eDiscovery - Could the obvious approach put too much private information into one spot?

Electronic Discovery, or eDiscovery, is the digital analog to a court request for documents and files pertaining to a proceeding. As with anything digital, the courts expect discovery times in days and weeks, versus the months (years) given for paper files. Punishments for failure to produce could be regulatory, legislative, or may even include court-based consequences such as contempt charges. In a recent survey by Information Security Magazine, only 28 percent of respondents knew how they would handle an eDiscovery request. Even knowing where to look seems a daunting task. I have trouble at times finding a matching pair of socks in a 2′ x 3′ drawer.

Well-prepared companies develop policies. Some buy eDiscovery or search software. Even better-prepared, configuration-managed, CMMI-level companies define procedures. They begin data inventories. This is where I see it becomes interesting…

A typical company has a lot more data lying around than they really expect. Think about a day in the life of an enterprise. Email, IM, network file shares, database records, log files, security devices, executive summary reports, backup tapes, the list goes on. That’s not even considering end workstations, laptops or PDAs (where the majority of people I know do their work) or decommissioned hardware (there’s still data on those things), CD-R/DVD-Rs or other removable media. I’m sure you see the point; there are a ton of sources. That’s only half the problem.

If you ever learn about government data classification, there are three reasons something’s classified: it contains important information, the source of the information is important, or the information amalgamated from various parts into one location makes it important. This is why identity thieves hack corporate databases; it’s the proverbial ‘where the money is’ or until now the most consolidated repository.

So now let’s offer them a juicier target! Put the map to Curly’s Gold, and the Lost Dutchman’s mine, and all the rest of them in one location. Insiders and outsiders alike should be clamoring for it, with the idea that you can pick and choose what’s most interesting. Want the network architecture diagrams? IT admin’s machine, here’s the IP address. Customer Personally Identifiable Information (PII) database? Oracle server’s on the fourth floor, want the table configs? Corporate strategy or yet to be released financials, aisle 12…

This is why most government documents become classified. Someone did the hard research and heavy lifting. Anyone who can put their hands on it just has to cite the paragraphs they want to look omniscient, or at least very well informed. A perfect example is an enterprise firewall rule set; the outgoing port allows from one site don’t provide much; couple the complete configs of all of the boundary protections and you have something someone may do harm with.

To counteract the centralized data repository threats from an infosec standpoint, we will put in place perimeter protections, audit the systems for hackers & insiders alike, instantiate policies as far as who should access what information with what sorts of separation of duties, etc… 10 years ago this was all pretty cutting edge and wild west gunslinger-esque. Today, it’s called industry best practices.

My question becomes one of Information Privacy and Policy: who’s keeping the snoops from browsing the celebrity hospital records? Or placing obviously needed controls prior to simply supplying all information available? Or when it’s just flat out wrong?

Seriously, who should have access? One of the better known companies that had to tackle this problem: Google. Every search made with Google winds up in a very big database with information such as IP addresses, search terms, etc. (ever read the privacy policy?). This much data in one spot is tempting, but it’s somewhat anonymized (recently), and according to Google security folks I’ve talked to, very well controlled by corporate policy and enforced with security protections. Only a handful of people have access, physical and logical. I would say Google may be the exception. Obviously, the end court will receive a redaction: if it’s pertinent to the case, they’re entitled to it by law. But someone has to do the sorting. Is it the attorneys, the IT staff, the management? Current insider threats are hampered somewhat by the hard work of inventory and cataloging; they target the low-hanging fruit. Now, the most accessible jobs, probably interns and juniors, may be sorting the records considered for evidence.

What happens when the collected information comes from a company you worked for the past 20 years, and it comprises your whole life story, laid out on a silver hard drive platter? What if they get parts of it wrong, producing inaccurate reports that slander your good name by opening lines of questioning well outside the original case? The Fair Credit Reporting Act legislation protects your credit info with the credit bureaus. Nothing right now controls eDiscovery accuracy. That’s not that big of a deal, with the idea being this info will ONLY be used in judicial proceedings or congressional hearings (steroids in baseball), and in those you start down the witness credibility path (I guess data creator credibility would be more accurate).

Do we need more legislation for protecting these huge information stores and location roadmaps, or can we rely even more heavily on information security professionals to instantiate further best practices? I’m a smaller government kind of guy, so I’d prefer industry policing. Unfortunately, with the exception of the Payment Card Industry’s (PCI) work, the government has stepped in to clean up most of the debaucherous messes self-regulatory models let through. Typically, once laws are enacted, industry conforms to the letter, doing the bare minimum to comply rather than what would be in the best interest of their customers. Just think of how far HIPAA falls short.

Obviously, there’s a great deal of work to be done with eDiscovery. Maybe the attorneys will make sure it’s done in the right way?

Hey, I found that black and grey argyle I was looking for…

