When compliance knocks

Oct. 9, 2014
How to integrate e-discovery into business processes

How to integrate e-discovery into business processes

Sheila Mackay, Xerox Litigation Services, San Francisco, CA

With little notice, corporate compliance officers, in-house counsel, and other legal professionals for organizations in the oil and gas industry may be required to hand over sensitive files in response to compliance, regulatory, or investigative requests. Most of these files are likely to be in electronic format, which can create a host of challenges. The continual increase in volumes and types of electronically stored information (ESI), including e-mail, social media, cloud-based applications, and the like, coupled with heightened government oversight and intervention, means the stakes and costs of complying with these requests have never been higher. When managed inconsistently, these requests pose a great risk to oil and gas corporations.

Therefore, as e-discovery-which involves identifying, collecting, reviewing, and producing potentially relevant data in an investigation or litigation-converges with compliance, oil and gas corporations must understand how to manage these processes to minimize exposure to extensive costs and risks while maximizing the value of their data for business purposes. The best methodology for doing so consists of five key steps that will incorporate e-discovery as a repeatable business process into the larger corporate compliance program.

Step 1: Build an e-discovery response team

An initial step in merging e-discovery with business practices is forming a multifunctional team. To imbed e-discovery in the organization's culture, executives must buy in to the value of the process. Therefore, the team not only should include senior-level managers, but also a high-level champion or advocate. In addition, to maximize transparency and facilitate communication, the legal and IT departments should be represented, along with members of any other departments involved in compliance. Thoughtful collaboration between a cross-functional team of representatives can ensure that the policies they implement are balanced and comprehensive. Finally, to manage any gaps in knowledge, expertise and/or technology, the team should recruit outside specialists, including consultants and e-discovery service providers. The best time to thoroughly vet potential partners and determine whether the scope of their services matches organizational needs is before a lawsuit is filed or before an investigation commences.

Step 2: Create a culture of information governance

Given the various urgent priorities that they must juggle, organizations often ignore their information stores until a crisis arises. And when it does, a myopic focus on individual discovery requests can mire organizations in the weeds and prevent them from taking a holistic view of better ways to manage their information.

Instead, organizations should take a proactive, universal approach to their data and create an overarching information governance program. At a minimum, this type of program consists of two elements: a records inventory and a records retention program. An inventory is a map of where the organization's data resides, identifying it by custodian, content, type, and location, so that it can be immediately pinpointed in the event of an emergent data request. A records retention program includes a schedule for retaining-and disposing of-various categories of online and hard copy documents according to legal, fiscal, or administrative requirements.

By creating a culture of information governance, organizations can move from a reactive viewpoint of merely managing requests for their data on a day-to-day basis to a more proactive stance that governs how the organization as a whole will organize and control its data. By considering the entire universe of their data, organizations can develop a coordinated system that ensures that they can retain-and easily find-critical data. Keeping unnecessary data is costly in the short- and long-term; organizations should curtail the amount of data they store that no longer serves a business purpose and shed the burdens of following a seemingly easier but much more burdensome and risky policy of keeping everything. In short, by building an enterprise-wide information governance program, anchored in reasonable record retention policies, they can transform their data from a liability into an asset.

The final step in this process is disseminating the information governance policies and procedures to all employees. But in addition to giving employees access to the policies, the team should find opportunities to train employees routinely on the policies and explain the consequences of violating their terms for both the employees and the organization itself. By doing so, custodians will be encouraged to prevent the destruction of data and to use data responsibly.

Step 3: Create a litigation readiness plan

After corralling the organization's data, the team should turn to developing a litigation readiness plan. This plan's goal should be to accelerate the organization's ability to meet its legal duties under the stress of short deadlines while limiting legal exposure in a reasonable, cost-effective manner. An important aspect of the plan is to enable the organization to avoid overly broad data collection by targeting only potentially relevant data.

One of the most critical aspects of these plans-and one that is often litigated-is what will serve as a trigger for the duty to preserve. Currently, organizations are required to preserve evidence as soon as they "reasonably anticipate" litigation. This vague standard is difficult to define, so organizations should consider the various circumstances that may give rise to their duty. The plan should also include procedures for implementing a litigation hold notice, which is a mandate informing all affected employees to preserve pertinent data, assign the responsibility for issuing that notice, and set a schedule for reminding custodians of their continuing obligation to preserve data.

Step 4: Invest in technology

To maximize the defensibility and cost-effectiveness of litigation readiness and information governance protocols, organizations must look to technology since manual search and review is no longer a feasible option when facing time-sensitive data and document requests. Moreover, delegating various decisions to employees, such as when the duty to preserve arises, when to notify and remind employees of their duty to preserve, and how to search their own documents for responsive information. Inconsistent interpretations and compliance by individual employees can thwart even the best-intended e-discovery efforts.

To facilitate carrying out these duties, the team should consider whether to acquire an e-discovery software platform that can automate a number of e-discovery-related functions, whether this technology is brought in-house or managed by a third-party service provider as a hosted model. For instance, today's software can send, manage, and track the requisite litigation hold notifications to custodians. Furthermore, advanced e-discovery tools can speed the location and review of pertinent information. As an example, using keyword search and advanced analytical tools to mine for responsive data and employing techniques such as technology-assisted review to prioritize documents can expedite review, saving time and reducing costs. Moreover, these tools can enhance the accuracy of a review, creating greater defensibility for a company's e-discovery process. Finally, they can add a layer of protection for sensitive information, such as privileged material or proprietary trade secrets, by flagging documents that contain certain keywords for a higher level of review or leveraging tools that automate the detection and redaction of sensitive information such as PII or NPI.

Step 5: Create an audit trail

Even the best processes and most effective technology are not a silver bullet. Therefore, it is imperative for organizations to create a thorough audit trail. If a court or regulatory agency questions an organization's discovery processes and decisions, a detailed log of the steps the organization took to preserve, collect, review, and produce its data can demonstrate good faith compliance with the organization's documented procedures and discovery duties. By taking these five proactive steps, oil and gas organizations can integrate e-discovery into their existing business and compliance practices, facilitate their access to critical data, and protect themselves from potential liability and sanctions well in advance of any litigation or regulatory investigation. Moreover, they will align their e-discovery initiatives with their overall corporate compliance mandates, which can limit their costs and risk exposure in the short and long term.

About the author

Sheila Mackay serves as senior director at Xerox Litigation Services and the electronic discovery consulting group. The group advises corporate clients and law firms on all aspects of the e-discovery process, including litigation readiness, data preservation, data collection and collection strategies, defensible data reduction, and strategic search and search consulting.