Collecting and preserving electronic data for disclosure in a court case is a complex task. How can you devise a strategy which will do the job across international borders? Lee Gluyas and Jonathan Maas have the answer
The growth in technology has meant that companies now need to have strategies in place to handle regulatory investigations and litigation which require the disclosure of electronic documents. As business becomes more global, companies cannot simply rely on mechanisms to deal with disclosure on the domestic front, but need to cast their net across international boundaries.
What is disclosure?
Disclosure is the process under which each party must provide to the other parties all the documents – whether hard copy or electronic – it has (or has had) which help or hinder either side’s case. The documents disclosed form the basis of the evidence available at trial, so it is vital that disclosure is conducted properly, as it can be material in determining the outcome of the dispute. Moreover, a party’s credibility may be seriously undermined if it becomes apparent that it has failed to disclose an important document. If the court believes that disclosure is inadequate, it may draw adverse inferences and be prejudiced against the defaulting party.
The disclosure process in England and Wales is governed by the Civil Procedure Rules (CPR). They define a document as ‘anything in which information of any description is recorded’. They suggest places where documents may be located: PCs, portable data storage media, databases, servers, back-up tapes, off-site storage, mobile phones, laptops, notebooks, handheld devices and PDA devices. They also give examples of electronic documents: e-mails, document files, calendar files, web-based applications, spreadsheets, graphics and presentation files.
The EDRM diagram below, or variations of it, will be familiar to many who have been through a disclosure or discovery exercise. It charts the standard processes involved in the lead up to disclosure of electronically stored information and, it generally holds true whether one is engaged in a dispute or a regulatory investigation, although, in the latter instance, the processes tend to happen more in parallel than in series.
The diagram should put our comments into context when discussing the practical issues and cultural, technical or legal challenges to consider when one’s e-disclosure reach extends across borders, specifically in the areas of data preservation and collection – perhaps the two aspects of electronic disclosure that have the biggest impact on a company’s day-to-day business.
An obligation to preserve data
As soon as a dispute arises you are under an inescapable obligation to preserve all potentially discloseable documents. In a nutshell this means:
halting any policy for routine document destruction, including the overwriting of back-up media
taking appropriate measures within the business to preserve potentially discloseable data from inadvertent alteration or destruction (including reviewing any electronic document retention policy to determine whether it should be suspended because of the risk of destroying what may be important evidence)
instructing employees not to make any notes on any hard copy documents or alter documents in any way.
This obligation is hard enough to comply with when a business is based in one country. It can, frankly, be a nightmare when dealing with related business entities in other jurisdictions that do not necessarily understand the legal and financial ramifications of non-compliance. Furthermore, this is not a one-off obligation but one that can continue for months, if not years.
It is critical to have a clearly mapped out preservation strategy that is broken down into individual steps and tested to ensure that it holds water regardless of its duration. Such a strategy, especially when elevated to the status of corporate policy, makes it considerably easier to ensure compliance by business units in different jurisdictions.
The preservation strategy is, of course, useless unless it is communicated to the business at all levels, and the reason for it, and the penalties for non-compliance with it, comprehensively explained. Communication needs to be more frequent the longer the preservation strategy is in place. This is especially so with electronic documents, as they tend to be viewed as more transient than their hard copy equivalents.
As with disaster recovery plans, there shoulde a cascade system established, from senior management down, to activate the strategy, to maintain awareness of it and efficiently to effect any changes (for the strategy should be periodically reviewed to ensure its continued relevance and applicability). With such a system in place, the strategy should be capable of being immediately activated by e-mail across the business and compliance confirmed by the receipt of pre-defined forms from each department.
If a senior manager can be allocated to look after the preservation strategy, so much the better. There is a growing trend across corporate America to recruit people whose sole, or main, job is to manage disclosure exercises internally (to be their litigation manager) and who have an understanding of the business, twinned with sound IT skills.
The preservation strategy is, of course, also useless unless all sources of data are included within its bounds. Central to the strategy, therefore, must be the task of locating, and recording (or mapping), all potentially relevant data sources both on and
offsite. This data map needs to be updated regularly and should be the responsibility of the IT and litigation managers. We recommend keeping safe all previous iterations of the data map.
Technology can also be your friend when preserving data. Document management or retention systems can be used to handle the bulk of data preservation (and, indeed, data collection) automatically if correctly configured and maintained and deployed across a well-thought out network architecture. However, as with most technology, it is only as good as its users, so it is sensible to have all relevant parts of the business using it correctly to maximise the investment in its purchase. The litigation manager could have useful input here.
Finally, the preservation strategy and all related communications are extremely important documents. Depending on the nature and geographical spread of the business, it is sensible to have them, and any subsequent drafts, professionally translated into the language of every country in which there are relevant business entities.
In terms of its impact on day-to-day business, data preservation may seem like a big thing, but it comes second to data collection. The principal reason for this is that the preservation strategy, once devised, can be implemented and managed by the business itself. Data collection, on the other hand, will invariably involve an external party at some stage, depending on the internal resources available to the business and the nature of the collection required.
For example, if metadata (information about an electronic document, such as the details of when and by whom the document was created and amended or the dates when an e-mail was delivered and read) is to be disclosed, then, depending on the complexity of the IT architecture and, of course, the importance of being able to defend the collection in court, forensic experts might be instructed to work alongside the firm’s legal advisers.
So how can this disruption be minimised? Assuming that staff at all levels of the business understand the preservation strategy and the reasons behind it, the most important thing is for the collectors to be sympathetic to the social and cultural ethos of the business entity and country within which they are operating.
By way of example, some time ago key staff at a client’s research and development centre were being interviewed on-site to identify where potentially discloseable documents might be. These people were far from helpful. We subsequently learned that a few months before there had been a round of redundancies. Management had omitted to brief them about our purpose on site and, perfectly legitimately, they thought we presaged further redundancies. Once we got over that hurdle the remainder of the exercise went smoothly.
We are assuming here that a natural extension of collecting electronic documents is collating them somewhere (a repository) ready to process them and, ultimately, to review them.
Procedures we would recommend when collecting domestic electronic disclosure are to prepare and communicate. Procedures we would therefore recommend when collecting electronic disclosure internationally are:
The vital first step to collecting documents, electronic or otherwise, is to develop a plan and then to make sure that everyone knows what the plan is and follows it. The plan needs to be flexible because
circumstances change, and the team on the ground needs to be empowered to suggest sensible changes. As a result of your preservation strategy you will know what nature of electronic documents you will be collecting and on what platforms they will be residing. You will doubtless still come across a few surprises, but you will be able to anticipate the majority, so make sure you have, or have engaged, the necessary technical expertise to deal with them.
Audit trails are a very necessary evil. You will be collecting from a wide variety of places, and the documents will probably pass through a large number of hands before they get to your repository. For an audit trail to be successful you need chain of custody forms so that when something moves from one place to another everyone knows about it or can find out about it, and the responsibility for that object is formally transferred along with it.
Similar to audit trails, and equally important, is the need to document everything. You are undertaking a major exercise and you will be relying on its results through to trial. You will not want your methodologies, and therefore the veracity of their results, called in to question. Certainly, you will not want to have to do it all again.
As to practicalities that really only appear when you are collecting data internationally, you need to consider how to deal with the following.
Time zones You only get caught out once trying to explain why a DVD of electronic documents arrived at its destination before it apparently left its departure point. You need to establish up front a rule governing the default time zone and date format to be used for the entire exercise. Legal implications These require careful thought from the outset when collecting internationally, as they will have a direct impact on what you can do and where you can do it. The following loom large:
European Union data protection requirements (and, by extension, Binding Corporate Rules and US Safe Harbor agreements)
domestic privacy laws
waiver of privilege
local Customs (that is, the local equivalent of Her Majesty’s Revenue and Customs).
What media will be used to transport the collected data? Does it need to be encrypted? If so, how? Do you need to be able to receive data on CDs, DVDs, zip/hard/FireWire drives or via secure FTP? In our experience, probably all of these.
Hopefully, we have explained some of the (generally) surmountable risks inherent in conducting e-disclosure on a global basis.
Lee Gluyas is a partner and Jonathan Maas is head of litigation technology in the litigation and regulatory group of DLA Piper, www.dlapiper.com