E-discovery is complex, even for the most sophisticated corporations. A wrong turn or inadvertent misstep can send the case spiraling down quickly, not to mention what it can do to your budget. Here’s what we believe clients should be talking about with their outside law firms and e-discovery providers — before starting a project.
#1: What kind of potentially relevant data do you have, how is it stored, and what are implications for collection and processing of that data?
Communicating about how client data is collected and processed upfront can avoid headaches down the line. With the growth of new types of data — social media, chat, cloud-based business applications and more — corporate IT departments may not have the most up-to-date tools and expertise to accurately collect from these new and emerging data sources (or even if they do, they may not have the technical expertise to address the constant changes that these data types require for collection). Furthermore, once collected even the most sophisticated processing environment may produce unexpected results because traditional processing tools were not built to handle these types of data. Simple communications at the start of a relationship can help identify and map data types to ensure that the appropriate collection and processing tools, processes and resources are assembled.
The communications should involve the client, firm and e-discovery provider. This is because certain types of data (i.e. instant messages or chat) may be more relevant to a case and the client is in the best position to know the issues at hand and where potentially relevant data resides – but may need to rely on a provider, under the oversight of counsel, to identify the priority data types and have it processed correctly.
Know the answers to the following questions:
- Do custodians use PC and/or Apple products?
- Are there any mobile devices or tablets from which data should be collected?
- What are the email messaging systems used by employees (i.e., Outlook, Bloomberg Chat, Lotus Notes, Gmail) and how will data from these systems be identified and processed?
- Are there any instant messages subject to discovery? If so, what properties distinguish these from emails?
- Does the client have potentially relevant data residing in the cloud?
- Are there any unique data types or password protected files in the client’s environment that will need to be addressed during the processing stage?
As employees move to different types of devices such as Mac computers, iPad, iPhone and other smartphones, tablets, and the like, and clients move to different types of storage (including cloud-based data archiving and storage), new data types and metadata will be created requiring updated collection and preservation strategies. Addressing these strategies upfront will assist in processing this data correctly in preparation of litigation and investigations.
#2: Are there custodians outside of the U.S.?
Knowing if a client has any potential custodians that are based outside of the U.S., specifically in the EU where many countries’ data privacy rules restrict the processing and transfer of data outside of the country, is critical for planning a new matter. The presence of custodians in international jurisdictions thus affects how data is collected, processed, hosted and reviewed.
If there are custodians outside of the U.S., it is imperative to know those jurisdictions’ data privacy laws to plan accordingly. Can data leave the country, or must it be processed and/or hosted in the physical location? The second step is knowing who can access the data. Can members of the legal team outside that jurisdiction remote in to access the data or must they be present?
As countries expand their data privacy laws, having knowledge of these jurisdictions as early as possible can help case teams and their e-discovery provider best prepare for the upcoming project. While it is unlikely that many discovery providers have footprints in every jurisdiction, alternatives exist such as ”backpack” technology and service deployment models that can address processing and hosting in almost any situation (either on-site or leveraging the provider’s local datacenters).
#3: What are the key project milestones?
Time is of the essence. This is especially important in the litigation arena. The more time, the more options are available. However, often times we are up against a wall with a very short deadline in which the only strategy is to “get it done as fast as possible.” (We don’t think this is, in fact, a strategy.) While discovery timelines are often open ended and very difficult to pin down, identifying and working towards key milestones can best set up a project for success.
Although the end of the discovery deadline is the big date that seems to be the end goal, setting out and working towards milestones early on in the discovery process can open up new opportunities for more efficient and cost-effective discovery – and ultimately, better results for the client.
For example, many times, the biggest obstacle to not using new methods or technologies is that case teams are working against time. For example, working with a complaint early can help negotiate terms and get estimates on volume to see if using technology-assisted review (TAR) would be a good fit for that matter. When under the gun, parties are more likely to use what is most familiar, such as keyword terms. The result is that cost reduction measures like TAR are put on the backburner. If these new strategies are identified as possible approaches at the onset of a matter, parties can discuss the merits of using new technologies and run test cases to see if this will be a good fit. The result is cost-savings to the client and also, in many cases, more consistent and relevant data that is produced between parties.
#4: Who are all the relevant parties, and what are their roles and responsibilities?
When multiple law firms and e-discovery vendors are engaged on a project, there could be a significant number of bumps along the road, specifically in lack of communication (or miscommunication) among the parties and lack of standardized processes that drag down timelines and efficiencies (and can lead to wasteful duplication of efforts and add to overall costs to the client). These challenges can be avoided by specifying the involved parties and their respective roles upfront, the subject of a recent article in Corporate Counsel magazine, In E-Discovery, Delete the Law Firm v. Vendor Mentality.”
For instance, there may be a matter with multiple law firms engaged on different pieces of the project, a separate managed review team doing substantive document-level review, and also additional vendors involved in the processing and hosting of the data. This is a case where the client should come in early to clearly define the parties and their roles. In many cases, the e-discovery vendor can act as a central “project management office” to ensure that all parties are working in coordination to meet the client’s goals.
Below are a few helpful questions to address:
- Who has authority to make decisions, such as cost-related items or user access to the review platform?
- If certain parties do have authorization, not just the client, is there any hierarchy between the parties (i.e., can law firm A approve access of Managed Review team B)?
- Can the parties communicate between themselves, as necessary, or are there any walls due to confidentiality or privilege?
#5: Do you know your own security measures to protect employee data, and have you audited the security measures by your providers?
When dealing with data, security is a top concern. While law firms and e-discovery services providers should have the most stringent information security measures to protect client data, it’s not always the case – and law firms, with their troves of valuable client data – can be the weakest link. Having protocols in place regarding how data is encrypted, who can access it and how it should be transferred should be part of an open dialogue at the onset of any relationship (and you should know your organization’s strengths and potential areas of weaknesses, as well). Today, law firms and vendors handle sensitive data of clients on a daily basis. Knowing the clients’ security practices is a minimum safeguard to protecting their data from being subject to a security breach or otherwise damaged.
Develop a checklist to assess your and your providers’ security protocols. Do you and your providers…
- Design and deploy a regular training program designed to inform employees of the risks associated with mobile devices, malware, phishing, and other cyber-attacks that can expose confidential data?
- Inventory data and create a data map?
- Draft and enforce policies that restrict the use of cloud-based applications and file-sharing services?
- Require the use of strong passwords and two-factor authentication?
- Encrypt data that is proprietary, confidential or otherwise valuable?
- Minimize the risks of mobile devices and the cloud by restricting the use of unsanctioned applications?
- Know your cloud providers’ security infrastructure, policies and procedures?
- Retain outside consultants to regularly test IT systems for cyber-attacks and system weaknesses?
To make your e-discovery life easier, avoid being the employee in ‘Everybody’s Talkin’ at Me’ and set expectations with your legal and litigation support, including law firms and e-discovery providers, at the outset.