Posted by: GuyPardon
compliance, cyberlaw, e-discovery
This post below is an email to the editor received from Robert DeFazio of Calabria Consulting, responding to Data security: The missing piece of e-discovery” by Paul Roberts. This views expressed are those of Mr. DeFazio, not this publication or its editors. Comments on its content are welcome.
In an infamous commercial in the 1970s, the actor Chad Everett, who played a handsome doctor on the television series Emergency Room, said, “I’m not a doctor, but I play one on TV.” I’m not attorney, but I have read a lot about the practice of law and how it addresses computers and electronic evidence.
Part of what I do is to provide suggestions as to how data needs to be kept to mitigate the costs of e-discovery. What I have found is that IT department heads, enabled by the very business owners who would suffer the most in litigation, often feel comfortable dismissing the idea that lawyers properly belong in the loop when it comes to making decisions about how data is stored. Instead, they point to conventional “best practices” that represent the path of least blame should something ever go awry.
The harsh realities of litigation should strike fear into the hearts of every CTO and CIO. Why? The requirements for the admissibility of evidence in court regarding electronic documents focus largely on how hearsay evidence is treated.
In some jurisdictions and courts, the Federal Rules of Evidence and Federal Rules for Civil Procedures are disregarded when it comes to electronic documents because, quite frankly, the judges and attorneys involved simply don’t understand the nature of digital data. They have no idea of what metadata is and why it is important. They don’t seem to understand why the concept of presumption, which is used so often in other areas of legal theory, is often inappropriate when it comes to the authentication of electronic documents. They seem not to understand that electronic documents in native file formats can be manipulated easily. They naïvely trust that anything that comes from a computer is accurate and not hearsay because it’s not produced with a “touch from human hands.”
In other courts, they pay attention to the rules of evidence. They want software that purports to offer factual evidence itself to be authenticated. They want real proof that a document is an original copy or that the copy offered can be shown to meet tests that demonstrate it matches, byte for byte, a reference copy that has an unbroken chain of custody. They want to see that there are specific written policies and procedures that would reasonably assure that a stored document would not be altered during its archival. They want to see things like digital signatures, asymmetric encryption key pairs being used to secure documents, and a host of other up-to-date practices that courts in other countries regard as the ONLY measures that assure the authenticity of documents.
This means that data security must be viewed from a different perspective from what the prevailing notion of best practices. Not only does data need to be retained for operational efficiency in the event of a data disaster, but it must also be managed along a separate pathway in such a way that it will meet the needs of attorneys who must defend the corporate endeavor in the event of litigation. Data needs to be cataloged at the time it is stored in accordance to its likely future legal usage. Archived data needs to be kept in two different ways: one for purposes of disaster recovery and the other for legal purposes.
Moreover, the legal archives should not be regarded as a form of “backup data.” They should be regarded as comprising a database in their own right, requiring their own disaster recovery backups.
Why? E-discovery is very expensive. In most states, it is the respondent to a demand for documents that must pay for discovery costs, not the requesting party. E-mail, backup tapes, instant messages, word processing documents, cached files from Web browsers, deleted and fragmented files, network logs, databases, event logs, contents of PDAs and cell phones, and entire disk drives from on-site servers, workstations, home computers, contractors’ computers, and much more is what is typically sought in the process of e-discovery. Litigation holds can be placed on parties even if they are not directly involved in the lawsuit that dictates. These parties then cannot add, delete or modify the contents of disk drives or other equipment not only during the discovery process but perhaps even until the litigation is finished and has gone through all appeals.
Just how expensive e-discovery can be is illustrated in specific cases and the assumptions that the legal profession has made about what is a reasonable range of e-discovery costs. In the 2002 case of Rowe Entm’t v. William Morris Agency, e-discovery costs incurred exceeded $10.9 million before the first day of the trial ever occurred. In cases of patent litigation, the common costs of litigation easily run between $4-5 million, most of that being e-discovery costs. Many attorneys now accept that the costs of e-discovery for litigation involving a small to medium-size company would range between $2-3.5 million.
E-discovery is now a multibillion dollar industry. Sharks go where there is blood. Litigation support industries spring up around the areas of litigation where there is the most confusion, with respect to evidence, and the highest likelihood of maximum billable hours. When companies keep data here, there and everywhere in ways that make sense to a tech employee whose job it is to keep the machinery of the company moving, it will require an incredible amount of time and work to reconstruct data and documents for purposes of pursuing litigation in court. A tech employee wouldn’t usually understand this, but the company’s attorney would or should. The company’s attorneys need to be part of the group of decision makers when it comes to establishing data storage requirements.
“Anathema!” you say? Get used to it, or eventually go out of business. Litigation is often not so much the pursuit of justice as it is the exercise of legal intimidation. By escalating the demands for electronic documents in the pretrial stages, the costs to be borne by a respondent can rapidly become more than the amount the party intended to recover by going to court in the first place, forcing settlement instead of resolution. Managing data so that it is easy to identify from a legal perspective may not make sense at the moment, but as soon as a suit is filed that seeks damages in the amount of $50 million, the cost of maintaining parallel archives (disaster vs. legal) would seem like a drop in the bucket.
I am sure that someone who reads this might conclude that keeping electronic data in this way is just about as expensive as keeping everything on paper. To that, respond, “You might be right.” The American mind-set always wants proof that this or that is true. If you have the original stone tablet, you can compare the chisel marks to samples of other stone tablets made by the same person to authenticate it. A stone tablet or a piece of paper represents a finished work, where further modification has ceased. The ephemeral nature of electronic data, however, erodes nearly all the traditionally understood landmarks of evidence trustworthiness. The bar is, therefore, set much higher when it comes to the admissibility and weight afforded to electronic evidence. In some cases, a man’s freedom might be at stake because of a decision about the authenticity of an e-mail message. In another case the survival of an entire corporation and all the jobs and income it produces might hang on the wording of a single sentence in a 200-page document where the opposing parties offer copies where there is a difference of one word.
Data processing costs have been traditionally viewed as being economical because the cost of litigation was never folded into the mix of expenses of running a data-centric business. E-mail, instant messages, electronic documents, databases … all these things make the operation of business much easier to achieve. They also make the defense of a business much more expensive to conduct when things go wrong.
The cost of running an IT department includes:
- high levels of security
- backup procedures for purposes of disaster recovery
- archives where the documents must be individually cataloged for future legal use
- backups of legal-oriented archives
- indexing legal documents using OLAP approaches
- retrieval of documents during litigation
- maintaining both on-site and one or more off-site storage facilities
That’s a much bigger number than one that just takes into consideration running some servers and workstations and making daily backup tapes. It is that number that needs to be stacked up against the cost of doing things on paper.