Electronic Discovery's Impact: Policies, Technology and Security

This was the decade of electronic discovery. Rapid development of technology, law and business processes, both in and out of the courtroom, brought legal and technical issues involving electronically stored information (ESI) to the fore. Although the General Counsel's office was the primary recipient of this uninvited wake-up call, legal is not the only department impacted by this change. IT departments across organizations must now understand the impact of ESI discovery obligations and regulations. Collaboration with legal is needed to create and implement new policies, while altering existing policies to keep pace with the rapidly evolving data storage and communication methods coinciding with the rising tide of ESI.

As a result of this role evolution, IT can no longer afford to lag behind legal with regard to knowledge of ESI policies and technology any more than legal can avoid assessing the impact of planned technology implementations inside the organization. A common theme that emerged from the Fourth Annual ESI Trends Report, a survey commissioned by Kroll Ontrack, was the growing gap between IT and legal's awareness of implemented company technologies, such as an archiving platform, legal hold tool and early case assessment (ECA) technology. The report also revealed a knowledge gap in terms of the existence of an ESI discovery strategy ' whether it had been tested, and how repeatable and defensible the policy appeared to be. Encouragingly, the survey revealed that legal and IT are cooperating and sharing responsibility for managing ESI for discovery requests now more than ever. [Note: The report is based on an independent survey conducted by Echo Research Inc. on behalf of Kroll Ontrack. A total of 203 online interviews were conducted among IT and in-house counsel at commercial businesses in the United States. Survey questioning was completed in June 2010.]

Policies, Testing and Defensibility

A majority of survey respondents indicated that they have a systematic policy
in place for retaining and disposing of an organization's print and electronic
documents in accordance with a designated retention schedule. This is one finding where legal (85%) outpaced IT (72%) in knowledge. Document retention policy implementation and enforcement is typically managed by IT, so the knowledge gap is somewhat surprising. Although it is the responsibility of legal to craft a policy that satisfies legal and business obligations, IT professionals must enforce the document retention policy as defined and developed by the orginization's legal and record management departments, as it is critical to successful and optimized data storage and essential for litigation preparedness and response, regulatory compliance and investigations.

Similar to document retention policy enactment, companies are increasingly implementing an ESI discovery strategy ' a pre-defined process for managing ESI in preparation for, or in response to, litigation, investigations or regulatory matters. Fifty-two percent of companies indicate they have this strategy in place, representing an increase from 46% from 2009. Unlike the document retention policy finding, a higher percentage of legal respondents (27%) are less knowledgeable about whether a policy exists than their IT counterparts (18%). However, IT and legal are sharing an increasing responsibility (44%) to develop and enforce the company's ESI discovery strategy, as compared with 35% in 2009. Thus, legal and IT (and often other key groups such as records management) must get on the same page in order to address the complexities posed by ESI and collaborate effectively.

Finally, simply implementing these policies is never enough ' companies must conduct tests to ensure the policies are achieving the intended effects. Despite the importance of testing, only 38% of companies have tested their ESI discovery strategy, yet 63% either tend to agree or strongly agree that their policy is repeatable and defensible. Are companies simply being too optimistic? Without conducting the necessary tests and modifying policies where necessary, companies should not be confident in policy effectiveness. Many organizations feel that their response policies and procedures are repeatable, simply because “that is the way we have always done it” or because their policies have not been subjected to challenge. While the process may have been repeated in various matters, it may not have been tested as truly defensible. The next case with a more sophisticated plaintiff, or the next investigation by a zealous regulator, may expose inadequacies in the overall process.

Archiving and Legal Hold Technology

In the ESI Trends Report, roughly three in five companies indicated that they possess an archiving platform. Although that number appears high, experience suggests that not everyone is on the same page regarding what makes an archiving solution efficient and effective. Is IT simply purchasing a solution without considering the legal reasons why an archive is necessary? An effective archiving solution allows multiple content types to be archived and stored, fully indexes the data contained therein, efficiently stores the archived data (e.g., single-instance storage, or data de-duplication), and has an efficient and effective output/search/retrieval mechanism. Legal should work with IT to define requirements for it wants to be archived, and define requirements for speed of output. Often, the attorneys do not realize how long it may take to search for and extract data from an archive when large, sweeping searches need to be performed in response to a litigation matter or regulatory inquiry.

Archiving platforms can also contain automated legal hold functionality. Only 53% of the companies surveyed have a mechanism in place to suspend their document retention policy, while 24% do not possess a legal hold tool and a further 23% are unsure whether a tool exists. The ability to suspend an automated document retention protocol when litigation or an investigation is reasonably anticipated is critical to any ESI discovery readiness program. Companies must identify what information is needed for a legal matter and preserve potentially relevant material immediately. Suspending the entire document retention policy is not a wise strategy as often the policy never gets turned back on, which may cripple an organization in terms of data storage and presents risks in relation to overpreservation. Therefore, a more sophisticated and targeted suspension mechanism is preferred.

Preservation and collection presented the number one discovery concern among survey respondents (24%). After recent court decisions, such as Victor Stanley, Inc. v. Creative Pipe, Inc., 2010 WL 3703696 (D. Md. Sept. 9, 2010), in which the defendant company's president was ordered to be imprisoned for a period of two years or until the plaintiff's attorney's fees were paid for preservation failures, it is clear that courts are losing patience with companies that struggle with proper preservation techniques. Possessing an archiving tool with legal hold functionality will help companies better fulfill their preservation obligations and avoid the court's wrath.

Another consideration when choosing an archiving system is the space allocated to both sending the e-mails into the archive and retrieving them. Having 32 servers allocated to process and capture e-mails into the archive, but only one server to retrieve the e-mails when needed, will render the search functions contained within an archiving tool relatively useless. Legal and IT should collaborate on these types of concerns and evaluate tools accordingly. Investing in an archive without choosing the proper system for the company's needs is a poor investment.

Similar to the document retention policy and ESI discovery strategy, organizations must test their archiving tool to ensure it is functioning properly. Is all of the data that is meant to be archived actually being captured? When searching for material via keyword, is it finding all instances of that word effectively (i.e., are the indices functioning properly)? If the answer to either of those questions is “no,” then the tool is not functioning as it should. In order to certify to a court that the archive is capturing relevant data in a reasonable manner, companies should perform audits and conduct tests. Best practices call for checking the tool at least every six months to a year to verify that information was in fact being archived and checked for indexing, corruption, etc. By conducting these tests, a company can certify that the system appeared to be functioning normally; however, companies should not certify that all data is in the archive as there are too many opportunities for a user to fail to archive data properly, or for the archive capturing system to fail.

Data Mapping as an Offensive Litigation Response Tool

Another important tool is a data map, which outlines a company's information systems and processes, allowing for the quick identification of important sources of potential ESI. Not surprisingly, IT (53%) is more aware of the existence of a data map than legal (35%).

However, despite the benefits presented by a data map, more than half of the companies surveyed do not have or do not know if their organization has an inventory of where all data is stored. Given the increasing complexity and risk associated with ESI, organizations must take proactive measures to understand where data is stored ' and how. Otherwise, a company may be faced with the task of producing ESI for an extended period, which occurred in Takeda Pharmaceutical Company v. Teva Pharmaceuticals USA, Inc., 2010 WL 2640492 (D.Del. June 21, 2010). In that case from the District of Delaware, the court ordered the plaintiffs to produce ESI for an 18-year period, despite the demonstration that the requested information was not reasonably accessible and would cost between $1 million and $1.5 million to retrieve. An up-to-date data map would have allowed the plaintiffs to more easily determine where the data existed and devise a smart strategy to retrieve it. In the formulation of a burden argument, they could have had more accurate information to define and predict the potential glut of data (and associated costs of reviewing and producing that data) that may have been required in this case. This could have allowed them to argue more effectively for sampling or cost sharing/shifting that may have reduced their costs.

Safeguarding Security

In addition to implementing policies and technology, safeguarding sensitive company information is a key aspect of corporate governance in an age where information is often a company's most valuable asset. Implementing security measures and policies will bring a significant return on investment by reducing the chance of a costly data breach. According to the ESI Trends Report, companies experience at least one data breach on an annual basis. Security threats to sensitive information are pervasive, and proactive risk management is required to reduce the likelihood of these costly incidents, whether they are internal or external, malicious or benevolent. Threat identification and ongoing system risk evaluation are imperative to developing plans and procedures to prevent data breaches. Unfortunately, these tasks are far more challenging as emerging technologies, such as cloud computing, social networking and mobile technology, add a new layer of potential targets to the traditional corporate IT landscape.

Despite an organization's best efforts, security breakdowns can ' and do ' occur. Any time a breach occurs, or an organization believes a breach has occurred, time is of the essence. Corporations must therefore assess their risks, develop and implement policies to prevent breaches, and establish plans to quickly respond to incidents when they occur. These plans should include the responsibilities of the response team and protocols to identify, preserve and collect evidence of the breach.

Conclusion

The past decade of high activity and change in the area of ESI discovery has had a “maturing effect” on companies with respect to preparedness and policy enactment. Organizations now understand the value of defining how they will manage ESI for discovery requests. Justifying expenditures for preventative measures and proactive policies may be difficult in a tough economy, but the costs are quantifiable, predictable and can be budgeted. Investing up front to mitigate risks in the future is a smart strategy for any organization. After all, good companies manage costs; great companies manage risk.

This was the decade of electronic discovery. Rapid development of technology, law and business processes, both in and out of the courtroom, brought legal and technical issues involving electronically stored information (ESI) to the fore. Although the General Counsel's office was the primary recipient of this uninvited wake-up call, legal is not the only department impacted by this change. IT departments across organizations must now understand the impact of ESI discovery obligations and regulations. Collaboration with legal is needed to create and implement new policies, while altering existing policies to keep pace with the rapidly evolving data storage and communication methods coinciding with the rising tide of ESI.

As a result of this role evolution, IT can no longer afford to lag behind legal with regard to knowledge of ESI policies and technology any more than legal can avoid assessing the impact of planned technology implementations inside the organization. A common theme that emerged from the Fourth Annual ESI Trends Report, a survey commissioned by Kroll Ontrack, was the growing gap between IT and legal's awareness of implemented company technologies, such as an archiving platform, legal hold tool and early case assessment (ECA) technology. The report also revealed a knowledge gap in terms of the existence of an ESI discovery strategy ' whether it had been tested, and how repeatable and defensible the policy appeared to be. Encouragingly, the survey revealed that legal and IT are cooperating and sharing responsibility for managing ESI for discovery requests now more than ever. [Note: The report is based on an independent survey conducted by Echo Research Inc. on behalf of Kroll Ontrack. A total of 203 online interviews were conducted among IT and in-house counsel at commercial businesses in the United States. Survey questioning was completed in June 2010.]

Policies, Testing and Defensibility

A majority of survey respondents indicated that they have a systematic policy
in place for retaining and disposing of an organization's print and electronic
documents in accordance with a designated retention schedule. This is one finding where legal (85%) outpaced IT (72%) in knowledge. Document retention policy implementation and enforcement is typically managed by IT, so the knowledge gap is somewhat surprising. Although it is the responsibility of legal to craft a policy that satisfies legal and business obligations, IT professionals must enforce the document retention policy as defined and developed by the orginization's legal and record management departments, as it is critical to successful and optimized data storage and essential for litigation preparedness and response, regulatory compliance and investigations.

Similar to document retention policy enactment, companies are increasingly implementing an ESI discovery strategy ' a pre-defined process for managing ESI in preparation for, or in response to, litigation, investigations or regulatory matters. Fifty-two percent of companies indicate they have this strategy in place, representing an increase from 46% from 2009. Unlike the document retention policy finding, a higher percentage of legal respondents (27%) are less knowledgeable about whether a policy exists than their IT counterparts (18%). However, IT and legal are sharing an increasing responsibility (44%) to develop and enforce the company's ESI discovery strategy, as compared with 35% in 2009. Thus, legal and IT (and often other key groups such as records management) must get on the same page in order to address the complexities posed by ESI and collaborate effectively.

Finally, simply implementing these policies is never enough ' companies must conduct tests to ensure the policies are achieving the intended effects. Despite the importance of testing, only 38% of companies have tested their ESI discovery strategy, yet 63% either tend to agree or strongly agree that their policy is repeatable and defensible. Are companies simply being too optimistic? Without conducting the necessary tests and modifying policies where necessary, companies should not be confident in policy effectiveness. Many organizations feel that their response policies and procedures are repeatable, simply because “that is the way we have always done it” or because their policies have not been subjected to challenge. While the process may have been repeated in various matters, it may not have been tested as truly defensible. The next case with a more sophisticated plaintiff, or the next investigation by a zealous regulator, may expose inadequacies in the overall process.

Archiving and Legal Hold Technology

In the ESI Trends Report, roughly three in five companies indicated that they possess an archiving platform. Although that number appears high, experience suggests that not everyone is on the same page regarding what makes an archiving solution efficient and effective. Is IT simply purchasing a solution without considering the legal reasons why an archive is necessary? An effective archiving solution allows multiple content types to be archived and stored, fully indexes the data contained therein, efficiently stores the archived data (e.g., single-instance storage, or data de-duplication), and has an efficient and effective output/search/retrieval mechanism. Legal should work with IT to define requirements for it wants to be archived, and define requirements for speed of output. Often, the attorneys do not realize how long it may take to search for and extract data from an archive when large, sweeping searches need to be performed in response to a litigation matter or regulatory inquiry.

Archiving platforms can also contain automated legal hold functionality. Only 53% of the companies surveyed have a mechanism in place to suspend their document retention policy, while 24% do not possess a legal hold tool and a further 23% are unsure whether a tool exists. The ability to suspend an automated document retention protocol when litigation or an investigation is reasonably anticipated is critical to any ESI discovery readiness program. Companies must identify what information is needed for a legal matter and preserve potentially relevant material immediately. Suspending the entire document retention policy is not a wise strategy as often the policy never gets turned back on, which may cripple an organization in terms of data storage and presents risks in relation to overpreservation. Therefore, a more sophisticated and targeted suspension mechanism is preferred.

Preservation and collection presented the number one discovery concern among survey respondents (24%). After recent court decisions, such as Victor Stanley, Inc. v. Creative Pipe, Inc., 2010 WL 3703696 (D. Md. Sept. 9, 2010), in which the defendant company's president was ordered to be imprisoned for a period of two years or until the plaintiff's attorney's fees were paid for preservation failures, it is clear that courts are losing patience with companies that struggle with proper preservation techniques. Possessing an archiving tool with legal hold functionality will help companies better fulfill their preservation obligations and avoid the court's wrath.

Another consideration when choosing an archiving system is the space allocated to both sending the e-mails into the archive and retrieving them. Having 32 servers allocated to process and capture e-mails into the archive, but only one server to retrieve the e-mails when needed, will render the search functions contained within an archiving tool relatively useless. Legal and IT should collaborate on these types of concerns and evaluate tools accordingly. Investing in an archive without choosing the proper system for the company's needs is a poor investment.

Similar to the document retention policy and ESI discovery strategy, organizations must test their archiving tool to ensure it is functioning properly. Is all of the data that is meant to be archived actually being captured? When searching for material via keyword, is it finding all instances of that word effectively (i.e., are the indices functioning properly)? If the answer to either of those questions is “no,” then the tool is not functioning as it should. In order to certify to a court that the archive is capturing relevant data in a reasonable manner, companies should perform audits and conduct tests. Best practices call for checking the tool at least every six months to a year to verify that information was in fact being archived and checked for indexing, corruption, etc. By conducting these tests, a company can certify that the system appeared to be functioning normally; however, companies should not certify that all data is in the archive as there are too many opportunities for a user to fail to archive data properly, or for the archive capturing system to fail.

Data Mapping as an Offensive Litigation Response Tool

Another important tool is a data map, which outlines a company's information systems and processes, allowing for the quick identification of important sources of potential ESI. Not surprisingly, IT (53%) is more aware of the existence of a data map than legal (35%).

However, despite the benefits presented by a data map, more than half of the companies surveyed do not have or do not know if their organization has an inventory of where all data is stored. Given the increasing complexity and risk associated with ESI, organizations must take proactive measures to understand where data is stored ' and how. Otherwise, a company may be faced with the task of producing ESI for an extended period, which occurred in Takeda Pharmaceutical Company v. Teva Pharmaceuticals USA, Inc., 2010 WL 2640492 (D.Del. June 21, 2010). In that case from the District of Delaware, the court ordered the plaintiffs to produce ESI for an 18-year period, despite the demonstration that the requested information was not reasonably accessible and would cost between $1 million and $1.5 million to retrieve. An up-to-date data map would have allowed the plaintiffs to more easily determine where the data existed and devise a smart strategy to retrieve it. In the formulation of a burden argument, they could have had more accurate information to define and predict the potential glut of data (and associated costs of reviewing and producing that data) that may have been required in this case. This could have allowed them to argue more effectively for sampling or cost sharing/shifting that may have reduced their costs.

Safeguarding Security

In addition to implementing policies and technology, safeguarding sensitive company information is a key aspect of corporate governance in an age where information is often a company's most valuable asset. Implementing security measures and policies will bring a significant return on investment by reducing the chance of a costly data breach. According to the ESI Trends Report, companies experience at least one data breach on an annual basis. Security threats to sensitive information are pervasive, and proactive risk management is required to reduce the likelihood of these costly incidents, whether they are internal or external, malicious or benevolent. Threat identification and ongoing system risk evaluation are imperative to developing plans and procedures to prevent data breaches. Unfortunately, these tasks are far more challenging as emerging technologies, such as cloud computing, social networking and mobile technology, add a new layer of potential targets to the traditional corporate IT landscape.

Despite an organization's best efforts, security breakdowns can ' and do ' occur. Any time a breach occurs, or an organization believes a breach has occurred, time is of the essence. Corporations must therefore assess their risks, develop and implement policies to prevent breaches, and establish plans to quickly respond to incidents when they occur. These plans should include the responsibilities of the response team and protocols to identify, preserve and collect evidence of the breach.

Conclusion

The past decade of high activity and change in the area of ESI discovery has had a “maturing effect” on companies with respect to preparedness and policy enactment. Organizations now understand the value of defining how they will manage ESI for discovery requests. Justifying expenditures for preventative measures and proactive policies may be difficult in a tough economy, but the costs are quantifiable, predictable and can be budgeted. Investing up front to mitigate risks in the future is a smart strategy for any organization. After all, good companies manage costs; great companies manage risk.