eDiscovery: Every CIO's Dreaded Call
E-discovery requests are rarely straightforward and tend to evolve. However, if proper processes, communications, and project management are leveraged with a few IT best practices, e-discovery requests need not shut-down IT to address what always seems to be an urgent request. Make no mistake, an e-discovery request impacts operations and is rarely easy, but taking some of the following proactive steps can minimize disruption to IT and the company while supporting the efforts of your General Counsel. Moreover, these steps can save significant amounts of time, money, and resources for the company.
First, the company must have an open, thorough dialogue about the nature of requests and the expectations related to production. Communication between senior IT leadership such as the CIO and OGC needs to be established before the request. There needs to be a common understanding and education from the OGC to the CIO as to what types of requests may come in (and why), as well as education from the CIO to the OGC as to the types of data IT maintains, where the data is located and operational activities (including backup procedures and retention policies) that might impact the preservation or recovery of the data for the request. Further, it should be emphasized that establishing a true “relationship” benefits both IT and counsel. When a request comes in, they should work as a team and not simply as order giver (counsel) and order taker (IT). Again, all of this should be done long before the first e-discovery request is received (or at least the second request) as history will tend to repeat itself over-and-over again, causing needless and ongoing friction between IT, counsel and the business.
Second, representatives from all areas of the company should assemble a comprehensive data map. Best Practices for IT’s organization, management of systems, and data require at least basic documentation as to the document stores (e.g., email, document management system, financial data, Human Resources, Custom Sales Relationship (CRM), etc.) whether it be onsite, cloud or with a vendor. Further, you need to be able to map the data to the applications that leverage the information.
"Once an e-discovery request comes in (or arguably when reasonably anticipated) this is not and should not be the time to start executing a retention policy from an IT perspective"
This may seem very simple, but even in small organizations, these data stores are probably no less than several dozen and the applications or systems supporting the information are probably several hundred; these numbers can grow exponentially depending on the size of the company, its customers and its segments. Adding to the complexity is discussing with counsel where the data may reside outside of data stores in your traditional back office data center, such as non-company owned devices (e.g. home computers, smartphone, tablets, portable storage, etc.)The complexity of actually knowing what is stored on those non-company owned devices can be alarming!
Third, general counsel should be consulted regarding the data processing, storage, and retention policies. I recommend starting simple but broadly, working with your general counsel so they have an appreciation for the data sources and applications, as well as operational activities which may impact the data for potential e-discovery requests. Although your general counsel has probably been consulted on the duration you are retaining data, from a legal and records management perspective, this is a good time to make sure IT, the general counsel, and the business owners/departments ensure they are on the same page with regard to retention policies. For instance, if you are keeping email, financial, sales, HR and other data forever, this could not only be costing your company significant dollars from an IT operational perspective, but also needlessly exposing your company to an e-discovery fishing expedition by opposing counsel.
Once an e-discovery request comes in (or arguably when reasonably anticipated) this is not and should not be the time to start executing a retention policy from an IT perspective. Policies, procedures, and the execution should be placed into operations via a well-documented, defined manner and supportable program in conjunction with your general counsel long before the first request comes to IT.
Once IT and counsel have established good communications, a common understanding of the data stores, applications, and IT operational processes including retention, you have a good start of a basic e-discovery process. However, there is much more involved in a well-defined e-discovery program than a common understanding, including how the requests come to IT from counsel, the structure of the requests, the expected delivery format, timing, who should execute the requests, who/what communications to the business/ end users if necessary, preservation, chain of custody and discussing when it might be necessary to hire outside experts to search systems such as individual PCs, laptops, smartphones, tablets, etc. These are all areas that need thorough review with counsel and the development of detailed checklists, processes, and procedures. All of these planning steps need to occur before you even start exploring the ever expanding number of technologies and tools to assist with discovery. Otherwise, you are investing in expensive technology before understanding what you are trying to accomplish.
With that said, as with most business IT problems, “there is an app for that,” however, I’ve purposely kept the scope of this article to the people and process side of e-discovery. There are a myriad of products that help identify data stores to applications which may help streamline some of the efforts recommended above. Further, there are countless e-discovery applications and service providers who can provide tools to help identify, collect, and ultimately assist lawyers with the review and production to counsel. These tools and service providers can be critical components to any long-term e-discovery program. However, without the building blocks of a solid relationship and understanding between IT/CIO and the company’s legal team/OGC, it will be difficult (if not impossible) to determine what tools and technology will be needed. Hence, tools and technologies are not necessarily the starting point, and they are definitely not a substitute for a common understanding of business legal needs and the IT operations as jointly understood by two critical business functions – IT and Counsel.