Lorman Data-Mapping & November 4, 2009 Electronic Information … · 2018-11-19 · Data-Mapping &...
© 2009
Robert D. Brownstone, Esq.
Data-Mapping & Electronic Information
Management (EIM)
Lorman November 4, 2009
Risk Management for Daily Efficiency
and Litigation-Preparedness
EIM GROUP ©
2
Agenda/ Outline
I. Technology and Information -Risk-Management (IRM)
A. Electronically Stored Information (ESI) Liability Risks
1. “Smoking Gun” Content
2. Information-Security Risks
B. Records-Retention & EIM Regimes
1. Over-Saving Costs
2. Under-Saving Risks
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL
UNDERSTANDING OF CURRENT LAW AND PRACTICES. THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
3
Agenda/ Outline
II. Benefits to be Derived from Data Mapping
A. eDiscovery/Litigation Prep. and Risk-Insulation
1. Costs-Reduction
2. Destruction “Safe Harbor”
B. Governance, Risk-Management and Compliance (GRC)
C. “Going Paperless”
4
Agenda/ Outline
III. Data-Mapping Approaches/Processes
A. WHO should be involved?
B. WHAT is the scope?
C. WHY has the task at hand arisen?
D. WHERE are the key locations?
E. WHEN to start, stop, update, etc.?
IV. Descriptions and Excerpts of Different Kinds of Maps
5
INTRO – ESI’s pre-eminence . . .
Only 0.01% of newly created information is stored in paper (UC Berkeley Study 2003)
Trillions of e-mails sent annually
PLUS: Posts on blogs/wikis/social-networking sites
Twitter tweets
Other Internet activities
I. Tech & IRM – A. ESI Liability Risks
6
Under amended Fed. R. Civ. Pro. (@ 12/1/06), Initial Disclosures, Interrogatories, RFP’s and Subpoenas now all encompass ESI
Similar changes to Cal. C.C.P. & Cal. R.C. now in place. Growing trend among states.
Compare enacted – and pending – state law procedural rules:
<www.applieddiscovery.com/ws display.asp?filter=State%20Courts>
<www.krollontrack.com/rules-statutes/>
Biggest data set always e-mail
I(A). Tech & IRM – ESI Risks (c’t’d)
7
E-mail communications generally less formal and less thoughtful than other, pre-21st-century correspondence
"Candid comments" can have significant impact
CAN’T GO BACK IN TIME TO “TERMINATE” . . .
See “E-mail’s Nine Lives” (available from presenter)
See also Correy Stephenson, Advising clients before they hit 'send' (Lawyers USA Jan. 2009)
<http://fenwick.com/pressroom/5.1.1.asp?mid=606&loc=FN&p2=23&f=2.23.3&s=1055>
SO USE BEST EFFORTS TO REFRAIN FROM WRITING AND FROM OVER-SAVING . . .
I(A). Risks – “Smoking Gun” Content
"Quick, delete that e-mail before Eliot Spitzer sees it!"
(Corante NY 7/29/05)
8
I(A)(1). eInfo Evidence – “Multiple Audiences”
Multiple Audiences ("Green Eggs & Ham") Test:
Would you like to see it in the press?
Would you like it on a competitor’s desk?
Would you like it in the government’s hand?
Would you like to read it on the witness stand?
If the content will get you slammed, then . . . .
DO NOT SEND IT, SAM I AM
© Fenwick & West LLP; Mark Ostrau; Robert Brownstone
<www.fenwick.com/services/2.23.0.asp?s=1055>
9
Not just live E-mail . . . also . . .
E-mail Archives (company-wide and individual)
Databases (DMS, etc.)
Shared Network Drives
External Websites; Intranet/Portal
Blogs and Wikis (authorized), both external and internal
IM (company-provided) and Voicemail
Hard Drives of local machines
Portable-Devices/Removable-Media
I(A). Tech & IRM – 2. InfoSec. Risks
10
I(A)(2). InfoSec. Risks – Data Leakage
Sites/Networks Attacked/Hacked
Extranets – misuse of access rights settings
E-mailing an attachment whose metadata contains confidential information
<http://www.newsfactor.com/story.xhtml?story id=52124>
11
II. Ways Information Can Get Exposed (c’t’d)
Portable-devices/removable-media lost or stolen
Laptops
Smartphones (alert IT Helpdesk to send “kill” signal)
DVD’s, CD’s, USB sticks, thumb-drives, etc.
Viruses, Worms and Malware, Oh My
Attachments not only potential culprits. So are:
files downloaded from suspect websites
P2P file-sharing software
.pdf attachments from unknown sources
links taking you to suspect websites
<www.getrichslowly.org/blog/2006/10/31/reader-story-coping-with-theft>
12
I. Tech & IRM (c’t’d)
B. Records-Retention & EIM Regimes
INTRO – Big Picture: Divide information universe into
• legal and/or business need to retain
• EVERYTHING ELSE = dispose/delete
• Key goals:
• Know – > high level – what you have and where
• Substantial compliance with a routine
13
I(B). Tech & IRM (c’t’d) – Retention & EIM
1. Over-Saving Costs:
retrieval capability
storage fees
efficiencies in:
operations
projects
transitions
collections/productions
14
I(B)(1). Over-Saving Costs/Risks (c’t’d)
Aim for effective and cost-efficient collection in response to government inquiry or lawsuit because:
eDiscovery costs staggering
Cost-shifting iffy at best
Unavoidable services expense for litigant, especially when outsourced by law firm via an .asp model (pay-per-gig or per-click)
15
I(B). 2. Under-Saving Costs/Risks
“Must Keep” Various Statutory/Regulatory Periods, e.g.:
Safety Statutes/Regs
Tax
EMP/HR Periods
Cf. Statutes of Limitation (SOL)
16
I(B)(2). Under-Saving Costs/Risks (c’t’d)
Litigation-Hold (Preservation):
Sarbanes-Oxley Federal Criminal Obstruction of Justice Crime(s)
See generally 3/10/08 N.L.J. article at
<www.fenwick.com/docstore/Publications/EIM/SOX Litigation-Hold Triggers.pdf>
Attorney Ethics Rules
Case-Law Preservation (Destruction-Suspension) Duty
See generally 5/11/09 Give P’s a Chance (“Policies . . . Protocols . . . [and] Preservation”) article at
<www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202430718101>
17
I(B)(2). Under-Saving Costs/Risks (c’t’d)
Not meeting Business Needs, e.g., . . .
Corporate/historical records
IP (including engineers’ records for patent conception proof; invention assignments, etc.)
Contracts (until performance end dates plus SOL?)
Contractually imposed requirements (audit rights)
18
A. eDiscovery/Lit. Prep. & Risk-Insulation
1. Costs-Reduction, given estimates of eDiscovery $ in U.S. commercial lit.:
2008 = $ 3.4 Billion
2009 = $ 4.0 Billion
2010 = $ 4.6 Billion
George Socha & Tom Gelbmann, Mining for Gold, Law Tech. News (Aug. 2008) <www.lawtechnews.com/r5/showkiosk.asp?listing id=2117297>
II. Benefits to be Derived From Data-Mapping
19
THE GOAL: avoid the triple-whammy of eDiscovery costs:
1) a vendor charging per Gb and/or per click to process an unnecessarily large data set
2) attorneys doing bloated review of duplicative email strings and eFiles
3) legal and tech teams racking up even more costs and fees in protracted litigation
Early analysis enables clients to assess a case’s strength or weakness . . . and decide much earlier whether to litigate or settle
II(A)(1). Benefits – Costs (c’t’d)
20
So-called Safe-Harbor in Fed. R. Civ. P 37(e) (@ 12/1/06)
• "Absent exceptional circumstances, a court may not impose sanctions under these rules for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system."
<www.uscourts.gov/rules/EDiscovery w Notes.pdf>, at 40
II(A). 2. Destruction “Safe Harbor”
21
“AN electronic information system.” Not just a party’s
Federal Rules Report, at App. C-89 <www.uscourts.gov/rules/Reports/ST09-2005.pdf#page=174>
Sword and shield. Id.
So, to extent data storage outsourced, litigant should have synched up schedules and stop-the-presses lit-hold notices, etc.
II(A)(2). eDiscovery – Safe Harbor (c’t’d)
22
To extent data storage outsourced, synch up schedules
Assume your organization will ultimately be held responsible for production of any pertinent records in discovery
Cf. Tomlinson v. El Paso Corp., 2007 U.S. Dist. LEXIS 64783 (D. Colo. 8/31/07) (given that ERISA imposed duty to ensure employee benefits records were accessible for inspection, compelling production – under Fed. R. Civ. P. 26(a)(1)(B) – of information as to record-keeping system of third-party hired to administer benefit records)
<http://Tomlinson-DColo-8-31-07.notlong.com>
II(A)(2). eDiscovery – Safe Harbor (c’t’d)
23
GRC defined as “system of people, processes and technology that enables an organization to:
. . . . set business objectives congruent with values and risks;
achieve objectives while optimizing risk profile and protecting value; [and]
operate within legal, contractual, internal, social and ethical boundaries. . . . ”
Melissa Klein Aguilar, Red Book Alert: OCEG Revises GRC Manual, Compliance Week (4/21/09) <www.complianceweek.com/article/5373?printable=1> (quoting OCEG’s FOUNDATION "RED BOOK” v 2.0)
See generally <http://www.oceg.org/view/RB2Project>
<http://www.oceg.org/resources>
II. B. Governance, Risk & Compliance (GRC)
24
Implicit benefits:
More interaction, simpatico and, ultimately, cohesiveness between [sub-]departments, e.g.:
Compliance
EEO
Facilities/Operations
HR
IT
Legal
Records
Risk Management
II(B). Benefits – GRC (c’t’d)
25
II(B). Benefits – GRC (c’t’d)
KUMBAYA?! Clear, well-thought-out policy language on which multiple constituencies have weighed in . . .
© TOSHIBA
26
Access/Retrieval Efficiencies
Huge speed increases and risk reductions to be gained from – and legal support* for – an all-electronic environment
Electronic vs. Paper:
SEDONA PRINCIPLES; Best Practices Recommendations & Principles for Addressing Electronic Document Production (June 2007), at 2-5 (.pdf pp. 15-18) <www.thesedonaconference.org/dltForm?did=TSC PRINCP 2nd ed 607.pdf>
W. Fenwick & R. Brownstone, Efiling, 19 Santa Clara Computer & High Tech. L.J. 181 (2002) <www.fenwick.com/docstore/publications/Litigation/efiling.pdf>, at .pdf p. 25 (comparing retrieval times of 25 minutes and 20 seconds)
* list of authorities available on request
II. Benefits to be Derived – C. “Going Paperless”
27
Start with old boxes of PAPER: unlabeled and not retrieved or looked at for years
whose labels and/or indices reflect no need to retain
“duplicative” of searchable electronic information
Assess workflow re: all documents and information (letters, invoices, receipts, etc.)
created within your organization
disseminated by your organization
As to incoming documents: wherever possible, get buy-in re: electronic form
to extent control is not possible, develop – and train on – scanning/imaging protocol for all incoming paper
II(C). Paper – Low-Hanging Fruit
<http://evolutionofbpr.com/tag/technology/>
28
III. Data-Mapping Approaches/Processes
INTRO: Weather Vane Approach
Context
WHO/ WHAT/ WHY/ WHERE/ WHEN
29
IT
Multiple key leaders wherever appropriate
Key systems/environments:
E-mail (live AND archive)
Back-ups
Databases (incl. DMS)
Shared Network Drives
Intranet/Portal
External Websites
Blogs/Wikis/Forums (internal and external)
Web-2.0
III. Approaches – A. WHO
30
Legal
In-house or “out-house”
High-level official
Someone who will ultimately “lay down the hammer” as to compliance with new regime/policy
Translator/project-manager
Other Key Stakeholder(s)
III(A). Approaches – WHO (c’t’d)
31
Key considerations: Ultimate new and/or revised policies/protocols
Realities re: maintenance/updating
How many policies will change and/or be synched up with key new(ly revised) one?
Risk: creating “compliance gap”
Legal obligations & IT frameworks often vague
So, to some degree, developing own standards
III. Approaches – B. WHAT is the Scope?
32
. . . has the task at hand arisen?
Bad incident-response event?
Bad eDiscovery experience in lawsuit or subpoena or government inquiry?
Cost-cutting, efficiencies and/or automation?
SOX “internal controls” audit or preparation for same?
Seeking loan and/or financing?
Going public?
IT framework audit?
D&O/E&O Insurance premium reductions?
III. Approaches – C. WHY . . .
33
. . . are the key locations?
In addition to any lengthy work-product/deliverable, one result should be a short chart/menu
Repositories List
See Example excerpt on slide 35
III. Approaches – D. WHERE . . .
34
. . . to start, stop, update, etc.?
III. Approaches – E. WHEN . . .
Three E’s:
Establish
Educate
Enforce
Three-pronged approach
Administration/Policies
Training
Technology
See Global Cisco Study Applies Reality Check to Corporate Security Policies, Draws Connection to Data Leakage Risk (10/28/08) <http://newsroom.cisco.com/dlls/2008/prod 102808.html>
“Research Identifies Gap in Policy Awareness of Employees, Shows 1 in 4 Companies Lacks Security Policies”
35
IV. Descriptions and Excerpts of Different Kinds of Maps
Examples of Maps (Proactive and Reactive): Short/Sweet Repository List
36
IV. Examples (c’t’d) – Server Architecture Diagram # 1
“accompanied the testimony of Microsoft Vice President and Deputy General Counsel Tom Burt presented during the period of public comment on the proposed changes to the Federal Rules of Civil Procedure”
From <www.ediscoveryuniversity.com/Documents/Microsoft Sample Network Diagram.pdf> or
<www.ediscoveryuniversity.com/Documents/Microsoft Client Server Architecture Diagram.JPG>
37
IV. Examples (c’t’d) – Server Architecture Diagram # 2
From <http://content.edgar-online.com/edgar conv img/2007/10/29/0000891618-07-000615 F28075A2F2807501.GIF>
38
IV. Examples (c’t’d) – Web-ified Visio Chart of data flow . . .
• . . . between HR databases & geographical locations
© 2004, 2009 Robert D. Brownstone, Esq.
39
IV. Examples (c’t’d) – Others, described . . .
Spreadsheet with content-types on one axis (rows) and Dep’ts on other axis (columns)
Chart/diagram of physical locations, each with respective list of repositories
Diagrams/flow-charts of SOX internal-controls workflows
Items enabled/facilitated by map:
Records-Retention Schedules
“Pre-Collection Checklist” (available on request)
40
Conclusion/ Questions
Q+A
Robert D. Brownstone <www.fenwick.com/attorneys/4.2.1.asp?aid=544>
650.335.7912 or <[email protected]>
Please visit F&W EIM <www.fenwick.com/services/2.23.0.asp?s=1055>
<www.fenwick.com/services/2.23.4.asp?s=1055>