| Rapidly responding to data breaches, performing data audits in a pristine evidentiary manner, and preserving volatile digital evidence are essential in an increasingly litigious society; therefore, data custodians must respond to breaches of organizational information not only in a technically competent manner, but in a legally prudent one as well. The escalation of identity theft and online fraud is of major concern to industry leaders. The legal, regulatory, and privacy mandates of the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act, the Sarbanes-Oxley Act, and the Gramm-Leach-Bliley Act have resulted in data custodians reevaluating methodologies for maintaining organizational data securely. This qualitative multi-case study was designed to explore the lack of forensically sound incident response procedures employed by disparate organizations experiencing similar regulatory and legal challenges. The purpose of the study was to explore problems that are created by the absence of an in-house data forensics capability and the consequences of delayed investigations, investigational delays that could result in opportunities for digital evidence alteration, spoliation, and destruction. The participants interviewed for this study were 10 managers from five organizational categories: industry, healthcare, financial, municipal, and education. Data distillation and cross-case synthesis of the coded dialogue transcribed verbatim from interview field notes led to the creation of six key categories. Aggregation of the key categories revealed two major themes, motivators for an in-house forensics capability and inhibitors to an in-house forensics capability. Recommendations resulting from this study include: developing a data forensics incident response capability, implementing supportive written policy, training internal Information Technology staff to perform basic digital forensics functions, proactively deepening relationships with third party forensics providers, and leveraging human capital by adopting new enterprise forensics technologies. Analysis of the resultant data from this study can be beneficial in providing foundational information that could be utilized in conducting further research with wider geographical boundaries. Considering the proliferation of national and international regulations concerning data security, a longitudinal study could provide valuable insight and guidance into the changing legal environment and its effect on the role of the Information Technology data custodian. |
