Hostile eDiscovery happens when a party that is adversarial to the management of an enterprise conducts a search for records, without the cooperation of management. Examples of adversaries might be:
- Law enforcement like FBI or the Royal Canadian Mounted Police
- Tax collector like the Internal Revenue Service, Revenue Canada, or a state tax authority
- A regulator like the Environmental Protection Agency or the Food and Drug Administration
- A fraud investigator hired by the board of directors of a public company to investigate whether management is stealing from the company
Hostile eDiscovery Scenario
In each case, the target enterprise does not prepare in advance for the search. But the adversary shows up unexpectedly with legal authority like a search warrant. The adversary brings IPRO, and installs it on the target’s network. Then the adversary searches for evidence of wrong-doing, such as crime, tax evasion, or embezzlement.
IPRO can locate data in many different formats, such as email, PDFs, office documents, and unstructured data. It can search through different platforms, whether they be on-premise or in a third-party cloud. These platforms can include Exchange, Sharepoint, PC hard drives, Box, Office 365, and more. IPRO creates an audit trail to show what was searched when it was searched and what the results were.
Compare the Take Everything Approach
Historically, hostile eDiscovery was often executed as the “take everything” approach. The investigator grabbed computers, imaged hard drives, seized control of data centers, and made wholesale copies of data from network storage.
But the copy everything approach sounds like the caveman approach. It takes too much and looks at too much.
Many investigations do not justify the take everything approach. If the Internal Revenue Service, for example, marched into a company and just literally copied everything on the infrastructure of that company, the public would howl. What the heck is the IRS doing with absolutely all the data of a private company?
As information systems accumulate more and more data, the take everything approach becomes a bigger and bigger task. When judges and other authorities come to understand that there is an alternative to the take everything approach, they may demand the IPRO alternative as a way of limiting the scope of the investigation, protecting privacy and otherwise preventing overreach by the government. A tailored search is performed on-site, and might even keep the relevant discovered data on-site.
If Investigator Takes Less Data, There Is Less Data to Steal from Investigator
When the FBI, for example, copies all the data from a corporation, what assurances are there that all the personally identifiable information (of innocent bystanders) that just happens to be in there is protected? Is the FBI allowed to rummage through all that data and look for unrelated crimes committed by employees who have nothing to do with the topic the FBI is originally investigating? What if outside hackers steal the personal data from the FBI and then commit identity theft? (That’s not such an outlandish scenario given that hackers have stolen secrets from the likes of NSA and CIA). The retention of all that data by the FBI is actually a liability on the part of the FBI.
When the Archive & Search alternative is deeply understood, hostile eDiscovery becomes a less risky and less invasive route to uncovering the truth in an authorized investigation.
Benjamin Wright is a practicing attorney based in Dallas, Texas, and an instructor at the SANS Institute teaching a 5-day course titled “Law of Data Security and Investigations.” http://benjaminwright.us