If the FBI showed up on your door with a search warrant to examine your electronic files, would your employees know how to respond?
If you received a subpoena requesting emails, text messages, calendar entries, voicemails or other electronically stored materials, would you know where or how to start looking?
If your answer to either or both is no, it is time for an electronic discovery, or eDiscovery, audit.
While no one likes to think about litigation, the best time to do so is before being served. Understanding how your company stores data and your policies governing email and devices now can save you time, money and heartache down the road.
Five areas of focus
When it comes to litigation, the single biggest cost is discovery. With the proliferation of our devices and the explosion of big data, we’re generating more electronic records than ever. A single gigabyte of data equates to approximately 100 bankers boxes of paper documents. Your smartphone alone can hold over 350GB of data – 35,000 bankers boxes. Your laptop, smart watch, tablet and other electronic devices will only increase the size of that data collection.
Conducting an eDiscovery audit can allow your organization to identify and leverage your strengths while simultaneously assessing and managing your weaknesses. After an audit, you’ll be in better shape to identify opportunities for costs savings.
What’s involved in an eDiscovery audit? The first step is to meet with your team — in-house counsel, information technology staff, human resources and other interested parties — to identify where your information is stored, what is stored and for how long, and what your document collection, review and production processes are. The audit will focus on identifying areas for improvement and efficiency to save you time, effort and money.
Have a notification team: Before you can tackle the “what” of eDiscovery, you need to assemble the “who” — as in who you’ll want around the table. Your notification team should be led by legal counsel, either a knowledgeable in-house attorney or experienced lawyers outside your organization. The team should include those responsible for information technology, records, human resources, security and relevant departments where documents may reside. Be sure to engage your communications team; if using professionals external to the organization, having your law firm retain them gives qualified privilege to their work.
Understand where your data is kept: After you pull together your team, it’s time to get your arms around exactly what data you have and where it is kept. In addition to hard documents, such as letters and memos, you’ll want to have a good understanding of where your electronic data is stored. And we don’t mean just online documents and emails — think more broadly to include text messages, instant messages or chats, voicemails, security footage, social media posts and responses, etc. When it comes to storage devices, you’ll need to know how to access cloud servers, laptops, desktops, external hard disk drives, flash drives, CDs, DVDs — maybe even floppy disks, magnetic tape or microfiche, depending on how far back your data storage goes. You also will want to look at your policies when it comes to personal emails and devices.
Review retention policies: After you complete the second step, now might be a good time to review your records retention policies. Too often, organizations don’t pay close enough attention to the types of documents they store nor the lengths they store them. This can result in an overly burdensome discovery process that is needlessly expensive. Federal and state laws mandate certain records be kept for certain lengths of time. For example, attendance records should be kept for seven years while OSHA logs must be kept for six. Some records, such as patents and deeds, should be held permanently. Take this opportunity to review retention policies and shed documents and files you no longer need to keep.
Recognize liability and privacy concerns: You have an obligation to ensure you safeguard the privacy of your stakeholders, so you’ll also want to understand what type of protected health information and personally identifiable information you collect and hold for employees, donors, vendors and others. If your company employs international team members, realize you’ll be subject to the laws of the countries where they live and you operate, which may have far more strenuous privacy measures than U.S. law.
Ask for help: Organizations may not have the internal capacity or expertise to manage an eDiscovery request. Using outside help can save you time, money, frustration and headaches in the long run — and ensure you’re not missing something critical. Outside organizations such as Warner’s eDiscovery Center can use technology assisted review and suggest other cost-saving strategies to streamline the process.
Scott Carvo and Madelaine Lane are both litigators and partners with the law firm Warner Norcross + Judd LLP. They are co-partners-in-charge of the firm’s eDiscovery Center. They can be reached at email@example.com and firstname.lastname@example.org