After more than three years of development, the Canadian General Standards Board Thursday released a standard that outlines how to ensure records generated from electronic information systems are reliable, authentic and trustworthy.
The CGSB standard on electronic records as documentary evidence was created to help public and private organizations maximize the admissibility of electronic documents in a courtroom setting. To guide companies, the standard outlines policies, procedures, practices and documentation required to establish the integrity and authenticity of electronic records.
“The essential ingredient to demonstrate you have a good electronic records management program is to maintain your records accurately and demonstrate the integrity of your records- keeping practices,” said CGSB standards committee chair Vigi Gurushanta.
The standards committee is made up of approximately 24 volunteers like Burushanta who meet regularly. Gurushanta is also principal of Toronto-based consulting firm Imerge Consulting Inc.
The push towards global e-commerce and the creation of statutes, standards and legal requirements such as the Personal Information and Electronic Documents Act (PIPEDA) drove the introduction of the standard. The adoption of an electronic evidence section in both federal and provincial evidence acts, including the Canada Evidence Act in 2003, have also paved the way for its creation.
“Over the last 10 years, governments across the country and federally have done a really good job at amending their evidence laws to make it much more comfortable to keep records electronically,” said George Takach, partner with Toronto-based law firm McCarthy Tetrault. “As you move from the paper-based world to the electronic, the law has had a difficult time keeping up.”
Takach added the standard is akin to a set of best practices that businesses should follow when it comes to managing electronic records. He said businesses of all sizes, particularly small to mid-sized businesses, should invest in good record keeping systems so that if they do find themselves in a legal bind, they are able to quickly and easily access their records.
“There’s a double-edged sword to it,” said Takach. “On the positive side it gives you now really good guidance as to how you create a record management system. The downside is from this day forward if you don’t have this gold-plated policy and you don’t comply with the standard it’s now possible that somebody’s going to stand up in court against you and say you didn’t comply.”
Data recovery firm ActionFront, which has an office in Toronto, does recovery work for various police organizations including the RCMP, the OPP, the FBC and local state departments in the U.S. Data recovery and forensic computing, which is offered by such firms as Deloitte, are often lumped together but are quite different, according to ActionFront president Ron Austin.
“Electronic forensics is to go and find data on an electronic media and to be able to produce it as reliable evidence so you can show who created it and that it hasn’t been modified by anybody since that time record,” explained Austin. “Data recovery is providing access to that data that is on inaccessible media.”
Austin added that some data recovery companies that are looking for ways to increase their bottom line will sometimes also pose as forensic experts. That could spell disaster for a company if they couldn’t prove the contents of the data weren’t modified when the data was recovered.
“We have to do that while showing that we haven’t modified the contents of the data at all,” said Austin. “There’s a chain of custody process that proves who’s worked on it and what conditions they’ve worked on it under.”
In some cases, law enforcement agencies bring the problem media to ActionFront’s labs where they can safely and securely follow through with all of the necessary operations to recover the data.
While many businesses may not even know about the standard or don’t want to spend the money on a records management system, Takach strongly advises against that. Last year, the federal privacy commissioner released her first report on PIPEDA since it was introduced. She found that an overwhelming number of businesses have yet to comply with the act.
“If you want to do business electronically you need to play by the rules,” said Takach. “If you’re a small Web site e-tailer if you want to collect debts and you don’t have the standard working for you, you run the risk the other side is going to dispute what you show in court and say we can’t rely on that because they didn’t comply with the standard.”
The standard has also been endorsed by the Canada Revenue Agency (CRA) as a means to ensure the reliability, integrity and authenticity of electronic records as guidance to electronic business systems users and those who are required to keep electronic records to assist in establishing the legal validity of an electronic record.