Initially, we started at ground zero with the notion that defensibility is in most instances equated with the “reasonableness” standard, which is pervasive across many areas of the EDRM spectrum… from preservation to production.  Instances include:

• Preservation — “[a]s soon as a potential claim is . . . identified, a party is under a duty to preserve evidence which it knows, or reasonably should know, is relevant to the future litigation.”
• FRE 502 (b) – the disclosure does not operate as a waiver in a Federal or State proceeding if the (2) the holder of the privilege or protection took reasonable steps to prevent disclosure;
• General Privilege Waiver — In SEC v. Badian, 2009 WL 222783 (S.D.N.Y. Jan. 26, 2009)(link), “there is no basis … to conclude that there were precautions [to prevent the disclosure], let alone whether they were reasonable.”
• FRCP 37(e) — Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.

While the foregoing isn’t exhaustive it does highlight the persistent nature of the reasonableness standard as practitioners seek a defensibility sanctuary.  The good news is that the law doesn’t require perfection and there are also a number of ways to obtain reasonable defensibility:

• Demonstrable acceptance by the opposition – here the notion is that collaboration with the opposition allows the parties to comfortably move ahead with their discovery process and even if it’s not objectively reasonable, the parties consent to the protocol will in most instances carry an imprimatur of reasonableness.
• Auditing / process transparency.  Similar to the first bullet, auditing the process and giving the opposition visibility into the process steps will often make it hard for them to lodge successful downstream challenges.
• Adherence to Local Rules (See 7th Circuit Pilot Program) or judicial order.  Another avenue than can provide some degree of safety is compliance with a discovery protocol mandated by local rules, although that compliance may ultimately be challenged.
• Statistical confidence intervals / sampling – the use of statistics as a way to bolster process defensibility is starting to come to maturity and in the future I think that detailed precision, recall and other statistical indicates will play a large role in e-discovery defensibility.

None of these steps can be guaranteed to really get you off the hook from a rapid opposing party calling foul, but using them in a “belt and suspenders” fashion will certainly help buttress any discovery process.

For more illumination on the topic please see the following video of my interview with John Loveland, who’s waxing poetically about discovery defensibility.

Citing mysterious budgetary concerns (which still elude me), The Governator initially vetoed Assembly Bill No. 5.  But as of July 1^st, California’s new electronic discovery provisions were finally made law.  Interestingly enough, California (which tends to more progressive than most) was way behind the times in terms of adopting the new framework of the FRCP…

“The California Discovery Act hadn’t really been revised or amended since the mid-1980s,” said Patrick O’Donnell, the supervising attorney for the Judicial Council’s Office of the General Counsel who led efforts to write the state’s e-discovery law. “This is really a major step to address the changes in the world of electronic data since then. … This gives a lot more clarity and certainty in how the issue will be focused on.”

Instead of the alleged budgetary concerns it appeared that California had (and still has) bigger fish to fry and needed some extra cycles to get lawmakers, attorneys, Silicon Valley leaders and court administrators all on the same page.

The new California provisions pretty closely mirror the FRCP language with a few minor exceptions, called out by Joshua M. Briones and Anahit Tagvoryan in their recent article…

• Minor tweaks to the Rule 37 language around the safe harbor provisions broadening slightly (beyond “loss”) the California language to also preclude sanctions where ESI is “lost, damaged, altered, or overwritten.”
• No corresponding meet & confer provisions in the California statute similar to the Rule 16 and 26 sections in the FRCP.
• Inaccessibility provisions of FRCP 26(b)(2)(B) changed slightly to require producing party to file a protective order for ESI it believes is not reasonably accessible due to “undue burden or expense.”

While a long time in the offing, these provisions (despite the minor tweaks) should be a refreshing change for California practitioners who’ve been waiting too long for the other shoe to drop.  Now, case law can start to develop, which will continue the honing-in process…

It is certainly true that any policy that enforces the deletion of documents that might otherwise be discoverable should reduce electronic discovery costs.  Thus, document retention policies, just like enforced mailbox size limits, can absolutely help reduce e-discovery costs.  However, implementing a retention policy is not easy.  A recent article in the New York Law Journal by Adam Rosman is very insightful in this regard when he says, “the rub is implementation.”   Mr. Rosman outlines a conversation between a hypothetical company’s Associate General Counsel and the CTO that demonstrates that the major challenge with retention policies is not designing one.  Rather, the challenge is implementing a policy that effectively balances the needs for litigation readiness and e-discovery, regulatory compliance and knowledge management and can be cost-effectively enforced throughout a company’s IT organization and user community.  Given this, it’s not surprising that a 2006 study by Nextpage and CXO research found that “while two-thirds of the companies surveyed have a document retention policy in effect, almost half of them don’t actively enforce it” and why 39% of respondents cited implementing a standard policy and 34% percent said user compliance were major weaknesses in implementing retention policies.

Because of these implementation challenges, retention policies are not a quick way to reduce your e-discovery costs.  They are also not going to reduce enough data to solve an organization’s e-discovery cost “problem.”  First, due to the implementation challenges, retention policies are not going to delete all the electronically stored information (ESI) they should.  Second, HIPAA, Sarbanes-Oaxley (SOX) and FINRA regulations require that many documents must be retained for several years.  Finally, business users will demand many exceptions: emails, loose files, collaboration content, financial records, contracts, etc. that they want to save beyond the retention period for important business reasons.  As a result, even companies with retention policies are going to have a substantial and growing amount of discoverable ESI and the electronic discovery costs that go with that.

Document retention policies thus are a bit like taking vitamins.  They are likely going to help reduce the amount of time you are sick – although you’ll probably find some “studies” that say they do help and some that don’t.  But when you get sick, they aren’t going to make you better.  For that, you need a remedy that directly targets the specific problem.  Similarly, document retention policies, and you can say the same thing about all information management solutions to e-discovery, will help reduce e-discovery costs, but they won’t solve the e-discovery cost problem.  Specific e-discovery solutions are necessary to do that.  We’ll discuss many of these specific e-discovery solutions in the next set of posts in this series.

Lately, the electronic discovery blogosphere has been, well, a-twitter about twitter and other social media as they relate to electronic discovery. While twitter struggles to find a business model, enterprises and law firms are racing to understand the implications of this latest boomtown of user-generated content that’s being built in out on the frontier of the World Wide Web (or is that Wild Wild West?).

There’s talk of intellectual property being cast out, irrevocably, onto the Internet for all to see. Or slanderous things being uttered for which your company may be held liable. But, hold on a second: is there really anything new here? Anyone heard of e-mail? Web pages? Peer-to-peer? Google? Instant messaging? As Debra Logan astutely points out in her recent post on the topic, “everything that exists is discoverable (at least pretty much).” If you haven’t already, take a look at the FRCP’s definition of ESI and you’ll get her point. So, yes, it’s obviously important to have a common sense corporate policy around what’s appropriate and what’s not for the public Internet, but it shouldn’t be any different from the policy that you should have already had in place regarding blogs, web pages, and email.

What about the other side of the electronic discovery coin: finding information that’s responsive to a request? If anything, social media are more easily discoverable than just about any other form of user-generated content (though admittedly in some cases they can be more transient, which can post unique challenges). And, while it’s not universally true, the argument can be made that the more easily something can be discovered, the lower the cost and risk of that content to you. Worried if anyone on twitter is stealing your new idea for a router architecture? How about the top-secret approach to making coffee you were thinking about patenting? Well, if anyone twittered about it, tracking it down is a snap. Just keep in mind that because of the public nature of social media, it’s likely that the more important the information is to your company in the context of electronic discovery, the less likely it is to live out on the public Internet. Obviously, there will be exceptions. But when there are those exceptions, tracking down the relevant information will likely be a fairly straightforward and relatively inexpensive process.

However, before we dismiss social media as nothing new and something that can largely be addressed through already-existing policies and discovery techniques, let’s consider one aspect of social media that is on the upswing, but often out of the blogging limelight: enterprise applications.

Increasingly, companies are moving to advanced enterprise social media platforms such as Jive or SocialText as a way of improving internal collaboration and making projects run more smoothly and effectively. Because such enterprise platforms are often used on a company’s most important and strategic projects, having robust e-discovery capabilities to allow internal blog, wiki, and discussion content to be captured and placed into a format that can be seamlessly searched along with other more traditional documents is becoming critical to forward-thinking enterprises.

For example, I recently came across a large financial institution that uses Jive SBS as its wiki and Clearwell as its e-discovery solution. What surprised me is that this company has created its own Jive/Clearwell “adapter” that feeds Jive discussions directly into Clearwell as a conversation thread. This is just one example, but I’m sure more will follow. Over time, it will become a requirement for e-discovery platforms to integrate with enterprise social media products. And, rest assured, as that happens, we’ll be sure to tweet about it!

UPDATE: Whit Andrews of Gartner was kind enough point out his (prescient) research note on the subject of e-discovery and social networking from November, 2007. He points out that there is in fact a very important “new new thing” about social networks, which is that they may be able to be leveraged in an e-discovery context to find out more about the people relevant to an investigation. By tapping these publically-available sources of information, investigators may be able to gain better insight into private (i.e. enterprise) information stores to guide the e-discovery process. More detail on this and other insights can be found at http://www.gartner.com/DisplayDocument?id=543110&ref=g_forward&call=email.

Aside from those overarching themes I was struck by how polarizing the discussion was around one recent case in particular.  While many notable commentators have already made this the most talked about cases of the year, Phillip M. Adams & Assoc., LLC v. Dell, Inc., 2009 WL 910801 (D. Utah Mar. 30, 2009) continues to stimulate discussion.   Adams v. Dell is a patent infringement case where the plaintiff, alleged that one of the defendants (ASUS) destroyed critical pieces of evidence and should be sanctioned accordingly.

The underlying facts and timelines are fairly complex, but in summary the dispute centered around the alleged infringement of several patents developed to resolve defects in floppy disks during in the late 80’s.  What makes this decision so vexing is that it starts out as a preservation case, but quickly confuses that concept with data retention and information management practices/policies.

So, starting with the preservation angle…  Both sides fortunately agreed about the definition for the duty to preserve evidence, which in the 10^th circuit begins when a party “knows or should know [it] is relevant to imminent or ongoing litigation.”  The triggering of the preservation duty was not surprisingly much more complicated and ASUS (the responding party) claimed that its duty to preserve wasn’t triggered until early 2005, when they received a letter warning it of potential litigation because of the alleged patent infringement.  But, the Magistrate held that “counsel’s letter is not the inviolable benchmark” and the duty to preserve was triggered much earlier (in the 1999-2000 time frame) because similar litigation was rampant in the industry, highlighted by a late 1999 suit where Toshiba paid billions of dollars in a class action settlement related to similar floppy disk issues.

Leaving the murky preservation issue by the wayside for a bit, the Magistrate then moved into ASUS’ claims that FRCP 37(e) provided a safe harbor for its alleged destruction.

“ASUS claims it can find a safe harbor against sanctions because of the recently adopted rule that sanctions may not be generally imposed for ‘failing to provide electronically stored information lost’ if a party can show the loss was ‘a result of the routine, good-faith operation of an electronic information system.’”

Nice try, but strike two for ASUS…

“ASUS provided an extensive declaration from an experienced consultant in e-discovery. While he stated the reasons for and history of ASUS’ ‘distributed information architecture,’ he did not state any opinion as to the reasonableness or good-faith in the system’s operation. And while he says ‘ASUSTeK’s data architecture relies predominantly on storage on individual user’s workstations,’ his 31-page declaration does not show he is familiar with the precise practices pointed out in the declarations of employees. Those employees’ declarations describe the practice of ASUS’ email system to overwrite old data regardless of its significance; ASUS’ reliance on employees for all email and data archiving; and the process of replacement of computers, which also relies on employees to transfer data from their old to their new computers. Neither the expert nor ASUS speak of archiving ‘policies;’ they speak of archiving ‘practices.’

The court’s distinction between “policies” and “practices” seems like a convenient (perhaps “Deus ex machina”) way to discount ASUS’ data retention activities and prevent the use of the FRCP 37(e) safe harbor.  Since in most instances, “bona fide, consistent and reasonable” document retention “policies” have been found to be presumptively valid by everyone ranging from Sedona (Guideline 3) to Carlucci v. Piper Aircraft Corp. and Arthur Andersen LLP v. United States, 125 S.Ct. 2129 (2005).  It’s not clear how he draws the important “practices” distinction and why said practices are exponentially different from presumptively valid “policies.”

It’s precisely this line of thinking that confuses the alleged failure of the duty to preserve (discussed at the outset of the opinion) with the duty to retain information.  The court seems to think it’s an “unreasonable” practice to have custodians responsible for compliance with data retention and this deficiency made the safe harbor unavailable.

“ASUS has explained that it has no centralized storage of electronic documents, email or otherwise, and relies on individual employees to archive email (which will be deleted if left on the server) and electronic documents (which reside only on individual workstations).”

Not only is this custodian-based retention practice, in and of itself, reasonable; it’s probably the most common form of data retention practices seen at corporations today.  While a number of vendors have promised intelligent retention systems that work without any significant human intervention, for the most part those solutions are still in their infancy.  Additionally, there are significant technical challenges to have an application manage *all* ESI (Electronically Stored Information) that exist for a given custodian (including desktop files, instant messaging, text messaging, social media, etc.) As such, most companies must inherently rely upon their custodians to both retain and preserve data pursuant to company policies.  The court not only seems to miss this point, but also attempts to impose an obligation that corporations must prevent the “loss of data” above and beyond specific preservation obligations.

“ASUS’ practices invite the abuse of rights of others, because the practices tend toward loss of data. The practices place operations-level employees in the position of deciding what information is relevant to the enterprise and its data retention needs. ASUS alone bears responsibility for the absence of evidence it would be expected to possess. While Adams has not shown ASUS mounted a destructive effort aimed at evidence affecting Adams or at evidence of ASUS’ wrongful use of intellectual property, it is clear that ASUS’ lack of a retention policy and irresponsible data retention practices are responsible for the loss of significant data.”

Although the exact rationale was unclear, the court held that ASUS violated their duty to preserve and that the loss of evidence could not be excused as a “routine, good faith operation of electronic information systems.” While the court ruled that sanctions were appropriate, it reserved final sanctions pending the close of discovery.   Depending on what those ultimate sanctions look like, it seems pretty likely that this decision will be subject to appellate review.  Until then, it’s probably too soon to treat this questionable holding as gospel.  Wary corporations however should continue to bolster the “reasonableness” of their information management/retention/destruction policies and practices so that in hindsight a court won’t be able to take away the FRCP 37(e) safe harbor by casting those “practices” as being unreasonable.