ADDRESSING E-DISCOVERY RELATED RISKS
The E-Discovery lifecycle
Each electronic discovery event follows a basic lifecycle. This lifecycle starts with (1) preparation, followed by the issuance of (2) a litigation hold order, which (if successful) ensures (3) preservation, which is followed by (4) searching / collection, and then (5) capture / extraction, which feeds into (6) production, followed by (7) closing processes. The lessons learned from the closing processes then feed into preparation for the next electronic discovery event, making this pattern a closed loop. Each step in the E-Discovery lifecycle will be discussed in turn. But before the facilitation of individual E-Discovery events can be examined, the initial establishment of the overall framework needs to be explored.
Establishing an E-Discovery framework
An E-Discovery framework is the foundation upon which E-Discovery facilitation processes are built. It includes the people, policies and tools that must be firmly in place before the first electronic discovery request is received. There are as many possible unique E-Discovery frameworks as there are organizations, as a one-size-fits-all approach leaves gaps that may fail to address the unique characteristics and requirements of a specific organization.
An organization’s E-Discovery framework should be ‘defensible’ and ‘auditable’. This means that it should be grounded in sound legal requirements, it should be well-documented and actual practice should essentially mirror documented procedures. The key elements of such a framework are described in the sections that follow.
E-Discovery task force
An E-Discovery task force should be chartered to oversee organizational readiness and litigation support efforts. Having the right mix of people is a critical success factor. This task force should include members of the legal department, IT experts, records management professionals, compliance officers, enterprise risk managers, and business leaders. If an organization is very large, it may make sense to designate ‘E-Discovery liaisons’ throughout its locations. Regardless of the size of the organization, however, a single ‘point person’ should be assigned to spearhead E-Discovery activities within the IT department.
The members of the task force should receive formal training to properly prepare them to carry out their responsibilities. Training topics should include an overview of the American legal system, E-Discovery basics, the FRCP, the organization’s E-Discovery framework and processes, proper ESI collection techniques, evidence handling, forensics, spoilage, privilege review, and the consequences of non-compliance.
Early warning system
Courts have established a duty to preserve all relevant documents once litigation is ‘reasonably foreseeable’. It is no longer adequate for organizations to wait until they have received a formal request before taking any action to preserve evidence. They need to be proactive, not reactive. To fulfil this duty, organizations should create an E-Discovery ‘early warning system’ so that stakeholders are aware of situations that may lead to litigation as soon as possible.
Examples of high-risk situations that should trigger ‘early warnings’ include employee dismissals, accidents, product malfunctions, financial restatements, takeover bids, and threats of litigation by employees, customers, or business partners. The benefit of having such a system in place is that it increases the amount of preparation time an organization has to fully execute its E-Discovery related responsibilities.
Because the deadlines laid out in the FRCP are tight, there is no time to waste on trivial tasks. Long before it is needed, an ‘E-Discovery toolkit’ should be assembled.10 This toolkit should contain the following items:
• ‘Litigation hold’ communications templates.
• Names and numbers of key technical experts (internally and third parties).
• E-Discovery procedural handbooks.
10 E-Discovery toolkit available at www.27001.com/products/47
This toolkit should be updated on a regular basis to reflect changes in personnel, technology, and the law.
Inventory of information
If an organization does not already have an inventory of its information, one should be created. What data exists, where that data is located, how it is stored, and how it can be retrieved should be recorded. The cost of restoring it should be estimated. Owners and custodians of information should be recorded (or named). Information that is no longer actively used must be included in the inventory, as well as that held by third party custodians. Given the volume of information that is likely to exist, a risk-based approach should be used when compiling the information inventory. Focus should be placed on the documents that are most likely to be called upon during litigation. By knowing where electronic evidence lies, an organization can minimize its search time and volume and dramatically reduce the materials passed on for legal review, as well as the subsequent costs of that review.
Records management policies
At the foundation of any effective E-Discovery framework lies the organization’s records management policies. If records management policies do not exist, they should be created. If they do exist, they should be revisited in the light of changes in the requirements. The policies should address all aspects of the document lifecycle, from creation to retention to destruction. They should outline when records may permissibly be destroyed either because the business need to retain them no longer exists or because all applicable litigation holds have expired. ESI that is kept when no longer needed only serves to create a dormant liability. Additionally, it is important to ensure that document management policies are signed off by senior management, supported by IT systems, and consistently followed.
Information systems usage policies
In addition to records management policies, the E-Discovery task force should review the organization’s information systems usage policies with E-Discovery in mind. Such a policy should encourage employees to save all work to a shared file server or other centrally maintained system where it can be easily tracked down in response to a discovery request. The policy should limit the use of non-IT provided services (such as public e-mail accounts) for business reasons. To assist in the evidence collection process, the use of descriptive filenames should be encouraged. These revisions (and their subsequent enforcement) will minimize the chance that users will generate additional E-Discovery risks.
With the E-Discovery framework in place, the organization is better prepared to handle individual litigation events. Attention will now be focused on addressing risks within the E-Discovery lifecycle.
Preparation for each individual case
Prior to ‘meet and confer’
Within 90 days after the appearance of the defendant before the court, the parties to the lawsuit must hold a pretrial conference, at which provisions for the disclosure or discovery of ESI must be made. The following is a list of items that should be generated by the E-Discovery point person in IT for the attorney handling the case, prior to this ‘meet and confer’ session:
• A list of people within the organization most knowledgeable about the systems that hold information that is likely to be relevant to the case.
• A list of any third-party custodians of relevant information.
• A list of each system that may contain relevant information.
• An estimation of the level of difficulty of accessing the relevant information.
• A list of relevant electronically-stored information that has been stored offsite or off-system.
• A description of any efforts undertaken to date to preserve relevant information.
• The form of production that is preferred by the custodians of the relevant information.
• Notice of any problems that can be reasonably anticipated in complying with discovery requests for relevant information.
The information that the E-Discovery point person in IT prepares for the ‘meet and confer’ session will enable the attorney to object to requests from opposing counsel for documents that are not ‘reasonably accessible’. According to the committee notes that accompany the amendments to the FRCP, ‘the requesting party has the burden of showing that its need for the discovery outweighs the burdens and costs of locating, retrieving, and producing the information’.11
Incoming discovery requests should target particular electronic information (those produced or received by key witnesses, specific documents or types of documents, search strings and timeframes, etc). The E-Discovery point person in IT should make sure that the requesting party has set reasonable collection parameters and should ask his or her legal team to object if that is not the case. If the E-Discovery point person in IT has provided the attorney handling the case with the information he needs to properly inform the judge, there is a greater chance that the organization’s discovery objections will be sustained.
11 ‘Amendments to the Federal Rules of Civil Procedure: E-Discovery Amendments and Committee Notes’, Administrative Office of the US Courts, 1 December 2006, p 16.
As soon as an organization has a reason to believe that litigation will arise, its legal team, with input from the E-Discovery point person in IT, should issue a ‘litigation hold’ notice. While the need to preserve relevant documents in a litigation hold is not new, the focus on electronic documents has increased since the adoption of the amendments to the FRCP. It is no longer okay to blast a memo out with boilerplate language that essentially says, ‘We’re being sued by X. Please hold all relevant documents’. A proper litigation hold must meet a number of requirements to be considered adequate.
A litigation hold notice should sufficiently describe the kinds of information that must be preserved. It should provide clear and detailed instructions to all potentially involved employees about what records must be kept, by subject and document type. The litigation hold notice should also state directly that electronic as well as paper documents must be preserved.
Any one who has an obligation in terms of the possession, custody , or control of relevant documents should receive a litigation hold notice. This includes departments that are responsible for maintaining the systems or files that have no particular owner but are within the scope of the litigation. Notices may also need to be sent to third parties – especially if business or IT processes are outsourced.
Litigation hold notices should be repeated periodically to remind all involved recipients of their preservation obligations. Personal follow-ups and compliance checks should be pursued with key employees to make sure that the memo was received, read, understood, and implemented.
The release of the litigation hold memo marks the beginning of the preservation phase of the E-Discovery lifecycle. In this phase, the organization takes steps to ensure that ESI that may be in-scope for the case is retained. Any delay in taking preservation steps increases the danger of claims that evidence was not properly preserved.
Locating relevant information
The first step of any preservation effort is to actually locate the ESI that should be preserved. IT plays a key role here because it is often the custodian of an organization’s information. Due to the pervasiveness and distributed nature of computing systems today, this can be a formidable task. In fact, ESI exploration is often the most resource-consuming component of the E-Discovery process, particularly in large, complex, and geographically distributed organizations.
Typical repositories of relevant ESI include:
• Records management systems
• E-mail servers
• E-mail archive systems
• File servers
• Databases / data warehouses
• Back-up systems
• Image scanning systems
• Personal computers
• Handheld devices
A responding party may satisfy its good faith obligation to preserve potentially responsive ESI by using electronic tools and processes, such as data sampling, searching, or the use of selection criteria, to identify data most likely to contain responsive information. The organization’s information inventory can also be leveraged to quickly narrow down potential data sources.
The scope of the search must be reasonable. It is not feasible or reasonable to look for all potential repositories of information. For instance, e-mail on a Blackberry may be relevant to a case, but if it is only duplicative of information stored in the employer’s e-mail system, then it probably isn’t necessary to collect information from it.
Once an organization identifies relevant ESI, it must be preserved. The most significant danger for IT with preservation is the existence of routines that automatically prune records on a periodic basis. According to the committee notes that accompany the amendments to the FRCP, ‘intervention in the routine operation of an information system is one aspect of a litigation hold’.12 It is therefore critical
It is important to remember that accessibility of information does not have a bearing on the duty to preserve it. As the committee notes to the amendments to the FRCP explain, ‘a party’s identification of sources of ESI as not reasonably accessible does not relieve the party of its common law or statutory duties to preserve evidence’.13
Special steps should be taken to capture the information maintained by relevant employees who depart the company or change jobs during litigation or when hardware is replaced. Laptops or PCs (or even just the hard drives within them) should be set aside (locked away – maintaining the chain of custody ) until they can be forensically imaged (if necessary).
An effort should be made to identify and preserve any data that is shared (for which there is no single owner who has the responsibility of carrying out a litigation hold order), such as that found in centrally maintained information systems.
Metadata may be critically important or completely irrelevant to a case, depending on the circumstances. The routine preservation of metadata is beneficial, however, as it affords the producer an additional opportunity to prove its authenticity.
Good faith destruction
Due to the complexity of modern computer systems, there exists a potential for good faith errors or omissions in the process of preserving electronic information. If destruction of ESI occurred in compliance with a ‘reasonable’ pre-existing records management policy, this is usually considered prima facie (Latin for ‘not needing proof unless evidence to the contrary is shown’) evidence of the ‘good faith’ of an organization.
As noted by Donald S Skupsky , a renowned expert in the legal aspects of records management, ‘in the absence of a duty to preserve records, courts have consistently refused to sanction parties who have destroyed records pursuant to a records management program’.14 This underscores the need to have a good records management policy in place and to ensure that it is being followed.
If, on the other hand, the litigant knows that information that is relevant to a case is scheduled to be destroyed according to a routine document retention policy and the party does not act to prevent that destruction, spoliation can occur. Spoliation is the improper alteration or destruction of data. If this happens, the court can infer that the missing information was probably damaging to that party ’s case. The court can levy sanctions, even if those documents still exist in another format.
Collection / extraction
Once the ESI that is relevant to the case has been identified and preserved, it must be captured in preparation for production. This phase of the E-Discovery lifecycle is often referred to as ‘collection’ or ‘extraction’.
Because ESI may be used in litigation and thus has the potential to become ‘evidence’, it must be treated as such. As with any type of evidence, its authenticity can be called into question by the opposing counsel or by the court. The use of forensically sound collection procedures can help the producing party prove the authenticity of that evidence. ‘Forensically sound’ means that the evidence has been collected in a manner that is scientifically objective. For ESI, this usually means taking a bit-by-bit mirror image of the medium the information was originally stored on.
Forensic imaging is preferred because: (1) the authenticity of the information can be verified using a one-way cryptographic hash function; (2) it captures all information on a medium (not just ‘active’ files); (3) it captures data without modifying it; and (4) it usually includes metadata, such as when it was last accessed and by whom.
To help demonstrate that the evidence has not been mishandled or altered in transport, a ‘chain of custody’ must be maintained. This is basically a log that accompanies the evidence, whereby the names of all handlers and the times of transfers are recorded from the point of collection to the present.
Forensic imaging requires special tools and expertise. If collection / extraction will be handled in-house, then personnel must be provided with the necessary tools to minimize the risk of data corruption during the collection process, instructed on the format in which data is to be collected, and counselled on proper chain of custody documentation. If an organization already has this skill-set in-house, then these resources can be leveraged. However, the objectivity of in-house personnel may be called into question, based on the perception of bias.
To eliminate the bias question (and because the shortage of experts in the forensics field makes in-house capabilities cost-prohibitive for all but the largest corporations), most organizations use the services of third-party forensics experts. Because discovery timeframes are tight, it is best to have experts in this area (internal or external) lined up before they are needed. This may involve signing retention contracts with forensic service vendors.
Because the cost of collecting ESI in a forensically sound manner can be very high, it does not make economic sense to extract all potential evidence in this manner. Instead, a ‘risk based’ approach should be used. Forensics should be leveraged whenever ESI is likely to be critical to the case or where there is a high probability that its authenticity will be called into question. Evidence can always be authenticated using non-scientific methods (for instance, through eyewitness testimony or through metadata such as access logs and file alteration data), so it doesn’t make sense to use forensics more frequently than needed. Also, forensic versus standard data collection is ‘negotiable’ between the parties (and / or can be left to the discretion of the court) in each case.
Whether or not forensically sound mechanisms are used, the data collection process should be well-documented. This documentation should describe what is being collected and the procedures used to validate the collection. If ESI has been found to have been tampered with, a court can render sanctions for spoliation, just as it could if the information had been destroyed in bad faith.
Although uncommon, the opposing party may seek a court order to directly inspect the organization’s computer systems. The counsel of the respondent should oppose such inspections. However, if the order is affirmed by the court, it is important for the organization’s IT department to fully cooperate with the court’s wishes.
Once the ESI related to a case has been collected, it must be reviewed for privilege before being produced for delivery to the opposing side. In legal terms, ‘privileged information’ refers to documents that are exempt from disclosure. Pre-production privilege reviews are important because, for the most part, privilege is waived upon disclosure, even if that disclosure was inadvertent (with some exceptions).
E-Discovery review protocol
E-Discovery projects are becoming bigger and more complex. This makes it increasingly necessary to adhere to a defined review protocol. Such a protocol helps an organization to reduce risk, manage costs, and ensure that best practices are followed.
The first step in an ESI review protocol is to set up repositories of collected information. These repositories should hold copies of the original documents, as accessing the originals would probably taint them as evidence.
Next, tools will need to be provided to reviewers to allow them to view the documents and to track their progress. These tools can be ‘home grown’ (native file readers and a spreadsheet) or commercial (specialized E-Discovery review software) in nature.
Finally, the legal department, in conjunction with an IT professional, should develop and distribute a handbook for legal reviewers. This handbook should both describe the process for performing the privilege review and give instructions for using the tools needed to accomplish the task.
Because of the quantity of information involved, and the time and cost required to review it, inadvertent disclosure of privileged information is difficult to avoid. Attorneys have a couple of tools available to them to limit this risk. These are known as ‘clawback’ and ‘quick peek’ agreements. Under such agreements, the producing party agrees to share discoverable information with the requesting party before a privilege review can be performed. The requesting party then agrees to return any documents that the producing party later identifies as privileged.
Such agreements may or may not offer significant protection. For this reason, pre-production privilege reviews are still preferable, even if the volume of information is large. The implication of this for IT is that it behoves them to have the infrastructure and tools in place to support the legal department’s expeditious review of materials.
Special masters or court-appointed experts
Under special circumstances, a court may appoint a ‘neutral’ person (a ‘special master’ or a court-appointed expert) to oversee E-Discovery issues. The benefit of using a neutral third party is the probable elimination of privilege waiver concerns. The downside of this arrangement is that the producing party loses a level of control over its discovery efforts (and their costs). The IT department may also have to adjust its protocols and procedures to the preferences of this third party.
Following the review of ESI for privilege, the organization must produce it. This step in the E-Discovery lifecycle essentially involves packaging information for delivery to opposing counsel.
The fundamental issue in production is the form it will be delivered in. According to the amendments to the FRCP, the form selected should be the format in which the information is normally maintained or in another form that is ‘reasonably usable’.15
15 ‘Amendments to the Federal Rules of Civil Procedure: E-Discovery Amendments and Committee Notes’, Administrative Office of the US Courts, 1 December 2006, pp 32-3.
For documents that are already in a format that is commonly used (for example, Microsoft Office document files), copies of the original files should be sufficient. For electronic data that is stored in a proprietary system or an uncommon format, the information may need to be converted to a form that the opposing party can use, such as a PDF document or a TIFF image file.
Remember that the format chosen should allow the parties to verify the authenticity of the documents for evidentiary purposes. In many cases, by providing the document in its original format, any metadata associated with a document will remain intact within the file (for example, authorship information, document change history, etc).
According to the committee notes that accompany the FRCP, ‘the requesting party may ask for different forms of production for different types of ESI’.16 However, ‘the same ESI ordinarily need be produced in only one form’.17 So asking the responding party to provide one set of documents in Word format and another set of documents as TIFF images will probably be okay, but asking for the same documents in both electronic and paper form would not be.
The ‘reasonably usable’ production format language should not be abused. Per the committee notes accompanying the FRCP, ‘the option to produce in a reasonably usable form does not mean that a
responding party is free to convert ESI from the form in which it is ordinarily maintained to a different form that makes it more difficult or burdensome for the requesting party to use’.18
In the final step of production, the document collection should be placed on a medium that is acceptable to the opposing party and / or the court (typically, burned to a CD or a DVD) and delivered.
Once discoverable ESI has been produced and delivered, the execution phases of the E-Discovery lifecycle are essentially over. At this point, the organization could declare ‘mission accomplished’ and wait for the next litigation event to come along.
Organizations that want to increase the maturity level of their E-Discovery processes, however, should hold an E-Discovery event ‘post mortem’. The objective of the post mortem meeting is to create a list of ‘lessons learned’ that can be leveraged to improve the process going forward. Discussion topics should include what went right, what can be improved, what actions will be taken to accomplish the suggested improvements, who is responsible for carrying out these tasks, and when they will be done. The progress of these action items should then be tracked to completion.
Governance and controls
E-Discovery tools often offer the potential for abuse. For instance, tools that have been implemented to assist the E-Discovery task force with finding case relevant information within e-mail databases and chat transcripts can be misused by IT personnel to monitor people’s communications in an unauthorized manner or to override access controls to view private information. For this reason, there must be controls over the use of these systems.
Whether collection is done by the end user, litigation support personnel, or IT personnel, it should be accomplished under a well-defined protocol. The number of people who have access to E-Discovery search and collection mechanisms should be minimized. Content searches should be limited to the selection criteria and search terms that have been authorized in a formal search request. A log of all E-Discovery related search and collection activities should be maintained. And the use of such systems should be audited periodically.
Continuous / ongoing
The previous section covered activities that should occur through the phases of an individual discovery event. This section recommends the activities that should be taking place in between E-Discovery events.
Rehearsing / testing E-Discovery processes
The strict time limits for discovery that have been laid out in the amendments to the FRCP mean that the level of preparedness and the speed of the response are now critical elements of E-Discovery process effectiveness. And like other processes where time sensitivity and preparedness are a significant factor (for instance, business continuity, disaster recovery, incident response, and crisis management), E-Discovery processes should be tested on a regular basis and should include observations of participants’ understanding of their roles and responsibilities, and the speed and accuracy of the execution of litigation holds, searches, privilege review, and production.
The E-Discovery landscape is constantly changing. It is evolving not only through changes in ‘black letter’ law (ie, statutes and written codes, such as through the amendments to the FRCP), but through changes in case law (new rulings) as well. An organization must continually update its E-Discovery processes to reflect these changes. To stay abreast of developments in this arena, organizations may find it useful to assign a member of its corporate litigation team with an ongoing responsibility for monitoring the legal landscape and discussing changes with the members of the E-Discovery task force.
Incorporating E-Discovery requirements into future projects
As any practised engineer knows, it is cheaper, faster, and easier to incorporate functionality into a system at the design stage than it is to ‘bolt it on’ later in the subsequent development stages. Keeping this in mind, E-Discovery considerations should be discussed early in the requirements planning stages of all future IT projects. Whether a new system is being built, an existing system is being upgraded, or a commercial off-the-shelf system is being implemented, basic information lifecycle management functionality should be considered.