Data responsive to litigation, investigations, subpoena response, due diligence and other legal and compliance activities can pose colossal organizational risks that reverberate up to the highest rungs of the corporate ladder. Where answering for discovery-related practices once fell firmly on the shoulders of legal, CIOs and other top IT, information security and compliance executives are increasingly caught in the crosshairs of challenges to their companies' discovery responses -- and are being held accountable for the practices they oversee and on which they've stamped their imprimatur.
This is perhaps no more evident, or unfolding more publicly, than in the Volkswagen emissions scandal, where the company's CIO has been accused by a former employee of intentionally destroying potentially incriminating evidence. While most challenges don't directly implicate heads of IT, it is not uncommon for breakdowns among the rank and file to pull the C-suite into the morass. Consider the nearly $7.5 million in discovery sanctions an Atlanta federal judge recently imposed on Delta for the "colossal blunders" of its Computer Security and Investigative Response team in attempting to find and preserve evidence on email servers and archives. Barring foul play, it is the executives responsible for implementing and executing policy that are ultimately duty-bound. As they say, heavy is the head that wears the crown.
If you're in charge of your company's information practices, yours is one of the necks on the line in the event a discovery response is challenged or undermined. Below are some questions for which you should have thorough answers -- or have a direct line to the person that does. They do not represent a comprehensive list, but are meant to stimulate meaningful internal discussions about how IT and legal can work together to better protect the enterprise.
Chain of Custody, Due Diligence, Reasonable Investigation
1. Who is the witness?
This is perhaps the question for which those responsible for data integrity must have a persuasive answer. If an opposing party claims your production is incomplete, who can attest in detail otherwise? Every organization should identify a go-to person who can describe efforts to preserve, collect, search, review and produce data, and explain why those efforts were "reasonable" under the circumstances.
In federal litigation and investigations, Rule 30(b)(6) is the vehicle by which opposing parties can solicit testimony on an almost limitless range of topics. It allows opposing parties to depose the company through one or more designated individuals who must speak to the company's due diligence in responding to discovery. Failures to identify a person who can adequately fill that role have doomed parties in the past. In Peerless Indus., Inc. v. Crimson AV, LLC, No. 1:11-cv-1768 (N.D. Ill. Jan. 8, 2013), for instance, the defendant suffered monetary sanctions due to its 30(b)(6) witness's inability to "to answer questions about... computer and backup systems, what searches were performed, which employees had relevant information, whether a document hold had been implemented, or whether employees at (Crimson) were even contacted regarding plaintiff’s document request.”
2. Where do the "first pressings" live?
Electronically stored information (ESI) is unlike physical evidence in that it is ephemeral, malleable, replicable and easily distributed. A prerequisite to preserving data is to know where it resides in the first place. Business data ecosystems are becoming increasingly complex and expansive. Responsive data may reside, among other repositories, on network systems, email servers and archives, local workstations, remote devices, removable media, personal network shares, social media, internal intranet and messaging programs, databases, backup systems and with third-party providers.
The sheer breadth of spaces data can hide can be intimidating, so it is essential both to take inventory of existing repositories and to distinguish what is truly of potential business, compliance, and/or legal value, and what is not. Part of this exercise is identifying where the original or "native" files of that data live. Under the new federal discovery sanctions standard, if ESI that should have been preserved is lost due to failures to take reasonable steps to preserve it, a judge may only impose sanctions if the ESI "cannot be restored or replaced...." To this end, it is most important to preserve the native versions of data that is potentially relevant to the claims and defenses at issue. It is these materials that make up the canonical record of how your company operates. Duplicative materials can be lost without penalty, so long as the integrity of the originals is maintained.
3. Where is your discovery data right now?
Discovery data represents an easy target for hackers and other bad actors because it often moves from party to party through insecure paths. Think of the way it flows from the enterprise to outside counsel and outside vendors to opposing parties as a game of telephone, where there is the potential during every relay for something to be lost. Just because information leaves your network doesn't mean it is no longer your responsibility, or that you should trust your outside partners to maintain its integrity and security.
A typical eDiscovery workflow may involve a client collecting its own materials from local repositories and either sending that data to its outside counsel via insecure connections like email, FTP, or file-sharing sites, or shipping physical media. The law firm may then share that data with a third-party vendor through similar means, or data may be sent from the client directly to the vendor. You should know where your discovery data is at all times, assure that it is secure via proper encryption methods, and be able to access it from anywhere at a moment's notice. To maintain control and increase security, some organizations host centralized discovery platforms internally or use SaaS platforms into which they invite outside counsel and vendors who are given permissions-based access.
4. How confident are you that your vendors and/or outside counsel would notify you in the event they suffered a data breach?
A recent survey of more than 600 IT professionals conducted by the security company Bomgar found that, while most organizations trust outside vendors to handle data, more than two-thirds say that they've "definitely or probably" suffered a data breach due to those vendors' access. Nearly 80% of respondents said they expected to experience "a serious information breach" relating to vendor access in the next two years.
Law firms, which are, in essence, vendors of legal expertise, fall into this camp -- and their vulnerability to data breach is well documented. Recent admissions of client data breach at Cravath, Swaine & Moore and Weil, Gotshal & Manges, two of the premier corporate litigation firms in the world.
To the extent that your organization trusts sensitive data to outside partners, it is imperative to vet the security of those vendors, tightly monitor their access to internal systems, ensure they have cyber-insurance, and come to terms on a sound incident response and remediation protocol in the event a breach does occur. If your data is compromised, you don't want to learn about it from the front page of the Wall Street Journal.
5. What assurances do you have that your discovery data is protected once it is produced to opposing parties?
For enterprise, in the context of litigation and investigations, security measures often cease at the very moment data is turned over to opposing parties. Parties and their legal providers often go to great lengths to protect data when it is in their own possession only to produce that information to others with few safeguards. Such arrangements have cost litigants dearly in the past -- most notably, perhaps, in the Apple-Samsung global IP battle, where Samsung’s outside counsel compromised sensitive files it received from Apple by exposing them over Samsung's company intranet.
As an article in the New York Law Journal recently put it, “Companies can build their own data security systems and choose advisors with appropriate security, but they cannot choose their opponents, their opponents’ counsel, or their opponents’ discovery vendor.”
CIOs must work with their companies' legal teams to define security measures for protecting enterprise data once it leaves the internal network, and network of providers. This might include insisting that all discovery data is encrypted in transit and at rest at all times, and encouraging outside legal counsel to move for protective orders when certain categories of sensitive data are at issue. It is also wise to discourage or restrict opposing parties from copying information they receive through discovery, or otherwise distributing it. In the most sensitive instances, it may be appropriate to restrict review of documents by opposing counsel to a secure site or physical location your company maintains.
6. What systems and protocols does your organization have in place to preserve data?
As soon as an organization anticipates legal action, it is under an obligation to preserve all ESI that may be relevant to that action. Critically, this entails executing a legal hold across all custodians and data repositories that may possess relevant material. For serial litigants and organizations that face constant regulatory scrutiny, preserving custodian data may entail managing "cascading" legal holds, where holds must be attached to and released from certain documents that are relevant to more than one matter -- without disturbing other concurrent holds. Routine deletion schedules, such as those applied to company email, must be suspended upon reasonable anticipation as well.
There are many other moving parts and considerations related to preservation, such as how enterprise data residing on employee mobile devices will be preserved, how the integrity of cloud-based third-party repositories (such as Salesforce and Slack), will be maintained, and so on. IT is often in the best position to identify the location of relevant data through a combination of enterprise search and custodian interviews, assess network topology, and determine the business disruption that will occur as a function of preservation.
7. Can you account for company data that resides in the cloud and on mobile devices?
The accelerated proliferation of cloud and mobile data, and the concurrent rise of the Internet of Things, pose unprecedented challenges for corporate legal and IT departments. To put the problem in perspective, consider that, while there are more than 3.1 million combined Apple and Android apps available for download, e-discovery and forensics vendors are able to collect and process data from less than a thousand of them. Yet cloud- and mobile-based data is increasingly likely to be responsive to discovery requests, and to be of value in internal and regulatory investigations.
The focus, then, should be on clearly articulating and enforcing through BYOD and other data security policies and procedures rules around the appropriate use of personal devices, networks, and apps in the workplace. When data arising from personal activities and "shadow IT" is swept up in the dragnet of corporate litigation and investigations, it creates greater potential for risk and excessive cost. It is therefore important to have a means of identifying and removing this information from large data collections if it is not relevant to the issues.
8. How much information do you collect, where is it coming from, and how much is it costing?
One of the largest costs associated with litigation and investigation arises from reviewing useless and clearly irrelevant information. CIOs concerned with reducing organizational cost and risk should know how much data is typically collected from each custodian, and what portion of it is ultimately reviewed internally or by outside counsel/providers. Investing in tools that allow your team to quickly identify and remove non-relevant materials from large collections can drastically reduce downstream legal review costs. Assessing collections before they are prepared for review can also give your legal team valuable early insights into your organization's exposure and the strength of its positions.
CIOs and their teams are also in a unique position to be able to authoritatively quantify the cost and burden associated with various discovery-related activities in a way that protects the organization from incurring exorbitant expenses -- as KPMG famously experienced. In the past, courts have imposed broad preservation and production requirements due to the failure of producing parties to state why opposing requests were disproportionate to their value, and/or why the data responsive to those requests was "not reasonably accessible." The more granularly an organization's IT and legal team can speak to the costs of various discovery-related activities, the better they are able to shield the company from excessive costs and overreaching requests.
9. What assurances do you have that discovery data, and all copies of it, has been properly destroyed when it is no longer needed?
While data disposition is primarily thought of in terms proactive data management (i.e. getting rid of useless data so as not to include it in discovery collections), it is also important to consider how to properly dispose of discovery data that is no longer needed. Often, at the conclusion of a matter, that information and its copies may reside with outside counsel, vendors, opposing parties and elsewhere. Do you have protocols in place to ensure that your partners and adversaries destroy that data upon the matter's resolution -- or is sensitive data left unaccounted for? Leveraging an internal discovery platform that your organization controls, and limiting the duplication and distribution of discovery material by third-parties, eases the disposition process and limits your risk.