EDRM Evergreen/Information Management/Legal Preparedness


Enforcement of Litigation Hold & Preservation Order

Once a litigation hold or preservation order is crafted, the next step is to ensure uniform implementation and enforcement. Responsibility lies with the individual organization to ensure that a litigation hold or judicially crafted preservation order is enforced without gaps. IT will bear the largest burden in ensuring that these orders are disseminated to all levels of the organization and that each department head conveys the message down to his or her subordinates. Most organizations have a complex series of centralized and departmental network shares, along with individual local stores (personal file storage on individual laptops that may not be synchronized with the larger organizational network), and even documents that employees store on their home PCs from work completed after hours or at a home office. This creates additional difficulties for the enforcement of preservation orders, as oversight is nearly impossible for information created and stored outside the scope of an organization's document management systems.

IT administrators, legal counsel, and department supervisors must work together to understand the scope of a litigation hold, what types of information are impacted, and who is most likely to be holding or working with relevant data. Those individuals need to be made aware of the restrictions in order to ensure effective adherence.

Identifying Custodians

Preparation for any legal matter, whether civil litigation, regulatory, or compliance, requires a thorough understanding of the issues, including the key personnel who are likely to have information relevant to the matter at hand. There are several ways an organization can identify key custodians for actual or potential legal matters, though the most common is the organizational chart. Traditionally, organizational charts are broken up by functional areas within an organization, allowing the legal team to quickly isolate the segment(s) of the business under a shroud of legal uncertainty. Once these functional areas are identified, departmental heads and their subordinates can be defined as potential custodians for relevant ESI.

One major limitation of organizational charts is that they are one-dimensional, typically based on older views of organizational segments as isolated, self-contained departments. Organizational charts do not consider the cross-functional nature of 21st century business groups, and key custodians will often be excluded from initial culling because of this limitation. Another means of identifying whose information is likely to be involved in legal matters is the use of data mapping to understand the flow of data across the larger organization. Search parameters can be applied across enterprise-wide document management systems to identify the authors of documents containing keywords related to a particular legal matter. This provides a more global result that does not limit scope based on functional work segments, as organizational charts do.

Another, newer tool for identifying custodians is the use of E-Mail visualization and social networking. Advancements in technology have enabled the development of tools that track E-Mail communication threads and can compute vectors of frequency, density, and spread of electronic communication. Starting with a single identified custodian, one can now trace the distribution groups that individual is sending emails to, identify the most frequent E-Mail targets for communication (demonstrating connectedness), and track secondary level distributions of the original communications to locate previously undetectable lower level recipients. For example, it stands to reason that the General Counsel for a large corporation is going to be a key custodian in any given legal matter; visualization and social networking show the obvious links between Counsel and C-level executives such as the CEO and CFO, but they also provide lower level detail about how secretaries and paralegals are copied on many of these emails, and even the secondary targets that a secretary may forward these communications to in order to address stated objectives. An organizational chart will result in identification of Counsel and the CEO, but may not recognize the key relationship between secretaries who are working with Counsel, or the administrative workers who are being tasked with something like filing, copying, proofreading, or even shredding documents. This lower level identification is enabled through the use of visualization and social networking, providing at-a-glance clues that demonstrate deeper and more complex patterns of communication that would not otherwise be discernable.
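The trace described above, from a seed custodian to direct recipients and then to secondary distributions of the same threads, can be sketched as follows. This is an added example, not part of the original EDRM page or any EDRM tool; the addresses, thread identifiers and function names are constructed, and it assumes mail metadata has already been reduced to (thread, sender, recipients) records.

```python
from collections import Counter

# Constructed sample mail metadata: (thread id, sender, recipients). Not real data.
MESSAGES = [
    ("T1", "gc@corp.example", ["ceo@corp.example", "cfo@corp.example", "sec@corp.example"]),
    ("T1", "sec@corp.example", ["clerk@corp.example"]),  # secretary forwards T1
    ("T2", "gc@corp.example", ["ceo@corp.example", "paralegal@corp.example"]),
    ("T2", "paralegal@corp.example", ["clerk@corp.example", "outside@lawfirm.example"]),
    ("T3", "gc@corp.example", ["ceo@corp.example"]),
    ("T9", "hr@corp.example", ["clerk@corp.example"]),  # unrelated thread, must be ignored
]


def trace_custodians(messages, seed, max_hops=2):
    """Return {address: (hop, deliveries)} for people reached from the seed custodian.

    Hop 1 is a direct recipient of the seed. Hop 2 is someone who received a
    message in one of the seed's threads from a hop-1 recipient (a secondary
    distribution). Only threads in which the seed was a sender are followed.
    """
    seed_threads = {thread for thread, sender, _ in messages if sender == seed}
    hops = {seed: 0}
    deliveries = Counter()
    frontier = {seed}
    for hop in range(1, max_hops + 1):
        next_frontier = set()
        for thread, sender, recipients in messages:
            if thread not in seed_threads or sender not in frontier:
                continue
            for rcpt in recipients:
                if rcpt == seed:
                    continue
                deliveries[rcpt] += 1  # frequency of contact along the trace
                if rcpt not in hops:
                    hops[rcpt] = hop
                    next_frontier.add(rcpt)
        frontier = next_frontier
    return {addr: (h, deliveries[addr]) for addr, h in hops.items() if addr != seed}


def rank_custodians(traced):
    """Order candidates: closest hop first, then most deliveries, then name."""
    return sorted(traced, key=lambda a: (traced[a][0], -traced[a][1], a))


if __name__ == "__main__":
    traced = trace_custodians(MESSAGES, "gc@corp.example")
    for addr in rank_custodians(traced):
        print(addr, traced[addr])
```

In the constructed data the clerk and the outside firm surface only at hop 2, which is the kind of lower level recipient an organizational chart would not show.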

Naturally, almost any legal matter is going to include the organization's legal counsel as a relevant custodian. Creating a list of attorneys within an organization, as well as outside counsel for the enterprise, is a quick and effective way of identifying groups of individuals likely to be implicated whenever legal matters arise. While this information will not necessarily reveal internal organizational relationships, it does provide a good starting point, and adding outside counsel will also create an external dynamic that would not be captured through purely internal organizational charts. This type of information is more function-based than subject-based, but for a segment of the organization that is likely to be implicated in virtually any legal matter, it is a functional area that will keep appearing time after time.

For organizations that have gone through the time and expense of past litigation, much information can be gleaned from that process to proactively prepare for future issues that may arise. Using past legal matters, a business entity can compile a list of frequently identified custodians and use this as a starting point going forward, avoiding the need to start from the bottom up with each new matter. There has been much talk about managing litigation as a “repeatable process” and about developing organizational knowledge through experience. Here is a prime example of how the past can prepare for the future. Most businesses and corporations tend to face recurring legal matters revolving around similar issues. Whether it be SEC regulatory matters, intellectual property disputes with competitors, or even employment law claims, the same issues tend to arise repeatedly, making it beneficial to recognize and identify common custodians who are tied to these matters. For example, having the corporate controller’s email and documents stored and culled for a particular date range from a past SEC audit will save an organization tremendous time and money if a customer sues the organization over business practices that arise from the same root practices that were being investigated by the SEC. Instead of starting from a zero base, an organization could have the files previously used for another, related matter on hand and ready to be produced in the course of litigation. Not only will this save time and money, but the organization also has the benefit of understanding the substantive content of this data; knowing the relative strength or weakness of its position, counsel can make logical and strategic decisions about how to proceed (settle quickly to avoid protracted litigation, or fast-track the matter knowing the facts are on your side).

International Concerns

With the increasingly global nature of business, international concerns relating to either data privacy or local regulations around transport and handling of data must be considered anytime potential legal matters are in play. One of the most prominent issues that must be addressed is the development of data privacy laws in particular regions, such as those adopted by the European Union, commonly referred to as Safe Harbor Laws. This legislation was enacted to protect data residing within the European Union (and certain outside countries that were party to the legislation), and it limits the transport of hard copy and electronically stored information outside of the member states encompassed by the legislation. This means that if you have data residing in London, it cannot simply be shipped off to India to be scanned, coded, and processed without certain levels of protection and security put in place. Some countries (such as Switzerland) have broad prohibitions on data being removed from their borders at all.

The EU Safe Harbor provisions do include certain foreign nations (such as Canada, Norway, and Argentina) that have conformed to the necessary data privacy and security protocols to satisfy data transport, and means do exist for individual organizations in countries like the United States to be deemed in compliance with EU Safe Harbor Laws, permitting export of data to those individual entities. However, even Safe Harbor Certification is not a blanket release on transport of data, and still requires explicit written authorization from all parties involved with the creation of the underlying data prior to it being exported.

Another factor to consider when facing potential legal action is whether any international conventions or treaties are implicated based on the subject matter of the legal action. International treaties such as the International Trademark Convention create certain rights and causes of action that must be strictly adhered to or else claims may fail on purely procedural grounds. Whether bringing or defending an action, any organization must investigate and understand international laws, treaties, or conventions that may affect substance, procedure, or both. Organizations need to know if claims must be brought in a certain venue, before a certain judicial body, or even if written notice of intent to file a claim must be submitted in accordance with certain timelines. These are critical matters that could potentially toll a statute of limitations or even forestall the ability to make a claim if not adhered to. Membership in an international convention may be required to even have standing to bring particular types of claims or stand before a judicial body.

Additionally, individual nations (and even US states) have different substantive laws, so not only the venue but also the choice of law in a particular matter can materially impact the outcome. For example, an organization facing an employment law claim needs to understand the difference between the substantive laws of Georgia, where the organization is headquartered (an at-will employment state), and those of New York (where an individual employee resides) to determine which choice of law is going to be most advantageous for its desired outcome. In particular, areas of employment law and intellectual property tend to vary greatly from state to state, so organizations must carefully consider how to best prepare or combat claims in these areas, whether one state is more advantageous than another, how a court in one state might apply the substantive laws of another if venue is shifted, or even the contrast between state and federal law in deciding whether a lawsuit should be removed to federal court or remain in a local state court. Organizations not only face legal issues from competitors and government regulatory bodies; human resource or employment law issues can also create complex relationships between substantive, procedural, local, and federal laws. Choice of law issues with respect to subject matter are often implicated in sexual harassment, employment law, right to work, restraint of trade, and enforcement of non-compete clauses. Organizations need to understand the interplay between organizational policies and human resource considerations, as well as those between contract law, common law, and state law. Do organizational contracts spell out a wide enough range to address a given situation between employer and employee or in a specific business transaction with an outside organization? If so, have these contracts taken into consideration the applicability of state legislation or even judicial precedent? These are issues that need to be considered in order to avoid unfavorable outcomes based on lack of research or preparation.

Dynamics Between Legal, IT and Information Security

[updated Jan. 30, 2008]
