Six Critical Steps To Managing Electronically Stored Information Under FRCP

Tuesday, April 1, 2008 - 01:00

Mark P. Diamond

Contoural, Inc.

Litigation always, has been, and will continue to be, a reality of doing business. What is changing, however, is discovery and its focus on electronically stored information (often abbreviated ESI). Recent amendments to the Federal Rules of Civil Procedure concerning the discovery of ESI coupled with the explosive growth of electronically stored documents are exposing organizations to new risks and costs during litigation and the subsequent discovery.

Under these new constraints, organizations need to be aware of these changes, and take specific steps to become litigation ready. Becoming litigation ready is about knowing what ESI you have, where you have it, and how readily you can access it. Retention policies should define defensible data expiration processes, and litigation hold procedures should enable quick and effective preservation of evidence. The best way to manage discovery is to prepare for it before litigation occurs.

Step 1: Create An ESI Survey Data Map

Perhaps the greatest impact of the FRCP on discovery of ESI is the accelerated timeline for the Rule 26(f) "Meet and Confer" process. Within 99 days of a suit being filed, parties are required to meet and disclose any issues relating to disclosure or discovery of ESI, including form of production, preservation, and privilege/protection issues. Considering that often times both inside and outside counsel need to review this information to prepare their strategy, under the new rules, organizations often in reality have only days to weeks to search and retrieve relevant electronic information.

If companies wait until discovery is upon them to start understanding what ESI they have, they run the risk of not locating all relevant information in time. Perhaps more damaging, those who cannot detail what information they have or detail where they have it, or list whether this information may be considered non-accessible, may be forced to search everywhere for relevant information and face an expanded scope of discovery - an expensive and difficult result. In the words of one litigator: "How I come to the Meet and Confer sets the tone for the rest of the trial. If I really know what I have, and where, it sends a strong message to the other side. Likewise, if we aren't as prepared as we should be, that communicates weakness on our part."

The best preparation should occur before litigation, in creating an ESI Survey Data Map. This is a general enterprise-wide data "map" that lists the types and locations of data across an organization. Often thought of as a "map of the forest" it provides a high-level description of type of documents. This data map is a general, non-case specific tool, to enable litigation readiness. Organizations should create such a data map as a general practice, and it should be kept up to date.

Step 2: Update Your Records Retention And Deletion Policy-And Then Execute It

Most companies already have document retention policies in place, but most of these policies are out of date due to a number of factors. First, most document retention policies are focused mainly on paper-based documents, not electronic documents. They were developed around best practices that were in effect at a time when paper was the primary communication and recordkeeping medium. According to a recent study from UC Berkeley, more than 96% of all information in an enterprise is in digital format, and even 70% of all paper documents are copies of electronic documents. These existing policies do not reflect the "far flung" and multiple-copy nature of email, for example. This lack of clarity can be (and is) exploited by the opposing party as evidence of a lack of good-faith preservation efforts. Equally important, they don't set clear guidelines for deleting older documents that are no longer needed (and that are not subject to preservation under litigation).

Perhaps worse than an outdated document retention policy - or even no policy - is a policy that is inconsistent or not followed. A typical example of this is a policy that calls for the immediate deletion of all expired documents, while some users still save or print documents. When an opponent during litigation can show that the policy was not followed, this can be used as justification for significantly expanding discovery or to imply that the inconsistent implementation of the policy was due to the company having information to hide. Such an interpretation may be false, but it can play well during litigation.

Step 3: Effective Litigation Hold And Discovery Processes

The duty to save relevant data starts when notice is received or when a lawsuit could be "reasonably anticipated." The courts have ruled that duty to preserve documents relevant to litigation begins when companies "knew or should have known" that they were entering litigation. (See box below.) As soon as they enter or have a reasonable belief they will enter litigation, companies should enact a litigation hold, ensuring that all documents relevant to the litigation will be preserved. Legal departments will expect their IT organizations to be able to preserve electronic documents effectively, and be able to locate and retrieve documents quickly.

Step 4: Delete Documents ThatThe Business Does Not Need

Electronic documents tend to accumulate over time. People tend to save their e-mail, files and other ESI without ever deleting them, representing a de facto "save everything forever" retention strategy. Furthermore, ESI often survives simple attempts to delete it. Users will go to great lengths to save their e-mail from thirty-day deletion policies, for example. This accumulation of ESI can be problematic when it comes to discovery. Moreover, the sheer volume of accumulated documents represents a significant expense, as the cost of reviewing these documents for production (even with appropriate sampling, as permitted under FRCP) can be burdensome.

Therefore companies are advised as part of their records and information management strategy to include provisions for policy-based document expiration. Some guidelines for deletion include:

• Create a consensus with users that documents are no longer needed for business purposes, before targeting them for deletion.

• Automate deletion processes where practical and appropriate

• Avoid extremely short retention periods for e-mail. This often has the unintended consequence of driving "underground archiving."

• Keep a log of what you delete and when. This of course should agree with your policy.

Good ESI management is a balance between saving and deleting. The challenge is finding and maintaining that balance in your organization.

Step 5: Designate And Prepare A Rule 30(b)(6) Witness

As part of the "Meet and Confer" proceedings, organizations need to be prepared to answer specific questions about their data. For ESI, organizations are encouraged to designate and prepare a specific individual who will be able to testify about the ESI produced during the discovery.

Companies should identify their designated witnesses well before litigation strikes. This can be someone in IT or a business unit that understands the data, but it is important that he or she be well versed in the IT infrastructure and the applications that create and manage information. The best Rule30(b)(6) witness is one who is dispassionate and reasoned while still well informed. Many organizations are reaching out to independent vendors, as they are likely to be viewed as objective and present a credible witness.

Step 6: Audit Your Process and Periodically Refresh Your Policy

Even the best designed policy, litigation hold and data destruction processes may become out-of-date. New applications are launched, old applications are retired, new storage is deployed, users move around, etc. Furthermore, regulations change as does the e-discovery landscape. Companies are encouraged to periodically review and audit their policies and processes.

An audit should validate that the policy or process is being consistently followed and implemented. A refresh or review should verify that the policy or process addresses the current legal and business requirements. Organizations are encouraged to keep records of these tests to demonstrate reasonable efforts. The key here is to know you are doing what your policy says you are doing, and to make sure the policy and processes are up to date with legal and other business drivers.

A note of caution is in order. Sometimes companies wait to develop the perfect policy or discovery process. Policies and processes are inherently imperfect. Quite frankly, the courts and regulators do not expect perfection. Instead, they expect reasonable efforts. Create a policy and publish it; follow the policy; and show you have been following the policy. This risk is that organizations wait to deploy policies or processes until they are perfect or near-perfect. While waiting, companies may operate without effective controls, and put themselves at risk. The unpredictability of litigation has caught many companies who were evaluating their policies and were on the verge of being litigation ready - but weren't actually ready. Companies are better off deploying a good policy and process today, and improving it over time, instead of waiting for the perfect policy that will never come.

Final Thought - The Litigation-Ready Organization

Nothing can completely prepare an organization for litigation, but the six steps outlined above can reduce the time and energy required to respond when legal issues arise. This understanding of e-discovery - and the establishment of policies and processes for records retention and litigation hold - will reap enormous benefits, but additional steps can be taken to further prepare for litigation. Most businesses have vast quantities of outdated and superfluous electronic documents that can be removed over time, reducing the volume of data subject to search and discovery. Employees that will be expected to testify to the organization's handling of electronic records can be designated and trained for this role. Processes and policies should also be audited and revisited to ensure that they are kept up to date.

Mark P. Diamond is President and CEO of Contoural, Inc., a leading independent provider of business and technology consulting services focused on litigation readiness, compliance, information and records management, and data storage strategy.

Please email the author at markdiamond@coutoural.com with questions about this article.