Legally Speaking

How CIOs can help agencies understand and meet the new legal challenge of e-discovery.

by / July 9, 2007
No one should be surprised, least of all government managers responsible for data, that legal discovery is getting more rigorous when it comes to electronically stored information.

The number of requests for production, or discovery, has been increasing for years. Some old-timers can remember when the Department of Justice launched the historic antitrust case against IBM on the last day of the Lyndon B. Johnson administration. IBM, like many other companies' regulatory-compliance responses, delivered trailer loads of paper files to the department.

Electronic records have garnered more attention as government relies more on electronic records and electronic communication (which is now designated as an electronic record). Also, attention has increased as the rules on these electronic communications expand. For example, rules on e-mails designated as public records specify that a record comprises more than just the e-mail's text. The format, editing history, forwarding history and other metadata are all considered part of that electronic record and must be accounted for.

Indeed, electronic records alone are not the only fair game for legal e-discovery. Everything a government department or agency creates is, for legal purposes, "discoverable." Photos, instant messages, voicemail messages, documents (all hard copy and electronic versions, no matter who edited them and when) and e-mail -- regardless of how trivial -- are considered "enterprise content" and must all be presentable in an e-discovery process.

There is no getting around an e-discovery process. It is in an agency's best interests to address e-discovery needs sooner rather than later. Case in point: As part of e-discovery laws, the judiciary is directed to ascertain whether an organization has adequately managed its electronic information. Organizations that can demonstrate good information management practices are granted leniency, or a "safe harbor"; those that do not are subject to direct access to their information systems.

Compliance is now law. And the consequences for not complying -- for not being prepared in an e-discovery situation -- can be devastating.

Understanding E-Discovery
The first step to understanding the e-discovery process is to define the terms.

E-discovery is the U.S. legal process through which attorneys obtain information in electronic form in response to litigation or regulatory action. The e-discovery process involves full disclosure of all electronic information relating to the matter at hand. That electronic information includes ordinary office documents, e-mails, Web sites, voicemail messages, employee cell-phone records and instant messages.

That also means every mobile device -- every notebook PC, BlackBerry, PDA, cell phone, thumb drive and flash memory card -- is considered a repository of discoverable data.

You may be asking: Why now? What has changed?

Good questions.

  • In September 2006, civil procedure rules regarding discovery were revised to explicitly cover electronic records. The rules were put forth by the Committee of Rules of Practice and Procedure of the U.S. Judicial Conference. These rules aren't just for companies. They apply to government agencies as well.
  • Federal IT and information managers now operate under guidelines in the Federal Enterprise Architecture Records Management Profile. These, plus other recent rules from the National Archives and Records Administration, rule out any investments in new IT systems until an agency can clearly specify its record management procedures.

In other words, it is no longer merely good information practice to create and store records so that they are retrievable. The ability to respond to an e-discovery court order requires more than a good records management system because e-discovery applies to all electronic content.

Meeting Demands
So how do government CIOs and IT staffs deal with it all? In three essential steps: assess, plan and implement. Within each step, you'll need to address the question of policies and products.

Step One: Assessment
The first step toward meeting the e-discovery challenge is to assess your agency's current status. What's in place now? What types of policies or products do you use to store or retrieve electronic content?

  • Do you have an organizational repository where all information is stored; a distributed system where content resides on users' devices and drives; or a myriad of stovepipe systems?
  • What information resides on your Web site and intranet?
  • Is your information saved in its native format with appropriate metadata as the federal rules mandate?
  • Do you need to search your workers' cell phones, PDAs and thumb drives?

Next, ask yourself: What would be required to be responsive to e-discovery directives? This is a much bigger question than it seems.

This second question, in particular, is often best answered through an active committee or group designed specifically to take charge in preparing your agency for e-discovery. Every agency may have different functional groups contributing to this assessment, but legal, IT, domain experts, document and records managers, and risk management personnel should participate. Ideally this group would be a permanent entity that continuously directs ongoing technology projects to assure continuing compliance.

Step Two: Planning Policies
Once your agency assesses what needs to be done, the next step is creating organizationwide policies that to control content.

Your electronic content policies derive from your agency's business rules, so the business process owners must be part of policy creation. Two key components that must be governed through an electronic-content policy are creation and retention/deletion.

  • Content creation: The most basic way to identify and track electronic information from its inception is through metadata. Metadata are "tags" that include the essential information about a file -- its title, creator, date of creation, relation to other files, etc. -- that enable its rapid and accurate identification. Metadata is also the primary means for establishing document authenticity. Therefore, policies must define how metadata will be created, accessed and stored.
  • Content retention/deletion: This can be an exceptionally complex issue, depending on the document and its use. Essential questions include: How long is content kept before being destroyed, and why? At destruction, should you retain electronic or hard-copy backups?

To elaborate on the second point, understand that a particular piece of information can have different retention schedules depending on how it's used.

For example, I worked with one federal agency in which a purchase order had multiple uses. As a file in the ordering system, it could be destroyed after two years. As an organization record, it had a shelf life of seven years. But because the product with which it was associated had a long military life cycle, the purchase order had to be retained for its life cycle plus 20 years.

As a paper document, it might be copied and placed in three different cabinets. My solution was a single electronic copy, with a pointer linking from several systems. When the retention schedule for each use came up, the link would be destroyed, but not the content.

An equally important part of planning is deciding what products and services your agency needs to put in place to ensure policies are consistently and strictly enforced.

Particularly in an e-discovery situation, your system's architecture can greatly enhance your ability to respond to e-discovery. If files can be copied and forwarded ad nauseum throughout the agency, then you risk exponential growth of discoverable versions. You've lost control.

Your overarching goal is to maintain control of an adversarial e-discovery gambit by proving content exists or was destroyed according to a verifiable policy. And if it exists and is subject to discovery, you must produce it in a format acceptable to the plaintiff and the court. Again, we're not just talking about electronic records -- we're talking about all electronic content.

Essentially you need a tool to manage e-content with discovery in mind. The most comprehensive tools will greatly assist your records management, even as they extend your policy control to all content.

The ECM Equation
Many agencies find that implementing an enterprise content management (ECM) system is a viable and relatively painless method for achieving e-discovery compliance goals. ECM is defined as "
Matt Winstanley Contributing Writer