Copyright The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial, contractual and special marketing information, ideas, technical data and concepts originated by the disclosing party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public, not previously available without restriction to the receiving party or others, nor normally furnished to others without compensation, and which the disclosing party desires to protect against unrestricted disclosure or competitive use, and which is furnished pursuant to this document and appropriately identified as being proprietary when furnished. Copyright 2011 FishNet Security, Inc. All rights reserved. The FishNet Security logo is a registered trademark of FishNet Security. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners. Version Control Incident Response Document Issue Number Document Creator 1.0 (Draft) David Buckley Delivery Date 6.21.2011 Data Classification Public
Table of Contents...1 What is ESI?...1 Major Types of ESI Include...1 ESI and the FRCP...2 ESI Changes the FRCP...2 Data Retention and Written Policies...3
What is ESI? is defined by the Federal Rules of Civil Procedure (FRCP) as information created, manipulated, communicated, stored and or best utilized in digital format. For something to be considered ESI, it requires the use of computer hardware and software. In 2006, the term ESI became a legally defined phrase for use with the FRCP. When ESI is requested in litigation, a form of discovery known as Electronic Discovery (ediscovery) is used to access and collect the data requested. In its most basic form, ediscovery is the collection of electronically stored information that can be used in civil litigation. It is important to understand what both ESI and ediscovery are and the distinctions between the two. Individuals who are typically involved with ediscovery and ESI are IT employees and managers, lawyers, forensics investigators and law enforcement officers. Major Types of ESI The major types of ESI are as follows: Voicemail and voice recordings Email Instant messages MP3 files Web pages Databases Internet or phone logs Deleted Files Cached Files Internet Stored Cookies
ESI and the FRCP In 2006, several high-profile lawsuits mandated changes within the FRCP regarding the way ESI is discovered and admitted into court, and how the costs of such discovery is to be controlled by the parties involved. ESI is admitted into court on the basis of its level of accessibility and monetary cost. The level of recoverable and presentable ESI falls into five major categories: 1. Online Data, including hard disks 2. Near Line Data, including optical disks 3. Offline Storage, such as magnetic tapes 4. Backup Tapes 5. Fragmented, Erased and Deleted data Of these five categories, only the first three are considered to be easily and cheaply produced or presented in court. In simple terms, the courts have decided that if the cost of restoring the data outweighs its worth as evidence, then it will most likely not need to be recovered. However, depending on the type of case that is in litigation, digital forensics may be required or requested to recover fragmented or lost data. This form of ESI falls into the fifth level of data accessibility, which is fragmented, erased and deleted data. Since it is the most difficult, costly and time- consuming form of evidence to reproduce or recover, it is only used when absolutely necessary. ESI Changes the FRCP In 2006, there were several major changes to the FRCP in regards to ESI and ediscovery. Understanding and recognizing these changes is important because it affects how future litigation will be handled and how it will be admitted into court. In summary, the changes have to do with the acceptance of ESI and the time it takes for ediscovery to be completed. Below is a list of the rules that were recently altered: Rule 16 - Establishes the processes for the parties and court to address early issues pertaining to the disclosure and discovery of ESI. Rule 26 - Requires parties to discuss issues of electronic evidence at the discovery and planning conference, including an inadvertent waiver of privilege, preservation of evidence, and the form of production required. Rule 33 - Calls for a search of ESI in answer to interrogatories involving review of business records. Rule 34 - Adds a new category of discoverable information called electronically stored information and gives options for the form of production. Rule 37 - Creates a safe harbor for ESI, should electronic evidence be lost because of routine operation of a company s computer systems. Rule 45 - Outlines conditions for non-party production of ESI.
Data Retention and Written Policies In this day and age it is nearly impossible to not store data electronically. Electronic data can be stored automatically or manually by corporations or individuals who wish to retain the data for future use, archiving, or duplication; this is referred to as static data. Logical (active) data is present on all electronic devices people use, such as computers, cell phones, MP3 players and GPS units. Many other types of devices store both active and static data. IT managers and lawyers must understand what types of data retention policies are implemented by their company and how those policies are controlled. Established data retention policies should exist in every business and are incredibly important documents to have. The policy should define what types of information are stored, how they are stored, where they are stored, and for how long before they are overwritten or deleted. This type of document may be the best defense a company has against claims of deleting data in opposition to prosecution. If data is called into litigation but has been deleted, there must be an established reason why. A data retention policy is excellent proof as to why data was deleted. It is imperative that a data retention policy be kept up-to-date and referenced as a standard operating procedure. As the storage and acceptance of electronic data continues to grow, there will be additional changes made to documents like the FRCP, as well as changes in the litigation of ediscovery and acceptance of ESI in the court room. Technology is still growing by leaps and bounds, so it is important to follow the trends in technology and be prepared for the changes that they may bring. As people continue to incorporate technology into their everyday lives, it will likewise be incorporated into our society and legal system. Individuals, such as IT managers, lawyers, forensic investigators and even law enforcement officers must be aware of the ever-changing laws surrounding technology. Now is the optimal time to gain knowledge in this field, as it is arguably still in its infancy. About FishNet Security We focus on the threat so you can focus on the opportunity. Committed to security excellence, FishNet Security is the #1 provider of information security solutions that combine technology, services, support, and training. FishNet Security solutions have enabled 5,000 clients to better manage risk, meet compliance requirements, and reduce cost while maximizing security effectiveness and operational efficiency. For more information on FishNet Security, Inc., visit www.fishnetsecurity.com