
IT's Importance in Proper ESI Management

By Regina A. Jytyla and Kelly D. Kubacki
January 29, 2010

Traditionally, corporations have relied upon the advice of outside counsel to ensure that legally sound procedures were in place to properly identify, preserve, review and prepare corporate data for litigation or an investigation. However, times have changed and these responsibilities no longer rest solely with outside counsel, if at all. Due to the economic pressures of the past year, the law and technology concerning electronically stored information (“ESI”) have developed at warp speed, allowing corporations to manage their data and litigation response differently. Corporations are increasingly taking more control of the e-discovery process, particularly in the early stage of information management, launching an evolution in the roles IT professionals and corporate attorneys play. Consequently, IT and legal must participate in a carefully choreographed dance in order to respond successfully to ESI requests. This entails developing an ESI strategy (in addition to a document retention policy), while utilizing tightened resources efficiently. Attention must also be paid to emerging technology that mandates routine updates to company policies, while safeguarding sensitive corporate data.

ESI Strategy

Electronic data proliferation is economically neutral: it grows exponentially in good times or bad. Since the vast majority of information is digitally created and stored, it is important for organizations to plan ahead and create an ESI strategy prior to litigation. However, less than 50% of corporations that responded to Kroll Ontrack's Third Annual ESI Trends Report indicated having an ESI discovery readiness strategy in place. (The ESI Trends Report is based on an independent survey conducted by Research Plus on behalf of Kroll Ontrack. A total of 461 (231 U.S. and 230 UK) online interviews were conducted among IT personnel and in-house counsel at commercial businesses. Survey questioning was completed between July and August 2009.)

Despite the low percentage of corporations that have an ESI strategy in place, a large majority reported having a document retention policy. This disparity suggests a lack of understanding of the difference between document retention and discovery readiness, and perhaps a false sense of security that the existence of a document retention policy is comprehensive enough to protect an organization when it must respond to a legal inquiry. While a document retention policy is certainly important, this alone does not adequately position a corporation to properly respond to a request for ESI that is related to an investigation or litigation. Having an ESI litigation strategy in place prior to litigation or an investigation will ultimately save the organization time and money.

Who is responsible for creating and enforcing the company's ESI litigation strategy? Of the respondents to the ESI Trends Report, 35% believe the responsibility for developing and enforcing the ESI strategy is shared between IT and in-house counsel. This trend is a testament to the technical nature of ESI and marks the importance of a marriage between the two departments to ensure that company policy is adequate, all encompassing, and feasible when a legal crisis breaks. The good news: 85% of organizations believe that IT and legal teams are working together effectively when responding to requests. While these relationships are strengthening, they are not without their challenges. These include role confusion and “language” barriers. After all, legal's strength lies with “legalese,” while IT's strength lies with charts, processes and technical language. Corporations should continue to focus on ways to bridge the IT-legal gap to foster a productive working environment in which both departments can draw from one another's expertise.

Creating and implementing an ESI strategy requires allocating resources. Indeed, 42% of survey respondents felt the effort to institute an ESI strategy creates “a lot of extra work for IT.” The truth is, an ESI strategy will allow for a quicker, more efficient response that will be less disruptive to corporations' already strained IT resources. It is human nature to believe “this won't happen to me,” but if a huge crisis occurs, the reactionary response usually proves to be significantly more costly and requires more IT resources to respond to than if investments were made upfront via an ESI readiness strategy.

Corporate Resources

As referenced in the ESI strategy discussion, a significant barrier many companies continue to face is tighter resources. According to the ESI Trends Report, the top challenges to responding to ESI requests were lack of time and human resources, lack of correct technology and unmanageable volumes of ESI. These challenges present the need to adopt proactive corporate data management policies (in addition to an ESI readiness strategy) that allow for more efficient uses of time, while easing the burden presented by growing data volumes.

Technology is the key to efficiency that will help ease strain on IT resources. One solution is data archiving. For instance, consider this sample request from legal to IT: “We need all e-mails from 2001-2002 for X, Y, Z custodians.” Prior to implementing an archiving system, IT personnel would have to restore e-mails contained on backup tapes, save the e-mails to a PST (personal storage folder), then save the data to a CD and mail that CD to the person who submitted the request.

Now, IT has options for more efficient records management through archiving. Records compliance management archival systems should be utilized by IT departments to manage the storage of all business records (not just e-mail), ensuring compliance with all regulatory and legal requirements. Archiving also allows IT to efficiently enforce the document retention policy. A litigation hold can quickly be put into place when the need arises, and fewer human resources are required. Properly implementing a litigation hold is vital to fulfilling e-discovery obligations, and shortcomings may lead to sanctions. For example, in KCH Services, Inc. v. Vanaire, Inc., 2009 WL 22166014 (W.D.Ky July 21, 2009), the Western District of Kentucky granted the plaintiff's motion for adverse inference sanctions, finding the defendant's failure to preserve ESI evinced a “continued unwillingness to place a meaningful litigation hold” on potentially responsive data. In addition, many archiving systems will allow users to search through potentially responsive data, effectively minimizing the volume of data that ultimately will need to be restored.

In addition to tighter human resources, budgeting is an issue for IT departments and corporations in general. According to the ESI Trends Report, IT personnel believe their organization spends roughly $400,000 more on ESI management policies than legal does. One reason for the discrepancy may be due to the fact that implementing ESI policies often requires money to be spent from IT budgets, although this certainly is not true for every company.

Regardless of what department's budget funds ESI management, proper funding for legal and regulatory needs is essential. The amount of money devoted to the creation, implementation and management of these policies may depend on the risk posed by the company's industry. For example, pharmaceutical and financial companies have a higher risk and experience more frequent litigation than many other industries. This makes investment and budget protection for ESI readiness even more important for these at-risk corporations. While it may seem tempting to make budgetary deductions for ESI-involved processes, doing so may decrease the company's ability to effectively respond to e-discovery requests and may result in more money being spent in the courtroom.

Policy Updates and Data Security

Your company has now implemented a properly funded ESI readiness strategy and thus is prepared to handle all future requests, right? Unfortunately not. Document retention policies and ESI discovery strategy plans should be treated the same way as disaster recovery and business continuity policies. Each policy should be examined, tested and updated on an annual basis to ensure the plan continues to meet the risk management needs of the company.

Tweaks to the policy must be made to account for emerging technologies, such as mobile devices and social networking sites. According to the ESI Trends Report, corporations are more likely to revisit ESI readiness policies to include mobile devices than instant messaging, cloud computing and virtualization, or social networking sites. The failure to account for changes in technology and new sources of potentially responsive data can lead to the failure to properly preserve and produce all pertinent data. Courts are unwilling to provide a “free pass” to companies who fail to address these issues, as evidenced by a recent ruling by the Middle District of Florida, Southeastern Mechanical Services v. Brody, 2009 WL 2883057 (M.D.Fla. Aug. 321, 2009). In this case, a computer forensics expert testified that the defendant intentionally wiped all data from BlackBerry smart phones. Given the nature of the destroyed evidence (personal e-mails, telephone records, text messages and calendar entries), the court determined the evidence was likely unfavorable to the defendants and therefore issued an adverse inference instruction.

Be Proactive

Updating ESI policies to account for technological advancements is also important for corporate data security. According to the ESI Trends Report, corporations experience almost two data breaches annually that can present several legal and technical issues. Overwhelmingly, corporations cite IT as the “go-to” when a breach occurs, which again raises the problem of tight resources and the need for proactive data management. One way to proactively approach data security breaches is to implement an incident response plan. A response plan should identify:

  • Possible sources of electronically stored information to investigate;
  • The person(s) who will be conducting that investigation; and
  • The person(s) who will have decision-making authority in the event of a data breach.

In addition, it is important to remember that any computer investigation of a data breach incident must be conducted in a forensically sound manner in order to ensure that the results of the investigation will hold up in court, if necessary.

One way to proactively approach data management is to create an application inventory and data map. This will identify key sources of ESI and important human resources that will provide organization to IT environments that are often an “uncharted morass” of individual hard drives, servers and removable media. Implementing a data map will allow for policy updates to be made more easily to reflect emerging technologies (such as those discussed above), and will also decrease the often time-consuming and expensive task of searching for information when confronted with a lawsuit or data investigation. A data map will also help the corporation's security incident response team defend against possible infections and identify the effects of an infection should one occur. Responding to a security breach properly and quickly matters, as it may help keep breaches out of the news spotlight, saving the company's reputation and goodwill. (For more on creating a data map, see, “X Marks the Spot: Lessons Learned from the Data Map Process,” in the Sept. '09 issue of LJN's Legal Tech Newsletter, available at www.ljnonline.com/issues/ljn_legaltech/27_6/news/152676-1.html.)

Conclusion

Everything learned from the Third Annual ESI Trends Report suggests that awareness of ESI has reached a pinnacle. Corporations must now refocus and implement defensible practices and strategies that will effectively manage current risks and future costs. A company's failure to prepare for e-discovery increases the vulnerability to shortcomings that could cost the organization significantly in the form of sanctions, as well as playing “catch-up” when an unexpected request for ESI occurs. Increased collaboration between IT and legal departments will aid in all phases of information management from properly securing critical business data to establishing effective litigation hold procedures. This working relationship is also vital to ensure reasonable care is exercised when providing complete and efficient responses to ESI requests.


Regina A. Jytyla, Esq. is a managing staff attorney at Kroll Ontrack. She tracks and reports on the evolving law and technology in the areas of litigation readiness and management of ESI, electronic discovery, and computer forensics. Kelly D. Kubacki, Esq. is lead law clerk for Kroll Ontrack.

 
