E-discovery should be the thing which causes IT departments to break out their cub scout books and remember what it means to “be prepared.” A recent article posted by the Wisconsin Technology Network discusses the meanings of emerging trends in electronic discovery:

A CIO who is on top of things will have frequent meetings with staff attorneys, review e-discovery processes, and map out what the organization’s infrastructure looks like - essentially knowing where data “lives” so the organization can react to litigation. The number of hours spent on e-discovery is growing, but the time investment depends largely on a company’s litigation profile.

This will sound familiar to frequent readers. The article notes some general trends:

Even for complacent companies, Phelps said e-discovery case law is providing more answers in three specific areas: litigation holds, obligations to preserve data, and the determination of what information is reasonably accessible.

Of course, sometimes the guidance is conflicting and ambiguous, but what is clear is that indifference to the rules won’t be excused by courts.

Two articles (ht: EDD Blog Online) I’ve just read illustrate the need for corporate legal and IT departments to be proactive with respect to the effects of litigation on everyday IT decisions. Mark Apicello has penned an article that suggests your lawyer accompany you when you buy storage hardware:

[Choosing hardware] used to be relatively simple: Research your requirements; conduct a critical analysis of how your current infrastructure meets those needs; and then make Draconian decisions on what to toss, what to buy, and what can be reasonably integrated with new systems.

And when it came to requirements, they traditionally boiled down to balancing capacity and speed. Thanks in large part to regulations such as the FRCP (Federal Rules of Civil Procedures), however, that is no longer the case. These days, choosing a storage system without knowing your company’s legal obligations can cost you dearly.

Hmmm. Considering how well attorneys and technology mix, this thought seems unlikely to make the typical IT pro’s day.

A second article, suggests that IT will be blamed if something goes wrong during e-discovery:

In a survey conducted by Canvasse Opinion among in-house legal departments at 200 of the Fortune 500 companies, 18 percent of the attorneys said that IT has primary responsibility for the development of an ESI [Electronic Storage Information], aka e-discovery, strategy/policy within their organization.

Let me add that FRCP covers only litigation. Government regulations and ensuing investigations would more than likely make an even greater demand on e-discovery than the new Federal Rules, according to Kristin Nimsger, Kroll Ontrack president, the company for whom the survey was conducted.

Okay, well 18 percent is far from a consensus, but this will nevertheless irritate those in IT. Ultimately, the lesson that should be gleaned, is that corporations need to address the issue before major disputes erupt. Being proactive is the key. And, as Ralph Losey might suggest in one of his well-written articles, obtaining a bit of technical competence might not be a bad place to start:

[P]laintiff’s position was basically that since the email was not reasonably accessible to plaintiff’s counsel, it did not have to be produced. After all, he argued, there could be privileged materials in there. Apparently it never occurred to him to hire someone with technical competence to open and read the emails for him.

The court doesn’t usually buy incompetence, and such an argument might very well establish an attorney’s violation of Model Rules requiring diligent and competent representation. Be careful there, buddy.

Again…e-discovery is part of every-day litigation. Follow the example of the Boy Scouts, and be prepared.

A recent post of ours cautioned readers to be careful on formulating, and to use some method of verifying, their initial assumptions. We refer to initial assumptions with respect to EDD as assumptions on keywords, effective date ranges, and data sources that must be preserved for an electronic discovery project.
Law.com has posted an article discussing keyword searches, and calls attention to one danger of not carefully considering the formulation of search criteria:

The results of a recent e-discovery keyword search should have come as no surprise. Working on a case related to a specific transaction, the attorneys requested production of all documents containing the word “buy.” Despite being cautioned against this broad search, they were reluctant to heed the warnings, and many unrelated documents were incorrectly deemed responsive. Unfortunately, it takes a $750,000 mistake like this one for some people to understand the benefits of using a strategic approach to keyword selection.

If this had been my project…well, never mind. As I have said repeatedly, it is essential for the initial assumptions used in extracting data for review to be thoroughly vetted, because the filter ultimately determines what documents the reviewer sees. Searches that are too broad cost time and money. Searches that are too narrow will miss vital data, and could cost the client even more in the long term (by skipping over helpful information or by landing them in hot water with the judge). The importance of the process of building a verifying a list should not be underestimated.

That said, keywords are not the panacea. New technologies, using concept-based ontologies and techniques continue to evolve, and will move us beyond the era of the boolean keyword search.

Doesn’t sound like a good idea to me, nevertheless, it seems to be a recommended approach suggested by an article on data governance by DM Review.

Like all governance efforts, IT and the business must work in tandem to identify responsibilities as they pertain to content vulnerabilities. Just as executive management and legal personnel need IT’s help in realistically understanding retention technology capabilities, IT will require clear guidance on what system controls to implement per corporate document retention policy. Companies must have the collective will to discuss and prioritize email governance issues and be proactive in addressing retention policies before a legal action or unauthorized dissemination of classified information puts the enterprise at a competitive disadvantage. Most importantly, employees company-wide must be familiar and comfortable with general email and document retention policies if such directives are to achieve uniform success across the enterprise.

On the face of it, I don’t disagree with the passage above, however, I do feel that by depending upon individual employees for compliance is a recipe for disaster. Any document management system must be able to take the responsibility of compliance-based retention (whether it be for regulatory or legal reasons) out of the hands of individuals, and into a process-based system that is strictly followed (whether by automation or policy). Such a system is easier to defend and produces better results.

Computer Technology Review posts an article by Fios’ Brad Harris on data collection. Actually, it discusses both custodian identification and collection:

The first consideration in improving an organization’s litigation readiness is to identify where and how personal data is being created and stored. What applications are used to create messages and/or documents throughout the organization? Are application programs centrally managed to limit the types or versions being used?
[...]
Once an employee’s personal data repositories has been identified as potentially relevant to a particular matter, there are a variety of methods used to preserve or copy source files for electronic discovery. Typical collection methodologies range from user discretion, where the employee chooses which files are appropriate, to full forensics imaging that use investigative software to preserve an entire hard drive. Different methodologies have differing cost and risk impacts and, therefore, vary in their applicability.

The article is nicely done, and Brad created a neat matrix comparing the various methods of collection.

[HT: EDD Blog Online]

Ahh…a favorite topic (likely…not)! And the second installment on our series on effectively managing e-discovery.

The first item of business is to determine why (or even if) you need a vendor. Vendors fill niches from pre-dispute planning (document management, records management, providing a litigation hold plan) to data collection, to pre-review filtering and searching, to EDD processing, to providing Web-based review platforms for attorney review, for production, and for running Trial presentation systems, and for a hundred things in between. Some projects, especially smaller ones, are completely handled by outside counsel. A few corporations have processing capabilities in-house as well. In looking at large e-discovery projects, the management team (whoever is making the decision) has various models of vendor selection from which to choose.

First, there is an approach similar to that of hiring a general contractor. A knowledgeable and experience person is hired for the position of coordinator, or project manager who manages the project, on behalf the client company. This could be an attorney specializing in e-discovery law and related areas, or could be an expert who concentrates on the technical processes involved. One of the advantages of this approach is that allows some insulation for both the client and outside counsel with regard to liability for improper methodologies and approaches. The other main advantage is the one most hoped for: that the project is run expertly and competently, and is therefore free of any errors that might result in any substantial inefficiencies during the project itself, or (worse) deficiencies in production. Disadvantages include a lack of control over the process, and the requirement of fashioning an effective method of hiring the right manager. Also, that insulation that might be provided is certainly not absolute, as the hiring decision, and any progress monitoring program should be conducted with the thought of them holding up to a court’s scrutiny down the road. More often, either outside counsel or in-house counsel, or one of the litigation support professionals attached to the law firm or client end up managing the project. Disadvantages to this approach include the exposure to liability for the manner in which the project was managed and for any defects in the production.

No matter who manages the project, someone will have to collect, process, cull, house, review, and produce the documents. This can be a one-vendor solution (usually except for the “review” portion, often the domain of contract attorneys) or it may be broken down by segment and divvied up to vendors based on criteria such as price, competence, relationships, or some combination of such factors. A one vendor solution may reduce problems associated with communication and different technologies, capacities, and methodologies. Multiple vendors working together on large projects often are forced to reconcile incompatibilities in data formats, and must communicate clearly and frequently to avoid undue inefficiencies during the project. Personality differences and natural competitiveness must also be put aside for the sake of the common good. I’ve seen examples where minor mistakes were blown out of proportion by vendors who, upon discovering the issue, sent e-mails to everyone in the project team trumpeting their discovery. On the other hand, there is a level of quality checking that is accomplished by this arrangement.

It is my view that the process used to select a vendor (or vendors) is one of those key points of time in the litigation, with respect to discovery. A thorough vetting of a vendor’s capabilities, technology, experience and reputation is essential to defending that decision in the future should the need arise. Both law firms and corporate legal departments should request extensive information from candidates that outline their qualities necessary to the tasks they will be eligible perform. Preferred vendor lists should be built, examined periodically, and modified according to ever-changing circumstances. The primary purpose of the process is to select capable vendors. An important secondary purpose, however, is to craft a process that can be defended should something go wrong.

Although acknowledging that there exist no perfect solutions, the blogger behind Datakos lists items that may help to control e-mail rention issues. Many are sensible, straightforward suggestions. In describing an open source solution (which remains unnamed in the post), he describes the process for implementing litigation holds:

Through a basic, web-accessible interface, lawyers with permission-based access could run queries based on criteria derived from the legal or regulatory matter that required a hold. The query process had an audit trail. A hold, or multiple holds would attach to an email in the repository following the finalization of the query. Everything else not subject to hold had a limited shelf life in the repository and was purged periodically (e.g., every 90, 120, 180 days). The system is not perfect, but it worked.

Interestingly, this item mentions multiple holds, which was the central theme in one of the comments we’ve received on the subject of litigation holds.

DataKos blog has posted an article seeking to persuade organizations to develop a litigation hold database:

Effective compliance with the Federal Rules of Civil Procedure and the Federal Obstruction of Justice Law is unattainable without the existence of an enforceable records and information management program.

The blogger says that initially excel or access could be used to do the job, but that ultimately an organization should look for a solution that is accessible to in-house personnel and outside counsel for both review and update. He suggests MS Sharepoint as an option.

The presence of such a tool is important for many reasons. It allows e-discovery team members and others to track the various collection and processing projects, while helping out in the resource management end by indicating to IT or Records Management when a hold is released and document retention policies can be resumed (and deletion of old records can finally occur-freeing up space). Furthermore, if the database tracks individual projects, you can also insure that vendors who have possession of what may be very important information, destroy the data in a timely fashion. This helps minimize the possibility that sensitive information could be accidentally released.

Government Computer News has an article describing the findings of an e-discovery working group for state CIO’s:

State chief information officers need to better prepare for electronic discovery as they take on more responsibility for proper management of their states’ information assets, a new briefing from the National Association of State CIOs states.

E-discovery is an important issue for the public and private sectors as more critical business information is moved into electronic form, NASCIO officials said, adding that successful location and retrieval of electronic information can be critical to the outcome of a lawsuit.

The brief suggests that e-discovery “stakeholders” include such parties as “state archivists, legal counsel, records managers and agency business leaders.” It goes on to recommend that strengthen solutions for e-mail archiving and searching, and content management:

CIOs must also boost efforts to automate e-mail capture and federated search, which involves the simultaneous search of multiple online databases, said Peter Berkel, global solutions leader for the public sector at EMC, a leading storage and information management company. Berkel is also a member of NASCIO’s E-Discovery Working Group.

In addition, CIOs must better manage content and deploy flexible strategies to accommodate new rules, legislation and technology related to e-discovery, he added.

Pre-dispute preparation, while not the most exciting thing in the world, is far less painless than learning on the fly after a dispute has already occurred.

Personal Injury attorney Steven Klearman has posted an article on the dangers of, what he calls, “rogue email practices”:

Not too startling was the fact that the average employee sends and receives an average of 170 e-mails per day at work and that nearly a third of the respondents use their personal e-mail accounts (e.g. AOL, Yahoo mail, Hot Mail etc.) for business purposes at least twice a week. More startling is the fact that 17% of the respondents use their personal e-mail accounts for business every day.

He describes the “potential for legal liabilities” as “off the charts” because of these relatively common place practices. We have already posted about the the potential for harm to employees as well.

I have spoken to groups on subjects discussing the need to have a plan for litigation holds and data management once litigation can be “reasonably anticipated.” One of the functions of such preparations should be to minimize the growth of discoverable data sources beyond the company’s IT infrastructure. Mixing business with personal activities expands the potential data universe of discovery.

But that is countered by the fact that employees are often asked to sacrifice personal time for work, and the growth of e-commerce and online financial institutions. It is easier and quicker for an employee to pay a bill online than to take 30 minutes or more to do so in person. Greater variety in the types of data sources, and a higher level of integration of these devices into our personal life make commingling activities effortless. Drawing a line in the sand is not only difficult, but the very trends of technological progress may ultimately make it impractical.