Overly on Security

About this Blog:

The legal side of security.

Michael Overly

The Care and Feeding of Forensic Experts

If your company is involved in litigation in which electronic evidence will play a significant role, chances are you or your lawyers will engage a forensics expert to assist in the investigation. Doing so is now considered a best practice.



But what about the risks involved in having an outside expert access your systems, review your data, and potentially store your data at its offsite facilities for further analysis? Computer and forensic experts will likely come in contact with highly sensitive information of parties to the litigation and, potentially, their customers. Types of sensitive information include personally identifiable consumer information (financial records, healthcare records, employment records, transaction information from e-commerce sites, etc.), trade secrets, product development plans, and other proprietary information of the business.



The duties assigned to the expert may require contact not only with the adverse party’s information, but also the information of the party for whom the expert is working.  The important point is that any mishandling or compromise of the security of that information may (i) cause extreme prejudice in the pending litigation; and/or (ii) expose the expert and the party who engaged the expert to potentially significant liability.  Given the foregoing, it is critical to ensure the expert has in place appropriate information security safeguards to protect the information entrusted to the expert.

 

The following are the types of questions that should be asked of any expert who will be handling highly sensitive information:


  • What safeguards does your company use to protect the security of the data entrusted to it?

  • Do you have an information security policy for your company?  If so, provide a copy.

  • Are your personnel specifically trained regarding information security issues?  What is the extent of that training and how often is it repeated?

  • Does your company subcontract or outsource any of its data review, analysis, or other services to a third party?

  • Does your company send any data offshore for processing? This is a very significant issue. If the expert intends to send highly sensitive data of either party offshore, this creates a significant information security risk. All agreements with experts should strictly prohibit this activity unless the company or its lawyer has given express authorization.

  • Do you have strict policies regarding the protection of information stored on removable media?

  • Has your business experienced any compromise of security in the last two years, including the loss of project laptops or any removable media on which sensitive data was stored?
