CIOs: Talk to your company's lawyer

An IT legal expert stresses the importance of good communication between a CIO and corporate counsel.

The joke goes something like this:

A guy goes by in a balloon and yells down to a man on the ground, "Where am I?" The man on the ground says, "You're in a balloon, 30 feet above the ground, headed from this direction to that." "You must be a lawyer," says the guy in the balloon. "You've given me information that is technically accurate and terribly useless and I'm in no better situation than I was when I came to you with a problem." The lawyer says: "And you must be an executive. I've given you accurate information, and now it's all my fault!"

More on IT and the law
IM and blogs next target for litigation

Updated record retention laws cause groans
Miscommunication is actually no laughing matter for CIOs or their companies, said attorney Erik Phelps, a featured speaker at the recent Fusion 2007 conference in the US.  The revision of the Federal Rules of Civil Procedure, which mandate the accountability of electronically stored information in lawsuits, means CIOs and lawyers need to start speaking the same language.

"Can you get sued? The answer is always yes," said Phelps, a partner at Michael Best & Friedrich LLP and former general counsel for catalog and online retailer Lands' End.

The stakes are "immensely high," Phelps said. Cases are decided on facts. Facts live in documents, in emails, on BlackBerrys, throughout the electronic archive. A well-informed attorney who goes into a case with a good handle on his company's information assets has an enormous strategic advantage over the other side.

Treat e-discovery like disaster recovery

Think broadly about existing data stores, Phelps advised. That includes everything from typical spreadsheet documents to less obvious repositories, such as USB flash drives, instant messaging, Web server logs and home computers. Every one of these data stores has been the subject of a subpoena and a mandatory obligation to produce the information in a lawsuit under US law.

CIOs need to review and document their various data stores, with attention paid to the policies applicable to them. Where is the data kept, how long, how much, does it need to be kept for everyone, is it backed up, does it involve automatic destruction and who has access, etc. More important, who owns the data -- a detail that is often overlooked.

"That is the person the lawyer has to go to and say, 'Stop, this all has to be preserved!'" Phelps said. When litigation takes place, the company has to stop the automatic deletion of certain information. It might be email or particular databases. CIOs should know how to stop the deletion if the data is put on litigation hold, and then ask themselves whether they could do that "tomorrow."

"You will be of tremendous value to your organization and your organization's risk profile if you think about these issues now," Phelps said.

Indeed, Phelps recommended CIOs treat e-discovery like disaster recovery and do periodic run-throughs to make sure data is accessible. Ask the lawyers which claims their company is most likely to get smacked with and figure out how to execute the data requests in an "orderly fashion."

"Get used to working with discovery vendors and your outside litigation counsel -- and don't change, or you go through the same learning curve over and over again," he said.

Reasonably accessible, according to lawyers

Ed Meachen, CIO for the University of Wisconsin System, said his group is embroiled in a "very major litigation hold," with no sense yet whether the case will turn into litigation. Potential costs could mount to tens of thousands of dollars not built into the IT budget. What to do?

Exercise judgment, Phelps said. Under US federal rules, organisations are obligated to reproduce reasonably accessible information. "Now unfortunately, lawyers drafted the rule and interpret it, so I can't give you a clear answer that this data server is reasonably accessible and that one is not," he said.

But this is one of the areas where good communication between the CIO and legal counsel is critical. If it's decided some of the requested information is not reasonably accessible, the burden falls to the other party to prove why they need it and "there are potential cost shifting implications," Phelps said.

He's worked on cases where backup tape exists, but the system to reproduce it no longer exists. "The plaintiff's answer is great, 'Go find a new system," Phelps said, but the rules are a "little bit more rational."

However, if the data is living on an active system, fights over whether it is reasonably accessible "will happen," he stressed. In fact, 10% or even 25% of the CIOs who were in the room at his Fusion 2007 talk will be deposed on this very issue in the next three years, he said, and may end up being called into court.

"We stand in open court all the time and say, the CIO says absolutely, this can't be restored, it will cost hundreds of thousands of dollars. 'Really?' the judge says. 'Bring her in,'" Phelps recounted. "The CIO is put on the stand, raises her right hand. 'Could she reproduce the data if her business told her to?' 'Yeah, I guess I could.'" So much for absolutely not accessible.

One bright note: The rules allow parties to agree that electronically stored information is not relevant to this lawsuit. Courts may well honour it, Phelps said -- "and now you don't have to produce anything," But, he cautioned, you have to think about this issue early, or you are going to get stuck with what the judge orders.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

Read more on IT legislation and regulation