E-discovery rules double-edged sword for CIOs

By Linda Tucci, Senior News Writer 05 Oct 2006 | SearchCIO.com

IT news and analysis for CIOs Digg This!     StumbleUpon     Del.icio.us

CIOs, however, might want to hold off on the celebrations.

Until the case law defines these terms in a meaningful way that can have broad application, a CIO's job is potentially more difficult. John C. Thomure Jr. attorney, Michael Best & Friedrich LLP

"We have definitions. We have terms, but no court has interpreted those definitions. Until the case law defines these terms in a meaningful way that can have broad application, a CIO's job is potentially more difficult," said John C. Thomure Jr., an attorney at Michael Best & Friedrich LLP in Milwaukee.

Barry Murphy, senior analyst at Cambridge, Mass.-based Forrester Research Inc., said these new e-discovery rules will require CIOs to prove that their companies' policies and procedures regarding electronic information are consistently enforced and auditable.

"The hard part about this is that often the policies and procedures may not be set well, so IT will be reacting to requests."

On the plus side, the new rules acknowledge that electronically stored information (ESI) is a fact of doing business and a trove of potentially useful data in a lawsuit. They also acknowledge that in a digital age where vast amounts of information are stored, litigants cannot be expected to produce anything anybody asks for. But because the new rules also leave open to debate what exactly constitutes reasonably and unreasonably accessible data, a company's electronic information system policies will be subject to legal scrutiny as never before.

"That puts the CIO right in the witness chair," Thomure said. "They are going to be in an uncomfortable position, because they are the gatekeeper for information."

Brian Babineau, an analyst at Milford, Mass.-based Enterprise Strategy Group, recently surveyed 500 IT professionals across industries. During the past 12 months, 50% of them had been affected by a case that required electronic discovery. Babineau said 70% of those professionals had to retrieve an email as part of that electronic discovery.

Good enough?

Under the new rules and amendments, parties in a lawsuit are now required to address the issue of electronically stored data very early in the proceedings, in mandatory "meet-and-confer" sessions. The preservation of electronically stored data and its disclosure, as well as any claims of privileged information, for example, are now on the table in these early meetings, per amendments to Rule 26(f).

"It is not a given that the CIOs should be in those meetings, but they should be," Thomure said. "Having a CIO involved in the early discovery meetings to advise on how to best handle and manage e-discovery issues will help lawyers create a plan that can be implemented. It's like anything else: If you have a good plan, the plan will probably work well."

Some IT executives say having a well-laid plan is their best hope. The rule's vagueness makes it nearly impossible to be assured that firms are doing all they need to do. "It would be nice to know that where I'm going is where I need to be going as we want to make sure we are doing the right thing," said Robert Pappagianopoulos, chief security officer at Partners HealthCare System Inc. in Boston. "But at the end of the day, you just have to know that you've done everything you could."

The government's attempt to sort out what is fair game for discovery of electronically stored information is more problematic, in Thomure's view. The new rules state that a responding party is not required to produce electronic data it identifies as "reasonably inaccessible because of undue burden or cost." What is reasonably or unreasonably accessible information, however, is not spelled out and almost surely up for extensive and expensive legal debate.

"Parties will do their best to sort that out, and a party that is not satisfied with a response of a litigant in not providing access to certain e-discovery requests will go to court. The litigation and case law will have to give meaning to what is reasonably accessible and what is not reasonably accessible," Thomure said.

More is better

In the absence of clarity, companies and their CIOs would be wise to "overpreserve the rule," Thomure advises, which means CIOs should factor in litigation "holds" when planning for data storage.

The new rules do provide a "claw-back" provision, or the right to essentially get back or protect privileged material that was inadvertently produced during discovery. The rule recognizes that e-discovery can move fast and move vast amounts of information that is hard to screen, Thomure said. It should ease CIO anxiety about giving up sensitive company information.

More on IT security ROI Insider: Cost justifying your IT security investment Executive Guide: IT and the law

Perhaps the most controversial of the changes taking effect Dec. 1 is the safe harbor rule, 37 (f). This section recognizes that data is modified and deleted during the normal course of business. Companies that destroy information in a "routine, good faith operation of an electronic information system" cannot be sanctioned by the court. But what constitutes routine, good faith operation? Critics of the rule are worried that companies will delete relevant data under the guise of business-as-usual. But Thomure said an examination of the notes accompanying the rule suggest a narrow safe harbor.

Companies excused under the safe harbor rule could still find themselves in the hot seat about preserving data because of a provision stating that litigation "holds" attach not only at the time litigation begins, but also when the company could have reasonably anticipated litigation.

"This puts the onus on counsel to advise the company correctly, but it also puts the CIO in that witness chair," Thomure said.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer. Shamus McGillicuddy, news writer, and Kate Evans-Correia, senior news director, contributed to this story.

Tags: Information technology laws,  Compliance strategies and best practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information technology laws Health care security, HIPAA compliance on deck for CIOs in Obama era Avoiding gotchas of security tools and global data privacy laws Information security and IT governance guides for CIOs E-discovery and litigation guide for CIOs Document retention and disposal strategy Top 10 reasons to give thanks you're in IT PCI compliance deadlines have retailers scrambling Customized e-discovery tool lightens law firm's litigation load Firms bridging the gap between IT and the law Avoid lawsuit nightmares: New rules of engagement for e-discovery Compliance strategies and best practices Email archiving solutions and strategies for enterprise CIOs Miscues abounded in Boston email retention policy, practices Health care security, HIPAA compliance on deck for CIOs in Obama era Enterprise risk management solutions for CIOs Addressing compliance requirements in cloud computing contracts Avoiding gotchas of security tools and global data privacy laws Information security and IT governance guides for CIOs CIO turns to identity and access management to solve business problem Log management tool, SIM boxes combine to form security architecture Economic downturn hits IT budgets

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary GRC (governance, risk management and compliance) software  (SearchCIO.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary