July 29, 2017

What Do Wikileaks and E-Discovery Have in Common?

I may be going out on a limb. My guess is that people reading this blog are interested in e-discovery and might find this post a little off the mark. However, as the CEO of a company that does a ton of e-discovery business, I have made it a personal goal to get people to start thinking of e-discovery as little more than a purpose-driven investigation. This is problematic for many people, because a huge percentage of those in the e-discovery field are only in that field and believe e-discovery is somehow truly unique, and that, technically, it is so different from other investigative problems that it has to be viewed in isolation. That perspective is, at least in my view, far from reality and an examination of the Wikileaks case will illustrate my point. Now I am well aware of the fact that the workflow of investigating Wikileaks and the workflow of responding to discovery in a legal case aren’t exactly the same, but the overall similarities are much more significant than many people realize. In fact, these similarities can create powerful value propositions for companies. Let’s take a look:

As everyone knows, the Wikileaks story is a situation in which someone’s sensitive information (in this case the Department of State’s) was compromised and is now out in the wild. While the Wikileaks case is by far the most prominent and serious example of this I’ve ever heard of, it is not at all unique. In fact, it happens all too often that a company finds some of its sensitive information has made it into the hands of a competitor or the public. These information security problems can be disastrous for a company, can compromise key intellectual property and, as a result, a company’s future. While this is clearly a far different premise from that of a civil discovery case, the premise is where the differences end.

To illustrate, let’s now walk through the likely response to the Wikileaks case. The first step is always to figure out exactly what happened and what information was compromised. This is not that different from some of the key questions at work during litigation. For example, the key question at the beginning of any litigation is “what actually happened?” Both the defense and the prosecution have a view of certain facts, but at the onset of litigation neither side is 100% sure of what actually happened, and determining that is a large part of determining the ultimate case strategy. In the case of litigation, the starting puzzle pieces may include information, such as likely custodians or cast of characters, date ranges for events, key documents and a basic idea relative to the topic of interest. In the case of Wikileaks, or any sensitive information loss, the situation is extremely similar; you have an idea of what information was compromised, when it was likely compromised and who might have had access to it.

The next step in both scenarios is to conduct a search to locate information responsive to the criteria. The technical dynamic of the search conducted in an e-discovery matter is almost exactly the same as the dynamic in a classified spillage/IP audit or even a PII (credit card) audit. In both cases, it is necessary to audit multiple machines across the enterprise to find all responsive data, and because that dynamic is the same, so are the challenges: large networks, multiple data repositories, active email accounts, mobile workers, bad connections, bad machines… the list goes on. The time requirements for the search are also identical in that you never have enough time, lawyers always want the answer yesterday, and no one understands why the information isn’t available already.

If there is any meaningful difference between a garden variety e-discovery investigation and the Wikileaks investigation, it is that in the case of the classified spillage/IP issue, deleted data is as relevant as, and likely more relevant than, non-deleted data. But even that distinction is becoming less marked as civil cases embrace the searching of deleted data. In fact, for some organizations, the distinction doesn’t exist at all. For example, in State ex rel. Toledo Blade Co. v. Seneca County Board of Commissioners, the Ohio Supreme Court ruled in a 7-0 decision that the Seneca County Board of Commissioners had to “make reasonable efforts to recover and provide the Toledo Blade newspaper with emails that had been deleted in violation of the County’s records retention policy and disposition schedule.” Further, the court ruled that “the fact that these emails had been deleted did not relieve the County from its obligation to produce this information, because deleted computer files are still discoverable.”

Back to our comparison: Once the Wikileaks or e-discovery evidence is collected, it is processed and reviewed. It is true that the processing phase may be different between the two situations, but the review and the intent of the review are extremely similar. The goal is to search the collected data and use the search results to guide the investigation and determine the actual facts. Tools utilized during this analysis phase are also similar between the two types of investigations; email threading, data clustering and document relationships are all key capabilities for both groups of investigators.

So why does it matter that a Wikileaks investigation and an e-discovery investigation are so similar? The answer is that companies can use these similarities to their advantage. Instead of buying separate solutions for conducting e-discovery investigations, HR investigations, PII investigations and IP investigations, companies should take a step back and try to determine what their core investigative needs are. Firms that take a higher-level view before diving headlong into buying point solutions are likely to quickly realize that many of their needs actually overlap, and that single solutions exist to cover all of these needs in a more comprehensive and intelligent way. That way, when you’ve purchased your e-discovery solution and you end up with your own little Wikileaks, you will have the tools in place to respond, instead of having to open up the wallet and hit the red emergency button.

Tim Leehealey

Tim Leehealey is Chairman and CEO of AccessData. Prior to joining AccessData he was VP of Corporate Development at Guidance Software. Prior to that he was an investment banking analyst covering the security market at Wedbush Morgan.
