November 2007
Facing the E-discovery Challenge: A Proactive Approach
As e-discovery continues to play an increasing role in corporate litigation, internal auditors need to develop data retention policies that ensure the safe storage and accurate retrieval of electronic data.
Shawna Scharf
Contributing Staff Writer
The modification of the Federal Rules of Civil Procedure in 2006 sent U.S. companies scrambling to retain, classify, label, and compartmentalize the vast amounts of data that had, until this point, been retained or deleted haphazardly. Corporate litigators were now faced with relying on IT departments to aid in e-discovery, which can include all types of electronically stored information (ESI) such as database archives, e-mails, instant message (IM) logs, Word documents, scanned documents, and more. As a result, many IT departments and internal auditors are struggling to keep up with the stricter guidelines and are now becoming more familiar with case law surrounding e-discovery. However, by studying e-discovery law, recommending the implementation of sound data retention policies, investing in the right software tools, and working with the company's legal counsel, auditors can reduce the risk of coming up empty-handed in the e-discovery process.
LANDMARK CASES
Sidebar: Litigation Trends Survey Results (e-discovery methods; preserving records)
Zubulake v. UBS Warburg is considered to be one of the most important cases, partly because of the e-discovery expertise of Judge Shira A. Scheindlin. In this case, Laura Zubulake sued her former employer, UBS Warburg, for gender discrimination and retaliation. Much of the critical evidence in the case centered around e-mail correspondence that turned up deleted or missing from UBS backup tapes. As a result, the court granted an adverse inference instruction that instructed jurors to assume the missing e-mails would have negatively impacted UBS' case. Ultimately, the jury found that UBS had discriminated against Zubulake, who was awarded more than US $29 million in damages. This decision had far-reaching legal implications in that it allows courts to deduce facts from missing or destroyed data.
A second landmark case was that of Arthur Andersen v. The United States, in which Enron's accounting firm (i.e., Arthur Andersen) instructed its employees to destroy documents relating to Enron after Andersen officials knew that they were about to be investigated by the U.S. Securities and Exchange Commission (SEC). Although Arthur Andersen was convicted of obstruction of justice, the U.S. Supreme Court overturned the ruling, stating that while the firm did instruct employees to destroy documents, these actions were within its document retention policy. Therefore, the firm was not knowingly in violation of the law. The outcome of this case reinforced the need for organizations to have well-documented retention policies and procedures.
HOW MUCH DATA IS ENOUGH?
Sidebar: Zubulake v. UBS Warburg. This landmark case took on a number of e-discovery issues:
How can internal auditors determine how much and which data to retain? As a general rule, a reasonable destruction and retention policy should not require the retention of everything. As Francis Bueb, a CPA and technology professional at Ueltzen & Company LLP, explains, the industry itself is the best indicator of what data should be retained and for how long.
"As part of the securities trading industry, online brokers, for example, may retain data by the minute or a fraction of a minute, whereas a construction company focused on long-term projects can back up data much less often without assuming risk." He adds that most industries have a range for what is acceptable and what is not, and auditors should make sure that their organization falls within that range.
Another important factor for data retention, according to Bueb, is consistency. "If a company's data retention policy requires the backup of a certain function every month, and then for some reason, skips a month, they could be in trouble if that information is required for litigation."
Finally, the actual content that needs to be retained should be considered as well. As Bueb explains, this content will change when the company is aware of a pending lawsuit in which ordinary document destruction is suspended. "Your data retention policies might be the same. For instance, the company backs up its data every day on tapes, but instead of reusing those tapes, the company is required to save them for possible inclusion in the discovery of the lawsuit." Failure to do so can result in serious consequences, including monetary sanctions.
E-DISCOVERY TOOLS
These hefty judgments and complex e-discovery rules have created a boom for the electronic data discovery business. Dozens of companies have positioned themselves as a "one-stop shop for all e-discovery needs," while other vendors have been capitalizing on the fear surrounding e-discovery in more of a "buy now or pay later" pitch, with allusions to the huge monetary damages companies can expect without the proper software — or hardware or consultants — in place. Taking the approach that the right tool will fully satisfy a company's requirements for e-discovery is short-sighted, according to Dave Canfield, managing consultant for KrollOntrack.
Sidebar: Questions to Ask When Assessing In-house or Vendor-managed Tools
"The first thing auditors need to understand is that an effective e-discovery approach involves three things: a combination of tools and software, effective processes and procedures, and education." What ends up happening, Canfield says, is that auditors purchase a tool, and it works fine — it searches data in the way that it is supposed to — but it doesn't handle all of the processes around it — it doesn't collect the data in a forensically-sound manner or in a way that will stand up in court, for example. Therefore, once a gap analysis is performed to determine what went wrong, Canfield says, IT managers realize that they need another tool to fix what the first tool didn't, and the process continues until what started out as a few tools in a small department ends up with 100 people supporting dozens of tools and pieces of software. Because most companies don't consider that there is a potential risk anytime a company brings a search tool in-house, auditors must ask themselves how much money, time, and effort they will expend in creating a control data set around the new tool.
"We find that a lot of search tools will stop processing data whenever they hit certain types of HTML code or certain types of formatting characters, especially in legacy content, such as older WordPerfect documents and Lotus spreadsheets. All the while, this auditor may be asked to defend the tool in court by saying 'Yes, your honor, our tool picked up everything required in this discovery.'"
Canfield says most of these situations can be avoided with the implementation of a comprehensive program up front that uses tools the company already has combined with processes and procedures or an outsourcing agreement with a vendor.
Another dilemma facing IT auditors is how much of the e-discovery can be done in-house. Canfield says auditors should objectively consider a series of questions when deciding what can and cannot be done in-house: What is the IT department capable of doing? Is the staff trained in preserving the data correctly, as well as running and testing the search tools? And, ultimately, who is the company going to put on the stand? If, after an objective risk assessment, the auditor is not comfortable with the in-house scenario, he or she should say so during the planning phase.
E-DISCOVERY AND LITIGATION
Ensuring that adequate controls and data retention tools are up and running is only the first step in the legal process. As Bueb explains, internal auditors with the necessary background and experience may be called on to aid the organization's attorney and information systems personnel by:
The production and discovery of privileged information is an especially sticky area for litigators and auditors. When documents are produced for discovery, Bueb comments, privileged records are not discoverable, such as board meeting minutes with correspondence involving the organization's counsel on the pending litigation. In cases like these, there is often a "clawback," or non-waiver, agreement, under which inadvertently produced material is returned without a waiver. However, it may be disastrous to allow certain documents to be viewed by the opposing parties. Because the process of producing documents must be managed in conjunction with the ability to identify records deemed to be privileged, auditors must examine the controls that are in place to identify what material is or is not considered privileged information.
LOOKING FORWARD
"E-discovery is not just an IT issue, it is a business issue. It affects every part of an organization to the highest levels," states Robert Hallberg, a manager at Chicago-based IT consulting firm Acquity Group. "What is often lacking in a company's methodology is a governance risk compliance overview and a proactive approach. Companies should take a risk-based approach to e-discovery policies and procedures and then make decisions based on their risk assessment," he adds.
When considering current case law, being unprepared can be a costly mistake. Hallberg cites an example of a company that was ordered to produce ESI over a six-week period it was unprepared to retrieve. Consequently, the company spent US $10 million on disclosure in a US $50 million fraud investigation. As Hallberg explains, well-crafted retention policies could have limited this company's exposure to seemingly endless disclosure. Ultimately, Hallberg says, auditors need to establish a close relationship with the company's legal team. This will enable auditors to help senior managers understand every facet of the law and its implications, as well as provide recommendations that meet e-discovery compliance requirements.
In the largely untested waters of e-discovery, evolving case law is confirming that it is imperative for IT, legal, and internal audit departments to cooperate to ensure the safe storage of electronic documents and data, while guarding against deletion or periodic destruction. With so much at stake, a risk-based proactive approach to e-discovery is well worth the effort.