Month: July 2010

Training Employees Before they Hit the SEND Key

Bill Tolson eDiscovery , , , , , , , , , , , , ,

Time and time again we see news stories and legal case writes ups where it has become obvious employees still have no idea that an email is not a private communication. I find most employees, even corporate legal department types, still consider an email is like a verbal conversation in a parking lot; once its ended, it doesn’t exist anymore (unless it was recorded).

A recent example came from the Goldman Sachs Congressional hearings where the following exchange took place:

US Senator Carl Levin: “And when you heard that your employees, in these e-mails, when looking at these deals, said God, what a shitty deal, God what a piece of crap – when you hear your own employees or read about those in the e-mails, do you feel anything?”

David Viniar, chief financial officer, Goldman Sachs: “I think that’s very unfortunate to have on e-mail.”

This is a prime example of a probably very smart guy never considered that specific content in that email would every show up in a blog much less the front page of the Wall Street Journal. This problem of unguarded content in emails has become a major liability for many companies and organizations. Another example is the email flap recently over the emails between various researchers at various universities around the global warming question.

Organizations are doing themselves a huge disservice by not training their employees around proper email use and its implications if not followed. I am not addressing the “right” or wrong” questions about these two specific examples, just the fact that very smart people continuously ignore the consequences of questionable emails.

So what can organizations do to protect themselves from this kind of liability? Well there are two steps that you can take to drastically reduce your liabilities around smoking gun emails. First, train all employees (not just once but at least annually) on your email use policy (hopefully you have one that addresses this kind of behavior). But also just as important is to educate them on the consequences of inappropriate email usage. Explain to them the eDiscovery process and what that means for email. Government agencies as well as attorneys regularly ask for and get emails from organizations in litigation or agency subpoena.

Also educate them on the email technology. I can’t count how many times I have had CEOs, CIOs all the way down the line to line workers explain to me that when they delete an email from their email box, it’s really gone. Show them why that’s not the case with a couple of the hundreds of case examples where company employees believed the same thing and what happened.

The second step is to put technology in place that helps you zero in on this type of behavior before it ends up in court and on the front page.  Many organizations will think this is “big brotherish” and not fitting with their organizations culture. I disagree with this reasoning…Putting protections in place to ensure proper business behavior is a common sense measure to reduce your legal liabilities. Install an email archiving system so that email is secured for some period of time via retention policies and also have content monitoring capability to be able to monitor, in real time, occurrences of content/behavior your organization has deemed out of bounds. Along with this technology, be sure to explain (repeatedly) to each and every employee that all of their emails are being captured for a period of time and that some are actually being monitored for content. I guarantee you that your employees will be overly careful what they put in emails going forward.

Adequately Securing ESI

Bill Tolson eDiscovery , , , , , , , , ,

The law firm of Gibson Dunn has just published their mid-year Electronic Discovery and Information Law Update and pointed out some interesting trends. The report can be viewed here.

From the Gibson Dunn report:

Of the 103 opinions Gibson Dunn analyzed, litigants sought sanctions in 30% (or 31)–compared to 42% in all of 2009–and received sanctions in 68% of those cases (or 21)–compared to 70% in all of 2009.

Courts have continued to impose monetary sanctions on outside counsel for failing to adequately supervise a client’s collection and preservation of electronically stored information (“ESI”). In re A&M Florida Properties, the court sanctioned both the client and its outside attorney, noting that although neither had acted in bad faith, sanctions were appropriate because outside counsel “simply did not understand the technical depths to which electronic discovery can sometimes go.”

Similarly, in Wilson v. Thorn Energy, LLC, No. 08 Civ. 9009 (FM), 2010 WL 1712236 (S.D.N.Y. Mar. 15, 2010) (Maas, Mag. J.), the court imposed an adverse inference sanction for gross negligence where the defendants had lost all data relevant to a large transaction when a USB drive was erased.  Id. at *3.  The Wilson decision declined to apply the protections of Federal Rule of Civil Procedure 37(e), which provides a “safe harbor” “for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system,” as the erasure occurred outside of any routine document management procedures.  Id.

Based on these findings, sanctions for eDiscovery failures are still rising and the courts are holding outside counsel responsible for the discovery practices of their clients.

The Wilson v. Thorn Energy case is interesting for the fact that the responsive data in question was stored entirely on a “USB Thumb drive” with no backup. This brings up the question; what is an acceptable procedure for securing responsive or potentially responsive ESI? Is dumping it to a legal department share drive enough? How about storing it solely on a backup tape? How about putting it on an attorney’s laptop hard disk? The main question that I will address in the next blog post is; What do you need to do to ensure the ESI will be available later on?

Custodial Self-Discovery and Common Sense

Bill Tolson eDiscovery , , , , , , , , , ,

The eDiscoveryJournal, recently ran an article about desktop collection for eDiscovery and mentioned the case of Roffe v Eagle Rock, a case involving custodial self-discovery and expectations from the Judge. The transcript from the conversation between the Judge and both parties of the case can be seen here.

This transcript is interesting in that the judge clearly explains his (and most judges) expectations of the discovery process especially in dealing with custodian’s email accounts and personal computers. In the exchange, one of the defendant’s attorneys explains that he has received some potentially responsive emails from the defendants and is still waiting for some more. To clarify, the Judge asks;

Am I correct that you have been relying on, for the other two committee members, what they self-selected to put in their transaction files, in terms of what you obtained and produced?

The defense attorney answers;

That’s correct, your Honor. I was told that they uniformly would put all of their Eagle Rock e-mails into that folder. I have not checked, and I don’t know whether that is true or whether that is accurate. I believe they are telling the truth, but I don’t know if that is accurate.

In the defense attorney’s answer it becomes obvious that he is relying on the defendants to find and turnover all responsive emails to him and that he has not done any supervisory direction or auditing of the discovery process.

The Judge immediately responds to the defense attorney;

Then here is my ruling. This is not satisfactory. From what you have described to me, you are not doing what you should be doing. First of all, you do not rely on a defendant to search their own e-mail system. Okay? There needs to be a lawyer who goes and makes sure the collection is done properly. So both as to the two directors who already have produced — we don’t rely on people who are defendants to decide what documents are responsive, at least not in this Court. And you certainly need to put somebody on a plane to go out and see Mr. Smith.

So the question for me would be, one, how fast can you do this right? And that means not only the e-mails from Mr. Smith. As I say, somebody should have been on a plane a long time ago to go through his e-mails. And if he chose to use his personal computer, well, that was his bad choice. All right? And if he has it mixed in other stuff that he gets, 150 e-mails a day, or whatever, that was his bad choice. That makes it all the more essential that a lawyer get on a plane, and go and sit down with Mr. Smith, and go through his e-mail and make sure that what is produced is — what is responsive is appropriately produced. And whoever it is better check his auto-delete settings, and they had better find out if these things have been auto-deleting every 30 days or 60 days or 90 days, and they better think through, as somebody properly should have done, whether there needs to be some type of, again, image and forensic check, to make sure that something hasn’t been lost in what sounds to me to be a lackadaisical, unsatisfactory process.

In this exchange, the Judge clearly states; we don’t rely on people who are defendants to decide what documents are responsive. Custodial self-discovery is like the wolf guarding the chicken coop. So for large matters with many custodians with potentially responsive ESI, what can an organization do?

First, the defense attorney should be overseeing the discovery process to ensure it is accomplished correctly. In most courts, the attorney has to certify that the discovery process was done correctly and what attorney wants to do that if they didn’t really manage it?

Second, relying on defendants to find and turn over potentially responsive ESI can be problematic. Most of them will attempt to do what’s right, to the best of their understanding. Those few that could have something to hide may find ways to do a subpar job in the discovery process. If I am the opposing counsel, I am going to want to know if self discovery was relied on. There are a couple of ways to accomplish a custodian-centric discovery. You can image all custodians workstations etc and filter the images for responsive ESI. You can conduct one on one interview with custodians and run search applications on their workstations. Both of these processes are expensive and time consuming.

Companies Need a Social Media Policy

Bill Tolson eDiscovery , , , , , , , , , , ,

Reuters had an interesting article on social media policies on June 28 at:

http://uk.reuters.com/article/idUKLNE65R01920100628

The article pointed out that trying to stop employees from participating in the social media revolution is near impossible and is not the right strategy in any case. The article advocated giving employees some ground rules (via written policy) about what can be written and to always use a “professional” conduct.

In a perfect world…I would agree, but this assumes employees will follow your “general” policies.

The corporate brand is one of the most valuable assets the company owns with years of investment of money, time and goodwill. To simply give that over to any employee could be disastrous.  Let’s look at the problem from the lawyer’s point of view. Your attorney needs to protect the company from possible litigation and costly eDiscovery requirements wherever possible. Corporate social media needs to be managed just like any other marketing program.

All the social media venues I am aware of in one way or another record and displays thoughts, pictures, links etc for some period of time, sometimes forever. The fact to keep in mind is that if you put it in writing, it’s permanent and is out of your direct control from then on. Now, the first question you need to address is “is social media content discoverable (in the legal sense)? Depending on the case and relevancy of the content, the answer is of course! So do you want any employee “speaking” for the company? If your policy is you allow any employee to use corporate social media accounts or allow those employees to refer to the company in any way, then they could be seen as representing the company. Most successful companies I have worked for in the past have very specific rules around for example speaking to the media without prior approval or training. Why would an organization diverge from that strategy?

I know you can’t control what employees do away from work but companies do have a right to control their brand and that includes how they are represented on social media sites. For that reason, every organization should develop, implement and enforce a corporate-wide social media policy for all employees (because if you don’t enforce it, then do you really have a policy?).

Aspects of a corporate social media policy should include:

  1. A policy author with contact information in case employees have questions
  2. An effective date
  3. A definition of what social media is
  4. A description as to why this policy is being developed (for legal defense, brand protection etc)
  5. A description of  what social media sites the company officially participates in
  6. A listing of those employees approved to participate on those sites
    1. The fact that any and all approved social media participations will be done only from corporate infrastructure (this is to protect approved employees from discovery of their personal computers)
    2. A description of topics approved to be used
    3. A description of those topics not approved to be used
    4. A description of any approval authority process
    5. A description of what will happen to the employee if they don’t follow the approved process
  7. A direct statement that unapproved employees that mention the company, company business, other employees, company customers etc. in any social media venue will be punished in the following manner…
  8. A description of how these policies will be audited and enforced

Once the policy is developed, it needs to be communicated to all employees on a regular basis and updated by legal representative on an annual basis.

A side point is, for legal reasons, you should be archiving all approved social media participations much like many companies now archive their email and instant message content.

This type of policy will seem rather draconian to most employees but in reality the organization needs to protect the brand and always have a proactive strategy to potential litigation.