A third edition of “Digital Evidence, Digital Investigation and E-Disclosure: A Guide to Forensic Readiness,” by Peter Sommer, has been published by the Information Assurance Advisory Council (IAAC). The IAAC is a not-for-profit research organization based in the United Kingdom that specializes in strategic-level information assurance issues, and enjoys the sponsorship of major UK and international corporations as well as partnership with government organizations. While the guide is mainly targeted at readers in the UK, the principles are global in scope and will be of use to American readers as well.
Mr. Sommer begins his guide by emphasizing the distinction between a Disaster Recovery Plan and a Forensic Readiness Plan. Disaster Recovery Plans typically address how to respond when business is impacted by a natural disaster or other catastrophic event; the main focus of such plans is to minimize the damage done to the business and resume normal operations as soon as possible. To put it another way, Disaster Recovery Plans are responsive or reactive. In contrast, Forensic Readiness Plans focus on what to do before a crisis situation, specifically one with legal dimensions, is actually at hand. These plans are also broader in scope, and frequently cover events that are less severe; Mr. Sommer distinguishes between issues with high impact/low frequency and those with low impact/high frequency.
The main goal of a Forensic Readiness Plan is to anticipate litigation and the corresponding requirements for preservation and discovery (known as disclosure in the UK) of electronically stored information (ESI). Legal proceedings can be as mundane as a dispute with an employee over their contract, or as serious as criminal charges or investigation for fraud. In either case, ESI still needs to be handled appropriately. As Mr. Sommer notes, it is imprudent and nigh impossible to try to develop an action plan for ESI in the middle of litigation. This needs to be done well in advance, so that business is not significantly interrupted or compromised when requirements to preserve and discover ESI are triggered. Senior executives, lawyers, and IT experts all need to be involved in creating a Forensic Readiness Plan, which will support the efforts of lead decision makers during litigation.
Preservation and collection of ESI need to be done in an efficient, cost-effective, and low-impact way. Businesses should also be sensitive to the privacy issues surrounding preservation of data, especially where clients and employees are concerned. However, the main concern is to meet obligations to customers and clients as well as to debtors, employees, and the public. With this in mind, Mr. Sommer spends a significant portion of the guide familiarizing readers with the lifecycle of an incident that would necessitate the legal use of ESI, as well as with types of evidence.
The lifecycle is divided into: detection, reporting, initial diagnosis, initial actions, evidence collection, mature diagnosis, mature actions, recovery activity, remedial activity, civil legal activity, law enforcement activity, and criminal and regulatory proceedings. “Evidence collection” is actually an early part of the cycle, and needs to happen before formal discovery requests are made; this will help businesses to avoid sanctions because of improper discovery or preservation, and will also streamline the discovery process. Collection of evidence also assists in the maturation of diagnosis and action, so even if no legal proceedings actually occur, the business still benefits. In terms of types of evidence, Mr. Sommer’s list is extremely comprehensive. A few sources that deserve mention here are PDAs, outsourced data, and data in the cloud; these have all come under increased scrutiny in the US.
Mr. Sommer provides an extensive corporate action plan at the end of the guide (pages 34 through 37), which walks the reader through the response to an incident. Specific actions are given for each step of the process, including continuous updates to existing procedures and policies. Also included are details on organizing a team or teams to deal with the incident, and the identification of key personnel. Overall, the guide provides an excellent case for the development and implementation of a Forensic Readiness Plan, and includes the information that a business would need to begin this process. Readers in the UK and in the US will find it to be of great use.