Understanding Electronically Stored InfoSeattle Deputy CISO Pens New Book on Hot Tech Topic
How can organizations improve their e-discovery efforts? According to David Matthews, deputy CISO for the City of Seattle, it comes down to building up the necessary skills.
Matthews, who recently published the book Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval, says one of the best allies for organizations in building up their e-discovery efforts it to include the information security office. "This is basically what we do," he says in an interview with Information Security Media Group's Tom Field [transcript below].
"Information security is based on confidentiality, integrity and accessibility," he says. "All those things really apply when you're talking about how to acquire data in a secure way and preserve it."
It's also important for organizations to include forensics capabilities into their e-discovery repertoire, along with having a team member with a good understanding of legal matters.
Matthews is seeing more paralegal programs including courses on computer forensics, so that paralegals "understand the acquisition of data, how data is created, where to find it and how to get it."
The only way to understand electronic evidence and electronically stored information is to "dig in and learn this stuff," Matthews explains. "[It's by] understanding better where the data lives, how it's created, how it's stored, how it can be acquired safely and how it can be managed."
In an exclusive interview in advance of his book's publication, Matthews discusses:
- Where organizations are missing the boat on ESI and e-discovery;
- Necessary tools and skill sets for successful e-discovery teams;
- Advice for organizations looking to improve how they handle ESI.
Matthews is currently the Deputy Chief Information Security Officer for the City of Seattle. He has worked in the Information Technology field since 1992. He began working for the City of Seattle as the Technology Manager for the Legislative Department (City Council) in 1998.
He is the winner of the West Region Information Security Executive of the Year award for 2008, and has presented at many conferences and organizations, including RSA, InfoSec World, and to the US Attorney's Office, REI and Starbucks.
Electronically Stored Information Guide
TOM FIELD: Tell us about this new book please? You've got so many themes there just on the cover alone. What are the key elements of this?
DAVID MATTHEWS: I really started thinking about this idea quite a while back when I was working with our law department here at the City of Seattle and recognized the fact that law department, the management in the city and other folks who work in IT and just anybody who basically lives in this world these days is dealing with electronically stored information all day long, every day, and more and more so as our lives become more and more intertwined with the electronic world. I started talking to people and I started doing presentations specifically to attorneys but then going more to other groups about electronically stored information and what it means, and where it is, and how you can locate it, how you can understand it, and how you can manage it.
It became a seminar and a webinar that I had done several times and was asked to write a book about it. That's kind of the theme of the book, to really help people understand, and I tried to write it in a way that anybody could understand it and really have some fun with it. I wrote it as stories and metaphors and really tried to make it easy to understand for anyone, because I really do think we're all sort of inundated with this tsunami of data that we create as we walk around and many of us don't realize what kind of an effect that can have on us, both legally and just in our history and in our reputation in so many ways. That was the intent of the book, and I really hope it gives everybody who reads it a much better understanding of the data we all swim around in these days.
FIELD: You've tried to make it accessible to multiple audiences. Who would you say are your primary audiences?
MATTHEWS: It started out as something for management and legal organizations, and I think those would be well served by it. I've also had several colleges contact me about using it as a textbook for people who are getting into either paralegal fields or information technology or computer forensics fields, just to better understand how they could assist their organizations as they move out into the workforce to work with electronically stored information and electronic discovery, which is a big issue now with any kind of litigation or any kind of legal issues.
I do spend a fairly large chapter there just talking about how the law has changed and case laws have changed to recognize electronically stored information now and how important that has become in the legal world. It's changing quickly. It's difficult for the legal world to get a handle on it because it's a different way of looking at evidence, but it's becoming very important in the courts. So I spend a lot of time talking about how the rules have changed and how the courts are now looking at electronic evidence.
E-Discovery: Missed Opportunities
FIELD: You spend a lot of time talking with different organizations. Where do you see them most missing the boat on ESI and e-discovery?
MATTHEWS: I think in many cases it's a resource issue; it's just difficult to get their hands around sometimes and that's understandable. I think that there's often a misunderstanding. People who work in litigation, or in legal, didn't go to school for IT. They don't speak the language of IT. So it's difficult sometimes to translate the geek if you will from a legal geek to an IT geek to the information technology geek. It's sometimes difficult to translate and I think that's where the biggest gap is most of the time.
That's one of the things I really try to address in this book, to give people kind of a lexicon of what's the language that you need to understand from IT if you're not in IT, or from the legal side if you're not in the legal side. For all of us, it's better to understand each other. I think that's where the biggest gap occurs, just this lack of understanding, lack of communication.
The first steps I always recommend to organizations when I talk to them is put together a group of stakeholders from legal, from your IT management positions, from your computer security positions, from your auditors, your business managers and of course you executive folks and get everybody in the room together and start looking at what needs to be in place for you to be able to collaborate with each other and for you to be able to help each other discover what needs to be discovered when you do need to find electronic evidence, whether it's for an audit, a legal issue or for some kind of regulatory problem. Get everybody in the room that needs to be there and start translating things with each other and finding somebody who would be a good liaison. I think that's really a key part, having a liaison person who understands all sides of it, or a department, a whole division. I've seen this in some mature organizations that they have a department of e-discovery or department of records management that actually is capable of speaking the language of the different organizations and all the different pieces and working together to coordinate and collaborate.
Getting E-Discovery Right
FIELD: Now flip side of that last question. Where do you see organizations most often getting ESI and e-discovery right?
MATTHEWS: I think where I'm seeing the best is in some of the larger organizations, especially some of the legal organizations and some of the big companies. Like I said, they create a department or a division of electronic discovery, whose job it is to be able to assist both the legal side and the IT side, the forensics people, the computer forensics people, the computer security folks, to coordinate with each other and to understand better how data works, where date lives and how it can be preserved safely and securely, how it can be acquired in a forensically sound manner. [It's] all those pieces getting put together in one place either under an organization, under a division within an organization or a specialist within a smaller organization, or possibly even going after third parties. There are some third-party organizations and vendors who are now specializing in electronic discovery. I think it's really something for every organization, every person really, to be aware of and look for solutions and be ready for them, because we're all basically subject to these same issues. We're all basically living in this same data fog, so I think everyone has a real responsibility to understand this and manage it.
Current Legal Trends
FIELD: Now you've talked a number of times about the legal profession. I know this has been a topic in a field you've worked in a lot. How do you see some of the current legal trends impacting how we work with ESI and of course e-discovery?
MATTHEWS: Well more and more I'm seeing that the courts are really beginning to understand electronic evidence, and [they] really call on and expect the parties in a legal case to be responsible about preserving electronic evidence. Where people are getting hurt in these cases is when they don't understand it themselves. They don't do the right thing to preserve it, letting their employees know that they have to preserve that data or letting the data get wiped in some way or cleaned up in some way, what's called spoliation in the legal field, [getting] somehow destroyed or lost. Those are often the times when the case will turn against someone because they [don't] understand that electronic data and all of the kinds of the electronic data might be evidence and relevant to a case. The courts are beginning to really understand this and you see more and more rules being changed around the country both on the federal level and the state and local level, and both civil and criminal courts, to address the fact that electronic evidence is absolutely required and expected to be a part of the discovery phase and a part of the evidence phase, so people have to be aware and have to understand.
More and more case law is showing that the judges are getting it and they're beginning to really call for this. It's changing all the time as technology tends to do, but everyone seems to be expected to understand how they need to manage it and that it does need to be managed and that has to be preserved carefully and acquired and secure and everything else. That's what I'm really seeing in case law lately.
FIELD: Let's talk a little bit about what organizations need in terms of technology tools. What are the most necessary ones for organizations that really want to get a handle on this?
MATTHEWS: There's a lot of new things out there for electronic discovery and archiving records management. I think really the record management tools are the ones that are becoming the most mature, as far as being able to archive your data carefully and index it in a way that you can get to. There are a lot of different organizations out there. It all really began with e-mail because e-mail tends to be the number one thing that everybody has wanted to look at in cases, but now it's expanding out and some of the tools and solutions I've seen out there are also working with documents that are created in a department or in a division in a business, and that all works around categorization of the data. Everyone needs to be able to somehow say this data belongs over here and classification of data.
Those are the ways the solutions are beginning to work, and I think as that area matures what we're going to begin to see is better ways to classify and categorize your e-mail and any documents you create, any data that you create, in a way that [this] meta data that exists along with that data directs it to the right place for archiving and preservation and for indexing for e-discovery or some other reason - an audit, etc. - you need to have that data, you have a fairly simple and easy way to look it up and find it and access it.
The ones that are out there right now mostly are e-mail and those are the ones I've seen the most of where there are e-mail archives and it's searchable and index-able so that things can be brought back. But more and more we're seeing other types of messaging, document creation and other types of data all being put into the same archival programs.
Needed Skill Sets
FIELD: What are the individual skill sets that organizations need to be able to handle this information, to present it properly when it's time to present the results of e-discovery?
MATTHEWS: I think one of their best allies is the information security office. I say that not just because I work in an information security office but because this is basically what we do. Information security is based on confidentiality, integrity and accessibility. All those things really apply when you're talking about how to acquire data in a secure way and preserve it in a secure way. You have to preserve the integrity of the data. You have to have confidentiality around the data and accessibility is all about classification of data, so all those things that we live as information security professionals really fit right into this, so that's one of the big skill sets.
Forensics and the ability to acquire the data in a forensically sound manner is another good one, and I think also understanding of legal things. Good paralegals - I'm meeting [and] seeing a lot more paralegal programs that are putting forensics, computer forensics, courses in with it and so the paralegals understand the acquisition of data, how data is created, where to find it and how to get to it. I think more and more those things are kind of melting together and all three of those I think are the big ones. The understanding of the electronic evidence and what the legal rules around it [are] - that's again more of a paralegal kind of place; the information security office or someone in that kind of realm of IT; and then somebody gets more into the bits and bytes in the forensic level because a lot of times that evidence can be difficult to get to. It may have been deleted [or] it may have been lost, and sometimes the forensic folks are the ones who can find it when nobody else can or acquire it when nobody else can. In any case, they're the ones who have the skills, the knowledge and the tools to acquire data in a way that maintains its integrity.
FIELD: For organizations that aren't prepared to bring this function in house internally, what would be some of the risks and rewards of outsourcing e-discovery?
MATTHEWS: There are risks because your data is possibly exposed. Something that's important to you, something that's private, something that's intellectual property or information - credit card information - is exposed to a third party. I think that's always going to be the risk when you're working outside of your own organization for any services.
However, as I've talked about in some of the things we've done around cloud, it's all about the contract. Again, you've got to have a good contract in place, something that if you're going to go into that with some third party, there needs to be some very good language in there about non-disclosure and they should have a really good reputation. You want to have somebody that you can have a good trusting relationship with, at least vetted, someone has recommended them to you or somebody you trust has recommended them to you, or you have really good contract language that restricts the kind of access they have and is very specific about what they're going to do and how they're going to do it, and how much time they're going to spend, and how things are going to be stored and if their people are backgrounded and that kind of thing. These are just the same kind of rules you would do any kind of services where you're sharing your data with an outside source. The risks are the same as usual but the way to mitigate those risks is to really get contracts and really get the relationships with the vendor that you're using.
Advice to Organizations
FIELD: Just a couple more questions about your book, please. If you were to sum it up, what advice would you offer to organizations so they can get a better handle on ESI and e-discovery?
MATTHEWS: I think that the whole point of the book and the answer to the question really is that the way to avoid the risks that come by not understanding electronic evidence and electronically stored information is by understanding better where that data lives, how it's created, how it's stored, how it can be acquired safely and how it can be managed. The only way to do that is really to dig in and learn this stuff. The book that I wrote is a good starting place. It's a good place and it has a ton of references in the back for people who want to get into it deeper, but there is a good starting place.
It's a good way to kind of get a feel for what kind of data might be surrounding you, what kind of data you or organization might be creating and a good checklist for if we've got some reason to have to acquire electronic evidence or electronically stored information, where do we start? What do we look for? What are the different places this could be? There are a lot of places that you might not consider right up front so it's just important to have that overall understanding and be able to manage it in a secure way.
FIELD: Last question for you. We've talked about a bunch of different audience segments. How should they best use this book?
MATTHEWS: I wrote it in a way that I think you can use it either as a reference where you can pick it up and look at the table of contents and say, "Okay, I'm really specifically interested in the case law around this," and go to the case law chapter. "I'm really specifically interested in all the different types of electronically stored information," so I can go to that chapter and it's broken down into all of them so you can kind of pick and choose, or I also wrote it in a way that's fun enough to read I think and interesting enough that you could read it cover to cover and really get a lot out of it, and kind of move through it in a way that as you're reading it, it builds on itself.
You start out with basics, how do things work, and that's how it really starts. How do these things work? Then you start getting into some of the legal issues and how it applies to you and then how the legal issues apply, and then more into what you can do with it, what kind of things you can do to manage it better and to acquire it and the legal issues and the forensically sound means of preserving data and securing data. I think it's written in a way that you can either use it as a reference book or use it to really work your way through from beginning to end - what is electronic information, where is it, how is it stored and what should I be doing to better manage it.