Top trends in e-discovery
Back in the late 1990s when e-discovery was in its infancy, it was mostly dismissed as a passing fad. Boy, was that assumption wrong.
‘E-discovery is here to stay, and the rules, case law and technology progress every year,’ says Kaitlin Shinkle, senior manager of worldwide brand communications for Kroll Ontrack, a provider of software, data recovery, data destruction, e-discovery and document review services.
The e-discovery marketplace is not unified, and nothing is simple – technologies and methodologies are complex and varied. ‘There’s much room for improvement,’ says Shinkle. ‘Law firms and corporations yearn for best practices and proven technology to drive time and cost savings.’
Quite simply, e-discovery – the collection, analysis, preparation, review and production of electronically stored information that may be used in a legal proceeding – has become an ever-growing challenge and opportunity. Here’s a look at the key trends and issues that are causing a buzz in the boardroom.
Big data explosion
The growth of data is out of control. ‘The amount of data is staggering, and it’s growing exponentially,’ says Mike Kinnaman, a senior managing director in the technology practice of business advisory firm FTI Consulting. ‘Ninety percent of the data in the world was created in the last two years,’ he notes.
More data means higher costs and increased risks. The costs of retrieving, analyzing and reviewing data for e-discovery can easily reach tens of thousands of dollars per gigabyte. Many lawsuits involve multiple terabytes of information, equating to thousands of gigabytes of data, says Eddie Sheehy, CEO of Nuix, a provider of information management technologies, including e-discovery, electronic investigation and information governance software.
This might be bearable if the frequency of litigation and regulatory oversight was static or shrinking, but that too is growing. According to Enterprise Strategy Group, almost two thirds of medium-sized and large organizations handle more than 25 legal and regulatory matters in a year. More than a quarter of the companies surveyed handled more than 200.
Advice from counsel, a recent study of in-house lawyers at Fortune 1000 firms by FTI Consulting, reveals that 64 percent of those surveyed believe the impact of big data on e-discovery requests will be an overwhelming challenge for the foreseeable future.
Out-of-control growth of data is the root cause of e-discovery trouble – specifically unknown, unstructured data, which is a huge source of litigation costs and risks, says Sheehy.
Rather than spending large amounts of money on e-discovery after the fact, it may make sense to tackle data, storage and information management problems at the core. Information governance uses policies, procedures, processes and controls to manage information efficiently and effectively to meet an organization’s goals. It includes electronic discovery, privacy and security matters, storage optimization and metadata management.
‘Boards tend to get nervous when they hear about large, all-encompassing business initiatives,’ says Sheehy. ‘It’s true that the journey toward information governance takes several years, but it can easily be divided into small projects that provide short-term value. Information governance very quickly becomes self-funding through smaller litigation budgets, reduced storage spending and better risk management. It can also become a source of business value as organizations leverage the knowledge they have gained from understanding their own data.’
Historically the IT department has been tasked with maintaining systems and hasn’t been responsible for content, and there is no group designated to overseeing company policies and procedures. ‘There is a need for an information governance officer, an individual or group, that pulls together constituents like IT, corporate counsel, litigation counsel and others,’ says David Cross, a partner with the litigation group and the e-discovery and information management group at the law firm of Crowell & Moring. The bottom line: accountability.
‘Compliance and discovery obligations don’t stop at the US borders – e-discovery is international,’ says John Tredennick, CEO of Catalyst Repository Systems, a provider of e-discovery technology and services to law firms and in-house counsel. Courts and regulators have been quite clear over the last decade that e-discovery isn’t limited by boundaries, he explains. As the economy becomes more global in nature, this is presenting huge challenges.
Digital data lives all over the globe. ‘It’s not only large companies that have to worry about this,’ notes David Kessler, co-head of the e-discovery and information governance practice at the law firm of Fulbright & Jaworski. ‘Increasingly, even small companies have international reach with the internet, or they may outsource part of their supply chain elsewhere in the world.’
‘As businesses expand their presence and regularly transact business in multiple countries, they need to be aware of the implications of that growth as it relates to data management,’ says Fernando Pinguelo, chair of the cyber-security and data protection group at the law firm of Norris McLaughlin & Marcus. Compliance with regulatory schemes required by data protection, privacy and security laws is an increasingly significant issue for multinational corporations. This includes secure data storage and secure transfer of data across multiple jurisdictions – particularly in the context of the transfer of data required for US lawsuits and arbitration where e-discovery obligations butt up against international privacy and data protection laws.
While the US is home to broad discovery, other countries can be very restrictive, especially when it comes to the privacy of employees and customers, says Chris Forstner, head of the strategic discovery and information management group at the law firm of Murphy & McGonigle. He points to the EU as an example of a place that is very restrictive. ‘US companies have to be careful not to run afoul of foreign data privacy issues when they try to defend themselves,’ he explains. ‘Companies can get into trouble when they are moving data out of the EU.’
There is proposed legislation in the EU where violation of its privacy statutes could result in a company being sanctioned to the tune of 2 percent of its worldwide revenues. ‘This has gotten the attention of US companies,’ says Kessler.
Privacy and information security
According to a 2012 Forrester Research study, Benchmarking your records management program, decision makers reported big spending plans for their records management (RM) programs over the next year. Strong RM programs continue to target traditional compliance and information access objectives, but many organizations say they are also increasingly leveraging RM to stem the surge of growing digital landfills. According to the study, RM leaders report that trimming digital debris using defensible disposition programs backed by appropriate technology is helping them materially reduce storage and litigation costs as well as risks.
Ramping up is a smart move, and privacy and data protection should top corporate agendas. In the Fulbright 9th Annual Litigation Trends Survey, nearly one third of respondents reported having encountered issues involving privacy and/or data protection in disputes or investigations in the past 12 months. Issues arose most frequently in the context of collecting data from company equipment and from employees’ personal equipment. Companies were also concerned about the use of third-party vendors to collect and process data.
The explosion of social media has created new challenges in e-discovery. In the Fulbright survey, about one fifth of all companies participating had to preserve or collect data from an employee’s personal social media account in connection with a dispute or investigation. But only 9 percent of US companies reported having to actually produce, as part of discovery, information stored on social media.
The line between personal and professional is blurring. ‘With companies now enacting ‘bring your own device’ policies and integrating social media platforms in the ordinary course of business, security risks are greater than ever,’ says Shinkle. Companies are grappling with best practices for preserving, collecting, reviewing and producing data, she adds.
The technology is there, though, to help companies fight the privacy war. Advanced tools are being developed to automatically identify patterns in text, such as social security numbers, and in conjunction with automated redaction and anonymization techniques, to eliminate or block out personally identifiable information and its counterpart, non-public information. ‘This is important when data privacy is a big concern for highly regulated industries, such as financial services and healthcare, or in the case of cross-border litigation and data privacy laws,’ says Robert Hellewell, attorney and vice president at Xerox Litigation Services. ‘But despite security concerns, e-discovery platforms are gravitating to Mac OS, tablets and mobile devices, including the iPad, iPhone and Android, giving users the ability to cull through, search, analyze and review case-specific documents on any device of choice.’
Another challenge is caused by uncertainty over what data companies need to preserve and for how long. ‘Data retention, in addition to the default corporate tendency to over-save data, greatly increases e-discovery costs,’ says Mary Mack, enterprise technology counsel for ZyLAB, a provider of e-discovery and information management solutions. ‘Every organization houses too much data: email traffic, documents, records, photos, video, and posts in social media.’
‘The days of one IT person dragging and dropping relevant documents onto a thumb drive, or employees emailing documents to counsel, are gone,’ says Jana Landon, co-chair of the e-discovery task force at the law firm of Stradley Ronon Stevens & Young. ‘Judges in e-discovery-savvy jurisdictions such as Delaware and New York are stating that a party’s self-collection of documents may be tantamount to negligence, depending on the circumstances,’ says Landon. ‘Boards must make everyone aware that experienced counsel, either outside or in-house, must be involved with every collection, or face possible sanctions.’
Apple vs Samsung demonstrated the increasing importance of data and document preservation. Both litigants were sanctioned for failing to preserve data in compliance with the law, says Adam Losey, member of the eDiscovery & Data Management practice at law firm Foley & Lardner. ‘The duty to preserve information under the common law arises when you reasonably anticipate litigation, and data preservation will continue to come under the microscope in large-scale litigation.’
Clawback issues relate to retrieving privileged documents when they are inadvertently produced. ‘Although this sounds like a detail best left to litigators, it is key to controlling costs,’ says Timothy Harkness, a partner with the law firm of Freshfields Bruckhaus Deringer. Effective clawback provisions in protective orders allow firms to avoid the onerous costs of detailed document review.
What does all this mean for boards? ‘Boards must be clear on the company’s obligation to preserve data and ensure that ‘reasonable steps’ are taken to fulfill that obligation,’ Kessler warns. ‘Are proper processes in place? If not, companies should know that more and more, there are cases where in-house lawyers, outside counsel and senior management may face sanctions for failing to act appropriately.’
Keeping things organized
It’s important to put resources and attention into general document management. ‘Having your records in a mess makes preservation and everyday business much more difficult,’ Losey notes.
In fact, the policies and procedures by which board members retrieve, handle and store the information they receive are critical to the success of the company. ‘Board members should be as careful and thoughtful about the use and distribution of information they receive as board members as any other proprietary information,’ says Gilbert Keteltas, co-chair of the national e-discovery advocacy and management team at the law firm of BakerHostetler. ‘If you’re on a board and you don’t understand the company’s record retention policy, ask.’
Keteltas continues: ‘Where do board members receive meeting books, mark up things, and email other board members? What email address do they have? Many get a company-issued email account for the firm whose board they sit on, but not everyone does. Many may access board communications on their workplace computer as well as their home computers.’
When a company gets sued it may not even think to look for information that is on board members’ computers, but such material may be relevant in litigation or an internal investigation. What’s problematic, too, is that the board member’s workplace may have its own retention policy, such as deleting every email after 30 days.
‘Proprietary information can get swept up in the collection of information for an unrelated litigation, or what if the board member has information on his/her iPad and then leaves it in a cab? That could lead to a data breach,’ says Keteltas.
Personal or ‘day job’ email accounts of relevant board members are likely repositories of relevant data and must be preserved. Because these accounts are outside the corporate infrastructure and are not controlled by the company itself, there may be substantial challenges in preserving or obtaining this data. Furthermore, board members who are unaware of this risk are often ‘less than pleased when they learn that their personal or ‘day job’ email accounts are subject to preservation and worse, potential collection and search,’ says Aaron Crews, a shareholder and member of the e-discovery counsel at the law firm of Littler Mendelson.
Without question, any board member must be clear on what’s defensible in terms of deleting information. What is the company doing to protect itself? What is the retention policy? If there is no policy, establishing one should be a top priority.
Governance people are seeing rising bills for e-discovery, primarily due to the sheer increase in volume, says Tredennick. Many companies are seriously reconsidering which aspects of the litigation process they farm out to external providers, Sheehy observes.
‘Bob Lewis, the global director of cyber-forensics and investigations at Barclays Bank in the UK, estimated that the bank saved around $140 million last year by bringing its data discovery and retrieval functions in-house,’ he says. The technological tools that organizations can use to do this work in-house are becoming more advanced, and this makes it possible to reduce costs and get results much faster.
If your company decides to go with outside counsel, Tredennick cautions, ‘Look at the law firms you’re working with. Are they using the latest technology that will save you money? Otherwise, they’re going to blow your budget and there could be more errors.’
For board members, the most important aspect here is to ensure the organization has adequate and well-documented policies and procedures to support any e-discovery work done internally. ‘Courts and regulators will scrutinize home-grown e-discovery much more closely than work done by an external law firm,’ says Sheehy. ‘It may be necessary to get an external advisor to sign off on these controls before putting them in place.’
Taking advantage of technology is key, and stemming the money drain associated with paying outside counsel (or document review companies) small fortunes to read reams of documents in large-scale litigation is a critical consideration. ‘The lion’s share of most litigation budgets is for discovery, and this should lead to decreased legal fees in large-scale litigation,’ says Losey.
Boards must be proactive
‘Ultimately, corporate boards will have to answer to the delinquent or negligent adoption of technologies that manage the flow of data within and outside their operations if there is a data breach or the IT systems are otherwise compromised,’ says Pinguelo. Boards should insist that a legal layer of review be part of any such decisions that are made – well before they are made. Public corporations should also consider the implications of Sarbanes-Oxley for protection of their information assets. Risk can be significantly mitigated if legal is part of the procedure and policy-drafting process from inception.
It’s up to the board to ask technical questions, regularly assess litigation hold procedures and data retention practices and ensure compliance through the IT infrastructure. Ensure that IT and legal have evaluated e-discovery software options. ‘Don’t overlook the benefits of e-discovery software in today’s digital realm,’ Shinkle advises. ‘Inquire whether counsel has a preferred relationship and preferred pricing agreements with e-discovery software providers. Once litigation ensues, question preservation practices, and understand e-discovery issues being raised at early meetings and conferences with the judge and opposing party. Look for innovative technical ways to cost-effectively reduce data volumes.
‘A reactive, ad hoc approach to e-discovery isn’t going to cut it any longer in corporate America,’ Shinkle continues. ‘Corporate boards and corporate leadership must work together to proactively protect the company. Frequent communication between chief executive officers, the chief legal officer, chief information officers and the board of directors is essential for effective litigation management today.’