Sunday, December 13, 2009

E-Discovery and the role of the CIO?

E-Discovery is one of the hottest legal issues facing companies today. In simple terms, E-discovery is a firm's obligation to produce all documents or information in its possession, including documents that exist only in electronic form, in the event of initiated or threatened litigation. With that obligation comes costs and risk: the costs of potentially reviewing millions of pages of electronic information, and the risk of failing to understand the information that the company itself is creating.

As the head gatekeeper of corporate information, the CIO faces many issues around E-discovery. For example, what information retention strategy should the CIO put in place in view of the fact that the company may one day face a significant lawsuit? And what should the role of the CIO be when the organization is threatened with a lawsuit?

Here are five key issues around E-discovery that the CIO needs to be aware of:

1. Litigation is an active and strategic focus of the business

It is important to recognize that in today's business climate, litigation is not always a last-resort alternative. Increasingly, it is becoming an active strategy of the business and is being critically assessed, based on its potential to generate a positive return on investment.

Other strategic factors, such as the potential impact on the organization's reputation and the ability to create competitive advantage, form part of the equation in evaluating litigation as an ongoing strategic focus.

2. In-house counsel should play an important role in information access and management

In many organizations, the in-house counsel group is treated as a separate silo -- a necessary adjunct that is strictly a cost of doing business -- and its role is to react to problems once they arise. But in-house counsel can also be an excellent resource for the CIO, assisting in the building of IT strategies around access to information, document retention, document destruction, information collaboration, and litigation.

E-discovery includes an obligation to preserve all relevant electronic evidence as soon as litigation is threatened or contemplated. That obligation simply cannot be fulfilled in the absence of complete information about the company's information structure and technology. And whose obligation does it become, the CIO's or in-house counsel's? This is an issue that the company needs to address.

3 more issues to come in the next blogpost....

Wednesday, November 18, 2009

7 Key Items When Planning an E-Discovery Strategy

1 -- Have a Governance Model to control the eDiscovery process centrally.

Without an approved governance model, eDiscovery will be prone to failures associated with:
  • Ill-defined roles and responsibilities, resulting in everyone doing everything and/or no one doing anything
  • Inability to properly monitor the success of or adherence to policy and processes
  • Inability to measure the effectiveness of policies and processes
  • Inability to track the costs/benefits and properly budget for ongoing operational activities
  • Inability to ensure that the eDiscovery strategy continues to align with business strategies

The program needs to encompass four core competencies: guiding/strategizing, designing/coordinating, executing and monitoring. Each of these competencies is necessary to ensure a relevant and sustainable governance model.

  • Who will guide the company by defining policy for eDiscovery and aligning it with Information Management / Records Management policy?
  • Who will design and coordinate processes to enable each business to consistently fulfill their execution obligations?
  • Who within each business will execute and enforce the policies and processes?
  • Who will audit and monitor adherence to the policies and processes?

2 -- eDiscovery is risky and costs money.

eDiscovery costs a lot of money. The primary costs occur at the review and processing stages. The review stage is used to sort out responsive documents to produce and privileged documents to withhold. It is the stage at which the legal team can begin to gain a greater understanding of the factual issues in a case. 30-70% of the eDiscovery budget is spent here. The processing stage must accommodate a wide variety of unstructured data, handle each form in a manner appropriate to its file type, and generate output that is structured in accordance with review requirements that often vary with law firm practices and client needs.

Connected to costs is risk. The most obvious risk is that e-mails, files or paper are destroyed after a litigation hold has been called. Sanctions can be significant if this procedure is violated. Such sanctions include but are not limited to:

1) Substantial fines; 2) Adverse inference instructions; and 3) Striking a Claim or Defense.

3 -- You need an e-mail policy with a specific section on eDiscovery.

Your e-mail policy should cover eDiscovery. The section should describe what happens when your company is hit by litigation or by a subpoena. It should state the mandatory litigation hold process and name all responsible contacts. But keep it simple and usable.

4 -- Use an accepted eDiscovery Framework.

Using an accepted framework helps your organization speak the same language about the necessary tasks during the eDiscovery process. There are two common frameworks available:

  • The Sedona Principles (http://www.thesedonaconference.org), focusing on fourteen best-practice recommendations and principles for eDiscovery issues, including comments on their application.
  • The Electronic Discovery Reference Model, EDRM (http://edrm.net), providing a common, flexible and extensible framework for the development, selection, evaluation and use of electronic discovery products and services. It can be used as the basis for comparison of your current eDiscovery practices.

5 -- IT, Legal, Business and Administration must work together.

Being forced by a court to produce large volumes of electronically stored information within a short time frame is an emergency for the IT, Legal, Business and Administration departments. All four departments are stakeholders in an eDiscovery process and must be recognized by the Governance Model. They must work closely together during the phases of document preservation, document collection, processing, review, analysis and document production. All for one and one for all!


6 -- Think of in-house vs. SaaS and hosted eDiscovery solutions

In the current economic climate it is helpful to think about hosted e-mail archiving and a hosted review platform, in order to avoid spending budget on an in-house solution. On the other hand, an in-house solution is the preferred way to control the eDiscovery process.

7 -- eDiscovery is not only an e-mail issue

Although most litigation focuses on e-mail, the changes driven by the Federal Rules of Civil Procedure (FRCP) do not focus on e-mail alone. E-mail is just an example. Other content types on file shares and desktops are of importance and the FRCP requires that all companies who conduct business in the U.S. must:

  • Produce electronic information in its native format, with metadata intact (which precludes providing hardcopy of email, for example)
  • Prove chain of custody for electronic information
  • Ensure litigation hold policies are enforced
  • Complete an exhaustive search of all electronically stored information (ESI), noting its description, category and location, prior to the first pre-trial discovery meeting (within 99 days)
  • File an electronic discovery plan within 120 days of a complaint being filed in federal court

Tuesday, October 13, 2009

Roadmap to E-Discovery

So how can you meet compliance for all the global regulations and rules that affect your business while remaining competitive in the marketplace? Management commitment to compliance while reducing change is essential to beginning this journey. Once you have management commitment, you cannot turn back or relax your vigilance. The journey is ongoing and requires flexibility to maintain your program in a continually changing environment.

There are three key components that make up an effective e-discovery and compliance program:
1. Governance
2. Process
3. Technology

Step 1: Governance for Compliance and Policy Management

The first step in developing a sustainable program is to mitigate the inherent discovery risks for your electronically stored information by adopting an enterprise governance package. A governance package sets organizational standards, processes and compliance rules for streamlining document-handling activities, providing ease of reference and reducing the amount of information you need to manage. A document and records governance package can consist of any number of policies and procedures, based on your organizational culture, external risks, infrastructure complexity and compliance impact.

A governance package can also supply technology domain rules to help your IT department manage your program. These policies and procedures or business rules can affect all of your organizational staff, including external contractors, or they may affect specific functions. At their core, some of these rules are the Records Management policy or standard, the Electronic Messaging policy or standard, the enterprise retention schedule, document handling procedures, inactive media and archival standards, the litigation hold order and so on.

Step 2: Process for Knowing your Information Universe


The second step of the e-discovery journey, process, is the most challenging and resource intensive. Understanding how information is processed throughout its lifecycle is essential. Process also means change, especially as it relates to electronically stored information. If you do not have individual, departmental or functional standards for describing how electronic documents and e-mail are to be indexed, retained or disposed, any imposed standards can change how you process information.

Implementing information lifecycle standards must account for the functional needs of your organization. But when data can be stored on PC or laptop hard drives, external drives, thumb (universal serial bus or USB) drives, or CDs and DVDs, as well as on servers, external Websites, share drives and backup devices, how can you disclose all of the locations where you keep electronically stored information? Only by conducting surveys and interviewing users by department or function can you create a realistic picture of your complex enterprise. Only after you capture storage protocols and understand how information is currently cataloged or indexed can you begin to break down the silo effect of storing information. This begins the process of developing classification standards and local procedures that link with your overall governance package.

Some key things to think about here are chain of custody and avoiding spoliation, authenticity, metadata and "Meet & Confer" standards.

Step 3: Technology to bring it all together

The increasing demand for e-discovery, together with the exponential increase in electronic information, means that every organization should be prepared. You should not have to react when litigation arises. You need to manage your information proactively as a core asset, not only to reduce the risk of e-discovery but to increase the productivity of your day-to-day operations. In order to implement a governance package and processes, you need to implement technology to help you manage your information as an asset across your enterprise. The magnitude of the problem, the volume and wide distribution of information and the implication of not taking proactive measures indicate that managing your information is now mandatory. Organizations around the globe are looking at document and records management solutions with rigorous and unified records management to support their e-discovery preparedness and operational productivity.

Whether information is in a paper document, an electronic document or a record, it is discoverable. Therefore, you need to capture information upon creation and manage it through its lifecycle to disposition. You need to apply retention management regardless of whether a document is a record, and you need an easy-to-use process for your end users, one that does not require them to know how to use your retention rules. When looking for a document and records management system, make sure that all electronically stored information is treated consistently across your organization, that it is easily captured, that it is categorized for easy finding over large volumes and time, that retention policies are applied by default, and that litigation holds are easily applied and managed. Successful document and records management solutions provide value to both end users and your organization while helping you prepare for e-discovery.

Technology can support your preparedness for e-discovery through some of the following:

• Lifecycle management of electronic information: capturing information at the point of creation and managing it throughout its lifecycle in line with corporate policies

• The ability to capture information easily from existing, commonly used authoring applications, such as Microsoft Word and e-mail

• Capturing electronic metadata from an authoring application and preserving it throughout its lifecycle, supporting authenticity for the information

• Managing information, whether a document or a record, according to your organization’s policies for retention and disposition of information

• The ability to prove chain of custody through extensive audit trails that are preserved with your electronic information

• The ability to preserve electronic evidence, including audit trails and business rules for deletion, with security controls

• The ability to find information easily over long periods of time and from former employees

• The ability to preserve electronically stored information for long periods of time, regardless of the technology in which it was created

• The ability to place litigation holds on all forms of electronically stored and physical information, regardless of its format and how many litigation holds may already be in place, to protect you from spoliation and to support your discovery processes

Saturday, September 26, 2009

What's the problem with Information Silos?

Let me give an example of information silos:

Consider how information is managed in one representative organization. In this organization:

· Unstructured IM includes records management compliance . . . Information managers within one part of the company spearheaded the development of an ECM solution that supports records management to specifically address eDiscovery requirements. This targeted records management initiative addresses the content repositories housing the document types within the scope of this initiative but ignores many other content repositories housing valuable information supporting other functions.

. . . . While other risk analysts focus on BI. Finance and risk analysts from another part of the company built a BI platform to reconcile disparate financial data from across the organization to provide management with a single source of truth to support financial reporting and risk analysis. However, they did not scope customer, product, and employee data into this BI initiative, and disparate versions of this other, critical data remain a problem that affects many parts of the organization.

· The chief risk officer (CRO) spearheads strategic governance risk and compliance (GRC). . . The chief risk officer’s new initiative drives new policies and business processes to reduce legal and financial risk exposure. This initiative, driven from the CRO down, doesn’t take into account the eDiscovery efforts going on in one part of the organization or the BI efforts taking place in another group. Consequently, the CRO and her team have neither reports nor dashboards that present a unified rollup of all risks facing the enterprise nor scorecards showing how well the company is complying with GRC mandates.

. . . . Creating duplication of resources. The unfortunate result is unnecessary duplication of infrastructure, business and IT resources, applications, and other project deliverables. For example, the records management initiative could have adopted a broader scope to consolidate disparate enterprise content management repositories, and the BI initiative could have focused on the creation of an enterprise data warehouse that could have reconciled and centralized a wider variety of enterprise data.

But in this example, there is precious little sharing or reuse within and across the diverse IM initiatives. The company wastes valuable money, effort, and time and is hard pressed to document any coherent contribution to its strategic mission.

All of the example company’s projects support a single, top-down, executive-level mandate to ensure corporate compliance with external regulations. However, per standard practices in many IT organizations, each of these initiatives has its own technical project team, and the various teams have no cross-project coordination or broader architectural strategy that might harmonize their efforts. Senior executives find it difficult to track or align disparate IM initiatives against a common strategic plan. But the example shows that it’s important to keep your IM strategy in sync with your business-level planning framework and priorities to ensure that various IM initiatives contribute to strategic success imperatives, as it has become untenable for CIOs to fund disparate silos that generate a massive number of tools and repositories.

Saturday, August 15, 2009

In the Event of an eDiscovery Emergency, Break Glass: Preparing for the Inevitable

The incredible information explosion of the last decade -- including the proliferation of collaboration tools such as Sharepoint and all other Web 2.0 applications, text messages, voicemails sent directly to email, social networking, IM messages -- together with the stiffening of records retention consequences and the increasingly stringent records requirements on corporations have all contributed to creating an Information Management Perfect Storm for today's corporation. Courts and regulators expect corporations to know what information and records they have, where same are located/stored, and also to be able to identify, collect, retain, and produce such information in a timely fashion and in a useful (i.e. native) format.

Not having a well thought out information management structure that is adhered to by all employees and a means for quickly organizing the various information repositories and tools can cost more than just money. It can also cost a corporation in terms of lost claims, insufficient defenses, tarnished reputation, and employee frustration and turnover.

Assuming that a corporation has done as much as it possibly can to organize its information and records in a logical fashion while at the same time capturing appropriate metadata and doing all of the other fundamental records management activities, here are two specific things that a corporation can do to prepare for the inevitable litigation, as it is only a matter of time before the corporation wants to sue or is itself sued by another corporation or individual.

Prepare an eDiscovery "Break Glass" Plan

The obligation to preserve records/evidence in any litigation matter arises when litigation has commenced (i.e. the statement of claim has been issued) or it is reasonably foreseeable that litigation will occur. So what happens then? Obviously, relevant records need to be preserved, but how does your corporation go about doing that? It is absolutely essential that an "In the Event of eDiscovery, Break This Glass and Follow These Steps" plan is prepared in close consultation with a corporation's in-house and external legal counsel.

Some of the items to consider in preparing the "Break Glass" plan are as follows:

1. Who is on the eDiscovery Dream Team and who is responsible for notifying them of the actual or threatened litigation? The eDiscovery Dream Team likely comprises your external counsel, who will in all likelihood be leading the charge, together with in-house counsel, IT professionals (system architects, records management system administrators), members of the business that were involved in a particular deal or matter during the honeymoon (which is now ending in divorce) and so on.

2. How will custodians of information/records be identified?

3. Who will prepare the preservation/hold letter or email to send to all custodians?

4. Who will be responsible for taking physical or electronic possession of all relevant records and information sources (i.e. hard drives, etc.)?

5. What procedures will IT use to ensure that all records are collected and stored, including how metadata will be managed, the format that files will take, and so on?

6. When and how will external vendors form a part of the process?

7. Depending on the matter (e.g. termination of an employee), what needs to be done forensically to restore hard drives?

8. What internal auto-deletion processes need to be turned off and for which users/custodians?

Test the "Break Glass" Plan: Carry Out an eDiscovery Fire Drill

It is one thing to have a plan in place, but how well does it work in reality? As the potential consequences of getting eDiscovery wrong can be quite disastrous (for example, imagine if the information collection process/tool changed all of the metadata and made it impossible for any of the records to be authenticated, meaning they were inadmissible in court? Imagine further that in this example, the amount of money at risk in the claim could make or break your company...), it is important that all players involved, from internal IT, Law, and Business groups to external counsel and eDiscovery/records vendors, know their roles and responsibilities and that there are back-up personnel in place in all key areas that know what needs to be done, as timing will be critical.

Make sure that your external consultants and counsel evaluate how well the plan worked and implement their suggestions to improve the process. Every eDiscovery will have its nuances, but if you have an eDiscovery Break Glass Plan in place, it will at least cover the most important bases and drive your corporation to continually improve its eDiscovery and records management capabilities, which will minimize the cost of eDiscovery and put you in the best position possible to win or significantly reduce potential losses through litigation.
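The fire-drill failure described above, a collection tool that alters metadata so records can no longer be authenticated, can be checked for mechanically during the drill. The following Python is an added example, not part of the original post or of any vendor's product: it copies files into an evidence folder, records each file's hash and modified time in a hash-chained manifest, and then re-verifies the copies. The function names, the custodian and collector labels, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # "previous hash" used by the first manifest entry


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large mailboxes do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(body):
    # Canonical JSON so the same entry always produces the same hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def collect(source_dir, evidence_dir, custodian, collector):
    """Copy every file under source_dir to evidence_dir; return the manifest."""
    source_dir, evidence_dir = Path(source_dir), Path(evidence_dir)
    manifest, prev = [], GENESIS
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        st = src.stat()  # capture metadata before the content is read
        rel = src.relative_to(source_dir).as_posix()
        entry = {
            "path": rel, "size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_file(src),  # reading may update the source atime;
            # real collections read from a read-only mount or write blocker
            "custodian": custodian, "collector": collector,
            "prev": prev,  # links this entry to the one before it
        }
        dst = evidence_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 carries the modified time; copy() does not
        entry["entry_hash"] = _entry_hash(entry)
        prev = entry["entry_hash"]
        manifest.append(entry)
    return manifest


def verify(manifest, evidence_dir):
    """Return a list of (path, problem) findings; an empty list means intact."""
    findings, prev = [], GENESIS
    for entry in manifest:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
            findings.append((entry["path"], "manifest entry altered"))
        prev = entry["entry_hash"]
        dst = Path(evidence_dir) / entry["path"]
        if not dst.is_file():
            findings.append((entry["path"], "missing from evidence store"))
            continue
        if sha256_file(dst) != entry["sha256"]:
            findings.append((entry["path"], "content hash mismatch"))
        if dst.stat().st_mtime_ns != entry["mtime_ns"]:
            findings.append((entry["path"], "modified time changed"))
    return findings


def demo():
    """Fire drill on constructed sample files standing in for custodian data."""
    with tempfile.TemporaryDirectory() as tmp:
        src, ev = Path(tmp, "custodian_share"), Path(tmp, "evidence")
        (src / "mail").mkdir(parents=True)
        (src / "contract.txt").write_text("draft v3\n")
        (src / "mail" / "msg001.eml").write_text("Subject: renewal terms\n")
        for p in src.rglob("*"):
            if p.is_file():
                os.utime(p, (1250000000, 1250000000))  # fixed 2009 timestamp
        manifest = collect(src, ev, custodian="J. Doe", collector="IT-01")
        clean = verify(manifest, ev)
        # A careless tool re-saves one file (same bytes, new modified time)
        # and changes the content of another.
        (ev / "contract.txt").write_text("draft v3\n")
        (ev / "mail" / "msg001.eml").write_text("Subject: renewal terms (edited)\n")
        return clean, verify(manifest, ev)


if __name__ == "__main__":
    clean, damaged = demo()
    print("after collection:", clean)
    print("after careless handling:", damaged)
```

The re-saved file keeps its hash but fails the modified-time check, which is exactly the metadata damage a content hash alone would miss.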

Tuesday, August 4, 2009

FRCP and What IT Needs to Know When Planning eDiscovery Systems/Initiatives


What Are the Federal Rules of Civil Procedure (FRCP)?

The FRCP, established in 1938, govern federal court procedures for civil suits in the United States district courts. Put forth by the United States Supreme Court pursuant to the Rules Enabling Act, they were then approved by the United States Congress. The Court's modifications to the rules are usually based on recommendations from the Judicial Conference of the United States, the federal judiciary's internal policy-making body.

The most recent revision to the FRCP, which took effect in December 2006, included practical changes to discovery rules to make it easier for courts and litigating parties to manage electronic records. These new amendments continue to have major effect on how companies retain, store, and produce ESI (i.e. electronically stored information, a term created by the judiciary) for litigation - especially email, document management and file system data.

The FRCP does not specify or even suggest any particular technologies be used for record archiving or eDiscovery processes, but rather makes clear the obligation to quickly secure, hold and produce all pertinent data for litigation when directed.

Let's take Rule 26 as an example and elaborate:

This rule clarifies a responding party's duty to include ESI in its initial disclosures. It also requires the party to describe the location, format, and accessibility of all ESI it has in its possession. It reads in part: "A copy of, or a description by category and location of, all documents, electronically stored information, and tangible things that are in the possession, custody or control of the party and that the disclosing party may use to support its claims or defenses, unless solely for impeachment."

Rule 26(a)(1)

Rule 26(a)(1) specifies that the organization must have a location and high-level inventory of all electronic data ready at the pre-trial conference. This rule removes any maneuvering room around producing instant messages, SMS messages, voicemail, or other forms of electronic data stored in less accessible locations, such as removable storage devices, USB thumb drives, digital camera memory, and so on.

What does it mean for IT?

IT will be called upon to quickly produce this detailed data mapping or inventory. Be proactive! Create the data map or inventory ahead of time and keep it up to date.

There are several other rules that affect how IT rolls out eDiscovery systems, such as Rule 16(b), Rule 34, Rule 37(e) and so on.

Thursday, July 23, 2009

Questions to Ask Prospective eDiscovery Vendors

When it comes to implementing an eDiscovery product or service, it is extremely important to know exactly what you need. In the eDiscovery realm, customer needs are extremely diverse. Some organizations need a full-service provider to put together soup-to-nuts eDiscovery process support while others need only forensic collection support.

The diversity of requirements and various product offerings makes it difficult to select the perfect eDiscovery vendor. In addition, as the main drivers behind implementing eDiscovery systems and procedures are compliance, litigation readiness, and fine/sanction avoidance (and vendors are well aware of this fact), it is often difficult for an organization that is in the early stages of developing its eDiscovery capabilities to distill the fear-mongering messaging of certain vendors down to what services those vendors actually provide and, most importantly, whether those services are a fit. Please find below a glimpse of a few key questions to be asked of potential vendors.

You will want to break down the questions into the following categories: collection, processing, review, production, and pricing (both pricing models and specific pricing for implementation and for each eDiscovery process that you run). The first four categories are major parts of the eDiscovery process, and vendors often specialize in one or two of those activities.

Questions About Collection:

  • How is paper-based information brought into the eDiscovery process?
  • What methods of electronic collection exist (e.g., remote agent desktop collection, disk imaging)?
  • What methods are used to initiate a defensible chain of custody and secure access?
  • How quickly can tapes be restored? What is the cost of tape restoration? Is this a native capability or provided by partners?
  • What methods are used to identify/fingerprint documents?
  • How is chain of custody preserved and spoliation avoided?
  • Where and how is metadata managed and preserved?

Questions About Processing:

  • What culling methods exist?
  • Can culling happen at the point of collection?
  • How is data extracted from different types of media?
  • Are attachments extracted from emails and processed as separate documents? If so, how are they associated with the original email message?
  • Does the product/service support both static and dynamic encryption?
  • Are documents converted to a standard type for review? If so, what type, and is there an additional cost?
  • How is deduplication performed (e.g. within custodians, across custodians)?
  • What is the average indexing speed?
  • What methodology is used for metadata management?

Questions About Review:

  • For native file reviews, are native applications required?
  • Does the review application have workflow support?
  • What kind of statistics are provided to manage the workflow?
  • What type of access rights are enabled (e.g. by function or by data)?
  • How are documents indexed and categorized?
  • Are double-byte characters indexed?
  • How is "concept" searching defined and enabled?
  • How is value-add metadata managed?
  • What security protocols are used?
  • How is redaction enabled?
  • How many simultaneous reviewers can the system support?
  • What is the average document to document speed?

Questions About Production:

  • What output options are available (e.g., native, TIFF, PDF, load files)?
  • What is the average turnaround time for exporting data?
  • How does the product support Bates numbering?
  • What fonts are supported?
  • How is output to multiple languages handled?
  • Are there any partners for production services?

Questions About Pricing Models:

  • What software pricing models are available (per user, per CPU, etc.)?
  • Are there recurring charges for installed software (other than typical maintenance fees)?
  • Is there an ASP offering? If so, how is it priced?
  • How is data processing charged (e.g. per GB)?
  • Are there different pricing models for load files to different review applications?
  • What is included in management consulting (e.g., strategic guidance, computer forensics, technology consulting)?

Hope this is useful for all who are trying to move forward with eDiscovery solutions.

Sunday, July 19, 2009

How to Drive Information Management Adoption


'Information Management' is a problem identified by many and you would think that IM adoption should be easy, but every organization I have consulted with suffers from an Information Management adoption problem.


All too often, IT-driven product evaluations focus on how well a tool supports managing, finding & retaining documents, leaving project teams in many enterprises surprised at how quickly users abandon what IT believes to be a superior Document Management/Records Management product. Here are some of the key lessons I have learned:

  • What worked for one department doesn't/won't necessarily work for another - Focus on the business processes of a department and what they do on a day to day basis instead of taking a massive cookie cutter approach.

  • Mandate from the 'Boss' negatively affecting users - Today's increasing focus on compliance and risk mitigation forces many enterprises to lock down and better manage documents located on the notorious shared drive. Properly mandating without change management is not going to cut it. Almost all effort is spent on rolling out the system and very little on Change Management, whereas my personal approach is to focus around 70-80% on Change Management.

  • Poor usability plagues many IM initiatives - If the IM system does not integrate well with the most commonly used tools, then it can be a nightmare. Be very careful when selecting a vendor/tool.

  • Making everyone an Information Manager - When onboarding a group into an Information Management system, build solutions that reflect their business process and do not bog users down with useless classifications, categories or making them select individual documents and declare them as records. Leave the job of RM with the records managers and focus instead on creating an information architecture for the particular user group that works for them.

Finally, all IM needs are not the same and make sure you gather requirements and answer key questions for each constituency. Rapid deployment of technology is the easy part, but deriving business value out of the deployment is the difficult part.