e-Discovery: The Five Things a CIO Needs to Know

Electronic Data Discovery or EDD is one of the hottest water cooler topics today. Too often there is a chasm between what I hear from my lawyer pals about what EDD is and means, and what I hear from our clients (vendors too). While this article can only dive into this topic briefly, let me describe a few of the important issues and how it may affect those of us in IT.

First, a definition: EDD or e-Discovery refers to the term “discovery” as used in civil litigation which deals with information stored in electronic format. This of course is markedly different from the “old days” when discovery focused only on paper-based information. Paper is physical, where electronic information is intangible in its form, placement, and duration. Interestingly, electronic data usually has additional metadata associated with it where the paper version normally does not.

Second, because the nature of discovery within an electronic information environment is so different, a series of amendments addressing the new environment were made to the Federal Rules of Civil Procedure (FRCF) and placed into effect in 2006. Without going into the specific language, here is the fundamental impact of these amendments:

• Regardless of whether you are already operating under any of the dozens of Federal, State, or Local data retention regulations (HIPAA, Sarbanes Oxley, SEC Rule 17a-4, OSHA etc.), there are NO additional requirements for retention.
  

• They advocate good data management policy and organizational awareness for responding to electronic discovery requests.
  

• There is no mandate for a specific technology solution.

Third, if you become involved in a lawsuit and it is determined that some of the evidence is held in electronic documents, here is what the legal system expects:

• Messages and data must be saved, and for the right length of time.
  

• You need to be able to locate specific data within a specified amount of time.
  

• Records must be kept in a safe and accessible location.
  

• The integrity of the stored data must be ensured.
  

Four, I have had too many conversations where the belief is that all data must be retained because of the FRCP rules. This is simply not true and is sometimes a difficult point to understand. The FRCP rules allow all parties a reasonable expectation of access to the data determined to be within scope of the matter. If you, as the person responsible for producing the data, can respond by using manual methods, that is acceptable. Of course, the challenge quickly builds as you consider all the data types (e-mail, office documents, CAD drawings, IM, voice mail, call records, etc.) and all the possible locations (file servers, local workstations, cell phones, copy machines, home computers) that could fall within scope of a discovery request.

Five, I believe the best preparation that an IT group can make is to create and maintain an organization-wide information map. This information map documents where each type of data is housed, what process creates it, what data retention policies are currently in place, and what media, format, and schedule is used for backup, etc. Obviously, this is not a trivial task, but when the legal hold demand is received followed by a data retrieval request, you know where to look and which purge schedules to alter. Having this information map also allows you to determine the retention/retrieval technology that best supports your business. I have not yet seen a retention system that can address all data types across all storage locations, so the information map becomes very useful in understanding the gaps that remain, and allows you to make plans for addressing that data as well. Additionally, the information map is a key component of a litigation response plan that defines the proper organizational response to a litigation crisis.

Clearly, there is plenty to discuss here, and if you have additional questions or the need for help in this matter, give us a call.