eDiscovery Standards and Trends
The lack of a published set of eDiscovery standards creates a hole in eDiscovery methods. The standards, proposed in Chicago on June 14 at the Seventh Circuit’s Electronic Discovery Committee Workshop on Computer-Assisted Review, would be administered under an organization approved by the American National Standards Institute. At minimum, it would guide attorneys in how to perform discovery of electronic information. Software companies and service providers could also market their work as standards-compliant.
One of the greatest advantages of a standards-compliant eDiscovery industry is the ability to provide some consistency in process. In the current environment, the results of an eDiscovery process at one firm may not produce the same results as another firm. With a set of eDiscovery Standards, we can actually apply Predictive Coding to our projects. Applying standard process to a certification such as ISO 9001 gives the courts and clients a reasonable expectation of quality within the eDiscovery Process.
Understanding how we develop and deploy standards will vary based on the many different perspectives of eDiscovery. The Federal courts may require application of one standard while civil courts will likely have a different set of needs. Application of eDiscovery methods will vary greatly between a large multinational engineering firm and a small Social Media Marketing company.
Although recent eDiscovery trends show a divergent pattern, they all indicate the need for standard, repeatable processes. Social Media sites such as Twitter, Facebook, and LinkedIn have been the focus of many recent cases. A set of eDiscovery Standards will also help large Social Media sites develop cost efficient eDiscovery tools into their framework. Google Apps for Business is also becoming a data solution for many companies. Google needs to be able to provide solutions for companies to perform their own eDiscovery collection on employees data hosted in the Google cloud.
My personal opinion is that companies that hold large amounts of data will avoid creating collection tools until they are assured that there methods will be accepted by the legal community. Collecting data from the Cloud is obviously one of the most discussed trends in eDiscovery. Under the Federal Rules of Civil Procedure, a party to litigation is expected to preserve and be able to produce electronically stored information that is in its “possession, custody or control.” But in the cloud, the situation isn’t so clear. Information that’s electronically stored in the cloud is presumably under your control, but it may not technically be in your possession, says James M. Kunick, principal and chair of the intellectual property and technology practice at law firm Much Shelist.
Because this area is so new, the legal ramifications of storing data in the cloud are still murky. Among the few instances of case law is Gordon Partners v. Blumenthal, which found that if a company has “access to documents to conduct business, [then] it has possession, custody and control of the documents for purpose of discovery,” according to Murphy.
What we mean by ‘e-discovery in the cloud’
“E-discovery in the cloud” can be just as confusing as all other things cloud-related. It means different things to different people. This article focuses on e-discovery on data that has been stored in the cloud for general purposes. (Category three, below.) But vendors sell a variety of tools related to e-discovery and the cloud. Here’s how Christine Taylor, an analyst at Taneja Group, delineates the market:
Web Based Applications
Take web-based email applications such as Yahoo!, Gmail and Hotmail: They typically provide a good user interface for normal personal or business needs, but cloud services so far have seen little benefit or need to provide users with a robust ability to identify and collect email relevant to a particular issue. This is a problem when business has been mixed with personal email accounts.
Gmail now offers Gmail Backup as a free program. Once installed and configured, the program will back up all messages in an EML format that is saved to a specified location. After backing this up on a local storage device, the email can be searched, collected and handled in a company’s standard way.
And yet most companies are blissfully unaware of the potential problems with e-discovery. In a recent survey of legal and IT professionals using cloud services, Murphy found that less than 16% of 172 respondents had put an e-discovery plan in place before moving data to the cloud. Even more alarming, he says, nearly 60% of respondents didn’t know whether they had an e-discovery plan in place or not.
Tom Conophy, CIO of InterContinental Hotels Group, is one executive who believes he’s got his bases covered. Among the many cloud initiatives of the $18 billion hospitality company is a project to move its global reservations system, now on a mainframe, to the cloud.
IHG is in the process of choosing a cloud provider and in its contracts, the company is “very careful about making sure that our intellectual property and our content is ours, and that at any given time we have the ability to access it, export it, turn it off — whatever we need to do with it,” says Conophy. “It’s no different than if it was running in our own [data center].”
Be mindful of email, social media
Potential e-discovery problems vary depending on the type of cloud provider and the contract, observers say. Because email has been subject to e-discovery for a while, many email hosting providers have this covered in their contracts. And large cloud vendors that typically serve Fortune 500 companies are likely to pay more attention to the discoverability of data.
Know your data’s location
Whatever type of cloud you’re dealing with, it’s important to know exactly where your data resides. In some cases, a cloud vendor may be storing it in a data center in a different country, where different data privacy and e-discovery rules apply. Some SaaS providers make it easier than others to get data out of their systems. Salesforce.com, for example, “is not an easily searchable system — because it’s not a content management system per se — and yet people are storing information there,” says Murphy.
Beware renegade business units
Even if contracts cover every detail, shadow IT activities within corporations can be the source of other e-discovery problems. Charles Skamser, president and CEO of consulting firm eDiscovery Solutions Group, spent the last several months interviewing some 60 cloud service providers. Most told him that their clients are not asking about e-discovery. In fact, “some of the [cloud service providers] even said, ‘What’s e-discovery?'” says Skamser.
More telling, perhaps, Skamser’s research indicates that a high percentage of the client base of these providers are “renegade business units” of large corporations seeking to do an end-run around what they perceive as unresponsive internal IT organizations.
This could be a recipe for disaster. When a large corporation is sued and presented with an e-discovery request, the general counsel would likely go to the IT department and ask for help. The general counsel may not ask a particular business unit manager, and even if they do, the manager won’t know how to comply and probably has no e-discovery provisions in his contract with the cloud vendor, Skamser explains.
Questions to ask your cloud vendor
The key to setting successful e-discovery policies for cloud computing is knowing exactly what your cloud vendor will and will not do in the event of e-discovery. More than 70% of the respondents to eDJ Group’s survey did not know their cloud vendor’s policy in terms of responding to e-discovery needs.
Here are some questions that analysts recommend asking:
For other cloud email services that do not have such a solution the company, the company’s counsel or vendor can create a POP3 account and have the company’s email administrator create a standalone account that links to the external email account, allowing extraction of the email into the company email platform. (The company should create a standalone email account just for this process so that the personal email is not inadvertently comingled.)
Obviously, this solution is not ideal for anyone. The employee must expose personal information and trust that the employer, its counsel and vendors respect the agreed upon parameters. For its part, the company must trust that the employee has identified and foldered the needed email despite the risks associated with self-collection. Finally, the emails become live once in Outlook, meaning that messages can be forwarded and sent out, just like any other email.
Social media sites, on the other hand, pose a different set of challenges. The interactive nature of the medium itself is hard to deal with, but balancing it against conflicting scope, privacy and regulatory issues adds to the challenge. Some organizations take a proactive approach, adopting social media policies and implementing technology to prevent or minimize business-related social media use, and manage privacy expectations if it does occur. For employees whose job it is to use social media for business (e.g., marketing) there are enterprise software solutions for monitoring and capturing such data.
When the need does arise to collect social networking data of an employee whose activities are not routinely monitored and captured, there are methods provided by some social networking sites. For example, Facebook now provides a method for users to archive their data locally for review and production. There are also consultants who can collect Internet information. Note that some methods capture only static pages and do not simulate the interactive nature of the native environment. Some consultants employ tools that watch someone “click around” while on a computer and, thus, allow more native-like play back. Of course, because of the mixture of personal and business data, there will need to be a mutually acceptable process for separating the two.
The cloud presents special challenges for e-discovery. It is best to avoid the admixture of business and pleasure in the cloud. When that fails, however, there are solutions to the special challenges that result.
Special Thanks to Contributing Authors