You've been sued!

If your organization is sued, many IT and data handling procedures can change, some radically, and perhaps forever. The ability to effectively manage the process of litigation or regulatory inquiry mandates bridging the communications gap normally found between IT management and staff, and the legal departments (or other legal counsel) of an organization. It's a non-trivial exercise, and can have a huge result on the desired outcome of the inquiry.

The processes of litigation or regulatory investigation are similar yet have slight differences, as while litigation may eventually finish, the ongoing needs of regulators may never cease. Either legal process uses something called discovery, or ediscovery in its ‘electronic' form, which amounts to the discovery, search, containment, and contamination-prevention of pertinent information and evidence.

The actions of litigation are well-known. There's an initial complaint, which if it goes to court as litigation does, then spawns various processes. One of the initial processes is a response to the complaint, followed by a period and process called discovery. In discovery, facts are revealed. The facts consist of information that responds to the regulatory questions, or the specific nature of the litigation/suit.

IT usually has the charge of storing all but perhaps paper documents. Financial information, databases, emails, correspondence, and any/all other organizational data might be examined during the discovery phase, or regulatory examination. How IT responds to the needs of their legal departments becomes crucial to the outcome.

Legal and IT Allegiances

"One of the disconnects," says Anthony Diana, co-leader of Ediscovery and a litigation partner at the law firm Mayer Brown, "is that IT doesn't understand what their legal department needs in terms of a case, and equally important, legal departments often don't understand the issues that IT faces in complying with (discovery) needs."

Legal departments must often "freeze" evidence, such as documents and email or even txt correspondence, and often believe that the process is just the matter of "a few clicks." IT often knows the devil of the details. The preservation procedure is often needed to ensure that evidence isn't tampered, altered, appended to unnecessarily, or accidently deleted or even overly responded to. Preservation often also means preserving the state of the evidence, including the applications used to access pertinent data. As each case is different, so will be the procedures to match needs.

"As an example, certain things need to be preserved to have compliance with legal obligations when a hold is put in place, " Diana continues. "Courts don't understand the burdens placed on IT when they make preservation holds. (Like the legal department) they think it's a click for preservation, but IT clearly has to communicate the burdens. "

Are there going to be issues in terms of preserving the data, as in storage, space, and/or server costs? Limits can be put into place so as not to take costs out of control when an organization's legal department talks to the courts, opposing counsel, etc. Requests can go on for years, and the boundaries must be clearly expressed. It's got to be done proactively between IT and legal departments, and discussions need to take place to find procedures that are tenable in terms of cost and IT production/budget needs. Specifics must be defined and acknowledged in terms of constructing the IT framework needed to achieve legal goals.

Appointing interdepartmental liaisons that communicate progress and identify ongoing needs or changes in needs can be a successful strategy. Establishing clear procedures and assigning specific employee responsibilities can help these two very diverse departments to interact sanely.

Says Mayer Brown's Diana, "You'll need to monitor the preservation, knowing its lifecycle, and what the implementation does from a process standpoint" so that everyone understands where and how to access the preservation.

IT must think about what the impact is to the legal obligation, and what the absolutes are in terms of mistakes that can be avoided in an upgrade process. IT does well to consider data collection techniques - how will the collection be done? What does it look like in terms of output? What kind of burden does it impose, and on whom and what processes?

And there are still more questions that IT and legal departments/counsel must answer, according to Diana.

• How will the data collection be done?
• What kind of collection techniques will be employed?
• When does a Standard Operating Procedure/SOP go to extraordinary measures?
• Will full forensic images be needed?
• What about file formats?
• The term/time of collection?
• Should deleted documents be looked hunted?
• What devices need to be examined, and to what extent, and for what duration?

Once plans have been vetted, it's also necessary to consider the roles of non-employee staff. Contractors may need to have up-front and clear contractual constraints imposed to protect an organization's privacy as well as other policies.

"IT needs to know that in terms of security, there's a potential problem when data leaves the security boundary of the organization," Diana warns. Agreements with vendors must be proactively understood in terms of qualifications for security for data in question. IT and legal need to understand vendor (contractor) data security access, the qualities of that access, what kind of tools are used, and the assurances for the security of data assets. What are the boundaries of accessibility by outside contractors or counsel?"

Diana adds that ironclad agreements haven't been the norm for Ediscovery vendors but are an increasing trend. The agreements are made more complex by the lifecycle of the boundaries imposed by Ediscovery on IT, a legal department, and vendors/contractors.

"Sadly," says Diana, "some organizations never get back to normal, as there are serial litigants that impact IT departments. It's a huge management issue, as listing holds are loathe to do, and it's not as simple as saying ‘we can lift the holds', because other cases may touch the data, there may be appeals, and so forth.

"The other difficult issue is when the government is involved, as they're not often clear when an investigation is concluded. IT must press their legal departments to make decisions and give pressure to make decisions for lifting holds and processes on affected data. It all goes back to the SOP between the legal department and the custodians of data.

Accurate overall costs for document preservation are important to project and track. True cost analysis allows a legal department to make an informed decision about the extent of organizational impact. Diana suggests talking in terms of cost per period (example: $100K/month) and clear metrics. Diana also suggests that relief is possible, and IT should rally for partial lifts when that's practical and cost-effective.

The costs of holds can be expensive, but they don't have to be the ‘new norm' unless serial litigation, or ongoing regulatory review mandate them. If mandated, they become the new SOP and the new permanent annual budget line.

Litigation and regulatory inquiry checklist

• Establish a list of liaison contacts between legal departments and outside counsel for IT. Names, phone and cell numbers, email, as well as availability calendars (public and private calendaring notices are preferred) are helpful for communications purposes. When a contact is added or changed, a distribution of this information must be formally circulated for tracking and security purposes.
• IT and other employees should be informed by counsel about what the ‘holds' (i.e. documents and data states) mean, in terms of processes and requirements imposed by the litigation. Special emphasis should be made regarding the security of the processes, and what questions should be answered regarding them, by whom, and to what degree if legal counsel allows this at all.
• When planning the processes needed to comply, IT must do its best to communicate costs, disruptions, and the full implications of servicing the needs of legal counsel's requests. Terminology must be plain and articulate both quantitative and qualitative impact that will be imposed, given the processes described by counsel. In turn, IT must ask written questions concerning processes that will need to be imposed on it, their length of imposition, and all impacts that they may face during the process of litigation or regulatory inquiry.
• Documents must be submitted in a format that counsel finds usable. This means that IT may need to keep forensic copies of applications that can mine and/or 'resuscitate' years, even decades of old information. Counsel must understand the process, tools, and procedures that will be used to obtain especially older information.
• IT may also get the responsibility to perform or contract the scanning of paper documents. While many third-party document scanning contractors are available, legal departments must be in on the vendor selection and contractual processes, as well as understand the cost of scanning, transportation, delivery, and storage of scanned 'holds'.
• As the nature of litigation and regulatory compliance is complex, IT employees (and contractors) must understand the nature of the processes, and the need to keep held documents undisturbed, unaltered, right down to date stamps and other document metadata information. Simply opening a document can alter its contents, and counsel must instruct IT personnel on exact document search and handling procedures that will comply with legal response needs.
• IT and legal must acknowledge that a policy of ask-first is necessary, should questions arise. Seemingly unobtrusive IT policies regarding document management may be a huge issue for legal counsel. Clear and constant documented communications with a clear line of responsibility prevents errors that could cause much grief and expense.
• Long term (serial) litigation or regulatory/compliance needs may alter an organization's IT policy and even the software choices made. Benchmark review points allow IT and counsel to review ongoing documentation holds and future compliance needs so that what might now be experiences as 'exception handling' might be future standard operating procedure. Periodic reviews must be made to check progress, lift holds, or create policies and processes that aid future litigation and compliance needs.
• Review contractor compliance. Many outsourced tasks may be needed to accomplish document production goals, and each outside contractor needs regular review to ensure that contract goals are maintained. Security/privacy goals must be checked, as well as acknowledgement by staff of the tenets of your agreement(s) with them. As contractor personnel frequently change, updates for new employees must be performed. A quick checklist for each employee involved helps document that all understand the nature of their work, and requirements placed on the work so as to prevent spoiled holds, or inadvertent document misplacement, destruction, or unwitting alteration(s).