In the event a security compromise results from the potential actions of a third party (e.g., an employee exceeding the scope of their authority, hacker, competitor, etc.), it will likely become necessary to engage the assistance of forensic experts in marshalling and dealing with electronic evidence in the context of litigation.
Not all experts are suitable for all tasks. This is particularly true when talking about electronic evidence. There are many gifted computer experts that can provide critical assistance in identifying and recovering electronic evidence, that should never be placed before a jury. It takes a special kind of expert to be able to clearly explain to a jury the type of highly technical issues that may arise concerning electronic evidence. More than one case has been lost because a party’s technical experts simply could not explain the relevant issues. Any proposed expert should vetted thoroughly. Be cautious of engaging a forensics company without identifying the specific expert who will be working on your project.
In most larger organizations and, even, many smaller entities, there will be technical employees who have undergone some measure of forensic training. In the overwhelming number of instances the extent of that training extends to a single 2-3 day seminar or the review of a book or two on the subject. Almost invariably, the client will have already used this expert for the initial investigation and marshalling of evidence and will suggest the use of this person in connection with case preparation and trial. Unless the electronic evidence involved is minimal and litigation unlikely, the use of these individuals as the primary forensic expert should be avoided. They generally do not have the skill and training of a third party expert who has made these types of investigations the focus of their entire business. They certainly do not have the experience of preserving the “chain of evidence” or being deposed and testifying at trial. Internal experts are, however, extremely useful as adjuncts to a third party expert. The internal experts have in-depth knowledge of their employer’s systems and procedures. This information, particularly from the point of view of someone who has had even basic forensic training, can be invaluable to the third party expert and can reduce the overall costs of the investigation.
