says Baron.
At the FDIC, the enterprise infrastructure team began its multiphase e-discovery initiative by first establishing a policy-based e-mail archive, complete with a central repository. Using Symantec Enterprise Vault archiving software to help enforce the organization’s evolving protocols for e-mail, Deputy Director Russell Pittman in the FDIC’s Infrastructure Services Branch explains how the organization’s current technical requirements around e-discovery led to a number of new e-mail practices now being enforced:
Besides e-mail, risks lie in the disposition of backup tapes as well. “If you had to triage your problems, risks and things that get agencies into trouble, it’s e-mail, it’s backup tapes,” says Baron. Distinguishing between backup processes and those used for archiving is key. “Backup tapes shouldn’t be viewed as record-keeping systems. They should just be for disaster recovery.”
Redgrave shares this view, which is also discussed in Sedona Principle #8. “You really need to have a good handle on what is being done, both in the archiving of information for medium-to-long-term storage as well as [what’s being done in the area of] backup,” he says. “Data should be kept only as long as necessary for backup, and then those tapes and media should be truly destroyed or rewritten — unless there is a legal hold. A lot of times, people use backup tapes for archive and preservation.” In the area of information management programs and policies, the Electronic Discovery Reference Model shares criteria you can use to apply to data used for backup versus archiving.
Experts acknowledge that the process of “getting there” may seem unending, but maintain that agencies can accomplish much groundwork in the first nine months, simply by creating an interdisciplinary team of legal personnel, records managers and IT folks who meet regularly to hammer-out policy.
The key to success, says Redgrave, is to view the process as an opportunity instead of a challenge. “It’s an opportunity to say, ‘We have legal requirements in terms of preserving data and preserving it for an investigation. How can we do that well?’” The answer to that question, he says, may lead to putting new applications or tools in the budget stream for forensic collection, or even searching and analysis of data stored on desktop or notebook computers.
“IT is no longer an island,” Redgrave says. “You need to look at it as a process of three to five years before you get a good, solid marriage of business, legal and IT processes.”
Baron also would like to see IT include legal, record-keeping and preservation issues as part of its initial checklist and solicitation process at the front-end of the procurement cycle. “In terms of litigation risk, it would be quite unfortunate to build out a system that doesn’t have any type of record-keeping functionality,” he says.