| The scope and focus of legal requests for electronically stored information (ESI) were changed profoundly with the December 2006 revisions to the Federal Rules of Civil Procedure (FRCP). IT teams are now under increasing pressure to maintain a data destruction policy that's applied in good faith and regularly, and prior to any request for information. (A data destruction policy applied after an inquiry from corporate counsel looks more than suspicious.)
For example, Rule 26 (Duty to Disclose) addresses pre-trial discovery agreements made by two opposing counsels. Prior to the first court conference, opposing parties must meet to determine the number and type of ESI requests that will be made and met. Mark Foley, an attorney and partner at Foley & Lardner LLP who specializes in IT litigation, says those agreements and the resulting "litigation holds" have a direct impact on IT teams and their processes.
"You sue me and ask for a broad list of documents and data,'' explains Foley.
"I object, arguing that certain things you've asked for are either not relevant or that they are too expensive to search.'' Then, he says, it's likely the two parties would agree that a subset of the data would be provided quickly, but a preservation policy will protect a broader range of ESI items that might be requested later.
"Now the person involved with storage needs to know which data must be retained, but not just in the regulatory sense or the generic business sense," says Foley. "We also are promising to protect and preserve certain things in these agreements. And now some poor guy in the IT department has to figure out how to do it."
In these pre-trial meetings, says Foley, he often has conversations that are more technical than legal. "They have to do with things like meta data and tape rotations," he says. In one antitrust case, Foley deposed IT staffers regarding communication and sales data that was almost a decade old and kept on legacy systems no longer in use. The questions for IT departments today, he says, are whether or not they have the necessary tools to capture and preserve the data (and meta data); and whether they have a willing, competent and effective witness who can explain the rationale behind data destruction policies. Often, companies have neither and are less likely to have the latter, says Foley.
Greg Buckles, an ediscovery process consultant for Reason-eD LLC, a legal discovery consulting firm, says the new regulations can increase the amount of data firms retain, and sometimes they translate to the only standard a firm has for storing and destroying data. "Organizations without external regulatory pressure and structured document-retention programs often find that the interpretations of these discovery agreements become their de facto corporate record-retention requirements," says Buckles.
Andrew Cohen, VP of compliance solutions and associate general counsel at EMC, says FRCP is forcing many firms to formalize processes around ESI requests. "Organizations with repeat litigation are thinking about how to make the process more efficient, including putting in place 'playbooks' for repeatable ediscovery processes and 'source maps' of where their data is located," he says.
Matt Scherocman, a VP at the the Cincinnati-based PCMS IT Advisor Group, urges his small- to medium-sized business clients to pay attention to the new FRCP rules.
"The IT department today is waiting until legal shows up at their door saying, 'We need that data.' In my opinion, it's a lose-lose strategy," says Scherocman. "At some point, you are going to be sued and they are going to ask you for data. Even a well-founded judge, I think, could say 'If you can't produce it maybe it's because you are hiding it.'"
--Jerome M. Wendt and Joshua Konkle; additional reporting by Ellen O'Brien (EO)
- Impact of General Data Protection Regulation on Storage Systems –IBM
- The EU General Data Protection Regulation –Oracle Cloud
- Implementing General Data Protection Regulation in SAP Environments –Attunity
- Preparing for the General Data Protection Regulation –Fortinet, Inc.