Preserving Evidence
Overview
Cybersecurity professionals are often required to participate in electronic discovery (eDiscovery) efforts when legal actions involve their organizations. These efforts focus on preserving, collecting, and producing evidence relevant to disputes.
Legal Hold
Also known as a litigation hold, a legal hold is a formal notice requiring an organization to preserve all relevant information and data for potential or ongoing litigation, investigations, or legal proceedings. A legal hold:
- Prevents evidence loss or tampering.
- Is initiated when litigation is anticipated or pending, or when an investigation is underway.
- Requires notifying relevant individuals to ensure preservation compliance.
- Requires documenting all communications and actions related to the legal hold.
- Ensures continued preservation throughout the legal process.
Most litigation holds remain in the preservation and collection phases without progressing to production. Only a few cases reach the point where evidence must be presented in court; many disputes are settled or do not proceed further.
Lifting the Hold
Lifting the hold is the process of removing a legal hold. This typically occurs when the legal proceedings or investigation have concluded or reached a resolution. Once the hold is lifted, previously restricted activities can resume normal operation and held information returns to its normal accessibility.
Electronic Discovery
Electronic Discovery, or eDiscovery, is the process of identifying, collecting, reviewing, and producing electronically stored information (ESI) for legal or investigative purposes.
- Involves emails, documents, databases, social media, etc.
- Utilizes eDiscovery tools to handle large data sets
- Follows legal guidelines for evidence management
- Requires coordination between IT, legal, and compliance teams
- Ensures proper documentation of evidence for court use
The key steps in eDiscovery are preservation, collection, and production.
Preservation
The goal of preservation is to maintain the integrity of the electronic information, which is essential for building a strong case or responding to legal requests. During this step:
- Issue a litigation hold to notify relevant parties to preserve records
- Halt automated data deletion processes, such as log purges
- Ensure all related information is maintained intact for legal use
Preservation could include:
- Making backup copies
- Isolating critical systems
- Implementing access controls
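One way to combine the backup-copy and access-control measures above so that the preserved copy can later be shown to be intact (an added example, not part of the original notes). The SHA-256 manifest, the `data/` and `manifest.json` layout, and the function names are assumptions made for illustration; the sample files are constructed.

```python
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large files
            h.update(chunk)
    return h.hexdigest()

def preserve(source, hold_dir, custodian):
    """Copy files under source into hold_dir/data, hash them, make them read-only."""
    data, files = hold_dir / "data", {}
    data.mkdir(parents=True, exist_ok=True)
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = data / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also keeps file timestamps
        files[rel] = sha256_file(dst)
        if files[rel] != sha256_file(src):
            raise OSError(f"copy of {rel} does not match its source")
        os.chmod(dst, stat.S_IRUSR)  # owner read-only
    manifest = {"custodian": custodian, "files": files,
                "preserved_at": datetime.now(timezone.utc).isoformat()}
    (hold_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(hold_dir):
    """Return sorted (path, problem) pairs; an empty list means the copy is intact."""
    data = hold_dir / "data"
    expected = json.loads((hold_dir / "manifest.json").read_text())["files"]
    present = {p.relative_to(data).as_posix() for p in data.rglob("*") if p.is_file()}
    problems = [(rel, "missing") for rel in set(expected) - present]
    problems += [(rel, "unexpected") for rel in present - set(expected)]
    problems += [(rel, "modified") for rel in present & set(expected)
                 if sha256_file(data / rel) != expected[rel]]
    return sorted(problems)

def demo():  # constructed sample: preserve one file, then alter the preserved copy
    with tempfile.TemporaryDirectory() as s, tempfile.TemporaryDirectory() as h:
        Path(s, "app.log").write_text("constructed sample log line\n")
        preserve(Path(s), Path(h), "constructed custodian")
        os.chmod(Path(h, "data", "app.log"), 0o600)
        Path(h, "data", "app.log").write_text("edited after preservation\n")
        return verify(Path(h))

if __name__ == "__main__":
    print(demo())
```

The manifest only proves integrity if it is itself kept where the preserved data's custodians cannot rewrite it, for example with the legal team's hold documentation.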
Collection
Collection involves gathering the preserved data for legal review.
- Retrieve data from servers, personal devices, emails, and cloud systems
- Cybersecurity teams assist in retrieving and organizing data
- Use eDiscovery tools to manage the collected information
Production
Production is the step in which relevant data is shared with the opposing party in a legal dispute.
- Attorneys review and select relevant data not protected by legal privilege
- Create an electronic file with selected records to share with the other side
- Most cases do not reach this phase due to settlements or other resolutions