Managing Risks in Document Preservation and E-Discovery


Published on

A presentation on managing litigation and other risks associated with document retention and destruction.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Managing Risks in Document Preservation and E-Discovery

  1. 1. <ul><li>Managing Risks in Electronic Information Management </li></ul><ul><li>Seth H. Row </li></ul><ul><li>November 4, 2009 </li></ul>
  2. 2. Characteristics of Electronic Data <ul><li>Voluminous </li></ul><ul><li>Fragile </li></ul><ul><li>Unstructured (often) </li></ul>
  3. 3. Electronic data is often ignored… 30% Report that their records management program does not include electronic records 88% Report their organization has a formal records management program Cohasset Associates, 2007 Electronic Records Management Survey, Call for Collaboration, at
  4. 4. Content Types Page  For each type of content, evaluate the degree of control that exists in your organization in managing it – “somewhat” or “very unmanaged”. All respondents (462) Text messages, IM, blogs & wikis are off the corporate radar in 70% of organizations Emails and attachments not much better
  5. 5. Outlook “Archive” Page  Which of the following would best describe standard practice in your organization for dealing with &quot;important&quot; emails? All >10 emps (857)
  6. 6. Record Preservation Systems Cohasset Associates, 2007 Electronic Records Management Survey, Call for Collaboration, at
  7. 7. Emails - recorded, complete, and retrievable? Page  How confident are you that emails related to documenting commitments and obligations made by you and your staff are recorded, complete , and retrievable ? “ Slightly” or “ Not Confident” 56% have little or no confidence in their emails.
  8. 8. More Statistics <ul><li>60% of electronic documents are transmitted as attachments to email </li></ul><ul><li>60% of documents stored by a company are not needed (ARMA) </li></ul><ul><li>Records grow 30% - 60% each year (ARMA) </li></ul>
  9. 9. Email Policies Page  Does your organization address any of the following through formal policies, guidance, or (partial) automation? All >10 emps (857) Basic records management policies missing
  10. 10. Make your boss happy… <ul><li>61.7% of corporate counsel are dissatisfied with their current corporate records retention policies </li></ul>Jordan Lawrence Group, LLC, Survey of Corporate Records Practices 2006 at _Report_Final.pdf
  11. 11. Electronic Records: The Need for Balance Business/ legal needs Cost of collection/ review/storage
  12. 12. Risks/Costs Of “Too Much” Data <ul><li>burden of preserving </li></ul><ul><li>cost of retrieval </li></ul><ul><li>cost of review </li></ul><ul><li>risk of producing confidential/ </li></ul><ul><li>proprietary business records </li></ul>
  13. 13. Legal Discovery Page  How long would it take to produce all of the organizational information related to a former customer or constituent? All respondents (468) 18% had been exposed to a legal challenge in the last 12 months and a further 15% in the last 3 years – a 1 in 3 chance 28% would take more than a month
  14. 14. Cost of Review in Litigation… 6.26 g = 110 boxes @ 5 hrs per box = 550 hours 550 hours @$200/hour = $110,000
  15. 15. Most electronic information is junk… <ul><li>Haystack </li></ul><ul><li>Search term: “shred!” </li></ul><ul><li>Results: </li></ul><ul><ul><li>“ Dude, I was totally shredding on my snow board over the weekend on the mountain.” </li></ul></ul><ul><ul><li>“ Add one cup shredded cabbage.” </li></ul></ul><ul><ul><li>“ Are you sure you want me to shred those documents about…”? </li></ul></ul>
  16. 16. Humor Break <ul><li>“ I am not in the office at the moment. Please send any work to be translated.&quot; </li></ul>
  17. 17. <ul><li>Designing Records Management Policies to Lower Risk </li></ul>
  18. 18. Conceptual… <ul><li>Record vs. Information </li></ul>A Record has Enduring Value Information does not <ul><li>Legal </li></ul><ul><li>Fiscal </li></ul><ul><li>Operational </li></ul><ul><li>Historical </li></ul>
  19. 19. Information Lifecycle Management Create Retain Hold Dispose
  20. 20. No Accountability No Incentive No Commitment From C Level No Common Sense Categories No Inventory No Team No Knowledge Common Red Flags
  21. 21. The Dream Team <ul><li>Directors, officers, and managers </li></ul><ul><li>Audit committee members </li></ul><ul><li>Records management </li></ul><ul><li>IT and Information Security Personnel </li></ul><ul><li>HR </li></ul><ul><li>Lawyers </li></ul>
  22. 22. Sedona Conference Guidelines <ul><li>“ Information should be retained as long as it has value to an organization, or its required by law or regulation to be retained.” </li></ul>
  23. 23. Know the Law on Retention Periods <ul><li>Increasingly regulations, statutes and practices focus on electronic data </li></ul><ul><li>Example: 17 CFR 240.17a-4; 36 CFR 1234 </li></ul><ul><li>New requirements, such as the FTC “red flag” rules, are going to be created every year </li></ul><ul><li>A regularly updated retention schedule is therefore essential </li></ul>
  24. 24. Focus on email retention… <ul><li>60% do not have email archiving system; 15% do not have plans to deploy one </li></ul><ul><li>39% had been ordered by a court or regulatory body to produce employee email in past year </li></ul><ul><li>66% had been ordered to produce employee email at some point – and an even higher percentage had used archived email to support position in litigation </li></ul><ul><li>Storage requirements for email growing faster than email use itself </li></ul>
  25. 25. Email Retention Concepts <ul><li>Not a record category - just a messaging system </li></ul><ul><li>Content varies – critical to junk </li></ul><ul><li>Duplication a huge problem </li></ul><ul><li>60% of electronic documents are transmitted as attachments </li></ul><ul><li>Searching across content + attachments nearly impossible </li></ul><ul><li>Archive versus disaster recovery </li></ul>
  26. 26. Email Retention Strategies <ul><li>User mailbox size limitations (“quotas”) </li></ul><ul><ul><li>Advantage: user given warning before deletion </li></ul></ul><ul><ul><li>Problem: one size does not fit all </li></ul></ul><ul><li>Automatic deletion of messages/files </li></ul><ul><ul><li>Time-based limitation on retention of email </li></ul></ul><ul><ul><li>Encourages allocation to permanent storage </li></ul></ul><ul><li>Extended storage options </li></ul><ul><ul><li>Tiered storage </li></ul></ul><ul><ul><li>Business unit-specific retention needs </li></ul></ul><ul><li>Ban on local storage </li></ul>
  27. 27. Social Media <ul><li>Creation of records relevant to discovery requests, but outside of normal records retention policies/practices – may even reside on company devices </li></ul><ul><li>Inadvertent destruction </li></ul><ul><li>Disclosure of customer/patient information </li></ul>
  28. 28. Legal implications… <ul><li>Are there regulatory obligations? (FINRA, SEC, etc.) </li></ul><ul><li>At-will employment impactRecent federal court cases, litigants used information on LinkedIn to support their case. </li></ul><ul><li>Who is allowed to give &quot;recommendations?&quot; </li></ul>
  29. 29. Social Media Policies <ul><li>NOT Performance Policy </li></ul><ul><li>Don't confuse a social media policy with HR policies regarding performance issues and how people spend their time </li></ul><ul><li>Policy should treat employees and partners like the adult professionals they are. </li></ul>
  30. 30. Policy Spectrum <ul><li>Live in denial </li></ul><ul><li>Ban access to social network sites (for technical reasons? HR performance reasons?) </li></ul><ul><li>Tolerate (with or without defined parameters) </li></ul><ul><li>Embrace social networking (e.g., for marketing efforts)Training for employees on best practices </li></ul><ul><li>Official firm pages on social networks </li></ul><ul><li>Designate &quot;official&quot; bloggers/contributors </li></ul>
  31. 31. Samples… <ul><li>Enterprise: List of 40 Social Media Staff Guidelines </li></ul><ul><li>• Social Media Policy Examples (including Harvard Law School; Gartner; U.S. Navy; U.S. Air Force; Intel; IBM; Cisco and more) </li></ul>
  32. 32. <ul><li>Implementing and Monitoring a Litigation Hold </li></ul>
  33. 33. Jordan Lawrence Group, LLC. Survey of Corporate Records Practices 2006 at Only 20% of Corporate Counsel Can Efficiently Identify the Owners of the Relevant Records and Tailor the Notice to Preserve Those Key Players Design of litigation holds
  34. 34. Less than 50% of corporate counsel reported an ability to issue a litigation hold accurately or identify specific record types subject to a hold. Jordan Lawrence Group, LLC. Survey of Corporate Records Practices 2006 at
  35. 35. Litigation Holds: Timing is Everything <ul><li>Compare “litigation is reasonably foreseeable” </li></ul><ul><li>To “path to litigation was neither clear nor immediate” </li></ul>Hynix Semiconductor Inc. v. Rambus, Inc., 2006 WL 565893, at *21 (N.D. Cal. 2006)
  36. 36. Litigation Hold Policy and Procedures <ul><li>What does “reasonably anticipate litigation” mean? </li></ul><ul><li>Who’s in charge? </li></ul><ul><li>Who’s involved? </li></ul><ul><li>What kind of notice and how often? </li></ul><ul><li>What has to be preserved? </li></ul><ul><li>How do I preserve? </li></ul><ul><li>Verify </li></ul><ul><li>Document </li></ul><ul><li>Terminate </li></ul>
  37. 37. Successfully Implementing a Hold <ul><li>Chain of command </li></ul><ul><li>Clear communication </li></ul><ul><li>Team approach </li></ul><ul><li>Documentation </li></ul><ul><li>Follow up </li></ul><ul><li>Understanding role of litigation counsel </li></ul>
  38. 38. <ul><li>Encouraging Compliance With Records Retention Policy </li></ul>
  39. 39. Compliance: Following Records Retention Schedule 20% Report Their Organization Does “Not Regularly” Follow the Retention Schedule 16% Report Their Organization Only Follows the Retention Schedule “When Time Permits” Cohosset Associates, 2007 Electronic Records Management Survey, Call for Collaboration, at
  40. 40. Less than 50% of the Time Records Are Routinely Disposed Of In Accordance With Policy’s Retention Schedule Compliance rates for specific record types: Jordan Lawrence Group, LLC. Survey of Corporate Records Practices 2006 at hhtp://
  41. 41. Understanding of “C-Level” Employees Don’t Understand 14% Marginally Understand 57% Don’t Understand 14% Marginally Understand 58% Relationship Between Good Records Management and Good Governance Relationship Between Good Records Management and Risk Mitigation Cohasset Associates, 2007 Electronic Records Management Survey, Call for Collaboration, at
  42. 42. <ul><li>What Should I Do? </li></ul>
  43. 43. Addressing Poor Compliance <ul><li>The perfect is the enemy of the good </li></ul><ul><li>Use risk and profit/loss management to prioritize retention efforts – “top down” </li></ul><ul><li>Don’t “boil the ocean” </li></ul><ul><li>Assess impact on employees – “workshop” the policy </li></ul><ul><li>“ Big buckets” and “little buckets” </li></ul><ul><li>Simplify </li></ul><ul><li>Ask questions </li></ul>
  44. 44. Educate, Inspire, Reward <ul><li>Employee Handbook </li></ul><ul><li>Intranet </li></ul><ul><li>Lunchroom </li></ul><ul><li>Testing </li></ul><ul><li>Bonuses </li></ul><ul><li>Performance Reviews </li></ul><ul><li>Standing Committee </li></ul><ul><li>Audit </li></ul>
  45. 45. Records Management Software <ul><li>Open Text </li></ul><ul><li>IBM/Filenet </li></ul><ul><li>EMC Corporation/Documentation </li></ul><ul><li>Interwoven </li></ul><ul><li>Hyperwave </li></ul><ul><li>ZyLab </li></ul><ul><li>Accutrac </li></ul>
  46. 47. Electronic Records: The Need for Balance Business/ legal needs Cost of collection/ review/storage
  47. 48. Safe Harbor - Good Purging v Bad Purging <ul><li>Federal Rule 37(f) </li></ul><ul><li>Properly designed and enforced policy </li></ul><ul><li>Business realities </li></ul><ul><ul><li>Demonstrate balance between “IT ROI” and “Legal ROI” </li></ul></ul><ul><li>Obedience to statutory obligations </li></ul><ul><li>Preservation trigger point </li></ul>
  48. 49. Collecting and Using Electronic Data in Litigation <ul><li>Drag & drop </li></ul><ul><li>Active data collection </li></ul><ul><li>Forensic </li></ul><ul><li>Data restoration </li></ul><ul><li>Protecting confidential data </li></ul>
  49. 50. Early Case Assessment <ul><li>Insert slide from desktop </li></ul>
  50. 51. Efficient Searching For ESI <ul><li>Document preservation policy “data mapping” process will assist in understanding where ESI should be located </li></ul><ul><li>Collection from data sources - active data extraction v mirror imaging of entire source </li></ul><ul><li>Search terms: key personnel, date ranges, terminology, concepts </li></ul><ul><li>Sampling - McPeek v. Ashcroft, 202 F.R.D. 31 (D.D.C. 2001). </li></ul>
  51. 52. Litigation Readiness Assessments and Audits <ul><li>Employment policies & agreements </li></ul><ul><li>Policies and procedures for creation & use of systems </li></ul><ul><li>Document retention policies </li></ul><ul><li>Enforcement and implementation </li></ul><ul><li>Cost control, privacy, trade secrets protection </li></ul>
  52. 53. Theft of trade secrets: increasingly electronic
  53. 54. The Min Case <ul><li>Gary Min, research chemist at DuPont </li></ul><ul><li>Before leaving for a competitor in China, Min downloaded to storage devices technology with an FMV of over $400 million </li></ul><ul><li>DuPont later discovers through network-use monitoring </li></ul><ul><li>FBI searches home; new employer seizes laptop </li></ul><ul><li>10 year sentence + fine </li></ul>
  54. 55. <ul><li>Insert pdf of indictment </li></ul>
  55. 57. Effective Protection of Electronic Business Assets <ul><li>Policies: identify what is “trade secret” and what is confidential information – overbroad definitions risk dilution of protection </li></ul><ul><li>Practices: take “reasonable efforts” to protect your assets </li></ul><ul><ul><li>Physical security </li></ul></ul><ul><ul><li>Computing security </li></ul></ul><ul><ul><li>Information security </li></ul></ul><ul><ul><li>Employee security </li></ul></ul><ul><ul><li>Delivery chain security </li></ul></ul>
  56. 58. Protecting Trade Secrets with Restrictive Covenants <ul><li>Restrictive covenant agreement (nondisclosure, nonsolicitation, noncompete): </li></ul><ul><ul><li>Provides contractual protection for trade secret. </li></ul></ul><ul><ul><li>Provides additional remedy and an ability to sue new employer in tort if it interferes with agreement. </li></ul></ul><ul><ul><li>Educates employee on her or her obligations as to protect trade secrets. </li></ul></ul><ul><li>Severity of restrictive covenant depends on importance of employee and their exposure to and knowledge of trade secrets. </li></ul>
  57. 60. Thanks! <ul><li>Seth H. Row </li></ul><ul><li>[email_address] </li></ul>