The new Federal Rules of Civil Procedure (FRCP) on electronic information discovery (e-discovery) is serving as an excuse for some scary marketing. So how scared should you be? If your company is under $100 million in sales, not very. Over $1 billion, you need to make yourself aware of policies and procedures that probably exist and that you haven’t been trained on. In between, things are a little murky.
There are three critical areas to e-discovery:
- Finding the electronic documents, graphics, emails or whatever needed for litigation, which is what we all think when we hear “e-discovery”
- Litigation hold policies
- Record retention policies
IT is responsible for performing #1, and must be aware of and following #2 and #3. The policies are not IT’s responsibility, but complying with them certainly is.
Scary Marketing
Fear, Uncertainty and Doubt (FUD) are usually used to stop people from buying. In this case the FUD is to get you to buy. Email archiving seems to be a popular choice if you listen to the folks who sell email archiving. Email archiving is probably worth doing in many companies, but not necessarily for e-discovery reasons.
Two sides to every story but only one set of facts
The international law firm of Fulbright and Jaworski does an annual Litigation Trends Survey, which is the source of some of the numbers being bandied about. So let’s look at those numbers.
Sample size
F&J surveyed 422 companies, a healthy sample size. The size is healthy in another way: fully 53% were $1 billion or larger companies. Only 20% were under $100 million in sales.
Litigation IS on the rise
Despite arbitration, lawsuits are increasing. In the US, labor/employment, contracts and personal injury are big items, while folks in the UK are more concerned about regulatory proceedings.
Insurance, engineering/construction, manufacturing and energy companies spend the most on litigation, followed by health care, tech and financial services.
Size matters: companies under $100M only averaged $190,000 on litigation spending. Big companies commonly spend millions every year. And that isn’t counting awards or penalties – just costs.
E-discovery
In the section on e-discovery in the survey, F&J notes that this is a new area and subject to further litigation:
Most companies surveyed have not yet had their e-discovery protocols and procedures tested in the courts. However, with the amended [FRCP] concerning electronic discovery, companies may face more court tests of their e-discovery preparedness where the meet-and-confer process does not effectively resolove e-discovery disputes. Amendments in the Civil Procedure Rules in England and Wales are likely to have a similar effect.
Naturally, since the e-discovery rules aren’t in effect yet, how could they be tested?
Only 19% of those surveyed thought their companies are well-prepared for e-discovery.
Who ya gonna call?
Now, remember, those surveyed are corporate attorneys. When asked where they go for assistance, 61% said “general IT resources”. Just 31% supplement them with outside e-discovery vendors, while 25% use law firms with e-discovery expertise and 13% rely to some extent on in-house e-discovery teams.
Respondents reported their statisfaction with all of these exceeded 50%, with the notable exception of the e-discovery vendors, at 44%. These numbers all seem low to me, so the lawyers must have some itch that hasn’t yet been scratched. My guess: cost, speed and completeness are the lawyer’s worries.
Hold everything
Another piece of the e-discovery is are litigation hold policies. When a company becomes aware that they may be getting sued or suing someone else, it is important that all relevant documents, including electronic ones, be preserved. Most of F&J’s US respondents have policies in place, while it is much less common among European companies.
Record retention
Over 80% of the US $1 billion+ respondents had written record retention policies, with particularly strong compliance in financial, manufacturing, retail/wholesale and tech sectors. Small companies are much less likely to have written policies.
Oh by the way, we haven’t bothered to train you
So what else is new? The survey notes that training on these issues is just about nil:
. . . nearly two-thirds of respondents (64%) say their company has not conducted employee training for records retention or litigation holds.
Ouch!
The StorageMojo take
If you work for a $1 billion + company, your company probably has
- Significant legal exposure
- Written litigation hold and record retention policies
- Not trained you on them
If you are an in-the-trenches worker, I’d make a written request for training on these topics to my supervisor. If it doesn’t happen at least you tried and your supervisor will get fired, not you, if there is a fiasco.
If you are in IT management, I’d figure out who in IT-land is responsible for working with legal and RM and talk to them. Maybe it’s you. It may be that their policies and IT procedures don’t mesh and that is a problem you’ll want to fix
What I would NOT do is go running to my friendly local storage salesman asking for help. Your company legal professionals and record management folks are responsible for policy. You need to understand those policies first. Then you can design a solution with the right requirements and put it out to bid.
Comments welcome as always. Moderation turned on to control comment spam.
Robin, I agree that there are a lot of scary messages about the FRCP. I am guilty of communicating some of them. But, even small companies ought to be concerned about some of the aspects of the changes. This is because it concerns how evidence is handled.
Lets say there is a harassment complaint at your company that involves an out-of-state employee. Good chance that could end up in federal courts. The prosecution could demand a copy of all emails from the harasser to the harassee. You say, “Ummm…. we don’t keep track of emails.” The prosecution demands under FRCP that you look in every PC and file to find them. And, to make it worse, the prosecution asks for sanctions to make your claim harder.
This is all legit. “Safe harbor” probably won’t protect you because you do not delete all emails, such as those key contracts.
In other words, for even small/medium companies, email has become the journal of record for business and it is important to find a way to keep track.
Hi Robin
Rather than look at the specifics of FRCP, I am on the personal warpath that the meta-trend is ultimately more of concern to IT professionals, e.g. IT is going to be ultimately held responsible for all aspects of corporate information management – not only the traditional cost-reduction/service level aspects, but more and more aspects of risk management (e.g. FRCP), and eventually value creation from existing corporate information.
Maybe FRCP will bite you, maybe it won’t. But if it’s not FRCP, the next legal development regarding information management certainly will.
I believe that — in the next few years — there will be a law along the lines of “if I’m your customer, and you store my personal information, I have the right to have it encrypted at all times, and to request an audit trail of who’s seen it and for what purpose, if I so desire”. With FRCP, we’re just one step closer to that world.
Good blog, enjoy reading it (except for the EMC rants). Keep up the good work!
Roger, I agree that SMB’s *can* end up in Federal courts, plus many states take their cue from the FRCP for their own rules, so it is probably best to assume that e-discovery is coming your way in some form or other.
The perception of risk issues I covered in Risk Perception in Data Centers suggests that email archivers could be successful selling to SMBs – Roger, love to get your take on that. Yet my experience with SMBs is that they are much more interested in getting more competitive than they are in buying insurance, which is essentially what email archiving for e-discovery is.
So as a matter of marketing strategy, I wouldn’t expect the scary stuff to work very well with SMBs. With the F1000 you have a solid business case – assuming you’ve done your homework – and I would focus on them. If I *were* intent on cracking the SMB market I would put together a package of services for data risk assessment that VARs could resell and then, based on the assessment, I’d expect product sales to follow.
Chuck, I agree that it appears the secular trend is moving in a number of directions, but I’m not sure I agree with you. I think that it is highly likely that within 10 years the regulatory environment will essentially insist that all publicly traded companies maintain all records, including customer data, manufacturing and distribution data, emails, financials, HR and so forth for at least seven years, while liability case law will push it out even further. At some point, CIOs will be asking which is cheaper: getting rid of old data or just storing it forever?
CIOs would be fools to take responsibility for all aspects of information management and I think there is almost no chance that the lawyers would let them, let alone the LOBs. For all the talk of “aligning IT with business strategies” over the last several decades, it hasn’t happened yet. There are very good structural reasons for why it never will absent substantial rethinking of the IT/LOB relationship.
BTW, Dave Hitz had a good post about info “ownership” at Data and Ethics.
I do hold EMC to a high standard because I believe the company has the resources to truly lead the industry. So it frustrates me no end to see EMC follow the path that led IBM into crisis. I’d love to see EMC be wildly successful again. I’m just not seeing the thinking that is going to take them there. Maybe you can prove me wrong.
And thanks for reading StorageMojo. I see I have a lot of regular readers at EMC, so I can’t fault your taste in fine storage blogging. 🙂
Robin