Demands for electronically stored information are increasing, but most companies are still coping with those requests on a case-by-case basis, costing them time and money and putting them at risk for sanctions and fines.
So says a new study from Kroll Ontrack, which found that less than half of companies surveyed had a readiness strategy to handle e-discovery requests.
Kroll Ontrack’s 2009 ESI Trends Report polled 461 IT professionals and in-house counsel, half from the United States and half from Britain. The vast majority of both groups said they had a document retention policy (87 percent of U.S. companies, 80 percent of British ones), but far fewer had a policy specific to e-discovery readiness (46 percent and 41 percent, respectively).
“The survey points to a major hole in most companies’ planning for ESI responses,” says Stephen Prignano, a partner at the law firm Edwards Angell Palmer & Dodge. “Even if they have good document retention policies, few companies implemented any sort of formal across-the-board ESI response plan.”
Straight
A strong document-retention policy is important, yes, but “it isn’t sufficient to protect organizations when litigation or other events requiring the discovery of ESI strikes,” says Jason Straight, senior managing director of Kroll Ontrack’s ESI consulting practice.
Straight and others say a one-off approach to e-discovery not only costs companies time and money; it weakens the defensibility of their document retention policies and puts them at risk of failing to identify and preserve data that might be discoverable in civil litigation or regulatory proceedings.
Many companies refer to their document retention policy to aid in their e-discovery response. Straight calls that inefficient at best, since companies end up designing preservation, collection, search, review, and production protocols every time litigation or a subpoena comes over the transom.
Prignano says retention policies often fail to meet e-discovery needs because they don’t standardize procedures for what happens after a litigation hold is put in place, such as how ESI is collected or safeguarded. “Without standardized procedures, companies go through the same learning curve multiple times,” he says.
Companies also face the more prosaic risk that employees’ actual practice might differ from the written policy. The company could then end up making misrepresentations about its data or making decisions based on inaccurate information.
Not surprisingly, companies in highly regulated industries (pharmaceuticals, life sciences, insurance, and the like) and those constantly involved in litigation are ahead of the curve.
Bace
“The ‘frequent fliers’ in the federal courts have good protocols in place already, but the majority of companies are still struggling, even with their document retention policies. So when the face an e-discovery issue they deal with it on a case-by-case basis,” says John Bace, a research vice president at the Gartner Group.
Farrah Pepper, head of e-discovery at the law firm Gibson Dunn & Crutcher, says that while companies are more interested in establishing e-discovery policies, “there’s less implementation than otherwise might exist in a different year” because of the economic climate.
Pepper
Still, Pepper and others argue that companies should spend the time and money to implement a comprehensive e-discovery system. The 2006 amendments to the Federal Rules of Civil Procedure (which pulled discovery rules into the electronic age) and subsequent case law “have pushed for companies to have detailed conversation about their policies, data location, and scope early in the process,” Pepper says. Companies not prepared to do that lose the chance to narrow the scope of discovery requests early on.
SOME ESI STATS
The following excerpt from Kroll Ontrack’s 2009 ESI survey highlights some key statistics in regard to U.S. and U.K. document retention policies:
87% of U.S. companies have a document retention policy, compared to 80% in the U.K.
Only 6% of U.S. organizations do not have a policy; this rises to 13% in the U.K.
In the U.S., IT professionals are most aware of their policy (88%); in the U.K. it is in-house legal advisers (83%)
Only 46% of U.S. and 41% of U.K. companies have a policy specific to ESI discovery readiness
A further 24% of companies in the U.S. and 30% of companies in the U.K. do not know whether they have an ESI discovery readiness strategy or not
Awareness of ESI discovery readiness policies is higher among IT professionals (51% in the U.S., 45% in the U.K.) than in-house legal advisers (39% in the U.S., 37% in the U.K.)
35% of companies in the U.S. and 21% of companies in the U.K. say responsibility for ESI discovery strategy lies jointly with IT and in-house legal counsel
A further 11% of companies in the U.S. and 20% of companies in the U.K. say responsibility lies with a cross-functional team
20% of U.S. companies say responsibility lies with the CIO/IT in contrast to 13% of U.K. companies
Source
Kroll Ontrack’s ESI Survey Results (2009).
The Kroll report also notes that many companies don’t have a mechanism to preserve potentially relevant data in anticipation of a lawsuit or regulatory probe. Among those polled, only 57 percent of U.S. and 39 percent of British corporations have a litigation-hold policy that allows them to deviate from their overall document retention policy in response to litigation.
Again, that means companies must either design fresh litigation-hold protocols for every case or risk not implementing the hold. That could result in lost or spoiled information, Straight says, which brings its own risk of fines, sanctions, or losing a case.
How to Get It Right
Among companies that do have an e-discovery readiness policy, the Kroll survey shows that IT and legal departments typically share responsibility. Thirty-five U.S. companies and 21 percent of British companies described it as such. Twenty percent of U.S. companies and 13 percent of British ones say responsibility lies principally with IT management.
Straight says collaboration between legal and IT is critical. “Either one without the other can’t get the job done,” he says. At the same time, however, a company should designate a single person to be accountable for assuring the program is effective.
Bace says some larger companies and those in highly regulated industries have created a litigation support manager role, to serve as an “e-discovery czar.”
Another challenge: Companies aren’t keeping pace with new technologies such as virtualization, cloud computing, or social networking, which are rapidly scattered corporate data across the Internet. Nearly half of companies haven’t updated their policies over the past year to include new devices and channels, according to Kroll. Straight recommends those policies should be updated twice a year or whenever new platform or technology is introduced into the organization.
Prignano
Prignano says new technologies are creating “huge blind spots” in companies’ litigation response plans. “That’s going to be an exploding area of ESI going forward,” he says.
“Companies tend to focus on what’s on the network, and forget about what’s stored locally,” he says. “Many companies don’t have a good handle on who’s got mobile devices or what they’re using them for. Even laptops are often overlooked.”
Prignano says instant messaging and mobile devices are particularly troublesome, because people “tend to communicate more cryptically than they do in correspondence or even e-mail and they’re less careful about what they say.”
No comments yet