e-discovery 2.0

The legal battles during the discovery phase of the Oracle v. Google Java licensing and patent infringement complaint are now well documented. Just search for “Lindholm email” and you’ll find pages and pages of opinions and blog posts on the case. Why so much fuss over a piece of email? Well, as Judge Alsup aptly describes, this is the type of smoking gun email that has the potential to “turn the case on its head.”  More importantly, this inadvertent email never needed to happen, if the parties had better leveraged existing eDiscovery technologies.

The eDiscovery battle over admissibility of this email, as well as whether it can be a public record, is natural and to be expected, especially in such a high profile dispute. Google has already made five attempts to either claw back these documents or protect them under seal. Besides the question of whether privilege waiver is in fact granted simply by adding an “Attorney Work Product” annotation to email, which Judge Alsup has eloquently addressed in the filing here, there is another interesting question to be considered. In addition to the two email copies that had the above designation, there were nine other sequential drafts, created within a five minute period. These drafts were generated by the “auto save” capability of the email software, possibly as a way to prevent the author of the email from losing partial work. Don’t we all love that feature, since despite all the technological advances computers crash, networks fail, and software freezes, and in those times we’re thankful that our work was indeed automatically saved? However, if these are indeed present, are these drafts discoverable, especially if they have not been shared with anyone?

Although in this instance the intent of these drafts is made evident by the final email, which included the recipients, none of the nine drafts of the email have a TO:, CC: or BCC: address field filled in. So technically, the drafts in their “pre-final” form were never communicated to anyone else. If so, should they even be considered electronically stored information (ESI) that needs to be produced? Let’s say that these emails were never sent and merely existed as drafts, perhaps capturing a person’s train of thought. Are they discoverable?

Of course, determining whether such partial and non-evidentiary ESI exists among your millions and millions of documents to be examined for production becomes increasingly the purview of powerful search and analysis software. In this instance, Google and their legal team would have been well-served by email analytical software that can isolate drafts and offer them for removal from production. Also, using a capability such as Near Duplicate Identification would have identified these drafts as similar to the final ones that were marked as privileged. After all, if the legal team had known of their existence prior to production, they would not have been surprised by the opposing team producing them as key documents.

I invite your comments, especially on the notion that partially completed drafts are admissible as evidence.

In the first settlement of its kind, FINRA settled with the SEC on October 27, 2011 due to allegations over a 2008 incident where a regional Kansas City office of FINRA doctored documents.  The alleged doctored documents were from three internal staff meetings, where information was either edited or deleted and then provided to the SEC with the “inaccurate and incomplete” changes. Mary Shapiro, currently the Chairman of the SEC, is in an interesting spot as she was Chief Executive of FINRA at the time of the alleged wrongdoing.  She apparently had no direct involvement with the decision to take action against FINRA.

The motives for doctoring the documents are unclear, and so is whether or not the alterations of the documents led to any material damage other than FINRA’s diminished credibility.  Ironically, the SEC has had its own struggles in recent months with a slew of articles published in various newspapers highlighting their own challenges with document retention and the improper destruction of documents. Both of these scenarios have been called to light by whistleblowers within their respective agencies.

These antics certainly pose the question: Is it a good use of taxpayer money to have regulatory agencies fighting each other over document retention and record keeping practices? The answer is probably no. But the first question begs the second: If they don’t do it, who will?  While information management is not the sexiest part of the SEC and FINRA’s responsibilities, it certainly is an important one and the foundation of their information intelligence.  Without proper document retention and information governance, the probability of connecting the dots to discover insider trading or other malfeasance is low.  Moreover, in order for agencies to retain credibility they need to be able to locate documents with ease and speed and those documents must be truthful and accurate.

Because FINRA is a self-regulatory firm for securities and is overseen by the SEC, it seems appropriate that they investigate matters like the one at hand.  According to the SEC, the 2008 incident is the third instance in the past eight years where an employee of FINRA, or its predecessor, the National Association of Security Dealers, has provided altered or misleading documents to the SEC.  It remains to be seen if this is intentional on the part of FINRA to conceal undesirable facts or to promote an item on their agenda, or if in fact they are simply negligent with regard to their record keeping policies.  Either way, it is a problem for the SEC and the government in general as it undermines agency credibility and compromises the ability to intelligently leverage information.   This settlement also does no favors for FINRA at a time when they aim to expand their 4,600 base of supervisory authority to include 10,000 more investment advisory firms.

So, what can be done about this behavior and the risks it poses? Corporations and governments are facing the same issues that information governance poses due to the data explosion and the growing complexity of data sources today.  At a minimum, there needs to be a policy in place that governs how data, regardless of form, is handled and disposed of in the information lifecycle.  It also makes sense to form an audit committee within the government that can inspect and assess the information management practices of each agency, as well as serve as a  third party mediator between agencies when these challenges arise.  This is a good idea for two reasons.  One, agencies can focus on their responsibilities instead of getting sidetracked with issues they are not expert in, like document retention or record management.  Next, this problem has reached a point that it’s necessary to appoint an independent group to audit the government due to the data explosion and pace of technology today.  We have the SEC and FINRA to watch the financial industry and provide us with assurance that business is being conducted in a lawful manner.  We don’t need the SEC or FINRA to take up document retention as another responsibility, as there are other professionals that can do that more effectively and independently.

While expansion of government is not the goal of forming yet another committee, this committee could potentially free up agencies to do more of the work they are charged with.  This would also promote standardization across agencies and regulatory bodies, which would be a giant step in the right direction as data volumes grow.  The actions that resulted in this settlement were remedial in nature.  FINRA took decisive action to air a podcast about document integrity and scheduled an agency-wide town hall meeting addressing the same for all current and new employees.  They also hired an independent outside consultant to provide additional staff training on document retention and integrity.  This will be a continual educational process for the private and public sector, and employee training and auditing the process will be the lynchpins for success.  The element of deflection is also at work here, as the SEC is not a model example of best practices for document retention and the moment.

The SEC is working through allegations of document destruction, FINRA is accused of document doctoring, but all these assertions circle back to the central theme of having a document retention policy and compliance with that policy.  This naturally leads to the need for education and training, and the ultimate auditing of the process for compliance.  In this rare case of watchdog bites watchdog, three points become clear: 1) The SEC has a higher and best use other than policing these issues; 2) information management has reached a point that it requires a separate and independent body to monitor and regulate allegations of misconduct; and 3) sometimes it takes a dog biting a dog to truly illustrate the magnitude of a problem.

Fulbright & Jaworski has conducted their Litigation Trends survey for nearly the past decade and the results are always interesting since they tend to capture the mindset of inside counsel and litigators as they anticipate the upcoming year.  In their 8th Annual Litigation Trends Survey, Fulbright noted that 92% of U.S. respondents predict that litigation will either increase or stay the same in the upcoming year.  This trend bodes well for players in the litigation services and eDiscovery sectors, and confirms the counter cyclical nature of the industry.  Breaking down the perceived increases across industry verticals, the Survey noted that the biggest anticipated jumps were in the technology, financial services, healthcare and insurance sectors.  Meanwhile energy (the leading sector from the prior year) was one of the few that predicted a decrease.

Going behind the scenes, there were a number of factors that caused respondents to predict litigation increases.  First and foremost, respondents indicated that “stricter regulation was the number one reason” for the increases, particularly with insurance, financial services, health care and retail sectors.  These concerns around regulatory compliance have been increasingly keeping GCs and corporate boards awake as the governance climate continues to heat up.  This regulation driver showed a demonstrable increase with 46% of all respondents having retained outside counsel to assist with regulatory proceedings, up from 37% in the prior year.  The Survey noted that U.S. companies facing a regulatory investigation were most likely to be under pressure from the DOJ (27%), State Attorney General (24%), OSHA (18%), the EPA (16%) and U.S. Attorney (13%).  Also on the regulatory front, U.S. respondents have increasingly begun to recognize the potential jurisdictional reach of the U.K. Bribery Act, with 25% of U.S. companies stating that they have already conducted a review of existing procedures in preparation for implementation.

In addition to managing risk, most in-house counsel are keenly concerned with controlling litigation costs.  The good news here is that associated costs are predicted to be generally flat.  Yet, eDiscovery remained the largest category targeted for increased spending, with 18% of respondents making this their top priority.  Interestingly, though, large enterprises seem to have been doing a good job of getting eDiscovery expenses under control (likely by taking expensive elements of the EDRM in-house), with these expenses declining among the largest companies, from 42% last year to 24% this year.

The Survey noted that the use of cloud computing has gained speed, with 34% of all public companies using the cloud.  And yet, only 40% of those companies using cloud computing have had “to preserve and/or collect data from the cloud in connection with actual or threatened litigation, disputes or investigations.”  This number appears curiously light, and it should definitely rise during the upcoming year as the plaintiff’s bar gets more savvy about this relatively new source of responsive electronically stored information (ESI).

On the narrower eDiscovery front, the Survey honed in on newer issues like cooperation.  Here, the Survey noted that this Sedona-sponsored concept still hasn’t completely taken hold, with nearly 40% of all respondents claiming that “their company has not made the effort to be more transparent or cooperative” due to a litigation strategy of “defending on all fronts.”  This area appears particularly muddled, with one third saying their previous attempts haven’t been reciprocated and another quarter feeling that their company was already transparent.

All in all,  the 2011 Fulbright Litigation Trends Survey notes trends that appear to be largely in line with the primary drivers of (1) managing risk and (2) lowering litigation costs.  On the risk side, compliance with an increasingly complex regulatory environment is offsetting any potential lull in the litigation environment.  And, on the cost side, eDiscovery continues to be a hot button issue, particularly with the relatively new challenges associated with ESI distributed on social media, cloud computing and mobile sources.

Google has publicly released the number of U.S. Government requests it had for email productions in the six months preceding December 31, 2009.  They have had to comply with 94% of these 4,601 requests.  Granted, many of these requests were search warrants or subpoenas, but many were not.  Now take 4,601 and multiply it by at least 3 for other social media sources for Facebook, LinkedIn, and Twitter.  The number is big – and so is the concern over how this information is being obtained.

What has becoming increasingly common (and alarming at the same time) is the way this electronically stored information (ESI) is being obtained from third party service providers by the U.S. Government. Some of these requests were actually secret court orders; it is unclear how many of the matters were criminal or civil.  Many of these service providers (Sonic, Google, Microsoft, etc.) are challenging these requests and most often losing. They are losing on two fronts:  1) they are not allowed to inform the data owner about the requests, nor the subsequent production of the emails, and 2) they are forced to actually produce the information.  For example, the U.S. Government obtained one of these secret orders to get WikiLeaks volunteer Jacob Applebaum’s email contact list of the people he has corresponded with over the past two years.  Both Google and Sonic.net were ordered to turn over information and Sonic challenged  the order and lost.  This has forced technology companies to band together to lobby Congress to require search warrants in digital investigations.

There are three primary laws operating at this pivotal intersection that affect the discovery of ESI that resides with third party service providers, and these laws are in a car wreck with no ambulance in sight.  First, there is the antiquated Federal Law, the Electronic Communications Privacy Act of 1986, over which there is much debate at present.  To put the datedness of the ECPA in perspective, it was written before the internet.  This law is the basis that allows the government to secretly obtain information from email and cell phones without a search warrant. Not having a search warrant is in direct conflict with the U.S. Constitution’s 4th Amendment protection against unreasonable searches and seizures.  In the secret order scenario, the creator of data is denied their right to know about the search and seizure (as they would if their homes were being searched, for example) as it is transpiring with the third party.

Where a secret order has been issued and emails have been obtained from a third party service provider, we see the courts treating email much differently than traditional mail and telephone lines.  However, the intent of the law was to give electronic communications the same protections that mail and phone calls have enjoyed for some time. Understandably, the law did not anticipate the advent of the technology we have today.  This is the first collision, and the reason the wheels have gone off the car, since the standard under the ECPA sets a lower bar for email than that of the former two modes of communication.  The government must only show “reasonable grounds” that the records would be “relevant and material” to an investigation, criminal or civil, compared to the other higher standard.

The third law in this collision is the Freedom of Information Act (FOIA).  While certain exceptions and allowances are made for national security and in criminal investigations, these secret orders are not able to be seen by the person whose information has been requested.  Additionally, the public wants to see these requests and these orders, especially if they have no chance of fighting them.  What remains to be seen is what our rights are under FOIA to see these orders, either as a party or a non-related individual to the investigation as a matter of public record.  U.S. Senator Patrick Leahy, (D-VT), the author of the ECPA, acknowledged in no uncertain terms that the law is “significantly outdated and outpaced by rapid changes in technology.”   He has since introduced a bill with many changes that third party service providers have lobbied for to bring the ECPA up to date. The irony of this situation is that the law was intended to provide the same protections for all modes of communication, but in fact makes it easier for the government to request information without the author even knowing.

This is one of the most important issues now facing individuals and the government in the discovery of ESI during investigations and litigation.  A third party service provider of cloud offerings is really no different than a utility company, and the same paradigm can exist as it does with the U.S. Postal Service and the telephone companies when looking to discover this information under the Fourth Amendment, where a warrant is required. The law looks to be changing to reflect this and FOIA should allow the public to access these orders.  Amendments to the Act have been introduced by Senator Leahy, and we can look forward to the common sense changes he proposes that are necessary.  The American people don’t like secrets. Lawyers, get ready to embrace the revisions into your practice by reading up on the changes as they will impact your practices significantly in the near future.

The data explosion that has burdened organizations across the globe for the past decade has become increasingly expensive to manage.  Many experts point to storage as the most obvious culprit for higher information governance costs.  There are, however, other factors driving those costs.  For example, demands for electronically stored information in legal and regulatory proceedings have significantly increased expenses surrounding data management.  Those demands have forced organizations to meet the high expectations that courts and regulatory bodies have for how they address their information or face the consequences.

Those consequences include sanctions and regulatory fines for groups that fail to account for how they store, manage and discover their information.  The $919 million verdict rendered in the E.I. du Pont de Nemours v. Kolon Industries case is paradigmatic of this trend.  That verdict was inextricably intertwined with the court’s instruction to the jury that executives and employees for defendant Kolon Industries deleted key evidence after the company’s preservation duty was triggered.

Going to Cloud Services for Data Archiving and eDiscovery

These rising data costs – and the risks they pose – are driving organizations to explore new technologies and methods for managing their data.  The latest alternative to traditional on-premise solutions involves leveraging cloud-based services.

The hype surrounding the cloud has generally focused on the opportunity for cheap and unlimited storage.  While cost effective data storage is important, that factor alone should not be determinative for selecting a cloud service provider.  Organizations must have the actual – not theoretical – ability to retrieve their data and do so in real time.  Otherwise, they may not be able to satisfy legal or regulatory requests, let alone the day-to-day demands of their operations.

In an analogous context, courts have traditionally compelled paper document productions even though the requested materials may be buried in a messy warehouse.  In one such case from this year, a U.S. district court in New York ordered a company to turn over decades-old records that were commingled with other materials in poorly labeled, shrink-wrapped boxes.  The court reasoned that disorganized record-keeping should not excuse an organization from producing relevant information.  See Brooks v. Macy’s (S.D.N.Y. May 6, 2011).

The rationale from the Brooks case is equally applicable to cloud-based services.  Cloud-based data must be intelligently organized so that companies can retrieve data in a timely fashion for business and legal purposes.  Otherwise, the savings achieved through cheap storage will be negated by the resulting legal quagmire.

Paring Back Superfluous and Duplicative Information

To facilitate the data retrieval process, the right cloud service provider should have the capacity to implement and observe applicable company retention policies.  An effective retention policy will generally help a company retain information that must be kept for business, legal or regulatory purposes – and nothing else.  The service provider should enable automated retention rules to ensure that information is kept only for a designated time period.  This will allow data to be expired once it reaches the end of that period.  And by expiring that data, the company will limit the amount of potentially relevant information available for follow-on litigation.

The pool of information can also be decreased through single instance storage.  This deduplication technology eliminates redundant data by preserving only a master copy of each document placed into the cloud.  This will reduce the amount of data that needs to be identified, collected and reviewed as part of the electronic discovery process.  For while unlimited data storage may seem ideal now, reviewing unlimited amounts of data will quickly become a logistical and costly nightmare.

Tools to Facilitate Discovery

A cloud service provider should ideally have eDiscovery functionality.  At a minimum, the service provider should be able to deploy legal holds to prevent users or automated policies from overwriting and destroying data.  Advanced search capabilities should also be included within the cloud-based service to reduce the amount of data that must be analyzed and then reviewed.  Moreover, the provider should support compatible load formats for export to third party review software.

Another key discovery issue is whether the cloud service provider can establish a clear audit trail for transmissions of company data.  Since information could be modified in transit by the routine operation of a service provider’s computer systems, an audit trail is necessary to prove that company documents and their metadata were not affected or otherwise compromised during transmission.  Without this assurance, a company may not be able to demonstrate the authenticity of its data before a tribunal or comply with key regulations.

A cloud server provider that can quickly retrieve and efficiently discover data has the potential to help organizations address their legal and regulatory demands in a cost effective manner.  Such a provider may be just the solution for organizations that are looking to properly address their runaway information governance costs.

Outcry from many in the legal community has caused a number of groups to consider whether the Federal Rules of Civil Procedure (FRCP) should be amended.  The dialogue began in earnest a year ago at the Duke Civil Litigation Conference and picked up speed following an eDiscovery “mini-conference” held in Dallas last month (led by the Discovery Subcommittee –  appointed by the Advisory Committee on Civil Rules).  The rules amendment topic is so hot that the Sedona Conference (WG1) spent most of its two day annual meeting discussing the need for amendments and evaluating a range of competing proposals.

During this dialogue (which I can’t quote verbatim) a number of things became clear to me…

1.  This rules amendment quandary is a bit of a chicken and egg riddle — meaning that it’s hard to cast support wholeheartedly for a rules change if there isn’t a good consensus for what a particular change would accomplish and what the long term consequences might be as technology quickly morphs.  As an example, if there was a redefined preservation trigger that started the duty to preserve when there was a reasonable “certainty” of litigation (versus a mere “likelihood”), would this really make a material impact?  Or, would this inquiry still be as highly fact specific as it is today?  Would this still be similarly prone to the 20/20 hindsight judgment that’s inevitable as well?

2. While it is clear that preservation has become a more complex and risk laden process, it’s not clear that this “pain” is causally related to the FRCP.  In the notes from the Dallas mini-conference, a pending Sedona survey was quoted, referencing the fact that preservation challenges were overwhelmingly increasing:

“[S]ome trends can be noted. 95% (of the surveyed members) agreed that preservation issues were more frequent. 75% said that development was due to the proliferation of information.”

3. Another camp of stakeholders complain that the existing rules (as amended in 2006) aren’t being followed by practitioners or understood by the judiciary.  While this may be the case, it then begs the critical question: If folks aren’t following the amended rules (utilizing proportionality, leveraging FRE 502, etc.) is it really reasonable to think that any new rules would be followed this time around?

4. The role of technology in easing the preservation burden represents another murky area for debate.  For example, it could be argued that preservation pains (i.e., costs) are only really significant for organizations that haven’t deployed state of the art information governance solutions (e.g., legal hold solutions, email archives, records retention software, etc.) to make the requisite tasks less manual.

5. And finally, even assuming that the FRCP is magically re-jiggered to ease preservation costs, this would only impact organizations with litigation in Federal court. This leaves many still exposed to varying standards for the preservation trigger, scope and associated sanctions.

So, in the end, it’s unclear what the future holds for an amended FRCP landscape.  Given the range of divergent perspectives, differing viewpoints on potential solutions and the time necessary to navigate the Rules Enabling Act, the only thing that’s clear is that the cavalry isn’t coming to the rescue any time soon.  This means that organizations with significant preservation pains should endeavor to better utilize the rules that are on the books and deploy enabling technologies where possible.

As a proxy for risk assessment, many legal practitioners are simply asked, “What keeps you up at night?”  Aside from (i) small children and (ii) spicy Thai food, it’s becoming increasingly clear that eDiscovery is moving to the head of this inauspicious list, particularly for corporate boards, which now view risk management and regulatory compliance as their top concerns.

In a recent survey, BDO queried more than 100 directors at public companies with revenues between $250 million and $750 million and found that risk management factored heavily into the survey’s findings.  Over half of respondents identified managing risk as the topic they should be spending more time on, with 61% saying that their liability risk has increased during the financial downturn.

“In recent years, the responsibilities of corporate boards have grown considerably and much of their time has been dedicated to responding to new regulatory requirements,” says Wendy Hambleton, a partner in BDO’s corporate governance practice, in a statement about the survey. “What we are seeing in this study is a willingness of boards to take a more proactive role in risk management and it seems to be related to the risk they face as directors.”

On a similar risk management theme, another survey queried general counsel about what keeps them up at night.  Of these nearly 500 directors and GCs, 56% cited electronic discovery for litigation and investigation, which represented a marked increase since 2007, when only 36% of general counsel said they had the same nightmares.

This increasing concern around compliance and information governance isn’t surprising giving that the regulatory environment (FCPA, UK Bribery Act, Dodd-Frank, etc.) is much more rigorous than it was even a few years ago.  And, the fears are that this supercharged regulatory environment will only increase in fervor, with the majority of GCs feeling strongly that it will be the single biggest contributor to their workload through the rest of this year and leading into 2012.

What is interesting about these concerns is the disconnect between the very real fears and the lack of action – since many practitioners simply aren’t taking proactive steps to mitigate their information governance risks.  In an extension of the nightmare analogy, it’s like repeatedly watching scary movies right before bedtime and then being surprised when Freddy Kruger shows up in their dreams.

As noted previously, Symantec’s recent Information Retention and eDiscovery Survey revealed how blissfully ignorant some enterprises are about their shoddy information governance hygiene. Despite the numerous risks that are keeping so many up at night, the survey found nearly half of the respondents did not have an information retention plan in place, and of this group, only 30% were discussing how to do so.  Most shockingly, 14% appear to be ostriches with their heads in the sand and have no plans to implement any retention plan whatsoever.  When asked why folks weren’t taking action, respondents indicated lack of need (41%), too costly (38%), nobody has been chartered with that responsibility (27%), don’t have time (26%) and lack of expertise (21%) as top reasons.

While it is important to get a good night’s sleep, it isn’t wise to slumber through the night with an army of ESI zombies ravaging your house, particularly when it’s possible to implement even the most basic information governance plans.  It’s beyond blissfully ignorant to ignore real risks and snooze away during what is assuredly an escalating regulatory climate.  Instead, put the best possible people, processes and technology in place, and start again, well rested, in the morning.

The Ninth Circuit unequivocally extended the protections of the Electronic Communications Privacy Act (“ECPA”) to foreign citizens yesterday.  In Suzlon Energy Ltd. v. Microsoft Corp. — F.3d — (9th Cir. 2011), the court held that the ECPA protects the emails of non-citizens that are stored in the United States from disclosure.

At issue were various emails belonging to an Indian citizen that were stored in his Microsoft Hotmail account.  Relying on the plain language of the statute, the district court rejected the plaintiff energy provider’s request that Microsoft turn over the emails for use in an Australian-based legal proceeding.  The Ninth Circuit agreed, finding that the protections of the ECPA expressly encompassed “any person” whose emails were stored “on a domestic server, by a domestic corporation.”

The Suzlon Energy opinion has three additional noteworthy points.  First, the Ninth Circuit declined to create by judicial fiat a “civil litigation” exception that would allow the production of the emails.  Such an exception would have eviscerated the privacy concerns regarding electronically stored communications that Congress specifically invoked in enacting the statute.

The court also refused to find that the defendant’s status as a party to litigation constituted “implied consent” to the production of his Hotmail emails.  Such a finding is consistent with other jurisprudence holding that participation in legal proceedings does not waive the protections of the ECPA.

Last but not least, the court’s holding applies only to emails stored in the United States.  It does not apply to information maintained or acts that occurred beyond the United States.

The Suzlon Energy case represents a growing chorus of opinions that have toughened the privacy protections of the ECPA.  As more courts follow the lead of the Ninth Circuit on the ECPA, the clamor for Congress to enact amendments that would modernize the statute will undoubtedly increase.  Stay tuned; the fight over privacy on the internet is just beginning.

In the eDiscovery universe, hot trends and evolving technologies tend to capture the attention of the legal community.  Discoverable data sources have been the focus in the courtroom for quite some time, and just like the “popular kids” from high school, email has held the crown of eDiscovery darling.  Not surprisingly, the more time end-users spend in a specific medium (on Facebook, for example), the more likely data will be created – and as that data multiplies, it has the potential to become compelling in discovery.  It seems that many U.S. organizations are electing to allow social media use at work and for work, rather than blocking access.  For obvious reasons, granting this access is culturally desirable, but from an eDiscovery perspective social media use introduces new complications.  However, don’t be mystified.  There is nothing that new here.

Recently, Symantec issued the findings of its second annual Information Retention and eDiscovery Survey, which examined how enterprises are coping with the tsunami of electronically stored information.  Having lost some popularity, email came in third place (58%) to files/documents (67%) and database/application data (61%) when respondents were asked what type of documents were most commonly part of an eDiscovery request.  The new kid on the block for data sources is social media, reported by 41% of those surveyed.  Social media is in essence no different than any other data type in the eDiscovery process, it’s just the newest.  Said another way; social media is the new email.

Of course, it’s no longer news to proclaim that communications from social networking sites are discoverable.  What is newsworthy is the question of how to effectively store, manage and discover these communications which come in such varying forms, making the logistics of doing so for social media different than for traditional mediums.  Like email, social media is used by everyone (ubiquitous), is viral (fast), has mixed uses (professional and personal) and there is a lot of it (high volume).  Unlike email, social media comes in many different forms (Facebook, LinkedIn, Twitter, etc.), is not controlled within an organization’s firewalls (custody, possession and control issues), and has more complex requirements within the information governance lifecycle (technology is needed to ingest social media into an archive).

The two main areas to examine in relation to social media use and an organization’s policies are: 1) the legal issues that apply specifically to the organization, and 2) the logistical and technical requirements for preservation and collection.  Essentially, what is the organization’s policy surrounding social media use, and how can the information be accessed if need be? Luckily, technology exists that is nimble enough to be able to ingest social media and archive it in accordance with an organization’s policy, should one exist.  Organizations that have recognized social media as the newest kid on the block have, ideally: developed a social media policy, purchased (or deployed) collection and retention technology, and instituted training for their employees.  They have also integrated social media into their information governance strategy and document retention policy. Remember, not all organizations will have to archive social media, but all should address social media with a policy and training.

Other organizations have not accepted social media as part of the evolutionary process of eDiscovery.  They proceed at their own peril – as did the organizations that did not control their email some ten years ago!

These organizations will be in crisis when they need to collect social media for litigation and will most likely have a large lesson in damage control, as well as an equally large bill.  They will be uneducated, ill-prepared and overwhelmed about how to discover social media.  Without a policy, they will have to over collect by default, which will drive up the costs for collection and possibly for downstream review.  Given that the aforementioned survey found nearly half of the respondents did not have an information retention policy in place, and of this group, only 30% were discussing how to do so, it is likely that many of these organizations do not yet have a social media policy either.

With this background in mind, organizations should evaluate which laws and regulations apply to their organization, develop a policy and train their employees on that policy.  Plus ça change, plus c’est la même chose.

For more information about how IT and Legal can manage the impact of social media on their organization and to learn how archiving social media can be accomplished, please join this webcast from Symantec.

It is axiomatic that the law helps those who help themselves.  Perhaps nowhere is that truism more applicable than in the context of electronic discovery.  The organization that implements an effective information governance strategy – including developing reasonable data retention policies – will likely avoid court sanctions and reduce its legal costs.  This was confirmed in a recent industry survey, which found that organizations “help themselves” when they develop information retention policies.  According to the survey, better retention practices drive dramatically better outcomes in litigation, particularly in the context of retention and preservation.

Such a finding is echoed by a recent case issued from the District of Indiana.  In Haraburda v. Arcelor Mittal U.S.A., Inc. (D. Ind. June 28, 2011), the court tied a litigant’s preservation duty to its document retention efforts.  In order to discharge its duty to reactively preserve evidence, the court reasoned that enterprises must proactively create “a ‘comprehensive’ document retention policy that will ensure that relevant documents are retained.”  Failing to implement a retention policy often results in a loss of key information.  And this, opined the court, may result in sanctions.

Such a finding is not limited to an isolated case.  Court decisions from across the United States in 2011 have found the same connection; better data retention practices yield more successful document preservation results.  For example, in the E.I. du Pont de Nemours v. Kolon Industries (E.D. Va. April 27, 2011), the plaintiff manufacturer defeated a sanctions motion due to its effective information retention procedures.   The manufacturer implemented a document retention policy that typically kept emails from former employee accounts for 60 days, after which the emails were overwritten and deleted.   Among the emails deleted pursuant to that policy were several that the defendant argued were relevant to its counter-claims.  The DuPont court declined to impose sanctions, however, since the emails in question were overwritten before the duty to preserve was triggered.  Instead, the court lauded the manufacturer’s preservation efforts, finding that it “took positive steps reasonably calculated to ensure that information . . . was preserved for litigation.”  Because the manufacturer faithfully observed its established retention policy, it reduced a stockpile of email, made relevant documents unavailable for discovery and was still protected from court sanctions.

Similarly, in Viramontes v. U.S. Bancorp (N.D.Ill. Jan. 27, 2011), the defendant bank relied on its data retention protocols to stave off a sanctions motion after deleting several years of email.  Because those emails were destroyed pursuant to a neutral retention policy before a preservation duty attached, the bank was protected from sanctions under the Federal Rule of Civil Procedure 37(e) safe harbor for the destruction of electronic information.

The converse, of course, is also true.  Those organizations that failed to implement effective retention policies have fared poorly in discovery because they have not preserved relevant ESI.  Take the defendant, for instance, in Northington v. H & M International (N.D.Ill. Jan. 12, 2011).  The court issued an adverse inference jury instruction against that company because it spoliated significant emails and other data.  The genesis of this spoliation was the company’s failure to establish a formal document retention policy.  Instead of having a thoughtful, top-down approach, “data retention . . . was evidently handled on an ad hoc, case-by-case basis.”  The company’s failure to develop a pre-litigation information retention policy eventually led to the loss of key information and the court’s sanctions award.

These recent cases and others confirm the correlation between retention and preservation.  Simply put, proactive retention leads to better preservation in eDiscovery.  Anything less could be disastrous in litigation.