Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it for internal company use or as evidence in a civil or criminal legal case. E-discovery can be carried out offline on a particular computer or it can be done in a network. Court-ordered or government-sanctioned hacking for the purpose of obtaining critical evidence is also a type of e-discovery.

The nature of digital data makes it extremely well-suited to investigation. For one thing, digital data can be electronically searched with ease, whereas paper documents must be scrutinized manually. Furthermore, digital data is difficult or impossible to completely destroy, particularly if it gets into a network. This is because the data appears on multiple hard drives and because digital files, even if deleted, can be undeleted. In fact, the only reliable way to destroy a computer file is to physically destroy every hard drive where the file has been stored.

In the process of electronic discovery, data of all types can serve as evidence. This can include text, images, calendar files, databases, spreadsheets, audio files, animation, Web sites and computer programs. Even malware such as viruses, Trojans and spyware can be secured and investigated. Email can be an especially valuable source of evidence in civil or criminal litigation, because people are often less careful in these exchanges than in hard copy correspondence such as written memos and postal letters.

Computer forensics, also called cyber forensics, is a specialized form of e-discovery in which an investigation is carried out on the contents of the hard drive of a specific computer. After physically isolating the computer, investigators make a digital copy of the hard drive. Then the original computer is locked in a secure facility to maintain its pristine condition. All investigation is done on the digital copy.

E-discovery is an evolving field that goes far beyond mere technology. It gives rise to multiple legal, constitutional, political, security and personal privacy issues, many of which have yet to be resolved.

Important considerations in compliance tool selection

Storage isn’t just a matter of placing data on media. Organisations are now obliged to comply with data storage and retention requirements. Today, storage is about placing the data on storage platforms that can provide appropriate performance levels while still being cost effective for the enterprise. Data must then be stored for retention periods that are often unique to each data type, and then located quickly when the data is needed. Storage administrators have to satisfy the requirements of users, as well as address the demands of compliance auditors and litigators.

Most storage administrators use management software tools to organise and track email and other data types, helping them locate data in the proper storage locations, move aging data between storage systems and search for relevant data as required. Archiving systems accommodate long-term data storage, preserving important records on disk or other media. Archiving software provides the retention and search capabilities that allow administrators to locate records that may be years or even decades old. E-discovery tools offer specialised search mechanisms designed to quickly locate and secure files needed for litigation. This short guide covers the criteria involved in selecting these kinds of products. Our intention is to help readers identify prospective management tools, archive platforms, archive software and e-discovery tools. Let’s start by identifying the concerns behind compliance purchases.

Understand the data in your organisation.
Before you can bring your storage into compliance with industry or government regulations, it’s important to know exactly what data and data types exist in the data centre. This is not a task that should be addressed by IT alone. Instead, involve the principal stakeholders in your organisation, including human resources, legal, accounting and other major departments. Solicit their input to identify the key applications and file types that your business units rely on. Conversely, you can also identify file types that are unnecessary or inappropriate for your organisation.

Understand the data that you need to keep.
Businesses with different compliance needs will have different storage requirements. Once you identify important applications and data types, understand what data must be kept to satisfy industry and government regulations.

Understand how long important data should be kept.
Once you understand the data that you have and know what data is important to the enterprise, decide how long each data type should be kept. Attaching a retention period and deletion scheme to each data type allows you to set up retention and deletion policies for stored data. Again, this is not solely an IT task, but an enterprise-wide task involving principals from each department. In many cases, data retention is based on retention requirements for similar paper records. For example, if paper employment records must be kept for seven years, the electronic equivalent often must be kept for the same period. Also, it is important to identify an acceptable means of deletion. Do not keep data past its accepted deletion date, and ensure that you can confirm that the data was deleted in an acceptable manner.

Employ technology to lower costs and automate processes.
Now that you have a handle on the data you have, the data you need to keep and how long that data needs to be kept, you can employ tools to reduce storage demands and automate migration, retention and deletion tasks. Data deduplication technologies can significantly reduce storage costs. Policy managers can help organise data storage, move data to lower storage tiers as the data ages, prevent premature data deletion, secure data under litigation hold and then securely delete the data when its retention period expires. Policy managers, as well as written company policies, can also help reduce inappropriate data, like employee photos and music files. Capacity planning tools can help manage capital storage investments, reducing money wasted in unnecessary storage purchases.
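The retention, litigation-hold and deletion rules from the steps above can be written as a small policy check. This is an added example, not code from any product the guide discusses; the data types, retention periods, tiering threshold and record fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed retention schedule in days per data type; real values come from
# legal, HR and accounting, as the guide describes.
RETENTION_DAYS = {"employment_record": 7 * 365, "email": 3 * 365, "invoice": 6 * 365}
ARCHIVE_AFTER_DAYS = 365  # assumed age at which data moves to a lower tier

@dataclass
class Record:
    path: str
    data_type: str
    created: date
    legal_hold: bool = False

def disposition(rec: Record, today: date) -> str:
    """Return HOLD, REVIEW, DELETE, ARCHIVE or RETAIN for one record."""
    if rec.legal_hold:
        return "HOLD"        # litigation hold overrides every schedule
    days = RETENTION_DAYS.get(rec.data_type)
    if days is None:
        return "REVIEW"      # unclassified data type: never auto-delete
    age = (today - rec.created).days
    if age < 0:
        return "REVIEW"      # creation date in the future: bad metadata
    if age >= days:
        return "DELETE"      # retention period has expired
    if age >= ARCHIVE_AFTER_DAYS:
        return "ARCHIVE"     # still retained, move to a cheaper tier
    return "RETAIN"

def plan(records, today):
    """Map each record path to its disposition, ready for an audit report."""
    return {r.path: disposition(r, today) for r in records}

# Constructed sample records (paths and dates are made up)
TODAY = date(2024, 6, 1)
SAMPLE = [
    Record("hr/offer_2015.pdf", "employment_record", date(2015, 1, 10)),
    Record("hr/offer_2016.pdf", "employment_record", date(2016, 3, 1), legal_hold=True),
    Record("mail/q1.pst", "email", date(2023, 1, 15)),
    Record("fin/inv_0042.pdf", "invoice", date(2024, 5, 20)),
    Record("misc/holiday.mp3", "music", date(2022, 8, 8)),
]

if __name__ == "__main__":
    for path, action in plan(SAMPLE, TODAY).items():
        print(f"{action:8} {path}")
```

The hold check runs first so that a record under litigation hold is never scheduled for deletion, even after its retention period has expired.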

Evaluate licensing and maintenance costs.
Compliance and e-discovery product costs typically do not end with the initial purchase. Hardware will require regular service or repair and software will involve periodic updates or bug fixes. Budget for maintenance contracts that will add to each product’s total cost of ownership (TCO).

Use audit trails and access controls.
Compliance requires regulated access: ensuring that only authorised personnel access files and any changes to data are closely tracked. When evaluating a compliance product, consider audit and access features that prevent unauthorised changes or deletions. Even the activities of authorised users should be closely monitored and recorded, so an activity trail will evolve for every file. Auditors and lawyers can then follow the trail to ensure compliance or handle litigation.

E-discovery Product Considerations

As data volumes grow, it’s increasingly difficult to locate relevant data. Data must be retained longer, and storage users cannot be counted upon to intuitively locate documents, spreadsheets or other data. This is a problem when dealing with electronic discovery (e-discovery) requests that impose a legal obligation to locate relevant data in a timely manner or face fines and possibly adverse judgments. Today, e-discovery tools provide powerful search capabilities that can quickly process and index billions of files based on keywords and other common metadata. The tools can also present search results in forms that are easy to understand and often deliver results in a form that is directly compatible with litigation management tools.

As with any type of search tool, it’s important to test the product in your own environment before purchase. Discovery tools are useless if they can’t locate your data and deliver it for litigation.

Test your search criteria and metadata.
Use the search function to perform discovery drills and see that the tool will actually find mail, documents or other files based on your queries. For example, try locating all Word memos related to a recent company project or initiative. The search tests should return useful and relevant results based on common criteria, such as keywords, sender, file dates and even the context within documents, spreadsheets, email and instant message logs.

Evaluate the search scope and supported file types.
A key attribute of discovery tools is their ability to process a wide variety of file types stored on a range of storage hardware across the enterprise. Before purchasing a discovery tool, verify that the tool will work with file types that are most relevant and important to your organisation, such as Word documents, Outlook .pst files, database files, images and PDFs. Also, consider the search scope of the tool and ensure that it can search storage systems, servers, desktops/workstations, and even corporate laptops or remote sites to locate files of interest.

Consider search performance.
As data volumes grow and corporate information proliferates into the fringes of the organisation (e.g. laptop or remote users), discovery tools must be able to respond to discovery requests in ever-shorter timeframes. Since failing to meet discovery requests can result in fines or judgments, performance can also have an important financial impact for your company. Note the time required to perform each request. Some tools can process terabytes of storage per day.

Evaluate any e-discovery storage requirements.
The results of your searches need to be stored somewhere. Search results and indexes take anywhere from 4% to 10% of your total file storage utilisation. Smaller organisations or businesses operating with very little extra storage capacity may get blindsided by unforeseen storage needs.

Consider logging and reporting features.
Discovery tools should include logging and reporting features that identify the individuals making requests, criteria used for each search and the results obtained from each search. The tool should also track the disposition of any results, noting any files that are moved, held or copied, establishing a chain of custody that can demonstrate appropriate compliance with discovery requests and verify the authenticity of documents or other files.
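The activity trail described under audit trails and access controls, and the chain of custody described here, can both be made tamper-evident by hashing each log entry together with the one before it. This is an added example, not taken from any product named in this guide; the field names, users, paths and file content are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first entry

def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON form of an entry, minus its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log: list, ts: str, user: str, action: str, query: str,
           path: str, content: bytes) -> dict:
    """Record who did what to which file, chained to the previous entry."""
    entry = {
        "ts": ts, "user": user, "action": action, "query": query, "path": path,
        "file_sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev_hash") != prev or entry.get("entry_hash") != _digest(entry):
            return i
        prev = entry["entry_hash"]
    return -1

def file_unchanged(entry: dict, content: bytes) -> bool:
    """Check a produced file against the hash recorded when it was handled."""
    return entry["file_sha256"] == hashlib.sha256(content).hexdigest()

def demo() -> tuple:
    """Build a constructed three-entry log, then alter one entry after the fact."""
    log, memo = [], b"Project Falcon status memo"  # constructed file content
    append(log, "2024-06-01T09:00:00Z", "jdoe", "search", "project falcon", "memos/falcon.docx", memo)
    append(log, "2024-06-01T09:05:00Z", "jdoe", "hold", "project falcon", "memos/falcon.docx", memo)
    append(log, "2024-06-01T10:30:00Z", "counsel1", "copy", "", "memos/falcon.docx", memo)
    intact = verify(log)
    log[1]["user"] = "asmith"  # simulated after-the-fact edit to the trail
    return intact, verify(log), file_unchanged(log[2], memo + b"!")

if __name__ == "__main__":
    print(demo())
```

The chain only exposes edits if the most recent `entry_hash` is also kept somewhere the log's writers cannot change, such as write-once storage.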

Consider integration with litigation tools.
Discovery tools should interface with standard litigation tools, such as ProLaw from Thomson Elite, AXS-One Case Management or LexisNexis. This allows counsel to organise and process the results. In many cases, discovery tools will export to some common text, image or other file formats.

Evaluate any network overhead.
Pay particular attention to the discovery tool’s deployment. Discovery products that rely on agents or other software deployed across the infrastructure can cause interoperability and maintenance issues. Agents and network crawlers can add unwanted network traffic overhead, placing additional load on the network and possibly slowing performance-sensitive applications. Discovery tools that avoid the use of agents and network crawlers are preferable.

Consider support for offline tape indexing.
Organisations that rely on long-term archival tape storage should consider a discovery tool that includes offline tape indexing features. This type of function is available in appliances like those from Index Engines, allowing archive tape contents to be processed into indexes with metadata. Without this type of feature, tapes would need to be restored first and then searched; with it, the tool can read and index tapes without actually restoring the content.