Risk
11/29/2006
11:42 AM
Patricia Keefe
Patricia Keefe
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The Ripple Effects Of E-Discovery

When I last tread this space, it was to alert readers who weren't already aware, of the Dec. 1rst launch of new federal rules regarding electronic discovery. By the way, there's no new law. The new requirements are just an extension of existing rules, which you can find here.

When I last tread this space, it was to alert readers who weren't already aware, of the Dec. 1rst launch of new federal rules regarding electronic discovery. By the way, there's no new law. The new requirements are just an extension of existing rules, which you can find here.The issues surrounding electronic discovery, and its wide-ranging impact, are lot more interesting, and more varied, than you might think. It may seem that we're just talking about data retention, preservation and management policies. Big deal, right? But that barely scratches the surface, according to attorney John F. McCarrick, a partner with Edwards Angell Palmer & Dodge LLP, and a specialist in risk management and corporate governance issues. (You can read his white paper(PDF) on the subject for more detailed information. It's targeted at insurers, but don't let that stop you.)

And you might be thinking this is nothing more than another pain-in-butt process. Wrong again, says McCarrick and one reader, both of whom say the thought processes and policies required by these new rules will be a boon, both to IT and the corporations they serve. For one thing, having such a system in place is helpful to a company from both a compliance standpoint (think Sarbanes Oxley certification) and a risk management perspective. For another, it forces serious thinking about the risks tied to data retention policies. Maybe sales wants to hang onto meta data, but is it worth the legal exposure? It might not be.

Also, up until now - most companies have dealt with legal discovery by hiring third parties to search their data and pull all the threads together. Every case brought in another vendor. There were no cost savings as the wheel was reinvented over and over, according to McCarrick. But now that user companies will have to build these systems, the benefits are multifold: greater control of data (more of which is kept inside of the firewall); vendors will likely be forced to offer more sophisticated and nuanced services; and very probably, we'll see some consolidation and standardization of the services performed by those vendors.

The most important, and you might say, priceless, impact, though, involves the ability to sway a jury, no matter how weak a case, and the ever popular question of who is paying for this settlement anyway? No matter how strong your defense, if your company fails to meet its obligations to preserve and produce relevant data, a judge could (and they have) slap you with a charge of "adverse inference," which gives the jury carte blanche to assume all the information you did not produce was incriminating. This can turn a jury, as it did in the Coleman v. Morgan Stanley case, resulting in staggering damages.

And it gets worse. As noted in my earlier post, the insurance companies are not going to stand idly by and absorb this. McCarrick says there is widespread discussion over whether incurring such a charge would trigger the cooperation clause that is standard in most corporate insurance. In short: if you make matters worse through your own incompetence, or negligence, then they might not have to pay. There is a bright side: those same insurers are tossing around the idea of categorizing companies by risk factors, which means a solid e-discovery policy could get you better rates, along with peace of mind.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio