eDiscovery Standards

eDiscovery Standards and Trends

The lack of a published set of eDiscovery standards creates a hole in eDiscovery methods. The standards, proposed in Chicago on June 14 at the Seventh Circuit’s Electronic Discovery Committee Workshop on Computer-Assisted Review, would be administered under an organization approved by the American National Standards Institute. At minimum, it would guide attorneys in how to perform discovery of electronic information. Software companies and service providers could also market their work as standards-compliant.

One of the greatest advantages of a standards-compliant eDiscovery industry is the ability to provide some consistency in process. In the current environment, the results of an eDiscovery process at one firm may not produce the same results as another firm. With a set of eDiscovery Standards, we can actually apply Predictive Coding to our projects. Applying standard process to a certification such as ISO 9001 gives the courts and clients a reasonable expectation of quality within the eDiscovery Process.

Understanding how we develop and deploy standards will vary based on the many different perspectives of eDiscovery. The Federal courts may require application of one standard while civil courts will likely have a different set of needs. Application of eDiscovery methods will vary greatly between a large multinational engineering firm and a small Social Media Marketing company. eDiscovery Standards

Although recent eDiscovery trends show a divergent pattern, they all indicate the need for standard, repeatable processes. Social Media sites such as Twitter, Facebook, and LinkedIn have been the focus of many recent cases. A set of eDiscovery Standards will also help large Social Media sites develop cost efficient eDiscovery tools into their framework. Google Apps for Business is also becoming a data solution for many companies. Google needs to be able to provide solutions for companies to perform their own eDiscovery collection on employees data hosted in the Google cloud.

My personal opinion is that companies that hold large amounts of data will avoid creating collection tools until they are assured that there methods will be accepted by the legal community. Collecting data from the Cloud is obviously one of the most discussed trends in eDiscovery. Under the Federal Rules of Civil Procedure, a party to litigation is expected to preserve and be able to produce electronically stored information that is in its “possession, custody or control.” But in the cloud, the situation isn’t so clear. Information that’s electronically stored in the cloud is presumably under your control, but it may not technically be in your possession, says James M. Kunick, principal and chair of the intellectual property and technology practice at law firm Much Shelist.

Because this area is so new, the legal ramifications of storing data in the cloud are still murky. Among the few instances of case law is Gordon Partners v. Blumenthal, which found that if a company has “access to documents to conduct business, [then] it has possession, custody and control of the documents for purpose of discovery,” according to Murphy.

 

What we mean by ‘e-discovery in the cloud’

“E-discovery in the cloud” can be just as confusing as all other things cloud-related. It means different things to different people. This article focuses on e-discovery on data that has been stored in the cloud for general purposes. (Category three, below.) But vendors sell a variety of tools related to e-discovery and the cloud. Here’s how Christine Taylor, an analyst at Taneja Group, delineates the market:

  • E-discovery SaaS: Using the cloud to deliver e-discovery application software. These SaaS packages typically cover one of several e-discovery processes, such as collection, preservation or review.
  • Cloud-based e-discovery: Using a hosting provider to run e-discovery processes on data archived to the cloud. This comes in two forms. First, a customer can archive data at a hosting provider with the specific understanding that the service provider can and will do e-discovery on that data if the need arises. Second, a customer keeps its archives in-house, but in the case of legal trouble it collects the relevant data and sends it to a cloud provider specifically for the purpose of e-discovery services.
  • E-discovery on any data stored in the cloud: Using a cloud provider to store data in the cloud, with no special provisions or considerations about e-discovery. This is by the far the riskiest option of the three, says Taylor. “Even where the cloud provider is trusted, such as Google or Amazon, service level guarantees for the enterprise are notoriously poor,” she wrote in a recent report. “And these services also have few mechanisms in place to report on physical data locations to their customers, which can be a serious defensibility issue.”

 

Web Based Applications

Take web-based email applications such as Yahoo!, Gmail and Hotmail: They typically provide a good user interface for normal personal or business needs, but cloud services so far have seen little benefit or need to provide users with a robust ability to identify and collect email relevant to a particular issue. This is a problem when business has been mixed with personal email accounts.

Gmail now offers Gmail Backup as a free program. Once installed and configured, the program will back up all messages in an EML format that is saved to a specified location. After backing this up on a local storage device, the email can be searched, collected and handled in a company’s standard way.

And yet most companies are blissfully unaware of the potential problems with e-discovery. In a recent survey of legal and IT professionals using cloud services, Murphy found that less than 16% of 172 respondents had put an e-discovery plan in place before moving data to the cloud. Even more alarming, he says, nearly 60% of respondents didn’t know whether they had an e-discovery plan in place or not.

Tom Conophy, CIO of InterContinental Hotels Group, is one executive who believes he’s got his bases covered. Among the many cloud initiatives of the $18 billion hospitality company is a project to move its global reservations system, now on a mainframe, to the cloud.

IHG is in the process of choosing a cloud provider and in its contracts, the company is “very careful about making sure that our intellectual property and our content is ours, and that at any given time we have the ability to access it, export it, turn it off — whatever we need to do with it,” says Conophy. “It’s no different than if it was running in our own [data center].”

Be mindful of email, social media

eDiscovery StandardPotential e-discovery problems vary depending on the type of cloud provider and the contract, observers say. Because email has been subject to e-discovery for a while, many email hosting providers have this covered in their contracts. And large cloud vendors that typically serve Fortune 500 companies are likely to pay more attention to the discoverability of data.

Know your data’s location

Whatever type of cloud you’re dealing with, it’s important to know exactly where your data resides. In some cases, a cloud vendor may be storing it in a data center in a different country, where different data privacy and e-discovery rules apply. Some SaaS providers make it easier than others to get data out of their systems. Salesforce.com, for example, “is not an easily searchable system — because it’s not a content management system per se — and yet people are storing information there,” says Murphy.

Beware renegade business units

Even if contracts cover every detail, shadow IT activities within corporations can be the source of other e-discovery problems. Charles Skamser, president and CEO of consulting firm eDiscovery Solutions Group, spent the last several months interviewing some 60 cloud service providers. Most told him that their clients are not asking about e-discovery. In fact, “some of the [cloud service providers] even said, ‘What’s e-discovery?'” says Skamser.

More telling, perhaps, Skamser’s research indicates that a high percentage of the client base of these providers are “renegade business units” of large corporations seeking to do an end-run around what they perceive as unresponsive internal IT organizations.

This could be a recipe for disaster. When a large corporation is sued and presented with an e-discovery request, the general counsel would likely go to the IT department and ask for help. The general counsel may not ask a particular business unit manager, and even if they do, the manager won’t know how to comply and probably has no e-discovery provisions in his contract with the cloud vendor, Skamser explains.

 

Questions to ask your cloud vendor

The key to setting successful e-discovery policies for cloud computing is knowing exactly what your cloud vendor will and will not do in the event of e-discovery. More than 70% of the respondents to eDJ Group’s survey did not know their cloud vendor’s policy in terms of responding to e-discovery needs.

Here are some questions that analysts recommend asking:

  • How would information be placed on legal hold?
  • How can the information be accessed by various parties?
  • How would the e-discovery functions of review and analysis be executed? Can you look at the data without having to download it?
  • What are the vendor’s systems, data and backup procedures? Can it ensure that information is protected and redundant?
  • Exactly how is information stored? Is tenancy shared or do you get your own dedicated storage?
  • Where is the physical location of the stored data? Different countries have different regulations and law regarding data privacy and e-discovery.
  • Who bears the responsibility and cost of information collection and preservation? Who would be held liable for a failure to collect and preserve the information?
  • Will the cloud vendor agree to identify an employee to testify regarding preservation and collection? “Doing so goes a long way toward successfully managing the chain of custody of information,” writes eDJ co-founder Barry Murphy.
  • Exactly how can the data be searched and collected or locked down? Some cloud vendors may not have the tools to do this.
  • How long would a large collection of data take? In what format would the cloud provider deliver the data? Unless these details are pinned down, your legal counsel might promise an unrealistic deadline for delivering data or, worse yet, not be able to meet the court’s deadline.
  • How will you get the information back if the vendor goes out of business?
  • How long will the vendor retain your data? If the vendor discards it too soon, then it can “look to the plaintiff as if the defendant has found a way to shred their documents,” says Much Shelist P.C. principal James Kunick.
  • Can you test the vendor’s system to make sure you can access, search and/or download data promptly and properly?

Alternate Solutions

For other cloud email services that do not have such a solution the company, the company’s counsel or vendor can create a POP3 account and have the company’s email administrator create a standalone account that links to the external email account, allowing extraction of the email into the company email platform. (The company should create a standalone email account just for this process so that the personal email is not inadvertently comingled.)

Obviously, this solution is not ideal for anyone. The employee must expose personal information and trust that the employer, its counsel and vendors respect the agreed upon parameters. For its part, the company must trust that the employee has identified and foldered the needed email despite the risks associated with self-collection. Finally, the emails become live once in Outlook, meaning that messages can be forwarded and sent out, just like any other email.

Social Media

Social media sites, on the other hand, pose a different set of challenges. The interactive nature of the medium itself is hard to deal with, but balancing it against conflicting scope, privacy and regulatory issues adds to the challenge. Some organizations take a proactive approach, adopting social media policies and implementing technology to prevent or minimize business-related social media use, and manage privacy expectations if it does occur. For employees whose job it is to use social media for business (e.g., marketing) there are enterprise software solutions for monitoring and capturing such data.

When the need does arise to collect social networking data of an employee whose activities are not routinely monitored and captured, there are methods provided by some social networking sites. For example, Facebook now provides a method for users to archive their data locally for review and production. There are also consultants who can collect Internet information. Note that some methods capture only static pages and do not simulate the interactive nature of the native environment. Some consultants employ tools that watch someone “click around” while on a computer and, thus, allow more native-like play back. Of course, because of the mixture of personal and business data, there will need to be a mutually acceptable process for separating the two.

The cloud presents special challenges for e-discovery. It is best to avoid the admixture of business and pleasure in the cloud. When that fails, however, there are solutions to the special challenges that result.

 

Special Thanks to Contributing Authors

eDiscovery Standards Thomas LidburyThomas A. Lidbury is a partner in Drinker Biddle & Reath’s Commercial Litigation practice and leads the electronic discovery and records management group. He advises clients in the design and implementation of their internal electronic discovery programs and handles electronic discovery in major litigation. 
 eDiscovery Standards Michael BolandMichael J. Boland is managing director of Drinker Discovery Solutions LLC, a subsidiary of Drinker Biddle & Reath, which provides electronic discovery services including processing and advanced culling techniques, a review platform, and production of data. 
 eDiscovery Standards  Tam HarbertI’ve worked both on staff and as a freelancer since the mid-1980s. I’ve had some fantastic full-time publishing jobs. Freelancing, however, gives me the freedom to stretch my wings, learn new skills and evolve with the shifting landscape as technology revolutionizes publishing.

About the Author

Dave