I was in Germany last week giving a talk on Unified Communication (UC) Security. UC involves the convergence of lots of different types of communication over IP (and thus, the Internet): voice, video, email, instant messaging, and so forth. It also creates new types of interesting sensitive data, such as presence—where users are located, what types of devices they use and their capabilities, and online status. Clearly, security teams need to think about the security implications of UC, including protecting the confidentiality and integrity of these channels.
They also
have to think very carefully about the electronic discovery of information that
flows through these channels. In the past, instant messages and voicemail were
considered short-lived. They were rarely saved for a significant period of time
and weren’t treated as essential records for doing business. In the world of
UC—where many different types of communication can be sent, saved, forwarded,
archived, and otherwise be endlessly manipulated—suddenly these assumptions change.
Executive voicemail messages with terms of a pending merger may be forwarded
via email; customer service interactions with clients may be recorded over
instant messages; a videoconference with the new sales manager may be saved on
the corporate portal. Each of these may be construed as critical business communications,
and under U.S. law may need to be preserved for evidence in court. (Certain
regulated industries may have already recognized such messages as business
communication and taken steps for retention and protection.)
The problem is a fundamental conflict between the data preservation requirements of electronic discovery and the privacy protection requirements of EU laws. Speaking with a German audience, we all nodded in agreement about the dizzying array of Scandinavian, French, German, Swiss, and other privacy requirements surrounding business data. To comply with privacy law, many organizations choose to de-identify personal information in some way: mask, anonymize, alias, redact, or otherwise obscure data records to ensure that personal details can’t be linked to specific users (whether customers or employees). Often this applies to metadata—logs, message envelopes, etc.—rather than the content of a message, although it could be either. Generally, de-identification satisfies privacy requirements, but it raises all sorts of interesting complications for discovery. Once records or messages have been saved in this modified state—with many details changed or removed—what’s their status as evidence in court? Can the records be submitted to opposing counsel “as-is” (de-identified)? Must they be reconstructed to include private details? Or do they have to be originally saved in an unaltered state (re-introducing the privacy problems we tried to avoid in the first place)?
The Sedona Conference (www.thesedonaconference.org) is working on this problem. There’s acknowledgement in the legal community of the issues, but there’s not enough precedent for security teams to know how to proceed at this point.
What’s the next step? I shall fall back on the last refuge of a security scoundrel with this advice: talk to your lawyers. However, some of these issues were discussed at the 2009 Conference on Cross Border Data Flows, Data Protection and Privacy. A panel discussion on Cross-Border Discovery Conflicts highlights some practical steps that organizations can take to tackle the problem. The Georgetown E-Discovery Law Blog nicely summarizes at www.law.georgetown.edu.
Comments