e-Discovery for Risk Managers
9
1 E-Discovery: Rules, Principles & Practices Consultants & authors of * Linda Volonino * Ian J. Redpath Learning the Language Federal Rules of Civil Procedure (FRCP): amended in Dec. 2006 to specifically involve e-discovery in civil cases. Figure 1 Figure 2 E-discovery (electronic discovery): The process of identifying, collecting, reviewing, & producing electronically stored information (ESI) that has been requested by regulators or litigators for use in a legal proceeding, audit, or investigation.
-
Upload
rochester-security-summit -
Category
Business
-
view
635 -
download
0
description
E-discovery is the process of identifying, collecting, reviewing, and producing electronically stored information (ESI) that has been requested by regulators or litigators for use in a legal proceeding or investigation. Almost all communications and business records are ESI since it includes e-mail and attachments, word processing documents, spreadsheets, any computer file, faxes, voice-mail, tweets, texts, and social network posts. Unmanaged ESI is high-risk. Linda will be discussing e-discovery (electronic discovery) risks and best (and worst) practices. She’ll explain the e-discovery rules of procedure, the protections they provide, and how to position your company to be covered by those protections. The lessons you can learn from this seminar may save you from high-cost mistakes--and are much cheaper than learning through experience. . Linda Volonino Dr. Linda Volonino is Professor of Information Systems in the Richard J. Wehle School of Business at Canisius College. Linda has been a computer forensics investigator and expert witness in civil and criminal cases for the past seven years. She teaches courses in information technology, cyber security and computer forensics; and has written seven professional and text books on these topics, including Computer Forensics Principles and Practices (Prentice-Hall), Computer Forensics For Dummies, and most recently e-Discovery For Dummies. Linda is a senior editor of Information Systems Management. She’s served as an associate editor of the Business Intelligence Journal and as Program Chair of the 2009 International Conference on Digital Forensics, Security and Law. Her professional memberships include the Information Systems Audit and Control Association (ISACA), Information Systems Security Association (ISSA), Association of Certified Fraud Examiners (ACFE), and FBI Infragard.
Transcript of e-Discovery for Risk Managers
1
E-Discovery: Rules, Principles & Practices
Consultants & authors of
* Linda Volonino
* Ian J. Redpath
Learning the Language
Federal Rules of Civil Procedure (FRCP): amended in Dec. 2006 to specifically involve e-discovery in civil cases.
Figure 1
Figure 2
E-discovery (electronic discovery): The process of identifying, collecting, reviewing, & producing electronically stored information (ESI) that has been requested by regulators or litigators for use in a legal proceeding, audit, or investigation.
2
The e-discovery rules rocked the legal and corporate landscape by
making ESI discoverable. Government investigations of fraud or
misconduct invariably dig into e-mail, texting, tweets,
smartphones, social networks, GPSs, blog posts, documents,
memos, appointment calendars……
Figure 3 e-Discovery Processes
With e-discovery playing the key role in corporate litigation, data
retention policies are needed as part of the duty to preserve to ensure
the reasonable retention, safe storage, and accurate retrieval of ESI.
Figure 4 Timeline showing when the duty to preserve attaches
3
*Time minus zero: Duty to preserve. You need to take affirmative action--
active and timely measures--to prevent the destruction or
alteration of what might be relevant e-evidence. This duty
generally begins when a legal action is reasonably anticipated.
That’s a tough duty to comply with. Clairvoyance would be
helpful since the scope of what needs to be preserved and as of
when are not clear.
Accept the fact that it’s difficult even under the best of
circumstances to know when a duty to preserve has triggered or
what to preserve. Regardless, the courts consistently require
counsel to be aware of these issues, and to have guided their
clients appropriately in regard to the duty to preserve ESI.
*Day 1: Complaint served. You’re on solid ground here since there’s no
mistaking that a lawsuit is in play. When the lawsuit is filed and
complaint is served on the defendant, it starts a clock that counts
off days, although sometimes you need to count backwards.
*By Day 99: Meet and Confer conference. The meet and confer conference is
also a duty. Litigants must participate in a meet and confer
conference to negotiate an e-discovery plan. The list of topics to
negotiate include the following:
* Any issues relating to preserving discoverable ESI.
* Any issues relating to search, disclosure, or discovery of ESI.
* Format in which ESI should be produced.
* Scope of ESI holdings
* Estimated costs in terms of difficulty, risk, time, and money
of producing the ESI.
Agreements made at the meet and confer and that are listed in
Form 35 need to be conducted. Form 35 was amended by the new
FRCP to include a report to the court about any agreements that
the parties have reached.
*By Day 120: Scheduling conference. A scheduling conference is a hearing
attended by the prosecuting attorneys, defendants, defendant’s
attorneys, and the judge to schedule certain dates and deadlines
for the case. This event is generally the first time the litigants and
their attorneys come before the Court.
You have no choice except to be ready to move forward with e-
discovery at the start of a case.
4
Know the Rules You Must Play By
Throughout the entire e-discovery process you should be considering
how ESI will affect the outcome of your case. Just because you got it
doesn’t mean you can use it. You may be right but can you prove it?
What is admissible in court is determined under the rules of evidence.
In federal cases that is the FRE. Each state has its own rules of
evidence. In most situations they are similar to the federal rules but
not exact. It is important that the attorney is familiar with the
applicable evidentiary rules. The case can be won or lost here.
In Federal Court, all federal rules apply to a lawsuit. Thus in any case, all the
FRCP must be considered and reviewed.
Table 4-1 Comparison of Applicable Rules for e-discovery
Type of
Case
Apply
FRCP
Apply
F.R.
Crim.
P.
Apply
State
Rules of
Procedure
Apply Any
Local
Rules of
Procedure
Apply
FRE
Apply
State
Rules of
Evidence
Federal Civil
Yes No No Yes Yes No
Federal Criminal
Reference Only
Yes No Yes Yes No
State Civil
Reference Only
No Yes Yes No Yes
State Criminal
Reference Only
No Yes Yes No Yes
Deciphering the FRCP
The FRCP set out a path to manage a lawsuit from the filing of a
complaint to its conclusion. Civil cases are commenced by the filing
of a complaint by a Plaintiff. The party sued is the Defendant. The
failure to properly follow the FRCP can result in everything from
sanctions to actually losing the case. Don't rely on the forgiveness of
a judge, strict adherence to the rules is always your best policy.
Think of your relationship with the FRCP like that of a parent/child.
You may not agree with a rule, but follow it because it says so.
5
FRCP 1
The first rule of the FRCP is often overlooked because of its simplicity. But
it sets forth a clear statement of the purpose of the rules. They are “ to
secure the just, speedy and inexpensive determination of every action”.
When you stop laughing, remember this when considering establishing your
plan of discovery or possible cost shifting. Costs can be reduced by
applying best practices (Chapter 3) proper planning (Chapters 6 and 8) or
possible cost shifting approaches (Chapter 12).
FRCP 1 has been used successfully to force such things as more definite
pleadings (Gordon v Impulse Mktg., 2007) and the format of production
(Ayers v SGS Control Services, 2006). It can always be used in cost shifting
arguments.
FRCP 16 and 26
The Courts manage e-discovery through Rule 16. This rule is coordinated
with the “meet and confer” of Rule 26. The Court’s Scheduling Order sets
the time to complete discovery and may provide for the following.
* limits on the extent of discovery
* provisions on disclosure or discovery of ESI
* any agreements of the parties asserting claims of privilege or protection
after production such as clawback or quick peek agreements
* the dates of future conferences or the trial
* any other matter appropriate to the court to include.
Being unprepared or failing to effectively participate in a conference puts
you at risk of being sanctioned. Judges have great latitude in sanctions
including the costs and expenses incurred by the other side as a result of
your actions. These cost penalties may be in addition to the sanctions
related to Rule 37. It should be remembered that the ultimate sanction could
be losing the case.
The bottom line is that there is a 120-day window for the lawyers to learn
the client’s ESI issues and the IT professionals to learn about e-discovery.
It is said that knowing is half the battle. In e-discovery knowing Rule 26
may be most of the war. Rule 26 is essential in discovering a party’s ESI.
One of the most important aspects of discovery is the so called "meet and
confer". Rule 26(f) requires the parties to have a conference at least 21 days
before the Scheduling Conference. This can be a make it or break it for your
case. At this "meet and confer" all issues in discovery should be addressed.
You must be prepared and come with a plan.
6
If you are a party to litigation, Rule 26(a) requires that you either
provide a copy or a categorical description and location of any ESI
that may be used to support your claims or defenses. This is a
mandate without the need for discovery. This should be viewed as a
positive as the other side must also do the same thing and that should
help reduce the costs. The disclosure must be in writing and made at
or within 14 days of the “meet and confer”. Don’t panic, you don’t
need to know everything so soon. Just disclose what you know then
and tell them the rest later. Disclosure is an on-going requirement. All
pre-trial disclosures are due within 30 days of the trial date and the
other party has 14 days to object. Failure to object could result in a
waiver of objections for trial purposes.
Generally under Rule 26(b)(1) you can discover any nonprivileged
matter relevant to your claim or defense. There some limitations. If
you can demonstrate that the ESI is "not reasonably accessible
because of undue burden or cost" the ESI may not have to be
produced. The court may still order it produces if, for example, the
benefit from production outweighs the cost. The court may consider
cost shifting.
Tip: You may be able to withhold ESI if it is privileged or protected. It is an important
aspect of e-discovery.
You must be familiar with the rules applicable to properly protecting
that ESI. The large volume of ESI makes it difficult to avoid an
inadvertent disclosure of privileged or protected ESI. There are ways
to undo what you just did. You may be able to get it back with no
harm, no foul.
FRCP 33 and 34
A party may be requested to answer written questions,
interrogatories" from the other party. Rule 33(d) allows the
responding party to respond by specifying the records to be reviewed,
there location and give a reasonable opportunity to examine, audit and
make copies of the records. This applies only if the answer to the
question may be determined from the records and the burden of
getting the answer would be the same for either party.
Rule 34(b) allows a party to request the form in which ESI is to be
produced. A party may also "inspect, copy, test or sample the other
parties' ESI. If you are the responding party you may object to the
7
requested form and tell them the form you intend to use. You must
"translate" ESI into a "reasonably useable form. If there is no form
requested then:
* in the form in which the ESI is ordinarily maintained, or
* in a form that is reasonably useable.
Assessing your position and strengths
If you’re a party to a lawsuit, here are the logical steps to follow.
1. Determine what you must legally prove to win your case.
2. The IT and legal teams must meet to determine what ESI is essential to winning the case.
3. Establish what ESI you may have that the other party wants.
4. Figure out what ESI the other party has that you want.
5. Establish the form you want to get the ESI from the other party and what form you may want to give ESI to them.
6. Determine if there will be issues of privilege or protection and how to deal with it.
7. Consult the appropriate rules - state or federal and any local rule that may apply
8. Estimate the costs of e-discovery.
9. Prepare a plan of e-discovery, your roadmap and
10. Revise the plan as necessary going forward.
If you’re not a party, you may still be involved if you have ESI a
party wants. Non-party discovery is handled by subpoena in Rule 45.
There’s no meet and confer, but in most cases, you can negotiate with
the parties concerning the scope of the discovery or resort to
obtaining an Order of Protection. You will be entitled to your own
claims of privilege, protection and the "not reasonably accessible due
to undue burden or cost." Cost shifting is appropriate. Keep in mind
that failure to abide by the subpoena may result in contempt of court.
Defining Privilege and Privacy
Like any game, there are established rules and penalties for breaking
them. When litigation triggers, you’re in a high-stakes game.
Consider e-discovery the Super Bowl of discovery controlled by
8
FRCP and FRE and refereed by the Courts. In state cases, state rules
apply that may vary from the federal rules. General concepts apply to
both so we concentrate on federal rules.
You can envision the explosion in the number of servers and hard
drives of handhelds that retain a copy of e-mail messages that have
been cc’d to a lot of people who then forward it on and on. There’s no
scenario indicating a curbing of the exponential growth of business
and personal text messaging via iPhones, Blackberries, and social
networks. More e-mails are exchanged in one day than mail handled
by the United States Postal Service in a year.
Because of digital deluges, it’s not unusual to have hundreds of
thousands of documents that must be culled and reviewed for
potential confidential information or privileged communication.
Think of the e-mails you sent within the past day to a colleague or
associate. Determine the degree of formality you used. Did you
consider the possible impact your language may have if the e-mail
was produced in litigation? Probably not! Informality makes it harder
to scrub potential confidential information or privileged
communications.
Private and privacy are not the same. You only have to look at the
civil and criminal actions that arose out of the discovery of private
text messages of high profile people. Former Mayor of Detroit,
Kwame Kilpatrick and his Chief of Staff Christine Beatty exchanged
over 14,000 text messages, using City-owned devices, over a period
of time totaling four months. Did any City work get done? Their for-
your-eyes-only texts dealt with various issues involving the City,
including those contradicting the Mayor’s account of the dismissal of
the former police chief as well as their relationship. Graphically-
detailed texts between Kilpatrick and Beatty were evidence of lying
under oath.
Recognizing privileged communication
“I thought I could trust you?” Well, that trust can only go so far when
litigation starts. Only communications recognized as privileged
communications are not subject to e-discovery. The privilege is meant
to protect certain relationships as developed under common law.
9
Duty to Make a Diligent Effort
Electronic discovery has been front and center in many recent high
profile cases from Merck, Phillip Morris, Adelphia, Arthur Anderson,
Martha Stewart and Enron. Once the case has been filed, both sides
begin the search for the smoking gun. The smoking gun may exist.
In Ernst v Merck & Co., Inc. e-mails showing that Merck scientists
had concerns over the drug were introduced in the case which resulted
in the plaintiff being awarded over $253million dollars. An e-mail
turned out to be crucial in the Zubalake decision. In most cases it is
nothing more than an episode of Indiana Jones and the search for the
smoking gun.
FRCP 26(a)(1) establishes an obligation on a party to provide a copy
or description by category and location of all documents, ESI and
tangible things in its possession and control that it may use to support
its claim. The scope of discovery is broad as long as what is sought is
relevant, even if not admissible in court.
FRCP 26(b)(2) permits you to withhold ESI that is not reasonably
accessible because of undue burden or cost. The FRCP Rule 26 "meet
and confer" initial obligation is on the party.
e-Discovery bottom line
Case law tells us that …. IT, legal, and internal audit departments need to cooperate on electronic records management & take a risk-based proactive approach to e-discovery.
Why? To meet the reasonableness standard.
Companies should take a risk-based approach to e-discovery policies and procedures; and then make decisions based on its risk assessment.
Tip: When you’re up to your neck in alligators, that’s not the time to start
thinking about draining the swamp.
