ISO PUBLISHES THE ELECTRONIC DISCOVERY STANDARD.
Author: Teppler, Steven W.
INTRODUCTION
After almost a decade of work, the final part of the international standard on electronic discovery was published in April 2021. (1) This multi-part standard, known as the ISO/IEC 27050 Information technology--Electronic discovery series, is intended to "help organizations plan for and meet their electronic discovery objectives and obligations, if any, commensurate with the needs of each particular matter." (2) These matters can be legal, investigatory, records management, or other in nature; in any such matter, ISO/IEC 27050 is not intended to supersede or override legal, statutory, regulatory, or other obligations.
I. ISO/IEC BACKGROUND
ISO/IEC 27050 is the product of the International Organization for Standardization (ISO), (3) in conjunction with the International Electrotechnical Commission (IEC) (4) and Joint Technical Committee 1 (JTC 1), Information Technology, Subcommittee 27 (SC 27). SC 27 develops and publishes standards in the areas of information security, cybersecurity, and privacy protection, (5) and it is best known for the ISO/IEC 27000 family of standards that provide guidance and requirements on information security management.
ISO is the world's largest developer of voluntary international standards, and it is an independent, non-governmental organization made up of members from the national standards bodies of 167 countries and 3,368 technical bodies. Since its founding in 1947, ISO has published over 24,000 International Standards covering almost all aspects of technology, business, and manufacturing (e.g., from food safety to computers, and agriculture to healthcare). (6)
Founded in 1906, the IEC is a global, not-for-profit membership organization that brings together 173 countries and coordinates the work of 20,000 experts globally in its International Standards (over 10,000 published) and conformity assessment activities. IEC facilitates electricity access, and verifies the safety, performance and interoperability of electric and electronic devices and systems, including, for example, consumer devices such as mobile phones or refrigerators, office and medical equipment, information technology, electricity generation, and much more. (7)
ISO and IEC are two of the three global sister organizations (International Telecommunication Union, or ITU, being the third) that develop International Standards for the world. When appropriate, some or all of these standards development organizations cooperate to ensure that International Standards fit together seamlessly and complement each other. (8) Joint committees (e.g., JTC 1) ensure that International Standards combine all relevant knowledge of experts working in related areas.
"All [ISO/]IEC International Standards are fully consensus-based and represent the needs of key stakeholders of every nation participating in [ISO/]IEC work." (9) "Every member country, no matter how large or small, has one vote and a say in what goes into an [ISO/]IEC International Standard." (10)
II. ISO/IEC 27050 OVERVIEW
Purpose
SC 27 initiated development on the international electronic discovery standard to harmonize terminology, describe core concepts, offer guidance in several key areas (e.g., electronic discovery governance, processes, readiness), and identify relevant requirements. (11) While ISO/IEC 27050 is not intended to contradict or supersede local jurisdictional laws and regulations, it can have an impact because ISO International Standards play an important role in cross-border issues. If nothing else, it can help address the "reasonableness" of one's actions.
As more electronic records and data (or "ESI") are created, modified, manipulated, used, and ultimately destroyed without ever taking on a physical form (e.g., a printed document), the predominance and importance of electronic discovery have correspondingly increased. (12) The emergence of ESI as the preferred representation of information introduces new challenges associated with locating ESI, handling massive quantities of data, preservation and retention of ESI, authenticity, data integrity, data confidentiality, and data or media sanitization, etc. While electronic discovery needs and responses will vary by matter, failure to appropriately handle the electronic discovery process in view of the context of a particular matter can result in rework, unnecessary costs, possible sanctions, and legal liabilities.
ISO/IEC 27050 purports to address these challenges (13) by:
* promoting a common approach, understanding, and language for electronic discovery;
* encouraging practical and cost-effective discovery by those tasked with managing ESI through the process;
* identifying competency areas for those involved in electronic discovery;
* promoting consideration of the proactive use of technology, in reducing costs and risks, while increasing efficiencies throughout the discovery process; and
* suggesting ways of avoiding inadvertent disclosures of potentially privileged, confidential, or sensitive ESI.
Organization of ISO/IEC 27050
As of this writing, the ISO/IEC 27050 series standard consists of the following parts: (14)
* ISO/IEC 27050-1:2019 (2nd Edition), Information technology - Electronic discovery - Part 1: Overview and concepts, which addresses general electronically stored information (ESI) and electronic discovery terminology and concepts as well as describing the electronic discovery process elements. It is intended to serve a broad audience and to be a foundational source of information on electronic discovery. It does not include any guidance or requirements. (15)
* ISO/IEC 27050-2:2018 (1st Edition), Information technology - Electronic discovery - Part 2: Guidance for governance and management of electronic discovery, which focuses on the governance and management aspects of electronic discovery that are relevant to the governing body or senior management of an organization. (16)
* ISO/IEC 27050-3:2019 (2nd Edition), Information technology - Electronic discovery - Part 3: Code of practice for electronic discovery, which provides requirements and guidance for "personnel involved in some or all of the electronic discovery activities." Supplemental materials are included to help practitioners understand the objectives of each electronic discovery process element and the associated considerations, which can help these individuals determine the relevance of each process element and avoid failures that can increase risks and expenses. (17)
* ISO/IEC 27050-4:2021 (1st Edition), Information technology - Electronic discovery - Part 4: Technical readiness, which provides guidance on the ways an organization can be better prepared to address electronic discovery from the perspective of both technology and processes. (18)
Figure 1 shows the inter-relationship of the various ISO/IEC 27050 parts. It is worth noting that Part 1 lays the foundation for all the other parts and Part 4 addresses issues from the other parts that can help organizations be better prepared to deal with electronic discovery.
An Ave Maria Law Review article published in 2014 chronicled the early work on ISO/IEC 27050 and described why and how the project was undertaken. (20) This Article focuses on the final publications, describing the contents of each part and providing additional insight on how they are and can be leveraged.
III. PART 1--OVERVIEW AND CONCEPTS
ISO/IEC 27050-1 (Part 1) outlines the overall structure of ISO/IEC 27050 (21) and provides terminology, (22) concepts, (23) and descriptions of other issues (24) that span the various parts. Part 1 does not include guidance/recommendations (often denoted by the verbal form "should") or requirements (denoted by the verbal form "shall"), so it is an informative document that helps with the understanding of materials covered in the other parts.
The first edition of ISO/IEC 27050-1 was published in November 2016, (25) under the title: Information technology--Security techniques--Electronic discovery--Part 1: Overview and concepts. (26) Changes were made to the ISO Directives wherein document titles could have no more than three elements. (27) This created a problem because Parts 2 and 4 were not published at the time this change went into effect, so following the new directives resulted in inconsistent naming within the series. SC 27 rectified this situation by undertaking a minor revision of Parts 1 (28) and 3 (29) with the sole intention of updating the titles to what they are now. Unfortunately, other directives-based changes were applied to Part 1, resulting in all references to Part 4 being removed, as well as removing a figure that was similar to Figure 1 in this article.
Electronic Discovery Objectives
Part 1 identifies some or all of the following as objectives of electronic discovery: (30)
* comply with confidentiality, data privacy, and other restrictions on data access, use, handling, or transfer imposed by applicable laws, regulations, rules, and expectations;
* identify potentially relevant sources of ESI;
* properly preserve and retain potentially relevant ESI;
* process relevant ESI into a format that facilitates its efficient searching or review;
* minimize the potential of failing to designate as responsive ESI that is responsive;
* minimize the potential of designating as responsive ESI that is not responsive;
* minimize the potential of failing to designate for withholding or special treatment responsive ESI that qualifies for withholding or special treatment;
* minimize the potential of designating for withholding or special treatment responsive ESI that does not qualify for withholding or special treatment;
* produce responsive ESI in a form that is useable by the requesting party;
* consider the proportionality of the response in the context of the matter and the costs;
* utilize technology in order to reduce risks and costs throughout the project.
Part 1 acknowledges that these objectives...
COPYRIGHT GALE, Cengage Learning. All rights reserved.