E-discovery laws: Having an information governance framework matters

A recent increase in privacy litigation proves that UK companies, too, need e-discovery and data governance plans.

Ever since December 2006, when the US government introduced amendments to the Federal Rules of Civil Procedure for the discovery of electronically stored information, e-discovery has become a major issue for UK information security professionals working in American corporations. Unfortunately, many UK infosec pros don’t realise how important e-discovery is.

The rules stipulated that, when a lawsuit begins, the two parties must meet and agree on which electronic files, including emails and other electronic communications, might be relevant to the case, and then decide on how much information needs to be produced as potential evidence. That put a new burden on companies to manage their information more systematically and store it in a way that it could be effectively searched.

So why should this worry anyone working in the UK? According to Debra Logan, an analyst with research and advisory firm Gartner who specialises in the field of e-discovery, most UK organisations believe e-disclosure is an American phenomenon, and of no concern to them. But they are wrong.

“Some Europeans think it doesn’t matter here,” Logan said, “but the fact is that the rules of disclosure and discovery are no different in any jurisdiction.”

Furthermore, with increased regulations and laws covering factors such as privacy and corporate bribery, there is a growing level of litigation in Europe. According to Fulbright & Jaworski, a law firm that tracks litigation trends in the US and UK, 50% of UK companies faced at least one legal dispute in 2010, compared with 45% the year before.

A company facing a lawsuit may be required to surrender huge amounts of data and trawl through years of emails if the information is deemed relevant to the case, as demonstrated by the recent News International litigation and allegations of deleted and misplaced emails. If the organisation on the receiving end of the suit is ill-prepared for the task, then the process can be messy, long and extremely expensive.

Unless companies have a proper information governance framework in place, with policies for the retention and deletion of data, they may be in for huge legal bills every time they receive a lawsuit.

“What’s different now is the sheer volume, velocity and variety of information we have to handle,” Logan said. “Electronic data is so easy to replicate. In the old days of paper, you might have 10 or 12 copies of a document – but now it’s a lot more.”

The UK courts are already aware of the problem. In April 2011, the Ministry of Justice issued Practice Direction 31B – Disclosure of Electronic Documents, which spells out in some detail what lawyers need to consider when discovering and disclosing electronic evidence.

According to the Direction, the main guiding principles should be as follows:

  • Electronic documents should be managed efficiently in order to minimise the cost incurred by e-discovery.
  • Technology should be used to ensure document management activities are undertaken efficiently and effectively.
  • Disclosure should be given in a manner that gives effect to the overriding objective [of getting to the truth].
  • Electronic documents should generally be made available for inspection in a form that allows the party receiving the documents the same ability to access, search, review and display the documents as the party giving disclosure.
  • Disclosure of electronic documents that are of no relevance to the proceedings may place an excessive burden in time and cost on the party to whom disclosure is given.

In short, the company holding the information must be able to provide relevant data in a form the opponent’s law firm can analyse easily. The main purpose of the e-discovery rules is to keep down legal costs, which is why the directive emphasises the use of technology to help streamline the task.

According to Logan, money is well spent on specialist tools to meet the demands of e-discovery laws. “Lawyers will normally want to search by keyword/custodian/day range, and a simple tool to do that will cost around £25,000,” she said. “Do you know how long it takes a lawyer to bill you for £25,000? Not long. Lawyers make software look cheap.”

In the end, the amount of time, effort and money you put into this kind of system depends on the risks associated with your industry. Logan said the highest risk of litigation lies in pharmaceuticals, insurance, oil & gas, utilities, technology and the media.

However, there are some basic steps all organisations can -- and should -- take in order to limit exposure to long and costly disclosure exercises.

The first and most important of these, Logan said, is to have an effective document retention scheme. She said if an organisation adopts a clear policy that all emails are deleted after six months, for example, then the law cannot ask for emails sent seven months ago.

But deciding on a policy needs to be a joint effort. “It’s always been easier to keep data than delete it. There needs to be a conversation between IT, security and the legal department about what to get rid of,” Logan said. “Companies and individuals currently keep far too much information because they can, and because they don’t define their information needs.”

Once that communication begins between the legal and technical departments, companies can decide on policies, acquire relevant tools to manage the data and train people to use it.

And don’t just think it’s a question of archiving emails. As a recent study by Symantec revealed, e-disclosure requests can cover a wide range of file types. Files and documents (67%) are the most frequently requested, followed by database or application data (61%), email (58%), SharePoint files (51%), instant messages and text messages (44%), and social media (41%).

For those wondering where to start in preparing for handling this kind of request, Logan suggests following the Electronic Document Reference Model, which lays out some basic guidelines, and provides standards and some valuable resources.
