Risk
11/29/2006
11:42 AM
Patricia Keefe
Patricia Keefe
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The Ripple Effects Of E-Discovery

When I last tread this space, it was to alert readers who weren't already aware, of the Dec. 1rst launch of new federal rules regarding electronic discovery. By the way, there's no new law. The new requirements are just an extension of existing rules, which you can find here.

When I last tread this space, it was to alert readers who weren't already aware, of the Dec. 1rst launch of new federal rules regarding electronic discovery. By the way, there's no new law. The new requirements are just an extension of existing rules, which you can find here.The issues surrounding electronic discovery, and its wide-ranging impact, are lot more interesting, and more varied, than you might think. It may seem that we're just talking about data retention, preservation and management policies. Big deal, right? But that barely scratches the surface, according to attorney John F. McCarrick, a partner with Edwards Angell Palmer & Dodge LLP, and a specialist in risk management and corporate governance issues. (You can read his white paper(PDF) on the subject for more detailed information. It's targeted at insurers, but don't let that stop you.)

And you might be thinking this is nothing more than another pain-in-butt process. Wrong again, says McCarrick and one reader, both of whom say the thought processes and policies required by these new rules will be a boon, both to IT and the corporations they serve. For one thing, having such a system in place is helpful to a company from both a compliance standpoint (think Sarbanes Oxley certification) and a risk management perspective. For another, it forces serious thinking about the risks tied to data retention policies. Maybe sales wants to hang onto meta data, but is it worth the legal exposure? It might not be.

Also, up until now - most companies have dealt with legal discovery by hiring third parties to search their data and pull all the threads together. Every case brought in another vendor. There were no cost savings as the wheel was reinvented over and over, according to McCarrick. But now that user companies will have to build these systems, the benefits are multifold: greater control of data (more of which is kept inside of the firewall); vendors will likely be forced to offer more sophisticated and nuanced services; and very probably, we'll see some consolidation and standardization of the services performed by those vendors.

The most important, and you might say, priceless, impact, though, involves the ability to sway a jury, no matter how weak a case, and the ever popular question of who is paying for this settlement anyway? No matter how strong your defense, if your company fails to meet its obligations to preserve and produce relevant data, a judge could (and they have) slap you with a charge of "adverse inference," which gives the jury carte blanche to assume all the information you did not produce was incriminating. This can turn a jury, as it did in the Coleman v. Morgan Stanley case, resulting in staggering damages.

And it gets worse. As noted in my earlier post, the insurance companies are not going to stand idly by and absorb this. McCarrick says there is widespread discussion over whether incurring such a charge would trigger the cooperation clause that is standard in most corporate insurance. In short: if you make matters worse through your own incompetence, or negligence, then they might not have to pay. There is a bright side: those same insurers are tossing around the idea of categorizing companies by risk factors, which means a solid e-discovery policy could get you better rates, along with peace of mind.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3345
Published: 2014-08-28
The web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 does not properly check authorization for administrative web pages, which allows remote attackers to modify the product via a crafted URL, aka Bug ID CSCuq31503.

CVE-2014-3347
Published: 2014-08-28
Cisco IOS 15.1(4)M2 on Cisco 1800 ISR devices, when the ISDN Basic Rate Interface is enabled, allows remote attackers to cause a denial of service (device hang) by leveraging knowledge of the ISDN phone number to trigger an interrupt timer collision during entropy collection, leading to an invalid s...

CVE-2014-4199
Published: 2014-08-28
vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, allows local users to write to arbitrary files via a symlink attack on a file in /tmp.

CVE-2014-4200
Published: 2014-08-28
vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, uses 0644 permissions for the vm-support archive, which allows local users to obtain sensitive information by extracting files from this archive.

CVE-2014-0761
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows remote attackers to cause a denial of service (infinite loop or process crash) via a crafted TCP packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.