E-Discovery: How to Understand, and Meet, This Legal Challenge

Thursday, 24 April 2008 18:22

By Matt Winstanley

Electronic discovery is no longer just a concept. E-discovery is fast becoming a critical, legal challenge.

The number of requests for production, or discovery, has been increasing for years. Electronic records have been getting more attention as all industries become more reliant on electronic records and electronic communication (which is now designated an electronic record).

Attention has been increasing also as the rules on these electronic communications expand. For example, rules on e-mails designated as public records specify a record is comprised of more than the text within the e-mail. The format, editing history, forwarding history and other metadata are all considered part of that electronic record and must be accounted for.

Indeed, electronic records alone are not the only fair game for legal e-discovery. Everything your company creates is, for legal purposes, "discoverable." Photos, instant messages, voice-mail messages, documents (all versions, hard copy and electronic, no matter who edited them and when) and e-mail--regardless of how trivial--are considered "enterprise content" and must all be presentable in an e-discovery process.
There is no getting around an e-discovery process. It is in your best interests to address e-discovery needs sooner rather than later. Compliance is now law. And the consequences for not complying--for not being prepared in an e-discovery situation--can be devastating.

Understanding e-Discovery: Defining Our Terms

The first step to understanding the e-Discovery process is to define our terms.
E-discovery is the legal process in U.S. law through which attorneys obtain information in electronic form in response to litigation or regulatory action. The e-discovery process involves full disclosure of all electronic information that relates to the matter at hand. As mentioned above, that electronic information includes everything from ordinary office documents to e-mails to Web sites to voice-mail messages to employee cell-phone records and instant messages.
That also means every mobile device--every notebook PC, BlackBerry, PDA, cell phone, thumb drive, and flash memory card--is considered a repository of discoverable data.

Meeting e-Discovery Demands: Policies and Products

How do CIOs and IT staffers meet the challenge of an e-discovery request? Essentially, in three steps: Assess, plan, and implement. Within each of these steps, you will need to address the question of policies and products.

Step One: Assessment
The first step toward meeting the e-discovery challenge is to assess your current status. What's in place now? What types of policies and/or products are you currently using to store and/or retrieve electronic content?

  • Do you currently have an organizational repository where all information is stored, or do you have a distributed system where content resides on users' devices and drives, or a myriad of stovepipe systems?
  • What information resides on your Web site and Intranet?
  • Is your information saved in its native format with appropriate metadata as the federal rules mandate?
  • Do you need to search your workers' cell phones, PDAs and thumb drives?

Next, ask yourself: What would be required in order to be responsive to e-discovery directives? This is a much bigger question than it seems.
This second question, in particular, is often best answered through an active committee or group designed specifically to take charge in preparing you for e-discovery. Every company may have different functional groups contributing to this assessment, but legal, information technology, domain experts, document and records managers and risk management personnel should participate. Ideally, this group would exist as a permanent entity that continuously directs ongoing technology projects to assure continuing compliance.

Step Two, Part One: Planning Policies
Once you have assessed what needs to be done, the next step is creating organization-wide policies that begin to control content.

Your electronic content policies derive from your company's business rules, so the business process owners must be a part of the policy creation. Two key components that must be governed through an electronic content policy are creation and retention/deletion.

  • Content creation: The most basic way to identify and track electronic information from its inception is through metadata. Metadata are "tags" that include the essential information about a file--its title, creator, date of creation, relation to other files, etc.--that enables its rapid and accurate identification. Metadata are also the primary means for establishing the authenticity of documents. Therefore, policies must define how metadata will be created, accessed, and stored.
  • Content retention/deletion: This can be an exceptionally complex issue, depending on the document and how it is being used. Essential questions include the following: How long is content kept before being destroyed, and why? At destruction, should you retain electronic or hard-copy backups?

To elaborate on the second point, understand that a particular piece of information can have different retention schedules depending on how it is used.

For example, I recall working with one organization in which a purchase order would have multiple uses. As a file in the ordering system, it could be destroyed after two years. As an organization record, it had a shelf life of seven years. But because the product with which it was associated had a long lifecycle, the purchase order had to be retained for that lifecycle plus 20 years.

As a paper document, it might be copied and placed in three different cabinets. My solution was a single electronic copy, with a pointer linking from several systems. When the retention schedule for each use came up, the link would be destroyed, but not the content.

Step Two, Part Two: Planning Products
An equally important part of planning is deciding what products and/or services you need to put in place to ensure policies are consistently and strictly enforced.

Particularly in an e-Discovery situation, the architecture of your system can greatly enhance your ability to respond to e-discovery. If files can be copied and forwarded ad nauseum throughout the company, then you risk exponential growth of discoverable versions. You've lost control.

Your overarching goal is to stay in control of an adversarial e-discovery gambit by being able to prove content exists or was destroyed according to a verifiable policy. And if it exists and is subject to discovery, you must be able to produce it in a format acceptable to the plaintiff and to the court. Again, we're not just talking about electronic records--we're talking about all electronic content.

Essentially, you need a tool to manage e-content with discovery in mind. The most comprehensive tools will greatly assist your records management, even as they extend your policy control to all content.

Product Options
Many companies find that implementing an enterprise content management (ECM) system is a viable and relatively painless method for achieving e-discovery compliance goals. ECM is defined as "the technologies, tools, and methods used to capture, manage, store, preserve and deliver content across an enterprise," according to the ECM Association AIIM.

ECM systems are not small investments. Yet, these systems historically deliver quick results by saving time and money. Time savings come from streamlined information searching, retrieving, processing, and management; cost savings come from a significant decrease in storage space.

An ECM system should let you

  • Have a single-instance store, which gives you inherently greater control over access and usage rights. Individual storage devices turn into your biggest headaches in discovery, when you single-copy, policy isn't supported by a robust tool
  • Manage pointers, rather than copies of documents
  • Ensure security of content
  • Manage all content regardless of format, while designating which pieces are, for legal purposes, records
  • Automatically associate an object or file with the correct category, according to your organization's taxonomy and business rules. Remember, all content is not records, but all content is subject to e-discovery. Your final response to an inspector general report might be the record, but the versions, edits and metadata they generate are also discoverable. An ECM system should distinguish between the two

ECM systems are certainly not the only options. Document management and records management systems are viable options. However, most ECM solutions offer these capabilities built in or as part of a more complete ECM offering, providing additional capabilities such as workflow. And most document and records management offerings do not manage unstructured data, such as voice-mail messages and other data that may be demanded in an e-discovery situation.

ECM products also have all their functionality contained within the same code base. An ECM offering can serve as the architecture by which to implement and govern content management policies such that responding to an e-discovery inquiry can yield a quick and complete response.

Step Three: Implementation

This third step of preparing for e-discovery may be your greatest challenge. At this point you've done your homework. You've defined your terms, assessed your needs, assessed your current situation and have made plans to move forward—or have already begun moving forward.

The implementation phase brings you to a potentially significant roadblock: end users.
Statistically speaking, among the greatest roadblocks to any large-scale data-management project is user resistance. Users are often unwilling to change where they save their files, and will certainly not expend extra energy entering metadata (even if taught how to do so efficiently). Therefore, it is important for your e-discovery solution--and subsequent implementation choices--to offer familiar interfaces for users, as well as a variety of capture methods, to help users choose the one that best suits their preferences.

Conclusion
Reiterating the main point, compliance is now law. The consequences for not complying--for not being prepared in an e-discovery situation--can be devastating.

The solution is there, and it takes three steps: Assessment, planning and implementation. None of these steps is easy. At the same time, they are all necessary.

On the technology side, an ECM solution can help significantly ease your transition to becoming an e-discovery-ready company. That said, an ECM system in and of itself won't make you an agile organization nor will it alone mean you are home free on e-discovery. Those both start with careful policy planning. But because so much content is subject to discovery, policies, as a practical matter, require an ECM to bring them to life.

Matt Winstanley is senior engineer at TOWER Software. www.TowerSoft.com