According to the old cliché, content is king. For many
organisations today, the content that they produce could be considered as the
crown jewels of the business, including highly sensitive and valuable data such
as financial records, intellectual property and databases of customer records.
There are many that would like to get their hands on those gems of information
and preventing this data from leaking out of an organisation is of prime
concern to governments, enterprises and small businesses alike.
But it is not just data leakage that organisations today
fear. Most entities face some kind of regulation and many of those rules
mandate that information produced by or received by the organisation, such as
in the form of emails, must be kept for a specified period of time and that its
integrity must remain intact, for example by placing controls on who can
access what information and what they can do with it so that records cannot be
altered by an unauthorised person.
Most of those regulations mandate that all information must
be recoverable so that it can be handed over to authorities should there be
suspicions of non-compliance or illegal activity. This is occurring in
private cases as well. Electronic discovery (e-discovery) lawsuits are now
fairly commonplace in the US and are growing in importance in Europe, particularly
in the UK. This means that organisations must be able to produce any
documentation that could be relevant to the lawsuit—and in any format, from
word processing documents and emails, to product designs on CAD-CAM systems.
An organisation that has taken steps to secure and
effectively govern its information may think that it can prevent its
information gems, or even dregs, such as derogatory comments made by an
employee, from falling into the wrong hands. Or they may think that they are in
a good position to answer regulatory or e-discovery demands with the minimum of
fuss.
However, there is one common mistake that has scuppered a
fair few organisations to date, but which is only just beginning to get the
attention that it deserves. That is the failure to consider metadata. Metadata
is defined as "data that provides information about other data". This can
include information about who created a document and when, and who has made
what modifications to it at which point. Essentially it is the digital
fingerprint or DNA that identifies all activity related to a document and
provides an audit trail of that activity.
Lawsuits demanding the production of metadata along with the
documents to which they refer have been brought to court since the mid-1990s
and are becoming increasingly common. High profile cases where metadata has
been used to provide key evidence include WorldCom, Enron and the Martha
Stewart investigations, mainly in the form of emails. In some cases, metadata
has been used to reconstruct evidence in disputes over timelines, such as an
accusation that someone has backdated documents.
Other gaffes involving metadata have included a report
released by the UK Prime Minister's office regarding its contentions that Iraq
was amassing weapons of mass destruction. The report was used by Colin Powell
to make the case for war in an address to the United Nations, and a search for
metadata in the document revealed that parts of it had been copied from work
produced the previous year by a graduate student. And pharmaceutical giant
Merck suffered
embarrassment when metadata revealed that it had deleted a story about the
causal relationship between its drug Vioxx and heart attacks.
Although the problems with metadata have long been known
to technologists, today's highly regulated environment and the sensitive
nature of much of the information produced by organisations are elevating the
issue to the business level. Now more than ever there is a need for
organisations to ensure that they have systems in place to control the
information that they hold—including metadata that can be used to prove when
documents were created, stored, searched and retrieved. In practice, the best
defence is a layered strategy, including employee education, technology tools
such as metadata cleaning or mining software, and policies defining the
responsibilities of staff when handling documents.
For those organisations that have such processes in place,
the benefits that they reap may be more than just the avoidance of negative
publicity or a large fine. Although less publicised, there are cases where
organisations have been able to use metadata attached to business documents to
prove that an allegation was false. For example, in one case, an organisation
in the UK faced a lawsuit from another firm which claimed that it had certain
information at its disposal. Through forensic investigation, however, the
organisation facing the lawsuit was able to prove by examining
metadata, including that attached to previously deleted documents, that it had
never been party to that information, and thus it won its day in court.
Just as fingerprints left at the scene of a crime are
regularly used to secure convictions or to prove that a person could not have
been there, the digital DNA of documents, or metadata, can be used as evidence
of wrongdoing or can be used to prove innocence. The importance of metadata
cannot be overstated and should be a key consideration in the development of
an effective system of information governance.