Policy Workbook: E-Discovery

Q. What'll wake you up faster than a triple shot of espresso?

A. A process server with a subpoena waiting by your desk in the morning.

Litigation is fast becoming a cost of doing business for a growing number of companies; IT groups in the Fortune 500 deal with dozens, even hundreds of lawsuits every year. The legal system is catching up with the computer age, and many courts now require that information requested be supplied in digital format.

Prepare for the inevitable by developing an e-discovery policy and assigning an IT person as your group's legal/compliance officer. This person will serve as the main contact for the legal team, manage the collection process and provide testimony in court if necessary.

To build a policy to handle e-discovery, you must understand the process, which typically breaks down into several steps after a lawsuit is registered with the court. First is the prediscovery phase, where opposing sides meet to negotiate the scope of the information being requested and the format in which it will be produced. In the collection phase the defendant searches paper and digital archives for the agreed-on information and compiles it in a format suitable for defense council to begin analysis.

In this review phase many attorneys use litigation-support software tools, such as Dataflight Software's Concordance, to manage the processing, analysis and review of the massive quantities of disparate data they may receive for a case. These specialized software packages let legal researchers search text, number pages, make notes, add/modify metadata, remove unrelated documents from the collection, and redact sections of documents they believe to be privileged or protected. Only after careful review by defense council are the final documents produced for the presentation phase and given to opposing council in the agreed-on data format.For the IT manager, the challenge starts with locating, collecting and delivering the required information, and that's where policy should begin as well.

Once company information is subpoenaed for discovery purposes the data becomes evidence and should be placed on what's known as a "litigation hold" to protect it from loss or modification. At this point, a company is legally bound to supply that information accurately, on deadline and in a useful format. To answer these needs there is a growing interest in e-discovery-specific tools from major archive and storage vendors that are focused on improving the search, auditing and access control of the wide range of stored data that could become part of a legal battle. These products include PSS Systems' Atlas ERM and LCC, Renew Data's eDiscoveryNow, Symantec's Enterprise Vault and Zantaz's Introspect.

Relevant data must be kept meticulously intact and include metadata that verifies its authenticity and accuracy, such as time/date stamps, header information on e-mail, and attachments.

One of the dangers of e-discovery data collection revolves around the issue of spoliation, legalese for the destruction or alteration of evidence or the failure to preserve evidence in pending or "reasonably foreseeable" litigation. We all know that data regularly gets lost or damaged, but in the case of information requested in a lawsuit, the court will determine whether the data loss was accidental or intentional. This may result in court-imposed sanctions, and judges have broad discretion on ruling in evidentiary issues like these. There have been cases where such sanctions strongly contributed to the loss of multimillion dollar lawsuits. One notable example is Residential Funding Corp. v. DeGeorge Financial Corp., where a $96.4 million jury verdict hinged on the plaintiff's failure to produce requested e-mails. A longstanding policy dictating that certain e-mail stores be purged at specific intervals could demonstrate that deletion of a given document was not a deliberate attempt at obstruction, but part of your message-storage management.

Your policy should also spell out when it's time to call in an expert. Many companies choose to handle e-discovery collection in-house, and this can be done safely, provided the process is carefully managed and assigned to qualified, competent personnel using the correct tools and following documented procedures, which should be developed in concert with legal counsel.For companies without such resources, Electronic Evidence Discovery, Iron Mountain, RenewData, Zantaz and others offer consultation services that can assist in the creation of internal policies customized to your company and the legal compliance issues specific to your business area. These vendors also offer third-party legal-discovery services that include data collection from a variety of media, preservation of native data format, and conversion to standardized formats, such as PDF or TIFF.

Companies that would like to handle e-discovery in-house will find a number of new offerings from EMC, Mimosa, RenewData, Symantec, Zantaz and ZyLAB designed to augment existing archive systems or enable the creation of a new archive based on collected data combined with a "live capture and move forward strategy" that will support the collection of all new, relevant data from that point forward. E-discovery and legal compliance may become the primary financial driver spurring companies to finally adopt a searchable archive solution.

Despite legal complexities surrounding the e-discovery process, our research turned up three key points:

In some cases, policy building can be simplified by using a best-practices template. This isn't one of those times. We spoke with six attorneys regarding e-discovery and the only thing they all agreed on is that each case is different and that it's dangerous to overgeneralize.

Changing The E-discovery Rules

Although local jurisdictions have the authority to impose their own rules regarding legal discovery, the Federal Rules of Civil Procedure remains the gold standard for managing the process at the national level. Like most government documents, it's long, complex and subject to change on a regular basis. In fact, several modifications will become active in December. These are clarifications rather than hard changes to the e-discovery process and reflect the legal system's growing awareness of the challenges to maintain electronic data systems.

Changes to Rule 26 involve limits to the scope of a discovery request, and may let parties challenge a request for data if fulfilling it would cause "undue burden or cost." It also addresses some of the concerns surrounding protected or privileged information. But perhaps the biggest addition from IT's perspective is Rule 37(f), which states, "Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system." This amounts to a "safe harbor" clause that offers limited protections for a company unable to provide requested information, if the cause was beyond its control and appropriate procedures were in place.There's a great deal of debate in the legal community as to the long-term ramifications of these new rules, and though the wording is precise, there's still a lot of gray area to be explored. The document doesn't define "good faith," for example, so the courts have flexibility in interpreting a company's intentions when it comes to producing information. The best long-term protection remains a fully documented information management policy that's consistently followed and designed to protect data for the length of time dictated by any compliance rules appropriate for your business.

Steven Hill is an NWC technology editor. Write to him at [email protected].