If youre an IT professional whos also interested in legal affairs, there has never been a better time to blend the two worlds. With the amendments in December 2006 to the Federal Rules of Civil Procedure (FRCP), IT has become inextricable from the discovery process of corporate litigation.
IT has to be a part of most of these matters because, regardless of whether its sexual harassment or slip-and-fall, it all involves some level of electronic information, says Brian Babineau, an analyst at Enterprise Strategy Group Inc.
In fact, in an ESG survey in August, 44% of 568 IT and records management professionals polled said they had a dedicated or specialized IT staff to help with the discovery of electronically stored information (ESI), whereas only 4% said they had specialized e-discovery attorneys. IT has to dedicate people to the lawyers, Babineau says.
And while the FRCP changes were intended to make e-discovery easier and cheaper to do, they were based on the presumption that IT organizations were managing things better than they actually were, says Jim Minihan, president of IMerge Consulting in Orlean, Va. So now IT has to do all this stuff they never thought of before, including records management and closer supervision of data systems and how things are being stored in 100% of the cases, he says. Before, theyd worry about it when they were sued, but because theres now a defined process, the penalty of not following procedure can become horrific.
Weve compiled an FAQ to help you understand the changes to the FRCP.
Why should the FRCP concern me as an IT professional?
The FRCP directives govern federal civil lawsuits. Before Dec. 1, 2006, the rules didnt formally address ESI or companies responsibilities for preserving and producing this data. But now, the rules say, once and for all, that electronically stored information is now discoverable, just like paper documents, says John Thomure, an attorney at Michael Best & Friedrich LLP in Milwaukee. The intent is to provide clearer standards to help resolve or reduce disputes over data preservation, according to Robert Sikellis, associate general counsel at Vance International Inc., a Centreville, Va.-based consulting firm that offers digital investigation and litigation-support services.
What this means for IT, Sikellis says, is increased pressure to proactively manage data in order to avoid sanctions or unfavorable rulings that would result from failing to produce ESI thats relevant to a case. Legal and IT professionals need to come together to understand the new rules and their impact on IT planning and management, he says.
Which rules do I need to be aware of?
ESGs Babineau summarizes the relevant rules this way:
Rule 26: There are three important parts to this rule. First, as soon as a claim is filed, the parties must meet and discuss, among other things, any issues relating to disclosure or discovery of ESI. Second, the parties must identify without awaiting a discovery request all ESI they may use to support their claims or defenses, both by category and location. And third, parties are not required to search or produce data from sources that arent reasonably accessible. Typical examples are magnetic backup tapes used for disaster recovery and older data stored on obsolete and unused media.
Rule 34: As part of the pretrial discovery process, ESI must be produced in a form in which its ordinarily maintained or in a reasonably usable form.
Rule 37: Routine, good-faith business operations may provide protection from sanctions for destruction of ESI.
So, how does this change things for IT?
IT professionals will now have to be involved any time their companies enter litigation. And, because of the changes to Rule 26, IT needs to do a lot of advance preparation.
Essentially, an attorney has to understand what information exists, what category it falls into, where its stored and how much it would cost to produce as evidence, Babineau says. And because most general counsels and IT professionals dont have a complete understanding of what ESI the company has and how accessible it is, IT must create a detailed road map.
What does this road map need to include?
Sikellis says such a road map should detail where all ESI is stored. This includes deleted data, data in systems that are no longer used, and data in remote or third-party locations. Data sources should include all media and formats, such as backup media, portable media, audio recordings, images, other data compilations, and remote or third-party locations.
You also need an idea of how quickly various forms of ESI can be processed and reviewed, prior to production. You want to go into the scheduling conference with full awareness of your timetables, Thomure says.
Can I just wait until litigation happens to worry about this?
Its tempting to wait, but its better to be prepared. Minihan says, There are some lawyers who would say, I cant tell you how to have a foolproof organization that would work properly under the e-discovery rules, so dont do anything, and well just deal with it when we have to. But while its easy to get overwhelmed by the cost and operational changes involved in preparing for e-discovery, its crucial to not get caught flat-footed, Thomure warns. If you havent thought of preserving ESI before the Rule 26 discovery conference, you may be in trouble, he says. Discovery moves quickly, so you must plan for handling ESI early.
Babineau says it would be better to document three years worth of e-mail archives than let the opposing party go on a fishing expedition. They may find out you have Years 4 and 5 on tape that you didnt know about, he says. That raises the question, What else do you have back there?
What are the typical types of data requested?
Its advisable to identify, categorize and create a map of where and how you store all documents and information, including general correspondence, corporate records, contracts, pension documents, safety and environmental records, financial statements, tax records and more.
However, the two most-requested types of data are e-mail and business records that are stored in databases, according to Milford, Mass.-based ESGs survey. Business records include invoices, customer records and financial statements.
The type of data youre likely to be asked to produce will vary according to industry, Babineau says. At biotech companies, drug-trial documents would be likely targets; at real estate firms, building code permits might be at the top of the list; and at entertainment companies, copyright and content ownership documents could be in demand.
Once you understand your biggest area of risk, you can start to prioritize where you spend your time on these new rules, Babineau says.
How far back might I be asked to retrieve data? And How long will I have to complete the request?
In ESGs survey, 48% of the respondents said the average age of the information they had to produce in a discovery situation was 36 months or older. By the time you get through hearings, pretrial conferences and arguments back and forth, it might take two or three years to just get going on a case, Babineau says. Companies need to figure out a way to cost-effectively keep and find this information.
What does not reasonably accessible mean in Rule 26?
Theres nothing exact about it. Before the trial, companies are required to identify unreasonable sources of ESI, based on the cost or labor required to access it, but the judge makes the final decision. Thats why, Thomure says, companies need to detail the time, effort and cost of searching for, retrieving and producing documents, as well as the likelihood of finding relevant information in that ESI source. If you cite undue cost, Sikellis says, you must be able to quantify the actual cost required to preserve, collect, restore and access the ESI. You should also prepare someone to make this argument in court, since not all IT professionals know how to testify, Sikellis says.
Even if the judge rules in your favor, the court could still require the discovery if the requesting party shows good cause, Thomure says. The opposing party might also agree to shoulder the cost.
What does Rule 34 mean?
Parties must specify the form in which they intend to deliver ESI, and this form must be one in which its ordinarily maintained or one thats reasonably usable, Thomure says. You cant, for instance, deliver a static form of a file purged of metadata, he says.
This might become an issue if you encrypt your databases or if you have a system that stores images separately from the metadata associated with them, Minihan points out. You not only have to turn over the data in its pure form; you have to turn over the catalog that points to it or the tools to open and unencrypt it, he says.
Well, at least Ive got a safe harbor in Rule 37, right?
Yes, but dont bank on it, observers warn. Under the rule, you are protected from being punished for deleted data if the data was destroyed as a result of good-faith business procedures. However, that means you need to have solid retention policies in place, and you need to be able to prove that the entire organization adheres to those policies consistently, Minihan says. All the judge has to do is find that while the retention policy for this series of information was complied with over here, with this other series, you didnt comply, he says. If you didnt consistently apply the policy, the safe harbor is gone.
So what I dont save wont hurt me?
Not really. Once a litigation threat is known or a lawsuit filed, companies must preserve all documents that might be relevant to the case, including anything normally scheduled to be destroyed under the retention policy, Thomure says. That means that IT has to help identify people possessing potentially discoverable data and identify all forms of backup storage potentially containing relevant evidence, he says. Backup storage tapes should be excluded from routine recycling. And remember, not saving something is different from deleting it, Minihan says. Many companies think data is overwritten just because their retention schedule says it can be deleted after 90 days, but in fact, it could be in a queue somewhere waiting to be deleted. That means its still discoverable, he says. This type of scenario will affect the e-mail and storage management policies that IT has in place, Minihan says. For instance, its typical to move data further from online usage the older it gets. But some companies might want to stage older data upfront to ensure it gets deleted. This is particularly true for e-mail, Babineau says. Right now, organizations think its gone, but its on a backup disk, he says.
Related news and discussion:
- From Backroom to Courtroom
- Storage on Trial
- The Big Backup Squeeze
- Look beyond legal discovery when designing e-mail archives, urge experts
- DHS e-mail snafu reveals info on thousands of security pros
- Bad data source of costly storage management problems
- Larry Medina's blog: Conversion is NOT preservation!
Brandel is a Computerworld contributing writer. Contact her at marybrandel@verizon.net.