At the core of any litigation today is the concept of understanding electronic data: where it is located, how it is managed, and how it can be accessed.
In the past, the litigation team consisted of inside and outside counsel, the business unit manager and outside suppliers. The legal responsibility for the management of a company’s data in most businesses falls squarely on the shoulders of the Information Manager. Thus, if a company is ever entrenched in a legal battle, the Information Manager needs to be part of the team and must be prepared to take the stand. Because of this person’s unique ability to discuss the internal systems that generate the data in question, an Information Manager will almost inevitably make any trial attorney’s short list.
The Information Manager has the same attributes as a professional e-disovery project manager: A good project manager is a risk management expert and consultant. They are in the conflict resolution business and must have an arsenal of skills to solve the many issues that arise during a case. They must have the skills to execute every aspect of basic management, technology, and operations and communicate it in a way that the legal team and client can understand.
The Information Manager must create a plan of action to address the data involved in the litigation. They must be able to speak to the company’s internal IT functions as well as the complexity of the company’s data architecture and be prepared to defend the company’s work practices and policies in anticipation of, not just in response to, litigation. Creating a litigation response team that prepares these responses and policies ahead of time is critical.
There are many issues that an Information Manager needs to address as part of the litigation response team, but more importantly in advance of any litigation so they are prepared in the event of a trial.
For example, an Information Manager should present a simple overview of how data is managed within the corporate structure. It should be clearly communicated to ensure that the litigation team can identify where the relevant data might reside and how it can be accessed and reviewed for responsiveness and privileged information.
In addition, an Information Manager should discuss data mapping and chain of custody procedures within the company. The ability to easily explain this data mapping process, who completed the process, how it was done and how it was audited, is a key element of any litigation involving e-Discovery.
Similarly, an Information Manager will need to know how to explain how data is handled on a day-to-day basis by the business unit and managed by the IT services organization. They will also need to explain how the back-up policies and rotation of this material is followed and how it meets the needs of the business and any regulations.
Lastly, if an Information Manager can speak to compliance issues and how they are managed from an IT perspective they will be at a tremendous advantage. How was the compliance audited and who did it? Are there any reports that confirm that this was done properly and on a routine basis? Be prepared to assess what impact this system may have on the litigation.
An Information Manager’s Checklist
In addition to the issues that an Information Manager will need to consider there are also some questions they need to ask. By discussing how data is managed in overseas subsidiaries and what safeguards are in place to collect data from these locations they will get a better understanding of how data is stored, accessed and reviewed in each country and how it applies to the respective privacy issues in that country while ensuring compliance with the company’s privacy officer.
Secondly, how is the records management program handled and what is the Information Manager’s role in that process? How might this process be impacted by a litigation hold? Is the records management process a separate entity within the company and if so, is their oversight by the Information Manager?
Thirdly, what role does the Information Manager play when staff need to be interviewed by the legal team for a deposition or interrogatory? Easily identifying where a particular custodian’s data resides, such as on the company network, a laptop or a portable device will ensure that all of the data is readily available for collection and processing.
In addition, how is the collection of data managed internally? Who collects the data? Is it self-collection or is it managed by an outside partner? Often, companies believe that they can self-collect the data without an outside experts assistance. This is a fallacy unless the company has a professionally trained collections team and has a certification such as CCE. Without a process in place, data runs the risk of being spoliated and this could result in sanctions by the court.
Lastly, what type of audit trail or chain of custody is in place as part of the day-to-day business activities? Providing reports and workflow diagrams to support the day to day activities will bolster the chain of custody compliance.
Here are a few basic guidelines that the Information Manager should adhere to as part of the litigation team:
- An Information Manager should be aware of, enforce and maintain regulations pertaining to its business operations and records. The company records should be easily located through a set of criteria such as by; custodian, department, facility, subject or product.
- Ensure there is an appropriate retention program so records are kept as long as required and are reliably disposed of when no longer necessary.
- Respond to the discovery obligations of litigation filed against the company within the time deadlines of the courts and ensure the company’s lawyers, whether in-house or outside counsel, are supplied with the information they need and their efforts are effectively supported.
- Manage the cost of the litigation to minimize effect on the company, both financially and in terms of the disruption of ongoing operations.
When using a professional e-Discovery vendor, there are a few ways you can ascertain if the company will be a good fit for your needs.
Firstly, ensure that the e-Discovery vendor has certain data security controls in place. The company should provide a reasonable assurance that management will provide oversight, segregation of duties and guidance with the implementation of security practices.
An Information Manager should also look at the companies HR policies. Ask them how the staff are hired and whether background checks were executed on the staff.
Similarly, it’s important to check what controls the e-Discovery vendor has in place to ensure they have provided reasonable assurance that physical assets will be adequately protected and that physical access to the computer equipment, system infrastructure and storage media is limited to authorized personnel.
Additionally, the e-Discovery vendor should have a documented scope of work and workflow for processing data. An Information Manager should ensure there is a back-up policy for client data.
Lastly, ensure that the company has a business continuity plan in place.
Once an Information Manager has qualified an e-Discovery vendor based on the above ‘check list’, there are additional specific questions that must be asked to verify that the data being handed over to the vendor is processed properly and completely for the litigation. Examples are:
1. Who owns the source code for the ESI processing software?
- Who will justify the defensibility of the process?
2. How can changes be made to the software if required for a project?
- Can your vendor modify the process to support your needs (new document types, different workflow, different meta‐data handling)?
3. How is chain of custody managed throughout the process?
- Is the data processed from the original drive that is sent for processing or is the data copied to a server while the original media is maintained in its pristine version?
4. How are exceptions tracked and managed through the process?
- This is a key component of chain of custody and defensibility of the process.
5. What type of reporting is available?
- It is very important for managing what has and has not been processed, status reports, exception reports, etc.
6. How scalable is the software to manage small and large projects?
7. What level of Project Management does the provider have to support and manage the ESI processing?
As discussed earlier the Information Manager must be a professional project manager and that same requirement must be expected from any vendor that is used.
The e-Discovery vendor Project Manager plays a vital role with the Information Manager and the legal team to create and communicate a budget and project plan that is realistic. In many cases, the client is unaware of what is happening on a project (they don’t receive a detailed budget or a project plan that clearly delineates what needs to be done to ensure what happens during a project is defensible). The Project Manager fills this void. Since there is no cookie cutter approach or “magic technology” that reduces litigation costs, the Project Manager that spends time with the legal team will better understand their needs and requirements and can solve the issues.
Information Managers must work with the legal team before a litigation hits to understand their expectations; create a plan that meets the company’s needs and prepare for the worst case scenario so the demands of a litigation are met while not compromising and impacting the day to day business of the company. Dealing with litigation can be an all-consuming task for any Information Manger, but if they are prepared and follow this guide for planning, these tasks and the risk are manageable.