An In-House Counsel’s Guide To eDiscovery,
Legal News & Analysis - Asia Pacific - eDiscovery
8 March, 2018
Metadata, terabytes, forensic images, slack space, email archives. So when did they teach this in law school? For most in-house counsel, these are not terms even Webster knew existed when you were in law school, nor are you likely to use them every day in your legal practice. But for the subset of in-house counsel who manage the company’s eDiscovery activities, these terms get committed to memory very quickly. There are numerous best practice treatises and articles that outline the case law requirements, the tools that can be utilized and the overall architecture of an eDiscovery program. And good as all of these are, what seems to be missing is the practical application of all those great principles to a pro t making entity. Because be clear on one thing – the corporation exists for its bottom line. If you are not a law firm, all the legal and risk management theory in the world is not going to matter when you are trying to convince a messaging manager why she or he needs 12 more servers for your discovery efforts. This paper attempts to provide at least some practical guidance on how you might go about developing such a program INSIDE the company rewall and live to talk about it.
Let’s begin with, the Electronic Discovery Reference Model. It models all the phases in the discovery lifecycle. Each of the phases presents a unique challenge to the in-house practitioner.
Because records management can be, and has been, the subject of multiple treatise volumes, let’s stick to the discovery space and start with identi cation. It’s 10 o’clock – do you know where your data is? If you are like most in-house professionals, you haven’t a clue. The problem is that rules require that we get one quick – so where do we start? The treatises tell us we should have a data map – a detailed listing of every server and storage array, as well as every PC connected to the corporate network. In companies with global business operations, commanding a disciplined knowledge of every database, document management system, data store and piece of hardware is a full time job for an entire IT organization. How about settling for a reasonably comprehensive idea as to where data responsive to document requests might be? Here are some simple tips that might help:
Don’t focus on the universe of electronically- stored information (ESI) rather rst outline the company’s main business lines. Identify those business lines with the highest litigation pro le and start there.
For each business line, develop a high level overview of the business – number of employees, what geographic locations they are in, what systems they use on a daily basis (e.g. comptroller’s group probably accesses an account payable system while marketing likely has some kind of customer database). This is grass roots private investigation. You can’t do this over the phone – get out of your office and go to the business; sit with the business; live the business. No amount of interviewing can replace simply being there while people are working – they may not even know what they are accessing is a company database – and more likely, if they do, they call it something much different than the IT professional supporting it does. Bottom line: know the business = find the data.
Reduce to writing, in no matter how crude a form, the high-level information you get from step No. 2, and then do the whole thing all over again with the IT professionals. Tell them what you learned from the business and try to match the systems they support to what you heard from the business constituents about what they use. If you get a 50 percent match, you are way ahead of the game.
What do you do with the other 50 percent? Convince your IT department that it is a good idea to have a centralized company application database – one where you can input a free text search and get basic information about the system and most importantly, who the IT and business owners are. Then, if you hit a brick wall, you can at least get those two people on the phone and try to get to the bottom of it.
Now comes the hard part – the global systems like email, voicemail and instant messaging. You have to search deep within your IT organization and nd the people responsible for these services. As above, interview each one about the type of system or systems (many companies have one email system but several voicemail and IM systems), the physical location of the servers housing these applications and the overall volume of information (hardware and data) they store. Most importantly, ask what the system doesn’t do (e.g., can you save voicemail for more than 10 days?). Knowing all these answers gets you the prize of being able to attend the Meet and Confer!
Go to step No. 3. Document, document, document – no matter how good your memory is, consolidating all you’ve learned into one document is not only legally advisable; it may also save you from having to be the 30(b)6 witness – you can use this information to prepare someone else to be the witness – always a good thing when you are in house counsel!
Repeat steps 2 through 4 for every business unit that is practicable. If one of your business units got sued once ve years ago, do a risk bene t analysis and maybe it is not worth your time to spend the legal capital right now, but at least you have a plan if you ever have to tackle that business unit.
So now you know generally what you have (or at least you are working on it!). When litigation becomes reasonably anticipated, we have to preserve and/or collect to meet our obligations.
So which one of those should you do – preserve or collect? The answer to that will depend on what you learned in the identi cation phase.
Where is the data that is likely responsive to the claims or defenses in the case? Is it on company managed and controlled servers or is it on free oating laptops in the eld? A good rule of thumb to follow is: if it is more likely that something could go missing unless you collect, then more likely your preservation efforts should closely resemble collection. If, however, the emails are all stored on company servers, the company databases all have audit trails that can roll back the clock to any point in time without resorting to back-up tapes, and the number of key players is relatively small, you can probably instruct those key players to preserve and hold off on collection.
So that brings us to the legal hold – the start of any preservation campaign is the legal hold. Hopefully, it is at least an email from someone with the authority in the company to convey the seriousness of the matter, it contains a brief description of the matter and what kinds of information should be held (not the typical “any and all documents related to . . .” language), and it contains your email and phone number to help them gure it out. It should also, however, contain SOME instruction on what to do to meet their obligations – even if that instruction is to do nothing, meaning don’t move, don’t delete, don’t touch – until the lawyers call you.
Now, of course the litigator in all of us is cringing right now. Do we really think they won’t touch anything?
That is entirely dependent on the company culture. There are some companies where the importance of records management is so ingrained in the day-to-day lives of the employees that a mere instruction will suf ce. In others, it is a call to arms for spoliation. You have to know your culture and make a reasonable decision based on that. And then by all means, as above, document, document, document. Make sure you keep a record of who got the hold, what the hold said, when it went out, when the recipients received it, etc. Even the best memories fail so keep your records.
To help you keep those records, there are some great tools on the market – they can link to your email system and track all the information you need about when you issued the hold, to whom you issued it, when you collected, etc. But beware of putting the technology cart before the horse. Get your process down rst, test it, repeat it and test it again.
Once you are sure of your process, you can look to technology to ENABLE that process, not create it. And the technology doesn’t necessarily have to be one of these hold systems – it can be good old fashioned Microsoft Excel or Access with manual entry by a responsible person inside the company (if not an attorney, someone supervised by one). If your litigation pro le doesn’t warrant a Cadillac, don’t buy one. However, if you can’t go a day without issuing a hold of some form or fashion, consider one of the more robust tools to keep your sanity. Bottom line is can you prove what you did when (and not have to spend an inordinate amount of time gathering and sorting to find out)? Do what works for your company.
Collection sounds simple, right? Push the big red button and gather everyone’s emails, the databases, etc., and ship them off to counsel. But unfortunately, in the real world, you don’t just stroll down the hall and stop at someone’s of ce door and say “Hi, I’d like your computer for an hour please.” Go back to step 1 above – know your business. If the people in that business unit don’t listen to anyone but the regional VP, maybe the regional VP should send the note informing the employees of the collection and spelling out what will happen – you will of course draft this communication for the VP – but you get the clout he/she carries in delivering the message.
You also need to gure out HOW to do the collection. If it is laptops and desktops, there are many tools on the market that can make a forensically sound harvest of the data. Do you need an image or just the active data? Which tool works best for what you need? Can your in-house technical people use the tool and do the collection or do you need help from a consultant or vendor? The thing to keep in mind is your ability to explain what you did. Again fast forward to the spoliation hearing (which we all hope you never get to!).
How do you want to come across to the judge?
If it sounds like a hush-hush-wink-wink kind of effort, your opponent is not likely to think you were acting reasonably – and neither is the judge. If you are using proven technology and process that can be explained to the other side, is understandable to the other side’s experts, collection is logged and adequately documented, you should be OK, whether or not you choose to physically do the collection yourself or with a vendor’s assistance.
If it all ended at collection, life would be simple. Unfortunately, it doesn’t. Informing your decisions in the collection phase must be the long range plan for the next step in the process – processing. For example, if you collect forensic images alone in phase one, you need to be prepared to restore those images if and when you have to produce. Sometimes it is just as easy to do two collections – one of the active data, and one forensic image. This way, you can use the active data to start the process and preserve the image as your insurance policy for later on.
Now here’s the dilemma: do you need a true forensic image in every case? Like with everything else in this area, you need to balance the risks and costs. If you are not careful, you will create tons of forensic images and have stacks of drives to use as coasters because you never need them in litigation. Plus, you’re now adding to that mountain of stored data that we affectionately refer to as “legacy,” meaning no one knows what’s on it, but it might relate to litigation so we have to keep it. Be smart, look at the long-term implications of your collection decisions so that they do not leave the company in worse-off position AFTER your litigation.
So now your motions to dismiss were unsuccessful and you actually have to do something with that data you collected – on to processing. “Processing” means different things to different people. While over-simpli ed, processing simply means taking the data from collection, attening it all out so you can search all of it (attachments, etc.), running your search terms (or not), de-duplicating and getting it ready to put somewhere for review.
Some vendors charge for each step, others lump it all together. Either way, the key here is again documentation. Make sure you know exactly what is happening to your data and how the process is quality checked. For example, if you give the vendor 100GB, how can you prove all 100GB were processed, nothing fell off or didn’t process?
Make your vendors explain all of these steps and where necessary, reduce that explanation to writing so you can use it if there is ever a spoliation hearing. If a vendor refuses to share that level of detail with you, you would be wise to nd another partner. Because that is the key when it comes to processing. Your vendor is your partner. You are stuck together for the entire case. You wouldn’t choose a law firm simply by price or choose a lawyer who wouldn’t explain themselves to you, so don’t accept it from your vendor.
The key questions to ask yourself are:
- Does the vendor have grounded experience and a good reputation in the industry (note the recent rash of suits against vendors for poor performance)?
- Will the vendor reduce their “secret sauce” recipe to writing?
- Does the process explain what goes in, what happens to it, and what comes out with strong quality controls throughout the process?
- How strong is the project management? Will you have a dedicated project manager reachable at all hours? All joking aside, litigation is a 24X7 business and to work with a vendor that provides support and project management from 9-5 probably isn’t going to get you your desired results.
- Is the vendor working with you to create the right solution for your case or are they trying to t your square case into their round case solution? There are numerous excellent tools out there – but not every one is right for every case – make sure the overall design of the vendor’s process is in line with the goals of your case.
Now for the hard (and most expensive) part of the whole process – review. Is that conjuring up visions of hundreds of rst year associates or contract attorneys in the basements toiling over every page of the documents? Well, in a lot of ways, things haven’t changed that much in this electronic age. Because technology allows us to create and store so much so easily, even with sophisticated culling and processing steps, we still wind up with hundreds of thousands of page equivalents to review. What to do? Here’s where technology and a little creative thinking can help.
First, know how long you have to complete the review. If you are in a mass tort/class action setting, chances are your discovery deadlines a bit off and you have some time to plan and organize. But let’s say it’s the DOJ (or other agency) knocking on your door. Chances are your review time is going to be compressed. To gure how long your review should take, estimate the number of pages you have to review and divide by 200 pages (average review speed) per hour. That’s the number of hours the review will take. Divide by 40 and that’s the number of weeks with one reviewer – you get the idea – increase number of reviewers or the number of pages reviewed per hour and shorten review time. The hard part is making sure all those reviewers make consistent decisions and protect the company’s privilege.
Consider the use of what many refer to as “conceptual clustering tools.” These tools take like items (chain emails, different versions of the same document, documents with the same overall concept in them) and group them together, allowing a reviewer to get a bigger picture of the sphere of documents in the collection that might be related. These tools can be incredibly effective for rst pass review. If nothing else, these tools can help you in the quality control phase of the review to ensure inconsistent calls have not been made on related documents.
Whatever tool or platform you choose, chances are you still need a human licensed to practice law to do the review. You have several options available here. Most of your law rms are willing to hire contract attorneys and pass the cost straight through with no markup or, if they provide space and computers, with only a slight markup. That can save millions over traditional law firm associate review. The thing to consider here is can the law rm MANAGE that review? Managing a review room, ensuring the reviewers are working at adequate productivity and accuracy levels and quality controlling the process is not in most law school curriculums – nor is it part of many rm training efforts.
To help in this regard, you might also consider the use of third party review firms. These are rms organized as law firms, or not, that specialize in document review. They have developed familiarity with most of the document review platforms on the market and quality control practices to govern the review room. They can report on productivity and error percentage rates – all things which will make your internal nance colleagues smile. Review can be measured and quanti ed in such a way that you can use that valuable information as a predictor for future costs. And we all know that the litigation attorney who can accurately predict what discovery will cost will be the star of the group - in nance’s eyes anyway.
Whether it’s a conceptual tool or a traditional linear tool, whether contract attorneys or a review firm, keep the following in mind:
Establish a written review protocol, even for small cases, that, while clearly privileged, can serve as documentation (in camera of course) to prove that there was an organized approach to the review, that the reviewers were adequately trained and speci cally that privilege review was intended and addressed.
Require senior/trial counsel from your outside rm to attend and/or conduct part of the reviewer training – reviewers are much more effective when they know how they t in the case. Sharing theories of the case and overall strategy with the folks actually looking at the documents can provide an invaluable bene t to the fact development curve for outside counsel.
Regularly monitor review room performance and metrics – when you are running up against the production deadline and your opposition is mounting the motion to compel, you want to have facts and gures to explain why it takes so long and be able to demonstrate your reasonableness (e.g., 50 attorneys working full time for x days to meet the deadline).
So we’re done, right? Well, unfortunately, your day job might get a bit lighter (on this case anyway), but now someone actually has to learn the merits of the case and get ready for a trial if necessary. But you can be sure that you have greatly aided in that end goal by allowing outside counsel to know that they are building that factual case for you based on a solid discovery foundation. It’s a team effort with in-house counsel typically bearing the greatest front end laboring ore.
But never forget the team. The case law is very clear that both inside and outside counsel have roles to play in this discovery process and neither one can blindly rely on the other. Trust but verify – do not get annoyed when outside counsel wants to take your time to understand exactly what you did and when.
Consider an upfront meeting at the beginning of the case (or periodic meeting with all your outside counsel) that teaches counsel on your practices and desired approach. Then, you can work together on
a case-by case basis and tweak those processes for each case where necessary. What results is a team ownership of this process. You avoid nger pointing and ensure that if you ever have to defend your process, both you and outside counsel are working toward the same goal – winning cases.
For more information, please contact:
Sebastian Ko, Regional Director, Document Review & Expert Services, and Legal Counsel Asia, Epiq