Risk

11/29/2006
11:42 AM
Patricia Keefe
Patricia Keefe
Commentary
50%
50%

The Ripple Effects Of E-Discovery

When I last tread this space, it was to alert readers who weren't already aware, of the Dec. 1rst launch of new federal rules regarding electronic discovery. By the way, there's no new law. The new requirements are just an extension of existing rules, which you can find here.

When I last tread this space, it was to alert readers who weren't already aware, of the Dec. 1rst launch of new federal rules regarding electronic discovery. By the way, there's no new law. The new requirements are just an extension of existing rules, which you can find here.The issues surrounding electronic discovery, and its wide-ranging impact, are lot more interesting, and more varied, than you might think. It may seem that we're just talking about data retention, preservation and management policies. Big deal, right? But that barely scratches the surface, according to attorney John F. McCarrick, a partner with Edwards Angell Palmer & Dodge LLP, and a specialist in risk management and corporate governance issues. (You can read his white paper(PDF) on the subject for more detailed information. It's targeted at insurers, but don't let that stop you.)

And you might be thinking this is nothing more than another pain-in-butt process. Wrong again, says McCarrick and one reader, both of whom say the thought processes and policies required by these new rules will be a boon, both to IT and the corporations they serve. For one thing, having such a system in place is helpful to a company from both a compliance standpoint (think Sarbanes Oxley certification) and a risk management perspective. For another, it forces serious thinking about the risks tied to data retention policies. Maybe sales wants to hang onto meta data, but is it worth the legal exposure? It might not be.

Also, up until now - most companies have dealt with legal discovery by hiring third parties to search their data and pull all the threads together. Every case brought in another vendor. There were no cost savings as the wheel was reinvented over and over, according to McCarrick. But now that user companies will have to build these systems, the benefits are multifold: greater control of data (more of which is kept inside of the firewall); vendors will likely be forced to offer more sophisticated and nuanced services; and very probably, we'll see some consolidation and standardization of the services performed by those vendors.

The most important, and you might say, priceless, impact, though, involves the ability to sway a jury, no matter how weak a case, and the ever popular question of who is paying for this settlement anyway? No matter how strong your defense, if your company fails to meet its obligations to preserve and produce relevant data, a judge could (and they have) slap you with a charge of "adverse inference," which gives the jury carte blanche to assume all the information you did not produce was incriminating. This can turn a jury, as it did in the Coleman v. Morgan Stanley case, resulting in staggering damages.

And it gets worse. As noted in my earlier post, the insurance companies are not going to stand idly by and absorb this. McCarrick says there is widespread discussion over whether incurring such a charge would trigger the cooperation clause that is standard in most corporate insurance. In short: if you make matters worse through your own incompetence, or negligence, then they might not have to pay. There is a bright side: those same insurers are tossing around the idea of categorizing companies by risk factors, which means a solid e-discovery policy could get you better rates, along with peace of mind.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8142
PUBLISHED: 2018-05-21
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...