In December 2006 the US Federal Rules of Civil Procedure were amended to address electronically stored information, with the result that ESI is now subject to discovery, meaning it can be requested as evidence in court cases.
Most corporate legal departments understand these changes, but many company management teams and departments that create and manage ESI may not be aware of their exposure should they get involved in litigation. The consequences of not creating a proactive electronic discovery (e-discovery) process can be fines, unfavorable judgments and increased operating costs. All of these can result in diverting attention from running the business, as well as costs in money, time and corporate reputation.
ESI is defined as a distinct category of discoverable information, separate from print documents. ESI includes structured data (such as database archives) and unstructured data, which may include e-mails, instant message logs, Word documents, PowerPoint presentations, scanned documents and more.
E-discovery is the process of identifying, collecting, preserving, reviewing and producing relevant electronic data or documents as evidence for use in financial investigations and/or litigation. Knowing what ESI is relevant can be complex, and standards for handling ESI are still emerging. One thing is clear, however: The ability to quickly access the right ESI and identify authors of the information is critical to limiting risks.
E-discovery risks range from quantitative (such as fines, unfavorable judgments and increased operating costs) to qualitative (such as corporate reputation and loss of intellectual property):
- Fines and unfavorable judgments: Courts can impose large fines for noncompliance with production requests for discoverable information. Furthermore, companies unable to provide proper discoverable information assume a plea of guilty.
- Increased operating costs: Companies taking a case-by-case approach to e-discovery risk facing costly, repeated fire drills when litigation comes up. One unprepared company was given six weeks to come up with ESI and had to assign 10 people to work 50-hour weeks (some of them lawyers charging $600 an hour). Disclosure for this $50 million fraud investigation cost the company $10 million.
- Disclosure of competitive information: Turning over unnecessary ESI may result in releasing privileged information with serious consequences for future strategies or product plans. There are procedures for reclaiming information, defined as "claw back," but companies still risk putting themselves at a competitive disadvantage if they disclose sensitive information.
Just like any type of risk-management exercise, companies need to determine how much e-discovery can affect the business before they go overboard on mitigating these risks.
What can be done
Knowing what can be done to prepare for e-discovery is key. Due to the number of departments typically involved in e-discovery activities (legal, compliance, sales and marketing, corporate audit, IT), determining the appropriate procedures and who needs to manage the data is critical. It's a business issue, not just something an information technology security officer can handle alone. IT can provide solutions that help with ESI, but e-discovery is something that affects an organization at the highest levels -- it affects everyone.
Companies need appropriate retention policies and governance strategies for the growing number of electronic records. In the course of normal business operations, comprehensive retention policies reduce the burden every time discovery is necessary. What's more, explicit procedures can limit a company's exposure to seemingly endless disclosure. A company should turn over only what is required and no more.