Risk
11/29/2006
11:42 AM
Patricia Keefe
Patricia Keefe
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The Ripple Effects Of E-Discovery

When I last tread this space, it was to alert readers who weren't already aware, of the Dec. 1rst launch of new federal rules regarding electronic discovery. By the way, there's no new law. The new requirements are just an extension of existing rules, which you can find here.

When I last tread this space, it was to alert readers who weren't already aware, of the Dec. 1rst launch of new federal rules regarding electronic discovery. By the way, there's no new law. The new requirements are just an extension of existing rules, which you can find here.The issues surrounding electronic discovery, and its wide-ranging impact, are lot more interesting, and more varied, than you might think. It may seem that we're just talking about data retention, preservation and management policies. Big deal, right? But that barely scratches the surface, according to attorney John F. McCarrick, a partner with Edwards Angell Palmer & Dodge LLP, and a specialist in risk management and corporate governance issues. (You can read his white paper(PDF) on the subject for more detailed information. It's targeted at insurers, but don't let that stop you.)

And you might be thinking this is nothing more than another pain-in-butt process. Wrong again, says McCarrick and one reader, both of whom say the thought processes and policies required by these new rules will be a boon, both to IT and the corporations they serve. For one thing, having such a system in place is helpful to a company from both a compliance standpoint (think Sarbanes Oxley certification) and a risk management perspective. For another, it forces serious thinking about the risks tied to data retention policies. Maybe sales wants to hang onto meta data, but is it worth the legal exposure? It might not be.

Also, up until now - most companies have dealt with legal discovery by hiring third parties to search their data and pull all the threads together. Every case brought in another vendor. There were no cost savings as the wheel was reinvented over and over, according to McCarrick. But now that user companies will have to build these systems, the benefits are multifold: greater control of data (more of which is kept inside of the firewall); vendors will likely be forced to offer more sophisticated and nuanced services; and very probably, we'll see some consolidation and standardization of the services performed by those vendors.

The most important, and you might say, priceless, impact, though, involves the ability to sway a jury, no matter how weak a case, and the ever popular question of who is paying for this settlement anyway? No matter how strong your defense, if your company fails to meet its obligations to preserve and produce relevant data, a judge could (and they have) slap you with a charge of "adverse inference," which gives the jury carte blanche to assume all the information you did not produce was incriminating. This can turn a jury, as it did in the Coleman v. Morgan Stanley case, resulting in staggering damages.

And it gets worse. As noted in my earlier post, the insurance companies are not going to stand idly by and absorb this. McCarrick says there is widespread discussion over whether incurring such a charge would trigger the cooperation clause that is standard in most corporate insurance. In short: if you make matters worse through your own incompetence, or negligence, then they might not have to pay. There is a bright side: those same insurers are tossing around the idea of categorizing companies by risk factors, which means a solid e-discovery policy could get you better rates, along with peace of mind.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-3636
Published: 2014-10-25
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.