Not responding to an electronic discovery request is just as good as an admission of guilt, and this downfall lies squarely on the shoulders of the IT organization. In the well-known case of Zubulake v. UBS Warburg LLC, UBS could not produce potentially incriminating emails critical to the case, and the courts actually ruled that it was more likely than not these emails existed. This had damaging effects on UBS's case. Likewise, in United States v. Philip Morris USA Inc., Philip Morris was fined $2.75 million for continuing to delete emails after a notice of litigation was issued.
Cases like these have set off a tidal wave of fear in organizations, and just as they did in response to the Sarbanes-Oxley Act, organizations seem to have overreacted, overcorrected and overspent. And, as with Sarbanes-Oxley, I'm now hearing electronic discovery used as a blanket excuse to justify IT processes and spending that serve no business purpose. Continue down this road, and you won't need to worry about a lawsuit because there will be no company left to sue.
So how do you put these e-discovery concerns to rest for good? Well, you can't. E-discovery is like a reckless teenager; you do the best you can, then cross your fingers and hope nothing happens. Here are three key tips, though, that will get you 80% there. Don't worry too much about the other 20% -- that's where the cost starts kicking in and it's not really necessary.
No. 1: Get your IT organization under control
This is going to sound a lot like the advice I give for Sarbanes-Oxley because it equally applies. The first step is to get your own act together. If you're not organized, get organized. If you're already organized, stay organized.
Know everything about your data. Know where all your servers are and their purpose. Know what's in every database, and maintain tight data governance control. Understand both your transactional systems and your data warehouses. Know every detail about every transformation that your reporting systems make to rearrange your data.
Know where your data is at all times, from the time it gets created until the time it is destroyed. Know how your data is backed up, where your data is stored, and how long it is stored there.
For the purposes of e-discovery, the focus should be on email and instant messaging; however, e-discovery should not be the driver. Get everything documented and organized because this information is vital to a properly running IT organization.
No. 2: Don't do anything special for e-discovery purposes.
Coordinate with finance, legal and other departments to clearly understand what your document retention and destruction policies are and make sure you do your part to comply. I once led the development of a compliance data warehouse that had a policy of keeping everything online for 11 years -- and destroying anything older than that. The destruction is just as much a requirement as the retention.
Do everything you need to do to support your corporate policies (e.g., Sarbanes-Oxley, privacy) as they pertain to your business function, but don't make special accommodations in your normal business practice purely for e-discovery purposes (except for tip No. 3, below). You cannot anticipate what a potential lawsuit may require from an e-discovery standpoint, and the law does not require you to be clairvoyant.
No. 3: Hope for the best, but plan for the hold.
A litigation hold means things are about to get interesting. When there's even the anticipation of a lawsuit, your legal department will mandate that you stay your information destruction process. Litigation holds override any and all other retention policies. This is a contingency that you absolutely need to plan for and execute flawlessly. You must have the capability of altering your systems so information can be retained longer than usual.
I suggest organizing fire drills with your legal department to accurately assess the capability and effectiveness of your contingency plan. Have legal create a mock lawsuit, and go through the motions as if it were real. Focus first on email and instant messaging, then branch out to other forms of electronically stored information like Microsoft Word and Excel documents. The first time through, you will invariably find weaknesses in your system. This is normal. Continue executing drills until you know for sure you can react properly when it's the real thing.
E-discovery can turn into an e-nightmare if not handled properly. However, by running an efficient and lean IT organization and having a good litigation contingency plan, you can rest in confidence that you've done your diligence in the matter. Start discussions today with your legal department about assessing your capability to support them.
John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy that helps companies dramatically improve efficiency and avoid penalties and fines. For more information, visit www.excellentmanagementsystems.com.