How do you keep the ESI skeletons out of your closet?

A blog post written by Jim McGann of Index Engines on May 4th zeroed in on an interesting topic: how to keep ESI skeletons out of your corporate closet.

In his post Jim writes: Law firms and corporations alike tend to keep data storage devices well beyond what their compliance requirements or business needs actually dictate.  These so-called “skeletons in the closet” pose a major problem when the entity gets sued or subpoenaed. All that dusty data is suddenly potentially discoverable. Legal counsel can be proactive and initiate responsible handling of this legacy data by defining a new, defensible information governance process.

These skeletons can encompass both old, out-of-date data and the devices the old data is stored on. The risk includes not just the old data, which might have content that you would rather not have discovered, but also the storage devices that would “read” the old data. An attorney friend of mine related a case he was involved in several years ago where a company in discovery was asked about a filing cabinet in its warehouse that contained hundreds of 8-inch floppy disks. The plaintiff’s attorney asked if those floppy disks could contain data from the time period in question (8 years ago). No one at the company could really answer the question, so the plaintiff’s attorney asked for an inventory of the data on those 8-inch floppy disks.

The defendant’s counsel obviously raised concerns over their ability to actually read the data as well as the cost involved. They argued that the disk drives which could read the 8-inch floppy disks couldn’t be found, that even if they could find the drives, they didn’t have computers with the correct interface to actually look at the data, and that the software to enable the floppy disks to be read did not exist.

The judge’s question to the defendants was obvious: “Why do you have a filing cabinet full of hundreds of 8-inch floppy disks if they can’t be read?”

The point of the story is that data/information has a life span. Data that is 8, 9 or 10 years old will in most cases not be useful to an organization (unless there are regulatory reasons to keep it), so manage it for as long as it’s useful to your organization and then get rid of it, especially if the technology to utilize it is way out of date.

2011 Seems to be the Year of On-Line Privacy Laws…Finally

One day after an internet privacy bill was introduced in the Senate, one was introduced in the House. The Senate bill, called the Commercial Privacy Bill of Rights and introduced by Sens. John F. Kerry and John McCain, includes measures to address consumer concerns that their sensitive data could be misused. The Senate bill does not, however, include the “Do Not Track” provision asked for by many. The unrestrained collection and sale of our data and on-line habits to retailers and others have raised wide concern.

The House bill, referred to as “the Consumer Privacy Protection Act of 2011,” was introduced by U.S. Rep. Cliff Stearns. The Stearns bill would require web sites to clearly state what personally identifiable information is being collected and how it is used. If a consumer opts out from having his information collected, the opt-out will last for five years unless the consumer changes his mind before then.

“The Consumer Privacy Protection Act of 2011” bill joins another House bill introduced in February by Congresswoman Jackie Speier, Democrat from California, that also targets privacy issues. Speier’s “Do Not Track Me Online Act of 2011” directs the FTC to develop a “do not track” mechanism that allows consumers to opt out of having their data collected, used or sold. The California State Legislature also is considering a bill at the state level that would give consumers more control over how their online behavior is tracked and shared with marketers and retailers.

What do these potential laws mean to consumers? Well, if one or more of them are finally passed into law, your electronic footprints, habits and on-line purchasing information will not be sold to organizations that you don’t know and don’t approve of. Laws of this type need to be passed so the average consumer is not afraid to utilize all aspects and capabilities of our electronic frontier.

Adequately Securing ESI

The law firm of Gibson Dunn has just published its mid-year Electronic Discovery and Information Law Update and pointed out some interesting trends. The report can be viewed here.

From the Gibson Dunn report:

Of the 103 opinions Gibson Dunn analyzed, litigants sought sanctions in 30% (or 31)–compared to 42% in all of 2009–and received sanctions in 68% of those cases (or 21)–compared to 70% in all of 2009.

Courts have continued to impose monetary sanctions on outside counsel for failing to adequately supervise a client’s collection and preservation of electronically stored information (“ESI”). In re A&M Florida Properties, the court sanctioned both the client and its outside attorney, noting that although neither had acted in bad faith, sanctions were appropriate because outside counsel “simply did not understand the technical depths to which electronic discovery can sometimes go.”

Similarly, in Wilson v. Thorn Energy, LLC, No. 08 Civ. 9009 (FM), 2010 WL 1712236 (S.D.N.Y. Mar. 15, 2010) (Maas, Mag. J.), the court imposed an adverse inference sanction for gross negligence where the defendants had lost all data relevant to a large transaction when a USB drive was erased.  Id. at *3.  The Wilson decision declined to apply the protections of Federal Rule of Civil Procedure 37(e), which provides a “safe harbor” “for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system,” as the erasure occurred outside of any routine document management procedures.  Id.

Based on these findings, sanctions for eDiscovery failures are still rising and the courts are holding outside counsel responsible for the discovery practices of their clients.

The Wilson v. Thorn Energy case is interesting for the fact that the responsive data in question was stored entirely on a “USB Thumb drive” with no backup. This brings up the question: what is an acceptable procedure for securing responsive or potentially responsive ESI? Is dumping it to a legal department share drive enough? How about storing it solely on a backup tape? How about putting it on an attorney’s laptop hard disk? The main question that I will address in the next blog post is: what do you need to do to ensure the ESI will be available later on?

Are foreign laws restricting the production of customer data being ignored by US courts?

In a recent case, Accessdata Corp. v. ALSTE Tech. GMBH, 2010 WL 3184777 (D. Utah Jan. 21, 2010), the Plaintiff, an American company, sought to compel defendant’s production of documents, including information related to customer complaints and defendant’s technical support of non-customers. Defendant objected to the interrogatories and requests for production on the grounds that they were overly broad, unduly burdensome, and seeking irrelevant information and because “disclosure of information relating to third parties’ identities would violate German law.”

The defendant’s main argument was that German law prohibits the production of third-party personal information and that, if it complied with the discovery requests at issue, it would “subject itself to civil and criminal penalties for violating the German Data Protection Law … and the German Constitution.”

In this case the court found that ESI requested from a German company should be turned over in discovery even though the defendant stated that German privacy laws prohibit customer data being turned over without the customer’s approval.

In this specific case, the court found:

While defendant asserts that providing personal information about its customers and their employees “would be a huge breach of fundamental privacy laws in Germany,” defendant has failed to demonstrate the verity of this assertion. Defendant has not cited to the particular provisions of the German Data Protection Act (“GDPA”) and/or German Constitution that would prohibit disclosure of personal third-party information. Based on the court’s brief review of the GDPA, it appears that it does not necessarily bar discovery of personal information. In particular, Part I, Section 4c of the GDPA, entitled “Derogations,” provides that the transfer of personal information to countries that do not have the same level of data protection “shall be lawful, if … the data subject has given his/her consent [or] … the transfer is necessary or legally required … for the establishment, exercise or defence of legal claims.” The GDPA further states that “[t]he body to which the data are transferred shall be informed that the transferred data may be processed or used only for the purpose for which they are being transferred.” ALSTE has not demonstrated that it has been unable to obtain consent from its customers or that it has even attempted to seek consent. ALSTE has also failed to address this particular provision of the GDPA or explain why it would not apply in the instant case.

On the face of it, this case looked like the United States District Court was imposing its will upon a foreign government and its privacy laws. In reality, the two main points of this particular case were:

  1. The defendant did not cite the particular provisions of German privacy law and did not try to obtain its customers’ approval to have their personal data transferred.
  2. The German laws actually make provisions for the possibility of ESI transfer to another country’s jurisdiction; the GDPA does not necessarily bar discovery of personal information. In particular, Part I, Section 4c of the GDPA, entitled “Derogations,” provides that the transfer of personal information to countries that do not have the same level of data protection “shall be lawful, if … the data subject has given his/her consent [or] … the transfer is necessary or legally required … for the establishment, exercise or defense of legal claims.”

10 Clues Corporate Counsel Should Take to Heart about eDiscovery

The following content was inspired by an article in Law Technology News in Oct 2009 by Tom O’Connor titled “Top 10 EDD Tips for General Counsel”.

  1. Read the Rules: Read the Federal Rules of Civil Procedure or at least the amendments passed in December of 2006. For most of you, the days of farming out all discovery preparation are quickly disappearing. You are going to be responsible for not losing the case against you in the first couple of weeks by screwing up the discovery process. Come on…you made it through law school and read (?) all those books, and you have probably suffered through your share of mind-numbing IP applications. The FRCP is not as bad as that. I also recommend taking a look at the Electronic Discovery Reference Model (EDRM), a great site for in-depth learning of the eDiscovery process.
  2. Learn from Others: Case decisions are a great place to learn what others assumed or tried that didn’t work. They are also a great place to determine judges’ opinions and judicial thinking. There are many great blogs and websites. The one site I look at every day is Electronic Discovery Law, which consistently has great write-ups and analysis on current and past cases. I have been constantly amazed over the years to see how little attention corporate counsels pay to current legal actions. If nothing else, some of these decisions have a great deal of humorous revelations in them and will give you a chance to make fun of others. Another great organization to look at for information and leadership in the discovery process is the Sedona Conference organization.
  3. Understand the Terms: No, eDiscovery is not an electronic dating service; early case assessment (ECA) is not a process to determine if a case of wine in your basement has gained in value; and “PST” is not a juvenile texting shortcut for “Please Stop Texting”. Knowing the legal terms is expected; generally knowing technical terms such as “gigabyte” and “thumb drive” will be helpful and just might impress the Judge.
  4. Understand Where the Corporate ESI Could be Stored: Understanding all the places ESI could exist is the first step in lowering your risk in litigation. After you understand where all the ESI could exist, and it could be thousands of places that have little or no central control, limit the number of locations that ESI can be stored. This will lower your cost of collection a huge amount.
  5. Talk to your IT department: Take the key individuals in your IT department out once in a while, maybe to your club. This will impress the propeller heads enough so that the next time you incorrectly reverse sync your BlackBerry and blow all your contacts out of your Outlook, they might actually fix it quickly. You might also learn some other stuff that would be helpful, like the fact that they are keeping backup tapes around for years (if you don’t know why this is a problem, you didn’t take the prerequisite to this class).
  6. Acknowledge (and work with) your Records Managers: They’re not bad people, just misunderstood. I have heard Records Managers often referred to as “Blue Hairs”. This is an obvious reference to the stereotype that all records managers are “mature” women. I won’t lie to you; this is sometimes true in certain industries but not everywhere. The Records Management department can be an important ally in your understanding of eDiscovery problems and ways to fix those problems. They are also important in the next clue.
  7. Create a Usable Records Management Policy and Schedule: I walked into a large company several years ago on a consulting engagement and asked them for their records retention schedule. After about a day and a half I was given a 212-page document that was full of record types and retention periods, all in 8-point type. When I asked them if they really thought every employee actually followed this schedule, they answered “absolutely” and they meant it. After interviewing 40 or so employees I found that 34 of them didn’t know the company had a retention schedule and the other 6 employees just regularly kept everything forever. Having a records retention policy and schedule is the first step in controlling your ESI. The idea is to manage and control it, not keep everything forever. A word of caution: a retention schedule that is not enforced is worse than not having one at all.
  8. Create a Litigation Hold Policy and Test It: Creating a litigation hold policy before you experience litigation should not be a revelation to anyone even though I know for a fact it is for many.  It just makes sense that being able to effectively stop the destruction of potentially responsive ESI would lower your risk of spoliation. A common sense next step would be to test it. A litigation hold policy that doesn’t work will not usually impress the Judge.
  9. Train Your Employees: Train your employees on the records retention policy and schedule as well as the litigation hold policy. Remember the example above in the “Create a Usable Records Management Policy and Schedule” topic. Having a policy and not telling your employees about it will not get you an invitation to the next Mensa gathering. Employees should be trained regularly and asked to sign a document that says they understand the training.
  10. Automate Where You Can: The bigger your organization, the harder it will be to do things manually. I know “archive” is a dirty word to most legal types, but the term archive does not mean save everything forever. It is a way to manage your ESI so that it is eventually deleted. Put ESI management systems in place that will help you meet your legal, regulatory and business requirements.