A complicated puzzle
As a number of recent high-profile legal actions have shown, managing corporate records and being able to accurately discover and recover documents are extremely important business activities. Getting them wrong could lead to serious penalties from government regulators and massive payouts in litigation and class action lawsuits. Indeed, managing the discovery of documents and records was hard enough before the widespread adoption of e-mail, electronic filings and the digitization of data. Perhaps surprisingly, the prevalence of this technology has made the picture more complicated.
‘E-discovery is a very complex problem, and it’s not as simple as merely setting up a system and then forgetting about it,’ explains Michelle Lange, staff attorney, legal technologies at Kroll Ontrack. ‘That’s why we see a lot of litigation in this space, and why we see so many examples of corporations getting it wrong.’
So why, with all the technology we have available and the apparent ease of tracking e-mail messages, are document management and e-discovery so difficult? The first, and probably most vexing, issue is determining what actually constitutes a ‘record’ for legal purposes. The modern corporation generates millions of documents a day. There are notes, memos, financial documents, audit files and correspondence with outsiders – not to mention the endless e-mails that are sent back and forth on a daily basis. And depending on the context, these are just a few of the things that may be considered a record.
Arma International, the association of information management, estimates that 90 percent of all documents created or received by a business are in electronic format. Separating the records from the non-records in this environment is the first step to managing this data. Dan Ryan, executive vice president of marketing and business development at Stellent, suggests that only 5 percent of business content might actually be a record. But how do you know what is and what isn’t?
The initial reaction to this issue is sometimes to retain absolutely everything. This, according to most record discovery and data retention professionals, would be a huge mistake. ‘Corporate secretaries want to keep their companies out of trouble, and they think that by saving everything they will be OK,’ says Charlene Brownlee, attorney of the e-discovery and information management group at Fulbright & Jaworski. ‘This is not the case.
‘The things that companies suggest for electronic information retention are things that they would never dream about in the paper world,’ Brownlee continues. ‘The focus needs to be on whether there’s a solution out there that allows for the effective management of electronic documents.’
A large part of the problem is the commingling of business and personal data. Most of what is sent via e-mail – personal letters to friends, for example – is not a record. Some companies are getting it right, so naturally there are systems that work. But it is not just about the discovery system. Once a document is recognized as a record, it needs to be stored and then placed in a system to allow for efficient discovery. And there is still work to be done after that point.
‘The number-one thing that a compliance officer can do to get their house in order is to build a discovery response team,’ says Lange. ‘This should consist of the compliance officer, someone from the IT department – someone who is familiar with document retention policies and how they really work within the company – in-house and outside counsel and possibly an expert consultant or vendor.’
This team should then be commissioned to put together a response plan. They should ask one basic but extremely important question: ‘If we had to produce X information tomorrow, how would we go about doing that?’
‘Corporations that have done this have been very successful, and we don’t see their names in the headlines. That is the best piece of advice there is,’ says Lange.
The first step toward implementing a successful plan is to identify what will be classified as a record and then institute a retention policy. As Joe Romanowski, VP of product strategy at Zantaz, notes, ‘Everything has a retention period.’ It might be very short, or it might be several years. Developing a centralized repository for all company records is a vital step in the discovery process. Once a repository is set up, the function of recovering documents for legal purposes becomes much easier.
However, one of the problems has been that companies have far too many places where data is stored. This so-called ‘silo approach’ causes problems in the event of legal action.
E-mail is a huge issue, and as Brownlee explains, ‘it has turned everybody into a records manager. Most of these people don’t know how to identify a record, let alone how to deal with correctly storing it.’ Without a coordinated system, storage discovery becomes a nightmare.
‘Before you think about discovery,’ adds Ryan, ‘you should know what data you have and have a consistent policy applied across all the records and retention schedules to ensure that you have an auditable track record and proof of a consistent policy.’ He points out that there is a technology challenge as well. ‘Most companies have a range of file serves running various applications,’ he says. You have to build a system that allows efficient retention and discovery across these systems. That is why a single, searchable repository is vital.
But retaining the data, once you have successfully identified it as a record, is only half the challenge. Most firms that have run into legal trouble over data discovery issues have done so because they failed to recognize and respond to a ‘legal hold’ as soon as it takes effect.
‘Companies need to understand their duty to preserve information when litigation ensues,’ Lange explains. ‘You can prepare your [retention] plan, but on the day you find out about a lawsuit or have reason to believe there may be an action about to take place, you need to take steps to ensure that you stop destroying any potentially relevant data.’
The best way to ensure that a hold is put in place is to give one person ownership of the responsibility. ‘Who is looking for the trigger that should start the preservation notice program?’ Brownlee asks. ‘Someone needs to ensure that, as soon as a legal hold comes into effect, all records are being correctly kept. A company’s record retention system and policy can be great, but if they are slow in responding to a hold, they’re going to get into trouble.’
In short, companies need a litigation response plan. This is done by talking to in-house and outside lawyers and finding out what needs to be done. ‘It’s important that companies don’t act in silos,’ adds Brownlee. ‘There needs to be a unified policy and approach to the problem.’
Getting the discovery process right is important, but the final reports still need to be used. ‘The ability now exists to put the output of your discovery search into a litigation-ready file format that can be loaded straight into a litigation software package,’ Romanowski says. ‘What happens now is that companies hand their output to outside counsel, who then process it again, at a cost to the company, and extract everything they need for legal operations. This includes redactions – the ability to black out sensitive or unnecessary sections of a document – and tagging that allows tracking.
‘Often, the final documentation that the lawyers used is not passed back into the company’s retention system,’ he continues. ‘This is a problem. The more people who handle data, the greater the risk – so thinking about the outputs and how they are used is a very important piece of the puzzle.’
‘It is a very complicated issue, and there is no one definitive source of knowledge,’ Brownlee concludes. ‘Everyone has different ideas on what must be done, and that is why it is important to get everyone together and nail down a unified approach. It is like a Rubik’s cube. You are never going to solve it working on one piece at a time.’