The time to develop your data archiving strategy is not the day you get hit with an eDiscovery request. Here are a few pointers to help you implement a system that will keep you in compliance.
eDiscovery, email discovery, electronic discovery — however you refer to it, eDiscovery is a necessary burden for IT managers, corporate legal teams, and executives alike. Federal, state, and corporate regulations require most companies to retain electronically stored information for two to seven years and to be able to produce it quickly upon request. Noncompliance can be costly; FINRA (Financial Industry Regulatory Authority) alone handed out $50 million in fines in 2009. Thankfully, companies that follow simple best practices can drastically reduce the burden of eDiscovery while protecting their finances — and reputations.
1: Know your regulations
Do you know what the December 2006 revision to the Federal Rules of Civil Procedure (FRCP) means for eDiscovery requirements? According to Debra Logan, VP of Research at Gartner, "Many companies aren't even aware of the new eDiscovery requirements ... this could cost them billions of dollars if they don't get up to speed quickly." If you are not familiar with FRCP, here is the short version: EVERYONE must be prepared to discuss how and where they store their email early in the pretrial proceedings, they must preserve their email in a compliant manner and produce it with specified metadata intact, and they must produce their email quickly according to discovery timelines. Talk to your legal department. Or if you don't have one, consult outside counsel. Make sure you are aware of the regulations that affect your company and then promote awareness and preparedness internally.
2: Create an internal policy
Create an internal policy that details exactly what data needs to be retained to comply with regulatory and eDiscovery requirements. In most cases, companies choose to implement an archiving strategy that addresses retention and compliance requirements for email and other communications. Not only will an effective plan alleviate pressure and lighten the workload of your organization's IT staff, but it will allow IT staff and legal departments to define an email retention policy that automatically archives all necessary emails. This will further protect the company, should it face litigation, by removing the possibility of human error.
3: Ensure that you can search your archive
The number of companies that still use email server backup tapes to store their digital information is baffling. Searching through backup tapes for an eDiscovery request can take weeks or months. As we said in tip #1, FRCP regulations state that "everyone must produce their email quickly according to discovery timelines." Backup systems do not satisfy this requirement. Fortunately, technology has caught up with eDiscovery regulations. If search engines can search billions of Web pages in under a second, why can't you search through your organization's email database quickly? Some third-party archiving solutions offer advanced search capabilities that make performing eDiscovery as easy as searching the rest of the Internet. With third-party archiving, you can reduce the time that it takes to respond to discovery requests from weeks or months to seconds.
4: Don't forget about instant messages and social media
Debate surrounding the future of eDiscovery remains intense. The Library of Congress recently decided to archive the entire history of Twitter. While settling for just an email archive may seem adequate, key documentation can easily be overlooked or missed without archiving of other communication platforms and/or a well-executed and enforced retention policy. Companies can benefit by implementing an archive not just for email, but for social media, IM, SMS, and all other critical data sources as well. The regulatory landscape is constantly changing as communications between organizations, their customers, partners, and other stakeholders evolve. Adopting a modern archiving approach today will help your organization navigate future regulatory changes. The only thing that is certain in this space is that data is growing at a tremendous speed and that organizations will be required to retain more and more of that data in the future.
5: Hope for the best, but assume the worst
Even if you would naturally follow all of the steps outlined here, you should assume that other employees in your organization might not. You do not want to be the one explaining to an executive, board of directors, auditor, or judge why your company failed to comply with a regulation. So err on the safe side and ensure that employees are aware of your internal retention policy, and more important, that they understand the consequences of deliberately concealing or destroying information. By clearly outlining your internal retention policy, you not only discourage both intentional and unintentional regulatory missteps amongst employees, but you also better protect the company if an employee, or employees, deliberately disregards the policy.
Greg Arnette is founder and CTO of Sonian.