e-discovery 2.0

Outcry from many in the legal community has caused a number of groups to consider whether the Federal Rules of Civil Procedure (FRCP) should be amended.  The dialogue began in earnest a year ago at the Duke Civil Litigation Conference and picked up speed following an eDiscovery “mini-conference” held in Dallas last month (led by the Discovery Subcommittee –  appointed by the Advisory Committee on Civil Rules).  The rules amendment topic is so hot that the Sedona Conference (WG1) spent most of its two day annual meeting discussing the need for amendments and evaluating a range of competing proposals.

During this dialogue (which I can’t quote verbatim) a number of things became clear to me…

1.  This rules amendment quandary is a bit of a chicken and egg riddle — meaning that it’s hard to cast support wholeheartedly for a rules change if there isn’t a good consensus for what a particular change would accomplish and what the long term consequences might be as technology quickly morphs.  As an example, if there was a redefined preservation trigger that started the duty to preserve when there was a reasonable “certainty” of litigation (versus a mere “likelihood”), would this really make a material impact?  Or, would this inquiry still be as highly fact specific as it is today?  Would this still be similarly prone to the 20/20 hindsight judgment that’s inevitable as well?

2. While it is clear that preservation has become a more complex and risk laden process, it’s not clear that this “pain” is causally related to the FRCP.  In the notes from the Dallas mini-conference, a pending Sedona survey was quoted, referencing the fact that preservation challenges were overwhelmingly increasing:

“[S]ome trends can be noted. 95% (of the surveyed members) agreed that preservation issues were more frequent. 75% said that development was due to the proliferation of information.”

3. Another camp of stakeholders complain that the existing rules (as amended in 2006) aren’t being followed by practitioners or understood by the judiciary.  While this may be the case, it then begs the critical question: If folks aren’t following the amended rules (utilizing proportionality, leveraging FRE 502, etc.) is it really reasonable to think that any new rules would be followed this time around?

4. The role of technology in easing the preservation burden represents another murky area for debate.  For example, it could be argued that preservation pains (i.e., costs) are only really significant for organizations that haven’t deployed state of the art information governance solutions (e.g., legal hold solutions, email archives, records retention software, etc.) to make the requisite tasks less manual.

5. And finally, even assuming that the FRCP is magically re-jiggered to ease preservation costs, this would only impact organizations with litigation in Federal court. This leaves many still exposed to varying standards for the preservation trigger, scope and associated sanctions.

So, in the end, it’s unclear what the future holds for an amended FRCP landscape.  Given the range of divergent perspectives, differing viewpoints on potential solutions and the time necessary to navigate the Rules Enabling Act, the only thing that’s clear is that the cavalry isn’t coming to the rescue any time soon.  This means that organizations with significant preservation pains should endeavor to better utilize the rules that are on the books and deploy enabling technologies where possible.

As a proxy for risk assessment, many legal practitioners are simply asked, “What keeps you up at night?”  Aside from (i) small children and (ii) spicy Thai food, it’s becoming increasingly clear that eDiscovery is moving to the head of this inauspicious list, particularly for corporate boards, which now view risk management and regulatory compliance as their top concerns.

In a recent survey, BDO queried more than 100 directors at public companies with revenues between $250 million and $750 million and found that risk management factored heavily into the survey’s findings.  Over half of respondents identified managing risk as the topic they should be spending more time on, with 61% saying that their liability risk has increased during the financial downturn.

“In recent years, the responsibilities of corporate boards have grown considerably and much of their time has been dedicated to responding to new regulatory requirements,” says Wendy Hambleton, a partner in BDO’s corporate governance practice, in a statement about the survey. “What we are seeing in this study is a willingness of boards to take a more proactive role in risk management and it seems to be related to the risk they face as directors.”

On a similar risk management theme, another survey queried general counsel about what keeps them up at night.  Of these nearly 500 directors and GCs, 56% cited electronic discovery for litigation and investigation, which represented a marked increase since 2007, when only 36% of general counsel said they had the same nightmares.

This increasing concern around compliance and information governance isn’t surprising giving that the regulatory environment (FCPA, UK Bribery Act, Dodd-Frank, etc.) is much more rigorous than it was even a few years ago.  And, the fears are that this supercharged regulatory environment will only increase in fervor, with the majority of GCs feeling strongly that it will be the single biggest contributor to their workload through the rest of this year and leading into 2012.

What is interesting about these concerns is the disconnect between the very real fears and the lack of action – since many practitioners simply aren’t taking proactive steps to mitigate their information governance risks.  In an extension of the nightmare analogy, it’s like repeatedly watching scary movies right before bedtime and then being surprised when Freddy Kruger shows up in their dreams.

As noted previously, Symantec’s recent Information Retention and eDiscovery Survey revealed how blissfully ignorant some enterprises are about their shoddy information governance hygiene. Despite the numerous risks that are keeping so many up at night, the survey found nearly half of the respondents did not have an information retention plan in place, and of this group, only 30% were discussing how to do so.  Most shockingly, 14% appear to be ostriches with their heads in the sand and have no plans to implement any retention plan whatsoever.  When asked why folks weren’t taking action, respondents indicated lack of need (41%), too costly (38%), nobody has been chartered with that responsibility (27%), don’t have time (26%) and lack of expertise (21%) as top reasons.

While it is important to get a good night’s sleep, it isn’t wise to slumber through the night with an army of ESI zombies ravaging your house, particularly when it’s possible to implement even the most basic information governance plans.  It’s beyond blissfully ignorant to ignore real risks and snooze away during what is assuredly an escalating regulatory climate.  Instead, put the best possible people, processes and technology in place, and start again, well rested, in the morning.

Symantec today issued the findings of its second annual Information Retention and eDiscovery Survey, which examined how enterprises are coping with the tsunami of electronically stored information (ESI) that we see expanding by the minute.  Perhaps counter intuitively, the survey of legal and IT personnel at 2,000 enterprises found that email is no longer the primary source of ESI companies produced in response to eDiscovery requests.  In fact, email came in third place (58%) to files/documents (67%) and database/application data (61%).  Marking a departure from the landscape as recently as a few years ago, the survey reveals that email does not axiomatically equal eDiscovery any longer.

Some may react incredulously to these results. For instance, noted eDiscovery expert Ralph Losey continues to stress the paramount importance of email: “In the world of employment litigation it is all about email and attachments and other informal communications. That is not to say databases aren’t also sometimes important. They can be, especially in class actions. But, the focus of eDiscovery remains squarely on email.”   While it’s hard to argue with Ralph, the real takeaway should be less about the relative descent of email’s importance, and more about the ascendency of other data types (including social media), which now have an unquestioned seat at the table.

The primary ramification is that organizations need to prepare for eDiscovery and governmental inquires by casting a wider ESI net, including social media, cloud data, instant messaging and structured data systems.  Forward-thinking companies should map out where all ESI resides company-wide so that these important sources do not go unrecognized.  Once these sources of potentially responsive ESI are accounted for, the right eDiscovery tools need to be deployed so that these disparate types of ESI can be defensibly collected and processed for review in a singular, efficient and auditable environment.

The survey also found that companies which employ best practices such as implementing information retention plans, automating the enforcement of legal holds and leveraging archiving tools instead of relying on backups, fare dramatically better when it comes to responding to eDiscovery requests. Companies in the survey with good information governance hygiene were:

• 81% more likely to have a formal retention plan in place
• 63% more likely to automate legal holds
• 50% more likely to use a formal archiving tool

These top-tier companies in the survey were able to respond much faster and more successfully to an eDiscovery request, often suffering fewer negative consequences:

• 78% less likely to be sanctioned
• 47% less likely to lead to a compromised legal position
• 45% less likely to disclose too much information

This last bullet (disclosing too much information) has a number of negative ramifications beyond just giving the opposition more ammo than is strictly necessary.  Since much of the eDiscovery process is volume-based, particularly the eyes-on review component, every extra gigabyte of produced information costs the organization in both seen and unseen ways.  Some have estimated that it costs between $3-5 a document for manual attorney review – and at 50,000 pages to a gigabyte, these data-related expenses can really add up quickly.

On the other side of the coin, there were those companies with bad information governance hygiene.  While this isn’t terribly surprising, it is shocking to see how many entities fail to connect the dots between information governance and risk reduction.  Despite the numerous risks, the survey found nearly half of the respondents did not have an information retention plan in place, and of this group, only 30% were discussing how to do so.  Most shockingly, 14% appear to be ostriches with their heads in the sand and have no plans to implement any retention plan whatsoever.  When asked why folks weren’t taking action, respondents indicated lack of need (41%), too costly (38%), nobody has been chartered with that responsibility (27%), don’t have time (26%) and lack of expertise (21%) as top reasons.  While I get the cost issue, particularly in these tough economic times, it’s bewildering to think that so many companies feel immune from the requirements of having even a basic retention plan.

As the saying goes, “You don’t need to be a weatherman to tell which way the wind blows.”  And, the winds of change are upon us.  Treating eDiscovery as a repeatable business process isn’t a Herculean task, but it is one that cannot be accomplished without good information governance hygiene and the profound recognition that email isn’t the only game in town.

For more information regarding good records management hygiene, check out this informative video blog and Contoural article.

Is your organization among those that have jumped with both feet into the world of social media?

Recent survey results confirm that social media use is on the rise for almost all organizations across the globe.  This is particularly the case in the financial services industry.  A recent industry survey confirms that nearly two-thirds of all asset managers are actively using social media for marketing purposes.

Despite its increasing popularity and ubiquity, the securities industry is experiencing growing pains with social media.  Just like other industries, financial services providers are struggling with applying notions of information governance to these non-traditional forms of communication.  Indeed, with social media becoming an increasingly important data source for both business and legal purposes, it behooves enterprises to develop an information governance strategy with respect to this data.  The best practices being followed in this regard by financial services companies should be paradigmatic for organizations across the board.

Social Media Challenges for Financial Services Companies

Many financial services companies are experiencing difficulty supervising or retaining social media communications as required by FINRA Regulatory Notice 10-06.  A landmark regulation, FINRA 10-06 was promulgated last year to protect investors from false or misleading claims made on social networking sites.  To comply with this regulation, securities firms must develop protocols that enable them to supervise and retain social media content and ensure conformity by their representatives.

It is no secret that social media communications continue to bedevil securities firms.  Indeed, 63% of surveyed asset managers reported that “regulatory recordkeeping” remains their greatest challenge with respect to social media.  And as more firms move toward social media marketing, the number of financial services companies experiencing difficulty with retention is also likely to increase.

The challenges firms are experiencing with social media are not limited to retention.  They also include the need to properly supervise social media communications.  This was acknowledged by FINRA chairman and chief executive Richard Ketchum at an industry event this past June.  Among other social media issues, Ketchum explained that firms have questioned how they can most effectively supervise their employees’ use of smart phones and tablet computers that can access company sites.  In response to these matters, FINRA just issued Regulatory Notice 11-39 to help clarify several lingering questions regarding retention and supervision.

Best Practices for Addressing the Challenges of Social Media

Given the complexity of these issues, regulated enterprises need to know what best practices can be followed to ensure compliance with pertinent FINRA and SEC regulations.  While there are perhaps many steps that could be implemented, three stand out as indispensable for firms.

The first is that firms should develop a global plan for how they will engage in social media marketing.  This initial step is particularly important for groups that are just now exploring the use of social media to communicate with investors.  Having a plan in place that maps out investor contact and communication strategy, provides for required supervision of firm representatives, and accounts for compliance with regulatory requirements is essential for securities firms.  Failing to take these steps could result in fines, suspensions or worse.

The next step involves educating and training employees regarding the firm’s social media plan.  This should include instruction regarding what content may be posted to social networking sites and the internal process for doing so.  Policies that describe the consequences for deviating from the firm’s social media plan should also be clearly delineated.  Those policies should detail the legal repercussions – civil and criminal – for both the employee and the firm for social media missteps.

Third, firms can employ technology to ensure compliance with their social media plan.  Indeed, FINRA 10-06 specifically emphasizes the importance of deploying technological “systems” to facilitate conformity with the regulation’s “Recordkeeping Responsibilities” requirement.  Those “systems” include archiving software and other technology tools.  With the right tools in place, firms can perform a cost-effective supervisory review of content to help ensure compliance with corporate policy and regulatory bodies.  Moreover, an effective “system” will implement legal holds and efficiently retrieve archived social media content in response to legal and regulatory requests.  All of this enables a company to establish the reasonableness of its retention and eDiscovery processes and demonstrate compliance with relevant SEC and FINRA regulations.

By following these steps and other best practices, financial services companies can begin to reasonably address the challenges of social media.  Knowing that those challenges are being dealt with in an effective manner will enable firms to confidently engage in social media marketing – and reap the financial benefits of doing so.

A couple of weeks back, I was on the receiving end of my company’s first summons. It was a trivial issue that resolved itself within a couple of days. But it gave me some insight into how my customers (typically, large companies) think about these things.

My first reaction was shock (“How could this happen? There must be some mistake”). That feeling was soon eclipsed by outrage (“This is ridiculous, we haven’t done anything wrong”); which was followed by regret (“I wish we had just avoided this situation”); finishing up with irritation (“I can’t believe I have to waste time on this when I have so much real work to do.”)

When I mentioned this reaction to a couple of our customers, they just chortled to themselves and suggested that I get used to it: as your business grows, they said, you can be certain that more of these will follow.

That’s when it struck me: dealing with these issues – and by implication, e-discovery – is by no means unusual; it has become part of the cost of doing business. In the same way that companies pay their taxes or process employee visas, they respond to subpoenas, demand letters, and regulatory inquiries. Whether they themselves are directly implicated in wrongdoing, or they were innocent bystanders who had nothing to do with it, doesn’t make any difference. They have to do the work all the same.

With this in mind, I feel better prepared for the next summons, whenever it comes. Right now, we are focused on recruiting and training; at some point, if all goes well, we will get to e-discovery.