It is only a matter of time before a company encounters its first court case, whether or not the company engages in punishable offenses. After the total depreciation of this ticking clock you will find it much more favorable to be in compliance with all rules and regulations Federal and State law demand. Such responsibility often begs the question “Can my IT employee handle digital evidence?“.
The truncated answer is a suggested “no”. Despite the many possible skill levels and extended knowledge of an IT professional at any company or organization, it is still best practice to protect yourself to the highest degree. One of the biggest concerns with any court case is the possibility of dismissal of evidence based on improper collection/preservation of materials. It is highly likely that the IT professionals under your employ may not be fully knowledgeable of, or keep up-to-date on, digital legal rulings and proper evidence collection procedures. Therefore, it is generally suggested that at the moment of realization that litigation may occur, a professional digital forensic resource should be introduced.
Situations can arise when an IT professional unknowingly “stumbles” into a legal matter. Perhaps an employee notices an anomaly on a computer or receives an unusual email, then passes it off to someone in IT to determine what is happening. Instances like these or where immediate IT action is necessary, can be justifiable in court settings as long as it is performed in proper/ethical manners. After all, the IT staff have authority to manipulate or even dispose of their own digital property when there is an “absent notice of a governmental investigation, probable or pending litigation, or another source of a duty to preserve evidence”, according to the American Bar Association. These actions may only be held as being justifiable and ‘responsible’ until this status changes. The ABA goes on to explain that “the duty to preserve potentially relevant evidence may arise before the commencement of a lawsuit if it is reasonably foreseeable that a lawsuit will be filed”.
Proper preservation of digital evidence often includes meticulous documentation and use of specified tools that prevent any original data manipulation. Such tools include the use of write blockers and linux-based live-boot systems. Since a typical IT approach does not prioritize preservation with every task, there is more room for unintentional data alteration. Opposing counsel are likely to highlight any IT mistakes, claiming these alterations were actually intentionally done to disrupt any incriminating evidence. It is very easy for irreversible actions to be performed, resulting in tainted data. Therefore, an optimal solution will most likely arrive from an immediate transfer of duties over to individuals who are properly trained and experienced with handling such experiences.