IT managers should be used to playing cops. Sometimes they’re good cops, fighting viruses or other bugs by deploying patches and getting users back into a system by resetting passwords.
On other occasions they’re forced to play bad cop, cracking down on excessive bandwidth use or removing illegal applications. Now they’re being asked to set up an entire CSI-style crime lab — for crimes that may never take place. Ever since new e-discovery rules were introduced in the United States late last year, IT departments have been faced with a compliance project like no other. Sarbanes-Oxley and Bill 198 are complex enough, but at least businesses are usually able to figure out which accounting regulations apply to them. As London, Ont.-based Info-Tech Research Group noted in a recent report, e-discovery rules are causing a lot of confusion about what data needs to be saved and what can be eliminated.
“The top driver for enterprise adoption of e-mail archiving solutions is the fear, uncertainty and doubt surrounding potentially costly electronic ‘paper trails’ for e-discovery,” the report said. Info-Tech cited the case of Morgan Stanley, which had to pay $15 million to regulators after failing to disclose thousands of e-mail messages in a timely fashion.
Buy your way out?
Info-Tech suggested buying an e-mail archiving product, but that will only go so far. Late last month, the Storage Networking Industry Association hosted a seminar in Toronto where a consultant urged the audience to start taking more handwritten notes as part of a “chain of command of IT processes.” He also said IT managers should expect to be involved in at least one forensic investigation during their career.
E-mail is only the short-term star of e-discovery rules. More enterprises are making use of instant messaging, content management systems and social networking tools to communicate. All of these tools will become repositories of potential evidence. It may not make sense, therefore, to come up with a specific e-discovery policy but to weave e-discovery into existing security and storage policies. In the long term, security and storage will be managed much more cohesively, which is why companies like Symantec buy Veritas and companies like EMC buy RSA. They will be working on more comprehensive platforms that incorporate e-discovery, and their customers will have to do the same with their workflow related to those platforms.
All for nothing (maybe)
The most challenging part of e-discovery is that it might be a lot of work for nothing if you never get sued. Much like planning for disaster recovery, it’s hard to make it a high priority until an incident occurs. It may also require more legal expertise than most IT managers have, and more technology expertise than most legal counsel have. It could even lead to the creation of a new position in large enterprises, much as privacy issues gave birth to chief privacy officers. Until standard practices are developed, e-discovery may be a full-time job in itself.
As a risk management challenge, e-discovery rules mean IT not only has to provide technology to make business processes run more effectively, but to capture a record of those processes to prove they were executed within the bounds of the law. It means IT managers move from acting like a cop to acting more like a detective. For most IT departments, it won’t feel like a promotion.