Legal compliance: Preparing for an e-discovery request

Does your company have a legal compliance issue? We tell you how to prepare for an e-discovery request involving physical data and electronically stored information.

Electronic discovery, or E-discovery, is a key part of legal compliance in the UK. E-discovery requests come into play when legal proceedings or regulatory requirements demand parties in a dispute provide data as evidence in court.

In this interview, Bureau Chief Antony Adshead speaks with VigiTrust CEO Mathieu Gorge about what triggers an e-discovery situation, what data can be affected and how to prepare for an e-discovery request.

You can listen to the interview as an MP3 or read the transcript that follows.

Play now:

Download for later:

Legal compliance: Preparing for an e-discovery request
• Internet Explorer: Right Click > Save Target As
• Firefox: Right Click > Save Link As In what circumstances might my business face a legal compliance request on its data? What types of data might be affected and what sort of time limits are imposed on discovery?

Gorge: The first thing to understand is that a UK regulator might ask you to produce some information. The second most common way people are asked to produce information in an e-discovery or legal discovery context is in the case of litigation between two parties. A judge may ask either or both parties to disclose information.

Due to the new powers that have been given to the Information Commissioner's Office, legal discovery requests are being enforced a lot at the moment in the UK.

In terms of what data might be affected, you're looking at physical data but also electronically stored information, which makes up about 90% of data in such cases.

It is important for organisations to understand there are different types of data, primarily unstructured and structured data.

Structured data is data you can find out of the box. It will be an invoice, a file, information on an ERP system, for example.

Unstructured data is data in different forms, maybe in one location on your network where you hold information relevant to the case.

Typically, electronic information for e-discovery requests always includes structured and unstructured data, but you should be aware that forensics data might be required especially if there is an allegation of fraud in the case.

How long you have to get the data depends on the judge. The average in the UK at the moment would be 90 days, and the challenge for you as a business is to make sure you can get it on time. How can I retain/store my data so that I can be certain of meeting legal discovery requests?

Gorge: The first thing is to be prepared for any type of litigation, and that means three things essentially. It means knowing the type of data you host, store and transmit. It means knowing who owns the data — and in legal terms you refer to a data custodian, i.e., the person who is responsible for a particular type of data. And you also need to know where the data resides.

So, it's about mastering your data ecosystem, and as a consequence of that mastering your overall information and network ecosystem.

You need to understand the flow of the e-discovery process, whether it's for litigation readiness or regulatory readiness. Typically, you'll have a large amount of data, and that data is growing every day because organisations are not typically managing it.

If an incident then happens -- for example, an allegation of fraud or a third party thinks you lost some confidential information or stole it -- at that stage a legal scoping exercise takes place. The judge will say, 'I want you to concentrate on a category of keywords. It might be 10 keywords, it might be 70 keywords and I'm giving you 90 days to produce that.'

The goal here is to reduce the scope. At that stage the two opposing parties will meet in a legal discovery meeting and try to agree on how they can reduce the scope and meet the requirements imposed by the judge, but also get the information as fast as possible.

You may need to use computer forensics, which is a way of reconstructing the data or events that have relevance to the case, and after that you actually gather the data. To do this, you have to identify the data and then collect it in such a way that it is receivable in court. Once you've collected the data, you analyse and review the data and report back to the court. At that stage both parties would argue their case.

So, the main challenge is to make sure you have all the relevant information for the case, and it boils down to one issue. The case may actually hinge on a single set of data or a single piece of information, but you need to answer: Where is it? Does it exist? Who owns it? Will you find it? Will it be relevant to the case? How will you present it and how effective will it be in court?

One of the other aspects is to understand that there is a huge cost in that process and that a proactive approach to storage, e-discovery and information management is required. The advice is to classify and index your data, train your staff in data protection and e-discovery best practices, preserve the right amount of electronically stored information and be sure you're ready for e-discovery meetings.

Read more on Data protection regulations and compliance