Whether in the wake of IP theft, data breach, litigation or harassment, digital investigations are a fact of life for many organisations.
IT departments are increasingly involved in the collection and data management stages of an investigation process and required to work closely with legal teams. Digital investigations can be outsourced, or managed in-house – which many organisations are now considering as a result of recent high-profile incidents, namely News International's phone-hacking scandal.
Regardless of how the process is conducted, there are key issues IT directors need to address early on to minimise reputational damage as well as disruption to 'business as usual'.
Before any digital investigation takes place, an organisation needs to get its house in order from a data standpoint. This means knowing where all data resides and conducting regular and thorough audits to minimise further time and effort when it is involved in an investigation or litigation.
However, the rise of consumerisation and BYOD is creating new challenges: an ever-increasing number of new devices are entering corporate networks and blurring the distinction between personal and corporate data, which complicates the auditing process.
In a digital investigation, an organisation is legally obligated to present any data that's applicable to the case. Even if an employee were to take a photograph of a work-related document on their private BlackBerry, this device may have to be declared to the investigator if it contains any relevant information.
If the data resides on the network, it belongs to the organisation. However, with a lack of suitable policies, this may be disputed. Therefore, as part of suitable policies for using personal devices for business purposes, IT directors need to be clear on what devices are allowed and who is allowed to use them.
Creating a policy that provides complete visibility of new and existing devices on the network, and giving employees clear guidelines as to what privileges they have, are crucial.
The growth in volume of stored data also needs to be taken into consideration when enforcing policies, as well as the amount of data an employee might store privately – such as personal photos and videos on a work laptop – all of which can significantly complicate the e-disclosure process.
Ten years ago, 2GB of data was perceived as a large amount, whereas now it's not unusual for users to exchange as much as 100GB of data, thanks to cloud storage applications like Dropbox. For those carrying out an investigation, this means more time and cost must be allocated to collecting, processing and reviewing the data.
Since many legal cases are time-critical and require minimal disruption to an organisation's normal business operations, digital investigations must be efficient. It is therefore imperative that organisations are aware of where data resides on their network. Putting in place a data retention policy that establishes clear parameters around what data needs to be retained and for what length of time not only limits the amount of information that would need to be searched in a digital investigation, but also reduces storage costs.
To add further layers of complexity, the move away from in-house data management, where all of an organisation's data is housed in its own data centre, is creating new challenges. With in-house IT infrastructures, a digital investigation generally meant imaging a hard drive or using a USB key to acquire the relevant data.
When moving to more complex systems (the cloud is an example) the investigation process becomes far more challenging, as there is less control over what data users are transferring between networks and what they are accessing on a daily basis. Therefore IT directors need to know what cloud applications and other storage devices are being used, and adjust policies accordingly.
Since IT departments have to work closely with legal teams during a digital investigation, there need to be clearly communicated objectives from the start. However, a common challenge is that, due to the sensitive nature of cases, IT departments sometimes receive minimal information, causing a disconnection between what lawyers require and what IT can deliver.
It is preferable in these situations to make use of experienced e-discovery consultants who understand both the details of the case and the technical aspects. However, it's imperative that those consultants receive the necessary access to relevant people and systems to carry out their responsibilities.
All too often, consultants are brought in and the organisation's IT teams have not been made aware of this. This significantly slows down the process, as the consultant's access is restricted until the information is passed to the correct person.
In a time-critical digital investigation, this scenario can mean significant delays, and to avoid it happening, there should either be an experienced e-disclosure consultant who understands the needs of both parties, or explicit communication between legal and IT. In the end, both parties must understand what needs to be done, and it should be carried out in a cost-effective way.
There are now more efficient ways of conducting digital investigations, far removed from old-style methods of having to shut down a laptop and make an entire image of the hard drive, which would typically take around a day.
Sophisticated remote imaging tools that sit on a single server and covertly scan multiple devices on the network cause no impact at all to the user's working day; therefore gathering information over the network in this way is a far less obtrusive and quicker method of obtaining data.
Acquisition methods such as these allow the investigator to capture only the data that is needed for the particular investigation, which substantially reduces the time and cost required to complete the investigation or litigation.
The task of conducting a digital investigation in any organisation has changed significantly. IT directors should take control of the data and devices that exist on their networks early on, before they are required to go through an investigation or litigation.
Whether they opt to take on additional expense and training to bring e-disclosure in-house – which has its benefits from a data control and cost point of view – or outsource to an external provider, they need to understand the challenges involved and implement effective policies to make the process as cost-effective as possible, without compromising the results.
Leonora Placks is director of professional services EMEA at Guidance Software