EDiscovery is a multi-billion dollar industry, and the market gets bigger every year. Competition is notoriously fierce, and vendors will do whatever they think they need to do to get and keep your business. Sometimes that means providing “above and beyond” service. More often, though, that means working to create or maintain the illusion of excellence.
Whether you’re sifting through RFP responses, listening to a sales pitch or asking questions about a live “in-progress” project, a good portion of what you hear from your vendor is designed as much to obscure the truth as it is to reveal it. Half-truths, “spin” and even outright puffery are common, and if you don’t ask the right questions before and during your project, you’ll be wearing rose-colored glasses without even knowing it.
Forewarned, of course, is forearmed, and asking tough questions at the outset of a vendor relationship can save you time, expense and frustration when a project goes “live.” Critical thinking about communication is the key to successful management of outsourced eDiscovery services. Keep in mind that everything you hear from your vendor serves a sales function – the good is always trumpeted while the bad and the ugly are minimized and obscured. Pushing a bit harder for real information is a fundamental best practice in eDiscovery vendor relationships.
To that end, here are five key questions every eDiscovery consumer should be asking of their vendors. Keep in mind, of course, that the "right" answers depend on the situation. Interpreting the answers does require some additional critical thinking and expertise, which you may apply yourself or gain from an eDiscovery consultant.
1. What can I really expect from my project managers?
Project management is the key to client service in eDiscovery, and it’s an area where you’re very likely to hear exactly what you want to hear whether or not it’s true. You’ve probably been told that you’ll have a “dedicated” project manager who will be available to you any time you need him or her. Your nonsense detector should be on overload already – the notion that a project manager will be assigned exclusively to your project day and night should never pass the smell test.
Ask your vendor what the actual staffing structure will be – how many project managers will be assigned to your matter? What coverage hours should be expected? How many other projects will they be working on? How can you be sure that the project managers are all well-informed about your particular requirements? What’s the usual workload of the vendor’s project managers? What do they do to ensure retention and knowledge transfer?
2. Which processes involve manual intervention?
Good software and automation are the foundation of any robust eDiscovery process. Repeatable results are the cornerstone of your ability to effectively represent that you’ve complied with discovery demands and orders. You can be sure that your vendor strives for automation in the pursuit of accuracy and efficiency. You can be just as sure that their efforts do sometimes fail, and that manual processes fill the gaps.
Every manual process is a potential point of failure. Every situation in which human intervention is required presents an inevitable risk of human error. Pushing your vendor to identify these potential points of failure puts you in a position to press for particular accuracy and completeness in these areas.
3. How are hosting charges calculated?
Hosting charges for large matters can become significant and are a common area where expectations fail to connect with reality. That’s because your vendor’s sales people are trained to underestimate items like hosting and your vendor’s operations team is trained to bill for everything.
You might expect that the 100 GB of .pst files you sent for processing will generate 100 GB of hosting fees every month. That expectation is reasonable, but in most cases it’s wrong. That 100 GB of .pst data is likely to result in 150GB of hosting without even tiffing the data. Litigation databases typically have records linking to separate native files for both parent emails and their attachments, which means that you are likely paying to store attachments twice – once embedded in the parent email, then again as a separate attachment file. In addition, many vendors charge you for storage of the database itself, which can ultimately become quite large. If you add tiff images, the storage footprint for your 100 GB of email could grow to 200 GB or more.
At the outset, ask your vendor how hosting costs are calculated. Then hold them to their answer by requesting a monthly report detailing the sources of your hosting charges. In this way you can avoid unexpected costs that can tip your project over budget in a very short time.
4. What types of files are not handled natively?
Good processing software should handle common file types natively without conversion. Any conversion process risks spoliation, data loss, or alteration of metadata. It may surprise you to learn that many vendors can’t handle some common email formats natively - .ost files are a common example, and some vendors can’t process .nsf, mbox or other common types without converting them to .pst. Most vendors also employ Microsoft’s “scanpst” utility to repair .pst files that appear to be corrupt. What’s disturbing is that conversion or repair processes are often undertaken without notifying the client. Bearing in mind the possibility of data loss and spoliation, clients should be notified of any conversion or repair effort. And yet, if you don’t ask, vendors most likely won’t tell. Request a list of any and every common file type that your vendor can’t process natively, and you’ll be well aware of the risks before they turn into issues.
5. How are indexing and search results validated?
Complete and accurate search results are essential to every eDiscovery effort. Search terms are often used to cull data at the outset, which means that data without search terms falls out of the process completely. This is wonderful if and only if you’ve successfully captured everything you may need to review. Missing documents and data can result in sanctions and adverse inferences, so the completeness and accuracy of searches is absolutely vital.
Ask your vendor how indexes are updated and how analysts and clients are kept informed of indexing status. In addition, ask how indexing exceptions and errors are logged and reported. Searches are not complete until they’re actually complete.
More importantly, ask your vendor how search syntax and results are validated. Search execution is both an art and a science, and incorrect searches are an exceptionally common issue in eDiscovery projects. Asking for a documented validation process for search construction and execution puts you in the driver’s seat for this vital stage of your project.
Perfection is rarely a goal in eDiscovery. In the history of the industry, the examples of flawless project execution are few and far between. Every eDiscovery consumer should be armed with tough questions for their vendors so that the inevitable will never take you by surprise.
Insight on law and technology.
Thursday, July 31, 2014
Wednesday, July 30, 2014
No, BYOD Will Not Solve Your eDiscovery Problems
A recent article on Dell Computer’s “Tech PageOne” blog suggests that the advent and growth of BYOD (“Bring Your Own Device”) policies will serve to shield companies from eDiscovery costs. The article suggests that the use of personal devices for business purposes will place those devices beyond the control of employers, thus excusing them from the obligation to produce the data they contain. Privacy concerns, the article posits, would ultimately trump any compliance, discovery or production obligations.
Now before you rush off and rewrite your internal security policy to allow, encourage, or even require BYOD, let’s think this through. BYOD will not serve to excuse employers from their preservation and production obligations. Preservation obligations don’t arise from convenience, they arise from statutory and common law duties. For a company that allows BYOD, internal procedures and policies must address collection from personal devices – anything less would be negligent. It’s not difficult to envision a court imposing sanctions for discovery omissions created by the existence of relevant data beyond a litigant’s custody and control where the litigant should have reasonably anticipated the need to preserve and produce that data.
Instead of assuming privacy concerns and “custody and control” arguments will excuse fundamental compliance and discovery obligations, employers who permit BYOD are obliged to consider the retention implications of such a policy and to put sufficient controls in place to allow discovery of data held on those devices to occur. Requiring employees to sign privacy waivers is a far more likely outcome. Indeed, a waiver policy would also serve important data protection goals for such situations as departing employees whose personal devices hold proprietary or sensitive information.
Rather than reducing eDiscovery costs, BYOD is more likely to increase them, as data is stored in different formats and structures on diverse and non-uniform devices, necessitating manual collection and culling efforts. It’s also true that storage of identical data in different formats across multiple operating systems increases the likelihood that conventional de-duplication methodologies will fail, resulting in over-processing and unnecessary review.
BYOD may look great to manufacturers like Dell, who would, I’m sure, love to circumvent corporate procurement policies and discounts by selling business devices to individual employees. A thoughtful approach to the risks and rewards of BYOD should account not only for the security implications of such policies but the potential eDiscovery issues as well. Those issues are almost certain to tip the scales against BYOD without strict controls and privacy waivers.
Now before you rush off and rewrite your internal security policy to allow, encourage, or even require BYOD, let’s think this through. BYOD will not serve to excuse employers from their preservation and production obligations. Preservation obligations don’t arise from convenience, they arise from statutory and common law duties. For a company that allows BYOD, internal procedures and policies must address collection from personal devices – anything less would be negligent. It’s not difficult to envision a court imposing sanctions for discovery omissions created by the existence of relevant data beyond a litigant’s custody and control where the litigant should have reasonably anticipated the need to preserve and produce that data.
Instead of assuming privacy concerns and “custody and control” arguments will excuse fundamental compliance and discovery obligations, employers who permit BYOD are obliged to consider the retention implications of such a policy and to put sufficient controls in place to allow discovery of data held on those devices to occur. Requiring employees to sign privacy waivers is a far more likely outcome. Indeed, a waiver policy would also serve important data protection goals for such situations as departing employees whose personal devices hold proprietary or sensitive information.
Rather than reducing eDiscovery costs, BYOD is more likely to increase them, as data is stored in different formats and structures on diverse and non-uniform devices, necessitating manual collection and culling efforts. It’s also true that storage of identical data in different formats across multiple operating systems increases the likelihood that conventional de-duplication methodologies will fail, resulting in over-processing and unnecessary review.
BYOD may look great to manufacturers like Dell, who would, I’m sure, love to circumvent corporate procurement policies and discounts by selling business devices to individual employees. A thoughtful approach to the risks and rewards of BYOD should account not only for the security implications of such policies but the potential eDiscovery issues as well. Those issues are almost certain to tip the scales against BYOD without strict controls and privacy waivers.
Tuesday, July 29, 2014
Your Privileged Communications: An Open Book
A recent Lexis/Nexis survey revealed some disturbing truths about the protection of privileged communication between law firms and clients. The survey of 282 respondents in 15 practice areas across 40 states, asked attorneys what security measures they take to protect privileged communications sent via email. 77 percent said that they include the confidentiality statement with the email.
What's even more disturbing is that only 22 percent said that they encrypt privileged emails. Fewer still make use of fundamental security measures like password-protecting documents or sending links to documents rather than sending the files themselves. In fact, the survey also found that 52.5 percent of lawyers have used free consumer file sharing services like Dropbox for privileged communications.
A full summary of the survey can be found here: http://businessoflawblog.com/2014/05/file-sharing-lawyer/
Lawyers can no longer live in denial of their responsibility to use technology in a safe and secure manner. Attorneys need to recognize that their fiduciary duties to their clients include a duty to be conscious of the security requirements of communication in the digital age. No attorney should choose convenience over protecting the confidentiality of their communications and their clients' data.
Monday, July 28, 2014
Compliance Obligations: They're Not Just for Parties Anymore
It is axiomatic that parties to a litigation can find themselves on the hook for fees and sanctions when spoliation is found, but the case of Logtale, Ltd. v. IKOR, Inc. in the Northern District of California highlights the principle that counsel can be sanctioned as well, when counsel is found to have neglected their duty to ensure a client’s search for responsive documents and information is complete. In this case the defendants and their counsel were each assessed a portion of a $1.4 million sanction award.
Neither counsel nor their clients can take discovery obligations lightly - attorneys need to ask the right questions in order to fully understand the landscape of their clients' data to ensure that their own representations of compliance are true and accurate. Anything less than that exposes both the client and counsel to potential liability.
All the salient details can be found in the always interesting ELL blog.
http://ellblog.com/another-reminder-that-attorneys-are-responsible-for-the-e-discovery-behavior-of-their-clients/
Neither counsel nor their clients can take discovery obligations lightly - attorneys need to ask the right questions in order to fully understand the landscape of their clients' data to ensure that their own representations of compliance are true and accurate. Anything less than that exposes both the client and counsel to potential liability.
All the salient details can be found in the always interesting ELL blog.
http://ellblog.com/another-reminder-that-attorneys-are-responsible-for-the-e-discovery-behavior-of-their-clients/
Subscribe to:
Posts (Atom)