e-discovery 2.0

The headline-grabbing news this week regarding Twitter facing possible contempt sanctions is an important reminder that organizations should consider developing a strategy for addressing social media governance. In criminal proceedings against protesters involved in the Occupy Wall Street movement, a New York state court ordered Twitter several weeks ago to turn over various tweets that a protester deleted from his twitter feed relating to the movement’s blocking of the Brooklyn Bridge last year. Twitter has delayed compliance with that order, which has invited the court’s wrath: “I can’t put Twitter or the little blue bird in jail, so the only way to punish is monetarily.” The court is now threatening Twitter with a monetary contempt sanction based on “the company’s earnings statements for the past two quarters.”

At first blush, the proceeding involving Twitter may not seem paradigmatic for organizations. While most organizations do not engage in civil disobedience and typically stay clear of potential criminal actions, the conduct of the protester in unilaterally deleting his tweets raises the question of whether organizations have developed an effective policy to retain and properly supervise communications made through social networking sites.

Organizations in various industry verticals need to ensure that certain messages communicated through social media sites are maintained for legal or regulatory purposes. For example, financial services companies must retain communications with investors and other records that relate to their “business as such” – including those made through social networking sites – for at least three years under section 17a-4(b) of the Securities Exchange Act of 1934. Though this provision is fairly straightforward, it has troubled regulated companies for years. Indeed, almost two-thirds of surveyed asset managers reported that “regulatory recordkeeping” remains their greatest challenge with respect to social media.

Supervision is another troubling issue. With the proliferation of smartphones, burgeoning “bring your own device” (BYOD) policies and the demands of a 24-hour workday, supervision cannot be boiled down to a simple protocol of “I’ll review your messages before you hit send.” Yet supervision is necessary, particularly given the consequences for rogue communications including litigation costs, lost revenues, reduced stock price and damage to the company brand.

Though there are no silver bullets to ensure perfection regarding these governance challenges, organizations can follow some best practices to develop an effective social media governance policy. The first is that companies should prepare a global plan for how they will engage in social media marketing. This initial step is particularly important for groups that are just now exploring the use of social media to communicate with third parties. Having a plan in place that maps out a contact and communication strategy, provides for supervision of company representatives and accounts for compliance with regulatory requirements is essential.

The next step involves educating and training employees regarding the company’s social media policy. This should include instructions regarding what content may be posted to social networking sites and the internal process for doing so. Policies that describe the consequences for deviating from the social media plan should also be clearly delineated. Those policies should detail the legal repercussions – civil and criminal – for both the employee and the organization for social media missteps.

Third, organizations can employ technology to ensure compliance with their social media plan. This may include archiving software and other technology that both retains and enables a cost-effective supervisory review of content. Electronic discovery tools that enable legal holds and efficiently retrieve archived social media content are also useful in developing an efficient and cost-effective response to legal and regulatory requests.

By following these steps and other best practices, organizations will likely be on the way to establishing the foundation of an effective social media governance plan.

Update For Report Submission By Agencies

We are fast approaching the March 27, 2012 deadline for federal agencies to submit their reports to the Office of Management and Budget and the National Archives and Records Administration (NARA) to comply with the Presidential Mandate on records management. We are only at the inception, as we look to a very exciting public town hall meeting in Washington, D.C. – also scheduled for March 27, 2012. This meeting is primarily focused on gathering input from the public sector community, the vendor/IT community, and members of the public at large. Ultimately, NARA will issue a directive that will outline a centralized approach for the federal government for managing records and eDiscovery.

Agencies have been tight lipped about how far along they are in the process of evaluating their workflows and tools for managing their information (both electronic and paper). There is, however, some empirical data from an InformationWeek Survey conducted last year that takes the temperature on where the top IT professionals within the government have their sights set, and the Presidential Mandate should bring some of these concerns to the forefront of the reports. For example, the #1 business driver for migrating to the cloud – cited by 62% of respondents – was cost, while 77% of respondents said their biggest concern was security. Nonetheless, 46% were still highly likely to migrate to a private cloud.

Additionally, as part of the Federal Data Center Consolidation Initiative, agencies are looking to eliminate 800 data centers. While the cost savings are clear, from an information governance viewpoint, it’s hard not to ask what the government plans to do with all of those records?  Clearly, this shift, should it happen, will force the government into a more service-based management approach, as opposed to the traditional asset-based management approach. Some agencies have already migrated to the cloud. This is squarely in line with the Opex over Capex approach emerging for efficiency and cost savings.

Political Climate Unknown

Another major concern that will affect any decisions or policy implementation within the government is, not surprisingly, politics. Luckily, regardless of political party affiliation, it seems to be broadly agreed that the combination of IT spend in Washington, D.C. and the government’s slow move to properly manage electronic records is a problem. Two of the many examples of the problem are manifested in the inability to issue effective litigation holds or respond to Freedom of Information Act (FOIA) requests in a timely and complete manner. Even still, the political agenda of the Republican party may affect the prioritization of the Democratic President’s mandate and efforts could be derailed with a potential change in administration.

Given the election year and the heavy analysis required to produce the report, there is a sentiment in Washington that all of this work may be for naught if the appropriate resources cannot be secured then allocated to effectuate the recommendations. The reality is that data is growing at an unprecedented rate, and the need for the intelligent management of information is no longer deniable. The long term effects of putting this overhaul on the back burner could be disastrous. The government needs a modular plan and a solid budget to address the problem now, as they are already behind.

VanRoekel’s Information Governance

One issue that will likely not be agreed upon between Democrats and Republicans to accomplish the mandate is the almighty budget, and the technology the government must purchase in order to accomplish the necessary technological changes are going to cost a pretty penny.  Steven VanRoekel, the Federal CIO, stated upon the release of the FY 2013 $78.8 billion dollar IT budget:

“We are also making cyber security a cross-agency, cross-government priority goal this year. We have done a good job in ramping up on cyber capabilities agency-by-agency, and as we come together around this goal, we will hold the whole of government accountable for cyber capabilities and examine threats in a holistic way.”

His quote indicates the priority from the top down of evaluating IT holistically, which dovetails nicely with the presidential mandate since security and records management are only two parts of the entire information governance picture. Each agency still has their own work cut out for them across the EDRM. One of the most pressing issues in the upcoming reports will be what each agency decides to bring in-house or to continue outsourcing. This decision will in part depend on whether the inefficiencies identified lead agencies to conclude that they can perform those functions for less money and more efficiently than their contractors.  In evaluating their present capabilities, each agency will need to look at what workflows and technologies they currently have deployed across divisions, what they presently outsource,  and what the marketplace potentially offers them today to address their challenges.

The reason this question is central is because it begs an all-important question about information governance itself.  Information governance inherently implies that an organization or government control most or all aspects of the EDRM model in order to derive the benefits of security, storage, records management and eDiscovery capabilities. Presently, the government is outsourcing many of their litigation services to third party companies that have essentially become de facto government agencies.  This is partly due to scalability issues, and partly because the resources and technologies that are deployed in-house within these agencies are inadequate to properly execute a robust information governance plan.

Conclusion

The ideal scenario for each government agency to comply with the mandate would be that they deploy automated classification for their records management, archiving with expiration appropriately implemented for more than just email, and finally, some level of eDiscovery capability in order to conduct early case assessment and easily produce data for FOIA.  The level of early case assessment needed by each agency will vary, but the general idea would be that before contacting a third party to conduct data collection, the scope of an investigation or matter would be able to be determined in-house.  All things considered, the question remains if the Obama administration will foot this bill or if we will have to wait for a bigger price tag later down the road.  Either way, the government will have to come up to speed and make these changes eventually and the town hall meeting should be an accurate thermometer on where the government stands.

On November 28, 2011, The White House issued a Presidential Memorandum that outlines what is expected of the 480 federal agencies of the government’s three branches in the next 240 days.  Up until now, Washington, D.C. has been the Wild West with regard to information governance as each agency has often unilaterally adopted its own arbitrary policies and systems.  Moreover, some agencies have recently purchased differing technologies.  Unfortunately,  with the President’s ultimate goal of uniformity, this centralization will be difficult to accomplish with a range of disparate technological approaches.

Particular pain points for the government traditionally include retention, search, collection, review and production of vast amounts of data and records.  Specifically, these pain points include examples of: FOIA requests gone awry, the issuance of legal holds across different agencies leading to spoliation, and the ever present problem of decentralization.

Why is the government different?

Old Practices. First, in some instances the government is technologically behind (its corporate counterparts) and is failing to meet the judiciary’s expectation that organizations effectively store, manage and discover their information.  This failing is self-evident via  the directive coming from the President mandating that these agencies start to get a plan to attack this problem.  Though different than other corporate entities, the government is nevertheless held to the same standards of eDiscovery under the Federal Rules of Civil Procedure (FRCP).  In practice, the government has been given more leniency until recently, and while equal expectations have not always been the case, the gap between the private and public sectors in no longer possible to ignore.

FOIA.  The government’s arduous obligation to produce information under the Freedom of Information Act (FOIA) has no corresponding analog for private organizations, who are responding to more traditional civil discovery requests.  Because the government is so large with many disparate IT systems, it is cumbersome to work efficiently through the information governance process across agencies and many times still difficult inside one individual agency with multiple divisions.  Executing this production process is even more difficult if not impossible to do manually without properly deployed technology.  Additionally, many of the investigatory agencies that issue requests to the private sector need more efficient ways to manage and review data they are requesting.  To compound problems, within the US government there are two opposing interests are at play; both screaming for a resolution, and that solution needs to be centralized.  On the one hand, the government needs to retain more than a corporation may need to in order to satisfy a FOIA request.

Titan Pulled at Both Ends. On the other hand, without classification of the records that are to be kept, technology to organize this vast amount of data and some amount of expiry, every agency will essentially become their own massive repository.  The “retain everything mentality” coupled with the inefficient search and retrieval of data and records is where they stand today.  Corporations are experiencing this on a smaller scale today and many are collectively further along than the government in this process, without the FOIA complications.

What are agencies doing to address these mandates?

In their plans, agencies must describe how they will improve or maintain their records management programs, particularly with regard to email, social media and other electronic communications.  They must also move away from such a paper-centric existence.  eDiscovery consultants and software companies are helping agencies through this process, essentially writing their plans to match the President’s directive.  The cloud conversation has been revisited, and agencies also have to explain how they will use cloud-based services and storage solutions, as well as identify gaps in existing laws or regulations that presently prevent improved management.  Small innovations are taking place.  In fact, just recently the DOJ added a new search feature on their website to make it easier for the public to find documents that have been posted by agencies on their websites.

The Office of Management and Budget (OMB), National Archives and Records Administration (NARA), and Justice Department will use those reports to come up with a government-wide records management framework that is more efficient, maintains accountability by documenting agency actions and promotes “appropriate” public access to records.  Hopefully, the framework they come up with will be centralized and workable on a realistic timeframe with resources sufficiently allocated to the initiative.

How much will this cost?

The President’s mandate is a great initiative and very necessary, but one cannot help but think about the costs in terms of money, time and resources when considering these crucial changes.  The most recent version of a financial services and general government appropriations bill in the Senate extends $378.8 million to NARA for this initiative.  President Obama appointed Steven VanRoekel as the United States CIO in August 2011 to succeed Vivek Kundra.  After VanRoekel’s speech at the Churchill Club in October of 2011, an audience member asked him what the most surprising aspect of his new job was.  VanRoekel said that it was managing the huge and sometimes unwieldy resources of his $80 billion budget.  It is going to take even more than this to do the job right, however.

Using conservative estimates, assume for an agency to implement archiving and eDiscovery capabilities as an initial investment would be $100 million.  That approximates $480 billion for all 480 agencies.  Assume a uniform information governance platform gets adopted by all agencies at a 50% discount due to the large contracts and also factoring in smaller sums for agencies with lesser needs.  The total now comes to $240 billion.  For context, that figure is 5% of what was spent by Federal Government ($4.76 trillion) on the biggest bailout in history in 2008. That leaves a need for $160 billion more to get the job done. VanRoekel also commented at the same meeting that he wants to break down massive multi-year information technology projects into smaller, more modular projects in the hopes of saving the government from getting mired in multi-million dollar failures.   His solution to this, he says, is modular and incremental deployment.

While Rome was not built in a day, this initiative is long overdue, yet feasible, as technology exists to address these challenges rather quickly.  After these 240 days are complete and a plan is drawn the real question is, how are we going to pay now for technology the government needed yesterday?  In a perfect world, the government would select a platform for archiving and eDiscovery, break the project into incremental milestones and roll out a uniform combination of solutions that are best of breed in their expertise.

In the first settlement of its kind, FINRA settled with the SEC on October 27, 2011 due to allegations over a 2008 incident where a regional Kansas City office of FINRA doctored documents.  The alleged doctored documents were from three internal staff meetings, where information was either edited or deleted and then provided to the SEC with the “inaccurate and incomplete” changes. Mary Shapiro, currently the Chairman of the SEC, is in an interesting spot as she was Chief Executive of FINRA at the time of the alleged wrongdoing.  She apparently had no direct involvement with the decision to take action against FINRA.

The motives for doctoring the documents are unclear, and so is whether or not the alterations of the documents led to any material damage other than FINRA’s diminished credibility.  Ironically, the SEC has had its own struggles in recent months with a slew of articles published in various newspapers highlighting their own challenges with document retention and the improper destruction of documents. Both of these scenarios have been called to light by whistleblowers within their respective agencies.

These antics certainly pose the question: Is it a good use of taxpayer money to have regulatory agencies fighting each other over document retention and record keeping practices? The answer is probably no. But the first question begs the second: If they don’t do it, who will?  While information management is not the sexiest part of the SEC and FINRA’s responsibilities, it certainly is an important one and the foundation of their information intelligence.  Without proper document retention and information governance, the probability of connecting the dots to discover insider trading or other malfeasance is low.  Moreover, in order for agencies to retain credibility they need to be able to locate documents with ease and speed and those documents must be truthful and accurate.

Because FINRA is a self-regulatory firm for securities and is overseen by the SEC, it seems appropriate that they investigate matters like the one at hand.  According to the SEC, the 2008 incident is the third instance in the past eight years where an employee of FINRA, or its predecessor, the National Association of Security Dealers, has provided altered or misleading documents to the SEC.  It remains to be seen if this is intentional on the part of FINRA to conceal undesirable facts or to promote an item on their agenda, or if in fact they are simply negligent with regard to their record keeping policies.  Either way, it is a problem for the SEC and the government in general as it undermines agency credibility and compromises the ability to intelligently leverage information.   This settlement also does no favors for FINRA at a time when they aim to expand their 4,600 base of supervisory authority to include 10,000 more investment advisory firms.

So, what can be done about this behavior and the risks it poses? Corporations and governments are facing the same issues that information governance poses due to the data explosion and the growing complexity of data sources today.  At a minimum, there needs to be a policy in place that governs how data, regardless of form, is handled and disposed of in the information lifecycle.  It also makes sense to form an audit committee within the government that can inspect and assess the information management practices of each agency, as well as serve as a  third party mediator between agencies when these challenges arise.  This is a good idea for two reasons.  One, agencies can focus on their responsibilities instead of getting sidetracked with issues they are not expert in, like document retention or record management.  Next, this problem has reached a point that it’s necessary to appoint an independent group to audit the government due to the data explosion and pace of technology today.  We have the SEC and FINRA to watch the financial industry and provide us with assurance that business is being conducted in a lawful manner.  We don’t need the SEC or FINRA to take up document retention as another responsibility, as there are other professionals that can do that more effectively and independently.

While expansion of government is not the goal of forming yet another committee, this committee could potentially free up agencies to do more of the work they are charged with.  This would also promote standardization across agencies and regulatory bodies, which would be a giant step in the right direction as data volumes grow.  The actions that resulted in this settlement were remedial in nature.  FINRA took decisive action to air a podcast about document integrity and scheduled an agency-wide town hall meeting addressing the same for all current and new employees.  They also hired an independent outside consultant to provide additional staff training on document retention and integrity.  This will be a continual educational process for the private and public sector, and employee training and auditing the process will be the lynchpins for success.  The element of deflection is also at work here, as the SEC is not a model example of best practices for document retention and the moment.

The SEC is working through allegations of document destruction, FINRA is accused of document doctoring, but all these assertions circle back to the central theme of having a document retention policy and compliance with that policy.  This naturally leads to the need for education and training, and the ultimate auditing of the process for compliance.  In this rare case of watchdog bites watchdog, three points become clear: 1) The SEC has a higher and best use other than policing these issues; 2) information management has reached a point that it requires a separate and independent body to monitor and regulate allegations of misconduct; and 3) sometimes it takes a dog biting a dog to truly illustrate the magnitude of a problem.

Google has publicly released the number of U.S. Government requests it had for email productions in the six months preceding December 31, 2009.  They have had to comply with 94% of these 4,601 requests.  Granted, many of these requests were search warrants or subpoenas, but many were not.  Now take 4,601 and multiply it by at least 3 for other social media sources for Facebook, LinkedIn, and Twitter.  The number is big – and so is the concern over how this information is being obtained.

What has becoming increasingly common (and alarming at the same time) is the way this electronically stored information (ESI) is being obtained from third party service providers by the U.S. Government. Some of these requests were actually secret court orders; it is unclear how many of the matters were criminal or civil.  Many of these service providers (Sonic, Google, Microsoft, etc.) are challenging these requests and most often losing. They are losing on two fronts:  1) they are not allowed to inform the data owner about the requests, nor the subsequent production of the emails, and 2) they are forced to actually produce the information.  For example, the U.S. Government obtained one of these secret orders to get WikiLeaks volunteer Jacob Applebaum’s email contact list of the people he has corresponded with over the past two years.  Both Google and Sonic.net were ordered to turn over information and Sonic challenged  the order and lost.  This has forced technology companies to band together to lobby Congress to require search warrants in digital investigations.

There are three primary laws operating at this pivotal intersection that affect the discovery of ESI that resides with third party service providers, and these laws are in a car wreck with no ambulance in sight.  First, there is the antiquated Federal Law, the Electronic Communications Privacy Act of 1986, over which there is much debate at present.  To put the datedness of the ECPA in perspective, it was written before the internet.  This law is the basis that allows the government to secretly obtain information from email and cell phones without a search warrant. Not having a search warrant is in direct conflict with the U.S. Constitution’s 4th Amendment protection against unreasonable searches and seizures.  In the secret order scenario, the creator of data is denied their right to know about the search and seizure (as they would if their homes were being searched, for example) as it is transpiring with the third party.

Where a secret order has been issued and emails have been obtained from a third party service provider, we see the courts treating email much differently than traditional mail and telephone lines.  However, the intent of the law was to give electronic communications the same protections that mail and phone calls have enjoyed for some time. Understandably, the law did not anticipate the advent of the technology we have today.  This is the first collision, and the reason the wheels have gone off the car, since the standard under the ECPA sets a lower bar for email than that of the former two modes of communication.  The government must only show “reasonable grounds” that the records would be “relevant and material” to an investigation, criminal or civil, compared to the other higher standard.

The third law in this collision is the Freedom of Information Act (FOIA).  While certain exceptions and allowances are made for national security and in criminal investigations, these secret orders are not able to be seen by the person whose information has been requested.  Additionally, the public wants to see these requests and these orders, especially if they have no chance of fighting them.  What remains to be seen is what our rights are under FOIA to see these orders, either as a party or a non-related individual to the investigation as a matter of public record.  U.S. Senator Patrick Leahy, (D-VT), the author of the ECPA, acknowledged in no uncertain terms that the law is “significantly outdated and outpaced by rapid changes in technology.”   He has since introduced a bill with many changes that third party service providers have lobbied for to bring the ECPA up to date. The irony of this situation is that the law was intended to provide the same protections for all modes of communication, but in fact makes it easier for the government to request information without the author even knowing.

This is one of the most important issues now facing individuals and the government in the discovery of ESI during investigations and litigation.  A third party service provider of cloud offerings is really no different than a utility company, and the same paradigm can exist as it does with the U.S. Postal Service and the telephone companies when looking to discover this information under the Fourth Amendment, where a warrant is required. The law looks to be changing to reflect this and FOIA should allow the public to access these orders.  Amendments to the Act have been introduced by Senator Leahy, and we can look forward to the common sense changes he proposes that are necessary.  The American people don’t like secrets. Lawyers, get ready to embrace the revisions into your practice by reading up on the changes as they will impact your practices significantly in the near future.