Top Tips for Staying Legal

E-discovery, compliance, regulation, liability: Storage managers are becoming nearly as expert in these topics as they are in technology. In many organizations, data growth has been matched by a surge of legislation that forces IT pros to educate themselves about the responsibilities that come with storing sensitive information.

So just what are those responsibilities? There is no easy answer. Laws about data preservation are still evolving, so what seemed to be established yesterday may not be airtight tomorrow. But industry sources have some basic tenets that might help storage pros to get into the right mindset:

Get organized. "Get your electronic house in order," was a key piece of advice from George J. Socha Jr. Esq., a lawyer and consultant who has organized a methodology for e-discovery called the Electronic Discovery Reference Model. Speaking on a virtual roundtable discussion sponsored by Symantec last month, Socha said, "The better you can do at this, the easier everything that follows will be for you, and the less expensive and lower risk everything that follows will be."

When in doubt, save it. Getting organized doesn't necessarily mean getting bogged down in self-made rules. "We don't bother to try to classify the records," admitted Gregg Davis, CIO of high-rise construction company Webcor Builders of San Mateo, Calif., during Symantec's roundtable.

In his litigious industry, Davis says there's so much that might find its way into a legal document that it doesn't make sense for IT to take the time to pick and choose. "For us to write rules and to try and automate rules, to eliminate certain things based on generic rules, it was way too broad and we could not get it narrowed down to where we were comfortable with not saving... records. We in essence save everything if it's in an email record... for us to not produce something, to say we autopurged it, the risks and penalties... are way too high... Even something like a lunch meeting may be construed as [important]."There are folk who strongly disagree with the "pack rat" approach. However, if you can afford it, it may be better to be safely in possession of key records than to be caught without them.

Get to know your lawyer(s). Talk to the people in your organization who know the law when it comes to data management. "Make sure you know your company's legal liability on stored data protection," says analyst Richard Ptak of Ptak, Noel & Associates, in an email. "Make sure you know your company's policies on protection of stored data in general as well as specifically for special types of data. Regularly check and review that your policies are being followed and enforced."

Make no assumptions about your personal liability. Ignorance of the law, as they say, will be no excuse in court. "Do not ever, ever assume anything is being done with respect to defining, enforcing, or managing any policy," Ptak warns. "Do not ever, ever assume you are not responsible for identifying, enforcing, and managing the application of any policy. Do not ever assume you have no or minimal liability for data on your devices." Ptak suggests not only talking to the company lawyer about accountability for data protection -- but talking to your own lawyer as well.

Keep those logs turned on. Keeping an electronic trail of access to company systems and devices is now the equivalent of the old paper trail. This means that data stored in corporate servers, workstations, and even in unexpected places like USB drives and copiers can become part of an e-discovery project.

Ian Miller, CIO of New York-based law firm Weil, Gotshal, and Manges, told Byte and Switch in an interview earlier this year that firms can address the legal aspects of RAM by switching on the logs that record data as it passes through memory. If an IT pro fails to do this, "a jury can make 'adverse inference,'" Miller explained.Make use of what's out there. Even as storage managers are getting more savvy about legal matters, so are their suppliers and consultants. The Internet is glutted with suggestions and counter-suggestions. While much of this input is arguably driven by marketing motives, there are enough PowerPoints, Podcasts, and white papers out there to serve as a handy basis for planning a strategy. SMBs in particular can at least get the lay of the legal land simply by searching the Web for an hour or so. Filling in the specifics, of course, calls for more serious help.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Byte and Switch's editors directly, send us a message.