News Stay informed about the latest enterprise technology news and product updates.

E-discovery rules double-edged sword for CIOs

The new federal e-discovery rules show a growing appreciation for the vastness and value of electronically stored data. But don't expect them to make your job easier.

Come December, companies facing civil litigation should have a clearer, if not perfect, understanding of what is required of them regarding electronic data. That is when changes to the Federal Rules of Civil Procedure pertaining to electronically stored information, referred to as e-discovery, take effect.

CIOs, however, might want to hold off on the celebrations.

Until the case law defines these terms in a meaningful way that can have broad application, a CIO's job is potentially more difficult.
John C. Thomure Jr.
attorneyMichael Best & Friedrich LLP
"We have definitions. We have terms, but no court has interpreted those definitions. Until the case law defines these terms in a meaningful way that can have broad application, a CIO's job is potentially more difficult," said John C. Thomure Jr., an attorney at Michael Best & Friedrich LLP in Milwaukee.

Barry Murphy, senior analyst at Cambridge, Mass.-based Forrester Research Inc., said these new e-discovery rules will require CIOs to prove that their companies' policies and procedures regarding electronic information are consistently enforced and auditable.

"The hard part about this is that often the policies and procedures may not be set well, so IT will be reacting to requests."

On the plus side, the new rules acknowledge that electronically stored information (ESI) is a fact of doing business and a trove of potentially useful data in a lawsuit. They also acknowledge that in a digital age where vast amounts of information are stored, litigants cannot be expected to produce anything anybody asks for. But because the new rules also leave open to debate what exactly constitutes reasonably and unreasonably accessible data, a company's electronic information system policies will be subject to legal scrutiny as never before.

"That puts the CIO right in the witness chair," Thomure said. "They are going to be in an uncomfortable position, because they are the gatekeeper for information."

Brian Babineau, an analyst at Milford, Mass.-based Enterprise Strategy Group, recently surveyed 500 IT professionals across industries. During the past 12 months, 50% of them had been affected by a case that required electronic discovery. Babineau said 70% of those professionals had to retrieve an email as part of that electronic discovery.

Good enough?

Under the new rules and amendments, parties in a lawsuit are now required to address the issue of electronically stored data very early in the proceedings, in mandatory "meet-and-confer" sessions. The preservation of electronically stored data and its disclosure, as well as any claims of privileged information, for example, are now on the table in these early meetings, per amendments to Rule 26(f).

"It is not a given that the CIOs should be in those meetings, but they should be," Thomure said. "Having a CIO involved in the early discovery meetings to advise on how to best handle and manage e-discovery issues will help lawyers create a plan that can be implemented. It's like anything else: If you have a good plan, the plan will probably work well."

Some IT executives say having a well-laid plan is their best hope. The rule's vagueness makes it nearly impossible to be assured that firms are doing all they need to do. "It would be nice to know that where I'm going is where I need to be going as we want to make sure we are doing the right thing," said Robert Pappagianopoulos, chief security officer at Partners HealthCare System Inc. in Boston. "But at the end of the day, you just have to know that you've done everything you could."

The government's attempt to sort out what is fair game for discovery of electronically stored information is more problematic, in Thomure's view. The new rules state that a responding party is not required to produce electronic data it identifies as "reasonably inaccessible because of undue burden or cost." What is reasonably or unreasonably accessible information, however, is not spelled out and almost surely up for extensive and expensive legal debate.

"Parties will do their best to sort that out, and a party that is not satisfied with a response of a litigant in not providing access to certain e-discovery requests will go to court. The litigation and case law will have to give meaning to what is reasonably accessible and what is not reasonably accessible," Thomure said.

More is better

In the absence of clarity, companies and their CIOs would be wise to "overpreserve the rule," Thomure advises, which means CIOs should factor in litigation "holds" when planning for data storage.

The new rules do provide a "claw-back" provision, or the right to essentially get back or protect privileged material that was inadvertently produced during discovery. The rule recognizes that e-discovery can move fast and move vast amounts of information that is hard to screen, Thomure said. It should ease CIO anxiety about giving up sensitive company information.

More on IT security
ROI Insider: Cost justifying your IT security investment

Executive Guide: IT and the law
Perhaps the most controversial of the changes taking effect Dec. 1 is the safe harbor rule, 37 (f). This section recognizes that data is modified and deleted during the normal course of business. Companies that destroy information in a "routine, good faith operation of an electronic information system" cannot be sanctioned by the court. But what constitutes routine, good faith operation? Critics of the rule are worried that companies will delete relevant data under the guise of business-as-usual. But Thomure said an examination of the notes accompanying the rule suggest a narrow safe harbor.

Companies excused under the safe harbor rule could still find themselves in the hot seat about preserving data because of a provision stating that litigation "holds" attach not only at the time litigation begins, but also when the company could have reasonably anticipated litigation.

"This puts the onus on counsel to advise the company correctly, but it also puts the CIO in that witness chair," Thomure said.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer. Shamus McGillicuddy, news writer, and Kate Evans-Correia, senior news director, contributed to this story.

Dig Deeper on Risk and compliance strategies and best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.