Electronic Discovery (eDiscovery)
Chad Meyer & John Vyhlidal
ConAgra Foods
Overview
• Background
• Risks and Security Concerns
• Effective eDiscovery program
• Assurance Considerations
• Wrap up
Background
• Discovery
  – The process of identifying, locating, securing and producing information and materials for the purpose of obtaining evidence for utilization in the legal process
  – Additionally, the process of reviewing all materials that may be potentially relevant to the issues at hand and/or that may need to be disclosed to other parties, and of evaluating evidence to prove or disprove facts, theories or allegations
• What is eDiscovery:
  – The process of collecting, preparing, reviewing, and producing electronically stored information (ESI) in the context of legal discovery
Background
• 2006 updates to Federal Rules of Civil Procedure (FRCP) by US Supreme Court
• Applies to all US enterprises, public or private
• Set strict expectations that an enterprise must be able to produce electronically stored information as evidence within a practical time frame
Litigation and eDiscovery are key drivers for enterprise records retention
Risks and Security Concerns
• Un/Intentional removal of records
• Un/Intentional alteration of records
• Privacy considerations
• Inability to recover/identify records
• Providing unnecessary/wrong records
• Losing litigation cases (macro level risk)
• Fines for non-compliance (macro level risk)
eDiscovery Program
Goals for an effective program
• Ability to provide any discovery-requested ESI
  – Regardless of content type and storage location
• Responding to requests for discovery efficiently, effectively and completely
• Well documented process
  – Policies and procedures prior to discovery
  – Search methods in response to discovery
• Refraining from providing information not requested
Assurance considerations
Identify key risks
Consider the existing control environment
Evaluate the design of current controls as related to eDiscovery
Identify gaps
Consider cost benefit of mitigating existing gaps
Select and implement solutions
Monitor
Identify key risks
• Risks vary based on size, industry or other unique factors
• Top down risk assessment
• Involve key stakeholders
  – Legal
  – Records management
  – IT Security
  – System/Data owners
• Understand all potential sources/locations
Consider existing control environment
• Existing controls may aid in mitigating risks associated with eDiscovery
  – SOX, HIPAA, PCI
• Review existing control libraries for applicable controls
• Conduct interviews with key members of legal, risk management, and IT
Evaluate existing controls related to eDiscovery
• Consider purpose and scope of existing controls
• Many controls may aid an eDiscovery program, but not fully
  – Records retention policies
  – Backups
  – Logical Security
Identify gaps
• Classify gaps by EDRM process and responsible function
  – Information Management, Identification, Collection, Preservation, etc.
• Link gaps to existing controls (where applicable)
Identify Gaps
Source: An EDRM White Paper – part of the EDRM White Paper Series, September 2010 – Adam Hurwitz, BIA CIO, Business Intelligence Associates, Inc.
Cost/Benefit of risk treatment
• Typical risk treatment plans include options
  – Avoid
  – Reduce/Mitigate
  – Transfer
  – Accept
• Consider probability and magnitude
• Factor ROI against noncompliance and/or alternative methods (typically manual)
Select and implement solutions
• Entity level controls
• IT general controls
• Other controls
• Prepackaged solutions
Select and implement solutions (cont.)
• Gartner classifies eDiscovery solutions into the following categories for analysis:
  – Information governance and archiving tools
  – Identification, collection, preservation and processing
  – Analysis tools
Monitor
• Maintained records retention and legal hold policies and procedures
• Clear ownership of each portion of the EDRM process
• Legal hold tracking process
• Include selected solutions in enterprise risk assessments and audits
Recap
• Background
• Risks and Security Concerns
• Effective eDiscovery program
• Assurance Considerations
• Conclusion
ISACA White Paper
• Published 3/10/2011
(Link to ISACA download)