Much will be written in the coming weeks and months about the eDiscovery and preservation issues in the AMD/Intel case, and the court will ultimately decide the outcome there. However, there are a number of practical issues that have come up in that case, that come up in many cases, and that apply to just about every entity that does business in the US. The following is a discussion of some of those issues.
Two Sides of a Coin - Policy Management and a Repeatable eDiscovery Process
When thinking about eDiscovery it is helpful to think of two sides of a coin. First, how is the "source" information being operationally managed. Where do the emails and files sit, is there control over that content, and are any policies being systematically applied. Second, on the other side of the coin, the question is - what is the process that is used after the subpoena or discovery request hits? The two issues are tightly linked since the better the policy management of the electronically stored information, the more efficient and less risky the eDiscovery process can be. A few observations are as follows:
- When it comes to eDiscovery, proactive is good; reactive is bad. "Proactive" begins NOT when the subpoena is received, but at the time information is created.
There is a need for a repeatable cross functional business process for eDiscovery. That process will almost certainly include "hold notices" that rely on the employee "honor system", but also there will be a need for a "menu" of other collection and preservation methods that leverage the right IT infrastructure to drive out costs (especially intelligent federated search and automated collection) and to drive out risk (with forensically sound data collections, and a collection and preservation repository or "matter vault").
Policy Management
On the policy management side of the equation, the goal is to keep what you need and get rid of the content when it no longer has business or legal value. One of the central questions is - how is classification to be achieved? In an email environment, for example, there is everything from absolute junk to an enterprise's most critical content. How do you sort that out? The first steps are to get control over the information and to get cross functional inputs on what a simplified set of policies should be. Some thoughts and considerations regarding policy management:
- There is a need to have some control over email and unstructured content: (a) to leverage its business value, (b) to de-duplicate it and drive cost out of its management, and (c) to classify it so that it can be policy managed, "defensibly destroyed", and more efficiently discovered and preserved after the subpoena hits.
Proactive information management is critical. You cannot policy
manage a warehouse full of tapes. For most enterprises, there is a
need some combination of archive, index, search and content management
tools and strategies
"Archiving" strategies allow information to be brought into a
central repository to be indexed and policy managed. Alternatively,
there are developing "in place" information management strategies
(Intelligent Information Management) where the information stays where
it is (perhaps on shared drives for example), but its meta data is
mined, brought into a repository, orchestrated, and then policies are
applied back to the information in place.
On the policy setting side, think "big buckets." It is better to
actually set and enforce a 3 year policy (ie really "push the delete
button" after 3 years) then to set a 3 month policy that in fact is
never enforced.
Consider what role if any you want employees to have in the
classification of content. Anticipate how they'll respond and change
management impacts. Consider if you want to have employees act as a
"filter" (merely making keep/don't keep decisions) rather than asking
employees to become records managers (who get involved in tagging and
classification of content).
Email box size limitations and even auto-delete policies, in the absence of some archiving or systematic records management tools, typically lead employees to create "personal archives" (psts, nsfs) on their own desktop hard drives and shared drives. Thousands of psts and nsfs leads to a lack of information sharing, tremendous duplication and therefore no policy management, and costly eDiscovery. Think of it this way - if a document resides on a 1000 desktops, you cannot delete it, but if it is de-duplicated in a central repository, with 1 object having 1000 pointer to it, then it can be deleted. The key is to have a policy you're actually going to be willing to enforce, and not allow the eDiscovery preservation obligations to overwhelm that policy (see below).
When choosing a policy for unstructured files and email, get cross functional inputs. Some may want to delete everything after 30 days, and others may want to save everything forever. Typically, the appropriate policies are somewhere in the middle.
If you choose a short policy, you must have extremely efficient and effective eDiscovery collection and hold processes and capabilities. If you don't, every time a subpoena hits you'll either: (a) take the risk of being held accountable for failure to preserve ("evidence spoliation") or (b) as a practical matter, you'll never actually enforce your "official" policy (nothing will be deleted because no one will be in a position to "push the delete button").
Remember that this is risk management. There are no perfect answers, but the goal is to show that your program is thoughtful, reasonable, aligned with legitimate business objectives such as cost efficient information management, and that the program can be validated.
The eDiscovery Process and theHonor System
In an effort to meet legal "hold" or preservation of evidence responsibilities under the eDiscovery rules, it is standard practice for many companies to issue "hold" notices to employees directing them not to destroy certain categories of information. Is some respects, this is an "honor system" since employees may need to be trusted to follow the direction set forth in the notice. Under what set of circumstances will the "honor system" be enough to meet preservation obligations? Some thoughts and considerations regarding the eDiscovery process:
Establish a cross functional team - Legal needs previously identified contact people in IT and often in Records Management to drive the process.
Train the attorneys, RMs and other staff that as soon as they get notice of a case (a "triggering event" for litigation hold), they must do 2 things: (1) identify the key witnesses and custodians and get them hold notices, and (2) contact the right people in IT to trigger their part of the process (and give direction to IT on the "menu" of choices for preservation - see below).
Maintain an audit trail of the hold notices. This can be manual or automated, but if questioned, you have to be able to prove that you sent the right notices to the right people, that the proper directions were provided, that compliance with the notices was validated, reminders were sent as appropriate, and so on. This is more art than science, but you have to show a reasonable effort (and what that means exactly is still being defined by the courts).
Create a source map or inventory. Don't wait for the subpoena to hit before you figure out (even at a high level) what applications and content types you have, where the information resides and who is responsible for it. There's a lot of judgment that goes into how you create your source map, but you might want to start simply (get a "top down" understanding of your key data sources.) This knowledge, together with technology tools allows more focused collections and holds (rather than the attorneys saying that they don't know where anything is, so everything must be saved).
Remember - prior to a triggering event, there is no eDiscovery legal obligation to preserve content (thus the operational policies, discussed above, are what apply). One key is to have an eDiscovery process and supporting tools that allow a company to continue to apply those operational policies, and not have to suspend them (ie. continue to allow auto-deletes).
From the process side, consider a "menu approach" to litigation
preservation. In some instances the hold notices (honor system) will
be fine. For example, if a customer slips, falls and injures himself,
and 10 employees see it, it probably won't be necessary to collect 10
desktops and conduct forensics on them. That response is not
proportional and therefore not reasonable. On the other hand, if a
company is hit with a huge government investigation, and there's 100
witnesses/custodians, there may be a need to do more than just send
notices. Again, reasonableness should dictate. For example, if 10 of
the 100 witnesses are identified as the most critical, then perhaps in
some cases all of their information should be completely locked down
(mirrored drives, journaled emails etc), for the next 60 witnesses,
perhaps some key word searches across a repository is sufficient, and
for the final 30, just notices are enough.
When unstructured information and email is under management, then
the tools that can be leverage as part of the "menu" are more efficient
and less risky. With federated search, there is the capability of
doing a more automated intelligent focused collections (including by
key words) and achieving preservation at the same time. The idea is
that there are times when companies need to make a copy and collect
relevant content into a secure "matter vault" repository. This allows
the company to continue to policy manage the underlying repositories
because they now have a set of the content locked down for the legal
case. The "delete button" on the operational repository can continue
to be pressed, without the lawyers telling IT "save everything because
we're under investigation."
The key under the new rules is that if you have a good process in place and if you have tools build into your infrastructure, as the producing party, you'll be ready for the early meet and confer, and you can be transparent with the other side about the approach you're taking. If they have a problem with it, then it will have to get resolved by the judge. If not, a lot of uncertainty (which traditionally led to significant over-preservation) has been forced out of the process as a result of the new rules.
- Andrew Cohen
Comments