This is the second in a series of blogs about the legal discovery challenged related to electronically stored information (ESI). Last week, I provided an overview of ESI discovery. In this blog, I take a closer look at an organization's responsibilities. Included in the discussion are examples of the sanctions placed on companies that fail to adequately respond to legal discovery requests and how to avoid similar negative financial impact. First, let's look at shadows of discovery yet to come, the future of an organization that ignores the possibility of being asked to produce hard-to-find, and harder-to-recover, ESI.
- In 2006, U.S. District Judge Faith Hochberg in Newark, N.J., imposed an array of penalties on Health Net Inc. and two related carriers, stating that Health Net's "repeated and unabated discovery abuses and lack of candor leave this court no other choice."(Gallagher, 2006) Health Netwas ordered to pay fines and fees "...that could exceed hundreds of thousands of dollars (Gallagher). In addition, Health Net attorneys were prohibited from using thousands of pages of documentation and barred various witnesses from testifying, all because of "mistakes" in responding to repeated requests for discovery.
- In 2005, Morgan Stanley suffered ajudgment of $1.45 billion,due largely to non-compliance with discovery requests. "Finding once again that Morgan Stanley had violated discovery orders and had chosen to conceal the nature and extent of its violations, the court granted partial default judgment to [plaintiff]. Ultimately, the jury returned verdicts totaling more than $1.4 billion against Morgan Stanley" (McConnell, et al).
- In a 1999 case, Phillip Morris was fined $2.5 millionbecause employees ignoreda legal hold order and Phillip Morris' own document retention policy (Blank Rome).
These are high-profile cases that made it into the news. Their mistakes not only included failure to produce documents when the courts believed it reasonable to do so. In some cases, management failed to safeguard the integrity of the affected documents and data. In addition to these highly publicized incidents, many smaller organizations also incur sanctions or default judgments because they fail to meet court discovery expectations. So how can an IT manager help his organization avoid ESI discovery pitfalls? Preparation.
The secret is preparation
The best way to avoid sanctions is to prepare. IT managers and their friends in the legal department should assume that they will be served with a discovery request at some point. Understanding how to respond, implementing the right technology, and documenting supporting policies and processes can put them in a negotiable position.
The following is a list of processes and documents, useful for supporting a plan designed to adequately meet the expectations of a Federal court. It includes actions to take before and after discovery is immanent.
- Develop and maintain a close working relationship with the attorney(s) responsible for helping your organization through the e-discovery maze. Deciding what to keep, when to keep it, and where, are primarily business risk issues, based more on legal questions than on how much disk space is available or the cost of near line storage.
- Develop, document, and enforce a document retention policy with supporting processes. One of the first artifacts your attorney needs, following the receipt of a discovery request, is a copy of your document retention policy. ESI destruction during the normal course of business, including the regular destruction of documents according to type, is a valid reason for its unavailability for legal hold or for it residing on media regarded as "inaccessible" for the purposes of discovery. "...outside of industry regulations and any litigation hold requirement, a company need only keep electronic information as long as necessary for business purposes--but no longer than that" (LexisNexis, 2007).
- Archive, index, and store email messages and chat sessions based on retention policy. Messaging discovery is covered in more detail in Part 3 of this series.
- Know where your sensitive information is stored, how it's stored, and how to access and deliver it. In Part 4 of this series, I'll discuss how to use content monitoring and filtering tools to identify where your data are moving and where they end up.
- Train your staff, both technical and business. The content and frequency of the training, discussed in Part 5, determines the effectiveness of preventing spoliation and providing evidence to the court of organizational due diligence.
The bottom line is, if you're ready for e-discovery, if you understand what should be accessible and what is not expected to be easily delivered, if you and your employees understand the importance of legal holds, and if you implement reasonable and appropriate technical and administrative controls to support company e-discovery polices, then severe sanctions for non-compliance should not be a problem.
In Part 3 of this series, I plunge into the quagmire of how to deal with electronic messaging discovery. I'll discuss specific solutions and vendors who provide effective archiving and retrieval systems.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.