Information and communication systems are now breeding grounds for electronic-evidence (e-evidence) in audits, investigations, or litigation. Increasingly organizations are being ordered by law or lawsuit to preserve, retrieve, and hand-over relevant electronic records (e-records) because "the courts are uniformly recognizing the discoverability of electronic communication and documents" [Nimsger and Lange, 2002]. This trend is an outgrowth of aggressive tactics by regulators to ensure corporate accountability and deter fraud.

In cases ranging from Securities and Exchange Commission probes of corporate malfeasance and insider trading to employment lawsuits, e-records are subpoenaed. Investigations conducted by the National Association of Security Dealers, Department of Justice, and Department of Homeland Security routinely require companies, their business partners, or third parties to preserve and disclose e-records, including internal e-mail and instant messages (IM). A high-profile example is the probe into alleged White House leaks of a covert CIA agent's identity in which White House employees received e-mail stating: ''You must preserve all materials that might in any way be related to the department's investigation.'' E-mail, telephone logs, and other electronic documents were mentioned specifically.

Any communication or file storage device is subject to computer forensic searches to identify, examine, and preserve potential e-evidence—the electronic equivalent of a "smoking gun." Preserving e-records and then restoring them so that they can be searched can seriously disrupt IS and over-burden Information Systems staff. What's more, a preservation order might specify not only the type of e-records (data files or email), but also stipulate that processes that over-write data be suspended, or that backup tapes be retained for unspecified duration. These stipulations are very disruptive to IS operations. That disruption depends largely on whether the company had an e-record management (ERM) system to systemically review, retain, and destroy e-records received or created in the course of business.