Preparing for an E-Discovery Showdown
As a buzzword, "e-discovery" doesn't have much flash, but it does have plenty of substance─as those involved with litigation have discovered. Because so much corporate communication and information is stored in digital form, being able to retrieve that data quickly and affordably is helpful, but it's not always realistic.
Many organizations might store data in legacy systems or at off-site locations, and requests for specific e-mail, for example, could be expensive to locate, and may not even be relevant to the case. CIOs need to implement and enforce e-discovery protocols and infrastructure, but some believe many companies are woefully unprepared.
"What a CIO should be asking is, 'What happens if my company gets sued?'" says Tom Hathaway, an attorney who specializes in e-topics at law firm Clark Hill.
CIOs need to know several issues to be prepared in case litigation crops up and e-discovery looms large, and the first wake-up call is that e-discovery is expensive and time-consuming, Hathaway says. Although CIOs may be aware that there will be costs and effort, they tend to underestimate the effects of trying to manage ESI (electronically stored information) since there are so many avenues of communication.
For example, voice mail that is part of a voice over IP system could be subject to regulations, which means that the messages not only need to be stored, but also located if a request comes in as part of litigation.
Another Clark Hill attorney, Brian Ziff, has noticed that in the commercial litigation cases he handles, nearly every suit involves e-discovery to some degree, including contract drafts, purchase orders and e-mail. Just having recognition of the importance of ESI for e-discovery is an important first step that can be overlooked.
Once the recognition is in place, CIOs can prepare by working with in-house or outside counsel to get an understandig of current rules. Ziff suggests implementing a written plan that will outline how different departments will act and provide in the case of litigation.
"The rules of e-discovery don't require that you shut the company down completely in order to comply," says Ziff. "But they do require protocols. Sometimes, the only proof you might have of some data is that you tried to save it, but don't count on that being enough."
CIOs, in particular, will need to start this effort within a company to learn the rules and develop the procedures, Hathaway explains. "They're the first responders in many suits; they're the gatekeepers."
Although e-discovery is driving more awareness of protocols and procedures at some companies, that doesn't seem to be the case in most firms.
Storage firm Kroll Ontrack performed a survey of in-house counsel, focusing on how they managed ESI in litigation and internal investigations. The study showed that only about 25 percent of U.S. in-house counsel claim to be fully up-to-speed with all case law, developments and regulations related to ESI, and the percentage is even smaller in the United Kingdom, the other country covered by the survey. Of all respondents, about half noted that they don't have any ESI policy.
Although the survey covered just in-house counsel, respondents reported that primary responsibility for ESI strategy development could be found in other departments. About half the companies had in-house counsel as the ESI leaders, but among the others, those accountable might include CIOs, IT managers, CFOs, HR managers and compliance officers.
"The most interesting part here is where the blame gets put if something goes wrong with e-discovery," said Michele Lange, Kroll Ontrack director. "In-house counsel tends to blame the CIO as well as themselves if the company is sanctioned, even if the CIO isn't directly responsible for setting the policies."
She suggests that CIOs create a data map of the company to show how data is being transferred inside and outside the firewall, and also where it's being stored. "How accessible is this data if you have to produce it in litigation?" she notes. "Is it something that requires a Herculean effort to get to, or can you get it fairly inexpensively? These are the kinds of questions to ask during a tabletop drill, when you go through hypothetical situations."
Another strong approach is to develop a team-based effort, in which C-level executives and department heads from HR and accounting are brought together to learn about how to store information, Hathaway says.
It won't do much good, for instance, if the CIO has a stellar storage strategy in place, but HR and accounting are digitally shredding all documents more than a few months old. And if it's found that information has been erased, it could be even more damaging to a case than if it's used by the other side, Ziff adds.
"You're almost highlighting it by deleting it," he says. "These days, if other departments aren't properly trained by CIOs in how to handle potential litigation situations, all they're doing is creating liability."
What e-discovery preparation essentially boils down to, Hathaway believes, is the CIO's ability to emphasize that all information is company property, whether it's a voice mail, text message, or personal e-mail on the company's network.
Staying current on regulatory policies, creating a plan for information retrieval, and training departments on proper document and communication preservation can go a long way toward dealing with e-discovery, rather than getting derailed by it.