Tuesday, June 8, 2010

There are NO "Industry Standards" in the eDiscovery Space!!!

Yes, that is right: there are no standards. I catch myself saying "industry standard" this or "industry standard" that, when in fact not only are there no eDiscovery standards, there is no eDiscovery standard-setting body. There are standards from other industries that we borrow and adopt voluntarily as quasi-standards. The Reference Data Set (RDS), for example, is a list of the 28 million or so file signatures in the National Software Reference Library (NSRL), which is maintained by the National Institute of Standards and Technology (NIST). The NSRL is designed to collect software from various sources and incorporate file profiles, computed with the NIST-approved cryptographic hash algorithm, into the RDS, which NIST maintains. The RDS is used by law enforcement, government, and industry organizations to exclude files on a computer by matching file profiles in the RDS. In this industry we know this as the NIST list, and we use it to remove "system" and related files that have no value in our world.

But wait!

There are multiple hash algorithms, so which one do we use? As many in this space know, most eDiscovery applications use the MD5 hash algorithm. There are also other algorithms because in 1996 cryptographers began to find flaws in the MD5 computation and began recommending SHA-1, designated by the NSA. The flaws found in the MD5 hash algorithm reached the point that in 2007 the U.S. Department of Homeland Security said MD5 "should be considered cryptographically broken and unsuitable for further use". Yet here we are, still using a broken "standard". Flaws have also been found in SHA-1 and SHA-2, by the way, but that is an article for another day.
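
The known-file filtering described above, with the hash algorithm as a parameter, as an added example that is not part of the original post. It assumes the reference set is CSV text with "SHA-1" and "MD5" columns in the NSRLFile.txt layout; the function names, sample rows and file contents are all constructed for illustration.

```python
import csv
import hashlib
import io
import zlib

# hashlib algorithm name -> column header in the assumed NSRLFile.txt layout
RDS_COLUMN = {"md5": "MD5", "sha1": "SHA-1"}


def digest(data: bytes, algorithm: str) -> str:
    """Upper-case hex digest of a file's content."""
    return hashlib.new(algorithm, data).hexdigest().upper()


def make_sample_rds(known: dict) -> str:
    """Build a constructed reference set (CSV text) from {file name: content}."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_NONNUMERIC)
    writer.writerow(["SHA-1", "MD5", "CRC32", "FileName", "FileSize"])
    for name, data in known.items():
        writer.writerow([digest(data, "sha1"), digest(data, "md5"),
                         format(zlib.crc32(data), "08X"), name, len(data)])
    return out.getvalue()


def load_known_hashes(rds_csv: str, algorithm: str) -> set:
    """Read one hash column of the reference set into a lookup set."""
    column = RDS_COLUMN[algorithm]
    return {row[column].upper() for row in csv.DictReader(io.StringIO(rds_csv))}


def denist(collection: dict, known_hashes: set, algorithm: str):
    """Split {path: content} into (kept, excluded) by content-hash match."""
    kept, excluded = [], []
    for path, data in collection.items():
        match = digest(data, algorithm) in known_hashes
        (excluded if match else kept).append(path)
    return sorted(kept), sorted(excluded)


# Constructed sample data: not real RDS entries or real files.
SYSTEM_BINARY = b"constructed system binary"
SAMPLE_RDS = make_sample_rds({"notepad.exe": SYSTEM_BINARY})
COLLECTION = {
    "C/Windows/notepad.exe": SYSTEM_BINARY,
    "C/Users/a/renamed_copy.bin": SYSTEM_BINARY,          # same content, new name
    "C/Users/a/notepad.exe": b"constructed user file",    # same name, new content
    "C/Users/a/contract.docx": b"constructed user document",
}

if __name__ == "__main__":
    for algorithm in ("md5", "sha1"):
        known = load_known_hashes(SAMPLE_RDS, algorithm)
        print(algorithm, denist(COLLECTION, known, algorithm))
```

The match is on content, not file name: the renamed copy is excluded while the user file that merely shares a system file's name is kept, and the result is the same whichever hash column is used.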

So, what about the Sedona Conference, EDRM and other such organizations that promote "standards"? Those organizations provide guidance and are not setting "industry standards". The ONLY organizations in the legal space that can dictate standards that everyone must follow are the US Supreme Court and the various State Supreme Courts. Those governmental entities set standards each year through amendments to the rules of evidence and rules of procedure. So far, there has been little to no guidance from either level of government directed specifically at eDiscovery standards.

So what's the point? We will not have standards, such as a standard form of production, until the courts write standards into the rules. That won't happen until the rule-making leadership of the ABA and the various State Bars get involved and make it happen. Please, get involved!!! We need standards. Until then, let's drop use of the term "industry standard" and instead refer to "best practices", shall we?
