TORONTO — Security issues and internal network breaches are an inevitable part of doing business, so limit the damage in advance with a records management policy.
That was the consensus of experts speaking at Tuesday’s E-Evidence and Computer Forensics Forum. “Admit that at some point you will become embroiled in an investigation,” said Steve Rogers, national director of H+A Computer Forensics Inc., based in Toronto.
E-mail is the biggest security liability and one of the most common forms of electronic evidence involved in today’s corporate lawsuits. H+A’s president Oleh Hrycko referred to e-mail as “the window into the corporate soul. It’s the digital smoking gun in most of our investigations.”
The problem with e-mail is its ubiquity, according to Rogers. “Do you ever really think about where that e-mail goes after you hit the send button?” he said. Not only is a copy of the message stored on the sender’s hard drive, the recipient’s hard drive and the hard drive of any person the message is forwarded to, but possibly on every server connection in between. It could also be on a personal digital assistant (PDA) or other wireless device used to access e-mail.
Rene Hamel, senior manager at Royal Bank of Canada’s corporate investigation services, agreed but noted that investigators also have to prove that the e-mail was written by the person who owns the address. “You can have a smoking gun file, but at the end of the day, you still have to put a person behind the keyboard,” he said. “You’re going to need a lot more . . . Courts are asking for a lot more than a Word document or an e-mail file (in order to convict).”
To make that connection, Hamel, who has also worked for KPMG and the RCMP, corroborates e-mail files with other forms of evidence such as phone records, security card records and even security cameras.
In the course of his investigations, Hamel said he had to seize 30 hard drives just to locate one document. In another case, a more severe solution was required. A client experienced a security incident right before the company upgraded its network from Macintosh to Windows. Hamel had to recreate the old network in order to find out what happened. “Keeping old equipment is a good thing to do,” he said.
The legal ramifications of file storage and e-mail are coming to a head. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will take full effect on Jan. 1, 2004, and it’s up to companies to make sure their records management policy is coherent, said Shaun Devine, assistant vice-president and senior counsel of Sun Life Financial. He pointed out that section 37 of PIPEDA will require that electronic documents be stored in their original format or in a format that is unchanged from the original. They must also be readable and time-stamped.
Sun Life is in the middle of updating its own records management policy, not only for legal reasons but because it makes good fiscal sense. Devine provided the example of DuPont, which recently discovered through an internal audit that half of the documents it had stored weren’t even necessary — a mistake that cost the company an estimated $10 to $12 million, he said.
“Defining the scope of a record can be a very important step in setting up a program,” said Devine. “What is a record and what do you want to retain?”
Sun Life has completed the retention schedule portion of its policy overhaul and is still working on the broader implications and any necessary technology upgrades.
The company has determined that most of its records will remain on file for seven years, depending on the source and category of the record.
It took more than 400 hours for Sun Life to reduce 3,500 document types down to fewer than 200, but the company was able to distill its retention policy down to a 30-page booklet. Devine emphasized that a records policy should encompass paper-based as well as electronic records, but the end result “will make sure you get the right records to the right person at the right time and in the right format.”
It’s important that every person who has access to information be notified of any policy change, added Devine. He suggested that company members be asked to sign off on the policy.
An “acceptable use” document is also an important step in handling records management, according to H+A’s Rogers. “It’s important for employees to understand that they have no reasonable expectation of privacy,” he said. The firm was contracted by Sun Life to assist in policy management.
Sun Life may have completed its records retention policy, but “we haven’t yet got comfortable with our own program to export that elsewhere,” said Devine. Sun Life’s American operations are in the midst of their own, independent policy change. Devine recognized that this may be a duplication of effort, but an inevitable one.