Today’s E-Discovery, A Matter For Substantive Experts

Saturday, September 22, 2012 - 14:06

The Editor interviews Garrett Bendel, Chief Operating Officer, Complete Discovery Source (CDS Legal).

Editor: Please introduce Complete Discovery Source (CDS Legal) to our readers. We understand you were ranked number one in a national survey by the New York Law Journal and were named as a Relativity Orange-Level Best in Service partner.

Bendel: CDS Legal is an end-to-end e-discovery service provider with one of the largest e-discovery footprints in the U.S. Our clients are corporations and law firms, and our services include collecting, organizing, reviewing and distributing electronically stored information (ESI). We support more than 25 e-discovery tools, including our proprietary cloud-based review platform, Nytrix, which was just unveiled at the 2012 ILTA conference (International Legal Technology Association).

We have offices in New York, Washington, DC, San Francisco and Chicago as well as three highly secured national data centers. Our processes have just been successfully audited under the requirements of AICPA SSAE 16, Service Organization Control (SOC) 1 Type II, which replaced SAS 70 and is an international standard.

Editor: On what discovery-related issues should increased attention be paid in the development of e-discovery solutions?

Bendel: Currently, predictive coding, social media, cross-border discovery and data security seem to be inspiring the most discussion. These issues are shaping the industry, and legal teams are concerned about their effects, particularly as they relate to controlling costs, managing big data and developing the most thoughtful approach to the e-discovery process.

Predictive coding, or technology-assisted review, has really excited interest as a recent technology aimed at reducing costs, and cases like Da Silva Moore v. Publicis Groupe have provided high-profile commentary from judges and outside counsel as to what constitutes acceptable e-discovery procedures. However, no matter how good this technology may be, it is not a cookie-cutter solution in all situations. 

The challenge with social media is the complexity it creates in e-discovery, similar to the impact of email just a decade ago. The question of how to produce, manage and review social-media-generated ESI is a source of great anxiety for our corporate clients. And there are not many solutions currently available. There’s talk about “bring your own device” (“BYOD”) – a policy enabling employees to use their own mobile devices to access privileged company systems. Questions remain as to how to handle it from an e-discovery perspective, and solutions are at the infancy stage of development. Your e-discovery strategist can look at a company's specific environment and help shape policies for information governance.

Editor: What legislative or judicial developments point to the need for innovation, both in technology and with respect to information governance?

Bendel: The Federal Rules of Civil Procedure were amended in 2006 specifically to include the term ESI, forcing the need to address the issue. For our purposes, the most significant amendments are FRCP 16, 26, 33, 34, 37 and 45. Highlighting the last three – Rule 34 affirms that all existing information is discoverable, no matter for how long or where it is stored, including in the cloud. Rule 37 clears the way for sanctions, and Rule 45 affirms that ESI is evidence, i.e., a discoverable document.

Recent decisions such as those in Da Silva Moore and Global Aerospace v. Landow Aviation have supported the latest assisted-review technologies, highlighting technology and information governance as critical priorities. The message is clear: corporations must address these issues now or face the threat of sanctions.

Editor: What are the key components of effective corporate information governance schemes?

Bendel: Beyond technology, the first step is to develop a master data-management process or approach, and a critical component here is senior management buy-in. While the costs of data storage are decreasing, as the price of technology always does over time, a corporate policy of saving everything doesn’t work and merely creates a mountain of information to store and manage.

Companies should establish an IT steering committee to develop a comprehensive map of the IT system. As companies grow and employees come and go, many corporations lose track of information; and even companies that keep track don’t systemically understand what it means. So in addition to resisting the urge to collect everything, companies need a remediation strategy – a uniform policy that formalizes the process of eliminating information from their systems. Proper remediation is even more critical in companies that are being merged or acquired to ensure consistency across the company and individual business units.

It’s important to remember that there is no legal requirement to save all data, unless and until data relates to an imminent litigation. Our company enters the picture once litigation has begun. We work with large storage companies – such as EMC – which are looking at new technologies that assist with managing and indexing data. Such data processing enables intelligent searching toward producing relevant documents during litigation.

Most existing technology focuses on the data archiving stage, so corporations that don’t have a formal information governance policy naturally will feel obliged to save everything and worry later about de-duplication, reducing and otherwise processing it. We are now seeing more analytics technologies that actually crawl through and index the data, enabling better and more cost-effective business practices around information governance.

Editor: What are the key elements of data security and privacy policies that enable companies to engage productively in e-discovery in cross-border disputes?

Bendel: Multinational corporations doing business in the U.S. face a unique dilemma whenever they are up against compliance with a Rule 26 discovery obligation. Do I comply with U.S. preservation and production demands but face potential violations of local laws and regulations where potentially relevant data resides, or do I fully comply with the non-U.S. legal framework and risk sanctions from a U.S. court? 

Any data security or privacy policy should be firmly grounded in a respect for the history underlying non-U.S. legal frameworks plus a solid grasp of the law. I don’t mean to suggest that such policies should be implemented by history buffs but, rather, that mutual respect for non-U.S. laws can turn on understanding the cultural differences that underpin the protection of personal data overseas. 

Further, it goes without saying that any useful data security and privacy policy begins with a firm grasp of the legal and regulatory framework, including a fundamental understanding of the differences between the discovery processes of common law versus civil law systems. The immensely broad scope of e-discovery is alien to most countries outside the U.S., and some judges would prefer to allow counsel to altogether avoid the production of data outside the U.S.   

Robust data security and privacy policies can help address this seeming conundrum, and there are three basic elements that can promote productive e-discovery in the cross-border realm. First, an effective classification system is critical and enables appropriate protection and handling of massive amounts of information within the context of e-discovery. Different legal frameworks treat data differently, rendering it equally important to understand how the EU Data Directive defines “personally identifiable information” (PII) versus what PII means under the Shanghai consumer protection regulations. 

Second, policies must include clearly defined standards for data protection based on that classification. These standards may differ depending on the type or location of data (i.e. data stored in the cloud, legacy data, data stored for disaster recovery purposes, or data on active servers). This element promotes the ancillary benefit of empowering corporations to know where their data resides, which is half the battle in e-discovery. 

Third and more generally, to ensure that policies are robust, data controllers must implement a comprehensive administrative framework. What are the key roles within the team; who should be named as a data protection officer; and how do team members communicate? How can the company promote awareness of the policies and develop effective training procedures? How is employee consent gathered? How are policies monitored and vetted against new legal or regulatory developments (on which the company must remain current)? The list goes on. A policy is only as productive as a company’s ability to implement it effectively.      

Once again, the key to successful cross-border e-discovery involves having a unified approach to information governance. Such an approach promotes the alignment of data security and privacy policies with other internal polices and regulatory frameworks under the larger umbrella of successfully promoting the company’s business goals. Efficient cross-border e-discovery should reduce risk, and it can serve purposes well beyond litigation, such as reducing barriers to commerce and promoting global economic growth. 

Practically speaking, and really in all cases, our clients want policies that are auditable and forensically tested for effectiveness in actual situations, such as when a custodian receives and processes a litigation-hold letter. Also, document retention and destruction policies must be standardized, repeatable and focused on information relevant to the business.

Editor: What does it mean for an e-discovery service provider to be compliant with the U.S. Department of Commerce U.S. EU Safe Harbor Framework (“Safe Harbor”)?

Bendel: Compliance with Safe Harbor reflects that companies have demonstrated adequate protection of personal and corporate data as required by the EU Data Protection Directive. In the U.S., employee data is property of the employer, whereas in the EU, this data belongs to the employee and is subject to strict privacy laws. Custodians in the EU have to collect and filter data locally, and individuals have the right to opt out if the data is private and they don’t want to share it. That’s the framework of Safe Harbor compliance.

Internationally, discovery processes must support a party’s claim or defense in order to minimize conflict with data privacy laws and their impact on custodians. As a result, CDS Legal created a technology called Digital Customs, which essentially is a mobile unit that can process data in a secure environment that is not attached to the company’s infrastructure. For example, a German company hired us to identify, collect, process, cull, review and redact within a client’s facility, but still detached from its local infrastructure, thereby preserving data privacy and security.

A similar situation in the U.S. would have found us connecting directly to the company’s infrastructure, performing a targeted collection, and then removing the resulting data for processing outside the facility. With the German company, we removed unprocessed data from their network and loaded it into our appliance. We worked with the IT director to collect the data internally and with the international compliance officer to process and cull information from custodians. Next, the general counsel reviewed and approved the results, which were then encrypted and exported back to the U.S. for review and production.

Our Digital Customs product really differentiates CDS Legal in allowing us to disengage from the company’s systems – we never touch its infrastructure – which adds a substantial layer of security and objectivity to the process. The German client was very happy with the service and the results.

Editor: Should companies consider using e-discovery service providers to help more broadly with litigation readiness and cost control?

Bendel: The right e-discovery expert can provide results-driven solutions that map how to manage risks, reduce costs and build a standard process before a complaint is even filed. Today’s e-discovery strategists delve into detailed process management and actually guide evidence through the review.

They help address real concerns, such as spoliation of potential evidence. After all, courts in all jurisdictions are stepping up with monetary sanctions, adverse inferences and even non-traditional spoliation remedies.

Cost reductions should be the end-goal of all e-discovery, and CDS Legal embraces our role as an enterprise analytics-level partner with our own products and with outside technology providers. It simply isn't enough to apply the technology. You need to know how to marry advanced analytics and process with the specific needs of a case to produce relevant documents most useful to human reviewers. That is something technology cannot do alone.

Smart litigation readiness is the first line of defensibility in enabling the corporation to respond to e-discovery requirements quickly and within the expectations of the courts. Analytics is a game-changing advantage to even the most daunting ESI requests, drastically reducing the number of documents slated for costly manual review – all with a high level of accuracy.

Editor: How can our readers learn more about CDS Legal?

Bendel: I invite your readers to visit our website at http://cdslegal.com, and they are welcome to download our “eDiscovery Best Practices Guide” at http://cdslegal.com/download-form-4/

Please email the interviewee at gbendel@cdslegal.com with questions about this interview.