e-discovery 2.0

There have been several recent press releases from enterprise software companies proclaiming FRCP “compliance,” which certainly sounds appealing.  But, the use of that term begs the question:  how does a search technology (or methodology) become FRCP “compliant” and is that goal even possible?

IBM launched the first salvo:

“The software will allow companies to move from scattered, point-solution approaches to a disciplined approach that controls electronic information, helps support Federal Rules of Civil Procedure (FRCP) compliance,…”

And, Autonomy quickly followed suit:

“The Autonomy pan-enterprise search platform automates the retrieval, processing, and management of all information throughout a global organization irrespective of languages, operating systems, and file types, avoiding non-FRCP compliant search techniques.”

I’m more than tolerant of both puffery and marketing-speak (though woe to those who forward such releases to Monica Bay), but this notion of “FRCP compliance” seems to take advantage of an already bombarded buying public, who have likely grown weary of FRCP articles, CLEs, and maybe even blogs posts.  Nevertheless, it seems useful to really tease out what the FRCP means and does not mean in relationship to e-discovery and enterprise search.

So, in an attempt to debunk this “compliance” myth, I thought I’d devote this blog post to demystifying some of the inaccurate notions about the FRCP.

Federal First

Initially, it’s important to note that the Rules only apply to litigation within the United States Federal court system.  State court litigation, international lawsuits, arbitrations and administrative actions (just to name a few) aren’t under the aegis of the Rules.  While it’s true that certain state courts (Minnesota for example) have selectively adopted the new discovery provisions, most have not.  So, the first step is to check your venue.  Then, assuming the Rules do apply because your organization is in Federal litigation, the impact, while still not crystal clear, does take on more definition.

Relevancy Filters

As a starting place, the discovery process (as part of litigation) is fundamentally limited by Rule 26 to information (electronic and otherwise) that is “relevant” to the case at hand (i.e., “relevant to the claim or defense of any party”).  This distinction is critical because for the most part it prevents the responding party from having to cast a company wide net for all data, a task envisioned by many content management systems.   Certainly, the ability of certain systems to access all user created data is valuable when searching for relevant data, but there are many ways to skin that cat.

No Express Retention or Preservation Duties

Legions of articles proclaim that the amended Rules create wholly new duties to retain information in general, as well as infusing new duties to preserve electronic data once litigation is anticipated.  Instead however, the new Rules expressly disavow creating truly new retention or preservation duties.  While it is undoubtedly a good practice to have a retention policy, given the welter of statutes and regulations that do create retention duties, the Rules do not mandate that a company create one ahead of litigation.

What is true, however, is that the new Rules have powerful implications for preservation once litigation is likely because of the requirements to understand, negotiate and produce relevant information early in the litigation process.  Under the new Rules, it is critical to be able to identify and retain potentially relevant data once litigation is filed (or is “reasonably likely”).  And yet, the burden of placing a legal “hold” on data, while often significant, certainly can be achieved without a formal document retention/deletion policy.  Again, the litigation “trigger” is key.

“Records” Aren’t the Focus

Continuing on this theme, but in a slightly different vector, there are differing opinions about the impact that the Rules have on “business records.”  This issue is nebulous since it is easy to confuse potentially relevant data corresponding to litigation with “business records,” which are often used in two different contexts.  Initially, there is the “business records” exception to the hearsay rule, which is quite specific and affects the admissibility of evidence in court.

The second, broader definition applies to organizations as they attempt to define a records management program to meet the numerous state, local and Federal mandates.  Commonly, as part of this complex initiative, companies will create records retention programs that specifically define official “records,” unofficial “records,” “non-records,” as well as specific retention periods for certain types of records.  Once the company’s records protocol is put into place there may be some downstream nexus with the Rules, but it won’t manifest itself until Federal court litigation arises, as described above.   The most common intersection occurs when a records retention policy prescribes a deletion event that contradicts the legal “hold” requirements for a record that is likely to be relevant to litigation.

In sum, the foregoing describes the role the FRCP plays in Federal court litigation.  It should be clear that the important, yet relatively narrow, use cases do not include any general compliance mandate in the absence of specific litigation.  I think it’s important to separate myth from reality when it comes to understanding how and when the revised Rules really do come into play.  Failure to do so can create an unpleasant scenario where your organization will either under- or over-prepare for these important litigation guidelines.

For those in regulated industries like financial services, where data retention policies are mandated, every keystroke is tracked and every phone call recorded, the question of how long you should keep data is moot: you keep it for as long as regulations demand.

But for the rest of us in manufacturing, media, technology, government, and elsewhere, it remains an open question. The answer to “what should our email and document retention policy be?” is often a political hot potato, pitting legal and IT’s goal of lower costs against the broader population’s desire to hang on to all their email, just in case they need it later. In fact, the only thing harder than agreeing a retention policy is enforcing it afterwards, as corporate users habitually keep more data than allowed, unless physically prevented from doing so.The reason this matters is that many people believe creating a data retention policy is a key part of implementing an e-discovery solution. I too used to think this way, viewing retention-policy-creation as a necessary rite of passage for legal, IT, and information security people who want to lower e-discovery costs. After all, if the #1 cause of higher e-discovery costs is too much data, then a policy reducing the amount of data looks like a low cost, no-brainer solution.

But life just does not work that way. Outside of the command-and-control environment of regulated industries, retention policies simply do not work. You cannot fight human nature and force people to delete information they want to keep – especially when Gmail, Yahoo Mail, Hotmail and others are training them to do precisely the opposite (i.e., never delete, keep everything) in their personal email accounts.

So, I have changed my mind: to anyone engaged in implementing an e-discovery solution in a non-regulated industry, I say: forget data retention policies, it is a red herring. Too much data is a fact of life that will only get worse. You can no more get people to delete email and documents than you can stop someone writing them in the first place. Instead, focus on the battle you can win by putting in an e-discovery solution that enables you to do two things:

1. Collect data efficiently, so that you have a reliable (defensible) way of getting the data you need. Implementing an email archive from HP, Symantec or others is a great way of approaching this, as is leveraging forensics tools from Guidance or Access Data.

2. Analyze the data up front, so that you can cull it down to only those documents relevant to the case before a human being has to review them. Clearwell’s e-discovery solution is one approach which has worked for a large number of enterprises.

If your experiences, or conclusions, differ from mine, then feel free to post a comment. I am particularly interested to hear about successful examples of data retention policies at non-regulated companies, since I have yet to see one.