Data Retention and Electronic Discovery Law

Data Privacy Rules in the EU, Asia, and USA and How John Cleese Might Summarize

2012-01-17T18:48:00.000-08:00

Copyright © 2012 Cary J. Calderone, Esquire

I had the pleasure of attending a terrific breakout session run by Amor Esteban (bio) and William Kellermann (bio). My words would not do their presentation on Cross-Border Discovery and Data Privacy justice. So please forgive me for borrowing the words of John Cleese from The Meaning of Life to summarize:

Before we begin your lesson, would those of you playing in the match this afternoon move your clothes down onto the lower peg, immediately after lunch. before you write your letter home, if you're not getting your hair cut, unless you've got a younger brother going out this weekend as the guest of another boy, in which case collect his note before lunch put it in your letter after you get your haircut and make sure he moves your clothes down to the lower peg for you. (Age restricted Python video clip on Youtube)

Yes it's perfectly simple!

This blog post was a challenge to write. I blogged about one of Amor's presentations on the same subject in 2008 (link to post) so I was looking forward to hearing updates and finally getting a little more clarity on the conflicts in the rules between the U.S.A. and other countries. The result? There has been progress and evolution but there still are so many conflicts and "what-ifs" that even experienced attorneys have to be careful and weigh the risk of each matter before offering the best option. Instead of giving what could only be incomplete tips that potentially cause more harm than good, or a workflow that ends up sounding like John Cleese, here is a list of considerations that can affect how and when you can or cannot preserve, review, and/or collect data. If you understand why all these options are important, and how to navigate through the various "what-ifs," then congratulations, you are probably qualified to be an international data expert.

Considerations

Is your US based legal or investigative matter sufficient justification to collect the data?
Is this personal or business data, or, both?
Could this data be considered a State Secret?
Do you know the country of origin of the data?
Do you know where the data is stored?
Is the data stored in multiple locations?
Is the data on a laptop that might be in a country other than where it originated?
Does your computer usage policy protect you?
Do you need to get consent from the Union to collect or use the data?
Is the data encrypted?
Does the data need to be encrypted to move it?
Do you need to use a special encryption key?
Do you need local counsel?
Are your clothes on the lower peg?

Just kidding with that last one but hopefully this list helps you understand why a simple workflow is not possible. This is one of those areas of law that is extremely complicated, and what's worse? It is constantly changing and evolving. The only "best practices" advice I can offer is:

If you have the chance to listen to Amor or William speak on this subject, do so. You will learn the reasons behind all the above considerations.
Review the 57 page Sedona Conference report on the subject (available here).
Retain experienced legal counsel to advise you on these types of matters before you get yourself into real trouble!

The Hills Are Alive With the Sound of E-Discovery???

2011-12-25T10:33:00.000-08:00

By Cary J. Calderone, Esquire

Still available on Amazon!

It is the Christmas season. Those of us involved in DRED Law wish you and yours the happiest of holiday seasons. Along with many of the more important traditions that occur, this time of year brings television repeats of classic movies like The Sound of Music. For the past few years, I could not help but think of e-discovery while watching parts of this movie. Now, I am not obsessed with e-discovery and data law. I promise you. However, a few scenes from the movie explain in most vivid detail just why the EU has a very different attitude and set of rules towards email and other information that may reveal a user's personal identification. So, this post is for all of you who are not aware, or, are uncertain as to why the EU Data Protection Act is far more strict and penal in attempting to protect personal privacy at work. Let's see if these bits of dialogue from the movie validate my point and perhaps give you an idea of who, is to blame. Take, for example:

Rolf to Lissel when delivering a telegram for Captain Von Trapp- “We make it our business to know everything about everyone.”

Or, dialogue from Heir Zeller-“You were sent a telegram which you did not answer. A telegram from Admiral Von Schreiber of the navy of the 3rd Reich.”
Captain Von Trapp “I was under the impression Heir Zeller that the contents of telegrams in Austria are private! At least the Austria I know.”

The reasons should now be clear. Once we in America understand the origins of the EU Data Protection Act, it will be easier to put in the systems and policies necessary to better comply with the rules. We will follow-up this holiday post in the new year with a more detailed explanation of the EU Data Privacy rules courtesy of a terrific breakout session run by Amor Esteban and William Kellermann. Until then, if you are frustrated and angry with the challenge of navigating US Data rules and EU Rules at the same time, take heart. You are not alone. We can all just blame the Nazis...

Happy Holidays

Churchill Club Presents The Big Data Effect

2011-12-12T18:39:00.000-08:00

Copyright © 2011 Cary J. Calderone

Is Big Data being over-hyped? "I certainly hope not" was Ping Li's heartfelt response to moderator Michael Chui's question to the panel (bios below). Li's firm, Accel Partners, made a splash in the news recently by announcing the creation of a 100 million dollar fund for investments in Big Data. The Churchill Club panel members each gave their own interpretations of the Big Data Effect. They emphasized that Big Data was not just about the volume of data, but how it could be researched, extracted, and analyzed.

Mr. Li, commented that Big Data was a mixture of machine-generated, user-generated, and open data, but the Big Data effect had to do less with size and volume and more with getting value from new data, old data, and, the mixture of the two. Li believes "we are in the early days of this transformation" and he wonders "what will be the next Seibel or Cognos of the Big Data world?" Gil Elbaz emphasized the important issue was whether the data would be open and transparent and therefore, easily accessed and exploited. An interesting explanation of the Big Data effect was offered by Luke Lonergan. Lonergan mentioned a unique situation where a large retailer, that had not yet bought into the idea of Big Data discovered it had customers, who because of their iPhones and Androids, knew more about the products than their retail clerks. So even though one would think the retail clerk is there to help the consumer, because the clerks were relying on an antiquated terminal and sku system, they were in reality, an impediment to the sale. To me, this particular Big Data effect might best be captured by the title of John Hagel's book, "The Power of Pull." How can a company not recognize and move towards the expectations of its better informed customers if it expects to stay in business? Slow moving retailers will be pulled towards Big Data by the expectations and capabilities of their customers and competitors.

My next favorite quote from the panel was that "privacy is the third rail of Big Data." The advanced mining capabilities if Big Data are relatively recent and yet they have already evolved to the point where the average smart phone user would be dumbfounded to learn what collectors and facilitators of meta-data, already know about them. The panel noted that at a recent government inquiry, even the government representatives were surprised by how much information is already mined and how powerful it can be when analytics and metrics are applied with location. This is especially true at what Ping Li finds the most interesting new area, the cross-section between mobile and Big Data. He believes the smart phone is the best data-capture device. Anand Rajaraman added that it is not just about Big Data captured, but rather "fast" data and this is exactly what smart phones capture so well. Mobile data is fast data. In other words, it matters not only that the data can be captured and analyzed, but that the answers or results are calculated quickly. This provides for the optimal Big Data effect. Rajaraman also appreciates the potential and challenges at the cross-section between public and private company data. "Do you bring all the public inside, or, move your private data to the cloud and risk security concerns?" Keith Collins added that it was the flow of data that may lead to the best discoveries and innovations.

It seems the entire panel agreed that one of the important new areas for the Big Data effect would be advancements in the healthcare industry. "The stores of information from real patients is a gold mine." The old model of testing medicines on groups of people, or, a doctor relying on the patient's questionnaire for history, are archaic when compared to mining of healthcare information of most everyone in the world. In this instance, size (of the data base) does matter. The ability to quickly "crunch" every possible variance in patient history may prove as an essential element to the innovators. My own favorite argument in support of the proposition is a simple one and involves Watson, the IBM computer that has been able to continually trounce very smart people in a game of Jeopardy. Very simply, wouldn't you like to have Watson analyze your health for one minute, in addition to your doctor? As smart as your doctor may be, can they cross-check possible side effects of the 3 to 4 pills you are taking as well or as quickly as Watson could? Unlikely. I believe everyone in the audience could identify a similar situation with their own healthcare experience.

Although it was not mentioned by the panel, my own personal experience has dealt with diagnosing food allergies. We allergy patients have always had to self-monitor and self-diagnose to help the process. I would love for that information to be readily available and accessible to every doctor I see. Moreover, I would even offer it to a general database on allergies and interactions so others may benefit from my experience and I, from theirs. To this end, the panel made the point simple. More and better information available to the patients will lead to more accurate understanding of the conditions, and lead the doctor to making a faster and more accurate prognosis and, finally, achieving a better outcome.

In a recent blog post Seth Godin gave an example of the problems that still exist in healthcare, which he labels as "pre-digital." Think about his frustration and imagine what Big Data technology may change. Godon's description of a visit to the Emergency Room:

Six people doing bureaucratic tasks and screening that are artifacts of a paper universe, all in the service of one doctor (and the need to get paid and not get sued). A 90-minute experience so we could see a doctor for ninety seconds. (full blog story)

It is easy to see how Big Data technology can improve a visit to the ER. The ultimate challenge according to the panel, is whether there is a way to do it responsibly? If so, open access to Big Data and personal health information is likely to garner quantifiable life-extending and quality of life improvements.

In addition to healthcare, Keith Collins explained how the Big Data Effect could help with energy policies and a smart grid by providing predictive and optimization analysis. Soon they will have the capability to analyze the grid on 15 minute intervals. He likes those who follow the creation of new regulations and then determine how to turn that into a value proposition. Lonergan added that the new tools, smart meters and smart grids, have provided us with new data and new opportunities around that data.

In conclusion, whether it is healthcare, energy, or just plain old business productivity and profits, the final takeaway from this terrific panel is that everyone involved with Big Data will have to be very careful to safely navigate the third rail. But, if they do it responsibly, then the innovation and growth potential will be very Big, indeed.

The Big Data Effect

		Speakers: Keith Collins, Senior Vice President and Chief Technology Officer, SAS Gil Elbaz, Founder and CEO, Factual Ping Li, Partner, Accel Partners Luke Lonergan, Chief Technology Officer, Vice President and Co-Founder, Greenplum, an EMC Company Anand Rajaraman, Senior Vice President, Walmart Global E-Commerce & co-founder, @WalmartLabs Moderator: Michael Chui, Senior Fellow, McKinsey Global Institute

Big Data-Not Just Big Storage Or It May Be A Big Headache

2011-12-06T09:17:00.000-08:00

Copyright © 2011 Cary J. Calderone Esq.

Time to give the busy professional's definition of the latest technology buzz phrase, "Big Data." In brief, it is about being able to process and mine very large amounts of data (even petabytes) for business intelligence. Big Data indexing and database technologies, like Hadoop and NoSQL allow for distributed processing that previously was impossible with standard table-based relationship databases. However, too many short-term thinkers will try to implement a Big Data strategy by doing nothing more than keeping everything they can and figuring it out later. This approach is fraught with Big danger.

The most frequent justification for employing a Big Data strategy is to improve business intelligence. Customer satisfaction and trends identified with Big Data technologies can be used to optimize your supply chain as well as shape your digital marketing efforts. However, more data can also mean more concerns with US and Foreign rules governing privacy and security. Will your data be anonymized? Will critical HIPAA or Credit Information be scrubbed or tokenized sufficiently to adequately secure and protect it? And last, but not least, are you going to have to analyze your Big Data for E-Discovery? By and large, if you own and control the data, at some point, a court, at the behest of one of your adversaries, will want you to analyze it for E-Discovery purposes. Will you be able to defend your practices? Will you be able to show why you should not have to produce it? If you have to analyze it for E-Discovery production, will you be able to do so in a timely fashion? One company that decided to keep all company email realized too late, that their search tools and storage drives were inadequate. It would take 12 days to get simple keyword search results. This was definitely not useful for performing Early Case Assessment. Good DRED practices suggest that before you decide to keep everything, make sure you have the policies and procedures and technology in place to use your Big Data to your advantage, and limit your exposure to those potential problems. Make sure your Big Data plans provide you with Big benefits that will far outweigh some of the potential costs. Then, maybe you can avoid Big Delays, Big Problems, Big Costs and even, Big Sanctions.

CEO Bans Email-Maybe Email Really Is Dead

2011-11-29T19:17:00.001-08:00

Atos Headquarters Location at Lago Maggiore

A few weeks back I pointed out to DredLaw readers ways that new technology would be superior to email. (Link to article) Now here is a European company, Atos, that is banning employees from using email to communicate with fellow employees (Link to article) and for precisely the same reasons mentioned. They will be using new collaborative tools and instant and video messaging as alternatives. While I applaud the effort, they will have to be very careful with their data retention and privacy programs.

The rules governing retention for business and legal application do not differentiate based on the type of computer tool or application, or smart phone, that may be used to create the data, but rather, the content of the data. I am not saying it can't be done. It can. However, it will take good planning, training, and auditing to make sure their policies and procedures will withstand legal scrutiny later. The ABC news article goes on to say:

When asked how employees have responded to the policy, Crouch told ABC News the overall response “has been positive with strong take up of alternative tools.”

Moreover, the CEO responsible, Thierry Breton is on point. The article reveals his bold logic:

“We are producing data on a massive scale that is fast polluting our working environments and also encroaching into our personal lives,” he said in a statement when first announcing the policy in Feburary. “At [Atos] we are taking action now to reverse this trend, just as organizations took measures to reduce environmental pollution after the industrial revolution.”

The article does not mention some of the applications, but described them as "Facebook-like." Which coincidentally, is the same way I described Rypple and Yammer. We will look to follow-up with Atos in the future to see how their approach continues to work. My hunch is it will be successful and will be emulated by many other companies trying to effectively manage their ever-growing repositories of electronically stored information. Kudos...

The C-Level Nightmare-Do You Know What You Do Not Know?

2011-11-13T14:46:00.000-08:00

Is this your CEO, CTO, or, General Counsel?

This post goes out to all those C-Levels who have not approved pro-active information management and DRED work because, "they can just search and find what they need when they have to." For almost any attorney or e-discovery professional with experience, this cavalier attitude causes a LOL moment. We also call this approach, "head in the sand," or sometimes, "ignorance is bliss...until it's not." After the 9-11 attacks, when the Department of Homeland Security was created, I remember Secretary of Defense, Donald Rumsfeld, speaking about 3 things: 1) What you know as fact, 2) What you do not know but can research and discover and, 3) What you do not know, you do not know. C-Levels who think they will just find what they need, when they have not tested their approach under the threat of pending litigation, are in the last category. They do not know, what they do not know. Not convinced? Then please consider these items:

In all likelihood, you have relevant data in a legacy system or proprietary repository that may not be touched by your search tool. Even the best technology has to be pointed in the right direction.
You have data that should not be touched by your search tool because it will violate a privacy policy.
The more data you have to search, the more it will cost you. This is true even if 99% of the data is ultimately not relevant to the case at hand.
The more data you have, the more likely your search results will be mediocre. Is mediocre acceptable when setting up a strategy to prosecute or defend a legal matter?
Your search plan will probably not adequately cover home computers, laptops, iPhones, or that 32 gig flash drive dangling from your employee's key chain, let alone all those employee posts on Facebook.

The end result will not be pleasant. You will be faced with substantial costs before you even consider the potential damages to an adverse judgement.

Even a basic DRED assessment can help let you begin to know, what you do not know. It is not hard to discover if you know who to ask, what to ask, and, where to look. I have never met with a general counsel for this assessment (I should call it DREAD because it describes the look on their face) who did not pay close attention and thank me profusely for what I shared with them. Now you, even as a C-Level, may still not know, or, care to know the dirty details, but your future opposing counsel most certainly will. Is that when you want to find out that you have ten years of backup tapes with relevant data stored in a closet? I didn't think so...

Coming to a Law School Near You- eDiscovery Class 101

2011-11-04T10:19:00.000-07:00

Professor Rick Marcus

Copyright © 2011 Cary J. Calderone

A few weeks ago, I had the pleasure of attending a Hastings College of the Law alum event where Diane Gibson, a prominent San Francisco litigator with Squire Sanders et al., and UC Hastings Professor Rick Marcus, presented, E-Discovery and Preservation. There was some good DRED news. For an alumnae event, this was very well attended. There were over 100 people who showed up because they were interested in learning about E-Discovery. The bad news was that when Professor Marcus, a principal drafter of the 2006 E-Discovery amendments to the Federal rules, polled the audience to find out who had heard of FRE 502 (critical for protecting privileged material from accidental disclosure) only myself and three others raised their hands. Scary! During the lecture and the Q&A afterword, we heard about many of the interesting E-Discovery and preservation issues, and what the Advisory Committee is considering for future amendments, but for me, the most important item was that Professor Marcus will, for the first time, be teaching Hasting's E-Discovery class in the spring of 2012.

I am looking forward to following up with Professor Marcus, to see how the class progresses from his initial course syllabus to the final exam. Based on my personal interactions and experiences with general counsel and attorneys, I think an E-Discovery course should be required for all law students and members of the bar. When he mentioned the new offering at the law school, and, especially considering the results of the FRE 502 poll, I thought "thank goodness." Still, I can not help but wonder how challenging it will be for Professor Marcus. The typical law case book does not change often and I am concerned that without a fairly deep discussion of the current technology employed, the E-Discovery law and techniques learned will be of short-term value.

It seems as though the Federal Rules of Civil Procedure get amended to keep up with technology, and before the ink is even dry on the amendments, technology innovation renders those rules, ambiguous at best. Remember a few years ago, when all the concern and debate was about what constituted "inaccessible data?" Technology has changed so now that discussion, if it were entertained, would be about easily accessed versus costly-to-access data. Inaccessible has been all but dropped from consideration and the California E-Discovery Act, specifically allows a Judge to require a litigant to produce the information, even if it is considered inaccessible. In all likelihood, practitioners and students are not going to bother discussing that subject. They will be far more worried about what to do with all the data coming in from Twitter and Facebook.

Another great example of law versus technology came from an audience comment. A retired attorney brought up the California rule that required Transit Authorities and certain government entities to keep all surveillance video tape, for 3 years. This rule was, of course, enacted into law during the days when an entity had only one camera and recorded the video to actual video tape. Today, an average bus has 10 to 12 digital hi-resolution cameras on board. For a Transit Authority to keep all "tape" from all cameras on hundreds of buses for even a year it would cost millions of dollars and probably require a special data warehousing structure. We can only wonder how long it will be before that law is updated? And, then, how long before technology advances render that new law obsolete as well?

If I described teaching E-Discovery technology to law students as a Sisyphusian challenge, it would not be adequate. To be appropriate the story would have to have the additional fact that every time Sisyphus rested, the boulder grew even bigger and heavier. Technology moves to Moore's law-processing power goes up and the price comes down. Technology innovation happens constantly and almost as quickly as the speed of thought. Government codes and case-law move and evolve slowly at best, and compared to technological innovation, at a glacial pace. Good luck Sisyphus and those poor attorneys and students who do not already understand quite a bit about technology. Mega-kudos to Hastings and Professor Marcus for recognizing the need for formal E-Discovery training and for getting started!

New Facebook Privacy Settings-Are You Now A Publisher Or A Public Figure?

2011-10-18T15:23:00.000-07:00

Copyright © 2011 Cary J. Calderone

This calls for a quick overview of Libel Law 101. A publisher has standards for accuracy or else they can be sued for defamation and other things (see Description at Student Press Law Center). There are things you can do to limit your exposure to legal action, by following certain protocols and guidelines. For example, you have heard the phrase, "the truth is an absolute defense." This may save you from a legal action for libel. But, unfortunately, sometimes publishing the "truth" can expose you to other legal claims, like invasion of privacy. This is especially so when the items published are, in fact, true, and perhaps, a tad unsavory. However, there may be a defense for that too, if you happen to publish these unsavory truths about a public figure. Public figures are pretty much considered fair game, or, at least at a level where even if you publish something about them, even with some non-truths or inaccuracies, you will be held to a more lenient standard. At this point you may be a bit confused by this area of law and are thinking that you would never consider yourself a publisher anyway? You don't even have a blog. So why worry? No reason, unless you happen to be on Facebook or another Social Media site and have a lot of friends, followers, or the newly created category of "Subscribers."

The latest Facebook feature is the "Subscribe" setting (see Facebook description) What an oxymoron to refer to it as a "privacy setting!" Basically, it permits you to allow "Subscribers" who can see your public posts in their Facebook Newsfeed and also, allows you to "Subscribe" to others. Now, even "non-friends," can subscribe to and follow all your posts and comments that you set to "public" on Facebook. Other sites, like LinkedIn and Google+, are looking for a way to make more of your posted information “public.” Does that make you feel powerful and influential like the New York Times or Kim Kardashian? Regardlessof your answer, it is time to take a little closer look at the legalrules for publishing and public figures, because thesestandards may apply to you.

Here is what it takes to be a Publisher according to the Student Press Law Center.

Publication

A statement is "published" if it is communicated to someone other than the person whom the statement is about.
Publication can take many forms and does not simply mean that the statement has been printed in a newspaper or other document. For example, a defamatory statement's presence on a computer screen in the newsroom where it is read by other students could constitute publication.

In the case of celebrity Twitter, it is obvious. Ashton Kutcher, Kim Kardashian, Lady Gaga, and countless others have tens of millions of followers. These celebrities have learned to "Self-Publish." They are now authors and publishers. On the one hand, they have a simple way to publish and publicize accurate information about themselves. On the other hand, because they have millions of followers, they have learned that there can be legal repercussions when they are not accurate, or, conversely, are too accurate, when they tweet/publish information concerning others. Privacy and defamation lawsuits are an ever-present concern. The danger to you is that you can easily be considered a publisher too. The definition above shows that even if just one person reads your material, you are a publisher and exposed. So before you go "public" as a publisher, you should really learn a few of the basics about what you can and cannot safely publish. And, by learn, I mean do more research than simply reading this thoughtful and entertaining blog post!

Now the flip side. There is more. Maybe you are a publisher but you will always publish safely and you do not feel exposed. Great! But now lets consider what protections you have for those things others say about you. Can you stop them from hurting you or you reputation? Can you sue them for libel? Or, is it possible you have become a public figure due to your thousands of adoring fans and subscribers? Even as a cautious attorney, I hesitantly joined LinkedIn first, and then Facebook, a few years ago. It would be an understatement to say I have always been cautious about who I friend or connect with online. I urge my friends not become Facebook sluts. You know the type. They are the people who will "friend" anybody, anytime, no questions asked. Even with the added risks of exposure to viruses and spam messages, we all know somebody who has gone from 1 to 5,000 "friends," in a matter of weeks. It is notably ironic that at a time when we are witnessing a massive contraction in newspapers and other print media, there are people that, in a short time, increase their circulation from 1 to thousands. Some print newspapers would kill for that kind of a bump in circulation.

This is where it gets interesting. Do you have enough friends and subscribers to be considered a public figure? The fact is we can not know for sure because the law does not provide us with an exact number that is the trigger for transformation from private to public figure. You may be considered private, limited public, general purpose public depending on whether you thrust yourself or, are thrust into the public eye. Again from the Student Press Law Center:

Who is a Public Figure? There are two categories:

(1) General Purpose Public Figure: a "celebrity," whose pervasive fame or notoriety has made his or her name a "household word."

(2) Limited Purpose Public Figure: someone who has voluntarily assumed a leading role in a particular public controversy.

But even as a public figure you can still use the law to protect yourself right? Yes, but remember now you would have to prove the libelous behavior to a higher standard to be successful. Newspapers have published some pretty scandalous things about public figures, and then successfully defended the legal actions.

So you, or, your company, have to assess the situation. We do not know a specific number it takes to be considered a public figure or, a limited public figure. We know you may be considered a publisher. Do you now need to learn all the details and distinctions about General Purpose and Limited Purpose Public Figures, Public Officials, privileges, exceptions, and more, just to have fun or conduct business online with Social Media? It depends. What will you and your friends be publishing?

"ISSA: Emails Prove Holder Knew" and Other DRED Headlines

2011-10-06T12:03:00.000-07:00

Sometimes a headline can be a DRED story in and of itself. Today, while browsing the internet, I saw a headline that said "Issa: Emails Prove Holder Told About Fast And Furious." I could not help noticing how frequently we see those two words, emails and prove, together in a headline? By Googling "emails prove" it came up with 45,900 results. The list included story headlines with names like, Eric Holder, President Obama, Sarah Palin, Mark Zuckerberg and British Petroleum-and that was just on the first page of results. Do you still think it is acceptable to treat your email as non-records, non-information, and, nonchalantly?

By the way, Googling "emails faked" returned only 1,120 hits, and did not include any of the aforementioned names. Ironically, the only headline where the emails proved good behavior was in the case of Sarah Palin, whose emails were released after a blitzkrieg media campaign to reveal the real truth about her. So, perhaps you should reconsider your nonchalant approach? I mean, if we know "emails prove" is the presumption, wouldn't you prefer knowing what they prove, before your opposition does, and before any attention-grabbing headlines are published? In case you need further justification, here are a few links to some of my older posts on the subject of pro-actively managing your email:

E-Discovery-Shall we do it ourselves or outsource? The answer is, Yes

2011-09-28T11:21:00.000-07:00

Copyright © 2011 Cary J. Calderone

Sometimes customers and prospects can ask me difficult questions. The question on whether to in-source or outsource E-Discovery is an easy question. The answer is, Yes. There is no company, or law firm, no matter how large or small, that should do all or none of their E-Discovery themselves. Where should you draw the line between the two? Now, that is a more challenging question. Here are three factors to consider when deciding:

1) Your Potential Issues: There are many legal matters that can start small and then blossom into larger lawsuits. For example, the routine hiring and firing of employees goes on without worry, until a claim comes in. For many regular and routine items your hiring personnel and IT support should be trained to handle and secure electronic data in a defensible manner, when the need arises. As they run through the usual security checks, and other departing employee procedures, it does not take a much extra effort to secure the data so it could be authenticated for potential litigation. Bringing in an outside E-Discovery firm or law firm, for every routine employee departure would be overkill. On the other hand, even seasoned HR personnel know that sometimes routine terminations come back as big complicated lawsuits, so having a process in place that is legally defensible, is great insurance, even when you ultimately may hand off the matter to an outside firm. Also, when the matter is not routine and/or if your legal department has not already handled a particular type of case before, you may have to ask yourself, if your staff will even know what data is most critical? If you do not absolutely know the answer to that question, score another point for outsourcing.

2) The Experience Level of Your People: Will an outside vendor/firm be better than your knowledgeable staff? Sticking to the employee termination example, in many companies HR and IT positions are low turn-over. Often they have many years of experience and specific knowledge of your industry standards and data practices. Will an outside vendor be able to send in somebody who is already familiar with your issues? Doubtful. Your inside staff should be able to handle it. On the other hand, if the matter involves larger and more complicated legal issues, that might necessitate securing hundreds of gigabytes of different types of data, your staff could easily be overwhelmed. Will you over-collect or, under-collect data? In this instance, familiarity with the tools and techniques for large data sets are likely to be more critical to your E-Discovery success, than familiarity with your business practices. Plus, having an independent third party collecting potential evidence can make it more trustworthy and more likely the procedures will withstand legal scrutiny. Of course, your knowledgeable staff will need to work with the outside vendor to achieve the best results.

3) Your Budget: Doing it all yourself or never doing it yourself will waste money. There are great inexpensive E-Discovery tools available, if you do not already have a system that is set up to hold and collect data for E-Discovery purposes. For example, SharePoint 2010 and Exchange Server, as well as many other applications, have built-in features for E-Discovery purposes. However, when it comes to complicated and large volume matters, it is very unlikely your tools, hardware, and software, will be adequate. This is when an outside third-party firm can come to your rescue. Hiring outside managed services when your capacity is stretched, or, for only occasional "big litigation" matters will probably save you money. Infrequent litigation makes it difficult to justify the ROI on what might be a rather large investment in hardware, software, and staff training, just to be ready for the occasional big case.

In summary, there is no hard and fast rule for when to in-source or outsource. Each company must assess their own situation before making the decision. This article should make it rather obvious though, that if your decision to outsource E-Discovery is always, or never, you probably have not considered the correct factors.

Social Media Governance-5 Reasons New Technology Applications Are Better Than Email

2011-09-15T15:32:00.000-07:00

Copyright © 2011 Cary J. Calderone

DredLaw readers know I have mentioned the trend towards using "New Technology" like social media and social enterprise applications, in business. Rypple and Yammer were developed for business use and even Twitter, Facebook, LinkedIn, and Google Plus, are a common consideration for any company looking to market on the internet. Companies are using social style Wikis to manage internal projects. To be sure, I have warned readers about the need to have policies and procedures as a safeguard so their companies can use these New Technology applications in accordance with good data management and DRED practices. But, this post will focus on some of the positives and comparative benefits of using these newer applications. Yes, there are still potential pitfalls to social applications in business. However, when compared to old email policies and practices, social-style applications have the potential to be a tremendous improvement to your organization's computer communications practices, and here are 5 reasons why:

1) Tighter organization: Email is a communication vehicle that is frequently organized apart from its subject-i.e., whether the subject is a web page, a PowerPoint presentation, or a video clip, or a picture, email is kept with emails, and the other documents are stored someplace else. If you do not constantly attach the latest version of the "subject" document, or at least a link to the latest version, the email may be ineffective. In social-style applications, the comments can attach directly to the subject matter. This is so whether it is a document for editing, a video clip for viewing, or a whole host of other types of electronic information.

2) Enhances collaboration: Email that contains its subject as an attachment is inefficient. When three people start editing a document, nobody is working on the same version. How fun is it to get 3 or more versions back and have to resolve the changes and suggestions? Some are duplicates and some conflict other's changes. How does that help move the document to final version? With social collaboration applications, you work on the same version even at the same time.

3) Smaller carbon footprint: Email volume grows much too quickly. Did you get the cc? Did you get the bcc? Will you send me a confirmation? Every time you get an email with 10 ccs, that indicates that at least 10 times the amount of information is stored-and even worse if there is a large attachment with the email. Social collaboration applications avoid the need to cc. People just look at the project thread and see related comments, one after the other. Again, this is much more efficient than sending out ccs, which at some companies are so excessive, they are automatically and routinely ignored. This factor alone could justify the move to New Technology social-style applications.

4) Just the facts, please: When you want to search for project information you'll find your Inbox includes calendar dates and meeting requests that involve the subject, but not in a substantive way. Why should you keep or need to search through calendar or other unrelated information in your inbox, when you are searching for information about a certain project? Answer- you shouldn't.

5) Social is better even if you organize your email: For those who read #4 and thought it did not apply to them because they organize email into project folders, please remember that email can discuss multiple topics. Do you have to keep a copy of the same email in 4 different folders? Do you set one or multiple deletion dates for that email? Once again, social applications generally promote short, to the point comments, under one specific project heading. Moreover, down the road, when it is time to delete all information about that certain project, the entire data set can be deleted at once. This should include all the video clips, pictures, and comments too. That is much more efficient and effective than searching your email repository, your Word documents, your Excel Spreadsheets, etc. etc.

I'll bet that while reading this list you thought of some advantages New Technology social applications would have over your email practices at your business. On balance, one of the challenges of DRED and Information Governance is trying to create a set of best practice rules to manage a wide range of applications, data types, and formats. Social-style business can be scary at first, but it can also make it so all the communication, editing, explanatory materials, and supporting data, are viewed and reviewed in the same place. That works much better than plain old email.

eDiscovery Retreat-Laura Zubulake-Lessons from THE plaintiff

2011-08-01T13:05:00.000-07:00

by Cary J. Calderone

One highlight at the Carmel eDiscovery Retreat, was hearing from THE plaintiff Laura Zubulake. Zubulake v. UBS Warburg LLC., 217 F.R.D. 309(S.D.N.Y. 2003) is a seminal case and is the foundation for many other discovery decisions and even modifications to discovery procedure rules. Rules were modified so they could be better applied to electronic media and computers. Now I have to admit, I was like many attorneys who assumed that some very smart lawyers had recognized the value in searching defendant UBS's emails for evidence of wrongdoing. But, that is not how it happened. Laura was actually the one who insisted her attorneys demand production of emails because she KNEW the defendant had not done a reasonable job in producing the relevant materials in their possession or control. The end result? A $29.2 million dollar jury verdict in her favor. As Laura noted, Electronically Stored Information (ESI) and email in particular, is "like DNA evidence for trials!"

Her talk began with this simple observation-"Sometimes lawyers should listen to their client." And, to reword this lesson for defending counsel-when the plaintiff is a former employee, who routinely received and sent 200 emails a day on the job, and the time frame for the case spans years, producing only 100 "relevant" emails, is not going to suffice. The Zubulake case was written by Magistrate Judge Shira Scheindlin and is known for its discovery rulings and underlying guidelines to determine when ESI data might be considered inaccessible and when it might still be necessary to preserve and/or produce it. The case is a must read for anyone wanting to learn about a whole host of other "basic tenets" for determining "reasonable behavior" for handling ESI in advance of a potential legal matter. Legal scholars and courtrooms, have been discussing and debating the case since it was first published.

What was most surprising to me was to hear Laura describe how difficult it was for her to convince her own lawyers that they needed to press for more email evidence. The demands for production started in 2002 and it was not until 2004, that the bulk of the emails were finally produced. Her persistence did pay off however, as she ultimately won a huge verdict. I can't help but wonder how many attorneys still believe that printing out a few relevant emails is a solid eDiscovery strategy?

Laura described 2001 as the technology dark ages. (I had to laugh as I had just recently learned of a law firm that finally upgraded from Groupwise to MS Exchange for email. Whoa. Cutting edge technology!) It seems I am not alone in noticing that lawyers seldom move quickly to adopt or understand new technology. Part of the problem is they do not ever want to be on the bleeding edge of new technology and discover that a new technology is not reliable. While this is a valid reason for being cautious, there are far too many lawyers who believe, "if it aint broke, don't fix it." Meaning, why pay money for computer technology that can turn 5 hours of billable work into only 1 hour? Well, eventually the client figures it out. That's why. Or, you end up being the only one in court who does not understand the difference between an email, and an email attachment?(another of my real-world examples)

She made another great point regarding the lack of understanding of technology. She knew of some colleagues who had tried to protect emails from disclosure under the attorney-client communication privilege, even though there were no attorneys involved in the email chain! I once again was nodding my head in agreement. I have had more than one worker confide to me the they thought their boss marked everything as "Confidential" so they would not have to produce it in a legal proceeding. That is LOL funny. I bet the Judge will be smiling too as they calculate the appropriate sanction. As Judge Peck quipped during his keynote, "we Judges love being lied to." :)

Laura spoke for an hour, and made one great observation after another. My favorite was this: “eDiscovery is about going to trial and too many consultants and lawyers have never gone to trial." She noted that, since the Zubulake case, an entire new cottage industry has sprung up around litigation preparedness, and early case assessment. "But, there is still a lot of bad advice!" I wanted to give her a standing ovation. Readers of this blog know about some of my past frustrations when trying to guide clients away from sales-puffing claims and "best-practices" extolled by inexperienced consultants, who just recently started dabbling in the legal consulting arena. Wonder what she would have thought about the sincere confession to me by one technology consultant that "he really started to understand just how particular the judges can be, when he went through his divorce!" Yep, that ought to be plenty of legal background to help a company design a reliable eDiscovery plan...ugh. Laura Zubulake too, was frustrated with consultants who did not understand how discovery battles are fought and won, and how ultimately, they can determine the outcome of the case.

In conclusion, I was reminded of my old post from 2008, "Federal Court for Discovery? Be a Boy Scout." The lessons she described, about discovery and reasonable behavior, do not change even though the technology does. So, if you want to be safe, be prepared, and avoid sanctions today, you had better act reasonably in light of the current technology and techniques available. Keep up!

Finally, Laura has written a soon-to-be-released book about her experiences as THE plaintiff, and I will definitely be reading it. If it is half as interesting and illuminating as her talk, it will be well worthwhile. Perhaps you should read it too.

Carmel Valley eDiscovery Retreat-Great debut!

2011-07-21T11:12:00.000-07:00

Nearby Asilomar Beach

When Chris La Cour invited me to attend the inaugural Carmel Valley eDiscovery Retreat I was a little hesitant to accept. I have attended many legal technology, legal education, and eDiscovery shows, both as a speaker and blogger, so I expected an inaugural event to be, well, not very good. I was wrong. This event ran as smoothly as any conference I have ever attended. The panels of legal and judicial speakers were top notch, up to date, and the setting was spectacular. There were no problems with audio, acoustics, or scheduling. The event was well-attended but there was ample comfortable seating and spacious meeting areas to interact with other attendees. I am not alone in my praise. I heard quite a few other attendees lauding the venue and agenda. Some of the speakers really shared some valuable eDiscovery lessons. Here are just a few of the comments:

Laura Zubulake (the most famous eDiscovery plaintiff)-To attorneys wondering what ESI information to request from defendants- "Ask the plaintiff. They know what information is there!"
Magistrate Judge Andrew J. Peck-"Sometimes, when you look closely at the gold standard for review, there isn't much gold."
Magistrate Judge Elizabeth Laporte-"The Cooperation Proclamation is important. The system cannot function without more cooperation."
Kimbur Tate (McKesson)-"Sometimes when rolling out a new policy, it is best not to call it a policy."
Laura Zubulake-"As a plaintiff, she would have loved to receive inadvertently produced privileged material."
Anthony Knappen (Chevron)-"Hold-in-place can work if you have a process and you have the legal team follow-up."

I will post more about some of the specific sessions soon.

Facebook is now totally Ryppled! And, what that may mean for future eDiscovery

2011-06-22T10:49:00.000-07:00

Copyright 2011 Cary J. Calderone

A few weeks after commenting on Facebook's latest big lawsuit and the email evidence involved, I mentioned how a product like Rypple, may effect a company's data retention practices (link to post). Now that Facebook has announced they are using Rypple, I cannot help but wonder how future discovery requests in a lawsuit may have to differentiate between a "Like" designation and a "Thumbs Up" or, a Smiley Face? You can just imagine a cross-examination in court: "Isn't it true Mr. Boss, on this project you gave the former Disgruntled Employee, not one, but TWO Smiley Faces and a Thumbs Up!!!" "Let's bring up the digital display so the jury can see the Smiley Faces." Will the evidence of Smiley Faces be in native or some other format? Do we care? We should, and here's why.

Screenshot of Rypple

Gamification of work practices and procedures is gaining traction. One of the main selling points to Rypple is that better feedback will make for more productive employee/manager relationships and ultimately, lead to fewer disgruntled employees and more productive and collaborative work relationships. Win win we hope. At the same time, we lawyers can always anticipate the potential for a problem with an employee. So, what kind of Legal Hold and Collection challenges will you have if you are using any "gamification" tools? Is it time to be proactive and revisit your Computer Usage Policies and Retention practices? Definitely! On the bright side, if you do the work now, then maybe one day, after you contact your attorney for a potential legal matter, you'll be rewarded with a big Smiley Face... :)

The ROI of eDiscovery? Why not just calculate the ROI of a good night's sleep

2011-06-17T15:16:00.000-07:00

I have seen so many articles that attempt to sell the purchase of large eDiscovery tools with a Return On Investment analysis. The resulting magic formula always shows just how much money a customer can save in an average legal matter. And yet the ROI cannot be very compelling. With the exception of one General Counsel of an international enterprise software provider (kudos Kim), I have never been hired by a company that had not already been “tagged” in a litigation matter for big bucks. And, by tagged, I mean that they were sanctioned for discovery failures or, they realized they could not collect their data to mount a defense and had to settle the case. So, my argument is, it may be more effective and productive to calculate the ROI of a good night's sleep. Let me explain.

The ROI for eDiscovery all have some formula for calculating the average number of gigabytes of data that is collected and reviewed in the average case. Then they chart them against costs of in-house legal, outside counsel, and/or third party processors. They may also scare you with the potential for million dollar discovery sanctions. The ROI analysis for Records and Information Management are frequently less exact. These studies attmept to examine and quantify the average cost of the time that somebody spends searching for information before and after RIM enhancements. I sincerely believe these studies are not wrong. However, they may be too abstract and nebulous to be compelling.

Similarly, the ROI analysis of sleep has shortcomings. What is an extra hour of good sleep worth to you? Most studies show sleep is valuable for clarity of thinking, health, and productivity. But, do we know how much sleep is optimal for everybody everyday? The same unknowns exist for eDiscovery and litigation matters. What costs can you really save? Is it the same for big cases and small cases? And for routine cases or exceptions? If you are a big company or a small-sized one? Lots of litigation or almost none? We don't really understand in a compelling fashion because there are too many unknown variables. And yet, there is real value to knowing that no matter what type of case comes your way, you are prepared to respond quickly and effectively. Knowing that the tools and policies you have employed provide your company with a more organized and productive way to use your computer data, and find it when you need it for eDiscovery, is extremely valuable. And this is true regardless of whether an actual ROI can be formulated.

I recently was complimented by a client who had to test their eDiscovery process with a real matter. They were very happy because they had tools, training and checklists to help prepare them and guide them through the process. The result was that a stressful situation was less stressful. What is the ROI on that? Ultimately, it may just mean your General Counsel, CEO, CFO, CTO, and employees sleep better at night...

Social Network Applications Coming To Your Business-Will there be a Rypple effect?

2011-04-26T11:12:00.000-07:00

Here's a scoop. Companies like Rypple are making “Facebook-style” applications to be used in your business. The Wall Street Journal Digital Edition has an excellent article by Dr. Terri Griffith on this phenomenon. ( full article) With over 600 million users on Facebook and LinkedIn combined, people around the globe now understand the power of status updates, and sharing comments, pictures, and videos, instantly online. Social business applications use an underlying philosophy of open and easy information exchange and are applying it to personnel matters, project management, and collaborative learning and team innovation. I mentioned these new social-style tools recently in a DRED meeting with a CEO, a corporate counsel, and 3 department managers who were in charge of data compliance, and the response was unanimous...”UGH!” How could they possibly manage all this data? But it doesn't have to be so bad and in fact, if implemented properly, these social business tools may actually improve the way your company manages your electronically stored information.

It was great to see Dr. Terri Griffith's article in the Wall Street Journal digital edition, and not just because she has referenced this blog in past writings. The transformation of personal home technology toys into business tools at the office is not new. Noticed any iPhones at work lately? It may have begun as the favorite toy for uber-geeks but it, and similarly, Android smart phones, have made their way into the office as business productivity tools, often replacing the old standard tool, the Blackberry.

There are legitimate concerns to social business. What about your DRED practices? Does anyone understand how these applications will work with data retention policies and electronic discovery? How will they be backed up or locked down for a legal hold? Is it worthwhile to re-work retention and computer policies to allow social business? Is social business even a legitimate business tool?

While some may argue that these social business applications are too simple to afford any real help at the office, I disagree. Historically, more technology has failed in business because user-adoption never grew due to the software being too complex and difficult to use. As Dr. Griffith reported, "about half of company knowledge-management initiatives stagnate or fail." Simple tools that actually work are adopted at a higher rate and therefore, can lead to a much better increase in productivity. This is especially true when compared to those elaborate tools that were never rolled out and are sitting on the shelf collecting dust.

When you begin reviewing social business tools, you will notice that the user interfaces are very straightforward and easy to learn. Consider Facebook. There are many grandparents and parents, with little or no computer experience, now enjoying communicating with their families and friends on Facebook. Even computer newbies can snap a picture on their phone, and click the button to “share.” Simple works, but it can be very productive too.

Back to the office. Imagine being able to review a marketing campaign that includes a web page, a video, pictures, and maybe some sound bites, all on one web page in an application? Pretty neat. And, it is far more efficient then having to download separate email attachments to your computer and open them with separate programs to view them. Plus, co-workers can post their comments right there, under the picture or video. No longer will you have to review the comments buried in tens of emails from 6 co-workers, all desiring to share their thoughts. Sure sounds like a productivity tool now, doesn't it?

There will be challenges to “social business.” Open communications with peers will need to be balanced against security, privacy, and privilege concerns. You will need well crafted and thoughtful user policies. But, there are definite advantages in the design of many social business networking applications that will make adhering to a corporate data retention policy ultimately easier and more effective, than with many of those other "old-school" technologies, like email...

Need More Justification to Update Your Data Retention Policies? Here are a few benefits, on the side...

2011-04-20T12:52:00.000-07:00

An article on today's San Francisco Chronicle's website, SFGate.com, covers a computer mishap with the Division of Emergency Services. When their main computer system lost internet connectivity this past New Years, they discovered they could not switch over to a backup system because...(drum roll please)...no one had the password to get in. Only one person knew the password, and they were not on duty! Now why is this related to DREDLaw? Because in every company, as a part of the usual DREDLaw Assessment process, we have uncovered problems and potential problems related to Information Management and Governance.

Frequently, these were not obvious issues with DRED, but rather, they were jaw-dropping surprises to the clients. For example, I uncovered an instance of only one person knowing critical passwords, just by asking some of my standard interview questions to a department manager? In organizations, large and small, some information is more guarded, more remote, or maybe just seldom accessed. Without understanding who uses the resources and why, similar data traps can remain hidden, until it is too late. The solution may be simple. Redundancy can work just as well for people, as it does for computers.

Here are a few other "benefits on the side" that may be uncovered when you undergo an Assessment:

PST files that store business information off the network, where it is not backed-up
PST and other locally stored files that do not get searched for Legal Holds
Self-designed backup systems or workers who keep "everything" on a flash drive in their pocket
Search tools used by some employees, but not others
A separate hidden email server kept by a department (not making this up)
Instant Messaging records of communications with outside vendors or customers
Multiple copies of Records kept by many departments
No copies of important Records being kept because everyone thought another department was supposed to keep them
Personal copies of non-company authorized software applications-Yes, World of Warcraft can slow down a network...

So, just in case the obvious benefits of a better Information Management program are not enough motivation to persuade those who control the budget, maybe the above "benefits on the side," will help.

Did You Keep or Delete Those Emails? Mark Zuckerberg of Facebook has to be wondering

2011-04-12T13:58:00.000-07:00

Very interesting new allegations in a lawsuit against Mark Zuckerberg, the founder (or at least a founder) of Facebook. (article here) Allegedly, new emails introduced show that Paul Ceglia may have been promised 50% ownership of Facebook. The emails being introduced as new evidence are from 2003. Could you defend or prove a claim from that many years ago? Not sure? Well, then my suggestion would be to avoid taking the approach that email can just be deleted quickly. In fact, quit thinking of email as simply email. IF you have not already done so, it is time to realize that your email may be a contract, a modification, or some other written legal instrument.

In the past, I worked with a few "consultants" purporting to provide "Best Practices" in this area and I used to argue vehemently against their approach. They liked to give simple answers to their clients and frequently guided them towards policies where they would delete/destroy all email after a set period of time, one year, 18 months, or 3 years. This was to avoid having to manage it according to a record retention schedule or, having to consider it as potential relevant information for a potential future lawsuit. These "consultants" really did not understand the law, but that did not stop them from offering "litigation readiness services."

Previous blog posts here (search Skupsky) discuss why it is not a "Best Practice" to simply consider all email, as email. It is arguably the main written correspondence method utilized today. Accordingly, any policy covering email usage and retention should be reviewed and set in light of your legal and business requirements and based on the content that might be contained in the email. This can be tricky. So, if you need help with this, get some. Even when not mandated by laws or regulations, like Sarbanes-Oxley, there are still rules that may apply to your emails.

What Arnold Palmer and Jack Nicklaus Can Teach Us About eDiscovery

2011-04-07T09:09:00.000-07:00

by Cary J. Calderone

It's Masters week. As every golf fan knows, it is the first major tournament of the year and for even the casual golfer, a reason to watch some golf on television and daydream about hitting the links soon. As I watched Arnold Palmer and Jack Nicklaus hit the ceremonial "first tee shots" to start the tournament I recognized a golden opporunity to push for you and your organization to improve your company, and specifically, your eDiscovery response capabilities. The inspiration came to me when I realized that the pre-shot routines of these two golf legends were the same as when I watched them as a young child about forty years ago. Can thinking about this really help you promote better DRED in your organization? Absolutely! And here is why.

Every accomplished golfer has a pre-shot routine, a certain way of getting ready and focused to hit a shot. It can involve a thought process, breathing routine, and even physical motions like, hitching up their pants, touching their glove, or taking the same number of practice swings while visualizing the shot they want to hit. This goes on before they step in and take their stance to hit their shot. Every shot! And while every golfer's pre-shot routine, just like their swing, is unique, they all have one. It is universal. They even practice their pre-shot routine so when the pressure is on, like at the Master's Tournament, they can rely on their pre-shot routine to get them focused to perform, even for a ceremonial tee shot in front of millions of viewers.

This is a fantastic way to think about your eDiscovery policies and procedures. Too many companies fail to prepare to hit the shot. Do you have a litigation response team ready? Do you have eDiscovery policies and procedures in place? When they pressure is on, can you flip the switch and feel confident that your team knows what to do and how to do it? My favorite part of my legal and consulting business is working with smart people who are being proactive and getting ready for that potential but inevitable legal crisis. But this has also been the source of much aggravation because as Peter Keane, one of my old Law Professors reminded me, "Cary, people are not pro-active." True. But learning about your electronically stored information and email systems and your eDiscovery responsibilities on the fly is not the best approach. It will be stressful, difficult and possibly very expensive to "deal with it" when the lawsuit has already been served. Does this describe you and your company? Are you prepared? When it comes to eDiscovery and litigation preparedness, look to Mr. Palmer and Mr. Nicklaus or, any of the other amazing golfers you notice on television, and get yourself a pre-shot routine too.

Who are you talking to? Who's your geek....

2011-04-04T23:45:00.000-07:00

by Cary J. Calderone

For this post, we will once again look at differences between attorneys and IT people and describe those times when a technology consultant might be more help than your lawyer. As DredLaw readers have learned, on legal points, your lawyer is the final word. But, when it comes to organizing and managing your computer data, is your legal department or law firm the best source of advice? Although I have a unique background with both law and technology experience, most lawyers do not. As one frustrated attorney told me, "They do not teach computers in law school." At a recent Legal Roundtable a speaker started to rave about a "new" product, Index Engines, (covered here) that could really help pull relevant e-discovery from backup tapes, without having to restore the entire tape. Sounds great but, "new?" I mentioned it on this blog in the summer...of 2008, almost 3 years ago. It is not even "newish" technology. When I mentioned this to the speaker he claimed, "It is new technology to this crowd."

Attorneys and law firms are trying to learn more about technology quickly so they can help their clients be litigation ready, or, better respond, once litigation has started. However, there have been quite a few problems because in far too many cases, lawyers do not know what they do not know. Smart litigators routinely digest very massive amounts of law and facts to prepare for trial. Sometimes they do so in only a few weeks and by the time they are in front of a judge and/or jury, they sound like life-long experts. However, technology, and the language around technology, is more like learning to speak a foreign language, and you simply cannot become fluent in a matter of a few weeks.

In my work, I seldom come across attorneys who are geeky enough to understand most corporate IT structures and data flow. So how are they supposed to understand what to ask about your data? How can they give you best practices to stay prepared? There is a reason there are so many eDiscovery companies assisting as go-betweens for the law firm and litigants. And, this trend is probably not going to change, no matter how many companies consider moving eDiscovery in-house, or law firms evaluate the potential profits by providing the service themselves.

At the same time, there is a still a need for every attorney to learn enough to handle some small-case basic eDiscovery principles, even if they do not require learning it in law school...yet!

The Hype About Cloud Computing is Wrong! John Hagel Explains Waves of Disruption at Cloud Connect

2011-03-10T14:49:00.000-08:00

by Cary J. Calderone

This week was my first time visiting the Cloud Connect event in Silicon Valley. The event offered a great selection of tracks and speakers. Some speakers came from established companies that are trying to be leaders in the Cloud (Microsoft, Amazon), and others came from new Cloud companies. Opinions and projections were delivered in a variety of formats. For example, unlike typical single-speaker Keynotes, Tuesday included 10 different speakers, most of whom gave quick 10-minute presentations. The Wednesday Cloud Industry Summit presentation by John Hagel (another bio), one of the most respected technology thought leaders in the history of Silicon Valley, had no PowerPoint slides, and lasted only 20 minutes. But that was plenty of time for Mr. Hagel to explain the disruptive nature of the Cloud and to make his most important point. He believes the current "hype" about the Cloud is wrong. "We have underestimated the impact!"

In this short talk he outlined a condensed or, "CliffsNotes" version of his full working paper, "Cloud Computing, Storms on the Horizon." In brief, Hagel presented three ways the Cloud is disrupting business:

Economies of Innovation
Economies of Growth
Enterprise Economics

The Economies of Innovation are now different with the Cloud. Instead of the old innovation model, with large up front costs and long lead times (while still facing the ultimate question, "will it work?"), the new Cloud model provides companies with the potential to innovate with much lower costs. The infrastructure is already in the Cloud, and with the "pay per use" model, it is less expensive to get started, to test, and ultimately, to expand. New innovations can be tested faster, cheaper, and even in parallel.

Once you find a new idea that works, the Economies of Growth allows you to adopt it and scale it up faster and easier than ever before. A big strength of the Cloud is that it provides virtually unlimited capacity for expansion. You do not have to build data centers and expand network bandwidth to keep up, it is already there and available. You simply add users. Hagel gave examples of companies, like Rearden Commerce, Inc., that have used the Cloud, and specifically the Cloud's incredible computing power, to combine service offerings, that in the past, could not have been cost-effectively combined. Under the old model, frequently there was insufficient overlap and revenue potential to justify the extra cost and resources necessary to bring in content and features from disparate systems. In the case of Rearden, it provides a Personal Assistant feature that gives location-based information for airlines, hotels, restaurant, car service, parking, meetings, and communications channels, all on your smartphone. It does the work of aggregating the information from unconnected sites, collects and filters it with your specific needs and preferences, and delivers it to you.

Third, the Cloud provides an Enterprise Economics advantage. An enterprise can pull apart its business units and can better focus and redistribute resources. In regulated industries, like Finance and Healthcare, they can rely on Clouds with service grids that meet the pre-determined standards for data control. This frees the business to focus their resources in other ways, and, with perhaps, more and better innovation to their service offerings.

Mr. Hagel did briefly cover a fourth, and the most obvious disruption, the restructuring of the IT industry. This disruption brings about lower costs and different ways in which IT services can and will be delivered. It is the main reason that every corporate CIO is currently considering Cloud offerings.

How can this affect your DRED projects? How may the Cloud disrupt data retention and information management? We could and should see a fundamental change. Instead of having to organize and manage data for a particular sector, like the Health Industry, and then considering the Cloud as a place to store the data, we may end up simply moving it to a Health Cloud Data provider. Ideally, the data will be safely stored according to the rules and there will be infinitely more network, storage, and processing capabilities available to crunch the data. This Cloud-enabled capability to use and protect the data will far exceed that of any one individual company, especially if you are a small or mid-sized one.

On balance, my blog post of Mr. Hagel's condensed talk does not do it justice. I urge you to read the full working paper (available here). The disruptions are explained in much better detail. In comparing this talk synopsis to the complete paper, I believe my description of a "CliffsNotes" version above, was spot on.

Hagel's last bit of advice was to Cloud providers and all C-level executives. You need to talk. The Cloud offerings and potential for innovation have to be reviewed by all the executives, and not just the CIO. The Cloud economies mean most businesses cannot just continue with "business as usual." You either disrupt, or you will be disrupted.

Location and Privacy. Say what you do and do what you say

2011-02-21T10:24:00.000-08:00

by Cary J. Calderone

I had the pleasure of attending an event sponsored by the Churchill Club on Location and Privacy, Where Are We Headed? The panel members (listed below) represented a diverse group of very knowledgeable people connected to privacy law. They ranged from attorneys and privacy officers working for location based social networking companies, to a representative from the FTC concerned with regulating the players. After listening to the very interesting discussion can I provide a quick summary of the law for you? Not really. This is because the law is in flux and not very settled. Here is a video of part of the discussion on finding a balance between usefulness and safety.
Even the FTC has requested comments on its Proposed Framework for Businesses and Policymakers because they realize they may need more information to determine how technology can help or hurt their efforts to inform and protect consumers. With constant innovations to location-based technology, it will be even more challenging, but there are things you can do to be better prepared.

In trying to protect consumers, the policymakers and players are constantly struggling to "get it right." It is akin to the challenge of Goldilocks and the Three Bears; is the porridge too hot, too cold, or just right? There is value to information collected around a consumer's location, but how dangerous might it be? What about those who happen to be with the person who is posting pictures and checking in? The "second-hand smoke" of privacy? What about the risk faced by a potential criminal enterprise posing as a legitimate player in this space? Now let's compound this challenge by the Catch 22 that the policymakers face. The FTC has required more and more complete disclosure from companies whose websites collect information, but what are the odds the consumer will understand the disclosure, and be able to make an informed consent? This is a daunting challenge. We lawyers are trained to be specific and thorough when we write. But, easy for consumers to understand? Not so much.

The only downside of having a panel that is so well-informed and focused on the tricky details is that they did not mention a more mundane problem in this area. I know first hand that many of the decision-makers at technology startups, do not understand even the basics of privacy law. They do not know what information they want, need, or should avoid. For example, when helping one company create a privacy policy, the client kept insisting I select, "what everyone else is doing," and give them a "standard" privacy policy for their website. This is an area where there is no "cookie-cutter" solution and yet many companies only know they need a privacy policy. So, they publish one that "sounds good," even without understanding their new legal obligations. A good privacy policy depends on many factors like the business model, the targeted consumer, available technology, and their risk tolerance. Moreover, if the policy is not audited, there is a very strong likelihood that new technology will soon enable their website to track and collect data that has yet to be considered. The designer says, "now we can collect this information" and "do you want it?" They usually say "yes" without the slightest consideration that their new tool has potentially exceeded their stated privacy policy and they may be out of compliance and at risk. On balance, educating businesses will be just as important a goal and outcome of the FTC Framework, as is educating consumers.

A related, and critical potential problem was illuminated by Laura Berger. She explained that she had been asked to review a privacy policy and determine whether it was acceptable. Unfortunately, she cannot judge whether it is acceptable, unless and until she determines that the company is actually following their privacy policy. It is a two-step process. This is a theme that is common with DRED and other compliance projects. Policies can be well-reasoned, well-written and well-intended, but if nobody follows them? They will not help you!

The panel touched on another important issue that is caused by the fact that the location-based technology is evolving so quickly. Definitions have to be specific and yet open to future innovations in technology. For example, a company's policy may collect location based GPS information from a person who is aware of it. But what about recognizing that whenever somebody logs in from a computer, the header information and meta-data probably reveals more about the user's whereabouts than the user would ever believe? Does consenting to an obvious location based technology also include the less obvious technology utilized in the background? Or, what about the facial recognition capabilities that can find pictures of you in the background of pictures posted by complete strangers? And the pictures may be geographically tagged, letting people know where you were on a certain date and time? Call in sick and head to a ball game? Not a good idea if your friend decides to memorialize your outing with status updates and pictures. Or, it may be that stranger sitting in front of you with a camera phone who likes to post pictures? Or, how about the fact that your Smart Phone will send an email through a cell tower or Wi-Fi network that is at the ball park, and not your home or office? That too can be tracked! It really can start to sound scary. What information should remain private?

There were quite a few other interesting questions debated by the panel:

Will there be a "do not track" list similar to the "do not call" registry?
If you block all collection of data, do you effectively kill the value of the user's web experience?
Where is the line? How can people have access and still be protected?

The panel also weighed in with their 5 year predictions:

Laura Berger - There will be some established uniformity and consumer understanding of what happens to their data.

Jim Dempsey - We will have a Federal baseline privacy law with flexibility to support innovation (FTC and Commerce Dept. reports) because location technology is here to stay.

Brian Knapp - Business opportunities will abound like Virgin Airlines when it opened up routes to Cancun with a "Flash bomb" award of a companion ticket. Hugely successful.

Brendon Lynch - Wow we will look back and think we were naive. There will be RFD tags and ID addresses, or both, on everything! There will be a self-regulatory model that is tested, trusted and works.

Owen Tripp - 1) The company that wins in the next few years will have a better privacy model and use it as their competitive advantage 2) There will be a very large privacy company to manage these choices for consumers (multiple players).

For a blogger who has attended far too many legal seminars where the materials and the speakers can be rather dry, this was an especially enjoyable event. The area is new and exciting and the speakers were passionate and entertaining. I will look for more DRED related topics at the Churchill Club and keep you posted.

Laura Berger, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
Jim Dempsey, Vice President for Public Policy, Center for Democracy & Technology
Brian Knapp, Chief Operating Officer, Loopt
Brendon Lynch, Chief Privacy Officer, Microsoft
Owen Tripp, Chief Operating Officer, Reputation.com
Moderator: Melissa Parrish, Research Analyst, Forrester Research

Legal Tech 2011: An Overview

2011-02-09T10:37:00.000-08:00

by Cary J. Calderone

I am tempted to summarize this show and call it, "the year of the canceled flight." Having to return from an airport because your flight has been canceled due to snow is an inconvenience anyone who travels hates. Having it happen twice during the same business trip? Priceless! I cannot blame my bad luck with snowstorms on Legal Tech, but I will add another big plus in the pros column for attending Virtual Legal Tech and those conferences that are closer to home, like Legal Tech West. In spite of my bad luck with travel the show did not seem to suffer an attendance drop and had quite a few interesting items. Here are a few:

Interesting panels

Proactive Information Governance to Reduce the Pain of eDiscovery

A Game Show: Top Concerns of the General Counsel
Cloud, SharePoint and Social Media: Discovery on the Next Data Frontier
Toys and Tools: How the Latest Technology is Changing How Lawyers Lawyer
Plenary Session: A View from the Bench

In future posts I will share details of some of the great lessons taught during these panels.

Product Shouts
Autonomy-After spending 30 minutes looking at updates to the product I walked away more impressed than ever and I believe I understand one of the main reasons they have been selling so well. There is almost always a trade-off with software. Either you get powerful and feature-rich or, you get easy to use. This product is an end-to-end eDiscovery solution and yet it feels as though anybody with a basic understanding of what they want to do, and 5 minutes to learn some basic things, can use it and be productive. The User Interface (UI) is incredibly straight-forward and easy to follow. It puts a lot of information in front of a General Counsel, or legal assistant, and gives them a fantastic way to perform early case assessments or other parts of the EDRM.
The other product that impressed me was Bloomberg Vault. They have data management and retention functionality built in to their cloud solution. This kind of functionality was an afterthought with many cloud providers who just offered space and perhaps an email application. It never made any sense to me that so many Cloud providers offered storage or applications without much, if any, additional data management capabilities or compliance tools. It seems like a big plus to help justify moving your data to the clouds. As a newcomer to this space, they are using their background in the highly regulated financial arena, and the extra attention to staying compliant by managing electronic information, and offer this same capability to non-financial customers. I like what they say:

Bloomberg Vault features for e-discovery, records retention, and legal hold allow companies to manage retention with customized policies, as well as support e-discovery processes quickly and cost-effectively. They also ensure a traceable chain-of-custody, and help avoid inadvertent deletion of potentially responsive data."

My Favorite Keynote
Michael Rogers-A Look at the Law: 2020: A Radical Perspective on how Technology will Shape the Legal Industry 10 years from Now. Will you be Ready? Just like in 2010, where I went in wondering if futurist Malcolm Gladwell would make any critical observations on the law and technology, and was amazed, I was very happy I attended the Michael Rogers talk. Hint, hint-look at how WebMD.com and other health web portals have changed medical diagnosis and understanding. Social knowledge transfer will play a significant role in the legal profession.

My last comment is that if you did not attend, you would not believe just how much "eDiscovery" dominated at Legal Tech. A quick review of the exhibitors and panel sessions should leave no doubt that eDiscovery is what people think is important. The market has spoken and the vendors have responded. There were more eDiscovery service and product vendors than any other and by a wide margin. This is good news for you and your DRED projects as the products have matured and there is a much better understanding of how to be prepared for litigation in this age of electronic data. The downside is that I don't get to see as many new and interesting products.

More Legal Tech 2011 posts to follow...

Up In the Cloud and the Risk from the Other Guy's Mistakes

2011-01-19T11:45:00.000-08:00

by Cary J. Calderone

Today I listened to Dr.Herbert Thompson speak about Security and Privacy Issues in the Cloud and one of his points really hit home. One of the factors to consider when weighing your move to the Cloud is the data security on your network versus the data security of your Cloud provider. Frequently, the Cloud provider's dedicated team and latest technology will be much better than anything your company could afford to employ. However, there is another real security threat to your Cloud computing. What about the other guy? If another Cloudy in your Cloud gets hacked, can it affect your service? Yes, and here is why.

In prior posts, we discussed potential slowdowns that occur when your fellow Cloudys over-burden your Cloud. I have witnessed Cloud slowdown first-hand simply because the Cloud provider was uploading the data for a new customer. Now, what if that new customer gets hacked with something like a DOS (denial of service) attack? In a DOS attack a virus causes the network server to keep cycling on the virus-chosen activities, like sending and receiving fake emails. The virus replicates and grows and continues the process until the server slows down and/or crashes. In the past, when another company got hacked, it probably did not affect your company network. However, if the unfortunate hack victim is on your Cloud, it may very well affect you and your network.

This is great example of a not-so-obvious risk to consider when selecting a provider for your move to the Cloud. Do they have provisioning controls? Do they have bandwidth vulnerability? In short, can they protect you from the other guy's mistakes?

Judge Richard A. Kramer comments on the California Electronic Discovery Act, one year later

2010-12-21T09:27:00.000-08:00

by Cary J. Calderone

This blog covered the California Electronic Discovery Act (CEDA) when it was signed into law, more than a year ago. Now that a fair amount of time has passed, we may wonder whether it has helped, hurt, or had any effect at all on discovery proceedings and litigation in California state courts? To find the answer, I went to the Honorable Richard A. Kramer to ask his opinion. Judge Kramer's department handles Complex Litigation for the Superior Court and he is nationally known for his rulings on same-sex marriage. However, I selected him for this piece because I had the pleasure of listening to Judge Kramer speak about electronic discovery and in particular, his practice of requiring litigants in his courtroom to agree to a “bring your geek to court day.” He is one of the most knowledgeable judges on the current issues surrounding electronic discovery and this makes him one of the very best sources for follow-up comments on the CEDA. After 3 weeks of pleasant, yet persistent pestering, the Judge was able to speak with me on Friday December 17. Here is the interview:

Calderone: More than a year has passed since CEDA was enacted and signed into law. Have you noticed any changes? Can you say if attorneys and litigants are better or worst prepared to handle electronic discovery?
Judge Kramer: No difference. The attorneys who were familiar with the discovery of electronically stored information before, still are. And, those who did not understand it, still don't.

Calderone: Has the general understanding of what is necessary to comply improved?
Judge Kramer: The CEDA clarified a few concepts and some of the issues with electronic discovery. The law really did not change but those attorneys who were not very techno-savvy have now at least heard of the concepts and definitions. So perhaps there are fewer who look like a deer in the headlights when we discuss these matters in Court.

Calderone: Has anything with electronic discovery gone from bad to worse? Are there more disputes and accusations of inadequate production?
Judge Kramer: No difference under CEDA. The Court already had and has broad powers and discretion around discovery matters to protect the parties. If I could give one bit of advice to attorneys it would be, "if you don't know, fess up!" Do not make up unsubstantiated claims of cost or not being able to access the data.

Calderone: Can you comment on whether certain subject matters or types of litigation have had more or fewer issues with electronic discovery?
Judge Kramer: No difference.

Calderone: Where would you like to see continued improvement? Could the Act be clarified? Are lawyers still lacking in their understanding in some specific areas?
Judge Kramer: The CEDA is fine. It did not really change any law, just clarified some of the issues.

Calderone: Do you have any other particular hopes for the continued evolution of electronic discovery in litigation?
Judge Kramer: I would like to see attorneys subscribe to the Sedona Cooperation Proclamation, be more cooperative, and be more like a geek. A geek is the person who, when asked to fix your computer, he starts doing it. He is not always able to fix the problem completely, or, give you exactly what you ask, but the geek gets started and makes progress. Attorneys need to be more willing to indicate what they can do and can provide, instead of just claiming “it can't be done” or "it will cost a million dollars!" Eventually a smart geek on one side or the other will probably prove the attorney wrong.

In closing, let me express my great appreciation, respect, and gratitude to Judge Kramer for taking time from his busy schedule to speak with the DredLaw.com blog simply to help us better understand the CEDA and the state of electronic discovery in California today. In return, we hope that a few more of those attorneys and litigants who enter his, and other courtrooms in the state, will be a little better prepared for electronic discovery.

Breaking tradition-A review of my Asus Eee PC netbook, a great tool for the Cloud

2010-12-20T12:51:00.000-08:00

by Cary J. Calderone

Over the past year and a half I have written about the move to the "Cloud" but covered primarily the Cloud providers and the move to hosted applications. Now, as I sit typing away on my ASUS netbook, there is another reason to move my data skywards. This computer is so small, sometimes I have trouble finding it on my cluttered desk and I worry about leaving it behind at the coffee shop! I would not feel safe carrying this around unless my data was stored someplace else, like the Cloud. Let me disclose, I have no connection to ASUStek Computers, Inc. or ASUS. I do not want to start reviewing hardware and software products or become the Walt Mossberg of the West. While many of you may not recognize the ASUS name, I know it to mean quality computer components. I used ASUS motherboards when configuring clone desktop computers in the 1990s but I have not been in that business since 1999. Since an article I wrote in 1995 for Law Office Computing Magazine, I have not reviewed a hardware product. So,why am I breaking with this tradition? Because this netbook was inexpensive (under $400), surprisingly powerful, has an advertised 10.5 hours of battery life, and I love it!

Back when I reviewed the first “component laptop” with upgradeable features like RAM, micro-processor and hard drive, upgradeable meant it could serve you longer before becoming obsolete. This could save you money. From today's perspective, 1995 was still the dark ages of laptop computing. Think about a weapons dealer describing how effective his pointy stick would be back in 1995, and today describing the range of unmanned drones equipped with missiles. That is what the leap feels like between my review of a $2100.00, 386 20 Mhz Kiwi laptop then, (abstract of the article here) and this ASUS Eee 1005HA model equipped with an Intel Atom N280 1.66Ghz processor now. It also has a quiet 250G hdd, and the typical built-in networking and USB ports.

Pros

It has worked reliably for a year. Yes that is correct. I purchased this unit in December of 2009. So this is not the typical review one week after somebody gets their new electronic toy and is in the honeymoon phase. I used this netbook almost every day for the past year.
When I blog at a conference, the battery lasts me all day. I never have to worry about finding an outlet or resorting to paper and pen. I know I have used it on battery life for 8 hours before running low.
Unlike an iPad, I can use it like any full-sized laptop. It can sit on my lap, on a table, or, on the counter at the coffee shop. I felt I had the superior work tool while I typed on my Eee netbook while sitting next to someone whose iPad was teetering precariously on the multifunction cover/stand and would fall over frequently while he was reading it. My netbook stayed put!
Touch pad controls to scroll, zoom or shrink fonts and pages depending on your mood. (Think of shrinking or enlarging your view on an iPhone or iPad simply by moving two of your fingers closer or further apart) How do I know I like this feature? When I am on my full-sized laptop connected to my desk monitor, I find myself trying in vain to use this feature and it does not exist on my other computer. Fortunately it usually only takes a few seconds of trying before I realize this, and then I think fondly of my netbook.
The keyboard is large enough to type on. Some netbooks really make your fingers feel cramped.
Inexpensive and free offerings for cloud storage for your backup or data. Nice to have for those who have not yet tried other cloud options.

Cons-

Better video resolution would be nice but if it shortened the battery life too much, I am not sure I would like the trade-off.
Tried video chatting and it worked, but was not even close to a typical desktop video chat experience. Will look to see how newer Eee models can improve this.
When it is not plugged in and is working in battery mode, it is noticeably slower. Once again, this has to be balanced against increased battery life.
It took a while to get used to the touch pad features that I now love. When you have fairly large hands, you may have one or more pieces of your hand or thumbs accidentally touching the touch pad. So it is occasionally frustrating to be working and have an unexpected zoom or shrink of the page.

On balance, I had high hopes for this Eee PC, and they have been exceeded. It proved to be a fantastic tool that helped me work more effectively and efficiently, in the Cloud.

What's that up in the Cloud? It's better infrastructure by EMC Atmos

2010-12-17T07:24:00.000-08:00

by Cary J. Calderone

In a follow up to a few other posts on Cloud computing I am happy to report that EMC has been focusing on improving your Cloud experience. Their latest Atmos Cloud Delivery product line will enable Cloud providers to meter and provision Cloud usage. How does this help you in your DRED work? As mentioned in my previous Cloud articles, Cloud providers, even the biggest names, have had a difficult time avoiding bottlenecks and slowdowns as Cloud usage grows. (What's that up in the Cloud?) They have not been able to adequately anticipate or control how and when some users will over-burden their equipment and cause a slowdown for all their Cloud users. If Atmos works as advertised, it will go a long way towards eliminating one of the biggest concerns companies face when considering a move to the Cloud; "will it work fast when we need it to work?"
Up until now, the Cloud providers have not been able to sufficiently monitor (and report) usage and data flow statistics. So they were faced with the very challenging task of trying to persuade a company to move to the Cloud while they could not actually show that availability and throughput would not be a recurring issue. Now with better monitoring and provisioning tools available, Cloud providers should be able to offer better availability and more reliability to their new and existing Cloud customers. Readers of this blog may ask, "who is EMC?" Well, EMC is the largest providers of data storage technology and I would put in the category of a company like Cisco Systems. Even if you have not ever heard of them, if you use a phone or computer on the internet, then you use EMC products. This is good news for the evolution of the Cloud.

Follow Up Conversation with Don Skupsky. The offer I couldn't refuse

2010-11-19T14:27:00.000-08:00

by Cary J. Calderone, Esquire

After my last blog article, I wanted to follow up and share some of the items that I discussed with Donald Skupsky, JD, CRM, FAI, MIT, after his presentation. It seemed like we had very different ideas on email management best-practices for organizations. Just to be fair, open and up front, I shared my concerns with him and in typical fashion, once we had a more in depth discussion on the issues, it turns out we agreed on quite a bit. For example, we agreed that most employees keep far too much email.

The numbers he presented estimated that only 5% of email actually includes content substantial enough to be considered a Record. I would add a few more percentage points for material related to Records. He also explained that there are some companies, a few, that do have a policy to tag and keep business record emails and have the rest deleted in 30-45 days, and they have been successful in defending their practices. They use a folder for Work-In-Progress but the main inbox gives the user a very short period of time to decide if an email is a Record, and then to move it to another location or repository for safekeeping, otherwise, it gets deleted. There are a few companies that purport to use this policy, but I sure would like to see if they actually adhere to the policy in sufficient fashion to have it withstand legal scrutiny.

Mr. Skupsky also believes too many companies use a fall-back policy where they end up keeping pretty much everything, and this is a terrible practice. I have witnessed this policy in action quite a few times. One company kept so much electronic information that when they needed to search its email archive, they were limited to 4 concurrent searches and it would take upwards of 12 days to get the first search results back. Not a very good system for Early Case Assessment or a Litigation Response team, to be sure. So we both agree that when it comes to email, keeping everything, is a bad policy.

Ultimately Mr. Skupsky described himself as a bit of a devil's advocate. By challenging a company with a 45 day email deletion policy, he believed it was more likely that ultimately, even if they would not agree to 45 days, they would agree to a relatively short deletion period of 6 months or a year. He explained that if they were not challenged early, so they had to act to manage their email, users always defaulted to retention periods that are too conservative and too long or, they never take any action at all. The end result would once again be email inboxes that are not managed. His position is that if they are not going to manage it, then they are better off not keeping it. So, while I cannot argue with Mr. Skupsky's goals, I will still persuade my readers to consider employing a different tact. I prefer to suggest simple and straight-forward policies and guidelines that will help them eliminate upwards of 50% of their non-record and non-business related email quickly. Too many users have stated that they would love to delete many emails but they were not sure if they could or should, so they kept them all. Mr. Skupsky and I are both shooting for keeping less mismanaged information, but my method is likely to err on the side of keeping more business emails rather than fewer. The lawyer in me wants you to keep information that may help us understand your case. Is it a perfect system? No. But making users affirmatively move Records, to safeguard them from deletion seems riskier. After the first 50% is removed from the inbox, we can then work on managing the next 30-45%, which will likely be more challenging, but can be better managed with some department and function-specific policies and procedures, and perhaps some of the great new search and management tools that are available. Either system correctly employed and monitored will reduce a great deal of email clutter. And, this, in and of itself, will provide a huge cost-savings for the over-stressed IT department. It will also enhance any Litigation Response program that needs to address eDiscovery. I just want to be more comfortable that the Litigation Response team will find relevant information on their own servers, before they see it produced by an adverse party in litigation!

My approach comes from the basic belief that the use of technology is critical to an organization's success and they must keep up with new productivity features to stay competitive. So, I want to allow for expanded usage, and less effort to manage that usage. Mr. Skupsky believes records retention practice actually can help support the use of technology too. He just abhors mismanaged data growth. So while on the surface we agree, I lean toward recommending any Retention and Records and Information Management policy will be flexible enough to be updated, and amended to reflect the ever-changing needs of the users. And, whenever possible, allowing the users more use of the data and any new technology enhancements. The new reality is many companies are now contracting and performing other substantial business functions via email, electronic exchanges, and even Social Networking sites. So if the RIM program is too limiting on the use and retention of electronic data, it runs the risk it will become impossible for employees to follow it thereby making it irrelevant. The days of following simple static rules that worked fine for slow moving paper are gone. It is time to keep up with email, Facebook, Twitter, and whatever may come next.

Special thanks to Donald Skupsky, for taking the time to consider and respond to my comments.

ARMA Session-Retention for Electronic Records-Or, Don Skupsky, some of your tips should sleep with the fishes

2010-11-11T08:53:00.000-08:00

by Cary J. Calderone, Esquire

Donald S. Skupsky, JD, CRM, FAI, MIT is certainly one of the most respected and recognized Records Management thought leaders. If he is not the Godfather of Records Management, he is certainly a Godfather. His book/treatise is still the foundation for many corporate Record Information Management programs. However, coming from my background as a lawyer and IT consultant, (see blog post "Who are you talking to?") some of the RIM ideas he presented in this talk are really not applicable in the 21st century world of managing electronic data. Case in point, he suggested companies have a policy to delete email after only 30-45 days? Whoa! This is really not a "best practice" for most companies.   Let me explain.

When I started helping companies update their RIM programs and become DRED ready, I found some challenges with the old guard Records Managers who cut their teeth, and perhaps their fingers, on paper. The drill was, declare a Record, protect it for the retention period and shred the other convenience copies. Simple. As readers of this blog already know, there are many reasons why this approach no longer works for email and other fast-moving electronic forms of communication. (see Shout out to Records Managers)

While Mr. Skupsky has expanded on his original definition of what is a "Record" to allow companies to define it to include various electronic forms, at other times during his presentation, he seems to completely forget the main reasons companies have and use technology. For example, let's consider his suggestion of as little as a 30 day retention period for email. Under his 30 day policy, users are supposed to take any email that qualifies as a "Record," (defined by the company policy) and move it to another document management system or, print it out for safekeeping and storage. Even if your company does not already have a specific legal requirement (like SEC 17 a-4, or Sarbanes-Oxley) to retain email communications, there is a very good chance employees who use their email as a work productivity tool have a habit of keeping them for later reference for at least a year or two, if not forever. Can you imagine how many people would not bother complying with the rule if it meant moving only select "Record" emails to another system or printing them out for safekeeping?

In today's world, employees are using search technology, like Google Desktop and other search engines and crawlers, to mine their own electronically stored information for answers. It is a basic form of Knowledge Management and in many cases, a major productivity enhancement. So, if you have a 30 day deletion rule, and nobody wants to follow it, chances are, they won't. Which means you will end up with a policy that ultimately shows at least one part of your RIM program is a sham. Not a good move if you end up in litigation someday.

Moreover, even if the 30 day policy is supported enough to pass a test in a discovery dispute in court, it is still not advisable. What about your early case assessment needs? Email that might be critical to determine if a potential matter has merit, may be deleted from your servers, but it will likely still be in the possession of your potential adversaries. Or, perhaps it was printed out, or kept in another management program. How many hours will it take to retrieve and review those stored emails?

Even assuming your employees are willing to perform all the extra work to print and/or move those potentially critical emails, some of them may have content that would show that your employee(s) made a mistake. How much effort will your employee(s) expend to store, search and retrieve those darn emails that may show they should be terminated? I would bet that at least a few employees might just let those pesky emails get deleted after 30 days and hope for the best. Once again, the result is potential discovery trouble for your company.

While I appreciated much of the presentation, it was a little bothersome to hear Mr. Skupsky's dismissive description of "groupware tools" which he "does not like." In the tech industry these might be separate development applications or wikis or even Instant Message comment threads. Does Mr. Skupsky believe that all of these amazing advances in the area of software and collaborative development will just go away because they are difficult to track and maintain according to a simple Records Retention Schedule??? I am betting the answer is a resounding "No." These will be distributed and used and even more tools will be invented. And, realistically, this will be so even if these tools make records management, more challenging. Facebook, Twitter, and Cloud applications, may make managing records more difficult, but they are not going away. We have to learn to proactively manage them.

I understand and respect the established industry protocols and efforts of any company in maintaining a working RIM program, but without a better understanding of how and why the new technologies are employed, creating "dream world" easy-to-manage electronic records policy, is not ultimately going to be productive, and may cause very serious issues in an otherwise well-intentioned RIM program.

I could not argue against some of his ideas without giving Mr. Skupsky a chance to explain himself, so I spoke with him after the session. The next blog post will cover our discussion.

ARMA Show-A couple of useful new products and upgrades for your DRED project

2010-11-10T17:16:00.000-08:00

by Cary J. Calderone, Esquire

Here are a few interesting product offerings I noticed at the ARMA Show this week. This is not a product review. I have not tested the products but just looked at their demonstration modules. However, I like to point out when I find a product that can and will fix specific challenges for many companies. The two products I noticed come from, Page Freezer, and ZL Technologies Inc.

Page Freezer simplifies the task of maintaining and tracking copies of your website and other online representations and communications. In my experience I have found many organizations need or want to keep copies of their website information and twitter feeds. These may include representations of service or product features and sometimes they must be tracked in order to comply with a Public Information request or Legal Hold. Either way, it is difficult to keep and track a website that may be updated daily by many different departments and authors. Who is responsible to archive all the changes? Page Freezer can automatically archive selected pages or entire websites on the fly according to the rules you setup. The product also tracks Twitter updates and supposedly will be able to archive Facebook updates as well. I know quite a few organizations that would like to be using this tool right now.
ZL Technologies Inc. has added new features that allow its customers to "manage in place." Many companies operate internationally, and are faced with very challenging and frequently conflicting laws concerning email communications and electronic data storage and retention management. ZL technologies has added features that will allow its users to archive and manage electronic data in place, even in a location like Japan. There are many solutions that can managing data in the US, especially when it is all in English. But when information is collected from many places and in many languages, there are extra challenges to the solution, and there may even be prohibitions against moving some types of data, i.e., across country borders. In these instances, managing in place can be a most useful feature. Many companies have tried to move all the electronic data to one central location, to be managed according to one set of rules. Not only does this mean potential bandwidth and regulatory problems, but how many people in your main U.S. office can read and manage information that is in Japanese or some other language? Usually, the answer is nobody. So you have moved the data away from the very people who are most capable of managing it because they can read it and know the local rules that apply to it. ZL Technologies is trying to give you, a better way.

Computer Forensics Show

2010-11-03T12:54:00.000-07:00

by Cary J. Calderone, Esquire

I was able to spend limited time at The Computer Forensics Show in San Francisco this week. I understand when a show is debuting in a new city it may have issues, but the acoustics at the Herbst Pavilion at Fort Mason were pretty awful and, I am not the only one who noticed. It's too bad because the show did have some very good speakers and covered interesting DRED topics. Still, it was challenging to enjoy their presentations due to the acoustics. Background noise notwithstanding, here are a few highlights:

Dean Gonsowski, Vice President, e-Discovery Services at Clearwell Systems, presented "Compliance in the Cloud and the Implications on eDiscovery. He provided a very nice overview of many issues that need to be considered when looking for a solution in the Cloud. Even when I asked about a tricky issue, i.e., "what to do when your data may be co-located across international borders?", he provided a thoughtful and practical approach. He had other terrific "checklists" to use when you look at Cloud solutions, but I am not listing them here. You'll have to see one of his presentations yourself.

I also enjoyed the session run by Michael Glick, Vice President of Encore Discovery Solutions "How Advances in Modern Electronic Discovery Practice are Changing Commonly Held Notions About Conflicts of Interest." He described the advantages to litigants following the Sedona Conference Cooperation Proclamation and waiving some potential conflict issues, and cooperating with adversaries during electronic discovery. There area even times when using a single provider and platform can save everybody money and hassles. I asked if Encore had protocols conflict checks for their eDiscovery clients? Much like lawyers and law firms, Encore follows high standards and protocols to ensure they do not represent parties with adverse interests. Pre-engagement conflict checking is too often an afterthought with some consulting groups in the DRED space and it shouldn't be.

On balance, I hope that this conference grows, finds a better location, and returns to San Francisco next year. If they continue with legal tracks that include good DRED discussions, I will attend again.

Attending the Computer Forensics Show

2010-10-28T14:51:00.000-07:00

by Cary J. Calderone, Esquire

I will be checking out The Computer Forensics Show Nov 1 and 2 at the Fort Mason Center right here in San Francisco. (You know San Francisco, where the Giants play World Series baseball...) It is my first time attending this particular event but I expect it to be worthwhile. As my readers know, there is a very important relationship between DRED and computer forensics, so I will observe the legal tracks and hopefully learn more about when and what specific factors trigger forensic investigation, and how forensic tools may be used proactively, to avoid pain and greater costs later.

Given some of the panel discussions they have scheduled, I am sure I will find some "blog-worthy" material.

Who are you talking to? You talking to me?

2010-10-26T12:01:00.000-07:00

by Cary J. Calderone, Esquire

Here comes a little rant. I try to be nice, really I do. But it is very frustrating when my energy and efforts to help a client are thwarted or, challenged by more aggressive and "less informed" consultants and sales representatives posing as consultants. Attorneys, sales reps and consultants usually have different education backgrounds, different experiences, and different motivations. So I wanted to devote this blog post to summarize and distinguish these three professionals who may be employed to assist you with your DRED project.

First, there is the sales representative who makes some or all of their salary by making a sale. They have to get you to say "yes" to their product or service in order to earn their commission. Accordingly, they are not the most motivated when it comes to telling you how their product might fail you or how over-simplified their "form data retention policy" might be. Most seasoned customers recognize the motivation of the nice and helpful sales rep and view their information as potentially inaccurate.

Next there is the consultant, (and not one that is really tied to a specific product which makes them a sales rep disguised as a consultant) offering you "best practices." The consultant needs to make you happy with the service and/or product they select so getting you to say "yes," is not always enough. If it doesn't work out as advertised, you probably will not want to pay for it. So, where a sales rep might proclaim a product definitely can handle your needs, the experienced consultant will hedge a bit, to avoid possible fallout later on. I get quite a few questions from "consultants" asking me to explain some point of law to them so they can explain it to their client. I typically do not help them. It is their intention to take complex legal points and simplify them because, "that is what their clients like." Needless to say, simple is not accurate and frequently will cause their client more harm than good. A little information truly can be a dangerous thing.

Lastly, there is the attorney (cue dramatic background music). The attorney is risk-adverse and picky about simple statements of the law. We learn that words have meaning and appreciate that even when sales reps and consultants use our words or case law appropriately, they often find a way to mess up the scope or analysis of the legal principle. While attorneys are often derided for making the simple seem complex, in our defense, frequently things that appear simple, are simply not. And, when it comes to your legal obigations, we attorneys are the ultimate and best source to evaluate your legal hold, data retention and eDiscovery policies and procedures. Most good sales reps and consultants agree with this. even if they occasionally forget it while they try to "help" their client.

So, who are you talking to? When it comes to legal points, I hope it is your very wise and well-informed attorney. Can you hear me now?

ARMA International Conference and Expo in San Francisco November 7-10

2010-10-18T13:19:00.000-07:00

The ARMA (Association of Records Managers and Administrators) Show is coming to San Francisco November 7-10 and should be excellent. Although I was not able to attend the show in Orlando last year, I attended the Las Vegas Show in 2008 and found the panel discussions and presentation to be very worthwhile. The highlight for me is that the speakers are often practitioners with a gift for educational presentations, and not just sales gurus and product marketers.

The guidelines for ARMA prohibit speakers from simply selling their services. The end result is that they offer more "real-world" examples of tackling and succeeding with Records Management, Litigation Preparedness and e-Discovery projects. I have participated in local ARMA chapter events in Silicon Valley, San Francisco and Contra Costa County but will just blog about this event. The local and national organizations are a great resource for anyone interested in learning more about Records and Information Management, or DRED. For more information you may go to their website www.arma.org. See you at the show.

Virtual LegalTech- Neat technology but where are my t-shirts and snacks?

2010-09-28T09:55:00.000-07:00

Last week I checked out Virtual LegalTech for the second time this year. In brief, it employed very cool technology and some of the presentations used streaming video and the new technology very effectively. Others, not so much. On the bright side, a boring Powerpoint presentation can be put in a smaller window to the side and I can surf the web while the boring speaker drones on. In person at typical conferences, escaping a boring presentation can be much more challenging. While some features of a "virtual conference" mirror the real world experience, others are missing.

If you loiter near a booth, or, even walk by a little to slowly, at a conference, a sales representative will jump out at you, scan your data to get you on an email list, and then strike up a conversation or try to show you their demo and maybe get you on a path towards a sale. At Virtual LegalTech, you are only bothered by the occasional pop-out chat window asking if they can answer any questions. Less bothersome to be sure and not a bad way to type hello to a few people you may already know. And, they already have your name and email. Do I believe this technology will replace live, in-person conferences? No. Business people will always need excuses to network and showcase their wares and trade shows are still the superior showcase. However, I do believe this technology will reduce the frequency of the live events and perhaps dramatically so. During the past two years during this dismal economy, everyone involved has noticed an overall decline in attendance. Virtual conferences have to be significantly more cost effective and that alone will make them an alternative, or an add-on to marketing budgets. I did hear some excellent presentations and received Continuing Legal Education credits for some of them. But it is still kind of sad that I attended two of these Virtual LegalTechs and didn't get a candy bar, snack, toy, or even one single t-shirt as a memento. Maybe as the technology improves...

Do you Tweet? Are you on Facebook? You need a policy!

2010-09-27T16:30:00.000-07:00

Some companies have really benefited by using Twitter and Facebook accounts to grow and cultivate their customer base. And many other companies are taking notice and making plans to do the same. But, there are some very important precautions you should be taking before you ask your clients and friends to "Like" you online. Do you have a policy or retention schedule that covers your social media interactions? If not, you need one. This type of communication is potentially "relevant" material to any matter dealing with customer representations and advertising. Depending on your industry, you may be specifically required to manage and retain this information or, your lawyer might just suggest it as a good idea. I know there are more lawyers who are learning about this new area of business communication, but there are still too few. Please find one who understands it and speak with them, or, contact us so we can help.

IQPC eDiscovery Panel-Protecting Privileged Communication

2010-05-18T10:18:00.000-07:00

by Cary J. Calderone, Esquire

Moderator, Mark Michels, Managing Attorney, Cisco Systems, Inc.
Craig Carpenter, Vice President and General Counsel, Recommind, Inc.
Martin T. Tulley, Partner and E-Discovery Practice Chair, Katten, Muchin, Rosenman, LLP

This panel was focused on Federal Rule of Evidence (FRE) 502 which governs attorney-client privilege and work product; limitations on waiver. 502 was drafted specifically to cover electronic discovery and inadvertent disclosures. I have had the pleasure of listening to Mark Michels at other presentations and, as an audience member, I always appreciate that he tries to make his panel discussions interesting, lively, and a little bit fun. After sitting in on 5 or 6 eDiscovery sessions over the two days at the IQPC eDiscovery conference, I believe anybody sitting in this audience appreciated that he made the panel discussion entertaining, as well as informative.

The first hot topic was protective orders with claw-back provisions. The panel was interested in whether people had ever had a "quick peak" (i.e., noticed that your opposition sent you privileged information and had to report it to them) and made the following points:

Mistakes will happen. We are dealing with an enormous volume of data. There is fear of privilege waiver but there is also significant cost in taking precautions.
FRE 502- Now with 2 years of precedent it is better understood.
502(d) limits waivers of attorney/client privilege, promotes certainty and reduces litigation risks.
502(e) indicates that a Protective Order is still prudent.
There is a big presumption against broad subject waiver.

Mark asked, "when is a disclosure not a waiver of privilege?"
Martin provided a checklist of factors:

Privilege?-Was it privileged to begin with?

Inadvertent?-Was the disclosure inadvertent? Some courts not-intentional equals inadvertent. Other courts have a checklist of factors to consider.

Reasonable?-Advisory committee notes to 502 do not define it. Rather, the Committee notes list factors to consider such as precautions and steps taken after disclosure to attempt to rectify?

Extent of the disclosure?-Overriding issues of fairness. Was there a defensible Records Management program? For example, was it 4 out of 10,000 documents? Did the disclosing party take quick action? Court found it reasonable and therefore there was no waiver of the privilege.

Best practice-Always have a protective order with a claw-back provision.

Waivers have been found where the producing party could not describe what they did...so document your procedures.

Perfection is not expected.

It was pointed out that whether FRE 502 would be binding in state courts, has not been tested.
Citing the Victor Stanley case and Judge Grimm be prepared to answer, "did you do enough to find the privileged documents?"

The panel also mentioned the Amobi v. District of Columbia case where Judge Facciola discussed "inadvertent." The Judge's analogy was paraphrased; "while 502b would allow me to round up the animals and put them back in the barn, were reasonable steps taken to avoid letting the animals out?"
One of the precedents was clear. When the data had been produced to the expert witness for review, privilege was waived.

The panel then examined what would be considered "reasonable" efforts to find and protect your privileged information. Keyword search alone is usually not sufficient as it finds only 25% of documents, so you should add in sampling. The type of vendor you are working with can make a difference. Do they understand the methodology and work flows around it.

Craig Carpenter provided an extensive list of search features that could help. He mentioned threading, email de-duping, visualization (being able to see who spoke with whom and when on certain topics), concept search (relate documents that are substantively similar but may not share keywords), clustering-(particular set of keywords-take first few documents that relate to the category), grouping-(more sophisticated clustering-take all documents that relate to the category) automatic categorization (the tool does it for you), amd predictive coding (form of automated review). Not surprisingly, Recommind's impressive products are capable of helping you with all of these search techniques. Craig was in "teaching mode" and not in sales mode and his examples and explanations were excellent.

The panel discussed an instance of dealing with 2.5 million documents and the client did not want to pay for privilege review but rather, instructed outside counsel not to turn over anything privileged. LOL! Obviously it would cost too much. So, with client's consent, they used automated review tools with some direction from knowledgeable people. They were able to save 3 or 4 months of processing time and several million dollars.

Mark Michels said "hypothetically," what if he was the "impecunious client?" "How could they be reasonable and save money too?" The panel proposed technology search with Bayesian models and sample seed sets to help cull down the data but then made it clear that "at some point, you have to put some eyes on it." 100% automated tools or 100% manual and people-powered processes have not been favored by the courts.

The last "best practice" was to re-iterate that it was critical to define "reasonableness" or, through agreement with the other party(s), take "reasonableness" out of the equation by agreeing what both parties would do for production and what would happen in the event of any inadvertent disclosure. They closed with one of the best lessons for those who would rely solely on FRE 502 to save you from waiving privilege during disclosure: Crediting Judge Grimm for the analogy, 502 was "like a bungee cord. It can save you, but it is still a terrifying experience."

IQPC eDiscovery Panel-Global Issues

2010-05-17T18:05:00.000-07:00

by Cary J. Calderone, Esquire

David C. Shonka, Esquire-Principal Deputy General Counsel, Federal Trade Commission
Benton Armstrong - Principal, Analytic and Forensic Technology, Deloitte Financial Advisory Services LLP

David Shonka stressed from the beginning, "if there is one takeaway best practice from this session-get local advice. European Union directives are not the last bit of advice. Each nation has its own interpretation of it. Local law firms in Europe and Asia are much more sophisticated now and can offer better advice."

Initial considerations for global eDiscovery:

Who has Jurisdiction?

Who has control of the data?(maybe a 3rd party?) (Where is that party sitting?)

Duplicate copies in the US?

Where does the data sit?

If you can get it, can you move it? Lot of restrictions on transfer (personal and sensitive data)

(Source-Sedona Conference Framework for Analysis of Cross-Border Discovery Conflicts August 2008)

Companies are employing new mobile technologies to go in with a small data center to process out personal and private data, then you can negotiate for collection/transfer from that point. For example, data sitting on server in Eastern Europe but it is Austrian employees' data. It was treated as though they were doing a collection in the Czech Republic. They ultimately collected what they needed but it was a very long and difficult process-got consent from the Data Privacy officer in the Czech Republic. Since this is a relatively new phenomenon, they are being extra cautious. Multinational organizations need to anticipate this.

There can be problems when parties do not want to cooperate but ultimately they do. Preservation process- while the consent process is going on the data is not preserved. Employees delay and then 5000 deletions will occur just before the data is supposed to be preserved.

We are getting better and more sensitive to private data in the US but still not equal to the EU. Convergence going on-don't think they will ever meet-but the realities of dealing with a global economy is forcing people to cooperate. Reminder that under the EU directive, looking at data equals "processing" and there are different stages:

Retention

Disclosure

Onward transfer

Secondary use

There are also international collection considerations such as:

Who collects? Employees? Can cause problems

In what form? Native or a forensic copy? Physical or logical? Remote or direct connect?

Best practice from Benton Armstrong-"get all stakeholders together at the outset."Records Managers, Legal, IT from many if not all different offices and locations. Get the potential roadblocks out in the open early so you can plan for some of them. It will make the process much faster.

One positive thing I learned from this panel is that, since I first started this blog, the best practices for international eDiscovery have evolved. While certainly not simple and without potential pitfalls, there are now better operating procedures and protocols for negotiating this tricky area. I suspect as more and more global companies implement policies and procedures and have better trained and more experienced practitioners involved, the potential pitfalls will continue to dissipate.

IQPC eDiscovery Panel-Roles of In-House Counsel and Outside Counsel

2010-05-17T16:14:00.000-07:00

Vincent Miraglia, Chief Counsel - Employment Litigation & Electronic Discovery International Paper
Vickie Lee Clewes, Senior Manager, Commercial Legal Affairs, Gilead Sciences, Inc.
Moderator, Wayne C. Matus, Partner Pillsbury Law Firm

Wayne Matus started the discussion rolling by asking the panel, "What keeps you up at night?"
There were two answers:

For things like government subpoenas and investigations, it is very hard to have processes already in place, so managing the discovery is very challenging.
For inside counsel, it is very difficult to manage many legal holds and keep mindful of when they "anticipate" new litigation.

The panel noted it was difficult to have a cohesive company-wide plan. They still had to address the individuality of each office/department while balancing the tie between discovery and risk.

Vinnie thought that "less is more" and that he does not want all of the data, just the relevant stuff.
He gave an example of PST files. They had established a delete policy (60 or 90 days) and used legal hold and archiving tools to move and archive necessary email.

They referred to the Zubulake case (6) and explained that since "terminating employees" could lead to litigation, a best practice would be to freeze all data for terminations for a set period of time.

Question from Wayne-What about the fact that they may get hit with a lawsuit in a new area? The panel believes in meeting and discussing potential new stuff often with outside counsel. They also found that, almost always, outside counsel is conservative about when legal holds are necessary.

What keeps Wayne up is the eDiscovery process maps he creates with his clients do not say all decisions should be documented. For example, "this is why I did or did not issue a legal hold."

Vicki thinks they do need to document more. Since we are shooting for "reasonableness" better to show what you considered at the time.

Question from Wayne-How important is communication between inside and outside counsel?
Vinnie's response-Keep it like a working partnership so Vinnie may respond to some discovery requests and outside counsel may respond to others. He thought that the legal bills go down with better communication.

IQPC Judges Panel on eDiscovery

2010-05-06T12:29:00.000-07:00

by Cary J. Calderone, Esquire

Readers of this blog know that I am always happy when we have the opportunity to learn about DRED issues directly from judges. I had the privilege of attending the Judges Panel on eDiscovery at the IQPC eDiscovery Conference in San Francisco. This was a very worthwhile session and attendees learned some great insights about the "Real World" of eDiscovery that occurs in actual court cases. And, by actual court cases, I mean the majority of cases you will probably never read about because they do not involve extreme examples of eDiscovery misconduct and multi-million dollar sanctions. Hopefully, these are the cases that your legal matter will most closely resemble. Moderated by Craig Carpenter, V.P. and General Counsel, Recommind, Inc., U.S. Magistrate Judge Robert B. Collings, District of Massachusetts, and U.S. Magistrate Judge Elizabeth D. Laporte, Northern District of California, provided updates to the law. I am happy to report that in the 3-plus years since I have been working almost exclusively with eDiscovery issues, there has been evolution and progress, and there are now better guidelines to help keep your business or department DRED-ready.

Some of Judge Collings recommendations included:

Reading the article by Judge Facciola-Federal Courts Law Review on privilege review

Urging counsel get a court order with respect to a Section 502 waiver

Whittle eDiscovery down the the issues you have actually have in dispute

As an Observer to the Sedona Judicial Working Group-Courts are looking for more cooperation between counsel and less adversarial posturing during the Meet and Confer process

Parties need to be more transparent about what, how, and where their data is located

Don't take expensive 30(b)6 depositions unless necessary

Bring your IT experts to the Meet and Confers

A reasonable proposal and approach will get the Judge's support

Settling cases for purely economic reasons has always occurred -eDiscovery is exacerbating this

Judge Laporte also provided some important insights:

There is a wide range of parties and sophistication-She has given attorneys eDiscovery homework

Lawyers who typically do not deal with eDiscovery now have to learn it

Client is responsible for getting it right-Courts look to see who is really engaged in the wrong-doing (citing Qualcomm case where the court found no bad faith on the part of outside counsel)

Standard is what is reasonable at the time

If you agree with opposing counsel as to procedures, and reduce it to writing, you should be safe from sanctions

Get a section 502 claw-back provision embodied in a court order

Sanction cases-Repeated misrepresentations and a failure to be careful cause most of the sanctions, regardless of the provision the Judge may cite as authority for imposing sanctions.

The best practice comments were interrupted when Wayne C. Matus, Partner, Pillsbury Law Firm, asked a question from the audience that caused a noticeable "pause for reflection" by the Judges before they could answer. He asked if there was ever a situation where the standard for Legal Holds was going to be always on hold? He gave the hypothetical of a construction company that knows there will always be litigation with a certain size development project, so from the beginning, they can "reasonably anticipate litigation." After giving it some thought the Judges, while not answering the hypothetical directly, did point to similar industries, like pharmaceuticals, and technology development, where future litigation is always a consideration. Since I have advised clients in this area, I commented to Wayne afterward that it was almost an "unanswerable question" and jokingly asked if he had ever been banned from participating in Q&A with Judges Panels because he asked such tough questions? The truth is, tough questions like that are the best part of these panel discussions.

Judge Collings clarified the role of inside versus outside counsel: "What is subject to legal review is the role of outside counsel." He recognized that making money for the corporation and keeping money for the corporation (a penny saved is a penny earned) is a major goal of inside counsel, but noted they will run into problems if Legal Hold notices are not going to the correct custodians or they are not being issued on time.

Judge Laporte referred to the Pension Committee case to remind us that Circuits have different standards for issuing Legal Holds. She also commented on Judge Shira Scheindlin's recent dicta about always issuing a written hold. Judge Laporte observed that "when you have a small family or small business litigant, it could be a very different situation and standard. On the other hand, why wouldn't you issue a Legal Hold?"

Patrick Oot, a well-known eDiscovery expert and Sedona Conference participant made an interesting point from the audience about wage and hour disputes and when you may not want to issue Legal Holds in the standard fashion but might choose to separate the Legal Hold policy from the class certification.

Great point from the Judges on reviewing your own Legal Hold procedures: "Imagine if you have to explain what you are doing to the Judge later." For example, even an email is now a written record of what you did to issue a Legal Hold and it creates a trail. Discussing the Quan case and text messaging, there were conflicting views on what the company policy was. The Judges recommended audits regarding private versus company usage. Best practice, "Have a clear cut policy" and people need to know it!

I had one what I like to call "cringe moment" when Judge Collings mentioned that lawyers are going to have to learn about technology to adequately represent their clients in court. He mentioned the long tradition and ability of lawyers to be able to learn a great deal about a particular subject matter in order to prepare for trial. They can study and learn an amazing amount of information in order to explain the subject to a judge and jury. While judges are never "wrong," they are only "misinterpreted," my worry is that too many techno-deficient lawyers will believe they can learn the technology and its language in a few weeks. They can not. To them, in addition to offering my expert services (shameless plug), I suggest a more appropriate analogy would be like trying to learn to speak French in a few weeks. In other words, learn what you can, but bring your expert interpreter along. Merci beau coup...

What's that up in the Cloud Part 2? Do you have a Policy?

2010-04-09T11:16:00.001-07:00

by Cary J. Calderone, Esquire

In the first article on the subject I presented an overview of some of the risks with moving your company data and/or applications to the Cloud (link to Part 1). This article is about moving to the Cloud whether you want to or not. Let me explain. Do you think you are in control of your companies' data? Maybe, or maybe not! Companies like Dropbox, Mozy and many others are offering free cloud storage to users. And, we are talking about free gigabytes of storage. Enough to hold far too much of your important, privileged and/or proprietary company information. These new product offerings are simple to use, and extremely easy to setup in a matter of a minute or two. This means that if you do not have a policy on storing your work product off site, like on USB flash drives or tapes, then you had better at least get one for Cloud storage. USB ports can be disabled. Stopping user access to all the Cloud storage sites would be very challenging. This means all a user has to do is download a small application, setup a folder on their desktop computer, and from that point forward, anything they place in that folder gets copied to the cloud. As a warning to all my potential clients, you do not want your first knowledge of this new technology coming after you have been served with a Request for Production in a lawsuit.
Now, personally I think this is the greatest thing since sliced bread, or, at least the greatest thing since free personal email accounts. I have setup test accounts with both Mozy and Dropbox. Having the latest copy of my draft blog post available on my netbook, my laptop, or my desktop machine, is a great time saver and backup mechanism. In the past, and even though I seldom need to share my information with another person, I have wasted countless hours and email storage space moving my data from one of my computers to another of my computers via USB or email. I no longer have to do this. Additionally, if I am ever away from one of my computers, I have the option of getting to my data by using any computer that has internet access. In conclusion, two quick words of advise: 1) If your company policies do not cover Cloud storage, they should. 2) If you are a lawyer making a discovery request or taking a deposition, you should know how to ask about this stuff.

IQPC eDiscovery Summit in San Francisco coming in April

2010-03-05T09:11:00.000-08:00

by Cary J. Calderone, Esquire

For those of you who do not think that a couple of my blog articles will be enough information for you, then consider attending the eDiscovery Summit in San Francisco on April 26-28. I plan on covering the Judges Panel on eDiscovery with U.S. Magistrate Judge, Elizabeth D. Laporte, and another session focused on Cloud Computing and eDiscovery. In 2008 I covered a keynote delivered by Judge Laporte. (link to 2008 keynote article) so I am looking forward to getting an update from her. As I have mentioned on this blog previously, it is a rare treat to be able to get eDiscovery information and education directly from judges, as opposed to interpretations by other "experts" and "pundits." U.S. Magistrate Judge Robert B. Collings is also scheduled to speak. Additionally, there will be quite a few inside counsel who will share their "hands-on" experience with eDiscovery.

Legal Tech 2010-Best Practices in Compliance and Email Management in the Cloud

2010-02-25T15:01:00.000-08:00

by Cary J. Calderone, Esquire

The participants (listed at end) on this panel had many years of eDiscovery experience and came from a variety of backgrounds including legal, consulting and product vendor. This was like getting a "Quick Tips" guide to eDiscovery because they chose to a conversational approach instead of doing a lecture and presentation. They started off first, by agreeing with Malcolm Gladwell's keynote comment, "we are in massive information overload." Then they got right at some important distinctions for the new language describing eDiscovery and, in some cases, updated the definitions for some of the old labels. For example, they talked about the "Cloud" and basic definitions, but the panel thought it was necessary to be more specific now and gave examples:

Public cloud-3rd party provider
Private cloud-you set it up yourself
Storage Cloud-as opposed to applications
Infrastructure-the network behind the Cloud

The driving force behind the use of the Cloud is that "head count is expensive."
Peter Lesser believed that private cloud is the safest way to store and use data because then users keep it off their laptops, etc.

The panel drilled down on Infrastructure and asked about variables like:

International considerations.
Where is the data really stored?
What about Virtualization?
Can you identify and distinguish between "primary" and "backup" data?

Tom Gelbman commented that the de facto Policy might be just to keep everything forever.

They noted some of the really difficult questions. How are you going to apply your Retention Policy? Where is the data? For example, a Swiss based parent company with data kept in Arizona? Is it now subject to Arizona and US jurisdiction?

What happens when a broker-dealer uses Facebook but can't capture the Facebook data-that is a problem under the current rules. And, if Corporations think they are just going to shut these things down “they are delusional.” Between, Twitter feeds and text messages etc., even with policies in place, they may be unenforceable. "Behavior does not change because you have a policy." This author would disagree. I believe that you can change some behavior with a well designed policy and training but agree that just having a policy, is seldom enough.

They claimed that without some sort of auto-classification tool, the management of the data is impossible due to the volume. They also recognized the sobering fact that it is much easier to get money budgeted for eDiscovery than it is for Retention. No arguments from me! Oil changes and routine maintenance seem to get quickly cut from budgets, but once the car breaks down, you have no choice but to call the tow truck and prepare for a big bill from the mechanic. Is your company being "proactive," with litigation preparedness, or, will they have to be "reactive" and pay for the blown engine when litigation erupts?

Tom Allman's Cloud checklist:

Can you suspend all auto deletion and move the data to an eDiscovery location?
What about meta-data?
Do you have backups to the cloud?
Neither Google nor Microsoft will implement legal holds. There is no Microsoft product to stop users from deleting a message. Journaling is the only option. Do you have it?
Does the Cloud help with cleanup of the digital landfill? Yes, it can.

Rosenthal and Lesser noted that the move to the Cloud has a positive effect in that it “Forces companies to engage in legacy retirement programs.”

Allman added one of his favorite funny-but-true tips, If you have backup tapes that are 25 years old, make sure when you sell a division, all the tapes go with it!

Weiss believed for many instances of email, you keep it 10 years then delete it, because access to it becomes more and more difficult.

Rosenthal added that legacy program are linked to applications and clients. So how would you ever be able to sample, search and analyze the data?

They posed another great question: Can you determine the value of the data?
Lesser-Storage is getting cheaper every year but the cost of the people to organize it far outweighs the cost of storage.
Brian Weiss added that yes, storage is cheap, but retrieval is expensive. Moreover, to scale up to index large amounts of data is still very expensive.

The final thoughts or hopes were that in five years from now, there would be no applications stored locally on computers and there would be much better search tools.

We shall see!

Panel participants:
Tom Gelbmann, Managing Director, Gelbmann & Associates
Tom Y. Allman, Editor, The Sedona Principles
Peter Lesser, Director of Global Technology, Skadden, Arps, Slate, Meagher & Flom, LLP
John J. Rosenthal, Partner, Winston and Strawn, LLP
Barry Murphy, Principal, Murphy's Insights
Moderator:
Brian Weiss, VP eDiscovery and Information Governance, Autonomy

Legal Tech 2010-A couple of neat new DRED products even smaller businesses can afford.

2010-02-25T10:45:00.000-08:00

by Cary J. Calderone, Esquire

Let me start by hedging a bit. I am not recommending these products. I played with only demonstration versions. I do not test and review products unless I have been specifically hired by a client to help them decide what product they should purchase for their particular needs. However, at this past Legal Tech Show I was happy to demo two new products that smaller companies could afford to use. This is good news because in the DRED space, most of the initial products released targeted large clients and installations and had pretty large price tags. It is hard to imagine a smaller business working with a product that starts at 300k to solve a retention or eDiscovery problem. The two products I noticed: 1)Legal Hold Pro by Zapproved and 2) BitFlare by SunBlock Systems.

These are both products that may help many smaller businesses. Legal Hold Pro allows a customer to track Legal Holds, and more importantly, all the communications around the Legal Hold (LH). There are many challenges with issuing LHs. The obvious issues involve when the LH should be issued and what it should cover. However, it is also critical that the LH is adequately communicated to the correct custodians and that you can validate the communication for compliance with your LH policy. Legal Hold Pro is a SaaS product (in the Cloud) that helps users track not only the initial distribution of the LH but also, subsequent updates. I think the best feature may be that it helps users remove the LH when it is no longer necessary. This is an issue that has not been discussed as much. Even those who are proficient at the initial LH process will admit that they are much more disorganized when it comes to removing the LH. And, if you are holding data, whether you need to be or not, it now may be subject to a new discovery request and/or a new LH. So the product may help you legally "clean house" a little better.

Similarly, BitFlare gives smaller companies the ability to lock down computers for LH or data forensic purposes. There are other forensic tools, some of them more affordable than others, but the focus of BitFlare is that a non-techy can follow simple instructions and secure data on a computer, in a fashion that Bitflare claims (I do not know if it has been tested in court) will preserve the chain-of-custody and accordingly, preserve its use as evidence. BitFlare is not a Cloud or SaaS product, but rather is a software product that comes on a bootable CD disc and can be run on any laptop or desktop computer (not sure about Operating System limitations).

They have an interesting pricing schedule. You can download the software for free and use it (provided you know how to burn an ISO cd) but then if you want the spreadsheet that lists the content on the computer, it will cost you $250. My hunch is they use this approach so when you think you might need contents for a LH you can lock it down. Then, and only if and when you need to analyze the data, you can pay $250 to see what is actually on the computer.

Once again, I have not used either of these products other than the demo versions, so you will need to test and verify that they will work for you. Still, it is very nice to see a few products capable of helping smaller companies tackle issues around DRED law. Let's hope this is just the beginning and there will be more affordable products to help companies become and stay DRED ready.

Legal Tech Keynote by Mark Howitson of Facebook-Social Media and eDiscovery

2010-02-16T17:25:00.000-08:00

by Cary J. Calderone Esquire

I had the pleasure of listening to Mark Howitson (aka Howey), Deputy General Counsel of Facebook, Inc. deliver the keynote address on Day 2 of Legal Tech. He started off with some staggering facts about Facebook:

Currently, ½ of all Americans over the age of 14 use Facebook.
350 million users have logged into Facebook, in just the last 30 days.

If you think this social networking thing might just be catching on, you are right!

Howey came to Legal Tech to talk about Social Media and eDiscovery or, as he described it, dealing with Social Media and the information that he provides for discovery requests. He divided his presentation into two responsibilities of managing data at Facebook:

1) Social media and discovery

Social media is going to be all around us-There is already an application (Forceware) that uses the iPhone GPS to provide live location reporting
The technology is everywhere
The technology is here to stay

Howey mentioned things he can't and won't do. He distinguished between when the law “allows” disclosure versus what it “requires” for civil discovery and this is a critical distinction because Facebook is dealing with huge volume.

In this regard, Howey relies heavily on the Electronic Communication Privacy Act (ECPA) and the Stored Communications Act (SCA) CA 18 USC 2701 for wire intercepts, and Section 2702a for “covered provider,”“remote computing,” and “electronic communications services.” He noted that there is an issue of when Facebook may provide information to a requester under Section 2702b and the substantial legal necessity of having “lawful consent.” Customer Records would be covered by Section 2702c for example, if a subpoena is asking about User X and all communications. In that instance, even with a subpoena, Facebook can only give basic subscriber information.

Howey is “itching for a fight” as he wants user information to be declared “content” and therefore completely protected from disclosure. The SCA was created in 1986 so Howey believes it is time that the Federal Court clarifies the rules with case law that involves present day fact patterns and current technology.

He discussed the Colgan Air case involving Workers Compensation (WC) for a flight attendant. The WC appeals board sanctioned Facebook $200 a day for not providing the data about the flight attendant to Colgan Air but the appeals board later backed off because they recognized that Facebook was never provided the required consent.

Howey really had the audience pondering the question of what is “lawful consent?” For example, was compelled consent of parolees adequate under the SCA? And what about students subject to random drug testing?

There was also a case from Bozeman, Montana where job seekers were wrongfully required to list their social network screen names so they could be searched! And he talked about another case in Houston where they where the interviewers asked for the interviewee's Myspace password in order to review their Myspace page. The interviewee sued and won.

He believed the way to circumnavigate this law would be for a interviewer to ask the applicant to, “be my friend on Facebook?” This would appear to be a lawful approach as long as it is not coerced.

2) Managing Discovery at a Communications Company

We now live in a world with chat and Wikis which need policies written and enforced company-wide.
Howey described the basic tenets of discovery when it came to corporate material, which is a “yes” for discovery, versus personal material and items protected by the SCA, which would be a “no.”
There are still some gray areas, like email notification about Facebook communication which is residing on your computer system. Is it covered by SCA or not?

As a basic precaution to protect your privacy, he mentioned, “don't connect your business email to your Facebook account.”

When it came to the second item, “Managing all this Content” he had the following suggestions:

Fee arrangements with law firms
Single discovery counsel for all firms (I found this interesting but would really like to know how this could work given conflicts of interests and competition amongst law firms)
Flat fees that delineate responsibility
Companies first need to cut a deal with their outside counsel.

He mentioned some innovative firms and thought it was “insane” to pay law firms full freight. Howey also believed that the days of rooms full of people and monitors doing document review should end. He championed leveraging technology to keep costs down.

One of the high points of the entire conference for me was that Ms. Zubulake of the seminal eDiscovery decisions was in the audience. I have personally been involved in many debates about the correct pronunciation of her name. To his credit, once Howey found out she was in the audience he asked her. It turns out the first syllable sounds like “zoo” and the last syllable rhymes with “cake.” Lawyers and judges who read this may now rejoice!

On balance, Howey gave a very fun and informative keynote. He provided some answers and supporting authority and most definitely raised awareness to many of the critical issues going forward with eDiscovery and Social Media.

European Union data: What are the rules?

2010-02-02T12:45:00.000-08:00

by Cary J. Calderone, Esquire

Those who attended this session at Legal Tech learned some interesting things about data protection in the European Union (EU) from a very impressive panel of experts (bio information and links below). My first foray into this area, the conflicts between EU and US rules governing electronic data, began about 3 years ago. While researching this subject for a particular client, I learned that international corporations had virtually impossible responsibilities to balance and implement. It became apparent that most issues would remain unresolved even as the best of international companies made progress towards becoming compliant company-wide. I was very interested in hearing about the current state of the EU and US data rules.

Nigel Murray offered some background information:

January 28, 2010 was the 4^th European Data Protection Day – they have made it a holiday!
The EU Data Protection Directive will be updated to reflect new technology.
EU Data Protection rules will be written so users know when their personal data may be stored and that they have the right to say “no!”
The European Union has 27 member countries-No Norway, Switzerland, or Lichtenstein.
Bulgaria, Romania, and Turkey are not in the EU, but they are trying to join.

Judge Peck began by describing why the EU and US rules are in conflict. He explained that in the US the standard for discovery is information that is “reasonably calculated to lead to the discovery of admissible evidence.” In the US, even a claim of Confidentiality is not a basis for refusing to disclose or produce data. Sensitive items relating to HIPAA, Social Security Numbers, or credit card information would be redacted in accordance with a protective order or agreement, but the information is discoverable. On the other hand, under EU rules, Privacy is a fundamental right and anything that contains personal information, broadly defined as anything that can be used to identify a person, (see Definition Personal Information) can not even be searched, let alone collected or disclosed without the individual user's un-coerced consent. Judge Peck commented that “in the ideal world, a US Judge does not want to have to worry about EU or Asian rules” but we are not in the "ideal" world.

A few legal cases were discussed by the panel to show that the trend has been, if data is in the US, then Courts have been very hesitant to use EU Data Protection rules to keep it out.

Other observations:

Within EU jurisdictions, moving data from country to country also causes problems. If it seems odd to us in the US, remember that the US does not have a history of countries crossing borders to expand their empires.
There are times when cooperation can work. George Rudoy described one instance when the representatives of a company made him take a drink with them to show that his data collection would be used for only legitimate purposes. It may have been water. It may have been vodka. His willingness to participate reassured them.
Maura Grossman shared that no matter what your risk profile, it would be a best practice to establish relationships and get input from local counsel. She explained that there are many data protection rules where the exception for litigation is specific to litigation in that country. If your matter is filed in another country, even another EU country, the exception simply does not apply.
Consent is sometimes an option but not always. There are stringent standards to follow for gaining consent, and in some cases, consent of the individual is irrelevant.
Another best practice is to be “super-surgical” in targeting requests at specific data, and keeping the scope of the request bound by the borders of that particular country. What makes this very tricky is that it is not just moving data that causes a problem. Merely accessing the data can violate the rules! If data is hosted in Germany, a lawyer violates the rules if he accesses the data from his office in NY.
If a corporation has been freely operating with its worldwide data in an “open” fashion i.e., journaling all email communications in the US then Judge Peck believes it is more likely a US Judge will not protect that information from disclosure under EU data protection rules. Judge Peck says that “if it is here”, it comes in subject to comity with foreign countries.
George Rudoy and Browning Marean echoed that we should follow local rules and implement the safest technology we can.
Nigel Murray also stresses that it is critical to have “local boots on the ground.”
Maura Grossman pointed out that there are some very specific and important differences in the International community. For example, before heading to China to take a deposition she learned that American lawyers are not allowed to take depositions in China. She would have been jailed!
Browning Marean mentioned that the Pension Committee (Judge Scheindlin) case reminds us that failure to issue a Legal Hold when litigation is reasonably anticipated is gross negligence. He also added that Legal Holds are more effective when created and dispersed internally than when an outside law firm issues them.

The panel considered quite a few other issues that make EU data discovery more complicated, like:

Where is the data housed?
What if it is in another country in a cloud?
Who controls the data in a parent-subsidiary situation?
What is considered “reviewing or accessing the data?”

In conclusion, the rules are still evolving and for now, you need very competent and probably local advise to perform a risk/reward analysis to determine what you may or may not do with EU and other "non-US" data. After 3 years of following this tricky legal area, I had hoped there would be a few more straight answers and solutions, but not yet.

Panel Members:
George I. Rudoy, Director, Global Practice Technology & Information Services, Shearman & Sterling
Nigel Murray, Managing Director, Trilantic
Honorable Andrew J. Peck, Magistrate Judge, Southern District of New York
Browning E. Marean, Partner, DLA Piper LLP
Maura Grossman, Counsel, Wachtel, Lipton, Rosen and Katz
Senior Master Steven Whitaker, Senior Master of the Senior Court of England and Wales
Chris Dale, E-Disclosure Information Project
Vince Neicho, Litigation Support Manger, Allen & Overy LLP

Legal Tech 2010 Begins-First Keynote

2010-02-02T07:45:00.000-08:00

By Cary J. Calderone, Esquire

This is the first post from Legal Tech 2010 in New York. Russell Stalters delivered the first keynote entitled "Don't build your E-Discovery Program on a Digital Landfill." Mr. Stalters discussed some of the very real-world issues that occur when companies try to manage their data better. More and more, companies realize their attorneys and IT professionals do not have the necessary skills to manage data from the other's perspective. They often lack an understanding of the technology, law or the business reasons and realities around information management. Mr. Stalters believes companies would be wise to create a new C level position specifically in charge of RIM. Others have commented that Discovery Counsel or Information Czar types of positions are critical to success but he insists that they be at the C Level to get the job done well. He claims that even CIO's have had a different focus than what is necessary to apply best practices to managing information company-wide. He gave a brief overview of the Greenfield approach and how it can be employed. In conclusion, he never mentions the word "easy" but he insists that a fully compliant and functioning system can be achieved.

Golf, Tiger Woods and ESI???

2009-12-02T10:11:00.000-08:00

by Cary J. Calderone, Esquire

Even though I have been a golfer (those who know me might say golf nut) for quite a while, I never thought I would be blogging about a famous golfer here. When does golf ever have a connection to Document Retention and Electronic Discovery? Never, right? WRONG. Enter Tiger Woods and the media circus that has grown due to his recently admitted "transgressions." Of course there are many of the typical "he said, she said" stories dominating the media outlets, much like they do when Tiger is dominating a golf tournament. After all, Tiger Woods is always big news. However, what is most interesting to me is that if lawsuits are eventually filed, will Tiger be in even more trouble for attempting to destroy the evidence of his "transgressions?" Has he failed to preserve relevant Electronically Stored Information (ESI) relating to a reasonably foreseeable legal matter? If the answer is yes, then Tiger may have exacerbated his problems. Let me explain.

Tiger initially claimed the news stories of marital problems and affairs were unfounded and he issued a statement on his website www.tigerwoods.com. Did that mean litigation could be "reasonably anticipated?" Did his wife mention "divorce" in one of their private "discussions" about his "transgressions?" If the answer to either of these questions is "yes" and he then went and tried to delete any damaging text, voice or other messages that would have made him look guilty, he may be in serious trouble. Tiger may face civil and/or criminal penalties under the Federal Rules (FRCP), and many state laws, that prohibit spoliation (i.e., destroying or altering) of potential evidence.

For example, there may be an issue with the voice mail Tiger allegedly left (it sure sounds like his voice but you be the judge) for his "friend" wherein he instructed her to change her voice mail message because his wife "went through his phone" and "may be calling." On the one hand, he has publicly claimed outrage at the press: "the many false, unfounded and malicious rumors that are currently circulating about my family and me are irresponsible." Moreover, one of his alleged mistresses hired the famous attorney, Gloria Allred, and issued a statement that the rumors are not true. Sure sounds like a lawsuit is brewing if it has not already been filed! On the other hand, Tiger is trying to get rid of messages that connect him to the alleged mistress and would indicate that the stories and "rumors" are actually fact-based and true.

Attorneys under the old rules and paper documents, would almost always go public and threaten to sue the newspapers and magazines on behalf of their celebrity clients. That may have been the standard operating procedure historically, but today, that kind of public condemnation means your client shouldn't also be going through their phone, and email accounts to try to delete potentially relevant material, no matter how much they would like to do so. In the days of paper evidence, lawyers might interview their client at the outset and ask if any damaging material "could be located?" The client could honestly answer "no" to that question when they knew they were completely innocent or, they had done a fantastic job of shredding, burning and burying any damaging documents before meeting with the lawyer. Nowadays, the new rules and technology have changed the question and perhaps the best initial public course of action because it is not a matter of if, but rather, when the damaging material will be "located."

This blogger will continue watching and reporting to see if and how Tiger navigates his way out of this "hazard."

What's that up in the Cloud? Is it a bird? Is it email? Or, is it a Health Club?

2009-09-27T22:57:00.000-07:00

by Cary J. Calderone, Esquire

Cloud computing is HOT! Hosted exchange solutions are being advertised to every small, medium, and large business. Google, Microsoft and other big players are promising their cloud solutions will provide security and hassle free email and applications without having to worry about more infrastructure and personnel investments. They may even include archiving and record retention management features to help with DRED (Document Retention and Electronic Discovery). Lower cost and more service, it sounds great, but is it?

Time for a confession here: I have been in the Cloud for years. In fact, I have been operating in the Cloud since long before it was called “the Cloud.” Years ago, I decided I wanted to be able to travel on vacation to Europe or to Hawaii, without lugging a laptop. So I hosted my business account through Yahoo. This meant I kept my email at Yahoo (while using my own domain address) and only downloaded copies of my email as backups. Therefore, wherever I was, if I had access to a computer in an internet café, or a library, or could borrow a friend’s laptop, I could access my email and attachments and work. I even started to store my “working documents” in a secure online briefcase so I could review and edit work product if I had the need and if it was not already in my email box as an attachment. Even though this was years before Blackberrys and iPhones made transportable email commonplace, I was mobile.

Chances are some of you have been Clouding too. If you have an email account with Yahoo, Hotmail or Gmail, then it is likely you have been in the Cloud. Or, as I describe it, you do not need your “personal computer” and installed applications to work with your email. Any computer with internet access will suffice. And yet, as a self-proclaimed longtime happy Cloudy, why am I not ringing the bells, extolling the virtues, and pushing companies to make the move to the Cloud? The answer is because, I workout. Or, more importantly, I have always had a membership at a health club. Non-sequitor you say? Please keep reading.

Back in the health club boom of the 1980s, many health clubs sprouted up creating an ample supply for those people who decided that a healthy and active lifestyle was desirable. However, I noticed a problem with almost all new clubs. When they first opened they had new equipment, reasonable membership deals and a few members. I remember going at 6:30 pm, jumping on the machines I needed, and in 45-60 minutes, I was out of there. But with the success of the new health club came more sales and more memberships. Over time the equipment ran down and the lines to use it grew longer. At some point it became necessary to schedule workouts for non-prime times, or just skip them. Do you still feel like this analogy is misplaced? Then check out this article by Brett Winterford, "Stress tests rain on Amazon's cloud" or the followup article, "More data released on cloud stress tests." The report following testing of three big service providers for seven months indicates that among these very big Cloud providers (Amazon, Google and Microsoft), there are already noticeable performance issues with on-demand services, especially during peak hours. And, even more distressing, the report finds these performance and accessibility issues are “regular” and that the Cloud providers do not provide performance monitoring tools so that Cloud customers may track performance. The report is enough to make this happy Clouder worry a little that the health club analogy is spot on.

There are other critical issues in considering the Cloud, like security. How secure is your company data in the Cloud? On this issue, I would need more information to know if the Cloud would decrease or increase your security risks. How experienced, well-staffed and well-funded is your IT department? Perhaps your data is actually more secure in the Cloud than it is on your old and out-dated servers. The best argument I have heard for mistrusting the Cloud is that, if a security breach occurred, would you even know it? Do we trust the Cloud providers to quickly stop any breach and report it? Do we trust them as much as we trust our internal IT and security staffs to report a breach? This is a very good question to ponder before making the move to the Cloud.

Truthfully, I feel odd writing this post. Here I am, a long-time Clouder writing about potential pitfalls with Cloud computing. I have been very happy with my Cloud experience and have had only extremely rare instances of any problems or issues and these issues would have likely occurred with even the best internal IT department running my email server. Still, happy as I have been, I have always had the option to use another email account if one Cloud account quit working. When the health club became too crowded, I just joined a different gym. Your company cannot easily just switch and join a different gym or Cloud! Yogi Berra could have been speaking about our modern Cloud solution providers when he commented on a restaurant: “Nobody goes there anymore. It’s too crowded.”

New E-Discovery Rules in California: What does this mean for you?

2009-07-31T09:24:00.000-07:00

by Cary J. Calderone, Esquire

With no fanfare our Governor, Arnold Schwarzenegger, signed into law AB 5, the California Electronic Discovery Act ("CEDA") (Full Text). The only surprise to those of us who practice in this area was that it did not get signed into law last year. Most believe it was delayed solely due to California's pressing budget problems. California is the home of Silicon Valley and the High Tech industry so the laws in our state typically lead the way when it comes to considering their effect on technology and business. In California email correspondence has been legally enforceable as a "written instrument" since the mid 1990s. It made no sense that one state after another, except California, was adopting rules to mirror the e-discovery rules contained in the Federal Rules of Civil Procedure and thereby, acknowledging that business disputes were now dominated by Electronically Stored Information ("ESI") such as email, word-processed documents and databases etc. These states recognized the importance of having specific discovery rules around ESI and yet, California did not. Now that California has acted what does this mean for your company when it operates in, or is subject to legal proceedings in state courts in California?

First, all those stubborn attorneys who used to tell me that they did not need to worry about Legal Hold Notices, Email Procedures and Record Retention Schedules, because they never were involved in Federal disputes, no longer have that weak excuse. It was a weak excuse because under the old California discovery rules, litigants and their lawyers were affirmatively charged with the duty to protect potentially discoverable materials. In most cases, destroying "evidence" can be charged separately as a crime. There was never any exclusion for emails and ESI and in fact, emails and ESI have been critical pieces of evidence in many criminal and civil matters for at least a decade.

Second, not only is that lame excuse gone, the California rule requires that attorneys from all sides of a litigation matter will need to "meet and confer" 30 days prior to the Case Management Conference. This means they will need to discuss ESI and what/how it will be preserved and exchanged during the discovery process for state legal matters, just like they already must do for Federal matters. Do you know how much ESI you have on your network and in other places you control? Do you know where it is? Can you search it? You should be able to answer a resounding "YES" to these questions. Otherwise, it means you may end up litigating from a weakened position.

Some commentators believe the CEDA modifies the Federal Rule around "inaccessibility" of data as it may be used to defend from producing materials in a litigation matter. I believe the CEDA merely does a better job of explaining the real world arguments that occur in front of the judge. Namely, the judge will ultimately decide whether or not the information is "reasonably accessible" on a case by case basis. Judges have never been fans of an attorney conducting a cost escalating "fishing" expedition during discovery, but if there is a likelihood that important information is only available in one location, there are very few circumstances when a judge will not want that information to be retrieved and searched. The idea is that "Justice" is about finding the truth, not about being able to hide the truth from the judge.

Now it pains me to admit this, but in some ways, if your company has procrastinated and delayed having an Assessment Report and updating its ESI policies and procedures, you have benefited in that the software programs and procedures for accomplishing these tasks are better now and, in some cases, even cheaper. The bad news is that you have at least 2 more years of data to organize, review and remediate. So the longer you wait, the more likely the process will become more difficult and more costly. Will your company be like so many others out there that waited until they got tagged by losing a legal matter or got sanctioned for mishandling ESI? Or, those that had to settle a matter because they could not find their evidence to prove their case, or, they could find it but it would be cost-prohibitive to produce it in a defensible manner? Or, will your company need to feel the sting of a hefty discovery sanction to be motivated to organize their ESI? In a prior post, I mentioned performing a Google search for "million dollar discovery sanctions." There are even more now than there were the last time I mentioned it!

Kermit was right: It’s not that easy, being green

2009-06-12T10:54:00.000-07:00

by Cary J. Calderone, Esquire

At a recent ARMA Golden Gate chapter meeting presenters gave real-life accounts of two law firms that had taken on the challenge to become “Green Certified.” Even if you do not believe Al Gore’s reasoning for going Green and that “the debate is over,” going Green may serve an unintended but very useful purpose. It is one more justification for updating the document retention practices and policies in your organization. One obvious and continuing hurdle to becoming document retention and electronic discovery (“Dred”) ready is the cost. IT, Legal, Compliance may need to make significant investments in new technology to better manage electronic data. Even if you have adequate hardware and software, employees may have to devote more time and effort to help the company achieve and maintain this goal. Even though it is less obvious, the work involved can be substantial and it may affect HR, IT, Legal, Compliance and every other department in your organization. Unless your company is currently operating with under-worked and under-utilized employees (LOL-very doubtful) the people in these departments already have full-time responsibilities and making the move towards Dred-ready means a lot of extra time involved in reviewing and updating retention schedules, policies and procedures. It would be nice to be able to dangle another reward carrot and justification for doing the work. Going Green can really help justify the cost and effort of this often arduous undertaking.

At this talk, I expected to learn of great new paperless approaches to records management but instead the “real-life” examples centered on trying to save paper by mandating duplex printing, while at the same time demanding that 100% consumer recyclable paper was being used. I was surprised to learn that this type of recycled paper can cost 3-4 times more than standard copy/printer paper. This conflicted with my stated purpose of using “greening” in connection with Dred to make it more compelling. However, from my perspective, pushing towards Dred compliant and avoiding most of the printing of electronic documents would make for a much “Greener” approach and avoids the issue of spending extra money for more expensive paper. I certainly can respect that law firms would have an awful lot of time, money and focus on paper, so firms in less paper dominated fields should find it easier to pursue Green Certification.

And, although I was hoping to learn about some new groundbreaking scanning technologies or other methods to avoid using paper, we all should recognize that paper will continue to fade away in importance as better electronic document and email management systems are adopted. These types of systems work pro-actively which is by far the best way to avoid the need to print and store information on paper. For example, the Federal Courts have used the Pacer system for electronic filing for a number of years. California law has recognized email is the equivalent of a “writing” since about 1998. California has been considering adopting rules simlar to the Federal Rules of Civial Procedure demanding that Electronically Stored Information ("ESI") is exchanged to perform litigation discovery. These changes to the law, and the practices that are modified to comply with these changes to the law, will continue to reduce the need to focus much time and investment on scanning and other paper management technologies. The obvious flip-side to this is that file and email management and archiving will continue to grow in importance.

Since this blog is focused on Dred, I will not bore or disgust you with the helpful hints about recycling and composting office waste for the achieving a rating of Green. It is always nice to avoid waste but in a word, yuck. And you thought keeping the company lunch area clean and odor-free was difficult before! Given the volume of articles written and the number of presentations scheduled at trade shows, one thing becomes certain; in this day and age going Green has become hip. In summary, I will close with more of the insightful and, as it turns out, prophetic lyrics sung by Kermit the Frog, “Green can be cool and friendly-like.” (For Kermit singing on you tube : ) .

RSA Conference 2009-Mock Hearing and Appeal re: Spoliation of Digital Evidence

2009-04-22T11:30:00.000-07:00

by Cary J. Calderone, Esquire

This was a treat. The Mock Hearing and Appeal, presided over by the Hon. John Facciola at the trial level and the Hon. Shira Scheindlin and Hon. Richard Kramer at the Appellate level, examined a spoliation challenge, its defense, and had an interactive discussion after the decision. It is very rare to get a chance to observe and learn about the decision-making process of any active Judge, let alone have veritable "rock stars" of electronic discovery, walk you through a hypothetical case and explain the issues as they rule, but that is exactly what the Mock Trial and Mock Appeal sessions provided. For those who do not have a legal background, all active Judges are governed by strict rules of professional conduct and must avoid "even the appearance of impropriety." This, in addition to the fact that they are monumentally busy, is why we seldom hear from these brilliant and experienced people on the evening news or talk shows. We are generally limited to reading their opinions and using them as precedent to argue similar case facts follow or can be distinguished from those previous cases. However, these mock trials are hypothetical and accordingly, the judges are at liberty to point out why the lawyers and witnesses won or lost their arguments. I implore anybody who is in the Legal, IT, Compliance, Records Management or Risk departments and, is in any way responsible for or involved in Records Retention or Electronic Discovery at their companies, to seek out this type of session at an upcoming conference and attend. Short of going into real court and observing (See Federal Court for Discovery-Be a Boy Scout) this type of presentation provides the best opportunity to learn why we are dealing with Record Retention Schedules and Policies in the first place.

In brief, the hypothetical involved an airline, who had an incident allegedly occur between a disgruntled passenger and an angry flight attendant. The airline had a document retention policy where handwritten Incident Reports from flight attendants would get entered into electronic format. Then the handwritten original would be destroyed. Also, there was a court ordered Legal Hold in place and the flight attendant shockingly had no recollection of the events that happened. It is not necessary to go through all the details that were discussed but a couple of important items relevant to Document Retention and Electronic Discovery are that: 1) Check to see if your company is actually following its Policy? Judge Scheindlin commented that "if you follow a policy that allows for routine destruction of data, before a duty to preserve it on Legal Hold arises, you are safe." 2) Is your policy reasonable or will it look like it is designed to eliminate any potentially relevant and/or harmful evidence? 3) Know your facts when it comes to claiming or defending claims of spoliation. For example, the Second Circuit does not require malicious acts. Mere gross negligence will be sufficient to justify an "adverse inference instruction" from the Judge.

At the trial level Judge Facciola ruled that the airline had disobeyed the Legal Hold when it destroyed the original handwritten document. Further, he found that the electronic version did not include a signature or an attestation from the flight attendant so the electronic version was not "complete" which violated the airline's own retention policy. He ordered an adverse inference instruction be given. An adverse inference instruction means the before the jury deliberates, the Judge explains that because this evidence was destroyed they may assume that it meant it was evidence harmful to the airline. Not good for the airline! On appeal, the panel overturned the lower court and found that given it was negligence and not malicious acts, the adverse inference instructions was too harsh and monetary sanctions would be more appropriate. Better for the airline, but they did not discuss the amount of the sanctions so it might not have been that much better.

When I expressed my condolences to Judge Facciola for getting reversed by the mock Appeal panel he said that he was very confident that the Appeal would have been reversed back in his favor at the mock Supreme Court level. :)

Panelists: Honorable John Facciola, United States Magistrate Judge
United States District Court for the District of Columbia
Honorable Shira Scheindlin United States District Judge
United States District Court for the Southern District of New York
Honorable Richard Kramer San Francisco Superior Court Judge
Stephen Wu, Esq. Partner Cooke, Kobrick & Wu, LLP
Hoyt Kesterson II Consultant
Randy Sabett Attorney Sonnenschein Nath & Rosenthal
Joseph Burton Attorney/Managing Partner
Duane Morris LLP
Moderator and Counsel for Mock Plaintiff: Steven Teppler, Esq. Senior Counsel Kamber Edelson, LLC

"Reasonable" is graded on a scale

2009-04-15T11:43:00.000-07:00

by Cary J. Calderone, Esquire

The Silicon Valley chapter of ARMA International held an ITRIM (Trim your data) one-day conference recently and I was fortunate to attend the lunch panel discussion. The panel members, Grant Law, Esquire of Shook Hardy & Bacon, Nathan Walker, Senior Technical Marketing Engineer of NetApp Corporation, Lisa Ripley, CISSP, Electronic Discovery Manager of Sun Microsystems, Inc., and Greg Lipptez, Esquire of the Jones Day law firm, gave brief presentations covering many familiar data retention and electronic discovery ("DRED") themes: 1) You will get sued therefore having a Data Map that explains what you have and where you have it is critical.. 2) Legal needs to be able to listen to IT and vice versa.
3) There is a constant struggle between lawyers who prefer to keep very little data and IT personnel who keep as much as possible. 4) Too many organizations have too many employees who are “surprised” to learn they actually have a record retention policy (and this is especially bad when their legal team learns of this fact during sworn testimony). And finally, 5) the law requiring what you need to keep, is not static, it changes. While it is nice to know that concepts that I have previously covered in this blog are out there being discussed and adopted by more data managers and professionals, I would almost have declined to write about the discussion but for one really great quote from Nathan Walker. Answering a question on "how best to avoid getting into trouble" with the production of Electronic Discovery for Meet and Confer conferences and motions to compel hearings, Nathan said: “The more you appear to know what you have and where you have it, the more your threshold for “reasonable” goes down.” This comment was cheered by the audience and maybe the best simple explanation for why Records and Information Managers, IT, Compliance and Legal departments need to make retention schedules, train people to follow them, and continually monitor them. To paraphrase the famous Billy Crystal character Nando, on Saturday Night Live, when it comes to electronic discovery, it is more important to appear to “look absolutely marvelous” than actually "feel absolutely marvelous." Bottom line-it is always best to know what you have and where you have it.

Industry Blurb Follow Up: Symantec Discovery Attorney Annie Goranson

2009-02-28T22:15:00.000-08:00

by Cary J. Calderone, Esquire

Last summer I commended the move by Symantec Corporation to create a Discovery Attorney position in their Enterprise Vault applications group (See, Smart Move by Symantec). From my own personal experience, the often used phrase, “bridging the gap” does not adequately describe the lack of understanding between the Legal and Information Technology departments. In many organizations, the “gap” looks more like the Grand Canyon. After applauding the fact that Symantec recognized that someone with a legal perspective, Annie Goranson, could be a useful addition to a technology team, I wanted to take the opportunity to discuss some real world experiences with her. After all, she has now served in the position of Discovery Attorney for approximately eight months and indicated she was ready to describe some of her findings, both good and bad, learned from her attempts to help bridge the gap between Legal and IT.

Calderone: Why was the position of Discovery Attorney created? Goranson: It was determined that there was a need to add an electronic discovery educational resource on the sales side to better explain general legal issues around email archiving and the e-discovery process. In the past, before e-discovery was the driving force, sales was driven by IT and Legal was out of the loop. Now that has changed. Legal may be the driving force for the sale, and legal compliance is a critical component to satisfying the customer with their implementation of Enterprise Vault.

Calderone: What interested you in the position? Goranson: I thought it would be fun to help customers understand the bigger issues and the different ways they might accomplish their goals with Enterprise Vault. I also wanted to help the sales team understand some of the bigger legal issues as well.

Calderone: Any general comments on what you learned working with customers? Goranson: While they often ask about “Best Practices” around legal compliance, in reality there is a huge range of sophistication in the way technology is used and employed from customer to customer. This depends on how the legal department is structured and the frequency with which it is involved in litigation or investigatory matters.

Calderone: What surprised you the most in dealing with customers? Goranson: Many customers just think it is a good idea to keep everything forever. They are really afraid to delete something they may want to look at in the future.

Calderone: What retention or electronic discovery issue was present most often? Goranson: Customers really struggle with retention requirements questions. They would like a simple Best Practices answer but I cannot answer that for them. We try to raise issues that should be considered, but at the end of the day, every organization will have unique considerations, so we refer them to their own Legal Departments or outside counsel or e-discovery consultants to develop their processes.

Calderone: Any other issues you noticed frequently? Goranson: Having good Legal Hold processes is a big driver for email archiving, due, in large part, to the many court cases in the news recently where there were big discovery sanctions awarded. But, similarly to retention practices, customers may not realize that good Legal Hold strategy is about the tools, the processes, and the training, and not simply having a written Legal Hold policy.

I wish to thank Annie Goranson, for taking time to answer some interesting questions and to provide her perspective as a Discovery Attorney, to this Document Retention and Electronic Discovery blog. Her opinions are a welcome addition to the insights of others (not just my own) that have been published here.

A Shout-out to Records Managers: Don’t forget the lecords and becords

2008-12-03T15:26:00.000-08:00

by Cary J. Calderone, Esquire

No, this was not an attempt to increase my Blog’s page visit time by using a few strange typos in the title. Rather it is my well-intentioned plan to add some new words to our Electronic Discovery language. Records managers have been using the term RECORD for decades to separate a mere copy, draft or scribble from an important company document that needs special attention. The RECORD copy was subject to retention schedules and possibly higher security and archiving protocols as well. Non-RECORDS were largely considered unimportant. Two things have changed to make Record and Information Managers' (RIM) jobs a bit less fun.

Firstly, we have the introduction of the desktop computer as an office productivity tool and with it, email. RECORD and Non-RECORD distinctions simply do not work very well with email. For example, does an email that has a RECORD attached to it, or a copy of a RECORD attached to it, and may discuss the subject matter of the RECORD, get the same treatment under the Retention Schedule? Secondly, the lawyers got involved (do we ever make things any easier?) and have been directed by State Courts and the Federal Rules of Civil Procedure to work with Electronically Stored Information (“ESI”). To the Courts and the litigants what is important is not whether an email is a RECORD or non-RECORD but whether it might be a “business record” or “legal record.” If it falls in either of those two categories a company may need to preserve it as part of its reasonable computer record keeping practices. This is especially true when a particular industry is highly regulated or the company is preserving data pursuant to a Legal or Litigation Hold. Hence, I thought it was time for newly invented ESI Retention words to use because when legal discovery documents refer to “Records” they mean lecords (legal records) and becords (business records).

These new words work well with the modern rule that says anything that documents how a company makes business or legal decisions, i.e., lecords and becords, are determined by content and not whether they are a word document, an email message or an old fashioned piece of paper. They may even include telephone voicemail messages that are stored on a computer or PDA. Also, lecords and becords may include all copies that appear to be identical and previously would have been distinguished and separated from the RECORD copy but now need to be treated as potentially important evidence. Sometimes this is because of the content and the distribution list, but other times copies may be important because they contain hidden meta-data that reveals things like who opened or edited the document and when. The world of RIM was never designed to capture this type or volume of information. Even a separate log document to determine who checked out or edited a RECORD will not work nearly well enough.

Moreover, thinking about lecords and becords helps one to understand why an Instant Message, where one co-worker asks another co-worker out to lunch might be important enough to keep. There is not RECORD category for seemingly innocent chit chat between co-workers. There is no Retention Schedule covering Instant Messages about lunch dates. However, if the message said, “want to get together for lunch to talk about why we might miss our quarterly numbers” it may certainly be considered a becord. Or, if it was the 4th IM from the same employee asking out another employee who complained to a supervisor about sexual harassment, then it would be a lecord. As a becord or lecord there could arguably be a duty to preserve these messages, even if according to the rules of RECORDS and non-RECORDS and the Retention Schedule, these messages do not merit special attention. By thinking about becords and lecords, a company can stay a little safer. I have used both these examples with Records managers to illustrate my point, and while they do not necessarily like the new perspective, and obligations it creates, it does make sense to them given our usage of email and IMs.

In my dealings with Records Managers, this has been a very difficult distinction to comprehend and appreciate. I understand their frustration and hope that the idea of RECORDS, lecords and becords may make their jobs easier. I want to keep Records Managers involved in the retention management process because there is nobody in a corporation, who has more experience tagging and organizing information. True, the tagging and organizing processes have changed from paper to the new world of ESI, but I believe RIMs will be the most important part of the solution moving forward.

How to Modify a Form Data Retention Policy for Your Company's Use

2008-08-14T09:13:00.000-07:00

By Cary J. Calderone, Esquire

Do you have a Records Retention Policy (“RRP”) form we can work from? Without question, this is the most frequent favor request from friends and associates and occasionally, even from relative strangers. So this article explains five steps to follow to take some other company’s form and make it your own without having to use an attorney, like myself, or a reputable document and management or eDiscovery consulting firm to assist you in the process.

1) Start by finding a form that might be a relatively good fit. While RRPs all generally look similar and contain descriptions of computer content and timelines for retention, the ideal situation would be to have a form from someone in your industry that is about your size, with offices and products that cover the same legal jurisdictions. Also, they should have about the same technology as your company. Some may consider looking at forms used by a competitor.

2) If it is well written and thorough then you will need to make sure your other company documents that may overlap with or refer to information in this form, conform to it. Check your employee manuals, your technology, Email, Instant Messaging, PDA and cell phone policies to make sure they are consistent with the language of your new RRP. If not, you may need to acquire copies of those documents from the same source as the RRP. Also, be sure to replace the custodian names from the source document with the people from your company, who are likely to be called as witnesses and placed under oath to verify that the retention procedures are regularly followed. Be forewarned, some of your co-workers may feel uncomfortable with accepting this new responsibility.

3) Upper management needs to sign off on your new documents. The CEO, CFO, General Counsel and other high-ranking executives will be the ones who may face criminal penalties if the new policies do not pass muster in a court or audit proceeding-so get their signatures. Caution-they may not really want to know all the details of the source of the new RRP.

4) Now that you have your policy paperwork in order you need to make sure all the employees will understand and follow it. This may involve re-arranging your company’s current data file structure on the network and any current retention and records review habits, but it is a necessary step. It would also be preferable if you have the same archiving and backup procedures to match your form.

5) Warning Warning Warning. Now that you have saved money by modifying someone else’s forms all you need to do to complete the procedure is protect against the following missteps: a) Your company’s software applications must work the way the source company’s do. So if your applications are less capable you will need to purchase upgrades, or if you have better software, you may need to disable some of the features to comply with your new RRP. b) Check that your electronic storage also matches in capacity and security features, otherwise, follow the same routine as for software and upgrade or disable accordingly. c) Make sure your business group leaders understand that any growth plans or upgrades may need to be delayed unless they match those of your source company. d) Always a good idea to check your source company to find out if the form you have borrowed was successfully tested in court and did not lead to sanctions of a few million dollars. e) If it was tested in court than verify that the source company is the source company and used best practices to develop their Policy. Otherwise, it may have been copied and adopted from a dubious source and not be all that great a starter form. f) Lastly, make sure you do a very good job with search and replace for the source company and your company’s name because there is a good chance that this policy form contains confidential and privileged and/or trade secret information that may make it a crime for your company to have it in its possession. This would be especially bothersome if the form did come from one of your competitors.

In conclusion, my writing approach for this post was in honor of the late professor Dr. Randy Pausch who’s YouTube video, The Last Lecture, made him a celebrity. In following with his style of teaching, did you catch the head-fake? This was not really a way for you to work off somebody else’s form but rather a list of real-world reasons why you should not even attempt it. Records Retention Policies and Legal Hold Policies are like fire escapes and exit procedures for emergency evacuations. They really need to meet the needs of your particular building, layout and people. This is simply not an area where cookie-cutter form documents will do the job very well, if at all.

Industry Blurb: Smart Move by Symantec

2008-08-01T10:21:00.000-07:00

by Cary J. Calderone, Esquire

Symantec has made a very interesting move in creating a new Discovery Counsel position to work with the Enterprise Vault team. Annie Goranson, an attorney from their legal department, has been promoted to this position. She will work with the Systems Engineers and Enterprise Vault clients to help with system design and implementation. This is a bold strategic move in an effort to address....
the legal issues around email archiving that typical Systems Engineers and consultants can not or may not handle. Her real-world e-discovery experience should help Symantec keep their people operating within the rules that prohibit non-lawyers from practicing law while providing clearer advice to the customers who want to use E-Vault to be better prepared. I would not be surprised to see other companies in the electronic information management space follow suit and utilize more knowledgeable legal personnel to avoid potential problems in this area. While we lawyers do deserve some of the criticism directed at us, sidestepping legal traps and distinguishing critical legal facts and issues is not usually handled best by sales people and systems engineers without extensive legal backgrounds. Score one for the lawyers!

Who Makes the Decision: Or, why I sometimes feel like Dr. Phil

2008-07-21T21:47:00.000-07:00

By Cary J. Calderone, Esquire

Sometimes I miss just being “the lawyer.” Working as a pure lawyer, I outline the facts and the issues, the laws provide the foundation for my analysis and whenever possible, I explain the conclusions we may reach. And, with very few exceptions, that is that.

Largely, the lawyer is focused on the facts, the rules and precedence. There are certain requirements and frequently, there is little room for variance. In this rather new area of Document Retention and Electronic Discovery (“DRED” for short) this is changing.

More frequently the law around DRED has set forth guidelines of “reasonableness” and then, depending on the particular company structure, industry, and the current state of technology, there may be more than one approach that would bring about an acceptable level of risk for the desired legal compliance. With DRED consulting, I have to play the role of a consultant, which means I need to know and understand why things are the way they are on a technological and business level, before I can suggest a path for change. Good lawyers in this space recognize that they have to take on some of the tasks of consultants, even if we do not like it.

So who decides what is reasonable? In practice, a judge would want to see a set of policies that have been created by considering structure, industry, technology, and business needs. As I mentioned in Best Practices for Managing Electronic Data: Chickens or Eggs whatever the policy, it needs to be followed and enforced company-wide for it to withstand legal scrutiny. So now instead of a lawyer dictating the rules, the consultant must elicit information from various department heads and members. Collaboration, which may be a common realm for Dr. Phil lead counseling may not be with the newly enlisted stakeholders in corporate document management, and it is crucial.

Many books and articles that describe best practices for management consulting explain methods and available tools for collaborative creation. And while I believe that “negotiated implementation” a specific form of collaboration brings about higher rates of adoption, i.e., success, too many consultants, management gurus, and how-to books fail to adequately examine and/or describe the people at the table. Let me explain. The best example I have came from a Business School professor Dr. Terri Griffith ( one who focuses on negotiated implementation). She presented an exercise to her class where they were divided into teams and each team was to work together to create a jungle survival plan. Everyone felt they needed to contribute and share their opinions or collaborate. However, in one group, no one asked about the experience and background of their members. It turns out, one student was a Navy SEAL with survival training expertise and the rest of the group members had absolutely no real-world experience in wilderness survival and quite possibly had never even been camping. So, why did everyone need to share their opinions equally in this collaborative exercise?

In the world of document management, we have a minimum of two worlds colliding, and frequently 3 or more. Authors Randolph A. Kahn and Barclay Blair describe 4 quadrants in their highly regarded book Information Nation. We have legal and IT and depending on the size of the organization and the particular industry, perhaps compliance and records management departments. Regardless of the number of people at the table, when it comes to designing a company-wide policy there will be no initial consensus on even the basic policy terms. For example, “Dr. Phil, how long should we keep email?” Legal might say 3 months is plenty of time if it is not something that needs to be retained according to a Records Retention Schedule. Knowledge managers would like to keep good stuff for many years, if not for ever. Most others will have ideas somewhere in between those two extremes.

For negotiated implementation to work best, I believe we need to know the “whys” and realistic limitations of any policy. The “whys” are important because when people know “why” it makes it easier for them to remember and because they can see that their and the organization’s needs have been considered they are more likely to adhere to the policy. Somebody who has made a valid suggestion for improvement feels better knowing it was not adopted because the technology was not able to accomplish it or it was cost-prohibitive, as opposed to feeling like their idea was not seriously considered.

There are many advantages to collaboration, but it may not be necessary or even advisable if you have the document management version of a Navy SEAL in your group. If you do, then the most efficient way to move forward is by starting with their best idea, understanding why it works, and fine-tuning it or not, with your group’s suggestions – these will be based on their needs so even by merely listening you are increasing their motivation for compliance. Dr. Phil might refer to this as “being heard.” It is still negotiated implementation but it is a shortcut to good results and will avoid protracted fruitless meetings and the need for someone to sooth over hurt feelings. We know that department heads who previously were separate and isolated must be involved and sign off on this process, sometimes because the law actually requires it. We know these participants may not have previously worked together or get along very well. So if we can get good results quickly, everyone will benefit by saving the company money and, being able to get away from the document management negotiations table, and back to their separate, primary job functions.

Last From Legal Tech West 2008-Keynote by Magistrate Judge Laporte

2008-07-01T16:43:00.000-07:00

By Cary J. Calderone, Esquire

Judicial perspective on E-Discovery- by the Honorable Elizabeth D. Laporte, Magistrate Judge, U.S. District Court, Northern District of California

Judge Laporte addressed an audience that understood that in the last year about 100 billion gigabytes of business information was subject to compliance regulation. Emails, which included business and personal email, were now fodder for lawsuits and criminal indictments. So, the Judge noted, “litigation readiness is more important than ever.” She gave examples that explained when meta-data should probably be produced and examples of when native versus non-native formats might be necessary. My favorite observation the Judge shared was that, if you are going to claim you were surprised by this litigation matter, and that was why you did not have a litigation hold in place and any data that was destroyed or altered hold was purely accidental…you should not also try to make the argument that you should not be required to produce data because it is protected as attorney work product, prepared in anticipation of a legal matter. Scary that Judge Laporte believed she should remind the audience that while these were two legitimate points they should be raised separately. If argued together they become an oxymoron and cancel each other out. Perhaps all lawyers need the occasional reminder not to suspend logic and common sense when making multiple arguments in their efforts to aggressively and completely represent the interests of their litigation clients.

The Judge commented that the obligation for when a party must start to preserve evidence is when litigation is “reasonably anticipated” and that this was not a “bright line.” She also reminded the audience to review the Local Rules for each Federal District Court as they would likely contain important e-discovery information. For example, in the Northern District of California local rules require that parties at the Meet and Confer discuss whether voice mail needs to be preserved. She also quotes another Judge explaining that there will be no “drive-by” Meet and Confers and that real effort of all parties is expected to meet and resolve any discovery challenges. To accomplish this Judge Laporte recommends the parties be: 1) reasonable, 2) candid, and 3) credible, in their e-discovery efforts. For the Meet and Confer she pressed for lawyers to know enough to make accurate representations to the court and have alternatives for collection of discoverable materials. This can involve the in-house IT personnel, outside experts and the in-house General Counsel and sometimes the outside lawyers will bring outside IT experts to the Meet and Confer. There should be no uncertain terms and lead counsel must be acquainted with what they need to know, which includes what data is in your custody and control and what data is likely to be relevant. Furthermore, you must be willing to make mid-course corrections and adjustments to the legal hold as the case unfolds. Otherwise, she believes Courts will continue to use sanctions to keep the litigants “honest and trying to do their best.” Although I had not visited Judge Laporte’s courtroom while researching my “Federal Court for Discovery? Be a Boy Scout!” article, I am happy to note that doing so would not have altered the conclusions I reached and most likely would have bolstered my arguments for litigants to “be prepared.”

More Legal Tech West 2008

2008-07-01T16:37:00.000-07:00

By Cary J. Calderone

Data Privacy Issues for Multinational Corporations. Or, what kind of food do they serve at your jail?

Data compliance in the USA and EU is an important and evolving area of document retention and electronic discovery law. One of my first research projects involving electronic data was for a company looking to pro-actively set and maintain good e-document retention policies and plans for their multi-national company which included a publicly traded US Corporation. On the one hand, we have Sarbanes-Oxley requirements for managing corporate computer data that contains content and processes of a company’s financial record keeping and technology systems. On the other hand, we have European Union privacy-protection rules prohibiting even the collection and review of emails which contain personal information.

So I raised my hand and asked a question. The very informed panel, which included Amor Esteban, Partner, Shook Hardy & Bacon LLP, Mark Smith, Senior Associate, Winston & Strawn LLP, Tom Hopkinson, Director, Forensic Technology, KPMG Europe LLP and Moderator, Omid Yazdi, Managing Director, Forensic, KPMG LLP explained part of the reason for this divergence was due to the history of European countries and their experiences with Totalitarian governments. They commented that I raised a good question, even though I added my tongue-in-cheek observation to advise General Counsel to pick the countries with the harshest jails, and follow their rules first. I expected they would laugh and then propose a valid work-around. They sort of agreed that it was virtually impossible to be totally compliant with the letter of the law in the EU and US in the area of email retention. One noted that recently a French lawyer was criminally charged for violating French Blocking statutes and faced jail time for working with US lawyers to produce materials in a way that violated French law. So apparently considering the jails and penalties is a valid approach to setting a Multi-National electronic document policy. Yikes!

More from Legal Tech West 2008

2008-06-30T11:09:00.000-07:00

by Cary J. Calderone, Esquire

1) Best Practices for Email Retention and eDiscovery Seminar sponsored by Mimosa Systems, Inc.
2) Index Engines Inc.-Technology can change the law.

1) Best Practices for Email Retention and eDiscovery Seminar sponsored by Mimosa Systems, Inc.-An informative session on best practice consideration for archiving email and files that presented persuasive data on why businesses need to have retention policies and plans in place. Was very impressed that this session, which I went in assuming would be a modified sales presentation for Mimosa’s Nearpoint and other products, was really a well thought-out and delivered educational seminar. I don’t believe Mimosa has the only product in this space but Bill Tolson, the speaker, lectured the audience on best practices first and foremost. Maybe that was part of his low-pressure sales technique because it resulted in giving me a high opinion of the company and their concern for their potential customers.

2) Index Engines Inc.-Technology can change the law. Claiming your data is inaccessible may now be a much weaker argument against producing electronic data in a court or investigative proceeding. “Inaccessible” is not a defined or static concept. It is merely an argument that due to technology incompatibilities, costs and time, it is not worth the effort to retrieve data from tape archives and backups. Index Engines, Inc. Tape Engine product has technology that allows targeted search and extraction from many kinds of offline backup tapes. No restore required. The expense and hassle of restoring entire backup tapes and then finding legacy or compatible products to search for potentially relevant email and file content has been greatly reduced.

Legal Tech West

2008-06-26T21:05:00.000-07:00

by Cary Calderone, Esquire

Electronic discovery, electronic document and email management, strategies and technology are all hot topics of discussion at Legal Tech West Coast 2008 in Los Angeles. More reports will be posted but for starters, it was most enjoyable to hear the keynote delivered by Charles A. James, Vice President and General Counsel, Chevron Corporation. He openly described the trials and tribulations his department experienced while successfully growing Chevron's award-winning legal technology systems. He humbly noted that he had been overly seduced by the idea of automation while under-estimating the value of change management to lead to successful implementations. He even described that now they are reaping other rewards like being able to use data collected from their web, litigation management, and direct payment systems to streamline and focus their resources in cost-effective and efficient ways. If industry vendors listen to his advice and address his "Three Vendor Gripes" every worker in a corporate legal department around the country will be happier. Gripe number 1, ("G1"), is that vendors are overselling
the practical, compatible and functional capabilities of their products. This can lead to delusions of "automated" systems that replace the people in the process but in reality, Mr. James teaches that people need to work with the technology to have the best results. For G2 Mr. James paraphrased Rodney King's famous plea, "Can't we all just get along." Phrases like "complete solution,""enterprise" and "seamlessly" should be banned from all sales literature until the multitudes of products that are advertised as "open" and touted as part of "inter-operable solutions" do, in fact, work together in more than a limited and concocted fashion. My personal experience in the world of "enterprise solutions" had me nodding my head in agreement with Mr. James, along with many other members of the audience. For G3 a challenge was proposed that there would no longer be a need for e-discovery for lawsuits, Attorney General actions and other legal and criminal inquiries because compliance rules would be logical and specific, and technology would serve to illuminate electronic data to the point where people in corporations would simply do their jobs while staying fully compliant. In other words, there would be no need for e-discovery if technology worked pro-actively with automatic audits and controls for content and process. One of my favorite sayings is appropriate here: if you are going to dream, dream big. I hope your wish is granted soon Mr. James.

Best Practices for Managing Electronic Data: Chickens and Eggs

2008-05-16T10:42:00.000-07:00

Policies first then procedures or procedures then policies: Or, what comes first -- the chicken or the egg of document retention?

By Cary J. Calderone, Esquire

“Should we create our policies or our technology procedures first?” This is a question I am asked frequently by data consultants, lawyers, and IT people. At first I believed the question was a sign that people were looking to shift responsibility for document retention management away from themselves and onto someone else. (Who could blame them given all the new regulations and rules now in effect? See FRCP Changes) While shifting responsibility is a valid real-world motivation, in reality, the question itself raises good issues to consider by anybody considering implementing or updating an electronically stored data retention policy . Like many good questions, the answer is not a simple one.

My general rule would be to create a good policy according to your legal and compliance requirements and then coordinate personnel and technology to support that policy. This would put the burden on Legal and/or Compliance to set the policy and then IT to deliver it. However, by “good” policy I mean something that should take into consideration the capabilities of the current hardware, software, and usage. Too many times in my early technology consulting days I would be retained to find and recommend a software program that could do XYZ and I would research the client’s existing applications and discover they already had programs with the ability to do XYZ, or something extremely close to it. However, nobody knew enough about their own applications to work towards the desired result. So, I saved them some good chunks of money and everyone would conclude that I had brought value-added service to the gig.

Given that background, setting policies without looking at current systems, usage, and the reasons behind them is not a prudent practice. One could argue that Google provides a good example of one end of the spectrum. Their overriding company policy is “don’t be evil .” It follows that every action by every employee would be in an effort to support that policy. Sure must be nice for an attorney to represent a client with that honorable and well-published policy in place…makes for a great opening argument in any case or hearing. On the other hand, what might be an acceptable policy for your current “technology” (or lack thereof) may not fit well with your company’s plans for growth and innovation, and as I like to recommend, becoming a “lean, mean, litigation-ready fighting machine .” If the drivers behind policy are more related to operations, company image, security and other non-technology factors then you may indeed need to make an investment in new software and hardware and possibly personnel and training too in order to adequately support any re-aligned policies. And until the infrastructure is in place, changing your existing policies would not make sense, especially if they have already been approved, followed, and battle tested.

Furthermore, the ultimate goal is to manage your electronic data according to reasonable standards for your industry and under the legal requirements that govern it. The greatest sounding “policy” in the world will not help you if your practices and procedures do not support it or, at worst, conflict with it. If one policy statement says “X” and another policy describes, “Not X but Y”it will not withstand even a cursory legal challenge and therefore will have failed you in one of its basic functions. And, while I would not ever champion a mediocre policy, one that is strictly followed and supported would probably protect you more than a grandiose policy that is thrown out as a sham because it was not followed or was contradicted by other company documents and policies.

In conclusion, the answer to the question of what comes first is: it does not matter – and it does. Both Legal and IT, and other supporting departments will need to work together to make any policy legitimate. So, bringing both/all groups into the process early is the best and most prudent practice. Start by determining what your current policies are, where they are published, and why they were created. Then you can work to edit/modify/replace them with joint understanding of the likely overall costs and benefits.

Federal Court for Discovery? Be a Boy Scout!

2008-04-30T21:02:00.000-07:00

By Cary J. Calderone, Esquire

During a recent lull between my legal business and document retention consulting, I visited my nearby Federal Court for an afternoon’s entertainment and to once again witness live the trench warfare litigants know as discovery disputes. I sat and observed a few discovery and case management hearings and in addition to being thoroughly entertained I found I had some very interesting things to report to those who would like to be prepared should litigation or a government hearing come their way.

Federal Court is still run as a dictatorship (notice I did not use the word benevolent as an adjective before dictatorship). For example, one judge explained that if there was a discovery dispute between the parties and the parties could not work it out themselves, he would allow them to file a joint letter no longer than 4 pages in length describing their respective arguments and then he would decide the outcome and which party would be sanctioned. I could not help but wonder what this judge might be like on a bad day after somebody perhaps submitted a 6 page letter to describe their dispute.

In another matter, lead counsel sent in a surrogate or “pinch-hitter-attorney” to take his place for the case management hearing. This resulted in a visibly irritated judge and an immediate issuance of an Order to Show Cause as to why that absent attorney should not be sanctioned. Ah, I remember what it felt like to appear in Federal Court…even as I quietly sat in the audience I started to feel a little of that old familiar stress in the pit of my stomach.

Much to my chagrin, I did not get to hear the arguments in a big discovery dispute over disclosing information about document retention policies and litigation hold practices because the parties were sent out like school children and told not to return to the judge until they could learn to get along and share their toys properly. In other words, when there were “issues” of contention presented by opposing parties, the judges immediately sent them off to “meet and confer” in the nearest available conference room. We are talking about seasoned, confident and high-priced attorneys getting ordered about and when they scurried out of the courtroom, one could not help but imagine that if they had tails, they would be drooped down between their legs like a family dog that had just been sternly reprimanded and sent off to the kennel.

If the end result of the hearing was that the Judge determined a follow-up hearing/conference was necessary, it was scheduled for 10 days out. Not a lot of time.

Now that you are more convinced than ever that you need to be prepared to head into litigation, I noticed one additional item that may serve you well when you undertake to map your company's electronically stored information. There is no set format required for this procedure. Some find it easier to work with word-processed documents. Others prefer to prepare spreadsheets and others might run a report from a database. After reviewing approximately 60 pages of the moving and response papers to see how these particular disputes concerning disclosure of retention and compliance policies would be argued I noted that they discussed transferring information between the parties via "spreadsheets." So apparently spreadsheets were the preferred format for this large case, and might serve you well if you are searching for a format for your own company's data map. Of course this does not mean you do not need to seek out your own local counsel to make sure they are happy with your format. After all, they are charged with the affirmative duty to become “familiar” with your computer systems so that they do not mislead the opposing party and the court when they propose discovery scope and methods.

Could There Be Even More Lessons?

The only hope for a party not entirely prepared to discuss the what, where, how much and the protection and collection of their discoverable material is that the other side is equally or preferably worst “not prepared.” Otherwise, if sanctions don’t immediately issue, Rule 30(b) (6) depositions will be scheduled expeditiously to find out specifically who knows where to look for discoverable material and how it is and will be protected from alteration and deletion. Although I did not witness a party getting sanctioned, sanctions were frequently mentioned. There was a study recently that found sanctions and/or inappropriate discovery conduct was found in almost 25% of cases of their survey sample. I don't need to run down a list of million dollar discovery sanctions here...a simple Google search of "million dollar discovery sanctions" will provide you with ample examples and words like "continuing trend" will often be found in the articles.

It also became apparent that companies contemplating their retention plans and policies need to understand better (especially if they have not previously spent time in Federal Court) that if you try to take an easy way out and present minimal information and hope for the best, there will be another high-priced lawyer or team of lawyers there to expose your efforts to the judge. And, if the judge is persuaded you have not taken your discovery obligations under the Federal Rules absolutely seriously, you will be in serious trouble. Federal judges were never known to have an abundance of patience. And now, the Federal Courts are extremely understaffed and at the point where one judge recently quit his post on the Federal bench to take a position with a state appellate court. I had the distinct feeling that the Judge relaying this story from the bench completely understood and related to the motivations of the defector. If you don’t believe this is an accurate observation please look at the size of the discovery sanctions being handed down (did you perform that Google search mentioned above?) and rethink your position. Defenses of negligence, oversight and malfunctioning technology have not saved litigants from multi-million dollar sanctions from mishandling their electronic discovery and those defenses will not work for you either. Especially now that with every new headline-grabbing sanction reported it makes it even more difficult for you to claim ignorance of the consequences.
Conclusion
As an attorney who appeared in Federal and State court many times to argue discovery motions, it was really fun to be able to listen and observe for an afternoon, and not have to think about making my own arguments on behalf of a client. It made me reflect about many companies I have worked with as legal counsel or as a consultant. Without question, some companies from my past would be prepared and would be easy to represent during discovery proceedings. Then there were those I would prefer to refer to other counsel rather than represent them in a crisis-reactive-mode to dig them out of an otherwise avoidable discovery mess. On balance, the most important lesson learned from my afternoon of observation to relay to you can best be described by the motto of the Boy Scouts of America, “be prepared.”

Instant Messages as Business Records

2008-02-01T13:59:00.000-08:00

Instant Messages as Business Records-A Common Sense Approach to Instant Messaging and Electronic Document Retention Policies

By Cary J. Calderone, Esquire

January 7, 2008

The motivation for this article occurred few weeks ago. I was sitting in the audience of a continuing legal education seminar on patent strategies. One topic that was of interest to me was a discussion of document retention policies and electronic discovery related to patents. A panelist, a senior attorney for a very large technology company, addressed email management as it related to litigation discovery. I raised my hand for clarification and asked, “When you say email, are you including instant messages in that definition or will you discuss them separately?” One of the most well regarded and experienced patent litigators in Europe, who was sitting nearby, leaned over and whispered to me, “excellent question!” The panelist however, rolled his eyes and said quickly, “we just don’t believe IMs are business records and don’t treat them as such.” My jaw dropped. According to the most recent Federal Rules of Civil Procedure (“FRCP”), instant messages certainly can and should be considered ESI “electronically stored information.” (See, FRCP Rule 26(f).) What constitutes a “Business Record” is defined by its content as well as its form and industry business practices. Current email retention policies were developed because using email to conduct business became a standard operating procedure. Similarly, use of facsimiles to create binding legal agreements developed over time. Although IM is not yet at that level of acceptance, some industries (just talk to your friendly stockbroker) already specifically track and retain IM to remain compliant with SEC and other regulations. In fact, many email applications track or “journal” instant messages in the same manner as email and in the same in-boxes.

I approached the panelist at the lunch break. He recognized me and quickly said, “maybe I misspoke.” He claimed that his company had just set a policy to not conduct any business via IM so they would not have to worry about managing or retaining IM messages for compliance and litigation purposes. This raises an important question: Is banning or severely limiting IM usage the best way to avoid having to manage it for document retention and legal discovery purposes? I don’t think so and here’s why:

IM is becoming more prevalent in research and development, marketing, sales and customer service. In fact, there are those who would argue vehemently that IM is becoming the most important business productivity tool within corporate enterprises. Perhaps you do not believe that IM is important to your organization. Here is a quick test. Have your legal department send an email to your department heads requesting comments on whether you should just discontinue or severely limit the use of all Instant Messaging applications on your corporate network given the complexity of the document retention and potential legal issues. A General Counsel I know did just that. Within 30 minutes responses indicated the regular use of 10 different IM applications, in addition to the company provided and managed application -- and that it would be very disruptive, if not impossible to prohibit IM use. These emails responses were real eye openers. Her reply was, what if we just did not have an IM policy, and we let people use whatever they desired and just told them nothing was to be used for official business and nothing should be saved. (In essence treating IM chat sessions just like a phone call, and when you hang up from a phone conversation, there is no written record.) Not even considering that the likely response from your IT director and other employees responsible for network security would want to quit their jobs rather than try to manage security for your new “open” (read exposed to viruses and security breaches) network, there is an overriding problem that IM deletion is not under the sole control of your organization. Trying to prohibit the use of IM to avoid having to manage IM does not work in the real world. The use of 3rd party IMs through, Yahoo, AOL, and Microsoft are a potential loophole to this type of IM policy because stopping their use is incredibly difficult (think about trying to control all applications on all network computers, laptops, smartphones, and PDAs) and data and journals for these IMs can also be stored on the 3rd party servers. This data can be brought in as evidence via a 3rd party subpoena. Moreover, the other parties to the IM chat, whether a co-worker from your organization or someone outside your organization, can save the IM chat thread to their local hard drive. As one very experienced and technology adept litigator friend of mine likes to say about his cases, “If there is an IM out there, we will find it, and we will get it admitted into evidence.” (This highlights issues in my next article: the too often neglected practice of scrubbing or wiping server and local hard drives so computer forensics will not be able to easily “undelete” even properly deleted IM and other electronic data. Perhaps I should title it, “Don’t Worry About Monitoring Deleted Stuff -- The Easy Route to Losing a Lawsuit or Being Invited to Club Fed.”) Based on these issues, you will be best served by an IM policy that considers realistic corporate employee IM usage and a plan for effectively managing that policy.

So the question remains: can you implement an official IM policy where all IMs are deleted immediately and avoid any IMs from becoming a part of your business records -- In effect treating them like a phone conversation that isn’t worth the paper it isn’t written on? Possibly. But here are some of the arguments against taking this approach.

Firstly, I like to refer to IMs as “Instant Emails.” This is because if you print out an IM thread, it looks pretty much just like an email thread. You can readily identify the parties, the subject matter, and the time of the messages. Pretty good to excellent foundation for having that IM or a printout of it submitted as evidence in a legal proceeding, especially when it contains critical evidence (old trial lawyer taught me a valuable lesson for litigation, never lose sight of the forest for the trees -- Judges can really bend the rules in favor of just results.) Do you think your lawyer wants to stand in front of a judge and argue that the IM thread in question, which contains critical evidence to your legal proceeding, is not admissible because it was created and kept against corporate policy? The answer is no. And as more and more of our younger attorneys come on board experienced with IM technology, and more and more judges understand the use of IMs in the workplace, this argument to exclude IMs as evidence is going to be more and more difficult to win.

Secondly, even if the content would not be considered critical, or a smoking gun, and appears only moderately negative to your case, you now have a problem because you have made it look more important than it is. If you have submitted that your policy is to immediately delete all IMs, and a printout of an IM thread is submitted based on the fact that one of your employees or a third party thought it might be important enough to warrant saving on their hard drive, it will appear like you have a sham policy which can no longer be trusted. The evidence looks more damning because you tried to delete it, and someone saved it in spite of your efforts to keep it from the trier of fact. You have now opened the door to opposing counsel or investigators making a motion to expand the scope of discovery to examine more of your electronic data in search of material reasonably likely to lead to the discovery of admissible evidence because your electronic data disclosure cannot be trusted.

It is not hard for counsel to raise this issue. One simple deposition or interrogatory will ask if the answering party knows of anyone who perhaps saves IMs or emails that are supposed to be deleted. When, under penalty of perjury, someone answers yes, the door is nudged open, and additional discovery will likely be ordered. Your usual arguments in defense of limiting expanded discovery (i.e. it is overly burdensome and too costly) could be outweighed and defeated when to the judge it looks like you have either negligently or intentionally failed to produce requested materials that you should have. In the discovery battle, or as attorneys sometimes refer to it, the war within the war, you are now in a weakened position.

Lastly, IM technology is progressing and converging towards a single ubiquitous user interface. It will become more common that a single application will handle all your email, IM, phone chat and perhaps even video chat based on a simple click of a mouse on a tab on your computer screen. So eventually your counsel might be forced to argue, “well your honor, we agree that if this employee had been having an email thread, this information would be readily admissible and we would have needed to save and produce it to the other side, but because our employee had selected the IM chat button instead of the email button, this information is not admissible.” Good luck with that argument!

Now that you better understand why you need an IM policy, even if it is to strictly limit its usage, and can recognize the many pitfalls in implementing a sound policy, I will leave you with one last bit of free and non-legal-relationship-forming advice. It is true that IMs are more difficult to manage due to the variety of 3rd party IM applications, and the lack of management software designed to handle all the different options, but there are tools available that can help with this. The important thing to keep in mind is that in order for any good electronic document plan to be effective and provide your best protection, it must be created with attention to documentation, the people responsible for maintaining it, the technology tools you will use, and, your schedule to review and test your plan on a regular basis. Is this the best approach for managing IMs? Yes. On balance, even if the standards for your document retention plan are not specifically covered by the SEC, HIPAA, Sarbanes-Oxley or other industry-specific regulations they will still be controlled by the FRCP Rule 26(f) and general state or local discovery and evidentiary rules. These frequently include balancing tests based on standards of reasonableness. Therefore, as the technology to manage IM and the rest of your electronically stored information becomes easier, faster, cheaper, and more readily adopted, it will be less reasonable and more potentially dangerous for you not to manage it in a similar fashion. The last bit of good news is that your competitors, and potential litigation adversaries, will face this same burden.

Welcome to my blog.

2008-01-16T11:56:00.001-08:00

Company electronic data management has changed dramatically. As companies adopted technology to move from paper documents to electronic data stored on company servers, the main concerns were safekeeping their data and growing and managing their electronic "knowledge. " Now, they must actively monitor their electronic data so they will be able to comply with government regulations and the Federal Rules of Civil Procedure. Information techies used to worry about guaranteed uptime and having plenty of space to store years and years worth of emails and memos. Now, legal is making them delete the excesses as soon as practical, and lawful, so in the event they have to, they can cost-effectively search and retrieve relevant material. This blog is going to examine how the IT, legal, and other departments can work together in this new world of electronic information management.