Winter 2011: Password security standards and trendsA recent survey confirms that many companies face a major revamp of the way they store and manage data, following the introduction of new rules governing the use of electronic documents as evidence in legal disputes.
Social networking, cloud and virtualisation will change where your data is stored and how easy it is to get to when you need to present it.
Martin Carey
Managing DirectorKroll Ontrack Ltd.
Requires Free Membership to View
SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!
Michael S. Mimoso, Editorial Director
The new rules were introduced in October by the Ministry of Justice, and, for the first time, make firm recommendations about how electronic documents could be called as evidence in court cases.
The changes come in the Civil Procedure Rules, which govern the way the legal process operates, and they are outlined in Practice Direction 31B -- Disclosure of Electronic Documents.
The Ministry specifies that companies need to be able, if required, to produce relevant electronic records in whatever form they occur. This could include email records, as well as instant messages, voicemails, social networking messages and data held on USB sticks and mobile phones. It also includes documents stored on servers and back-up systems and documents that have been deleted, as well as metadata and other embedded data that is not typically visible on screen or on a printout.
As the guidelines make clear, the aim of the rules is partly to streamline the process of litigation and thereby cut costs. They strongly recommend that "technology should be used in order to ensure that document management activities are undertaken efficiently and effectively."
The direction also places a responsibility on organisations to deliver information in a form that can be easily processed by the opposing party. "Electronic Documents should generally be made available for inspection in a form that allows the party receiving the documents the same ability to access, search, review and display the documents as the party giving disclosure," the briefing article said.
But a new survey shows that companies will have some work to do in order to comply with the new rules, and they will probably need to carry out a major review of the way they store and manage electronic information.
The study, sponsored by investigations company Kroll Ontrack Ltd., interviewed 403 companies -- 200 in the UK and 203 in the US -- between July and September 2010 about their strategies for handling electronically stored information (ESI).
More than half of the UK and US companies have an ESI strategy in place, but very few of those organisations have reviewed existing policies to cover new communication methods, such as social networking (30% in the UK and 21% in the US) and new storage technologies such as cloud computing (28 % in the UK and 16%in the US).
While 45% of the UK companies have tested their policies, 32% do not know if their policies have ever been tested.
"It is important for companies to know where their information is located and to be able to properly search and identify potentially relevant data to comply with disclosure obligations," said Tracey Stretton, legal counsel for Kroll Ontrack. "The best way to do that is by having a disclosure response strategy in place that is periodically tested and updated."
She added that, even before the latest rules came into force, the UK courts had already begun to take account of the way disputing parties cooperate and provide information. For instance, last year Barclays Bank Plc won a case to recover costs, but had its award cut because the judge considered its failure to produce telephone records and other case-critical records during pre-trial disclosure a "gross omission."
"The judge could have run the trial much faster if he'd had access to the records," said Stretton. "Barclays was punished because it didn't handle the disclosure process as efficiently as it could have."
Martin Carey, managing director of Kroll Ontrack said: "Companies need to start thinking about their security policies and their disclosure policies. Not many have updated their policies. Social networking, cloud and virtualisation will change where your data is stored and how easy it is to get to when you need to present it."