AIIM — The Enterprise Content Management Association


10 Steps to Litigation Readiness

What you need to do now -- Before it's too late

Mar 24, 2010


Rapidly growing data volumes, constantly changing data types, evolving legal mandates and regulatory burdens have all greatly increased the cost and burden of electronic discovery (eDiscovery). As a result, many organizations are unable to appropriately respond to discovery requests in a timely manner. According to a September 2008 report by the American College of Trial Lawyers, these burdens have forced many organizations to settle cases due to costs rather than merits. [1]

eDiscovery requirements are also having a negative impact on production IT systems, as litigation holds wreak havoc on document retention policies carefully designed to maintain high performance for production systems. Today’s organizations need a better way to respond to modern eDiscovery requirements and minimize the risks of non-compliance. The answer is for organizations to proactively prepare themselves for litigation by following best practices and putting in place automated solutions that simplify compliance with discovery requests.

But where do you start? The following are 10 best practices that organizations can follow to proactively prepare themselves for eDiscovery and litigation.

Know Your Data — Create a Data Map
The ability of many organizations to comply with eDiscovery demands is compromised by their ever-growing volumes of electronic documents and by the fact that information is scattered across email, enterprise content management (ECM), enterprise resource planning (ERP), database and storage systems. The nature of this infrastructure significantly complicates the cost and effort to execute a search. To prepare in a proactive manner, organizations need to create a map of where all their documents and data are stored before litigation occurs. This map should list the types and locations of all data and documents across the organization.

To prepare this map, organizations should create an inventory of all of the organization's sources of data and documents, including content management systems, database systems, email systems, data repositories, etc. They must also create a map of the IT infrastructure that shows where the data stores are located.

For both the data sources and the IT infrastructure, organizations should understand:

  • What is the data source? What does it do? What data does it store or use?
  • Who is responsible for the data source? Who has access to that source?
  • When was the data store created? When is it backed up? When can it be destroyed?
  • Where is the data stored? Where is it backed up?
  • Why does the source exist?

With this information, organizations can rest assured that they will be prepared to locate all relevant data in a timely manner during discovery.

Create a Data Retention Policy
The organization needs to develop document retention policies that identify which content needs to be managed and incorporate the organization’s data retention philosophy, responsibilities, procedures and timeframes. The document retention policy should be consistently applied across all content and records in the organization. Such a policy allows organizations to delete electronic documents to meet their business requirements and applicable regulations. At the same time, such policies allow the organization to persuade a court that documents were destroyed only in accordance with a well-established and routinely executed retention/destruction policy.

Organizations should begin by developing guidelines for which content the different types of documents should contain. To illustrate, organizations should define which types of documents can and can’t be sent via email — for example, some organizations may not want to send contracts through email. They also need to spell out the language documents should or should not contain.

Organizations will also need a way to enforce the content policy. Best practices include:

  • Put in place a system that automatically scans for email policy violations and/or assigns an employee to periodically review content
  • Define the length of time the organization will keep different types of business records and other documents
  • Take into account the retention requirements of any relevant regulations, e.g., Sarbanes-Oxley Act (SOX), Financial Industry Regulatory Authority (FINRA), Health Insurance Portability and Accountability Act (HIPAA)
  • Consider the retention requirements for various roles within the organization

Get Executive Buy In
Organizations charged with litigation readiness must be sure that executives are engaged in the process of developing and putting in place a litigation readiness process. This is necessary to:

  • Obtain approval for the funds to get the project going
  • Obtain the requisite buy-in and support from executive management
  • Make it clear to all employees that litigation readiness is important to the overall success of the organization and not something to be addressed after “the important stuff” is completed
  • Resolve any political battles that occur during the course of the project 
  • Make internal resources from IT, legal and other departments available to the project

Without executive support, it can be difficult to procure the employee resources needed to make the project successful.

Know Your End Users
Following a document retention policy has the potential to change existing work processes and even increase the number of tasks workers need to perform each day. End users may need to classify content, store it in specified folders, refrain from storing documents in personal folders and so on. Those in charge of litigation readiness projects must be aware of the culture of the organization to determine whether the policy has a realistic chance of being followed. One way to increase the likelihood that end users will adopt the policy is for the litigation readiness team to engage end users in providing input into policies before they are implemented. The team also must provide proper training to verify that end users understand the policy.

Build Your Team
As part of a proactive approach to litigation readiness, organizations should put in place a team to help produce documents during the discovery process. To accomplish this, the organization needs to define the following:

  • Who’s involved (likely the head of litigation, IT personnel to help recover and restore data, an eDiscovery expert to help guide the process, lawyers and paralegals, business representatives and vendors)
  • Clear roles and responsibilities for each team member
  • When the team should meet
  • An internal marketing team (people won’t use the resource if they don’t know it exists)

Use Technology to Automate Policies and Track Decisions 
The more automated your retention policy, the more defensible it is. Automated records and email management systems can verify that the policy is followed in a uniform and consistent manner, while included auditing capabilities prove that the policy was followed. Automated systems also improve case and legal hold management, case production speed and the ability to purge old messages on the appropriate date, yet maintain messages subject to a legal hold when necessary. This enables organizations to more easily comply with legal holds while deleting unnecessary documents to maintain high IT system performance. Specific characteristics of an optimal automated Information Governance system that improves litigation readiness include:

  • The ability to apply business policies to control and manage physical, electronic and email records throughout the enterprise via a federated architecture
  • Fine-grained retention capabilities that allow organizations to retain individual emails according to specific criteria or as required by legal holds
  • Facilities to produce an inventory of information sources available
  • The ability to mask private information
  • Capabilities to support eDiscovery, classification and search of email, voicemail, IM and other unstructured documents and records

Take End Users Out of the Preservation Loop 
To comply with preservation obligations in the eDiscovery workflow, organizations must verify that all potentially relevant electronically stored information (ESI) that exists at the commencement of the preservation obligation (some people call this the “triggering” of the hold obligation) is kept and not changed. Yet today, many organizations rely on end users to make decisions about what email or other ESI to keep. This often burdens them with too many processes outside their core competency and impacts their productivity even as it reduces the likelihood of overall compliance with the hold obligations. To illustrate, the user may be required to use a Web interface, save an email to a specific folder or use an application plug-in to specify metadata. Automated systems can take end users out of the preservation loop to preserve relevant ESI.

In addition to putting in place automated systems, organizations need procedures to prevent end users from circumventing these systems. Many employees in organizations without automated email archiving create their own “personal archives” (referred to as PSTs for Microsoft Exchange users; competing email platforms offer similar options) for future reference, reuse and other reasons. Locating data on the local hard drives of users throughout a large organization is a time-consuming and expensive process.

Get Started Now – Don't Wait for a Perfect Plan
Sometimes organizations wait to develop the perfect policy or eDiscovery process. While waiting, the organization may operate without effective controls and put itself at risk. The unpredictability of litigation means that an organization that is continually evaluating policies, always on the verge of being litigation ready but not actually ready, can be caught unprepared without a process for responding. Organizations are better off deploying a good policy and process today, and improving it over time, instead of waiting for the perfect policy that may never come. Policies and processes are inherently imperfect. The courts and regulators generally expect reasonable efforts, not perfection. The best way for an organization to minimize risk is to create a policy, publish it, train to it, follow it, demonstrate that the policy has been followed and adjust the policy as necessary over time.

Have a Growing and Flexible Process
The best policies and processes eventually will become dated and even obsolete. This can be due to a variety of reasons. New applications are launched. Old applications are retired. New storage is deployed. Users move around. Regulations change. Companies should therefore periodically review and audit their policies and processes. An audit should validate that the policy or process is being consistently followed. A review should verify that the policy or process addresses the current legal and business requirements. Organizations are encouraged to keep records of these tests to demonstrate their reasonable efforts. The key here is for organizations to know that they are doing what their policy says they are doing and to verify that the policy and processes are up-to-date with legal and other business drivers.

Centralize Where Possible
What complicates litigation readiness isn’t only the ever-growing volume of electronic information; it’s also the fact that information is scattered across a wide range of disparate systems, from applications to data repositories to email systems to content management systems. Content is sometimes created in one format, archived in another and submitted as evidence in a third. The nature of this infrastructure significantly complicates the cost and effort required to execute a search. By centralizing data as much as possible, organizations can minimize this effort and cost.

Conclusion
By following best practices for litigation readiness, organizations can prepare themselves in advance for litigation that may occur. This allows organizations to produce relevant documents quickly, reduce costs and lower risks of sanctions or exposure for unintentionally mishandled documents, all while allowing IT to maintain the performance of production systems.

Reed E. Irvin is vice president of product management for Information Governance at CA, responsible for CA's records management and discovery solutions. Reed has nearly 20 years of experience in various aspects of records management and information governance. He founded On-Line Records Storage, one of the first commercial offsite storage companies to offer real-time, remote access to information. Reed also served as vice president of business development and chief operating officer of a leading records management software and services firm. For more information, see the CA Information Governance Blog. Twitter: @CAInfoGov

 


Sources: 1. “Interim Report & 2008 Litigation Survey of the Fellows of the American College of Trial Lawyers,” September 9, 2008, by the Institute for the Advancement of the American Legal System and The American College of Trial Lawyers Task Force on Discovery.
