Top Five Compliance Risks Regarding e-Discovery

The very word can strike fear into the heart of every in-house lawyer.  The costs can be astronomical and the price of mistakes can be fatal to a case.  What can you do to minimize risk?  As with many things in life, the keys are preparation and follow-through.  Particularly for companies that are regularly involved in litigation, in-house counsel and compliance personnel can reduce uncertainty by understanding their information systems and staying on top of technological changes.  When litigation is imminent or a government investigation strikes, companies with well-oiled processes will be in a better position to minimize costs and reduce the risk of devastating sanctions resulting from spoliation or incomplete compliance.  While the details of the e-discovery process will be different for every company, attention to these five critical points will reduce the risks of a calamity with respect to electronically stored information (ESI).

1)  Litigation Hold Notices

  • When litigation or a Government investigation is reasonably anticipated, a party must distribute a written litigation hold notice to all custodians who could conceivably have relevant data, and to IT personnel.  The hold notice should require recipients to put their normal records destruction policies and practices on hold and preserve all potentially relevant information and data.  The notice should require a compliance acknowledgement by each recipient and identify an individual (usually an in-house lawyer or compliance person) to whom questions can be directed.
  • If a sensitive government investigation or certain types of litigation are involved, there may be resistance to disseminating a notice widely.  Companies may do well to hold a meeting of those who receive the notice in order to emphasize its importance, respond to any questions, and stress confidentiality.
  • Be sure those non-legal personnel (especially IS/IT staff) fully understand the entire hold notice, so that they not only know “what” they are supposed to do as specifically outlined in the hold notice, but also “why” – in case there are additional ESI sources, data types, etc. that they may be aware of (beyond what the lawyer and custodians have identified).  As part of this, be sure all systems that automatically delete data at predefined intervals are properly disabled while the hold notice is in place.
  • Companies should issue updates/reminders on a regular basis – but especially when outside counsel is brought on – making sure to add custodians, subject matter topics, or data types/sources, as needed.

2)  Document/Data Retention Policy

  • Companies should have data retention policies, and employees should be trained on them and reminded periodically of their importance.  Be sure the policy is thoroughly documented and note both what is to be retained and why it is to be retained.  The rationale needs to be sound and reasonable – and it needs to be defensible.  Destruction of data pursuant to the policy, before the hold notice has gone into effect, is less likely to result in a sanction.
  • Define exactly what is to be retained (either individual data types or groups of data) – do not use general terms, as that will promote non-compliance.
  • Consider whether to allow exceptions, such as for non-business email (if permitted), but be careful since, as always, exceptions can be a slippery slope.
  • Define exactly how long each data type/group is to be retained. You can’t reasonably have one retention schedule that applies to all data types/data groups.  (How long is it needed for business purposes?  Are there any Fed/State/Local laws/rules/regulations that require specified retention periods?)
  • Define in what format each data type is to be retained.
  • Be sure to review the policy at least annually and update it as the needs of the company or the laws change.
  • Document all changes made to the retention policy and/or the retention schedule and provide the rationale for those changes.
  • There is no such thing as a static volume of ESI.  Always plan for data growth and be sure the retention policy has the necessary provisions in place to adapt to an ever-growing data volume, which can often bring into play data storage methods not previously used (e.g., cloud storage as a newer example, or back-up tapes as a more traditional one).
  • Develop a policy for enforcement.  The only thing worse than not having a document/data retention policy in place is having one and not enforcing it.
  • Be sure to test the retention policy.  Try running your team through a mock litigation hold notice or other targeted data hold procedure for a known set of data, to see if all data was properly preserved.
  • Courts are less likely to impose sanctions or other penalties when data is deleted pursuant to an active records retention policy that has been properly implemented and enforced.

3)  Litigation Readiness

  • Companies should develop internal processes and protocols as a part of their routine compliance processes in order to be adequately prepared for e-Discovery issues.
  • Identify appropriate resources (internal personnel and outside vendors) who can be called upon quickly to handle preservation and collection of ESI (including, but not limited to, the acquisition and use of litigation hold and forensic data collection software).
  • Maintain an updated data map that describes in detail what types of ESI a company has (such as text, images, audio, video, etc.) and exactly where it is stored.  It is imperative that this map cover everything from large network resources—including databases, document management systems, and common drives/servers—all the way down to local resources that may only be known by the custodians, such as individual computers, external hard drives, flash drives, DVDs, CDs, etc.  It should also note whether custodians are permitted to maintain such storage devices and whether any documents/data are stored in sources such as email and social media that are not maintained elsewhere.  Don’t forget about archive/back-up data storage!
  • The idea is to determine exactly what the entire universe of data involved is and how secure it is.

4)  ESI Collection/Review/Production

  • It does no good to issue proper litigation hold notices, implement and enforce a document retention policy, and maintain an adequate level of litigation readiness, if after all of that, you collect, review, and/or produce the ESI improperly.
  • A decision has to be made whether there are sufficient internal personnel, as well as the necessary software in place, to perform proper data collection in-house, or if a vendor needs to be retained.  Getting a handle on whether in-house personnel can properly handle this crucial step is critical if the company is to have a defensible collection process.
  • If internal collection is performed, are those personnel qualified and properly trained?
  • If external, be sure to evaluate several e-Discovery vendors, paying attention to their qualifications and experience, not just their rates.
  • Negotiate an E-Discovery Plan with opposing counsel (get it approved by the court, if possible) or with government investigators, as the situation dictates.  The plan should define scope, custodians, search terms and any other appropriate considerations.  Leave room for edits/adjustments, but don’t include general catch-all provisions, as that will only cause inevitable discovery disputes.
  • Is forensic collection necessary and/or required?  It can be much more difficult and costly to perform a forensic collection.  However, collecting forensically at the outset will be less costly and more reliable than doing so after you have discovered that non-forensic approaches have been inadequate.
  • Be aware of how both parties intend to produce the data (with or without metadata), since whether you performed a forensic collection or not will directly impact the accuracy of the metadata.  For some cases (particularly trade secret / non-compete / etc.), metadata can be extremely important.
  • Consider whether, based on the types of data involved and the overall data volume, Technology-Assisted Review (TAR) is desirable (perhaps for prioritizing the data to be reviewed, if not for full-on substantive review) – or whether a traditional human review is required.  Where data volumes are large, TAR may be cost-effective, but you must get either agreement from the opposing party or government investigator (or court approval) to use TAR.

5)  Data Security

  • Take all necessary precautions to ensure the data that is collected is being maintained in a secure environment, from a data breach and theft perspective, as well as from a forensic integrity perspective.
  • More and more companies are moving to cloud-based data storage (and some ESI vendors are storing data for review this way too).  Investigate all security measures taken by the hosting vendor to ensure the forensic integrity of the data is maintained and access to that data is properly restricted.
  • If social media is used by the company (especially if it is used to create, convey, or otherwise use substantive ESI), be sure all personnel are trained on what should and should not be used on social media.  Also, as with cloud-based systems, be sure to explore the security protocols of the given social media host.
  • At every step in the process, document what you have done.

One final note that applies throughout any e-discovery process: Appoint a single person within the company to be in charge.  Be prepared to have that person be subjected to a deposition or testimony in court to explain and defend your process.

E-discovery is never simple and few would ever regard it as fun.  But attention to these steps, and incorporation of as many of them as possible into your regular compliance program, will help control your costs and minimize the risks of missteps along the way.

________________________

Jeffrey R. Moore is an attorney in the Business Litigation and Product Liability Litigation practice groups.

About the Author

David A. Wilson

David A. Wilson is partner-in-charge of the Washington, D.C. office of Thompson Hine LLP. He focuses his practice on complex civil litigation, internal and government investigations, and securities enforcement matters. He has led or otherwise been involved in many internal corporate investigations, including audit committee and special committee investigations.