managing risks in document preservation and e-discovery
DESCRIPTION
A presentation on managing litigation and other risks associated with document retention and destruction.TRANSCRIPT
Managing Risks in Electronic Information Management
Seth H. RowNovember 4, 2009
Characteristics of Electronic Data
• Voluminous• Fragile• Unstructured (often)
Electronic data is often ignored…
m
s
30% Report that their records management program does not include electronic records
88% Report their organization has a formal records management program Cohasset Associates, 2007 Electronic Records Management Survey, Call for Collaboration, at www.merresource.com
Content Types
Page 4
For each type of content, evaluate the degree of control that exists in your organization in managing it – “somewhat” or “very
unmanaged”.
All respondents (462)
Text messages, IM, blogs & wikis
are off the corporate
radar in 70% of
organizationsEmails and
attachments not much
better
Page 5
Which of the following would best describe standard practice in your organization for dealing with "important" emails?
Outlook “Archive”
All >10 emps (857)
Record Preservation Systems
39%44%
Fair 21%
Marginal 18%
0
100
No RecordPreservation
(Litigation Hold)System
Record Preservation(Litigation Hold)System Without
Electronic Records
Effectiveness
Cohasset Associates, 2007 Electronic Records Management Survey, Call for Collaboration, at www.merresource.com
Emails - recorded, complete, and retrievable?
Page 7
How confident are you that emails related to documenting commitments and obligations made by you and your staff are recorded, complete, and
retrievable?
“Slightly” or “Not Confident”
56% have little or no
confidence in their emails.
More Statistics
• 60% of electronic documents are transmitted as attachments to email
• 60% of documents stored by a company are not needed (ARMA)
• Records grow 30% - 60% each year (ARMA)
Page 9
Does your organization address any of the following through formal policies, guidance, or (partial) automation?
Email Policies
All >10 emps (857)
Basic records
management policies missing
Make your boss happy…
61.7% of corporate counsel are dissatisfied with their current corporate records retention
policies
Jordan Lawrence Group, LLC, Survey of Corporate Records Practices 2006 at http://webcasts.acca.com/handouts/ACC_Survey _Report_Final.pdf
Electronic Records: The Need for Balance
Business/legal needs Cost of collection/
review/storage
Risks/Costs Of “Too Much” Data• burden of preserving
• cost of retrieval
• cost of review
• risk of producing confidential/proprietary business records
Page 13
How long would it take to produce all of the organizational information related to a former customer or constituent?
Legal Discovery
All respondents (468)
28% would take more than a
month
18% had been exposed to a
legal challenge in the last 12 months and a further 15% in
the last 3 years – a 1 in 3 chance
Cost of Review in Litigation…
6.26 g = 110 boxes @ 5 hrs per box = 550 hours 550 hours @$200/hour = $110,000
Most electronic information is junk…
• Haystack• Search term: “shred!”• Results:
– “Dude, I was totally shredding on my snow board over the weekend on the mountain.”
– “Add one cup shredded cabbage.”– “Are you sure you want me to shred those
documents about…”?
Humor Break
“I am not in the office at the moment. Please send any work to be translated."
Designing Records Management Policies to Lower Risk
Conceptual…
Record vs. Information
A Record has Enduring
Value
Information does not
LegalFiscalOperationalHistorical
Information Lifecycle Management
Create
Retain
Hold
Dispose
NoAccountability
No Incentive
No Commitment
From C Level
No Common Sense
Categories
No Inventory
No Team
No Knowledge
Common Red Flags
The Dream Team Directors, officers, and managers Audit committee members Records management IT and Information Security Personnel HR Lawyers
Sedona Conference Guidelines
“Information should be retained as long as it has value to an organization, or its required by law or regulation to be retained.”
Know the Law on Retention Periods
• Increasingly regulations, statutes and practices focus on electronic data
• Example: 17 CFR 240.17a-4; 36 CFR 1234• New requirements, such as the FTC “red flag”
rules, are going to be created every year• A regularly updated retention schedule is
therefore essential
Focus on email retention…
• 60% do not have email archiving system; 15% do not have plans to deploy one
• 39% had been ordered by a court or regulatory body to produce employee email in past year
• 66% had been ordered to produce employee email at some point – and an even higher percentage had used archived email to support position in litigation
• Storage requirements for email growing faster than email use itself
Email Retention Concepts
• Not a record category - just a messaging system• Content varies – critical to junk• Duplication a huge problem• 60% of electronic documents are transmitted
as attachments• Searching across content + attachments nearly
impossible• Archive versus disaster recovery
Email Retention Strategies• User mailbox size limitations (“quotas”)
– Advantage: user given warning before deletion– Problem: one size does not fit all
• Automatic deletion of messages/files– Time-based limitation on retention of email– Encourages allocation to permanent storage
• Extended storage options– Tiered storage– Business unit-specific retention needs
• Ban on local storage
Social Media
• Creation of records relevant to discovery requests, but outside of normal records retention policies/practices – may even reside on company devices
• Inadvertent destruction• Disclosure of customer/patient information
Legal implications…
• Are there regulatory obligations? (FINRA, SEC, etc.) http://www.compliancebuilding.com/2009/06/26/twitter-and-compliance/
• At-will employment impactRecent federal court cases, litigants used information on LinkedIn to support their case.
• Who is allowed to give "recommendations?"
Social Media Policies
NOT Performance Policy• Don't confuse a social media policy with HR
policies regarding performance issues and how people spend their time
• Policy should treat employees and partners like the adult professionals they are.
Policy Spectrum
• Live in denial• Ban access to social network sites (for
technical reasons? HR performance reasons?) • Tolerate (with or without defined parameters)• Embrace social networking (e.g., for marketing
efforts)Training for employees on best practices
• Official firm pages on social networks• Designate "official" bloggers/contributors
Samples…
• Enterprise: List of 40 Social Media Staff Guidelines http://laurelpapworth.com/enterprise-list-of-40-social-media-staff-guidelines/
• •Social Media Policy Examples (including Harvard Law School; Gartner; U.S. Navy; U.S. Air Force; Intel; IBM; Cisco and more)http://123socialmedia.com/2009/01/23/social-media-policy-examples/
Implementing and Monitoring a Litigation Hold
Only 20% of Corporate Counsel Can Efficiently I dentify the Owners of the Releveant Records and Tailor the Notice to Preserve Those Key Players
Jordan Lawrence Group, LLC. Survey of Corporate Records Practices 2006 at http://webcasts.acca.com/handouts/ACC_Survey_Report_Final.pdf
Only 20% of Corporate Counsel Can Efficiently Identify the Owners of the Relevant Records and Tailor the Notice to Preserve Those Key Players
Design of litigation holds
.
Less than 50% of corporate counsel reported an ability to issue a litigation hold accurately or identify specific record types subject to a hold.
Jordan Lawrence Group, LLC. Survey of Corporate Records Practices 2006 at http://webcasts.acca.com/handouts/ACC_Survey_Report_Final.pdf
Litigation Holds:Timing is Everything
Compare “litigation is reasonably foreseeable” To “path to litigation was neither clear nor
immediate”
Hynix Semiconductor Inc. v. Rambus, Inc., 2006 WL 565893, at *21 (N.D. Cal. 2006)
Litigation Hold Policy and Procedures
What does “reasonably anticipate litigation” mean? Who’s in charge? Who’s involved? What kind of notice and how often? What has to be preserved? How do I preserve? Verify Document Terminate
Successfully Implementing a Hold
• Chain of command• Clear communication• Team approach• Documentation• Follow up• Understanding role of litigation counsel
Encouraging Compliance With Records Retention Policy
Compliance:Following Records Retention Schedule
0%
10%
20%
20% Report Their Organization Does “Not Regularly” Follow the Retention Schedule
16% Report Their Organization Only Follows the Retention Schedule “When Time Permits”
Cohosset Associates, 2007 Electronic Records Management Survey, Call for Collaboration, at www.merresource.com
Less than 50% of the Time Records Are Routinely Disposed Of In Accordance With Policy’s Retention Schedule
0%
10%
20%
30%
40%
50%
40%OnsitePaper
31%Email
28%OffsitePaper
20%Digital
Images
22%Electronic
46%Archival
Tape
Compliance rates for specific record types:
Jordan Lawrence Group, LLC. Survey of Corporate Records Practices 2006 at hhtp://webcasts.acca.com/handouts/ACC_Survey_Report_Final.pdf
Understanding of “C-Level” Employees
0 50 100
Don’t Understand 14%
Marginally Understand 57%
0 50 100
Don’t Understand 14%
Marginally Understand 58%
Relationship Between Good Records Management and Good Governance
Relationship Between Good Records Management and Risk Mitigation
Cohasset Associates, 2007 Electronic Records Management Survey, Call for Collaboration, at www.merresource.com
What Should I Do?
Addressing Poor Compliance
• The perfect is the enemy of the good• Use risk and profit/loss management to
prioritize retention efforts – “top down”• Don’t “boil the ocean”• Assess impact on employees – “workshop” the
policy• “Big buckets” and “little buckets”• Simplify• Ask questions
Educate, Inspire, Reward
Employee Handbook Intranet Lunchroom Testing
Bonuses
Performance Reviews
Standing Committee
Audit
Records Management Software
Open Text IBM/Filenet EMC Corporation/Documentation Interwoven Hyperwave ZyLab Accutrac
Electronic Records: The Need for Balance
Business/legal needs
Cost of collection/review/storage
Safe Harbor - Good Purging v Bad Purging
• Federal Rule 37(f)• Properly designed and enforced policy• Business realities
– Demonstrate balance between “IT ROI” and “Legal ROI”
• Obedience to statutory obligations• Preservation trigger point
Collecting and Using Electronic Data in Litigation
• Drag & drop• Active data collection• Forensic• Data restoration• Protecting confidential data
Early Case Assessment
• Insert slide from desktop
Efficient Searching For ESI
• Document preservation policy “data mapping” process will assist in understanding where ESI should be located
• Collection from data sources - active data extraction v mirror imaging of entire source
• Search terms: key personnel, date ranges, terminology, concepts
• Sampling - McPeek v. Ashcroft, 202 F.R.D. 31 (D.D.C. 2001).
Litigation Readiness Assessments and Audits
• Employment policies & agreements• Policies and procedures for creation & use of
systems• Document retention policies• Enforcement and implementation• Cost control, privacy, trade secrets protection
Theft of trade secrets: increasingly electronic
The Min Case
• Gary Min, research chemist at DuPont• Before leaving for a competitor in China, Min
downloaded to storage devices technology with an FMV of over $400 million
• DuPont later discovers through network-use monitoring
• FBI searches home; new employer seizes laptop
• 10 year sentence + fine
• Insert pdf of indictment
Effective Protection of Electronic Business Assets
• Policies: identify what is “trade secret” and what is confidential information – overbroad definitions risk dilution of protection
• Practices: take “reasonable efforts” to protect your assets– Physical security– Computing security– Information security– Employee security– Delivery chain security
Protecting Trade Secrets with Restrictive Covenants
• Restrictive covenant agreement (nondisclosure, nonsolicitation, noncompete):– Provides contractual protection for trade secret.– Provides additional remedy and an ability to sue new
employer in tort if it interferes with agreement.– Educates employee on her or her obligations as to
protect trade secrets.• Severity of restrictive covenant depends on importance
of employee and their exposure to and knowledge of trade secrets.