New litigation rules put IT on the front lines of data access

Procedures for preparedness, data integrity, and retrieval are right around the corner. Is your enterprise ready?

On Dec. 1, when the latest version of the FRCP (Federal Rules of Civil Procedure) goes into effect, CIOs and their IT departments will find themselves on the firing line in most major business litigation. [Read about the cases that started it all.]

The process in which businesses decide which data they are legally required to save, and which they can safely throw out, is known as “e-discovery and e-hold.” Until now, businesses have been forced to make e-discovery and e-hold decisions based on a mixed bag of individual court decisions, balanced by guesswork by their corporate legal teams. The new FRCP changes all that, codifying a dangerously confusing situation.

Your company’s chances of winning in court -- or staying out of court altogether -- will be greatly enhanced by creating appropriate enterprisewide procedures for retention and disposal of data and documents.

Here are five significant changes to FRCP, and the processes your company should establish in order to be legally secure.

1. Rule 26 (f): Early discussion preparedness

This rule mandates that the pretrial conference between opposing attorneys will now have a very specific purpose. A sweeping requirement obliges the company being sued to cite all storage systems that hold data relevant to the litigation, all relevant data sources and data formats, and the steps counsel has taken to prevent relevant data from being deleted. To comply, companies will need a retention program that allows the litigation department to provide and describe this information accurately.

In other words, attorneys will now be required to know how the company’s entire electronic data processing system works. According to Trent Dickey, a litigation attorney at Sills Cummis Epstein & Gross, this puts IT directly on the firing line.

“Outside and inside lawyers [must become at least somewhat] proficient in computer information systems,” Dickey says. Under the new rules, he explains, during the pretrial conference, company counsel will be required to describe, in detail, all data retention practices, discovery protocols, and preservation processes -- plus exactly which data is accessible, which data isn’t, and why.

This is the most challenging hurdle that a company will face in litigation under the new rules, according to Deidre Paknad, president and CEO of PSS Systems, an ISV that creates software to help businesses manage the e-discovery and compliance process. She says the new rules make the e-discovery process more crucial than ever.

“Companies that can prove they made a good-faith effort won’t see the brutality of a judgment like that made against Morgan Stanley,” says Paknad. In that case, the company was hit with $1.45 billion in damages because the judge and jury believed Morgan Stanley had not made a good-faith effort to discover relevant data.

The biggest risk, says Paknad, is misrepresenting your company’s data. If the company isn’t fully aware of exactly what it has and where it is, and relevant material is uncovered later, as happened in the Morgan Stanley case, the company will find itself in extreme legal jeopardy.

In order to mitigate that risk, legal counsel must fully understand the company’s data practices and indeed must have some control over them. Counsel must be aware of the company’s retention schedules and rules, including a corporate classification schema that identifies the major classes of information the company views as records. According to Paknad, there should be specific retention periods for information in each of those classes.

For instance, among financial services companies, where instant messaging is considered relevant, companies are already sampling IMs on a daily basis and matching text against a lexicon of keywords. Tape cataloging is another key ingredient in preparing IM and e-mail for retention and data discovery during the pretrial conference. Cataloging should record the dates of all information on the tape, including the server it came from and the type of data it is, says Francis Lambert, senior compliance advisor at Zantaz, a content archiving company.

In preparing for the pretrial conference, many larger companies are deploying full-time “discovery response teams” made up of litigation attorneys and IT technicians. These teams are tasked with becoming specialists in collecting and preserving data and in learning how best to go about the process of retention, retrieval, and deletion. In the largest companies, these teams are often broken out by category, such as e-mail IT teams or server IT teams.

When a trained discovery response team is notified of possible litigation, it must swing into action immediately. For instance, a key component of complying with the rule changes in 26 (f) is determining which data needs to be rescued from any automatic deletion process that may be about to destroy it. This is known as a “legal hold.”

From the time a company reasonably anticipates litigation or receives a legal request for data from another party, IT and legal must be able to identify as quickly as possible the systems and data sources where relevant information may be about to be deleted -- and they must prevent such deletion.

Employees and system administrators who are responsible for data deemed relevant to litigation must be notified of their obligations, and they must respond specifically and affirmatively when notified.

For some companies, even when an appropriate process is in place, the task of tracking notification and response on legal holds can be daunting. “For large companies, there [may be] a couple of thousand cases open at any one time,” PSS’s Paknad says. If that is the case, the math is terrifying: A company sending one legal-hold notification and three reminders to each of 50 data custodians would have to send 200 outbound notices for each instance. Multiply that, very conservatively, by 100 cases, and you’ve got 40,000 notices and responses crisscrossing on the network. And all this is merely in preparation for the pretrial conference.

There are additional changes that impact IT directly. For instance, the FRCP and the attached notes from the court recommend that at least one IT person should file a discovery deposition. “It has to be somebody that knows how the IT systems work,” Sills Cummis Epstein & Gross’ Dickey says. “Companies need to know, [beforehand] who is the spokesman, and that person should be deposed under oath.”

A deposition from IT is certainly the smartest and safest way to go, adds Zantaz’s Lambert, especially compared with the IT technician making an in-person appearance at the pretrial conference. “You don’t want him in there, because it is two lawyers and a judge, and you don’t want the IT person saying the wrong thing,” he says.

2 and 3. Rule 26 (a) (1) [B] and Rule 26 (b) (2) [B]: Disclosure

Rule 26 covers initial disclosure of sources of discoverable information, as well as sources of information that are not discoverable due to undue burden or cost. Obviously, IT has a huge role to play here.

Rule 26 requires both parties to disclose all information that is relevant to either their claim or defense. The parties must identify information by category and location, Zantaz’s Lambert notes. If pertinent data is not disclosed up front, it may not be admissible later.

However, the more interesting part of Rule 26 is (b) (2) [B], if only because interpretation of it may change depending on the case at hand. For instance, if a lawsuit is for $150,000, it may not behoove the judge to force a company to spend $2 million accessing hard-to-retrieve data that exists only on legacy disaster-recovery tapes. However, if the case involves a $50 million lawsuit it could be another matter altogether.

This means a company should have a pretty good idea how much it will cost to restore data from various media, file types, and locations. The tricky part is that before you know how much it will cost to retrieve the data, you must know which data is stored where.

The solution lies in mapping your data sources. This should be a joint effort between legal and IT, PSS’s Paknad says. But mapping data sources is easier said than done. For one thing, it assumes that someone in the company knows what data is relevant and where it all is. In a large company, this may be a wholly unwarranted assumption.

With mobile executives storing information on their notebook hard drives, any given piece of data might be on a notebook flying to Milwaukee, in an Access database across the hall, or scattered across dozens of different tables built for end-of-year financial statements.

The solution is to create the data map before you need it. Because there is no business software currently available that can automatically seek out all your data sources and dump them into a document of some kind, IT and legal must come together, not only to map what the data sources are but to record which business processes they touch.

Of course, if you already have a good records-retention policy in place, it will dictate what data your company is going to keep and where it is located. Obviously, the “where” is the link to the data sources.

Companies must identify the departments and employees with custody of the data, and they must create a stewardship that includes a container expert (data source), content expert, or business unit that owns the data -- and a policy owner for retention, privacy, and security, Paknad advises.

4. Rule 34 (b): Form of production

Supposedly, the standard for data retention and disclosure is always “reasonableness,” but Rule 34 (b) can lead to difficulties when the format for delivery is considered. Unless otherwise specified, data is supposed to be delivered in its native form. However, there are issues. For instance, if the data is in an Excel spreadsheet, it can easily be altered. But if you deliver the Excel spreadsheet as a PDF document, it won’t capture the formulas.

Typically, the acceptable format should be the way the data was managed in the normal course of business -- but suppose you’re using SAP software for invoicing. Your company might wish to deliver an invoice or an e-mail in the form of a PDF, while your adversary may demand to see your entire database. “If the metadata for an e-mail is important,” PSS’s Paknad says, “you may have to produce the e-mail in native format.”

Paknad also recommends keeping relevant files in a location that’s provably secure from tampering, as whichever party wants to see the data will also want to be assured it was not, and could not have been, altered.

5. Rule 37 (f): Safe harbor

If you can prove that missing data has been deleted during “routine” data expunging, you are probably safe from legal sanctions. However, you must be able to prove that the deletion was indeed part of a routine process and not “event-driven.” Here we come back to good-faith effort, where producing an audit trail and monitoring are key.

However, Sills Cummis Epstein & Gross’ Dickey counsels that routine deletion is no excuse for destroying something on legal hold. “You must stop and suspend automatic retention and deletion systems in order to secure relevant data,” he says.

Bottom line: You are legally required to secure all relevant data. If you screw up here, the court can say you are obstructing justice, and the judge may assume that the data was detrimental to your case -- as in Zubulake v. UBS Warburg.

Software solutions

Although the onus for compliance will always be on the business itself, many companies are looking to their ERP vendors for solutions. For instance, as PSS’s Paknad notes, Fortune 20 companies are going to expect that their transaction and knowledge management systems support retention periods and legal holds. At the moment, few enterprise applications are doing that.

A sea change is exactly what the Fortune 20 will expect in the next year or two; in fact, it’s already happening. Paknad says that her Fortune 20 clients are implementing policies for 2007 that will require all systems brought online to support retention lifecycles, legal holds, and collection requests for litigation.

In 2007 and 2008, these features will trickle down to software being used by the Fortune 1000 and beyond. Clearly, every company that may face litigation will be looking for a rapid evolution of systems and features in their enterprise software to make it compliant with the new Federal Rules of Civil Procedure.

It’s more than a good idea. It’s the law.

Copyright © 2006 IDG Communications, Inc.

How to choose a low-code development platform