Given that litigation is consistently on the rise, regulatory bodies continue to ramp up investigations, and local law enforcement is increasingly aware of the ease with which it can source evidence electronically, electronic discovery (e-discovery) is an area that businesses need to consider, review and improve.
The process of disclosure of evidence to the Post Office Horizon IT Inquiry demonstrates a lack of oversight and accountability, poor communication protocols and a flawed understanding of the corporate data landscape.
On the face of it, the process of discovery or disclosure in response to litigation or regulatory investigation is simple:
- Find all the communications, documents and data relating to the issue.
- Relevant parties (most commonly lawyers and/or investigators) review, deciding what is relevant to the issue.
- Send the relevant, non-privileged documents to the other party.
Unfortunately, businesses are increasingly reliant on misleading information provided by large enterprise and cloud-based platforms that would have you believe they will take care of this process for you. This leads to the overconfident assertion that “we can do e-discovery”, by virtue of a module provided with a button to push. For example, look at Microsoft’s Purview or Google’s Vault.
The reality is, as witnessed in the Horizon inquiry, the process can be extraordinarily complex and resource-intensive.
Reviews of relevant evidence can be hampered, for example, by:
- The ever-increasing volume and complexity of data: The sheer volume and variety of data generated by modern organisations poses a significant challenge in e-discovery. This data, often dispersed across various sources and formats, becomes increasingly complex to identify, collect and review effectively. Think: Microsoft Teams, Slack, WhatsApp, large language models (LLMs) such as ChatGPT, Microsoft Copilot, SAP, to name but a minuscule number of sources.
- Legacy data: As technological progress marches on, it forgets about data created in 1997, stored on backup tapes in 2010 or sitting in an accounting system that was live in 2015. For many litigations, the time periods being considered are typically at least two years old before they reach courts or inquiries, and in my experience often relate to issues from five or more years ago. Legacy data formats can be challenging to collect and review.
- The evolving legal landscape: Disclosure guidelines for courts and regulators are constantly evolving, making it crucial for organisations and their counsel to stay abreast of the latest changes. Failure to adhere to these evolving requirements can lead to legal consequences and reputational damage. Regulatory priorities are constantly shifting, and anti-money laundering (AML), fraud investigations and dawn raids are all on the increase. Greater corporate liability for criminal offences, including the Failure to Prevent Fraud as an offence, due in 2024, should be of concern to any business.
- The multitude of interested parties: The subjects of the litigation or investigation and their need for privacy; their individual legal counsel; your in-house legal counsel, or outside legal counsel; third-party IT, software-as-a-service (SaaS) and cloud providers; e-discovery suppliers; law firms, the regulators, the courts.
- The need for robust e-discovery tools: The complexity of e-discovery necessitates the implementation of reliable and scalable e-discovery tools. These tools (should) seamlessly manage data collection, processing, review and exchange of documents, ensuring compliance and efficiency. Technology use should accelerate the review process.
- The risk of spoliation: Spoliation, or the accidental or intentional destruction of potentially relevant evidence, can have severe consequences for organisations. It is essential to establish clear e-discovery policies and procedures to prevent spoliation and protect the organisation’s legal interests.
- The cost of e-discovery: E-discovery can be a costly process, especially for large organisations with vast amounts of data. Optimising e-discovery strategies and using technology in a legally defensible manner can help reduce costs and streamline the process.
- Privilege, privacy, business secrets: There are a whole host of legitimate concerns around the disclosure of data. The data needs to be assessed for risk as well as relevance.
- Strategic abuse of the disclosure process: In the matters I have personally been involved in, the parties look to make disclosure a core focus, often at the cost of making meaningful progress with the core legal issues. Small discrepancies coupled with a lack of transparency can be exaggerated and used to call into question the evidence, the corresponding legitimacy of legal arguments and the trustworthiness of those involved. A cynical individual could suggest that sometimes these arguments are brought about to distract from the less convenient legal matters at hand.
What at the outset seems like a simple task can very quickly become a full-time job for dozens of people. This complexity could suggest that a degree of error is excusable, but this is far from the truth.
Parties must sign a “statement of truth”, or equivalent, as to their understanding of the disclosure process and its accuracy. If such statements exist, but there are fundamental errors with the approach, there are obvious and significant questions that need to be asked.
Back in 2006, I wrote a blog about proactive approaches to electronic evidence disclosure. It sought to address many of these perceived issues, and the essence of that article has not changed over the past 18 years.
A proactive approach is still needed, much in the way boards are beginning to organise their approach to managing cyber. This could include things such as:
- Tabletop exercises.
- Data mapping.
- Detailed incident response guidelines and appropriate technical systems.
- Ensuring the involvement of all relevant employees, including those who really understand the data of the organisation.
To assist in addressing these concerns, consider the following recommendations for addressing e-discovery risks:
- Develop a comprehensive e-discovery policy: A well-defined e-discovery policy should outline the organisation’s procedures for preserving, collecting and reviewing data for e-discovery purposes. Regularly review and update the policy to reflect changes in the law and technology. This should be closely aligned with existing IT and security policies, such as retention guidelines.
- Educate employees on e-discovery: Provide regular training to all employees on the organisation’s e-discovery policy and procedures. This training should emphasise their responsibilities in preserving and handling data that may be relevant to legal proceedings. This can in turn help to reduce the costs and risks associated with disclosure issues.
- Identify effective e-discovery software: Invest in robust e-discovery software or vendor relationships that can effectively manage the identification, collection, review and production of relevant data. Choose software that aligns with the organisation’s specific needs and data volumes.
- Request management: Mechanisms to appropriately manage inbound requests should be considered where there are frequent or complex requests being generated by larger or numerous matters. The recording of what is being requested by whom is vital, and should not just be left to, for example, a junior individual in the IT department who understands how to export emails using the basic functions provided in your email system.
- Regularly review e-discovery procedures: Conduct periodic reviews of e-discovery procedures to ensure they remain effective and compliant with the latest legal requirements. Evaluate the effectiveness of e-discovery tools and make necessary adjustments – this is especially true of legacy data.
- Seek expert guidance when needed: For complex e-discovery matters, or those with potentially significant legal implications, consider engaging experienced e-discovery consultants and appropriate legal counsel. Their expertise can help navigate the complexities of e-discovery and minimise risks.
What should I include in a policy to address e-discovery?
Larger organisations with sizeable or numerous litigation, investigatory or regulatory requirements should have in place a robust e-discovery policy, either standalone or as part of other information systems or legal policies.
In addition to preparedness for litigation and regulatory investigations, the focus on the disposition of data can help minimise risk in the context of data privacy. Also, recording IT systems through data mapping and keeping a historical journal of those systems will enable employees to access and learn from the corporate memory, which is often spread far and wide in an organisation. This could in turn lead to lessons learned from previous organisational activities.
This high-level overview is intended only as a starting point for items you may want to consider as part of any information security/legal policy framework and is by no means comprehensive. Any such policy should also consider its alignment with broader policies and data management practices.
Purpose and scope
Defining the purpose and scope is an important exercise to establish guidelines for managing legal data request/e-discovery processes effectively and consistently to meet legal requirements and minimise risks. The scope of the policy might define the source and types of data and the organisational units covered by the policy.
Roles and responsibilities
Make sure that each staff member is aware of their obligations regarding the policy. For illustrative purposes, although your structure may vary:
Legal team
- Oversee the e-discovery process, provide legal guidance, manage communications with opposing parties.
- External counsel may just be a facilitator or take a more active role, although ultimately you will likely bear responsibility for signing off the completeness and accuracy of the exercise.
IT department/service provider
- Identify, collect and preserve relevant data, ensure data security, provide technical support for e-discovery tools.
Business unit responsibility
- Identify custodians, respond to legal requests, provide access to relevant data.
Documentation and audit trails
Particular emphasis should be placed on maintaining detailed documentation throughout the legal data request or e-discovery process. This includes audit trails for data handling, processing and review activities, to enhance transparency and ensure defensibility of the approach and the evidence.
Data identification and preservation
In the context of any legal inquiry, a process of legal hold should exist, whereby employees, IT staff, vendors, and so on, are informed of their legal responsibility to preserve data as soon as legal action is “reasonably contemplated”. Any destruction or deletion of data should be paused, whether or not a formal request has been made.
- Clearly define the process for initiating, maintaining and releasing legal holds.
- Specify the triggers for legal holds, responsibilities of individuals involved, and communication protocols.
- Ensure “corporate memory” of legacy systems, by implementing change management procedures that record the impact of any outage and test the results of any migration of data thoroughly.
In most instances, defining exactly what is being requested, and what is appropriate to preserve, may depend entirely on the context of the specific request. For each request, you may want to define the types of data subject to preservation (typically the data you feel may be relevant to the request, whether it is ultimately used or not). As data becomes more transient in nature through messaging, cloud-based systems, LLMs and so on, it becomes even more necessary to keep reviewing the approach to identifying and preserving relevant data.
Data collection and custodian identification
Establish operational procedures for collecting preserved data from various sources. Is there someone who will be responsible for making a request to a particular team, or an IT vendor? What information would they need to fulfil the request? How will it be tracked and recorded?
The identification of specific custodians (the owner or controller of the data) will be based on the specific request made. The custodian could be a person, an IT system or storage system, or even a chatbot. This section might assign responsibilities for data collection, approvals and…