Pretty much all digital information is vulnerable when it comes to e-discovery requests.
Most IT and legal departments are aware that during litigation, corporate e-mail is going to be requisitioned by the adversary. That's because e-mail inevitably contains juicy details that can help prove a case.
What many enterprises may not realize, however, is that pretty much any digital information is vulnerable--including data in wikis and blogs, and files and documents stored in collaborative environments.
"Knowing how we use the wiki, there are conversations that are just as dangerous as conversations that happen over e-mail," says Jeff Brainard, director of product marketing at Socialtext.
The problem for today's enterprises is that users may have set up accounts to create wikis and blogs and share corporate data without the knowledge or involvement of IT or in-house counsel. And that can get everyone in trouble: During litigation, companies have a responsibility to produce any material requested by the opposition that may be relevant to the case. This process, often called e-discovery, can be hideously complex and requires close cooperation between legal and IT departments. It can lead to protracted searches through a variety of data stores, including file systems, NAS appliances, archives, individual user hard drives, backup tapes, and online services.
Failure to produce relevant information may have serious consequences. Companies have been fined. Other penalties include an adverse inference ruling, in which the jury is allowed to assume that the information that wasn't produced was bad for the party that didn't deliver it.
An even more damaging consequence is a preclusion order, in which the party is prevented from raising certain defenses and making certain arguments; this may result in the company losing the case entirely, says Michael Sands, a partner in the litigation group at Fenwick & West. Sands counsels enterprises in legal discovery.
"We tell clients, the first thing is to get a handle on what you have and where you have it," Sands says. He adds that IT typically starts talking about servers and local drives, and then mobile devices. "Then we say, 'What about wikis and blogs? Or Facebook?' Their faces go blank."
Sands says courts generally don't accept "We didn't know it was there" as an excuse for not producing information. "Stuff can be put in new remote areas and is harder to access, but it's still part of the discovery process, and that's something companies are struggling to understand."
So what to do? First, construct an enterprise policy for the use of collaboration tools, and any nonenterprise storage in general. Problem is, any policy that forbids the use of such tools is all but unenforceable. It also won't provide legal cover or relieve the company of its discovery obligations.
"I'm not sure the courts would be terribly impressed with an argument that says, 'We had a policy that says you shouldn't do that,'" Sands says.
A better option is to create a policy that gives the enterprise the right to access any online tools that contain corporate data, retrieve that data, and shut down the employee's access to the site if necessary. Of course, IT must follow up that policy with real technological options. As discussed in the story "Holy Web 2.0 Herding Nightmare", employees are flocking to online collaboration tools. IT can provide sanctioned options, including traditional software deployments and SaaS applications, that provide some measure of control and monitoring while also providing users with the capabilities they need to do their jobs.