In light of long-standing requirements to maintain a regular records-retention schedule for each agency’s mountains of paperwork, you might think federal organizations had a leg up on the rest of the world when it comes to handling legal discovery requests or a Freedom of Information Act inquiry.
Sadly, judges in a few U.S. government cases found otherwise. Fast-forward to the present world of e-discovery and the need to now comply with various amendments to the Federal Rules of Civil Procedure — it’s enough to make even the most stalwart CIO tremble as thoughts turn to IT preparedness for legal holds, preservation requests and the ongoing production and protection of a wealth of electronically stored information (ESI).
Where to start? What pitfalls to avoid? Experts offer some rules of thumb to minimize e-discovery’s impact on federal IT operations and running business as usual.
1 GO Digital
Surprisingly, many agencies have grown so accustomed to keeping their records in paper form, their first hurdle may be making the move to digital record-keeping. Jason Baron, director of litigation in the Office of the General Counsel for the National Archives and Records Administration, has come across this scenario more often than he’d like to admit in the talks on e-discovery and records management he gives around the Washington Beltway. “Many organizations’ records schedules are still based on paper. For e-discovery, that’s a terrible conundrum and places agencies at great risk for noncompliance,” he says.
Although Baron says that government now works in a “born-digital world,” the same cannot be said of agencies’ record-keeping policies. “The vast majority of federal agencies still have paper as their official record-keeping default,” he says. “That’s true for e-mail, word processing and many other applications on the desktop as well.”
The result? An agency ends up “six steps behind” the moment a request comes in for all the e-mail and associated metadata on a given subject, Baron says. He recommends that agencies check out NARA’s online resources and toolkits to help with the transition from paper to electronic record-keeping.
2 MAP Your Apps
When it comes to navigating the realm of systems, databases, applications and e-mail messages, another e-discovery directive emerges: Before you can respond successfully to any legal request, you need to first get your own IT house in order. Increasingly, initial “meet and confer” discussions between opposing and defense counsels now rely on the availability of a content-rich (and context-sensitive) “data map” that describes not just where certain systems are, but also the type of data they contain, how often the data is backed up and the policies usually in place to automatically archive or delete data.
Think twice before you rely on a traditional IT architectural map or network topology diagram for the task, says Jonathan Redgrave, chairman of law firm Redgrave Daley Ragen & Wagner and editor-in-chief of The Sedona Principles, one of the Sedona Conference’s industry-leading works on e-discovery and the FRCP.
“You need to be able to pull together some type of mapping of applications, databases and systems most likely to be called upon or looked to in either FOIA requests or discovery proceedings,” he says. “Instead of having an IT architectural map, however, you need a description of each of the data sources so that a nontechnical person can understand what and where the data is, and if the data is subject to any auto-deletion.”
At the Federal Deposit Insurance Corp., Senior Counsel James Barker refers to it as a map or survey of data across the enterprise, which offers something akin to a layman’s “data dictionary” for each system. “The new [FRCP] rules prescribe that the parties to litigation meet and confer soon after the litigation commences. At that point, you should be able to exchange what amounts to data maps, including what you have stored and where it’s stored electronically.” Further details about data maps can be found at EDRM.net, an industry organization with ongoing development of an Electronic Discovery Reference Model.
3 FOCUS On the Low-Hanging Fruit: E-Mail
Because no agency can do everything at once, experts suggest first getting a handle on an IT area that is often the source of most discovery activity: the e-mail systems in the organization. “E-mail is still the killer application. … With the growth of the Web, it’s become even more so,” says Baron.
At the FDIC, the enterprise infrastructure team began its multiphase e-discovery initiative by first establishing a policy-based e-mail archive, complete with a central repository. Using Symantec Enterprise Vault archiving software to help enforce the organization’s evolving protocols for e-mail, Deputy Director Russell Pittman in the FDIC’s Infrastructure Services Branch explains how the organization’s current technical requirements around e-discovery led to a number of new e-mail practices now being enforced:
- 180-day policy. E-mail messages in their native, unaltered form are available for 180 days.
- E-mail journaling. This feature is turned on, a factor that Pittman admits offers better e-discovery readiness but also requires significantly more storage capacity and the use of clustered servers to help bolster e-mail system availability. Overseeing the output of a smaller number of employees, Pittman can scarcely imagine the amount of storage that might be required for an entity like Health and Human Services or Homeland Security.
Searchable, centralized e-mail archive. The archive should be able to be searched by either keyword, themes or phrases. The FDIC’s e-mail archives are stored on a storage area network for ready access and also replicated to an offsite disaster-recovery facility. Access to this type of data for faster recovery and e-discovery were just a few of the reasons Pittman opted to move to a disk-to-disk-to-tape backup paradigm.
Conducting initial electronic searches to reduce the bulk of data requiring analysis is an increasingly popular practice often agreed to by both parties during the meet-and-confer process, according to Chuck Williams, chief technology officer at MetaLincs, a Seagate Technology company. He refers to this practice as “pre-culling” and claims he’s seen customers save millions of dollars a year by doing early case assessment and pre-culling with in-house tools. Many backup, archiving, e-discovery, and content-management software vendors offer various built-in search and tagging capabilities, including ZyLab, CommVault, EMC and Seagate’s MetaLincs.
Straightforward process to apply legal holds to key items or subsets. Currently dealing with a handful of legal holds itself, the FDIC knows the importance of being able to suspend ongoing archiving or deletion policies for key e-mail that falls under a specific legal inquiry.
According to Williams, how the software you use handles such exceptions to ongoing retention policies is a key criterion for e-discovery. “Whatever technology solutions you put in place for archiving and backup, you have to have retention policies that allow for exception,” he says. “You’re not allowed to apply retention policies for any material subject to litigation.”
- Ability to export archived e-mail with attachments in native format. “Lawyers want it with all the headers, footers and routing information, including attachments,” says Pittman. “That’s how business is done now. You need to include those.”
- Ability to establish a secure chain of custody for data under review. Pittman opted to limit who could search the archive to a small subset of individuals using a combination of Active Directory credentials and the creation of specific user accounts. FDIC legal counsel also helped Pittman’s team establish specific rules, timeframes and logging procedures to ensure individuals would search the archive just for those items under scrutiny and nothing else.
The ability to access individuals’ e-mail .pst (Personal Storage Table) files from within a shared folder. Pittman acknowledges the next phase is to move employees’ local e-mail .pst files into a shared folder to make them easier to search.NARA’s Baron wants to see organizations move away from the common practice of asking individuals to search their own e-mail accounts, their own folders and their own hard drives after an agency receives a FOIA request or legal inquiry. “I have termed this ‘fractal record-keeping,’ going to every branch and every twig of the organization’s tree,” he says. “It would be so much more consistent with NARA [regulations] if the enterprise as a whole could search for e-mail and insist that the record copy be in electronic form and able to be searched by all, not just by individual people. People come and go. Where do the records go when I leave if there’s not a process to transfer all 18,000 e-mail messages I have in a folder?”
4 DON’T Confuse Backup With Archiving
Besides e-mail, risks lie in the disposition of backup tapes as well. “If you had to triage your problems, risks and things that get agencies into trouble, it’s e-mail, it’s backup tapes,” says Baron. Distinguishing between backup processes and those used for archiving is key. “Backup tapes shouldn’t be viewed as record-keeping systems. They should just be for disaster recovery.”
Redgrave shares this view, which is also discussed in Sedona Principle #8. “You really need to have a good handle on what is being done, both in the archiving of information for medium-to-long-term storage as well as [what’s being done in the area of] backup,” he says. “Data should be kept only as long as necessary for backup, and then those tapes and media should be truly destroyed or rewritten — unless there is a legal hold. A lot of times, people use backup tapes for archive and preservation.” In the area of information management programs and policies, the Electronic Discovery Reference Model shares criteria you can use to apply to data used for backup versus archiving.
5 WORK Short Term, Think Long Term
Experts acknowledge that the process of “getting there” may seem unending, but maintain that agencies can accomplish much groundwork in the first nine months, simply by creating an interdisciplinary team of legal personnel, records managers and IT folks who meet regularly to hammer-out policy.
The key to success, says Redgrave, is to view the process as an opportunity instead of a challenge. “It’s an opportunity to say, ‘We have legal requirements in terms of preserving data and preserving it for an investigation. How can we do that well?’” The answer to that question, he says, may lead to putting new applications or tools in the budget stream for forensic collection, or even searching and analysis of data stored on desktop or notebook computers.
“IT is no longer an island,” Redgrave says. “You need to look at it as a process of three to five years before you get a good, solid marriage of business, legal and IT processes.”
Baron also would like to see IT include legal, record-keeping and preservation issues as part of its initial checklist and solicitation process at the front-end of the procurement cycle. “In terms of litigation risk, it would be quite unfortunate to build out a system that doesn’t have any type of record-keeping functionality,” he says.