The more I learn about e-discovery, the less I think it's a security problem. The vast majority of e-discovery issues are pure Information Lifecycle Management (ILM) concerns. The one area where I think security has a role is countering the subject's utilization of anti-forensics and counter-forensics (defined previously as attacking evidence and attacking tools, respectively).
I was reminded of this opinion while reading Find What You're Looking For? in Information Security magazine. Take a look at these Evidence Sources, for example.
Given the data sources depicted in the figure, why should information security have anything to do with e-discovery? I'll answer that question: history and tradition. In the "old days," internal investigations primarily meant imaging hard drives, reviewing content for disgusting images or incriminating documents, and producing them for management. Only the security team had the necessary expertise for this exercise. Today, the age of thinner clients, centralized storage, remote outsourced backup, and so on, we need to image hard drives less and less. Those who support the IT infrastructure should be responsible for e-discovery. In fact, I've seen a lot of attention to e-discovery in the storage press (One year after FRCP, struggles continue with e-discovery, How to purchase an e-discovery tool, and so on). I think this is appropriate.
Note this is totally different from intrusion investigations. Analyzing what an intruder did (insider or outsider) is not the same as producing documents for opposing counsel, a regulatory agency, or another party. E-discovery is not about investigating violations of CIA -- it's a document production exercise.
I liked the following figure in the Information Security article.
It's probably easy to see where your organization falls on this continuum.
I think it's time to push the e-discovery issue to where it belongs -- with the data managers or at least the legal team. As the number of true security mandates increase the load of the security team, I suggest sending work where it should be done, not where it might traditionally have been done. (I could say the same thing about backup, by the way. Wait, isn't that an availability issue? No -- availability is a security responsibility when it is at risk due to attack, not because someone's hard drive died.)
Finally, I'd like to reproduce part of the article that is not online but which is very important in my opinion.
Spare the White Gloves: Electronic Evidence does not need to be handled with excessive care.
Organizations need to debunk a chain-of-custody myth that perseveres in security circles: that evidence must be handled with white gloves, plastic bags and forceps (metaphorically speaking). In other words, the assumption that electronically stored information (ESI) must have extreme tamper-proofing and virtuous handling procedures and be pure as the driven snow for presentation in court simply isn't true.
Enterprises are not law enforcement and the cases they are usually involved in are not criminal ones. ESI comprises business records, and as long as it is stored in accordance with policy and as part of the normal IT operation in support of the business, then it is adequate for e-discovery purposes.
The US Federal Rules of Evidence state that just because data can be manipulated doesn't mean it can't be used. Rather, an enterprise simply must show that methods used to collect and store the information are essentiallyl trustworthy. Although prudent integrity protections should be employed -- such as access controls and logs of the actions of administrators who can delete or modify information -- an elaborate digital signature infrastructure or cryptographic checksums is unlikely to be required.
This is a worthwhile matter to discuss with a legal team. Consider the email records of Microsoft senior executives that were used as part of multibillion-dollar antitrust investigations. There were no intricate antitampering mechanisms for the ESI in that case, yet the evidence stood and few cases have stakes so high.
This reflects my own opinion too. You don't want to act irresponsibly, but you don't have to approach every event like it's a criminal case and you're the investigating detective.