May 22, 2008

EMC Solution for eDiscovery Collection

During the last week, EMC formally launched the Solution for eDiscovery Collection. The Solution combines the StoredIQ indexing appliance with EMC's compliance infrastructure. The technology is finally mature enough to really deliver a return on investment; it really works. The following is a link to a 10 minute demo of the solution. If you're spending too much on eDiscovery, and/or if you're at all interested in "bringing eDiscovery in house", I recommend you spend a few minutes and view it: EMC Solution for eDiscovery Collection Demo. EMC will also conduct free proofs of concept (POCs), where you can use the solution on your own data sets to test for yourself how well it works.

November 20, 2007

Bringing eDiscovery In-House

Last week, I sat on a panel at Georgetown University (Advanced eDiscovery Institute) where the focus was on technology tools for bringing eDiscovery in-house. The question is which aspects of eDiscovery should be done with an organization's own people, process and technology, rather than spending on reactive data collections and third party consultants who charge by the project.

The panel considered four types of technologies - email management, work-flow, search/collection, and review. Each has positives and negatives, which I summarize as follows:

Before discussing the technologies, one point had the universal support of the panel and the audience; namely, that no technology will fully succeed in helping to solve eDiscovery challenges unless the organization first understands where that technology fits into a defensible and repeatable process.

Email Archive/Management:  there was strong agreement on the panel that a tipping point had been reached for most organizations, and it was more costly (both from a storage management perspective and an eDiscovery perspective) to do nothing versus building out an email archive.  An archive allows the emails to be brought to one place where they can be found, de-duplicated, stored more efficiently, and importantly deleted at the end of a retention period.  Without an archive, emails tend to end up as psts (personal archives on individual desktops and shared drives) or on backup tapes, where they're duplicated over and over, never deleted and the content is costly and risky to discover and preserve.  The downsides of email archives include the lack of granular classification, and implementation cost (but those costs should be recouped if the archive is done properly, and depending on the chosen policy).

Work-flow:  this is a tool that does not control the flow of information, but rather automates aspects of the eDiscovery litigation hold process (i.e., rather than manually keeping track of which employees are subject to litigation holds on spreadsheets, this type of tool provides a dashboard for managing that process).  There was general agreement that this type of tool was very helpful to the paramount issue of having in place a defensible process.  It is typically a fit only for larger organizations that have so much litigation that they're willing to invest in a 'dashboard' to help manage it and reduce the risk.

Search/Collection:  think of these tools as utilities that crawl unstructured environments and index them, allowing for much more efficient data collection.  There was a difference of opinion about these tools, where one panel member thought they were not mature enough and that he was more comfortable doing manual collections that could be demonstrated to be forensically sound.  I didn't get much of a chance to say so on the panel, but I disagree with that point of view.  In my view, these tools are increasingly going to be leveraged by companies who want to collect and policy manage content that is sitting on file shares and desktops (and is  outside of a central repository such as an email archive).  Given that these tools allow for hashing and chain of custody, I believe they will more than meet the (developing) court requirements for authenticity and the admissibility of evidence.

Review:  the concept here is that, after collecting content, it is loaded into a review platform (for attorneys to review each document and determine if it is responsive/non-responsive, and privileged/non-privileged).  Today, most review is hosted by third parties, but a small number of organizations have brought these review platforms in-house.  There did not seem to be a huge amount of support for this type of application.  My point of view is that eventually this type of tool might be brought in-house by some organizations, but for now, what I see organizations doing, is focusing on the core issue, which is how the information is being managed in the first place, rather than focusing on how it gets reviewed on the back end. 

The bottom line for me was (i) you must have a defensible process, (ii) technology is increasingly being leveraged and in-sourced because a purely outsourced model is expensive, and (iii) the core issue to be addressed is the policy management of information throughout its lifecycle. --A

October 01, 2007

The Power of the Funnel

In talking with many customers and peers, I find that I repeatedly use the concept of a funnel to describe practical ways to overcome the challenges associated with classifying sometimes massive volumes of electronically stored information (ESI), and applying defensible policies for retention, security/privacy, eDiscovery and ultimately "defensible deletion".  Please see slide 5 of the attached presentation.  Download Funnel.ppt

The funnel is a logical metaphor because organizations are being tasked with managing huge amounts of electronic content, some of which has tremendous value, but much of which is either junk or is being retained long past the time when it has any business, legal or referential value.  Across all types of organizations, around the world, the goal is the same - how do I get to the important stuff at the bottom of the funnel?

Think of a funnel as representing the electronic information that enters your enterprise every day (for some organizations, this might be several million objects per day, across hundreds and hundreds of different applications and content types, and even for a relatively small organization, there is going to be a lot of content flying around the network at the speed of light, and then piling up unmanaged on drives and tapes). 

The core challenge for companies is classification - how do I in a practical way put this information into logical categories so that reasonable policies can be applied (and so that the important information can be found efficiently)?  As discussed in an earlier post (Aspirational Records Management Policies), if you merely declare that the existing records management manual, which was put into place for paper documents (and which often contains hundreds of records types), applies to the electronic content, the classification and policy goals of the official records program typically are not met. Given current systems, processes, the state of auto-classification technology, and the refusal of employees and organizations to allow efforts at RM to reduce productivity, the IT department is just not able to operationalize what end up being "aspirational records management policies".

Now picture a funnel divided into three (3) pieces.  On the top (and often the largest part of the funnel) is information with little value (or even negative value) to the enterprise.  The goal at the top of the funnel generally is to "filter" or get rid of this content as soon as practicable, provided that the effort associated with separating out this content is not greater than the efficiencies and risk reduction of getting rid of it sooner.

In the middle of the funnel is what I think of as "productivity" documents, or content that has referential value, but is NOT an official company record.  Think of the emails, powerpoints etc that you might save in subfolders on your desktop every day.  These are not likely to be identified as official records in the company records manual, but they do have value to individuals and small working teams. Importantly, at most companies, if you try to take those away from employees by setting across-the-board short email and file retention periods for non-records, often employees will not react well and they will come up with their own (uncontrolled) ways to save those documents (which may completely undercut the goals of the underlying policy). Conversely, it is important to note that despite the strong feelings of employees about the "need" to keep these types of productivity documents, at nearly every organization in the world, the reality is that when you examine actual utilization rates from an IT perspective, after 180 days, very few of these "productivity" documents are actually accessed.  This lines up with the personal experiences of many - we set aside these documents every day, but how often do we really go back and use ones that are years old?   

At the bottom of the funnel (and often the smallest overall volume of content) are a company's most important business and legal records, and increasingly, included in that category is content on "litigation hold" (in other words, the file that was not a record yesterday ends up being treated like a record once it is determined to be potentially relevant to a legal matter).  For the content at the bottom of the funnel, there is often a need to attach the much greater security, content management and process discipline of true on-line records management.  (I note that in earlier posts, there was some healthy back-and-forth and some may have been left with the impression that my view is that records management should be marginalized in favor of a small number of simplistic policies.  That is not my view.  My view is that records management has never been more important.  That said, there is too much content to try to get employees to classify each and every object.  Rather, you need to determine how to get to the bottom of the funnel and then apply the RM discipline where it belongs.)

The funnel model discussed above does not solve all the issues, and it is wildly oversimplified, but simple is good. I've found it to be a valuable starting place for a risk adjusted approach to setting policy.  I'll plan to expand on some of these concepts in future posts, which will be more frequent than in the past.  --Andy

March 22, 2007

Morgan Stanley Winning the War But Not Winning the eDiscovery Battle

Yesterday, the FL state appellate court threw out the $1.5 billion award against Morgan Stanley.  This case, which was first filed in 1998, has been heavily analyzed, especially because of the sheer size of the award, and because of the eDiscovery implications of the case.  The case concerned the allegations of financier Ron Perelman, who obtained Sunbeam stock in a transaction, but that stock lost most of its value after it was determined that Sunbeam's former executives had engaged in financial fraud.  Morgan Stanley was the investment bank on the transaction and Perelman alleged that Morgan helped falsify the value of the Sunbeam stock.  Morgan vigorously denied those claims.

In the trial court, however, the underlying claims in the case were almost overwhelmed by eDiscovery issues having to do with Morgan Stanley's failure to produce certain electronically stored information.  The trial judge eventually sanctioned Morgan after a series of eDiscovery problems, essentially telling the jury that Morgan's failure to produce email and other electronic content to the other side in the case itself amounted to fraud.  That ruling resulted in Morgan never really getting a chance to defend itself on the actual facts of the case (the underlying fraud claims relating to the value of the Sunbeam stock); they never got the chance to overcome the taint of the initial eDiscovery problems.

The appellate court completely avoided a review of whether the trial judge's eDiscovery sanction was justified.  Instead, the appellate court found that the Plaintiff (Ron Perelman) failed to make a proper proof of economic damages; basically, that his expert did not correctly calculate the loss in the value of the Sunbeam stock. Because such a proof is an essential element of the claim, that failure - the appellate court held - was fatal.  The case will continue to be appealed to the next level in the FL appellate court system; it is not over for either party.

Despite the failure of the appellate court to expressly review the eDiscovery issues in the case, there are two key eDiscovery lessons to be taken from the case at this point.  First, trial judges have tremendous discretion to sanction parties for eDiscovery abuses, but those sanctions still have to bear a proportional relationship to the underlying conduct.  Here, the notion that a company could essentially lose a massive verdict without ever getting the chance to defend itself was, in my view, excessive. 

Second, and most importantly, the eDiscovery lessons of the Morgan case remain unchanged (despite the reversal of the verdict).  It would have been hard enough (and expensive enough) for Morgan just to defend itself on the underlying allegations in the case.  However, due to their eDiscovery problems, Morgan has been on its heels for several years, the appeals will continue, the legal bills will continue, and Morgan will spend perhaps tens of millions more than they would have spent had they had good records management, proactive and repeatable eDiscovery processes and a proactive information management infrastructure in the first place.

 

March 09, 2007

When is the "Honor System" Not Enough?

Much will be written in the coming weeks and months about the eDiscovery and preservation issues in the AMD/Intel case, and the court will ultimately decide the outcome there.  However, there are a number of practical issues that have come up in that case, that come up in many cases, and that apply to just about every entity that does business in the US.  The following is a discussion of some of those issues.

Two Sides of a Coin - Policy Management and a Repeatable eDiscovery Process

When thinking about eDiscovery it is helpful to think of two sides of a coin.  First, how is the "source" information being operationally managed?  Where do the emails and files sit, is there control over that content, and are any policies being systematically applied?  Second, on the other side of the coin, the question is - what is the process that is used after the subpoena or discovery request hits?  The two issues are tightly linked since the better the policy management of the electronically stored information, the more efficient and less risky the eDiscovery process can be.  A few observations are as follows:

  • When it comes to eDiscovery, proactive is good; reactive is bad.  "Proactive" begins NOT when the subpoena is received, but at the time information is created.

  • There is a need for a repeatable cross functional business process for eDiscovery.  That process will almost certainly include "hold notices" that rely on the employee "honor system", but also there will be a need for a "menu" of other collection and preservation methods that leverage the right IT infrastructure to drive out costs (especially intelligent federated search and automated collection) and to drive out risk (with forensically sound data collections, and a collection and preservation repository or "matter vault").

Policy Management

On the policy management side of the equation, the goal is to keep what you need and get rid of the content when it no longer has business or legal value.  One of the central questions is - how is classification to be achieved?  In an email environment, for example, there is everything from absolute junk to an enterprise's most critical content.  How do you sort that out?  The first steps are to get control over the information and to get cross functional inputs on what a simplified set of policies should be.  Some thoughts and considerations regarding policy management:

  • There is a need to have some control over email and unstructured content: (a) to leverage its business value, (b) to de-duplicate it and drive cost out of its management, and (c) to classify it so that it can be policy managed, "defensibly destroyed", and more efficiently discovered and preserved after the subpoena hits.

  • Proactive information management is critical.  You cannot policy manage a warehouse full of tapes.  For most enterprises, there is a need for some combination of archive, index, search and content management tools and strategies.

  • "Archiving" strategies allow information to be brought into a central repository to be indexed and policy managed.  Alternatively, there are developing "in place" information management strategies (Intelligent Information Management) where the information stays where it is (perhaps on shared drives for example), but its metadata is mined, brought into a repository, orchestrated, and then policies are applied back to the information in place.

  • On the policy setting side, think "big buckets."  It is better to actually set and enforce a 3 year policy (i.e., really "push the delete button" after 3 years) than to set a 3 month policy that in fact is never enforced.

  • Consider what role if any you want employees to have in the classification of content.  Anticipate how they'll respond and change management impacts.  Consider if you want to have employees act as a "filter" (merely making keep/don't keep decisions) rather than asking employees to become records managers (who get involved in tagging and classification of content).

  • Email box size limitations and even auto-delete policies, in the absence of some archiving or systematic records management tools, typically lead employees to create "personal archives" (psts, nsfs) on their own desktop hard drives and shared drives.  Thousands of psts and nsfs lead to a lack of information sharing, tremendous duplication and therefore no policy management, and costly eDiscovery.  Think of it this way - if a document resides on 1000 desktops, you cannot delete it, but if it is de-duplicated in a central repository, with 1 object having 1000 pointers to it, then it can be deleted.  The key is to have a policy you're actually going to be willing to enforce, and not allow the eDiscovery preservation obligations to overwhelm that policy (see below).

  • When choosing a policy for unstructured files and email, get cross functional inputs.  Some may want to delete everything after 30 days, and others may want to save everything forever.  Typically, the appropriate policies are somewhere in the middle.

  • If you choose a short policy, you must have extremely efficient and effective eDiscovery collection and hold processes and capabilities. If you don't, every time a subpoena hits you'll either: (a) take the risk of being held accountable for failure to preserve ("evidence spoliation") or (b) as a practical matter, you'll never actually enforce your "official" policy (nothing will be deleted because no one will be in a position to "push the delete button").

  • Remember that this is risk management.  There are no perfect answers, but the goal is to show that your program is thoughtful, reasonable, aligned with legitimate business objectives such as cost efficient information management, and that the program can be validated.

The eDiscovery Process and the Honor System

In an effort to meet legal "hold" or preservation of evidence responsibilities under the eDiscovery rules, it is standard practice for many companies to issue "hold" notices to employees directing them not to destroy certain categories of information.  In some respects, this is an "honor system" since employees may need to be trusted to follow the direction set forth in the notice.  Under what set of circumstances will the "honor system" be enough to meet preservation obligations?  Some thoughts and considerations regarding the eDiscovery process:

  • Establish a cross functional team - Legal needs previously identified contact people in IT and often in Records Management to drive the process.

  • Train the attorneys, RMs and other staff that as soon as they get notice of a case (a "triggering event" for litigation hold), they must do 2 things:  (1) identify the key witnesses and custodians and get them hold notices, and (2) contact the right people in IT to trigger their part of the process (and give direction to IT on the "menu" of choices for preservation - see below).

  • Maintain an audit trail of the hold notices.  This can be manual or automated, but if questioned, you have to be able to prove that you sent the right notices to the right people, that the proper directions were provided, that compliance with the notices was validated, reminders were sent as appropriate, and so on.  This is more art than science, but you have to show a reasonable effort (and what that means exactly is still being defined by the courts).

  • Create a source map or inventory.  Don't wait for the subpoena to hit before you figure out (even at a high level) what applications and content types you have, where the information resides and who is responsible for it.  There's a lot of judgment that goes into how you create your source map, but you might want to start simply (get a "top down" understanding of your key data sources).  This knowledge, together with technology tools, allows more focused collections and holds (rather than the attorneys saying that they don't know where anything is, so everything must be saved).

  • Remember - prior to a triggering event, there is no eDiscovery legal obligation to preserve content (thus the operational policies, discussed above, are what apply).  One key is to have an eDiscovery process and supporting tools that allow a company to continue to apply those operational policies, and not have to suspend them (i.e., continue to allow auto-deletes).

  • From the process side, consider a "menu approach" to litigation preservation.  In some instances the hold notices (honor system) will be fine.  For example, if a customer slips, falls and injures himself, and 10 employees see it, it probably won't be necessary to collect 10 desktops and conduct forensics on them.  That response is not proportional and therefore not reasonable. On the other hand, if a company is hit with a huge government investigation, and there are 100 witnesses/custodians, there may be a need to do more than just send notices.  Again, reasonableness should dictate.  For example, if 10 of the 100 witnesses are identified as the most critical, then perhaps in some cases all of their information should be completely locked down (mirrored drives, journaled emails etc), for the next 60 witnesses, perhaps some key word searches across a repository are sufficient, and for the final 30, just notices are enough.

  • When unstructured information and email is under management, then the tools that can be leveraged as part of the "menu" are more efficient and less risky.  With federated search, there is the capability of doing more automated, intelligent, focused collections (including by key words) and achieving preservation at the same time.  The idea is that there are times when companies need to make a copy and collect relevant content into a secure "matter vault" repository.  This allows the company to continue to policy manage the underlying repositories because they now have a set of the content locked down for the legal case.  The "delete button" on the operational repository can continue to be pressed, without the lawyers telling IT "save everything because we're under investigation."
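The "matter vault" idea above, together with the earlier "1 object having 1000 pointers" point, can be sketched in a few lines. This is an added example, not part of the original post or any EMC product: the `MatterVault` class, the sample documents, the custodian names and the matter id are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample data standing in for an operational mail/file repository.
OPERATIONAL_REPO = [
    {"id": "m-001", "custodian": "alice", "created": date(2003, 1, 10),
     "content": b"Q4 pricing proposal for the Acme contract"},
    {"id": "m-002", "custodian": "bob", "created": date(2003, 1, 12),
     "content": b"Q4 pricing proposal for the Acme contract"},  # same bytes as m-001
    {"id": "m-003", "custodian": "alice", "created": date(2006, 11, 2),
     "content": b"Lunch on Friday?"},
    {"id": "m-004", "custodian": "carol", "created": date(2002, 5, 1),
     "content": b"Acme contract renewal terms"},  # carol is not a custodian here
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MatterVault:
    """Preservation copy for one legal matter (hypothetical structure)."""

    def __init__(self, matter_id):
        self.matter_id = matter_id
        self.objects = {}    # sha256 -> bytes: one stored object per unique content
        self.manifest = []   # chain-of-custody entries, each pointing at an object

    def collect(self, repo, custodians, keywords, collected_on):
        """Copy documents of the named custodians that match any keyword."""
        added = 0
        for doc in repo:
            if doc["custodian"] not in custodians:
                continue
            text = doc["content"].decode("utf-8", "replace").lower()
            if not any(k.lower() in text for k in keywords):
                continue
            digest = sha256_hex(doc["content"])
            # De-duplicate: identical content is stored once, referenced many times.
            self.objects.setdefault(digest, bytes(doc["content"]))
            self.manifest.append({
                "matter": self.matter_id, "source_id": doc["id"],
                "custodian": doc["custodian"], "sha256": digest,
                "collected_on": collected_on.isoformat(),
            })
            added += 1
        return added

    def verify(self):
        """Return source ids whose preserved object is missing or altered."""
        bad = []
        for entry in self.manifest:
            data = self.objects.get(entry["sha256"])
            if data is None or sha256_hex(data) != entry["sha256"]:
                bad.append(entry["source_id"])
        return bad


def enforce_retention(repo, today, retention_days):
    """Apply the operational policy: drop everything older than the period."""
    cutoff = today - timedelta(days=retention_days)
    kept = [d for d in repo if d["created"] >= cutoff]
    deleted = [d["id"] for d in repo if d["created"] < cutoff]
    return kept, deleted


def run_demo():
    today = date(2007, 3, 9)
    vault = MatterVault("MATTER-EXAMPLE")  # placeholder matter id
    collected = vault.collect(OPERATIONAL_REPO, {"alice", "bob"}, ["acme"], today)
    # The 3-year delete still runs on the operational side after collection.
    kept, deleted = enforce_retention(OPERATIONAL_REPO, today, 3 * 365)
    return {
        "collected": collected,
        "unique_objects": len(vault.objects),
        "deleted": deleted,
        "kept": [d["id"] for d in kept],
        "integrity_failures": vault.verify(),
        "vault": vault,
    }


if __name__ == "__main__":
    result = run_demo()
    print({k: v for k, v in result.items() if k != "vault"})
```

The manifest is what lets the preserved set be re-verified later: any change to a stored object shows up as a hash mismatch against the entry recorded at collection time.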

The key under the new rules is that if you have a good process in place and if you have tools built into your infrastructure, as the producing party, you'll be ready for the early meet and confer, and you can be transparent with the other side about the approach you're taking.  If they have a problem with it, then it will have to get resolved by the judge.  If not, a lot of uncertainty (which traditionally led to significant over-preservation) has been forced out of the process as a result of the new rules.

- Andrew Cohen

November 21, 2006

The New Federal Rules (Over) Simplified

The Federal Rules of Civil Procedure have been amended to address electronic discovery, and these amendments will become effective on Dec 1. On the one hand, the new rules will have a significant impact on company processes for information management and preservation, but on the other hand, the world is not going to completely change as of Dec 2.

Much has been written about these amendments. In an attempt to cut through some of the noise, the following is a brief (over) simplification of the new rules and their practical impact.

Electronically Stored Information (“ESI”) is subject to production in lawsuits, which means it will be harder for lawyers to ignore technology and to act as if paper documents are the only form of information or communication.  The way information is managed, from cradle to grave, impacts costs and risks of eDiscovery.

For the first time in the history of the Federal Rules of Civil Procedure, the word “preserving” appears.  This relates to a party’s obligation to identify potentially relevant materials, as soon as the party is on notice of a new case (a "triggering event"), and to preserve or hold those materials so that they are available for subsequent production to the other side in the case.  This is a significant records and information management challenge since each new case will require a company to find the content relevant to that case and preserve it for the life of the case (and this preservation obligation continues even after the normal retention period of the information has expired).  Indeed, given the velocity of information together with the fact that, at the beginning of a case, it is often unclear what should be preserved, the ability to achieve perfect preservation is impossible for most large enterprises.  The key is to create a repeatable process that allows the enterprise to demonstrate after the fact that it made good faith efforts to preserve what it reasonably believed to be relevant.

In every federal case, there will be an early “meet and confer” where each side’s lawyers will be forced to sit down and discuss the scope of discovery, including the sources of ESI, the scope of information preservation obligations (including “litigation holds”) and the formats in which information may be produced.  There may well be the need to have IT experts at these meetings (since the lawyers will typically be “over their skis” when it comes to the technology).  These sessions will drive (i) greater transparency and less of the uncertainty that in the past caused lawyers to "save everything" lest they destroy the wrong thing, but also (ii) more disputes over the scope and form of discovery, and (iii) potentially greater costs associated with having to get outside attorneys up to speed on the details of how the client (enterprise) manages its information.  The latter point will likely cause organizations that face ongoing litigation to prepare some of that collateral (including in the form of “source maps”) themselves so they don’t have to pay their lawyers, in every new case, to learn about how their ESI is managed.

There is a need to understand the “sources” of ESI - where does your company’s information sit, how is it managed, who has control over it, how easy or difficult is it to access, and what are the normal retention and disposition policies.

There is less obligation to produce “inaccessible” content (versus "accessible" content), but you still may have to preserve/hold inaccessible content (which can be just as burdensome). There will likely be a lot of litigation over what is and is not accessible.

There is a “safe harbor” for good faith inadvertent destruction of content, but this is limited and this risk is likely best addressed through a good records and information management program, a reasonable and defensible preservation process, as well as with transparency (e.g., tell the other side you plan to continue to overwrite backup tapes and then take it up with the judge if there’s a disagreement).

There will be some protection for inadvertent waiver of attorney client privileged materials.  On the flip side, the sheer volumes of materials make waivers more likely, and generally, the transparency that is driven by both the current trends in compliance and in the ways that information is managed means that the assault on the attorney client privilege will continue.

The content of this blog, and the opinions in it, are my own, and they do not constitute legal advice. 

-- Andrew Cohen

November 15, 2006

Bridging the Gap

Most organizations are experiencing an explosion of electronic information, especially in the form of semi-structured (email) and unstructured electronic documents and files.  Is this explosion of such content a problem for IT, Legal, Compliance, Records Management, Security, or is it really the responsibility of each of a company’s employees who are generating it? The answer of course is ‘yes’.

Discovering information for legal matters is costing companies billions of dollars per year.  In addition to a general failure to harness the critical corporate asset of information, some have ended up on the front page of the Wall Street Journal, often for unintended loss or disclosure of information that was legally required to be securely kept. Technology drives tremendous efficiencies, but if we don’t policy manage electronically stored information (and “defensibly destroy” it when it no longer has business or legal value), it can overwhelm us.

Why haven’t companies done a better job addressing this problem? A central reason is that techies and lawyers often don’t speak the same language.

Welcome to my first blog. I am both an attorney (Associate General Counsel), and a business executive for a technology company (EMC Corporation, a Fortune 500 company and leading provider of information management solutions).  As the head of EMC's compliance solutions practice, my goal is to bridge the gap between Legal and IT, by taking my legal knowledge and experiences and applying them, in risk adjusted and practical ways, to the most acute information management compliance pain points that companies are facing.

The content of this blog, and the opinions in it, are my own, and they do not constitute legal advice.

-- Andrew Cohen

Andrew Cohen


  • Andrew Cohen is Associate General Counsel, and Vice President, Compliance Solutions for EMC