One of the key priorities for technology investments in 2009 will be the need for information protection and control technologies. Data breaches rose significantly in 2008 and no let-up is likely this year unless action is taken.

Concern over the security of data is now top of mind for many executives, leading to an increased focus on placing controls on the data itself – not just on security for the systems and networks on which that data is produced, stored and transmitted.

The technologies that will be increasingly in demand for providing this protection include those that monitor how data travels across networks, encryption, and monitoring, filtering and blocking technologies for data at rest, in motion and in use.

But it is not just security breaches that are placing a greater emphasis on improving information management. There has also been a spike in lawsuits related to e-discovery in the US – and this trend is now being repeated in Europe. In the US, automatic discovery laws were first added to the Federal Rules of Civil Procedure in 1993, but it was revisions to those rules made in 2006 that opened up the way for this escalation in e-discovery cases.

E-disclosure laws vary across Europe by country and, as yet, no pan-European directive has been passed related to these processes – although it is rumoured that there is one in the pipeline. But that does not mean that European organisations should rest on their laurels. According to research undertaken by Cohasset Associates, annual e-discovery costs are the second largest uncontrolled expense for most large organisations, exceeded only by healthcare costs. In Europe, it is in the UK in particular that lawsuits are becoming increasingly common and the government’s standards body, the British Standards Institute (BSI), is taking action.

In an e-disclosure lawsuit, all forms of corporate information are potentially admissible as evidence – from structured databases to unstructured information in email and document stores and archives. And, since up to 90% of the information processed by an organisation is produced and stored electronically, the task of sifting through it all can be gargantuan and enormously expensive. Plus, electronic information can easily be altered or even deleted if the proper security controls have not been put in place to prevent this happening. What is needed is a highly secure, comprehensive information management system to ensure that all data is produced and stored securely and is easy to retrieve through enterprise search capabilities.

As e-disclosure lawsuits continue to rise in number in Europe, more and more organisations are putting in place plans for responding should they themselves be hit. As they do so, they should be aware that new standards are being developed regarding how data should be stored that will help them to understand the controls that they need to put in place to ensure that the information that they produce in response to a litigation request is admissible as evidence. For example, if an organisation cannot prove that vital emails have not been tampered with, a court might refuse to have them submitted as evidence.

In December 2008, the BSI published the BS 10008 standard, which is called the "Evidential weight and legal admissibility of electronic information" specification. This standard sets out requirements for the implementation and operation of electronic information management systems and aims to ensure that any electronic information required as evidence of a business transaction is afforded maximum evidential weight.

For example, for electronic information to be admissible, it must be managed by a secure system throughout its lifetime, during which it may be held in storage for many years. Requirements laid out in the standard cover the storage and transfer of information and address concerns about the authenticity and integrity of information, as well as electronic identity verification. The identity-related issues covered in the standard include the use of electronic signatures and copyright systems, as well as the way that electronic identities are linked to documents.

While compliance with the standard will not be mandatory, organisations that can demonstrate that they have all the requirements covered will save themselves not only embarrassment, but potentially the high costs of paying fines for being unable to produce evidence deemed to be sufficiently secured and authenticated.

Further changes are in store that will affect the framework that organisations develop for information governance with the development of a further standard by the BSI, which is likely to be published in mid-2009. The new standard, BS 10012, will apply to any organisation, public or private, that stores information related to living human beings and is aimed at helping them manage personal information in compliance with the EU’s data protection directive.

This is something that organisations should incorporate into their information governance plans and policies as they develop them so that they will be in a position to prove that they are handling personal information responsibly. Another law that is rumoured to be in the works is a European version of security breach legislation that exists in other jurisdictions – at a state level in the US and in countries such as Japan. If, or rather when, this legislation becomes reality in Europe – which is expected during 2009 – compliance with the BS 10012 standard will be a clear differentiator for any organisation hit by a security breach. Further details will be available after the consultation period ends in March 2009.