New federal rules will take effect next month requiring corporations to produce documents in legal cases or face stiff penalties, raising yet another regulatory compliance issue for IT departments.
On December 1, several amendments to the Federal Rules of Civil Procedure regarding a company’s duty to preserve and produce electronically stored information (ESI) in the face of litigation — or pending litigation — are scheduled to take effect. The rules (specifically Civil Rules 16, 26, 33, 34 and 37) have already been adopted in some states, like New Jersey, and other states, including Texas and California, have already implemented some of the new rules.
As with most new compliance rules, there is some confusion and hand-wringing on the part of enterprises as to what the amendments really mean. In this case, the big question companies are asking of their attorneys, IT people, vendors and compliance officers is: Do the new rules mean we have to drastically alter the way we preserve, retrieve and produce electronic data? The answer to that question: It depends. It depends on what practices, procedures and technology you already have in place (if any), and how susceptible your enterprise is to a lawsuit.
If your company has clearly stated, consistent, across-the-board policies and procedures in place on ESI preservation and production in the event of litigation, you may be protected. If your company doesn’t, you could be vulnerable to crippling sanctions and fines. Not sure where you stand? Keep reading.
First, Save All the E-mails
To help find out what the new rules really mean for companies, we went to the experts. While all of them agreed there is no one “silver bullet” IT solution that will automatically bring an enterprise into compliance with the new rules, all is not lost.
Many of the problems enterprises face in light of the new rules have more to do with change management — policies and procedures — than with expensive IT solutions. And even if a careful readiness review by your IT experts, compliance team and attorneys finds that you must invest in a content management, e-mail archiving, e-discovery, indexing or other solution, that investment is almost sure to be less expensive than paying dozens or hundreds of attorneys $200 an hour or more to sift through months or years of decentralized, unstructured ESI (such as e-mail) or getting slapped with huge fines and sanctions for failing to comply with the new federal rules.
“What I think is most important about the new rules is that they underscore the importance of the duty to preserve [electronic data] and put processes in place for very early discussion between parties about the scope of that preservation and what’s to be done afterwards,” says Stephen Whetstone, a former litigator and currently vice president of client development and strategy at e-discovery company Stratify Inc. “Most companies do not have their house in order when it comes to preservation and document management policies. The new rules attempt to impose some structure in a litigation context against an existing backdrop, which is not necessarily a bad thing.”
A Gigabyte of Prevention is Worth a Terabyte of Cure
According to a recent report by the Business Performance Management Forum and AXS-One Inc., 36.4 percent of the senior executives and subject matter experts interviewed said their companies had no technologies or policies in place to manage a legal discovery order involving electronic records. Even more troubling, 33 percent said they had no corporate policy in place covering electronic records management in general — and 20 percent didn’t know if they even had a policy.
Here’s another troubling set of statistics: an October 2005 study by law firm Fulbright & Jaworski revealed that companies with at least $1 billion in annual revenue are engaged in an average of 147 lawsuits simultaneously, while companies with average revenues under $1 billion were juggling 37 lawsuits at any given time. On top of that, nearly one-third of firms surveyed spent more than 2 percent of their gross revenues on legal expenses, while 10 percent spent more than 5 percent.
So perhaps putting in place policies, procedures and technology that aid in records management and retention and reduce the cost of litigation is not such a bad thing.
Size Doesn’t Matter
Many companies that don’t make close to $1 billion may be reading this and thinking that the new Federal Rules of Civil Procedure don’t apply to them. But they would be wrong. Even small companies are susceptible, though the likelihood of them spending tens or hundreds of thousands of dollars to prevent potential sanctions or fines is small.
“I don’t think the size of the company is the way to look at it,” says Ken Rubin, senior vice president of corporate strategy at information protection and storage giant Iron Mountain. “I think it’s the risk exposure. While there is generally a correspondence between size and risk, it also depends on your industry. If you’re a small medical devices company, you have a lot of litigation risk, more so than a manufacturing organization. It depends on your business. But in general, large organizations — Fortune 500 and Global 2000 organizations — should all be worried about this.”
‘The Dog Ate My Homework’ Won’t Cut It
According to Rubin, the days of “the dog ate my homework” — or in this case, “my robodog ate my data” — excuse are over.
“In the old days, if a company’s information was stuck in a bunch of information silos and they didn’t have common processes and good procedures and said it would be overly burdensome [to produce the data], the judges would be sympathetic,” he says. “That is going to end. In order to demonstrate good faith, you have to put in place processes and technology that help you bridge the gaps between all of your storage silos.”
Steps Businesses Should Take
To Prepare for Litigation
“People have to have a better understanding of what they’re creating, what information they’re storing and for how long they’re storing it,” adds Brian Babineau, an analyst at Enterprise Strategy Group, who agrees that most companies don’t know where all of their data is kept.
On top of that, says Babineau, companies are going to have to develop consistent processes for managing (storing and deleting) data and “be able to assign a cost of accessibility for that information over time. So for example, now they’re going to store everybody’s e-mail consistently for 90 days online and it’s going to cost them X amount to retrieve it. After 90 days they’ll store it for another two years and it’s going to cost Y to access it.”
Still, Babineau doesn’t see the new rules as bad news. “I think this is actually good news for enterprises, because there’s more clarity around electronic discovery than there ever was.”
Creating a ‘Treasure Map’
So how do companies go about complying with the new rules? They need to have a “topographical map of where all there electronic records are,” says Rubin. “And they need to know not only where they are, they need to know the relative ease of retrievability. They need to understand relevance and the production costs and the formats. They really need to have what I would call a treasure map of where their records are.”
But can a single IT solution give companies a map to their buried treasure — and ensure compliance with the new amendments in the case of litigation?
“We don’t really see any silver bullets out there from a technology perspective,” says Mike Kinnaman, vice president of marketing at Attenex, an e-discovery company that helps enterprises improve the efficiency of processing and reviewing electronic documents. “There isn’t an end-to-end solution that someone can just drop in.”
But you can — and should — get your IT and compliance people and your attorneys all speaking and working together to find out where your data resides, what’s accessible, what’s inaccessible, and make sure you have a readiness plan, which means, says Whetstone, having “best practices and procedures in place when the duty to preserve is triggered, so that you know you can quickly lock down [data].”
Good News for IT Vendors?
“Technology got us into this mess and technology will get us out of this,” says Whetstone. “There are new tools, Stratify happens to be one, that allow lawyers, reviewers, companies to better understand their data universes, better manage them in real time, better organize and pre-organize these data universes, so that when a litigation threat arises, when the duty to preserve triggers and there is a need to go get the data, they’ll be able to look at their data across business units by subject matter and be able to then focus their review and leverage technology’s ability to cluster like documents together.
“As a result of that, reviewers will be able to far more rapidly review the documents and communicate their conclusions with one another and ultimately to the courts or investigative bodies,” he says. “That’s very powerful. And it’s going to drive down the labor costs, because it’s just not sustainable to have dozens or hundreds of litigators at $200, $300, $400 pouring through massive volumes of electronic data as if they are looking at stacks of paper on their desks. So there’s going to have to be a need to leverage technology.”
That’s good news for a lot of IT vendors — many of whom have been hawking their various data management, data retention, data indexing and e-discovery wares in advance of the new rules.
Late this summer, Symantec announced it had added support for new federal regulations (among other services) for its Enterprise Vault Discovery Accelerator e-discovery solution (see Symantec Speaks Legalese).
More recently, Iron Mountain announced a new retention management solution called Retention Center, which “will allow organizations to manage, monitor and audit systems and repositories that contain records and information to meet compliance and litigation requirements.”
And the list goes on, with e-discovery companies such as Attenex and Stratify talking up their solutions’ ability to help companies sift through large collections of unstructured content, such as e-mail and MS Office documents, and quickly zoom in on the most relevant information needed, and data management software provider CommVault positioning its Unified Data Management approach as a way for customers to “establish and document end-to-end processes for data discovery and preservation,” according to David West, vice president of marketing and business development at CommVault.
The new rules also “bode well for the information classification folks like Kazeon and Index Engines that can index corporate content,” says Babineau.
Is Any of This Good News for Enterprises?
For enterprises that do act in good faith, there is a “safe harbor” provision, Civil Rule 37, “that protects a party from sanctions for failing to provide electronically stored information lost because of the routine operation of the party’s computer system.”
While that is definitely good news, it is not a “Get out of Jail Free” card, says Whetstone. “In other words, it will not work for lawyers or companies to continue to delete or overwrite consistent with their standard document retention or management policy after the duty to preserve arises,” he says. “If you have a 30-day recycling policy in place with respect to e-mail, when the duty to preserve arises, or when you’re served with a complaint and you have to lock down data, you can’t hide behind Rule 37 and say, oh, the data was lost in good faith because the system kept overwriting data for the next 30 days and someone forgot to turn that off. That’s not going to work very well.”
The bottom line: “It’s hard to say that these types of things are great, because they require organizations to change a little bit, but it’s just about standard operating procedures and policies and then buying the technology to support them, as opposed to forcing companies to go down a specific path and buy specific things,” says Babineau. “There’s enough guidance, but it’s not specific enough to be a burden.”
Mike Kinnaman, vice president of marketing at Attenex, agrees. “The good news about these amendments is they’re taking the best practices that already exist and making them more widespread,” he says. “It really comes down to understanding where all the data is and then the bigger piece is using a document retention policy. If you do those two things, then the courts are going to look upon you favorably.”
For more storage features, visit Enterprise Storage Forum Special Reports