
Posts Tagged ‘email archive’

Conducting eDiscovery in Glass Houses: Are You Prepared for the Next Stone?

Monday, August 27th, 2012

Electronic discovery has been called many names over the years. “Expensive,” “burdensome” and “endless” are just a few of the adjectives that, rightly or wrongly, characterize this relatively new process. Yet a more fitting description may be that of a glass house since the rights and responsibilities of eDiscovery inure to all parties involved in litigation. Indeed, like those who live in glass houses, organizations must be prepared for eDiscovery stones that will undoubtedly be thrown their way during litigation. This potential reciprocity is especially looming for those parties who “cast the first stone” with accusations of spoliation and sanctions motions. If their own eDiscovery house is not in order, organizations may find their home loaded with the glass shards of increased litigation costs and negative publicity.

Such was the case in the blockbuster patent dispute involving technology titans Apple and Samsung Electronics. In Apple, the court first issued an adverse inference instruction against Samsung to address spoliation charges brought by Apple. In particular, the court faulted Samsung for failing to circulate a comprehensive litigation hold instruction when it first anticipated litigation. This eventually culminated in the loss of emails from several key Samsung custodians, inviting the court’s adverse inference sanction.

However, while Apple was raising the specter of spoliation, it had failed to prepare its own eDiscovery glass house for the inevitable stones that Samsung would throw. Indeed, Samsung raised the very same issues that Apple had leveled against Samsung, i.e., that Apple had neglected to implement a timely and comprehensive litigation hold to prevent wholesale destruction of relevant email. Just like Samsung, Apple failed to distribute a hold instruction until several months after litigation was reasonably foreseeable:

As this Court has already determined, this litigation was reasonably foreseeable as of August 2010, and thus Apple’s duty to preserve, like Samsung’s, arose in August 2010. . . . Notwithstanding this duty, Apple did not issue any litigation hold notices until after filing its complaint in April 2011.

Moreover, Apple failed to issue hold notices to several designers and inventors on the patents at issue until many months after the critical August date. These shortcomings, coupled with evidence suggesting that Apple employees were “encouraged to keep the size of their email accounts below certain limits,” ultimately led the court to conclude that Apple destroyed documents after its preservation duty ripened. To address Apple’s spoliation, the court issued an adverse inference identical to the instruction it levied on Samsung.[1]

While there are many lessons learned from the Apple case, perhaps none stands out more than the “glass house” rule: an organization that calls the other side’s preservation and production efforts into doubt must have its own house prepared for reciprocal allegations. Such preparations include following the golden rules of eDiscovery and integrating upstream information retention protocols into downstream eDiscovery processes. By making such preparations, organizations can reinforce their glass eDiscovery house with the structural steel of information governance, lessening the risk of sanctions and other negative consequences.



[1] The district court modified and softened the magistrate’s original instruction issued against Samsung given the minor prejudice that Apple suffered as a result of Samsung’s spoliation. The revised instruction against Samsung, along with the matching instruction against Apple, was ultimately never read to the jury given their offsetting nature.

FOIA Matters! — 2012 Information Governance Survey Results for the Government Sector

Thursday, July 12th, 2012

At this year’s EDGE Summit in April, Symantec polled attendees about a range of government-specific information governance questions. The attendees were primarily members of IT and Legal, as well as Freedom of Information Act (FOIA) agents, government investigators and records managers. The main purpose of the EDGE survey was to gather attendees’ thoughts on what information governance means for their agencies, discern what actions were being taken to address Big Data challenges, and assess how far along agencies were in their information governance implementations pursuant to the recent Presidential Mandate.

As my colleague Matt Nelson’s blog recounts from the LegalTech conference earlier this year, information governance and predictive coding were among the hottest topics at the LTNY 2012 show and in the industry generally. The EDGE Summit correspondingly held sessions on those two topics, and delved deeper into questions that are unique to the government. For example, when asked what the top driver for implementation of an information governance plan in an agency was, three out of four respondents answered “FOIA.”

The fact that FOIA was listed as the top driver for government agencies planning to implement an information governance solution is in line with data reported by the Department of Justice (DOJ) from 2008-2011 on the number of requests received. In 2008, 605,491 FOIA requests were received. This figure grew to 644,165 in 2011. While the increase in FOIA requests is not enormous percentage-wise, what is significant is the reduction in backlogs for FOIA requests. In 2008, there was a backlog of 130,419 requests, which had decreased to 83,490 by 2011. This is likely due to the implementation of newer and better technology, coupled with the fact that the current administration has made FOIA request processing a priority.

In 2009, President Obama directed agencies to adopt “a presumption in favor” of FOIA requests for greater transparency in the government. Agencies have been under pressure from the President to improve the response time to (and completeness of) FOIA requests. Washington Post reporter Ed O’Keefe wrote,

“a study by the National Security Archive at George Washington University and the Knight Foundation, found approximately 90 federal agencies are equipped to process FOIA requests, and of those 90, only slightly more than half have taken at least some steps to fulfill Obama’s goal to improve government transparency.”

Agencies are increasingly focused on complying with FOIA and will continue to improve their IT environments with archiving, eDiscovery and other proactive records management solutions in order to increase access to data.

Not far behind FOIA requests on the list of reasons to implement an information governance plan were “lawsuits” and “internal investigations.” Fortunately, any comprehensive information governance plan will axiomatically address FOIA requests since the technology implemented to accomplish information governance inherently allows for the storage, identification, collection, review and production of data regardless of the specific purpose. The use of information governance technology will not have the same workflow or process for FOIA that an internal investigation would require, for example, but the tools required are the same.

The survey also found that the top three most important activities surrounding information governance were: email/records retention (73%), data security/privacy (73%) and data storage (72%). These concerns are being addressed modularly by agencies with technology like data classification services, archiving, and data loss prevention technologies. In-house eDiscovery tools are also important as they facilitate the redaction of personally identifiable information that must be removed in many FOIA requests.

It is clear that agencies recognize the importance of managing email/records for the purposes of FOIA, and this is an area of concern not only in light of the data explosion, but also because 53% of respondents reported they are responsible for classifying their own data. Respondents have connected the concept of information governance with records management and the ability to execute more effectively on FOIA requests. Manual classification is rapidly becoming obsolete as data volumes grow, and is being replaced by automated solutions in successfully deployed information governance plans.

Perhaps the most interesting piece of data from the survey was the disclosure of what was preventing governmental agencies from implementing information governance plans. The top inhibitors for the government were “budget,” “internal consensus” and “lack of internal skill sets.” Contrasted with the LegalTech Survey findings from 2012 on information governance, with respondents predominantly from the private sector, the government’s concerns and implementation timelines are slightly different. In the EDGE survey, only 16% of the government respondents reported that they have implemented an information governance solution, contrasted with the 19% of the LegalTech audience. This disparity is partly because the government lacks the budget and the proper internal committee of stakeholders to sponsor and deploy a plan, but the relatively low numbers in both sectors indicate the nascent state of information governance.

In order for a successful information governance plan to be deployed, “it takes a village,” to quote Secretary Clinton. Without prioritizing coordination between IT, legal, records managers, security, and the other necessary departments on data management, merely having the budget only purchases the technology and does not ensure true governance. In this year’s survey, 95% of EDGE respondents were actively discussing information governance solutions. Over the next two years the percentage of agencies that will submit a solution is expected to triple from 16% to 52%. With the directive on records management due this month by the National Archives Records Administration (NARA), the government agencies will have clear guidance on what the best practices are for records management, and this will aid the adoption of automated archiving and records classification workflows.

The future is bright with the initiative by the President and NARA’s anticipated directive to examine the state of technology in the government. The EDGE survey results support the forecast, provided budget can be obtained, that agencies will be in an improved state of information governance within the next two years. This will improve FOIA request compliance, make litigation with the government more efficient and increase agencies’ ability to effectively conduct internal investigations.

Many would have projected that the results of the survey question on what drives information governance in the government would be litigation, internal investigations, and FOIA requests respectively. And yet, FOIA has recently taken on a more important role given the Obama administration’s focus on transparency and the increased number of requests by citizens. While any one of the drivers could have facilitated updates in process and technology the government clearly needs, FOIA has positive momentum behind it and seems to be the impetus primarily driving information governance. Fortunately, archiving and eDiscovery technology, only two parts of the information governance continuum, can help with all three of the aforementioned drivers with different workflows.

Later this month we will examine NARA’s directive and what the impact will be on the government’s technology environment – stay tuned.

The Demise of The News of the World: An Analysis of “Hackgate” Through an eDiscovery Lens

Friday, June 1st, 2012

The events surrounding the troubled News Corporation media empire, under investigation for the illegal seizure of electronic evidence (ESI), are seemingly never-ending. The Australian billionaire Rupert Murdoch is chairman of the New York-based parent company, News Corporation, and as a U.S. based company with subsidiaries abroad, the litigation exposure for the company is vast. News International, a U.K. subsidiary of News Corporation, shut down one of their oldest running publications, The News of the World, in July last year amid the monumental phone hacking scandal known as Hackgate. Although the paper was dissolved, allegations beginning as early as 2002 detail unethical media practices, email/phone (voicemail)/text hacking, police bribery, and the recent Leveson inquiry. This firestorm continues to plague the company and has created one of the most complex legal debacles of the modern era.

A myriad of reasons are responsible for these legal complexities that continue to unfold, including: active civil/criminal actions in both U.S. and U.K. jurisdictions, questions about how evidence has been obtained and the subsequent admissibility in differing jurisdictions, public inquiries in the U.K., as well as investigations by the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice under the Foreign Corrupt Practices Act (FCPA). Under the FCPA, American companies are prohibited from compensating representatives of a foreign government for a commercial advantage. This is particularly poignant given the recently released text messages uncovered in the Leveson inquiry, which expose alleged illegal communications between Frederic Michel, a lobbyist for News Corporation, and Jeremy Hunt, the Secretary of State for Culture, Olympics, Media and Sport, during News Corporation’s bid to acquire BSkyB during 2010-11. The bid has since been abandoned and so have Murdoch’s attempts to create the largest media empire in the world.

eDiscovery and Hackgate

To date, there have been more than 60 civil claims brought in the U.K. derived from Hackgate (many have been privately settled), not including any U.S. litigation, Operation Weeting, the Leveson inquiry, and other various concurrent investigations. Several key disclosure orders from the High Court in these civil cases have resulted in extensive discovery that points to not only a conspiracy, but to the willful destruction of evidence. The High Court judge presiding over the civil lawsuits, Geoffrey Vos, was shocked by the company’s “startling approach” to e-mail, particularly because subsequent to receiving formal requests for documents, the company still failed to preserve relevant emails. In fact, the company inquired with its email provider about how to delete those emails. Vos is quoted as saying that News International should be “treated as deliberate destroyers of evidence.”

A hard copy of an email from 2008 addressed to Mr. Murdoch’s son, James Murdoch, who at the time was a top executive of News International, is of particular interest regarding his level of knowledge about Hackgate. The email is from a thread between News Corporation’s in-house counsel and the then-editor, Colin Myler, informing James that the legal fallout from phone-hacking was imminent. James and his father later testified that they had no knowledge of the emails and that they failed to appreciate any illegal activity regarding phone hacking at the newspaper. Apparently, the electronic copy of the email was deleted on Jan. 15, 2011 during an “e-mail stabilization and modernization program.”

As frequently discussed in the U.S., having a document retention policy is crucial to the defensible deletion of data in a corporation. That deletion must be suspended and relevant data must be placed on legal hold once litigation is reasonably anticipated. Moreover, it should not be instituted in the midst of a company-wide international crisis. What is troublesome in this scenario is that no such policy seems to have existed regarding document retention or legal hold. If a properly deployed retention schedule existed, then the emails would have been deleted prior to 2011 as part of the normal course of business. Conversely, if there was reasonable anticipation of litigation, then given the proper issuance of legal hold, the emails surely would not have been deleted. In the U.K., case law does exist to support the need for preservation and an ESI management system that would allow for full disclosure of relevant information.

The News Corporation has both the U.S. and U.K. to contend with regarding the defensibility of their information management systems and potential sanctions. However, in either scenario, the intentional deletion of relevant evidence is an obstruction of justice (in a criminal sense). News Corporation is a prime example of a multinational corporation that is not only suffering from the repercussions of bad behavior, but one that could not mitigate these risks at the highest level due to poor information management. A comprehensive information governance plan and in-house technology would have been key to any internal investigations to research and monitor alleged illegal activities of employees, as well as to responding to litigation and regulatory inquiries. A proper information management system might have obviated much of News of the World’s troubles, provided for more transparency, and potentially prevented this never-ending downward spiral.

Breaking News: Court Clarifies Duty to Preserve Evidence, Denies eDiscovery Sanctions Motion Against Pfizer

Wednesday, April 18th, 2012

It is fortunately becoming clearer that organizations do not need to preserve information until litigation is “reasonably anticipated.” In Brigham Young University v. Pfizer (D. Utah Apr. 16, 2012), the court denied the plaintiff university’s fourth motion for discovery sanctions against Pfizer, likely ending its chance to obtain a “game-ending” eDiscovery sanction. The case, which involves disputed claims over the discovery and development of prominent anti-inflammatory drugs, is set for trial on May 29, 2012.

In Brigham Young, the university pressed its case for sanctions against Pfizer based on a vastly expanded concept of a litigant’s preservation duty. Relying principally on the controversial Phillip M. Adams & Associates v. Dell case, the university argued that Pfizer’s “duty to preserve runs to the legal system generally.” The university reasoned that just as the defendant in the Adams case was “sensitized” by earlier industry lawsuits to the real possibility of plaintiff’s lawsuit, Pfizer was likewise put on notice of the university’s claims due to related industry litigation.

The court rejected such a sweeping characterization of the duty to preserve, opining that it was “simply too broad.” Echoing the concerns articulated by the Advisory Committee when it framed the 2006 amendments to the Federal Rules of Civil Procedure (FRCP), the court took pains to emphasize the unreasonable burdens that parties such as Pfizer would face if such a duty were imposed:

“It is difficult for the Court to imagine how a party could ever dispose of information under such a broad duty because of the potential for some distantly related litigation that may arise years into the future.”

The court also rejected the university’s argument because such a position failed to appreciate the basic workings of corporate records retention policies. As the court reasoned, “[e]vidence may simply be discarded as a result of good faith business procedures.” When those procedures operate to inadvertently destroy evidence before the duty to preserve is triggered, the court held that sanctions should not issue: “The Federal Rules protect from sanctions those who lack control over the requested materials or who have discarded them as a result of good faith business procedures.”

The Brigham Young case is significant for a number of reasons. First, it reiterates that organizations need not keep electronically stored information (ESI) for legal or regulatory purposes until the duty to preserve is reasonably anticipated. As American courts have almost uniformly held since the 1997 case of Concord Boat Corp. v. Brunswick Corp., organizations are not required to keep every piece of paper, every email, every electronic document and every back up tape.

Second, Brigham Young emphasizes that organizations can and should use document retention protocols to rid themselves of data stockpiles. Absent a preservation duty or other exceptional circumstances, paring back ESI pursuant to “good faith business procedures” (such as a neutral retention policy) will be protected under the law.

Finally, Brigham Young narrows the holding of the Adams case to its particular facts. The Adams case has been particularly troublesome to organizations as it arguably expanded their preservation duty in certain circumstances. However, Brigham Young clarified that this expansion was unwarranted in the instant case, particularly given that Pfizer documents were destroyed pursuant to “good faith business procedures.”

In summary, Brigham Young teaches that organizations will be protected from eDiscovery sanctions to the extent they destroy ESI in good faith pursuant to a reasonable records retention policy. This will likely bring a sigh of relief to enterprises struggling with the information explosion since it encourages confident deletion of data when the coast is clear of a discrete litigation event.

Take Two and Call me in the Morning: U.S. Hospitals Need an Information Governance Remedy

Wednesday, April 11th, 2012

Given the vast amount of sensitive information and legal exposure faced by hospitals today, it’s a mystery why these organizations aren’t taking advantage of enabling technologies to minimize risk. Compliance with both HIPAA and the HITECH Act is often achieved by manual, ad hoc methods, which are hazardous at best. In the past, state and federal auditing environments have not been very aggressive in ensuring compliance, but that is changing. While many hospitals have invested in high tech records management systems (EMR/EHR), those systems do not encompass the entire information and data environment within a hospital. Sensitive information often finds its way into and onto systems outside the reach of EMR/EHR systems, bringing with it increased exposure to security breach and legal liability.

This information overload often metastasizes into email (both hospital and personal), attachments, portable storage devices, file, web and development servers, desktops and laptops, home or affiliated practice’s computers and mobile devices such as iPads and smart phones. These avenues for the dissemination and receipt of information expand the information governance challenge and data security risks. Surprisingly, the feedback from the healthcare sector suggests that hospitals rarely get sued in federal court.

One place hospitals do not want to be is the “Wall of Shame,” otherwise known as the HHS website that has detailed 281 Health Insurance Portability and Accountability Act (HIPAA) security violations that have affected more than 500 individuals as of June 9, 2011. Overall, physical theft and loss accounted for about 63% of the reported breaches. Unauthorized access / disclosure accounted for another 16%, while hacking was only 6%. While Software Advice reasons these statistics seem to indicate that physical theft has been the reason for the majority of breaches, it should also be considered that due to the lack of data loss prevention technology, many hospitals are unaware of breaches that have occurred and therefore cannot report on them.

There are a myriad of reasons hospitals aren’t landing on the front page of the newspaper with the same frequency as other businesses and government agencies when it comes to security breach, and document retention and eDiscovery blunders. But, the underlying contagion is not contained and it certainly is not benign. Feedback from the field reveals some alarming symptoms of the unhealthy state of healthcare information governance, including:

  • uncontrolled .pst files
  • exploding storage growth
  • missing or incomplete data retention rules
  • doctors/nurses storing and sending sensitive data via their personal email, iPads and smartphones
  • encryption rules that rely on individuals to determine what to encrypt
  • data backup policies that differ from data retention and information governance rules
  • little to no compliance training
  • and many times non-existent data loss prevention efforts.

This results in the need for more storage, while creating larger legal liability, an indefensible eDiscovery posture, and the risk of breach.

The reason this problem remains latent in most hospitals is that they are not yet feeling the pain of the problem from massive and multiple lawsuits, large invoices from outside law firms or the operational challenges/costs incurred from searching through many mountains of dispersed data. The symptoms are observable, the pathology is present, the problem is real and the pain is about to acutely present itself as more states begin to deeply embrace eDiscovery requirements and government regulators increase audit frequency and fine amounts. Another less talked about reason hospitals have not had the same pressure to search and produce their data pursuant to litigation is that cases are being settled before they even get to the discovery stage. The lack of well-developed information governance practices leads to cases being settled too soon, for too much money, when they otherwise may not have needed to settle at all.

The Patient’s Symptoms Were Treated, but the Patient’s Data Still Needs Medicine

What is still unclear is why hospitals, given their compliance requirements and tightening IT budgets, aren’t archiving, classifying, and protecting their data with the same type of innovation they are demonstrating in their cutting edge patient care technology. In this realm, two opposite ends of the IT innovation spectrum seem to co-exist in the hospital’s data environment. This dichotomy leaves much of a hospital’s data unprotected, unorganized and uncontrolled. Hospitals are experiencing increasing data security breaches and often are not aware that a breach or data loss has occurred. As more patient data is created and copied in electronic format, used in and exposed by an increasing number of systems and delivered on emerging mobile platforms, the legal and audit risks are compounding on top of a faulty or missing information governance foundation.

Many hospitals have no retention schedules or data classification rules applied to existing information, which often results in a checkbox compliance mentality and a keep-everything-forever practice. Additionally, many hospitals have no ability to apply a comprehensive legal hold across different data sources and lack technology to stop or alert them when there has been a breach.

Information Governance and Data Health in Hospitals

With the mandated push for paper to be converted to digital records, many hospitals are now evaluating the interplay of their various information management and distribution systems. They must consider the newly scanned legacy data (or soon to be scanned), and if they have been operating without an archive, they must now look to implement a searchable repository where they can collectively apply document retention and records management while decreasing the amount of storage needed to retain the data. We are beginning to see internal counsel leading the way to make this initiative happen across business units. Different departments are coming together to pool resources in tight economic and high regulation times that require collaboration. We are at the beginning of a widespread movement in the healthcare industry for archiving, data classification and data loss prevention as hospitals link their increasing compliance and data loss requirements with the need to optimize and minimize storage costs. Finally, it comes as no surprise that the amount of data hospitals are generating is crippling their infrastructures, breaking budgets and serving as the primary motivator for change absent lawsuits and audits.

These factors are bringing together various stakeholders into the information governance conversation, helping to paint a very clear picture that putting in place a comprehensive information governance solution is in the entire hospital’s best interest. The symptoms are clear, the problem is treatable, the prescription for information governance is well proven. Hospitals can begin this process by calling an information governance meeting with key stakeholders and pursuing an agenda set around examining their data map and assessing areas of security vulnerability, as well as auditing the present state of compliance with regulations for the healthcare industry.

Editor’s note: This post was co-authored with Eric Heck, Healthcare Account Manager at Symantec. Eric has over 25 years of experience in applying technology to emerging business challenges, and currently works with healthcare providers and hospitals to manage the evolving threat landscape of compliance, security, data loss and information governance within operational, regulatory and budgetary constraints.

Email Archive Saves the Day, Prevents eDiscovery Sanctions

Thursday, April 5th, 2012

The recent case of Danny Lynn Electrical v. Veolia Es Solid Waste (2012 WL 786843, March 9, 2012) showcases the value of an information archive from a compliance and eDiscovery perspective. In Danny Lynn Electrical the plaintiff sought sanctions against the defendant for the spoliation of electronic evidence, including the usual blend of monetary sanctions, adverse evidentiary inferences and the striking of affirmative defenses. Plaintiff argued that the defendant “blatantly disregarded their duty to preserve electronic information” by failing to implement an effective legal hold policy and deleting email after litigation began. In rejecting plaintiff’s claims, the court concluded that sanctions on the basis of spoliation of evidence were not warranted.

The court, in a harbinger of good things to come for the defendant, questioned “whether any spoliation of electronic evidence has actually occurred.” In finding that there wasn’t any spoliation, the court relied heavily on the fact that the defendant had recently deployed an email archive:

“[T]here is no evidence that any of the alleged emails, with the exception of the few that were accidentally deleted due to a computer virus or other unforseen [sic] circumstance, were permanently deleted from the defendants’ computer system. … VESNA began using a new software system which archives all emails on the VESNA network. Therefore, it is clear to the court that the defendant preserved email from its custodians in a backup or archive system.”

In combination with the deployed archive, the court also noted that plaintiff’s arguments were devoid of substantive evidence to support their spoliation claims:

“In order to impose sanctions against the defendants, this court ‘would have to substitute Plaintiffs’ speculation for actual proof that critical evidence was in fact lost or destroyed.”

The rejection of plaintiff’s spoliation claims in Danny Lynn Electrical reinforces the long held notion that information archives[i] have tremendous utility beyond the data management/minimization benefits that were the early drivers of archive adoption. This prophylactic, information governance benefit is particularly useful when the archive goes beyond email to additionally capture loose files, social media and other unstructured content.

As we said in 2011, organizations are already finding that other sources of electronically stored information (ESI) like documents/files and unstructured data are rivaling email in importance for eDiscovery requests, and this trend shows no signs of abating, particularly for regulated industries. This increasingly heterogeneous mix of ESI certainly results in challenges for many organizations, with some unlucky ones getting sanctioned (unlike the defendant in Danny Lynn Electrical) because they ignored these emerging data types.

The good news is that modern-day archives have the ability to manage (preserve, categorize, defensibly delete, etc.) ESI from a wide range of sources beyond just email. Given cases like Danny Lynn Electrical, it’s increasingly a layup to build the business case for an archive project (assuming your organization doesn’t have one deployed already). Further pushing the archiving play to the top of the stack is the ability to deploy in the cloud context, in addition to traditional on-premise deployments.

The Danny Lynn Electrical case also shows how an upstream, proactive information governance program can have an impact in the downstream, reactive eDiscovery context. It is the linking of the yin and yang of the proactive and reactive concepts where an end-to-end paradigm starts to fulfill the long-anticipated destiny of true information governance. As the explosion of data continues to mushroom unabated, it’s only this type of holistic information management regime that will keep eDiscovery chaos at bay.



[i] In the interests of full disclosure, Symantec offers both on-premise archiving and cloud archiving solutions. They are not the solutions referenced in the Danny Lynn Electrical case.

The eDiscovery “Passport”: The First Step to Succeeding in International Legal Disputes

Monday, April 2nd, 2012

The increase in globalization continues to erase borders throughout the world economy. Organizations now routinely conduct business in countries that were previously unknown to their industry vertical.  The trend of global integration is certain to increase, with reports such as the Ernst & Young 2011 Global Economic Survey confirming that 74% of companies believe that globalization, particularly in emerging markets, is essential to their continued vitality.

Not surprisingly, this trend of global integration has also led to a corresponding increase in cross-border litigation. For example, parties to U.S. litigation are increasingly seeking discovery of electronically stored information (ESI) from other litigants and third parties located in Continental Europe and the United Kingdom. Since traditional methods under the Federal Rules of Civil Procedure (FRCP) may be unacceptable for discovering ESI in those forums, the question then becomes how such information can be obtained.

At this point, many clients and their counsel are unaware how to safely navigate these international waters. The short answer for how to address these issues for much of Europe would be to resort to the Hague Convention of March 18, 1970 on the Taking of Evidence Abroad in Civil or Commercial Matters (Hague Convention). Simply referring to the Hague Convention, however, would ignore the complexities of electronic discovery in Europe. Worse, it would sidestep the glaring knowledge gap that exists in the United States regarding the cultural differences distinguishing European litigation from American proceedings.

The ability to bridge this gap with an awareness of the discovery processes in Europe is essential. Understanding that process is similar to holding a valid passport for international travel. Just as a passport is required for travelers to successfully cross into foreign lands, an “eDiscovery Passport™” is likewise necessary for organizations to effectively conduct cross-border discovery.

The Playing Field for eDiscovery in Continental Europe

Litigation in Continental Europe is culturally distinct from American court proceedings. “Discovery,” as it is known in the United States, does not exist in Europe. Interrogatories, categorical document requests and requests for admissions are simply unavailable as European discovery devices. Instead, European countries generally allow only a limited exchange of documents, with parties typically disclosing only that information that supports their claims.

The U.S. Court of Appeals for the Seventh Circuit recently commented on this key distinction between European and American discovery when it observed that “the German legal system . . . does not authorize discovery in the sense of Rule 26 of the Federal Rules of Civil Procedure.” The court went on to explain that “[a] party to a German lawsuit cannot demand categories of documents from his opponent. All he can demand are documents that he is able to identify specifically—individually, not by category.” Heraeus Kulzer GmbH v. Biomet, Inc., 633 F.3d 591, 596 (7th Cir. 2011).

Another key distinction to discovery in Continental Europe is the lack of rules or case law requiring the preservation of ESI or paper documents. This stands in sharp contrast to American jurisprudence, which typically requires organizations to preserve information as soon as they reasonably anticipate litigation. See, e.g., Micron Technology, Inc. v. Rambus Inc., 645 F.3d 1311, 1320 (Fed. Cir. 2011). In Europe, while an implied preservation duty could arise if a court ordered the disclosure of certain materials, the penalties for European non-compliance are typically not as severe as those issued by American courts.

Only the nations of the United Kingdom, from which American notions of litigation are derived, have discovery obligations that are more similar to those in the United States. For example, in the combined legal system of England and Wales, a party must disclose to the other side information adverse to its claims. Moreover, England and Wales also suggest that parties should take affirmative steps to prepare for disclosure. According to the High Court in Earles v Barclays Bank Plc [2009] EWHC 2500 (Mercantile) (08 October 2009), this includes having “an efficient and effective information management system in place to provide identification, preservation, collection, processing, review analysis and production of its ESI in the disclosure process in litigation and regulation.” For organizations looking to better address these issues, a strategic and intelligent information governance plan offers perhaps the best chance to do so.

Hostility to International Discovery Requests

Despite some similarities between the U.S. and the U.K., Europe as a whole retains a certain amount of cultural hostility to pre-trial discovery. Given this fact, it should come as no surprise that international eDiscovery requests made pursuant to the Hague Convention are frequently denied. Requests are often rejected because they are overly broad.  In addition, some countries such as Italy simply refuse to honor requests for pre-trial discovery from common law countries like the United States. Moreover, other countries like Austria are not signatories to the Hague Convention and will not accept requests made pursuant to that treaty. To obtain ESI from those countries, litigants must take their chances with the cumbersome and time-consuming process of submitting letters rogatory through the U.S. State Department. Finally, requests for information that seek email or other “personal information” (i.e., information that could be used to identify a person) must additionally satisfy a patchwork of strict European data protection rules.

Obtaining an eDiscovery Passport

This backdrop of complexity underscores the need for both lawyers and laymen to understand the basic principles governing eDisclosure in Europe. Such a task should not be seen as daunting. There are resources that provide straightforward answers to these issues at no cost to the end-user. For example, Symantec has just released a series of eDiscovery Passports™ that touch on the basic issues underlying disclosure and data privacy in the United Kingdom, France, Germany, Holland, Belgium, Austria, Switzerland, Italy and Spain. Organizations such as The Sedona Conference have also made available materials that provide significant detail on these issues, including its recently released International Principles on Discovery, Disclosure and Data Protection.

These resources can provide valuable information to clients and counsel alike and better prepare litigants for the challenges of pursuing legal rights across international boundaries. By so doing, organizations can moderate the effects of legal risk and more confidently pursue their globalization objectives.

eDiscovery Down Under: New Zealand and Australia Are Not as Different as They Sound, Mate!

Thursday, March 29th, 2012

Shortly after arriving in Wellington, New Zealand, I picked up the Dominion Post newspaper and read its lead article: a story involving U.S. jurisdiction being exercised over billionaire NZ resident Mr. Kim Dotcom. The article reinforced the challenges we face with blurred legal and data governance issues presented by the globalization of the economy and the expansive reach of the internet. Originally from Germany, and having changed his surname to reflect the origin of his fortune, Mr. Dotcom has become all too familiar in NZ of late. He has just purchased two opulent homes in NZ, and has become an internationally controversial figure for internet piracy. Mr. Dotcom’s legal troubles arise out of his internet business that enables illegal downloads of pirated material between users, which allegedly is powering the largest copyright infringement in global history. It is approximated that his website constitutes 4% of the internet traffic in the world, which means there could be tons of discovery in this case (or, cases).

The most recent legal problems Mr. Dotcom faces are with U.S. authorities who want to extradite him to face copyright charges worth $500 million over his Megaupload file-sharing website. From a criminal and record-keeping standpoint, Mr. Dotcom’s issues highlight the need for and use of appropriate technologies. In order to establish a case against him, it’s likely that search technologies were deployed by U.S. intelligence agencies to piece together Mr. Dotcom’s activities, banking information, emails and the data transfers on his site. In a case like this, where intelligence agencies would need to collect, search and cull email from so many different geographies and data sources down to just the relevant information, using technologies that link email conversation threads and give insight into a data collection set from a transparent search point of view would provide immense value. Additionally, the Immigration bureau in New Zealand has been required to release hundreds of documents about Mr. Dotcom’s residency application that were requested under the Official Information Act (OIA). The records that Immigration had to produce were likely pulled from their archive or records management system in NZ, and then redacted for private information before production to the public.

The same tools that we use here in the U.S. for investigatory and compliance purposes, as well as for litigation, are needed in Australia and New Zealand to build a criminal case or to comply with the OIA. Information governance technology in APAC is trending first toward government agencies, which are purchasing archiving and eDiscovery technologies more rapidly than private companies. Why is this? One reason could be that because the governments in APAC have a larger responsibility for healthcare, education and the protection of privacy, they are more invested in the compliance requirements and in staying off the front page of the news for shortcomings. APAC private enterprises that are small or mid-sized and are not yet doing international business do not have the same archiving and eDiscovery needs that large government agencies do, nor do they face litigation in the same way their American counterparts do. Large global companies should assume that, no matter where they are based, they may be subject to litigation where they are doing business.

An interesting NZ use case on the enterprise level is that of Transpower (the quasi-governmental energy agency), where compliance with both the “private and public” requirements is mandatory. Transpower is an organisation that is government-owned, yet operates for a profit. Sally Myles, an experienced records manager who recently came to Transpower to head up information governance initiatives, says,

“We have to comply with the Public Records Act of 2005, public requests for information are frequent as we are under constant scrutiny about where we will develop our plants. We also must comply with the Privacy Act of 1993. My challenge is to get the attention of our leadership to demonstrate why we need to make these changes and show them a plan for implementation as well as cost savings.”

Myles’ comments indicate NZ is facing many of the same information challenges we are here in the U.S. with storage, records management and searching for meaningful information within the organisation.

Australia, New Zealand and U.S. Commonalities

In Australia and NZ, litigation is not seen as a compelling business driver the same way it is in the U.S. This is because many of the information governance needs of organisations are driven by regulatory, statutory and compliance requirements and the environment is not as litigious as it is in the U.S. The Official Information Act in NZ and the Freedom of Information Act in Australia are analogous to the Freedom of Information Act (FOIA) here in the U.S. The requirements to produce public records alone justify the use of technology to provide the ability to manage large volumes of data and produce appropriately redacted information to the public. This is true regardless of litigation. Additionally, there are now cases, like DuPont or Mr. Dotcom’s, that legitimatize the risk of litigation with the U.S. The fact that implementing an information governance product suite will also enable a company to be prepared for litigation is a beneficial by-product for many entities, as they need technology for record keeping and privacy reasons anyway. In essence, the same capabilities are achieved at the end of the day, regardless of the impetus for implementing a solution.

The Royal Commission – The Ultimate eDiscovery Vehicle

One way to think about Australian Royal Commissions (RCs) is to see them as a version of the U.S. government investigation. A key difference, however, is that in the case of the U.S. government, an investigation is typically into private companies. Conversely, a Royal Commission is typically an investigation into a government body after a major tragedy and it is initiated by the Head of State. An RC is an ad-hoc, formal, public inquiry into a defined issue with considerable discovery powers. These powers can be greater than those of a judge and are restricted to the scope and terms of reference of the Commission. RCs are called to look into matters of great importance and usually have very large budgets. The RC is charged with researching the issue, consulting experts both within and outside of government and developing findings to recommend changes to the law or other courses of action. RCs have immense investigatory powers, including summoning witnesses under oath, offering of indemnities, seizing of documents and other evidence (sometimes including those normally protected, such as classified information), holding hearings in camera if necessary and, in a few cases, compelling government officials to aid in the execution of the Commission.

These expansive powers give the RC the opportunity to employ state-of-the-art technology and to skip the slow bureaucratic decision-making processes found within the government when it comes to implementing technological change. For this reason, initially, eDiscovery will continue to increase in the government sector at a more rapid pace than in the private sector in the Asia Pacific region. This is because litigation is less prevalent in the Asia Pacific, and because the RC is a unique investigatory vehicle with the most far-reaching authority for discovering information. Moreover, the timeframes for RCs are tight and their scopes are broad, making them hair-on-fire situations that move quickly.

While the APAC information management environment does not have the exact same drivers the U.S. market does, it definitely has the same archiving, eDiscovery and technology needs for different reasons. Another key point is that the APAC archiving and eDiscovery market will likely be driven by the government as records, search and production requirements are the main compliance needs in Australia and NZ. APAC organisations would be well served by beginning to modularly implement key elements of an information governance plan, as globalization is driving us all to a more common and automated approach to data management. 

Data Classification and Data Loss Prevention: Indispensable Building Blocks of Information Governance

Thursday, March 15th, 2012

In an effort to envision information governance as a modular and digestible concept, a great place to start is by imagining two building blocks. Not only will this approach make the task of thinking about holistic information governance less daunting, but it will carve out a beginning and an end with two basic concepts, thereby enabling a realistic and modular implementation.

Classification, Intelligent Archiving and Storage

The first block, and one of the single biggest cost savers an organization can embrace, is the proactive classification of data. Data classification begins with policy creation. Organizations that form a committee(s) to define policies and invest the energy into the enforcement of those policies almost always reap significant benefits from the initiative.  The efficiencies are so compelling that it’s a wonder that data classification and archiving are ever considered separately. One major benefit includes the ability to intelligently leverage information since the classification places the data with similar material pursuant to the stated policy. Organizations that embrace archiving for storage footprint reduction, compliance, litigation, and retention will also see the value of preventing trash from entering the archive upfront.

The more useless data that can be disposed of at the initial point of classification, the more intelligently and nimbly the archive can run, thereby reducing costs when it comes time to collect and cull potentially non-relevant data for eDiscovery. At a minimum, policies should be created to prevent trash from entering the archive.  Optimally, policies should contain key identifiers that direct information into specific folders within the archive.

One common concern among record managers is that data classification needs to be perfect, but perfection is neither the goal nor achievable. For most organizations, any improvement in data management would be a big step in the right direction. Proactive data classification and archiving are not meant to be granular records management systems. Instead they serve as safeguards on what enters the archiving system, and where and for how long that data is subsequently maintained.

Data Loss Prevention, Asset Protection and Security

The other beneficial block of a holistic information governance plan is security-centric and focused on data loss prevention (DLP). With the proactive management of data, it is important to reduce costs as information is created and received.  Similarly, it is critical to monitor sensitive data on an outgoing basis to protect organizations from inadvertent disclosures of sensitive information and intellectual property assets. Much like the policy-driven classification, data loss prevention requires policy creation as well. The policy creation requirements for DLP can luckily leverage much of the hard work done with document retention and classification as they often mirror each other.

If an organization does not know which data is sensitive or constitutes an asset, how can it be protected? In order for organizations to address their valuable information they need to assess, at a minimum, the following four considerations:

  1. What kind of information does the organization consider to be valuable/sensitive?
  2. What happens if that information gets into the wrong hands?
  3. Where does the sensitive information presently reside/where should it reside?
  4. How to track such information if it is transmitted outside of the organization?

The primary events that keep information security officers concerned regarding data loss prevention are: the unauthorized disclosure of sensitive customer information, unauthorized downloads of intellectual property, lost/stolen laptops, the transfer of proprietary information onto flash drives, and finally, concern over outbound emails containing sensitive information. These events most frequently occur at the hands of malicious and/or careless workers. A way to monitor and control activities associated with a breach is through data loss prevention policy and technology.

Next Steps

Examine the document retention/classification policies and data loss prevention policies of the organization and compare them for similarities. Next, consider getting the key stakeholders for Compliance, IT, Legal, RIM, and Security together to talk about these aforementioned scenarios and to construct a policy. Make the agenda for the meeting short and simple, focusing first on email. Initially focus on how to address the trash being kept so it does not enter the archived environment in the first place. If you do not have an archive, consider getting one.

Finally, tie in data loss prevention as a necessary means of protecting the assets of the organization, as well as providing consistency through classification and data protection. The parameters for defining valuable information will be the same whether looking at classification or data loss prevention. If nothing else, addressing these two critical building blocks will reduce storage and eDiscovery costs, facilitating better coordination of information through intelligent archiving, while simultaneously protecting the organization’s critical assets.  

Policy vs. Privacy: Striking the Right Balance Between Organization Interests and Employee Privacy

Friday, March 9th, 2012

The lines between professional and personal lives are being further blurred every day. With the proliferation of smart phones, the growth of the virtual workplace and the demands of business extending into all hours of the day, employees now routinely mix business with pleasure by commingling such matters on their work and personal devices. This trend is sure to increase, particularly with “bring your own device” policies now finding their way into companies.

This sometimes awkward marriage of personal and professional issues raises the critical question of how organizations can respect the privacy rights of their employees while also protecting their trade secrets and other confidential/proprietary information. The ability to properly navigate these murky waters under the broader umbrella of information governance may be the difference between a successful business and a litigation-riddled enterprise.

Take, for instance, a recent lawsuit that claimed the Food and Drug Administration (FDA) unlawfully spied on the personal email accounts of nine of its employee scientists and doctors. In that litigation, the FDA is alleged to have monitored email messages those employees sent to Congress and the Office of Inspector General for the Department of Health & Human Services. In the emails at issue, the scientists and doctors scrutinized the effectiveness of certain medical devices the FDA was about to approve for use on patients.

While the FDA’s email policy clearly delineates that employee communications made from government devices may be monitored or recorded, the FDA may have intercepted employees’ user IDs and passwords and accessed messages they sent from their home computers and personal smart phones. Not only would such conduct potentially violate the Electronic Communications Privacy Act (ECPA), it might also conceivably run afoul of the Whistleblower Protection Act.

The FDA spying allegations have also resulted in a congressional inquiry into the email monitoring policies of all federal agencies throughout the executive branch. Congress is now requesting that the Office of Management and Budget (OMB) produce the following information about agency email monitoring policies:

  • Whether a policy distinguishes between work and personal email
  • Whether user IDs and passwords can be obtained for personal email accounts and, if so, whether safeguards are deployed to prevent misappropriation
  • Whether a policy defines what constitutes protected whistleblower communications

The congressional inquiry surrounding agency email practices provides a valuable measuring stick for how private sector organizations are addressing related issues. For example, does an organization have an acceptable use policy that addresses employee privacy rights? Having such a policy in place is particularly critical given that employees use company-issued smart phones to send out work emails, take photographs and post content to personal social networking pages. If such a policy exists now, query whether it is enforced, what mechanisms exist for doing so and whether or not such enforcement is transparent to the employees. Compliance is just as important as issuing the policy in the first place.

Another critical inquiry is whether an organization has an audit/oversight process to prevent the type of abuses that allegedly occurred at the FDA. Such a process is essential for organizations on multiple levels. First, as Congress made clear in its letter to the OMB, monitoring communications that employees make from their personal devices violates the ECPA. It could also interfere with internal company whistleblower processes. And to the extent adverse employment action is taken against an employee-turned-whistleblower, the organization could be liable for violations of the False Claims Act or the Dodd-Frank Wall Street Reform and Consumer Protection Act.

A related aspect to these issues concerns whether an organization can obtain work communications sent from employee personal devices. For example, financial services companies must typically retain communications with investors for at least three years. Has the organization addressed this document retention issue while respecting employee privacy rights in their own smart phones and tablet computers?

If an organization does not have such policies or protections in place, it should not panic and rush off to get policies drafted without thinking ahead. Instead, it should address these issues through an intelligent information governance plan. Such a plan will typically address issues surrounding information security, employee privacy, data retention and eDiscovery within the larger context of industry regulations, business demands and employee productivity. That plan will also include budget allocations to support the acquisition and deployment of technology tools to support written policies on these and other issues.  Addressed in this context, organizations will more likely strike the right balance between their interests and their employees’ privacy and thereby avoid a host of unpleasant outcomes.