E-Discovery - Overlooked Sources for Early Case Assessment
Whether you are experienced with electronic discovery (e-discovery) or new to the process, the presentation of a new legal hold can be an intimidating situation. Knowing the magnitude of the hold, the repercussions and the work effort can make anyone wonder, “How big is this case going to be?”
Early case assessment (ECA) is done to bring clarity to the situation. ECA is the first step in determining the size of the project.
ECA, for any good IT person, typically involves gathering data from three primary resources - the user’s PC, shared folders on the network and the email server. However, there are a few additional spaces that tend to be easily forgotten, but can be vital and, therefore, worth your time to check.
Data Loss Prevention (DLP) Logs
Data loss prevention tools are the devices that keep your employees from leaking data via email attachments or other file sharing means. These devices often sit between the email server and the Internet. Depending on how they are implemented, they may be a quick and easy source from which to identify all inbound/outbound communication, including:
- Who the sender/receiver was, regardless of blind carbon copying (BCC)
- What documents were attached
- What the date/time of delivery was
If your organization has several email servers, or if extracting mail for ECA is proving unstable or “taking too long,” this logging may be a great resource.
Anti-Virus (AV) Gateways
Your PC may already have anti-virus software installed, but your company could have additional protection (at the “edge” of your network) serving as a second line of defense against viruses and malware. Similar to DLP, these devices often inspect ALL email as it passes to and from the company. While these devices may not have the full body of every message stored, they may still contain scoping-related details such as the quantity of messages, or even the subject and recipient data. Keep in mind that logs like this may be your safety net for detecting messages that might have been deleted from the mail server.
Both DLP tools and AV gateways are sources that should be discussed between IT, records management and legal teams. It’s important to realize the wealth of information they can bring (for good or bad) to the electronic discovery process. It’s also a good idea to make sure that the expiration of these logs is consistent with your data retention policies.
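The Python example below is added here and is not from the original article or from any DLP or AV product. It scopes one custodian's traffic from a gateway log export, including messages where the custodian was only a BCC recipient, and lists message IDs the gateway logged that the mail server export no longer holds. The CSV column names, addresses, message IDs and the `scope_custodian` helper are constructed assumptions; real products use their own export schemas.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed gateway/DLP export; the column names are assumptions, not a product schema.
GATEWAY_LOG = """\
timestamp,message_id,sender,recipients,bcc,attachments
2023-03-01T09:12:00,<a1@example.test>,alice@example.test,bob@partner.test,,contract_v2.docx
2023-03-02T14:30:00,<a2@example.test>,carol@example.test,dave@example.test,alice@example.test,
2023-03-05T08:05:00,<a3@example.test>,alice@example.test,eve@partner.test,,pricing.xlsx;terms.pdf
2023-04-20T10:00:00,<a4@example.test>,alice@example.test,bob@partner.test,,
"""
# Constructed: message IDs still present in the mail server export.
MAILSTORE_IDS = {"<a1@example.test>", "<a2@example.test>"}


def split_field(value):
    """Split a semicolon-separated field, dropping empty entries."""
    return [v.strip().lower() for v in value.split(";") if v.strip()]


def scope_custodian(log_text, custodian, start, end, mailstore_ids):
    """Summarise gateway records involving one custodian inside the hold period."""
    custodian = custodian.lower()
    hits, attachments, counterparts = [], [], Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        if not (start <= when <= end):
            continue
        # BCC recipients do not appear in delivered headers but are logged at the gateway.
        parties = {row["sender"].lower(), *split_field(row["recipients"]), *split_field(row["bcc"])}
        if custodian not in parties:
            continue
        hits.append(row["message_id"])
        attachments.extend(split_field(row["attachments"]))
        counterparts.update(parties - {custodian})
    return {
        "message_count": len(hits),
        "attachments": sorted(attachments),
        "counterparts": dict(counterparts),
        # Logged at the gateway but absent from the mail server: possibly deleted.
        "missing_from_mailstore": sorted(set(hits) - mailstore_ids),
    }


if __name__ == "__main__":
    print(scope_custodian(GATEWAY_LOG, "alice@example.test",
                          datetime(2023, 3, 1), datetime(2023, 3, 31, 23, 59, 59), MAILSTORE_IDS))
```

The message count and attachment list give a first estimate of case size without touching the mail server, and the missing-ID list tells the legal team which messages may exist only in the gateway logs.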