An E-Discovery Primer
According to attorney Seth Gilbertson, understanding the basics of e-discovery will help you prepare for the rare day when you might have to turn up in court to explain the forensics of an email message.
By Dian Schaffhauser
For better or worse, it's frequently the job of the director of information security on a campus to manage the IT aspects of e-discovery. Or, as Seth Gilbertson, associate counsel for the State University of New York, refers to it, it's just plain "discovery," to illustrate how the concept is neither new nor limited to the digital era. Discovery is the process of saving and producing records and other evidence pertaining to an activity that may be the subject of litigation.
More times than he can recount, Gilbertson has received a panicky message from a campus manager who has just been sent a nasty letter from somebody's attorney, threatening to sue the university. That could be a "triggering event," as he called it, and may start a discovery chain reaction in which IT is deeply involved.
More Than a Simple Search
No more do attorneys exchange stacks of banker boxes full of evidence. Now they're just as likely to exchange hard drives, CDs, or flash drives full of files. While that may sound more streamlined, the digital nature of campus records has exponentially increased the hassle of discovery. So has the fact that so much of IT operations is decentralized. It used to be, Gilbertson said, that a paper file would be pulled out of a file cabinet and handed over, for example, to the attorney for the employee who was suing the institution, and that would be that. "It's a lot more complicated now because of the way we store information."
The tendency for IT is to provide almost limitless storage capacity to end users on campus, without necessarily educating them on good records management, he noted. The major problem with that is that "our storage capabilities have greatly outpaced our searching capabilities." The result is an "unmanageable amount of data," including multiple drafts of documents and ever-multiplying email that "shouldn't be kept at all but are because it's so easy to hit save."
If a member of the staff or faculty or even a student is accused of malfeasance, IT is expected to find every last file that currently exists relevant to the litigation the campus faces. If a file has been properly and legitimately expunged from IT systems as part of a good records management program, he said, nobody has to waste time reviewing it for relevancy. Discovery can then be limited to records that still exist at the time the initial legal complaint was received by the school. "However, you can't really determine what's relevant unless you search everything you have," Gilbertson pointed out. The better the records management program on campus, the less time spent tracking down files.
The file cabinet approach was easy, Gilbertson noted, because "you knew where something was, and more often than not, you had one custodian of every important record. When people were sending letters, you knew who sent the letter and received it, and chances were, there were only one or two copies of the letter." Now, he added, "It could have been sent, received, and saved in three folders--a sent folder, deleted items folder, and a specific item folder. All three folders of the receiver plus anybody they forwarded it onto could be on a backup tape somewhere. So you end up with 13 copies of this one email instead of one copy. You have to search through all of them to determine which ones are relevant and which ones are 'discoverable' by the other side."
Gilbertson referred to the dilemma of file proliferation as "a spiraling problem. It's almost unmanageable, until we're forced to manage them in the course of discovery."
A second problem with email is that often messages are "carelessly written and subject to being misconstrued in the context of litigation," Gilbertson said. That means that email isn't something "you want to be keeping. From an institutional perspective, rarely do you find the email that proves you didn't discriminate or that tends to show you didn't commit a tort of some sort. But generally the plaintiffs will be very good at finding something that they can paint in the negative light." Because it's often difficult to go back and explain things in the context of litigation, he added, "It's much better if you just don't have those careless things lying around to begin with."
A Record vs. a Document
According to Gilbertson, 99.9 percent of emails "are not a record, which means it doesn't have to be kept." He defines a record as "something that has a legal, operational, or historical value."
In higher education, records show up in lots of obvious places, he explained, such as documents related to financial aid law or records pertaining to Clery Act regulations, but rarely in email.
That's why a solid records retention schedule structured by the legal office is a must for campuses. That schedule prevents individual departments--including IT--from having to do the research themselves to figure out what needs to be archived. "We've already done that for them," Gilbertson observed. "We've said, 'You have to keep these particular documents for four years based on this law,' or 'We need to keep these for three years because of this operational need.'"
Although most campuses maintain a records retention schedule, what's less common is the linkage between that schedule and the school's technological capabilities--ensuring that records are destroyed or preserved as the situation calls for.
Many applications used at a college or university have functions to specify date periods on which destruction of digital files will take place automatically. But an important part of discovery is halting any routine destruction of records. As Gilbertson pointed out, "If you have a system that destroys certain academic records or student judicial records after a certain period and you're facing a lawsuit where those records could be relevant, you have to immediately halt the destruction of those records, to make sure that if you get sued in July 2008 but you don't make it to court until 2010, that in the intervening period the system doesn't destroy records that might be relevant."
Records Management: A Team Effort
That's why Gilbertson recommends that whenever new key IT people join the staff, they meet with the institution's general counsel--the attorneys--to get the rundown on discovery. When he notifies them about a matter requiring discovery, "They shouldn't say, 'What are you talking about? What does this mean? What does it require me to do?'" he explained. "We should have talked ahead of time."
Likewise, he added, the technology people should be willing to communicate at a fairly high level to the attorneys how the IT infrastructure is mapped out, "because I know there are things stored on servers that they control that I need help with."
Gilbertson declared that only rarely does a legal threat actually turn into a case that goes to trial. But when it does, IT staff should be prepared to explain in court to lawyers, judges, and members of a jury the significance of the way that data has been stored or maintained.
With email it's easy, he said. "You can tell when an email was sent or deleted. All the metadata is right there for everyone to see. But there can also be hugely sophisticated programs storing data. That data doesn't often make a lot of sense to a lay person until there's somebody that can explain it."
At that point, Gilbertson observed, "They're almost like a forensic technician, coming in and telling you how they removed the DNA from the handle of the knife."
Gilbertson advised cyber security chiefs to work with other teams on campus--general counsel, of course, as well as records managers and other IT groups--to develop a robust records management plan and policies regarding email and other documents--and then to educate users on the particulars so that they understand the reasoning behind the rules.
In some cases it's purely operational--limiting the amount of email storage allotted to any one person, for instance. In other cases, policy will encompass the topic of data privacy, such as directing personnel never to email sensitive student information that could violate FERPA or HIPAA rules. Or it may cover export control restrictions, limiting the kind of information that can be transmitted to people outside of the country through an institution's EDU mail account.
In the event that email or file storage is maintained by a cloud provider, it's possible that the service provider won't grant IT access to relevant data without a court order, which is a level of complexity few schools will want to be forced into. To avoid that situation, the institution may want to redirect messages and official files to an IT-accessible enterprise archiving system. Or it may simply determine that discovery only applies to that email or those files that it has ready access to on somebody's computer.
In order to explore those decisions, Gilbertson added, "You should be on a first name basis with your attorney." That's how the best partnerships start.