Too Much Information
BEFORE THE COURTS CLARIFIED civil litigants’ rights to know relevant case information in advance of a trial, lawsuits were often tried by surprise. Victory frequently hinged on evidence revealed for the first time in the courtroom. That changed with the advent of what we now call discovery, which was codified in 1938 with the implementation of the Federal Rules of Civil Procedure (Federal Rules). The Federal Rules mandate that the parties voluntarily disclose all of the information that they have or control and may use to support their claims or defenses. The Federal Rules have been amended over the years, most recently in 2006 to address discovery of electronic information. While no one doubts the fairness of having these procedures, compliance can be burdensome, and that burden has grown now that information exists digitally in so many formats and locations.
Security professionals can help ensure that their companies are prepared to comply by understanding what’s discoverable, mapping the company’s data, and devising an information management plan that addresses how information will be gathered, preserved, accessed, searched, and processed in response to discovery requests.
The Federal Rules require the parties to make voluntary disclosures early in the discovery process and to implement procedures to preserve all types of discoverable information. Courts take discovery-rule violations seriously. For example, in Qualcomm, Inc., v. Broadcom Corp. (U.S. District Court for the Southern District of California, 2008), Qualcomm failed to produce more than 46,000 documents, including e-mail. This violation cost Qualcomm more than $8.5 million in penalties.
Given the volume of information that a company might have to produce quickly, it makes sense for every organization to put a system in place for meeting this legal obligation long before there is even a dispute that could precipitate a court case.
The first step is to determine which information could be discoverable and to develop a map showing where and how that information is maintained by or for the company. Under the Federal Rules, any information that is relevant to the topic of a case is discoverable unless it is protected from discovery by a recognized privilege.
Information may also be exempted from discovery if it is not reasonably accessible because of undue burden or cost. If this decision is challenged by the other party, the court may specify conditions for its discovery, but the court must limit the frequency or extent of discovery if certain conditions are met. For example, the court must limit the discovery requirement of electronic data if the information can be obtained from another source that is “more convenient, less burdensome, or less expensive.”
Similarly, discovery must be limited by the court if “the burden or expense of the discovery outweighs its likely benefit.” The court determines this by considering various factors, including the controversy of the case, the resources of the litigants, and the necessity of the discovery to the issues at stake.
In comments to the 2006 amendments, the Judiciary’s Advisory Committee on Federal Rules, reminded the courts to be wary of abusive or overreaching requests. The comments noted that testing and sampling electronic information does not mean that one party has direct access to another’s electronic information systems. In the comments, the committee noted that “courts should guard against undue intrusiveness resulting from inspecting or testing such systems.”
Ultimately, what is discoverable will be determined by the courts based on the facts in each case. In planning how to comply with future discovery requests, companies should simply assume that all information could be discoverable.
The company must be prepared to access and search information wherever it is stored locally or remotely—whether on servers, PCs, laptops, cell phones, phone systems, Web sites, or any other storage media—including backups and archives. Management must also have a plan for recovering deleted information if that becomes necessary and accessing and searching legacy data, defined as information that is maintained in obsolete formats or on obsolete media.
One tool that can help in meeting these objectives is an information map. An information map helps legal counsel efficiently oversee the company’s discovery obligations. When prepared at the request of counsel, the information map and related discussions may be protected from discovery by the work product doctrine or attorney-client privilege. When not prepared at the request of counsel, however, the information map can become a powerful tool for opposing counsel.
Every company should also have a record retention and destruction policy. Once an information map has been developed, lead information security personnel should review the company’s record retention and destruction policy to ensure that each type of information is covered and that the policy is followed. Security should help to make sure that the destruction practices employed by the company are effectively purging the company’s records of unnecessary information. Doing so will reduce the volume of information the company retains, making discovery more manageable should it have to be carried out.
Companies must also ensure that relevant documents aren’t destroyed after the commencement of litigation or a government investigation. The company’s retention and destruction policies should address that issue and should be used by counsel and security. Along with the information map, the retention and destruction policy will help counsel quickly identify and gain control over repositories of potentially discoverable information.
The next step in the preparation process is developing a plan to manage the information maintained by or on behalf of the company. Ideally, the plan should be tailored to address each type of electronic information identified on the information map because it is difficult to predict what electronic information will be relevant in any given case. The plan should include, among other things, the names and contact information of those both inside and outside the company who are charged with maintaining each type of electronic information on the map.
Accessibility. The plan must address how information will be accessed to meet a discovery requirement. The methods for doing this vary from manual review to keyword searches to sampling, depending on the type and volume of information to be searched. The search criteria will vary by case, but the litigants’ counsel will almost always want to search by relevant dates and by matching relevant information to individuals who had contact with that information.
One challenge is having a process for accessing information maintained for the company by third parties. The plan must address this issue. The company should make sure that contractual arrangements with third parties address how discovery requests will be handled. The agreement with the third party should include language requiring it to provide an effective means for the stored data to be accessed in readable form should the need arise. A thorough provision would describe the procedure for accessing the data, response times, responsibility for costs, and any other issued dictated by the type of information being maintained.
Another challenge is the use of nonbusiness e-mail accounts for business. Companies should include language in their employee manual stating, at a minimum, that no business is to be conducted using personal e-mail accounts. It is even possible to have employees sign a document granting the company the right to examine an employee’s personal e-mail account without first having to obtain a subpoena if the company has reason to believe that the employee has violated this policy.
If such a search is necessary, the company should have it conducted by a third party who is instructed to disclose only business-related content. That process protects the privacy of employees and anyone else using the private e-mail account.
Also a concern is that business information may be on personal cell phones that aren’t available to information managers. For many companies, cell phones are an essential business tool, so they cannot simply be banned. In light of this, the best practice is to include language in the employee manual (which employees should have to sign) that gives the company the right—again, without first obtaining a subpoena—to temporarily take and examine the cell phone and associated voice mail, call history, e mail, text messages, contacts, and memory cards upon request if the company suspects that the cell phone was used for business purposes. As with nonbusiness e-mail, company policy should call for the examination of cell phone records to be conducted in confidence by a third party who is instructed to disclose only business-related content to the company.
The volume of discoverable e-mail can routinely run into the thousands of pages, and in some cases, it can be overwhelming. For example, 32 million e-mails were sought in the RICO lawsuit filed by the United States against various tobacco companies in 1999. And that was before e-mail became ubiquitous.
Fortunately, the Federal Rules are adapting to these special challenges. For example, the rules recognize sampling as an acceptable means of determining which document sets may contain relevant information. Use of sampling techniques, which determine whether certain topics are likely to be present in documents based on the analysis of a representative sample, can greatly narrow the body of electronic information that needs to be produced, which can reduce the cost of discovery significantly.
Legacy information. Legacy information maintained on backup media presents a challenge because it may be stored in an old format and at remote locations maintained by third parties. Annual testing and maintenance of proper equipment or contracts with third parties who have the proper equipment is advisable to ensure that this information is accessible.
Instant messages. Instant messages can be particularly problematic as they are usually not saved anywhere. Saving them isn’t technologically necessary as they can’t be sent unless the intended recipient is logged on to the instant message service. In this sense, they are more akin to telephone conversations than e-mail. They can be saved, however, so it is imperative that the company set policies regarding their use, such as whether they must be saved. Steps should be taken to ensure that the custodians, if any, of recorded instant messages know what their obligations are with regard to preventing spoliation of evidence if their company is sued or subjected to a government inquiry.
Companies should have a policy regarding the retention of instant messages, and they should enforce that policy. However, because the technology is relatively new and the case law has not yet been established, no one policy has been deemed a best practice. It is my view that if it is practical for a company to ban the use of instant messages, it should do so.
If instant messaging is necessary, managers must decide whether to retain the messages on the corporate server. If it is impractical to record all conversations at all times, managers should start recording them when they suspect an employee is disclosing confidential business information or engaging in improper activities, such as sexual harassment.
While there is no right of privacy in the business setting, sign-in screen notices that remind users that their communications are subject to being monitored and that they do not have an expectation of privacy in their e-mails and instant messages are also advisable. If instant messages are recorded, they should be covered in the information map and the record retention and destruction policy.
Protected information. Not all information is equal. There will be confidential business information that may require protection by the court, privileged information that should be excluded from discovery, and private information, such as personal medical data, that may require special steps to protect.
There is no mention in the Federal Rules of a right to refrain from producing otherwise discoverable information—in any form—because it is confidential or subject to privacy laws. The authority for this is grounded in case law. Courts in the United States have been managing the conflicts caused by a clash of discovery and privacy rights for decades. They do so today by balancing the privacy interest with the interest of the requesting party.
Courts use the approach set out by a federal appeals court in In Re: Motion to Unseal Electronic Surveillance Evidence, Howard J. Smith, Appellant v. Donn H. Lipton, Appellee (U.S. Court of Appeals for the Eighth Circuit, 1992). In the case, the court noted that litigants may obtain “discovery regarding any matter, not privileged, which is relevant to the subject matter involved in the pending action.” The court also noted that the rules of discovery allow intrusions into the private affairs of those involved in the case as well as third parties.
While this case was decided in 1992, the explanation remains applicable to the discovery of electronically stored information. In balancing the public interest in discovery against the right of privacy, courts take into account that not all so-called “private” information merits the same level of protection. The privacy interests in names, addresses, and phone numbers are not given the same level of protection as the intimate details contained in medical records and personal histories, for example.
Typically, courts seek to protect privacy interests by authorizing redaction of private information and granting protective orders. The problem with electronically stored information is that it is so voluminous and our electronic communications practices are so informal that it is often hard to locate information that should be redacted without spending a prohibitive amount of money having each communication analyzed. Good information maps that flag repositories of private information can help control costs.
Crossing borders. The situation is even more complex when the privacy interests of foreign nationals are involved. The courts take a markedly different approach when information sought in discovery would not be discoverable if the action were brought outside of the United States. For example, in Société Nationale Industrielle Aerospatiale et al. v. United States District Court For The Southern District Of Iowa (U.S. Supreme Court, 1987) a French litigant maintained that the court was obligated to block discovery because the Hague Convention governed the information, not the Federal Rules, and the production of the information would not be required under French law. The U.S. Supreme Court disagreed and held that U.S. district courts have the power to order a foreign national party to produce evidence physically located outside of the United States. It warned U.S. courts, however, to supervise these cases closely to prevent discovery abuses, noting that high transportation costs could improperly be used to induce settlements.
Since the Court’s decision in Société Nationale, U.S. courts have repeatedly held that those opposing discovery of foreign-based information must prove that its disclosure in discovery will violate a foreign law before the litigant will be allowed to argue that it should be exempted from disclosure. However, the court may still order production of the information, thus placing the litigant in the difficult position of having to choose whether to violate the court order or foreign law.
Because of this issue, it is important for companies to be able to identify and flag information sources that are likely to contain private information related to foreign nationals so that they can be carefully monitored and analyzed by legal counsel.
Electronic discovery poses many challenges because of the wide variety of forms, difficulties of complete erasure, and sheer quantity. But with the possible exception of complications related to the attempted discovery of private information located outside of the United States, these challenges can all be managed. Careful advance planning is the key. Companies with successful plans in place will be prepared to face the challenges posed by electronic discovery.
R. Mark Field is a shareholder of Evans Petree Bogatin, PC in Memphis, Tennessee. He serves as co chairman of his firm’s Corporate Practice Group, co-chairman of the Information Services, Technology, and Database Protection Committee of the American Bar Association’s International Law Section and chairman of the Online Security and ePrivacy Committee of the association’s Intellectual Property Section.