E-Discovery for Enterprise Decision Makers
E-discovery is the identification, gathering, culling, analysis and legal review of data (e.g., electronic documents, communications, database records and systems transaction logs) related to an actual or anticipated legal matter. E-discovery touches important data-related organizational areas such as IT, information governance, compliance, email and records management, legal hold and information access.
Electronic discovery solutions are more and more critical to successful litigations. Cases can be won or lost totally or primarily based on e-discovery procedures alone and the processes and technologies underlying them. Below is a list of best practices that every organization should follow with respect to its corporate e-discovery data strategy.
1. Have a plan. A simple plan can ensure that preservation is taking place in a defensible, rapid and cost-effective manner. The plan should include standard operating procedures for first-response in reactive situations such as lawsuits or regulatory investigations. Most important are checklists and procedures for data identification and creating a preserved copy.
Longer term strategies for proactive e-discovery best practices include good data retention plans and enforcement, and avoiding purchase of new IT systems that make e-discovery difficult.
2. Initiate legal hold notifications quickly. Inform employees of their obligation to retain certain emails and documents and other relevant data sources for legal reasons. Notifying employees (referred to by lawyers as "custodians") that they must not delete data because it may be evidence for a legal matter can be automated and managed across the organization at very little cost or effort. For example, BIA's legal hold compliance SaaS solution costs less than $2 per user per month. Even if legal hold is done manually with spreadsheets and email, the cost is negligible compared to the amount of money spent on fines and attorney fees if legal holds or data preservation are mishandled.
3. Scope the legal issues, then choose the technology. Do not perform e-discovery by brute force. Data should be gathered from common areas such as laptops, home folders, email accounts and other business-related systems (such as the marketing document management system if the case is about marketing). First identify the relevant employees who may be data custodians, then determine which related data systems and resources must be preserved. For example, a targeted collection of user-created file types from laptops and home folders and an export of an email account is much more efficient and cost-effective than copying an entire hard drive or pulling many backup tapes.
4. Always maintain data integrity when gathering data. Increasingly, courts and parties are focusing on the integrity of document and email metadata as aspects of good evidence in lawsuits and regulatory matters today. Since almost all data created and used in business today is digital and never printed to paper, the reliance upon electronic records is critical to legal data compliance. Parties and courts rely on the date created or modified, where it was stored on the network, or its email recipients and time sent/received. All that information MUST be maintained; regular IT operations and other user actions can easily alter or delete that information. For example, using a mature e-discovery data collection tool as part of an organization's overall strategy is one part of the process to ensure data integrity. People must enforce and manage the data-gathering process.
5. Have technology solution options ready. Have several technology solutions ready for use to facilitate different aspects of the process-most importantly processes occurring behind-the-firewall, inside the corporate network, such as managing legal hold compliance and performing data collection for legal matters. Technology should be tested, piloted and accepted by the organization. Having technology ready before a legal matter arises allows for more efficient and cost-effective e-discovery.
6. Create a "go-to" e-discovery team. The e-discovery team should meet on a scheduled basis to discuss organization-wide e-discovery issues. Each team member should represent a different area of the organization and include at least one person from legal and IT (or IT security). Other key departments include InfoSec, risk, compliance, HR and some relevant business units. Strong and successful e-discovery teams, sometimes referred to as Data Action Response Teams (DARTs), pull from several key areas of the organization, and have the authority to make important recommendations and decisions with respect to e-discovery policies and best practices. The team relies on internal resources but also on trusted and knowledgeable external resources such as outside legal counsel, experts and appropriate e-discovery vendor resources.
7. Reasonableness. In e-discovery, courts have stated repeatedly that reasonableness is the standard to follow for e-discovery issues. If a task doesn't stop critical systems or burden employees to an unreasonable extent, then it should be done. Otherwise, if reasonable measures exist to notify employees of their obligations to retain data and if systems are in place to preserve and gather relevant data from identified people and systems, then that critical balance between using defensible processes and costs is achieved.
8. There is no magic bullet. Organizations attempting to implement enterprise-level automated solutions for e-discovery spend a lot of money and time on unnecessary tasks. They ultimately rely on many more people and third-party systems than planned, which leads to expensive and disorganized e-discovery. Instead, focus on easy-to-implement solutions that have low capital expense and get the job done well and quickly-without burdening IT resources or employees.
9. Garbage-in, garbage-out is real. If the data collection process is not performed in a compliant manner, then the rest of the legal (discovery or investigatory) process will always be in doubt. Use best practices to ensure data integrity. Otherwise, organizations are at serious risk of damaging data integrity such as the inadvertent alteration (or worse, destruction) of critical metadata and system history data. Furthermore, the IT staff involved in the gathering process may be called upon for witness testimony. Inefficient data gathering methods and unnecessary IT costs only lead to weak legal defensibility and higher legal costs.
10. Work to become mature in e-discovery. All organizations find themselves somewhere along an e-discovery maturity model-low to high. Many organizations still find themselves in dismal territory-with ad-hoc and chaotic e-discovery practices (i.e., no maturity). But by implementing a few simple and inexpensive best practices, organizations can be catapulted into a more mature level, thus placing the organization in a solid, defensible position and helping save costs on unnecessary e-discovery related spending.