Enterprise networks are vast landscapes of information, with dark caverns and shadowy corners harboring data that now may be a serious legal liability. Amendments to the Federal Rules of Civil Procedure (FRCP) that went into effect in December have made unaccounted for information a nightmare for corporate general counsel, unless firms have the technology in place to turn the floodlight on their information.
The new amendments to the FRCP have codified and brought into legal procedure precedents for e-discovery that had been set in landmark litigation in the securities industry. Cases such as Zubulake v. UBS Warburg and Coleman v. Morgan Stanley have raised questions about the legal responsibility of firms to preserve and recover the totality of electronic documents relevant to litigation.
The defendant financial institutions in both lawsuits lost their cases due to their failure to adequately produce e-mail evidence, and the resulting assumption that evidence was willfully destroyed or withheld. Laura Zubulake, a former UBS employee, was awarded $29 million in 2005 in her sexual discrimination lawsuit. And billionaire Ronald Perelman was awarded $1.45 billion in 2005 based on his claim that Morgan Stanley defrauded him in the 1998 sale of his company, camping goods manufacturer Coleman. (Morgan Stanley currently is appealing the ruling.) But that was not the end of Morgan Stanley's troubles related to e-discovery.
More recently, Morgan Stanley has garnered the scrutiny of industry regulator NASD for the firm's e-mail practices. In December 2006, NASD charged Morgan Stanley with falsely claiming to have lost millions of e-mail messages during the Sept. 11 attacks on the World Trade Center, where its e-mail servers were located. The regulator says Morgan Stanley misrepresented itself in numerous arbitration proceedings and to regulators, and that pre-Sept. 11 e-mails had been restored from backup tapes shortly after the attacks. Morgan Stanley also reached a $15 million settlement with the SEC in February 2006 over similar e-mail-related issues.
Both UBS and Morgan Stanley declined to comment for this story. But Morgan Stanley issued a statement in response to the NASD's charges. "When prior management learned there were still backup e-mails from that era that might bear on arbitrations, it informed regulators, plaintiffs' counsel and outside counsel; built searchable databases; produced newly discovered e-mails; and cooperated fully with the NASD's review," the statement says. "Current management has made extensive efforts to reach a fair and appropriate settlement of this matter, but the NASD's disproportionate and unprecedented demands leave us no choice but to litigate."
While these high-profile failures may not happen every day, the massive verdicts being doled out and the immediate pressure to comply with the changes to e-discovery requirements demand the attention of the heavily regulated and litigious securities industry.
Wind of Change
The first among the major changes to the FRCP arises in the "meet and confer" sessions of a litigation, in which participants negotiate the ground rules for the case and, now, for e-discovery. The rules require "organizations to be able to, on day one, walk into their first meeting with a litigation opponent and be able to address upfront what their plan for electronically stored evidence is going to be," explains Barry Murphy, a senior analyst with Forrester Research (Cambridge, Mass.).
In the initial meet-and-confer, and within the first 120 days after a complaint has been served, all parties will define rules around materials disclosure, access privilege, discovery methods and work process prior to the onset of the actual work of electronic discovery, according to Deborah Johnson, VP of discovery and litigation solutions for New York-based electronic communications solutions provider Orchestria. "If legal can't go to that meet-and-confer and accurately convey the story around their electronically stored information, they're going to be in a considerable amount of hot water," she says.
There is a strategic advantage, however, to having a complete picture of the information that exists on a network and what portion of it is and is not accessible and relevant, Johnson points out. By knowing where electronic evidence lies, a firm can minimize its search time and volume, and dramatically reduce the materials passed on for legal review, as well as the subsequent costs for that review. The more material that the legal review team has to sift through, the longer it will take, and with lawyers' rates in the hundreds of dollars per hour, this type of litigation support is the largest addressable cost in e-discovery, asserts Forrester's Murphy.
Protection by Destruction
The other notable amendment to the FRCP is the safe harbor rule for data destruction. The rule provides an out for organizations by establishing a systematic and legally justifiable method for the destruction of electronic documents. If the institution took "reasonable" steps to preserve the information, and any destruction of records was done in "good faith" by systemized practice and policy, the firm will not face penalties for failing to produce the evidence, according to Forrester.
The key to being able to qualify for safe harbor is repeatability. If the organization has a destruction policy in place that is not met on every single record, the courts may levy penalties based on the fact that if one record was not subject to a company's destruction policy, many more may have unknowingly been preserved as well, industry sources say. Further, if a single backup tape is accessed for electronic records against policy, than the policy becomes moot and all backup tapes may become admissible evidence.
"Variation will kill you in an operation like ours, and we only operate one way. We endeavor to be repeatable every time the same way so there's very little variation," said John Ritter, VP of information security for Bank of America (Charlotte, N.C.) at a recent legal-technology conference in New York. "You have to think about what is your process going to be, and how are you going to follow that practice every single time or as close to every single time as you can."
Bank of America established its electronic discovery unit in 2002 in the wake of the Enron and WorldCom scandals. Initially consisting of three part-time forensic investigators, the e-discovery unit now employs more than 60 people devoted full-time to e-discovery. According to Ritter, the department fields more than 400 requests annually from across the enterprise.
The vague terminology of the safe harbor rule leaves the specifics of what constitutes "reasonable" efforts or "good faith" unsettled. "While the amendments provide a broad construct for e-discovery, the provisions include some undefined and ambiguous language, and that's going to be filled in by the courts' judicial decisions," explains Robert Sikellis, associate general counsel of Vance International, an Oakton, Va.-based consulting firm that offers digital investigation and litigation support services.
But the courts won't accept an excuse for waiting to develop electronic discovery functionality. "It's probably too late if you haven't already started thinking about it if you've got cases coming in the door," Bank of America's Ritter told conference attendees. <<<
Forrester's Recommendations for Finding an E-Discovery Solution
- Get the right mix of people on your retention-management team. It will take a combination of business people and records managers to determine how to retain information for knowledge needs.
- If you must, start with just e-mail. Any e-discovery solution must address all enterprise content, but you need to start somewhere. Work with your current message-archiving vendor to craft a solution.
- Force your enterprise content management (ECM) or storage provider to partner with a pure-play e-discovery solutions provider you trust. Enterprise software vendors may be missing domain expertise. Put pressure on your enterprise software providers to integrate with your pure play of choice.
- Outsource if you're not ready to address e- discovery internally. It's not always necessary to deploy technology inside the firewall, especially if you are not yet ready to manage it.
- Start planning for the long term. Make e-discovery requirements a high priority in future ECM, storage and message-archiving projects.