According to the old cliché, content is king. For many organisations today, the content that they produce could be considered as the crown jewels of the business, including highly sensitive and valuable data such as financial records, intellectual property and databases of customer records. There are many that would like to get their hands on those gems of information and preventing this data from leaking out of an organisation is of prime concern to governments, enterprises and small businesses alike.
Navigating the minefield of e-discovery
In recent years, the number of e-discovery cases has spiralled. Law firm K&L Gates LLP maintains a searchable database of e-discovery cases that includes some 1,000 separate cases in the US alone. The Oklahoma Bar Association estimates that one in 20 US organisations has battled a lawsuit triggered by an e-discovery request, and management consultants Cohasset Associates state that e-discovery costs are the second largest uncontrolled expense for organisations, primarily because they are not prepared. This is exceeded only by healthcare costs. The average amount for complying with an e-discovery request is widely estimated by a variety of sources at around $4 million-but failure to comply can cost many times that amount, as some large corporations have already found.
The processes involved in an e-discovery case are: information management, identification, preservation, collection, processing, review, analysis, production and presentation to a court of law. But the fact of the matter is that organisations produce a colossal amount of information in a wide range of digital formats containing both structured and unstructured data, stored on a wide range of storage systems. Given the vast quantities of information produced and stored by organisations, it is a daunting task to find all of the information needed for evidence. What is required is a good system of information governance.
At the very heart of this is a good records retention policy and management system, covering all data repositories. This requires that organisations undergo a planning exercise, including designation of a cross-functional team with clear responsibilities defined, drawn from all parts of an organisation, including IT, legal and compliance officers, as well as the custodians of all data stores in the organisation. Then organisations need to identify all devices, data stores and applications in use across all devices connected to the network, or held in physical data stores to identify where all documents are created and stored.
Today, a number of technology vendors offer products that help automate information governance requirements, providing transparency over what data is stored in an organisation and where, helping organisations to reduce the risk that information produced is outside the control of the organisation. This will help the organisation to ensure that all of the information it produces is stored according to the policies set and hence is retrievable should it be required to pass a regulatory compliance-related audit, or to more easily be able to produce all of the evidence required as part of an e-discovery request.
Whilst it is true that most of the cases of e-discovery that have come to light to date concern organisations in the US, data is increasingly spread across multiple countries in many organisations, making the process of fulfilling e-discovery requests an even more arduous task. And that throws up another challenge-that of the legality of e-discovery in different jurisdictions. In some countries in Europe, such as England and Wales, the laws are relatively permissive, allowing courts to order the disclosure of information as evidence as long as the demands are not excessive. In others, including France, Germany and Italy, there are as yet no general disclosure laws. In some cases, limited disclosure is allowed, although blocking statutes exist that can make document disclosure illegal and in Germany the workers' council must be involved in all such requests. In Switzerland, e-discovery requests made without the involvement of Swiss officials are regarded as a violation of Swiss sovereignty and can lead to criminal proceedings.
This legal minefield is one that does not look likely to be sorted out any time soon, with only muffled sounds being heard from the EU regarding the possibility of standardising laws across Europe. But organisations cannot afford to be complacent. Many things that start in the US cross over the pond sooner or later and, with e-discovery, it is likely to be sooner. Organisations need to get their houses in order. They should ensure that they have the right information governance tools and processes in place so that when an e-discovery request comes they are in a position to respond without breaking the bank in terms of the costs and the effort involved in complying with demands made.
Regulatory compliance has shown the need for legal officers to be closely involved in setting policies and procedures for organisations to follow, and in ensuring that technology systems chosen to support those processes fully support legal and audit requirements. To prepare for the likelihood that companies will face more e-discovery challenges in the near future, it is imperative that legal resources become even more closely involved and take an active part in the procurement of information governance systems. Expert legal counsel should also be engaged to ensure that organisations do not break laws in specific countries. There never was a better time to be a lawyer, nor to prepare a solid information governance capability.