e-discovery 2.0

It’s no surprise that the first industry to be heavily regulated regarding social media use was the financial services industry. The predominant factor that drove regulators to address the viral qualities of social media was the fiduciary nature of investing that accompanies securities, coupled with the potential detrimental financial impact these offerings could have on investors.

Although there is no explicit language in FINRA’s Regulatory Notices 10-06 (January 2010) or 11-30 (August 2011) requiring archival, the record keeping component of the notices necessitate social media archiving in most cases due to the sheer volume of data produced on social media sites. Melanie Kalemba, Vice President of Business Development at SocialWare in Austin, Texas states:

“Our clients in the financial industry have led the way, they have paved the road for other industries, making social media usage less daunting. Best practices for monitoring third-party content, record keeping responsibilities, and compliance programs are available and developed for other industries to learn from. The template is made.”

eDiscovery and Privacy Implications. Privacy laws are an important aspect of social media use that impact discoverability. Discovery and privacy represent layers of the Rubik’s cube in the ever-changing and complex social media environment. No longer are social media cases only personal injury suits or HR incidents, although those are plentiful. For example, in Largent v. Reed the court ruled that information posted by a party on their personal Facebook page was discoverable and ordered the plaintiff to provide user name and password to enable the production of the information. In granting the motion to compel the Defendant’s login credentials, Judge Walsh acknowledged that Facebook has privacy settings, and that users must take “affirmative steps” to keep their information private. However, his ruling determined that no social media privacy privilege exists: “No court has recognized such a privilege, and neither will we.” He further reiterated his ruling by adding, “[o]nly the uninitiated or foolish could believe that Facebook is an online lockbox of secrets.”

Then there are the new cases emerging over social media account ownership which affect privacy and discoverability. In the recently filed Phonedog v. Kravitz, 11-03474 (N.D. Cal.; Nov. 8, 2011), the lines between the “professional” versus the “private” user are becoming increasingly blurred. This case also raises questions about proprietary client lists, valuations on followers, and trade secrets  – all of which are further complicated when there is no social media policy in place. The financial services industry has been successful in implementing effective social media policies along with technology to comply with agency mandates – not only because they were forced to by regulation, but because they have developed best practices that essentially incorporate social media into their document retention policies and information governance infrastructures.

Regulatory Framework. Adding another Rubik’s layer are the multitude of regulatory and compliance issues that many industries face. The most active and vocal regulators for guidance in the US on social media have been FINRA, the SEC and the FTC. FINRA initiated guidance to the financial services industry, and earlier this month the SEC issued their alert. The SEC’s exam alert to registered investment advisers issued on January 4, 2012 was not meant to be a comprehensive summary for compliance related to the use of social media. Instead, it lays out staff observations of three major categories: third party content, record keeping and compliance – expounding on FINRA’s notice.

Last year the FTC issued an extremely well done Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.  Three main components are central to the report. The first is a call for all companies to build privacy and security mechanisms into new products – considering the possible negative ramifications at the outset, avoiding social media and privacy issues as an afterthought. The FTC has cleverly coined the notion, “Privacy by Design.” Second, “Just-In-Time” is a concept about notice and encourages companies to communicate with the public in a simple way that prompts them to make informed decisions about their data in terms that are clear and that require an affirmative action (i.e., checking a box). Finally, the FTC calls for greater transparency around data collection, use and retention. The FTC asserts that consumers have a right to know what kind of data companies collect, and should have access to the sensitivity and intended use of that data. The FTC’s report is intended to inform policymakers, including Congress, as they legislate on privacy – and to motivate companies to self-regulate and develop best practices. 

David Shonka, Principal Deputy General Counsel at the FTC in Washington, D.C., warns, “There is a real tension between the situations where a company needs to collect data about a transaction versus the liabilities associated with keeping unneeded data due to privacy concerns. Generally, archiving everything is a mistake.” Shonka arguably reinforces the case for instituting an intelligent archive, whether a company is regulated or not;  an archive that is selective about what it ingests based on content, and that has an appropriate deletion cycle applied to defined data types/content according to a policy. This will ensure expiry of private consumer information in a timely manner, but retains the benefits of retrieval for a defined period if necessary.

The Non-Regulated Use Case­. When will comprehensive social media policies, retention and monitoring become more prevalent in the non-regulated sectors? In the case of FINRA and the SEC, regulations were issued to the financial industry. In the case of the FTC, guidance had been given to companies regarding how to avoid false advertisement and protect consumer privacy. The two are not dissimilar in effect. Both require a social media policy, monitoring, auditing, technology, and training. While there is no clear mandate to archive social media if you are in a non-regulated industry, this can’t be too far away. This is evidenced by companies that have already implemented social media monitoring systems for reasons like brand promotion/protection, or healthcare companies that deal with highly sensitive information. If social media is replacing email, and social media is essentially another form of electronic evidence, why would social media not be part of the integral document retention/expiry procedures within an organization?

Content-based monitoring and archiving is possible with technology available today, as the financial sector has demonstrated. Debbi Corej, who is a compliance expert for the financial sector and has successfully implemented an intensive social media program, says it perfectly: “How do you get to yes? Yes you can use social media, but in a compliant way.” The answer can be found at LegalTech New York – January 30 @ 2:00pm.

It’s already a few weeks into the new year and it’s easy to spot the big lines at the gym, folks working on fad diets and many swearing off any number of vices.  Sadly perhaps, most popular resolutions don’t even really change year after year.  In the corporate world, though, it’s not good enough to simply recycle resolutions every year since there’s a lot more at stake, often with employee’s bonuses and jobs hanging in the balance.

It’s not too late to make information governance part of the corporate 2012 resolution list.  The reason is pretty simple – most companies need to get out of the reactive firefighting of eDiscovery given the risks of sloppy work, inadvertent productions and looming sanctions.  Yet, so many are caught up in the fog of eDiscovery war that they’ve failed to see the nexus between the upstream, proactive good data management hygiene and the downstream eDiscovery chaos.

In many cases the root cause is the disconnect between differing functional groups (Legal, IT, Information Security, Records Management, etc.).  This is where the emerging umbrella concept of Information Governance comes to play, serving as a way to tackle these information risks along a unified front. Gartner defines information governanceas the:

“specification of decision rights, and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information, … [including] the processes, roles, standards, and metrics that ensure the effective and efficient use of information to enable an organization to achieve its goals.”

Perhaps more simply put, what were once a number of distinct disciplines—records management, data privacy, information security and eDiscovery—are rapidly coming together in ways that are important to those concerned with mitigating and managing information risk. This new information governance landscape is comprised of a number of formerly discrete categories:

• Regulatory Risks – Whether an organization is in a heavily regulated vertical or not, there are a host of regulations that an organization must navigate to successfully stay in compliance.  In the United States these include a range of disparate regimes, including the Sarbanes-Oxley Act, HIPPA, the Securities and Exchange Act, the Foreign Corrupt Practices Act (FCPA) and other specialized regulations – any number of which require information to be kept in a prescribed fashion, for specified periods of time.  Failure to turn over information when requested by regulators can have dramatic financial consequences, as well as negative impacts to an organization’s reputation.

• Discovery Risks – Under the discovery realm there are any number of potential risks as a company moves along the EDRM spectrum (i.e., Identification, Preservation, Collection, Processing, Analysis, Review and Production), but the most lethal risk is typically associated with spoliation sanctions that arise from the failure to adequately preserve electronically stored information (ESI).  There have been literally hundreds of cases where both plaintiffs and defendants have been caught in the judicial crosshairs, resulting in penalties ranging from outright case dismissal to monetary sanctions in the millions of dollars, simply for failing to preserve data properly.  It is in this discovery arena that the failure to dispose of corporate information, where possible, rears its ugly head since the eDiscovery burden is commensurate with the amount of data that needs to be preserved, processed and reviewed.  Some statistics show that it can cost as much as $5 per document just to have an attorney privilege review performed.  And, with every gigabyte containing upwards of 75,000 pages, it is easy to see massive discovery liability when an organization has terabytes and even petabytes of extraneous data lying around.

• Privacy Risks – Even though the US has a relatively lax information privacy climate there are any number of laws that require companies to notify customers if their personally identifiable information (PII) such as credit card, social security, or credit numbers have been compromised.  For example, California’s data breach notification law (SB1386) mandates that all subject companies must provide notification if there is a security breach to the electronic database containing PII of any California resident.  It is easy to see how unmanaged PII can increase corporate risk, especially as data moves beyond US borders to the international stage where privacy regimes are much more staunch.

• Information Security Risks – Data breaches have become so commonplace that the loss/theft of intellectual property has become an issue for every company, small and large, both domestically and internationally.  The cost to businesses of unintentionally exposing corporate information climbed 7 percent last year to over $7 million per incident.  Recently senators asked the SEC to “issue guidance regarding disclosure of information security risk, including material network breaches” since “securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share.”  The senators cited a 2009 survey that concluded that 38% of Fortune 500 companies made a “significant oversight” by not mentioning data security exposures in their public filings.

Information governance as an umbrella concept helps organizations to create better alignment between functional groups as they attempt to solve these complex and interrelated data risk challenges.  This coordination is even more critical given the way that corporate data is proliferating and migrating beyond the firewall.  With even more data located in the cloud and on mobile devices a key mandate is managing data in all types of form factors. A great first step is to determine ownership of a consolidated information governance approach where the owner can:

• Get C-Level buy-in
• Have the organizational savvy to obtain budget
• Be able to define “reasonable” information governance efforts, which requires both legal and IT input
• Have strong leadership and consensus building skills, because all stakeholders need to be on the same page
• Understand the nuances of their business, since an overly rigid process will cause employees to work around the policies and procedures

Next, tap into and then leverage IT or information security budgets for archiving, compliance and storage.  In most progressive organizations there are likely ongoing projects that can be successfully massaged into a larger information governance play.  A great place to focus on initially is information archiving, since this one of the simplest steps an organization can take to improve their information governance hygiene.  With an archive organizations can systematically index, classify and retain information and thus establish a proactive approach to data management.  It’s this ability to apply retention and (most importantly) expiration policies that allows organizations to start reducing the upstream data deluge that will inevitably impact downstream eDiscovery processes.

Once an archive is in place, the next logical step is to couple a scalable, reactive eDiscovery process with the upstream data sources, which will axiomatically include email, but increasingly should encompass cloud content, social media, unstructured data, etc.  It is important to make sure  that a given  archive has been tested to ensure compatibility with the chosen eDiscovery application to guarantee that it can collect content at scale in the same manner used to collect from other data sources.  Overlaying both of these foundational pieces should be the ability to place content on legal hold, whether that content exists in the archive or not.

As we enter 2012, there is no doubt that information governance should be an element in building an enterprise’s information architecture.  And, different from fleeting weight loss resolutions, savvy organizations should vow to get ahead of the burgeoning categories of information risk by fully embracing their commitment to integrated information governance.  And yet, this resolution doesn’t need to encompass every possible element of information governance.  Instead, it’s best to put foundational pieces into place and then build the rest of the infrastructure in methodical and modular fashion.

On November 28, 2011, The White House issued a Presidential Memorandum that outlines what is expected of the 480 federal agencies of the government’s three branches in the next 240 days.  Up until now, Washington, D.C. has been the Wild West with regard to information governance as each agency has often unilaterally adopted its own arbitrary policies and systems.  Moreover, some agencies have recently purchased differing technologies.  Unfortunately,  with the President’s ultimate goal of uniformity, this centralization will be difficult to accomplish with a range of disparate technological approaches.

Particular pain points for the government traditionally include retention, search, collection, review and production of vast amounts of data and records.  Specifically, these pain points include examples of: FOIA requests gone awry, the issuance of legal holds across different agencies leading to spoliation, and the ever present problem of decentralization.

Why is the government different?

Old Practices. First, in some instances the government is technologically behind (its corporate counterparts) and is failing to meet the judiciary’s expectation that organizations effectively store, manage and discover their information.  This failing is self-evident via  the directive coming from the President mandating that these agencies start to get a plan to attack this problem.  Though different than other corporate entities, the government is nevertheless held to the same standards of eDiscovery under the Federal Rules of Civil Procedure (FRCP).  In practice, the government has been given more leniency until recently, and while equal expectations have not always been the case, the gap between the private and public sectors in no longer possible to ignore.

FOIA.  The government’s arduous obligation to produce information under the Freedom of Information Act (FOIA) has no corresponding analog for private organizations, who are responding to more traditional civil discovery requests.  Because the government is so large with many disparate IT systems, it is cumbersome to work efficiently through the information governance process across agencies and many times still difficult inside one individual agency with multiple divisions.  Executing this production process is even more difficult if not impossible to do manually without properly deployed technology.  Additionally, many of the investigatory agencies that issue requests to the private sector need more efficient ways to manage and review data they are requesting.  To compound problems, within the US government there are two opposing interests are at play; both screaming for a resolution, and that solution needs to be centralized.  On the one hand, the government needs to retain more than a corporation may need to in order to satisfy a FOIA request.

Titan Pulled at Both Ends. On the other hand, without classification of the records that are to be kept, technology to organize this vast amount of data and some amount of expiry, every agency will essentially become their own massive repository.  The “retain everything mentality” coupled with the inefficient search and retrieval of data and records is where they stand today.  Corporations are experiencing this on a smaller scale today and many are collectively further along than the government in this process, without the FOIA complications.

What are agencies doing to address these mandates?

In their plans, agencies must describe how they will improve or maintain their records management programs, particularly with regard to email, social media and other electronic communications.  They must also move away from such a paper-centric existence.  eDiscovery consultants and software companies are helping agencies through this process, essentially writing their plans to match the President’s directive.  The cloud conversation has been revisited, and agencies also have to explain how they will use cloud-based services and storage solutions, as well as identify gaps in existing laws or regulations that presently prevent improved management.  Small innovations are taking place.  In fact, just recently the DOJ added a new search feature on their website to make it easier for the public to find documents that have been posted by agencies on their websites.

The Office of Management and Budget (OMB), National Archives and Records Administration (NARA), and Justice Department will use those reports to come up with a government-wide records management framework that is more efficient, maintains accountability by documenting agency actions and promotes “appropriate” public access to records.  Hopefully, the framework they come up with will be centralized and workable on a realistic timeframe with resources sufficiently allocated to the initiative.

How much will this cost?

The President’s mandate is a great initiative and very necessary, but one cannot help but think about the costs in terms of money, time and resources when considering these crucial changes.  The most recent version of a financial services and general government appropriations bill in the Senate extends $378.8 million to NARA for this initiative.  President Obama appointed Steven VanRoekel as the United States CIO in August 2011 to succeed Vivek Kundra.  After VanRoekel’s speech at the Churchill Club in October of 2011, an audience member asked him what the most surprising aspect of his new job was.  VanRoekel said that it was managing the huge and sometimes unwieldy resources of his $80 billion budget.  It is going to take even more than this to do the job right, however.

Using conservative estimates, assume for an agency to implement archiving and eDiscovery capabilities as an initial investment would be $100 million.  That approximates $480 billion for all 480 agencies.  Assume a uniform information governance platform gets adopted by all agencies at a 50% discount due to the large contracts and also factoring in smaller sums for agencies with lesser needs.  The total now comes to $240 billion.  For context, that figure is 5% of what was spent by Federal Government ($4.76 trillion) on the biggest bailout in history in 2008. That leaves a need for $160 billion more to get the job done. VanRoekel also commented at the same meeting that he wants to break down massive multi-year information technology projects into smaller, more modular projects in the hopes of saving the government from getting mired in multi-million dollar failures.   His solution to this, he says, is modular and incremental deployment.

While Rome was not built in a day, this initiative is long overdue, yet feasible, as technology exists to address these challenges rather quickly.  After these 240 days are complete and a plan is drawn the real question is, how are we going to pay now for technology the government needed yesterday?  In a perfect world, the government would select a platform for archiving and eDiscovery, break the project into incremental milestones and roll out a uniform combination of solutions that are best of breed in their expertise.

Just like Marilyn Monroe stopped traffic in her white dress in The Seven Year Itch, enterprises are being stopped dead in their tracks by the data explosion, lack of information governance policies and overstuffed IT infrastructures.  During the 2004-05 timeframe, a large number of enterprises began migrating to an archive, and this trend has kept steady pace since.  Archiving historically began with email, but has been recently extended to many other forms of information, including social media, unstructured data and cloud content.  This adoption was somewhat related to the historic Zubulake ruling, that required preservation to attach upon “reasonable anticipation of litigation.”  Another significant driver behind the archive need is the ability to comply with a range of statutes and regulations.  The reality is it is difficult to preserve efficiently and defensibly without an archive and other automatic classification technologies.  Some companies still complete the information management and eDiscovery processes manually, but not without peril.

Currently, there is a sudden upsurge in corporations finally starting to shrink the archives that they implemented to manage email, legal preservation requirements and regulatory compliance.  After roughly seven years, over which time there have been many advances in technology, a shift in thinking is taking place with regard to information governance and data retention.  Change has been borne out of necessity, as infrastructures are suffering with the amount of data they are retaining and the pains associated with searching that data.  This shift will enable companies to delete with confidence, clean up their backup tapes, shrink their archives, and manage/expire data on a go-forward basis effectively.  Collectively, this type of good information governance hygiene allows organizations to minimize the litigation risk that’s attendant with bloated information stores.

One reason many archives have become so bloated is because many enterprises purchased archiving software, but did not properly enable expiry procedures according to a  defensible document retention policy.  This resulted in saving everything for the past seven or so years.  Another reason for retaining all data in the archive was because enterprises were afraid to delete anything fearing being accused of spoliation and/or the inability to retrieve data that should have been on legal hold.  These two reasons combined have resulted in companies being forced to address the impact of having to search this massive amount of data in the archive each time a matter arises.  The resulting workflow for data collection is time consuming and expensive, especially for companies that still employ third party vendors for data collection.  For many organizations, the situation has become unsustainable from both a legal and IT perspective.

In recent years, backup has been given less attention as archives have become more common, storage has become more affordable, and most lawyers argue that tapes are “inaccessible” – making restoration less common.  However, there is still an area of concern with regard to over-retention of backup, especially when organizations do not have an archive.  They may be required to produce backup tapes as much of the relevant information to a matter could be contained therein.  This has led to saving large numbers of backup tapes with no real knowledge of what data is on the tapes and no one wanting to be accountable for pulling the trigger on deletion.  When forced to restore backup tapes it can be expensive and an eDiscovery nightmare.

For example, in Moore v. Gilead Sciences (N.D. Ca. Nov. 16, 2011), the plaintiff sought production of “all archived emails” that he sent or received during his five-year tenure with the defendant pharmaceutical company.  The company objected to the request as being unduly burdensome.  The company argued that:

1. The emails were exclusively stored on its disaster recovery backup tapes;
2. It would cost $360,000 to index those tapes, exclusive of processing and review costs;
3. Many of the requested emails would not be retrieved since the company conducted its backups on monthly (not daily) intervals; and
4. Over 25,000 pages of the plaintiff’s emails had already been produced in the litigation.

It is common for the inaccessibility and unduly burdensome arguments to be made with regard to backup tapes to combat indexing and restoration.  However, where a discovery dispute has merit, courts routinely reject projected cost estimates (such as the company’s $360,000 figure) as being unfounded/speculative and order production nevertheless.  [See Pippins v. KPMG and Escamilla v. SMS Holdings Corp.]  Had the judge gone the other way on restoration in Moore, the outcome could have easily been different, expensive and detrimental to the company.

What does this mean for organizations keeping seven years or more of legacy content?  Firstly, take inventory on where backup tapes reside and determine if they need to be saved or if they can be deleted.  Most corporations have amassed many tapes that are only a legal liability at this point.  Technology exists today that can index and search what is on the tapes, enabling educated decisions to then be made about whether to delete and/or transfer to the archive for legal hold.  Essentially, new technology can give sight to the blind.  Those decisions must be made according to a plan and documented.  Backup should only be for disaster recovery.

Secondly, purchase an archive if the company does not yet have one and configure the archive to expire data according to the document retention policy that can protect the company’s data decisions under Safe Harbor laws.

Is the company experiencing what many others are right now, which is an archive that is bursting at the seams? If the company does have an archive, check to see if expiry has been properly deployed according to the company’s policy.  If not, initiate a project to free up the archive from information retention that is unnecessary and that should not be subject to discovery.  Again, this must be documented.  Archives are for discovery and they need to be lean, efficient, and executing the information management lifecycle.

Avoid the request for backup tapes in litigation by having a sufficient archive and clearly stating that backup tapes are solely for disaster recovery. Delete tapes when possible by analyzing what is on them with appropriate technology and through a documented process that will eliminate the possibility of them being discoverable in litigation.

In sum, it is very helpful to examine the EDRM model and carve out what technologies and policies will apply to each aspect of the continuum.  For the challenges addressed in this blog, backup tapes fall under information management as does an archive all the way to the left of the model.  Backup tapes need search and expiry in order to retain only what is necessary for legal hold and should be ingested into an archive;  then, the company’s disaster recovery policies should be enforced on a go-forward basis.  Similarly, the archive needs search and expiration according to document retention policies so it does not become overgrown. From left to right, the model logically walks through the lifecycle of data, and many of the responsibilities associated with the data can be automated.  This project will require commitment, resources and time, but in light of the fact that data is only growing, there aren’t any other options.

As 2011 comes quickly to a close we’ve attempted, as in years past, to do our best Carnac impersonation and divine the future of eDiscovery.  Some of these predictions may happen more quickly than others, but it’s our sense that all will come to pass in the near future – it’s just a matter of timing.

1. Technology Assisted Review (TAR) Gains Speed.  The area of Technology Assisted Review is very exciting since there are a host of emerging technologies that can help make the review process more efficient, ranging from email threading, concept search, clustering, predictive coding and the like.  There are two fundamental challenges however.  First, the technology doesn’t work in a vacuum, meaning that the workflows need to be properly designed and the users need to make accurate decisions because those judgment calls often are then magnified by the application.  Next, the defensibility of the given approach needs to be well vetted.  While it’s likely not necessary (or practical) to expect a judge to mandate the use of a specific technological approach, it is important for the applied technologies to be reasonable, transparent and auditable since the worst possible outcome would be to have a technology challenged and then find the producing party unable to adequately explain their methodology.
2. The Custodian-Based Collection Model Comes Under Stress. Ever since the days of Zubulake, litigants have focused on “key players” as a proxy for finding relevant information during the eDiscovery process.  Early on, this model worked particularly well in an email-centric environment.  But, as discovery from cloud sources, collaborative worksites (like SharePoint) and other unstructured data repositories continues to become increasingly mainstream, the custodian-oriented collection model will become rapidly outmoded because it will fail to take into account topically-oriented searches.  This trend will be further amplified by the bench’s increasing distrust of manual, custodian-based data collection practices and the presence of better automated search methods, which are particularly valuable for certain types of litigation (e.g., patent disputes, product liability cases).
3. The FRCP Amendment Debate Will Rage On – Unfortunately Without Much Near Term Progress. While it is clear that the eDiscovery preservation duty has become a more complex and risk laden process, it’s not clear that this “pain” is causally related to the FRCP.  In the notes from the Dallas mini-conference, a pending Sedona survey was quoted referencing the fact that preservation challenges were increasing dramatically.  Yet, there isn’t a consensus viewpoint regarding which changes, if any, would help improve the murky problem.  In the near term this means that organizations with significant preservation pains will need to better utilize the rules that are on the books and deploy enabling technologies where possible.
4. Data Hoarding Increasingly Goes Out of Fashion. The war cry of many IT professionals that “storage is cheap” is starting to fall on deaf ears.  Organizations are realizing that the cost of storing information is just the tip of the iceberg when it comes to the litigation risk of having terabytes (and conceivably petabytes) of unstructured, uncategorized and unmanaged electronically stored information (ESI).  This tsunami of information will increasingly become an information liability for organizations that have never deleted a byte of information.  In 2012, more corporations will see the need to clean out their digital houses and will realize that such cleansing (where permitted) is a best practice moving forward.  This applies with equal force to the US government, which has recently mandated such an effort at President Obama’s behest.
5. Information Governance Becomes a Viable Reality.  For several years there’s been an effort to combine the reactive (far right) side of the EDRM with the logically connected proactive (far left) side of the EDRM.  But now, a number of surveys have linked good information governance hygiene with better response times to eDiscovery requests and governmental inquires, as well as a corresponding lower chance of being sanctioned and the ability to turn over less responsive information.  In 2012, enterprises will realize that the litigation use case is just one way to leverage archival and eDiscovery tools, further accelerating adoption.
6. Backup Tapes Will Be Increasingly Seen as a Liability.  Using backup tapes for disaster recovery/business continuity purposes remains a viable business strategy, although backing up to tape will become less prevalent as cloud backup increases.  However, if tapes are kept around longer than necessary (days versus months) then they become a ticking time bomb when a litigation or inquiry event crops up.
7. International eDiscovery/eDisclosure Processes Will Continue to Mature. It’s easy to think of the US as dominating the eDiscovery landscape. While this is gospel for us here in the States, international markets are developing quickly and in many ways are ahead of the US, particularly with regulatory compliance-driven use cases, like the UK Bribery Act 2010.  This fact, coupled with the menagerie of international privacy laws, means we’ll be less Balkanized in our eDiscovery efforts moving forward since we do really need to be thinking and practicing globally.
8. Email Becomes “So 2009” As Social Media Gains Traction. While email has been the eDiscovery darling for the past decade, it’s getting a little long in the tooth.  In the next year, new types of ESI (social media, structured data, loose files, cloud context, mobile device messages, etc.) will cause headaches for a number of enterprises that have been overly email-centric.  Already in 2011, organizations are finding that other sources of ESI like documents/files and structured data are rivaling email in importance for eDiscovery requests, and this trend shows no signs of abating, particularly for regulated industries. This heterogeneous mix of ESI will certainly result in challenges for many companies, with some unlucky ones getting sanctioned because they ignored these emerging data types.
9. Cost Shifting Will Become More Prevalent – Impacting the “American Rule.” For ages, the American Rule held that producing parties had to pay for their production costs, with a few narrow exceptions.  Next year we’ll see even more courts award winning parties their eDiscovery costs under 28 U.S.C. §1920(4) and Rule 54(d)(1) FRCP. Courts are now beginning to consider the services of an eDiscovery vendor as “the 21st Century equivalent of making copies.”
10. Risk Assessment Becomes a Critical Component of eDiscovery. Managing risk is a foundational underpinning for litigators generally, but its role in eDiscovery has been a bit obscure.  Now, with the tremendous statistical insights that are made possible by enabling software technologies, it will become increasingly important for counsel to manage risk by deciding what types of error/precision rates are possible.  This risk analysis is particularly critical for conducting any variety of technology assisted review process since precision, recall and f-measure statistics all require a delicate balance of risk and reward.

Fulbright & Jaworski has conducted their Litigation Trends survey for nearly the past decade and the results are always interesting since they tend to capture the mindset of inside counsel and litigators as they anticipate the upcoming year.  In their 8th Annual Litigation Trends Survey, Fulbright noted that 92% of U.S. respondents predict that litigation will either increase or stay the same in the upcoming year.  This trend bodes well for players in the litigation services and eDiscovery sectors, and confirms the counter cyclical nature of the industry.  Breaking down the perceived increases across industry verticals, the Survey noted that the biggest anticipated jumps were in the technology, financial services, healthcare and insurance sectors.  Meanwhile energy (the leading sector from the prior year) was one of the few that predicted a decrease.

Going behind the scenes, there were a number of factors that caused respondents to predict litigation increases.  First and foremost, respondents indicated that “stricter regulation was the number one reason” for the increases, particularly with insurance, financial services, health care and retail sectors.  These concerns around regulatory compliance have been increasingly keeping GCs and corporate boards awake as the governance climate continues to heat up.  This regulation driver showed a demonstrable increase with 46% of all respondents having retained outside counsel to assist with regulatory proceedings, up from 37% in the prior year.  The Survey noted that U.S. companies facing a regulatory investigation were most likely to be under pressure from the DOJ (27%), State Attorney General (24%), OSHA (18%), the EPA (16%) and U.S. Attorney (13%).  Also on the regulatory front, U.S. respondents have increasingly begun to recognize the potential jurisdictional reach of the U.K. Bribery Act, with 25% of U.S. companies stating that they have already conducted a review of existing procedures in preparation for implementation.

In addition to managing risk, most in-house counsel are keenly concerned with controlling litigation costs.  The good news here is that associated costs are predicted to be generally flat.  Yet, eDiscovery remained the largest category targeted for increased spending, with 18% of respondents making this their top priority.  Interestingly, though, large enterprises seem to have been doing a good job of getting eDiscovery expenses under control (likely by taking expensive elements of the EDRM in-house), with these expenses declining among the largest companies, from 42% last year to 24% this year.

The Survey noted that the use of cloud computing has gained speed, with 34% of all public companies using the cloud.  And yet, only 40% of those companies using cloud computing have had “to preserve and/or collect data from the cloud in connection with actual or threatened litigation, disputes or investigations.”  This number appears curiously light, and it should definitely rise during the upcoming year as the plaintiff’s bar gets more savvy about this relatively new source of responsive electronically stored information (ESI).

On the narrower eDiscovery front, the Survey honed in on newer issues like cooperation.  Here, the Survey noted that this Sedona-sponsored concept still hasn’t completely taken hold, with nearly 40% of all respondents claiming that “their company has not made the effort to be more transparent or cooperative” due to a litigation strategy of “defending on all fronts.”  This area appears particularly muddled, with one third saying their previous attempts haven’t been reciprocated and another quarter feeling that their company was already transparent.

All in all,  the 2011 Fulbright Litigation Trends Survey notes trends that appear to be largely in line with the primary drivers of (1) managing risk and (2) lowering litigation costs.  On the risk side, compliance with an increasingly complex regulatory environment is offsetting any potential lull in the litigation environment.  And, on the cost side, eDiscovery continues to be a hot button issue, particularly with the relatively new challenges associated with ESI distributed on social media, cloud computing and mobile sources.

The data explosion that has burdened organizations across the globe for the past decade has become increasingly expensive to manage.  Many experts point to storage as the most obvious culprit for higher information governance costs.  There are, however, other factors driving those costs.  For example, demands for electronically stored information in legal and regulatory proceedings have significantly increased expenses surrounding data management.  Those demands have forced organizations to meet the high expectations that courts and regulatory bodies have for how they address their information or face the consequences.

Those consequences include sanctions and regulatory fines for groups that fail to account for how they store, manage and discover their information.  The $919 million verdict rendered in the E.I. du Pont de Nemours v. Kolon Industries case is paradigmatic of this trend.  That verdict was inextricably intertwined with the court’s instruction to the jury that executives and employees for defendant Kolon Industries deleted key evidence after the company’s preservation duty was triggered.

Going to Cloud Services for Data Archiving and eDiscovery

These rising data costs – and the risks they pose – are driving organizations to explore new technologies and methods for managing their data.  The latest alternative to traditional on-premise solutions involves leveraging cloud-based services.

The hype surrounding the cloud has generally focused on the opportunity for cheap and unlimited storage.  While cost effective data storage is important, that factor alone should not be determinative for selecting a cloud service provider.  Organizations must have the actual – not theoretical – ability to retrieve their data and do so in real time.  Otherwise, they may not be able to satisfy legal or regulatory requests, let alone the day-to-day demands of their operations.

In an analogous context, courts have traditionally compelled paper document productions even though the requested materials may be buried in a messy warehouse.  In one such case from this year, a U.S. district court in New York ordered a company to turn over decades-old records that were commingled with other materials in poorly labeled, shrink-wrapped boxes.  The court reasoned that disorganized record-keeping should not excuse an organization from producing relevant information.  See Brooks v. Macy’s (S.D.N.Y. May 6, 2011).

The rationale from the Brooks case is equally applicable to cloud-based services.  Cloud-based data must be intelligently organized so that companies can retrieve data in a timely fashion for business and legal purposes.  Otherwise, the savings achieved through cheap storage will be negated by the resulting legal quagmire.

Paring Back Superfluous and Duplicative Information

To facilitate the data retrieval process, the right cloud service provider should have the capacity to implement and observe applicable company retention policies.  An effective retention policy will generally help a company retain information that must be kept for business, legal or regulatory purposes – and nothing else.  The service provider should enable automated retention rules to ensure that information is kept only for a designated time period.  This will allow data to be expired once it reaches the end of that period.  And by expiring that data, the company will limit the amount of potentially relevant information available for follow-on litigation.

The pool of information can also be decreased through single instance storage.  This deduplication technology eliminates redundant data by preserving only a master copy of each document placed into the cloud.  This will reduce the amount of data that needs to be identified, collected and reviewed as part of the electronic discovery process.  For while unlimited data storage may seem ideal now, reviewing unlimited amounts of data will quickly become a logistical and costly nightmare.

Tools to Facilitate Discovery

A cloud service provider should ideally have eDiscovery functionality.  At a minimum, the service provider should be able to deploy legal holds to prevent users or automated policies from overwriting and destroying data.  Advanced search capabilities should also be included within the cloud-based service to reduce the amount of data that must be analyzed and then reviewed.  Moreover, the provider should support compatible load formats for export to third party review software.

Another key discovery issue is whether the cloud service provider can establish a clear audit trail for transmissions of company data.  Since information could be modified in transit by the routine operation of a service provider’s computer systems, an audit trail is necessary to prove that company documents and their metadata were not affected or otherwise compromised during transmission.  Without this assurance, a company may not be able to demonstrate the authenticity of its data before a tribunal or comply with key regulations.

A cloud server provider that can quickly retrieve and efficiently discover data has the potential to help organizations address their legal and regulatory demands in a cost effective manner.  Such a provider may be just the solution for organizations that are looking to properly address their runaway information governance costs.

The Advisory Committee on Civil Rules recently announced that a “mini-conference” has been scheduled to discuss potential amendments to the Federal Rules of Civil Procedure (FRCP) that could change the way preservation and sanction issues are handled throughout the federal court system today.  The mini-conference is scheduled for September 9^th in Dallas, Texas and will be led by the Discovery Subcommittee – a committee appointed by the Advisory Committee.

The mini-conference is important because it is part of a seven step process that could ultimately lead to new rule amendments affecting all litigators and the organizations they represent.  Any new rule proposals developed by the subcommittee at the September mini-conference will be considered by the Advisory Committee this November in Washington D.C.   The proposals, in one form or another, could ultimately become law.  Both Supreme Court and Congressional approval are ultimately required, so don’t expect any rule changes to go into effect before 2013.

A key focus of the meeting is to investigate whether or not new preservation or sanctions amendments are necessary.  Some, including former US Magistrate Judge Ronald Hedges, feel that it’s too early to consider changing the rules on the heels of the 2006 amendments.  If the Subcommittee decides rule amendments are necessary to address current issues, then the question becomes what rule changes should be made.  Given the controversy surrounding the preservation of electronically stored information (ESI) and an increasing number of eDiscovery-related sanctions, the discussion is likely to create plenty of healthy debate about when the duty to preserve evidence should be triggered and when sanctions are warranted.

In the words of the Subcommittee, “anxiety bordering on anguish” has resulted from uncertainty related to the beginning, scope and duration of the duty to preserve evidence and the concomitant risk of sanctions for spoliation.  In other words, organizations routinely exposed to the possibility of sanctions are crying out for language that clarifies when the duty to preserve ESI is triggered, what must be preserved, and when the duty expires.  One challenge the Subcommittee faces if they decide to propose rule changes, is figuring out how to address these cries for more specific guidelines without sacrificing fairness.

For example, some may favor a rule amendment stating that the duty to preserve evidence is triggered only after a complaint has been served.  Although this bright line rule provides certainty in terms of when the duty to preserve evidence is triggered, it could certainly lead to unfair results where bad actors simply delete damaging evidence as soon as they anticipate being served.  This approach would also likely lead to a race to the courthouse and more lawsuits in an already heavily burdened court system, since filing a complaint would be required to trigger preservation requirements for opponents.

The inherent conflict between the desire for bright line rules and the need for flexibility in a fact-driven profession is likely to test the mettle of the Subcommittee in September.  To help frame the discussion, attendees have been asked to consider a number of questions related to the nature and scope of the problem, technology related issues, and possible solutions.  A complete list of attendees and the questions they have been asked to consider are contained in the Advisory Committee’s June 29, 2011 memorandum.  Some of the questions below provide a glimpse into the complexity of the issues to be discussed:

To what extent are you finding that preservation of ESI is a problem in your organization or practice?

Has technology helped you reduce review costs?  How?

What implications will cloud computing have for civil litigation?

How would a rule help reduce some of the costs you are incurring?

Although no formal rule amendments have been proposed, the mini-conference will consider three possible approaches crafted in April of this year.  Stay tuned for my next blog post discussing the differences between these proposals and what it means if they are adopted.

Clearwell just announced major enhancements to our Identification and Collection Module that together usher in a new generation of targeted collection capabilities for e-discovery. Why are we excited about this? Because it promises to provide our customers with a dramatic increase in their ability to perform quick and efficient collections across the enterprise with a small fraction of the cost and effort traditionally required.

Before Clearwell, vendors could only rely on building their own indexes when attempting to collect content by keyword from unstructured document sources. They did this in one of two ways.

The first method was to build one-off indexes with each collection, indexing content and then discarding the index after collection is complete. This minimized the amount of infrastructure required to maintain the index, but was painfully slow and wasteful of computing and network resources. These sorts of solutions came from vendors who originally focused on the forensic investigation side of the world, whose tools had been designed around small-scale collection from individual devices and hard drives. Unfortunately, they simply don’t scale to meet the demands of today’s large enterprises with their ever-increasing data volumes.

The second method was to attempt to create an uber-index of all of the information in an enterprise and keep it continually updated so that it would be ready at a moment’s notice for your collection needs. This approach proved to be incredibly challenging to implement, required a huge amount of infrastructure to maintain, and, worst of all, didn’t really work: creating the uber-index, as it turns out, was uber-difficult.

In talking with hundreds of customers over the last couple of years, we realized that there was a better “third way,” which combined the lightweight nature of the first method with the comprehensiveness of the second. How? By leveraging the indexes that enterprises already have in place. From comprehensive, robust archiving solutions like Symantec Enterprise Vault to the fully-searchable indexes found on Microsoft SharePoint, Exchange, and file servers, the way of finding the information you need quickly for e-discovery is, by and large, already out there. It’s simply a matter of building an e-discovery platform sophisticated enough to leverage those indexes and, when necessary, be intelligent enough to build its own when not available from another source. That’s exactly what we’ve done with Clearwell’s targeted keyword collection feature.

One of the most exciting things about this approach is that, while it works great for today’s enterprise information infrastructure, it is perhaps even more powerful in tomorrow’s. As your company’s information stores gradually shift toward the cloud, leveraging the indexes in the cloud becomes essential to being able to access the information that lives there in a fast and efficient manner. It’s simply not feasible to be able to use the “one-off” or “uber-index” approaches when data is living in a cloud infrastructure, since data access rates are often slower because they are occurring over a wider-area network.  Last year, Clearwell was the first e-discovery platform to support direct access of cloud Exchange and SharePoint environments, and now with keyword collection we have made another great stride forward in achieving our customer’s vision for next generation e-discovery. And there’s still more to come as we accelerate our product development by integrating with Symantec’s world-class information management team. Stay tuned!

In a prior post a few months ago, I wrote about the electronic discovery challenges that the duty to preserve electronically stored information (ESI) imposed on a cloud-based computing environment. Following that post, we will continue to examine another area that the Federal Rules of Civil Procedures (FRCP) requires with respect to document production. As stated, the FRCP Rule 34 (a) (1) offers guidelines on the duty to:

“…produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control.”

The key phrase “possession, custody or control” is something to be examined more closely in the context of Cloud Computing environments, where typically the cloud customer is the party in control and the cloud service provider is the party in possession and custody. In cases where the cloud customer is the party in litigation, it is natural to serve pre-trial a discovery request under Rule 26 (b) to the cloud customer and expect that since they are the party in control, and can therefore instruct the cloud provider to perform at least some form of collections. Now the question that remains is whether the same request can be made of the cloud provider, since they are the party in possession and/or custody. It is evident that requesting the cloud provider to perform a discovery request on behalf of their customers is impractical since any assertion of privilege or confidentiality would require the cloud customer to be involved in the discovery request. Besides, the cloud provider producing documents without consent from the customer of the cloud would run afoul of the Stored Communications Act (SCA). For these reasons, the broader three-pronged test of “possession, custody or control” embodied in Rule 34 (a)(1) should be revised to mean only “party in control”.

This view is supported in the seminal decision on Flagg v. City of Detroit, Slip Copy, 2008 WL 787061 (E.D.Mich.) . A great analysis of this case by Timothy Ackermann is available in The Federal Lawyer, November/December 2009 article, titled Consent and Discovery under the Stored Communications Act . As stated, when it comes to the application of “possession, custody or control”, the most significant test for cloud based deployments is “control”. For the cloud customer, “possession and custody” are not relevant, because in a strict sense, it is the cloud provider that can claim possession and custody. However, the cloud customer is clearly in “control” of the data, as evidenced by pretty much every service contract that gives the customer “the legal right to obtain the documents on demand”. Also, the cloud customer has the right to give “consent” to the cloud service provider to make the documents available. Thus, a cloud customer cannot claim that since they did not have “possession or custody”, the e-discovery obligations cannot be waived.

From the cloud provider’s perspective, the mere fact they have “possession or custody” does not require them to produce documents, unless the cloud customer gives lawful consent per the Stored Communications Act. Yet again, for the application of FRCP electronic discovery34(a)(1) , we find that the party in control over the data is the one that determines discoverability of data in the cloud. In contrast, the third party that is merely in possession or custody is not required to produce responsive ESI, given the provisions of the SCA. As noted in Flagg v. City of Detroit, the district court did not find the need to consider the issue of having a subpoena issued to the cloud provider (SkyTel Communications), since the required evidence was more easily acquired by an e-discovery request to the cloud customer (City of Detroit). A similar argument is made in the Crispin v. Audigier Inc., a case involving postings on familiar social networking sites, Facebook and MySpace. Here, District Judge Margaret M. Morrow goes to great lengths explaining why the provider is not required to produce documents based on protections offered by the SCA.

In summary, the nature of cloud deployments and their usage redefines the scope of ESI to those that the customer has control. Regardless of the interpretation of Rule 34, common sense dictates that the cloud provider and cloud user cooperate when it comes to e-discovery requests. Of course, one of the challenges with cloud deployments is the SCA and its interpretation for cloud-resident ESI. This will be the subject of my next post.

Learn More Litigation Software & Electronic Discovery Litigation