May 2013

Home – E-Discovery Checkpoints Part 3

E-Discovery Checkpoints Part 3

E-Discovery Checkpoints:  A 360-Degree View-Part 3

Identifying, Assembling and Sorting the Data From the Inside

 

By Susan Winchurch, J.D.

 

In complex litigation involving discoverable documents numbering in the tens of thousands, the first critical steps in the discovery process are taken in-house.  

 

LexisNexis recently assembled four speakers for a Webinar to address the critical early stages of discovery, presenting the perspectives of a U.S. Magistrate Judge, an experienced e-discovery litigator, a corporate data security executive and a litigation technology expert, in a complex hypothetical computer-hacking case.

 

Note: This is the third in a four-part series covering what the speakers had to say.  This article will focus on the practical aspects of locating, identifying and processing of data-key concerns for in-house attorneys and in-house data security professionals.  Previous articles discussed the bench's expectations for lawyers involved in discovery and the litigator's mandate to work closely with her client to facilitate efficient production of discovery.

 

The speakers based their presentations on the hypothetical case of Beta Co. v. Alpha Co. which featured two corporate rivals.  Beta, the plaintiff, alleged that Alpha, the defendant, hacked into Beta's databases in order to pirate proprietary information with the intent to beat Beta to the market with a competing video game.  Alpha countered that Beta launched a social media campaign against Alpha to generate negative reviews of Alpha's competing game. The claims ranged from patent infringement to corporate espionage and implicated a massive volume of potentially discoverable information, spanning four countries, including 20 million emails. 

 

U.S. Magistrate Judge John M. Facciola started the discussion by warning that the bench does not tolerate counsel or parties who ignore discovery management protocols or those who pay only lip service to the "meet and confer" requirement of Federal Rule of Civil Procedure 26.  Lawyers must collaborate meaningfully to find solutions to a discovery impasse, to demonstrate a firm grasp of the technical issues inherent in electronic discovery, and to hire competent experts who can guide them through the process.  Lawyers will need to have a command of the theories of liability underlying the litigation, the nature of the case, and the appropriate methodologies for searching, collecting and preserving electronic data.  Any claim that a request is overbroad requires support.  "There is not a federal judge left in the country who is going to let you get away with a one-sentence page that says 'this is too burdensome,' " said Judge Facciola.  Counsel will be called on to demonstrate exactly why the request cannot be satisfied.

 

Twenty-five-year litigator and law professor Mollie C. Nichols of Redgrave LLP, focused on the lawyer's role in counseling the client, starting by establishing a solid working relationship with in-house counsel, technology staff and business unit heads, to assess potentially relevant company information, where it is stored and the technical challenges inherent in locating and producing the information.

 

The process starts from the inside.  Panelists Matthew McKeever, Vice President of Security and Compliance with Reed Elsevier, and Trent Walton, President of Electronic Legal LLC and Cumulus Data LLC, gave insight into the internal data collection and preservation process.

 

Breaking it Down

 

The critical role of the security and compliance professional emerges instantly, said McKeever.  When a lawsuit is filed, the company needs to be sure from the outset that "we gather the appropriate data in a systematic and reasonable way," he said.  Especially in a hacking case, McKeever noted that the company needs to keep in mind, as data is assembled, that the civil case may give rise to criminal allegations, and this possibility must inform the data collection process from the beginning.

 

But the fundamental issue, McKeever noted, is the large amount of data.  Immediately, the company must devise processes for breaking it down and deciding what portion of it is relevant.  Of the 20 million emails in the database, only a portion of them are relevant.  "We need to break that issue down and working with internal and outside counsel, we need to scope that out," he said.  He echoed Nichols' earlier comments, noting that the company needs to identify its key custodians.  In this case, the development teams who devised the disputed computer game are within the scope of discovery.  "But maybe the finance guys are, or are not, in scope and we need to break that down," he said.

 

Because data-such as emails-may be dynamic, it is subject to change and manipulation.  The company needs to implement controls quickly to stop material from being deleted.  At the earliest stage of the case, McKeever said, "We don't know if it's a hack, or a bad actor on the inside.  We need to be careful, and as covert as possible, and work with Molly's [legal] team to decide what to collect," he said.

 

In a case like Beta v. Alpha, featuring data located in different geographic locations, collection and assembly becomes more complicated, particularly as the data crosses borders.  Nichols noted that the privacy laws of the various jurisdictions in which the data resides will be implicated.  For example, Massachusetts data privacy laws are potentially applicable even if no computer servers are located in Massachusetts-the involvement of a Massachusetts resident is sufficient to implicate Massachusetts law, which, Nichols said, covers the personal information of any Massachusetts resident and dictates how that information is to be stored and encrypted, possibly even requiring the use of armed guards if the data resides on non-encrypted backup tapes.

 

Choose Technology Wisely

 

As matters become more complicated, so do the tools that are available for data sorting and likewise the decisions about how much to spend on forensic and data collection technology.

 

The company needs to be mindful of costs, Walton observed.  "This is the point where you can get technical experts involved, and learn about all the latest greatest techniques to streamline the discovery and project costs."  These include encrypted remote forensic collection devices, being able to project data sizes, and techniques to project the billable time that could be involved to go through and identify the data.  As useful as these tools are, each one comes with a price tag, and the company needs to tailor its technology "spend" to match its actual need.

 

Walton added that at the preservation stage, it is important to remember that data doesn't have to be transported across borders.  It can be preserved in the country in which it was generated.  "It all depends on what we determine to be discoverable evidence," he said.

It falls on the in-house security expert to work with in-house and outside counsel to decide what data is confidential, McKeever said.  "When we give out an encrypted hard drive, we need to make it clear if one party's data is more sensitive than others."  For example, the employee who generated sensitive project plans and market research must be identified so that her data can be handled appropriately.

 

Companies also should periodically survey their databases, McKeever said, and identify where the most sensitive information-such as credit card data-resides so that, when e-discovery plans are being devised, privacy laws are respected.  "It's always good to know where your sensitive information is, so you can protect it," he said.

 

Manual Sorting:  A Bygone Method

 

As the company devises its e-discovery plan, the panel agreed, the idea of manually sorting the data should be dismissed out of hand.  In a case like Beta v. Alpha, the sheer volume of the information forecloses any notion of manually sorting and delivering data. "If you came into my court and said that you were going to do this manually you'd be out of my court in about 30 seconds. I only have an eight-year term and I don't plan to spend it on this case," Judge Facciola commented. "That's preposterous."  Each side, he said, will be expected to hire a competent vendor to manage the e-discovery process.

 

"The judge is spot on here," said McKeever.  While as recently as a few years ago, it was still possible to survey the data "with a few tools and keyword searches and get down to a manageable lot," today, companies will be dealing not just with email, but with voicemail, videos, drawings and other media.  The company needs to confer with its e-discovery vendor and devise a method of converting voicemails, videos and drawings to a reviewable format. The company must work with its vendor to identify exactly what is relevant.  If there are 80,000 voicemails, perhaps only 100 people will have left potentially relevant messages.   The in-house team needs to work with counsel to identify what is relevant "so that whatever we're sending to the vendor is reasonable and helps keep the costs down," McKeever noted.

 

Walton agreed.  "The days of linear document-by-document review are pretty much gone.  The amount of data is increasing exponentially every single year," he said, adding that the volume is so high and the formats so varied that finding the review methodology is a challenge unto itself.  "A lot is determined during the meet and confer at the beginning to see what we do have and what techniques we can apply to these different sources of data and get them down to a manageable set," he said.

 

Narrow the Data Set

 

Also important for companies to remember, observed Walton, McKeever and Nichols, is the question of preservation versus production.  While a broad set of data may be preserved internally, the actual data that is subject to discovery should be reasonable, but narrower.  The company may have 800 vendor contracts in its database, but you must query whether the contracts with the companies that clean the offices or wash the outside of the building are relevant.

 

"You really do have to work with your custodians and your IT to narrow that data set as much as possible," Nichols said.  "That's what the meet and confer is for, but you have to be working with your client to drill down as to what needs to be collected and reviewed."

 

"The name of the game," said Walton, "is what's reasonable?  What type of evidence is in there, and is it going to be helpful to the case?  What are the techniques we can apply to it, what are the costs associated with it?" It is, he said, a cost-benefit analysis.

 

Key Takeaways

 

1.     In-house security experts need to be pro-active in the identification of sensitive data. The process starts with occasional surveys of a company's databases to identify where particularly sensitive data resides.

 

2.     Practicality and reasonableness govern what is produced.  If a company has 80,000 voicemails, it must devise a sound methodology for determining which of the 80,000 are potentially relevant.

 

3.     Manual surveys of documents are a thing of the past.  With ever-increasing volumes of data, companies must be prepared to hire competent vendors to manage e-discovery.  Courts will not tolerate any company attempting to pass through a manual review process.

 

Note: Part 4 of this series will focus further on the contributions collectively of Magistrate Judge Facciola, Mollie C. Nichols of Redgrave LLP; Matthew McKeever, VP Security & Compliance with Reed Elsevier; and Trent Walton, president of Electronic Legal LLC and Cumulus Data LLC. Part 4 will address emerging trends in e-discovery.