


The Care and Feeding of Forensic Experts

Jul 10, 2007 · 3 mins
Data and Information Security, IT Leadership

If your company is involved in litigation in which electronic evidence will play a significant role, chances are you or your lawyers will engage a forensics expert to assist in the investigation. Doing so is now considered a best practice.

But what about the risks involved in having an outside expert access your systems, review your data, and potentially store your data at its offsite facilities for further analysis? Computer and forensic experts will likely come in contact with highly sensitive information of parties to the litigation and, potentially, their customers. Types of sensitive information include personally identifiable consumer information (financial records, healthcare records, employment records, transaction information from e-commerce sites, etc.), trade secrets, product development plans, and other proprietary information of the business.

The duties assigned to the expert may require contact not only with the adverse party’s information, but also with the information of the party for whom the expert is working. The important point is that any mishandling or compromise of the security of that information may (i) cause extreme prejudice in the pending litigation; and/or (ii) expose the expert and the party who engaged the expert to potentially significant liability. Given the foregoing, it is critical to ensure the expert has in place appropriate information security safeguards to protect the information entrusted to the expert.

The following are the types of questions that should be asked of any expert who will be handling highly sensitive information:

  • What safeguards does your company use to protect the security of the data entrusted to it?
  • Do you have an information security policy for your company? If so, provide a copy.
  • Are your personnel specifically trained regarding information security issues? What is the extent of that training and how often is it repeated?
  • Does your company subcontract or outsource any of its data review, analysis, or other services to a third party?
  • Does your company send any data offshore for processing? This is a very significant issue. If the expert intends to send highly sensitive data of either party offshore, this creates a significant information security risk. All agreements with experts should include strict limitations on this activity absent the express authorization of the company or its lawyer.
  • Do you have strict policies regarding the protection of information stored on removable media?
  • Has your business experienced any compromise of security in the last two years, including the loss of project laptops or any removable media on which sensitive data was stored?

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
