Given that litigation is consistently on the rise, regulatory bodies continue to ramp up investigations, and local law enforcement is increasingly aware of the ease with which it can source evidence electronically, electronic discovery (e-discovery) is an area that businesses need to consider, review and improve.
The process of disclosure of evidence to the Post Office Horizon IT Inquiry demonstrates a lack of oversight and accountability, poor communication protocols and a flawed understanding of the corporate data landscape.
On the face of it, the process of discovery or disclosure in response to litigation or regulatory investigation is simple:
- Find all the communications, documents and data relating to the issue.
- Relevant parties (most commonly lawyers and/or investigators) review, deciding what is relevant to the issue.
- Send the relevant, not privileged, documents to the other party.
Unfortunately, businesses are increasingly reliant on misleading information provided by large enterprise and cloud-based platforms that would have you believe they will take care of this process for you. This leads to the overconfident assertion that “we can do e-discovery”, by virtue of a module provided with a button to push. For example, look at Microsoft’s Purview or Google’s Vault.
The reality is, as witnessed in the Horizon inquiry, the process can be extraordinarily complex and resource-intensive.
Reviews of relevant evidence can be hampered, for example, by:
- The ever-increasing volume and complexity of data: The sheer volume and variety of data generated by modern organisations poses a significant challenge in e-discovery. This data, often dispersed across various sources and formats, becomes increasingly complex to identify, collect and review effectively. Think: Microsoft Teams, Slack, WhatsApp, large language models (LLMs) such as ChatGPT, Microsoft Copilot, SAP, to name but a minuscule number of sources.
- Legacy data: As technological progress marches on, it forgets about data created in 1997, stored on backup tapes in 2010 or sitting in an accounting system that was live in 2015. For many litigations, the time periods being considered are typically at least two years old before they reach courts or inquiries, and in my experience often relate to issues from five or more years ago. Legacy data formats can be challenging to collect and review.
- The evolving legal landscape: Disclosure guidelines for courts and regulators are constantly evolving, making it crucial for organisations and their counsel to stay abreast of the latest changes. Failure to adhere to these evolving requirements can lead to legal consequences and reputational damage. Regulatory priorities are constantly shifting, and anti-money laundering (AML), fraud investigations and dawn raids are all on the increase. Greater corporate liability for criminal offences, including the Failure to Prevent Fraud offence due in 2024, should be of concern to any business.
- The multitude of interested parties: The subjects of the litigation or investigation and their need for privacy; their individual legal counsel; your in-house legal counsel, or outside legal counsel; third-party IT, software-as-a-service (SaaS) and cloud providers; e-discovery suppliers; law firms, the regulators, the courts.
- The need for robust e-discovery tools: The complexity of e-discovery necessitates the implementation of reliable and scalable e-discovery tools. These tools (should) seamlessly manage data collection, processing, review and exchange of documents, ensuring compliance and efficiency. Technology use should accelerate the review process.
- The risk of spoliation: Spoliation, or the accidental or intentional destruction of potentially relevant evidence, can have severe consequences for organisations. It is essential to establish clear e-discovery policies and procedures to prevent spoliation and protect the organisation’s legal interests.
- The cost of e-discovery: E-discovery can be a costly process, especially for large organisations with vast amounts of data. Optimising e-discovery strategies and using technology in a legally defensible manner can help reduce costs and streamline the process.
- Privilege, privacy, business secrets: There are a whole host of legitimate concerns around the disclosure of data. The data needs to be assessed for risk as well as relevance.
- Strategic abuse of the disclosure process: In the matters I have personally been involved in, the parties look to make disclosure a core focus, often at the cost of making meaningful progress with the core legal issues. Small discrepancies coupled with a lack of transparency can be exaggerated and used to call into question the evidence, the corresponding legitimacy of legal arguments and the trustworthiness of those involved. A cynical individual could suggest that sometimes these arguments are brought about to distract from the less convenient legal matters at hand.
What at the outset seems like a simple task can very quickly become a full-time job for dozens of people. This complexity could suggest that a degree of error is excusable, but this is far from the truth.
Parties must sign a “statement of truth”, or equivalent, as to their understanding of the disclosure process and its accuracy. If such statements exist, but there are fundamental errors with the approach, there are obvious and significant questions that need to be asked.
Back in 2006, I wrote a blog about proactive approaches to electronic evidence disclosure. It sought to address many of these perceived issues, and the essence of that article has not changed over the past 18 years.
A proactive approach is still needed, much in the way boards are beginning to organise their approach to managing cyber. This could include things such as:
- Tabletop exercises.
- Data mapping.
- Detailed incident response guidelines and appropriate technical systems.
- Ensuring the involvement of all relevant employees, including those who really understand the data of the organisation.
To assist in addressing these concerns, consider the following recommendations for addressing e-discovery risks:
- Develop a comprehensive e-discovery policy: A well-defined e-discovery policy should outline the organisation’s procedures for preserving, collecting and reviewing data for e-discovery purposes. Regularly review and update the policy to reflect changes in the law and technology. This should be closely aligned with existing IT and security policies, such as retention guidelines.
- Educate employees on e-discovery: Provide regular training to all employees on the organisation’s e-discovery policy and procedures. This training should emphasise their responsibilities in preserving and handling data that may be relevant to legal proceedings. This can in turn help to reduce the costs and risks associated with disclosure issues.
- Identify effective e-discovery software: Invest in robust e-discovery software or vendor relationships that can effectively manage the identification, collection, review and production of relevant data. Choose software that aligns with the organisation’s specific needs and data volumes.
- Request management: Mechanisms to appropriately manage inbound requests should be considered where there are frequent or complex requests being generated by larger or numerous matters. The recording of what is being requested by whom is vital, and should not just be left to, for example, a junior individual in the IT department who understands how to export emails using the basic functions provided in your email system.
- Regularly review e-discovery procedures: Conduct periodic reviews of e-discovery procedures to ensure they remain effective and compliant with the latest legal requirements. Evaluate the effectiveness of e-discovery tools and make necessary adjustments – this is especially true of legacy data.
- Seek expert guidance when needed: For complex e-discovery matters, or those with potentially significant legal implications, consider engaging experienced e-discovery consultants and appropriate legal counsel. Their expertise can help navigate the complexities of e-discovery and minimise risks.
What should I include in a policy to address e-discovery?
Larger organisations with sizeable or numerous litigation, investigatory or regulatory requirements should have in place a robust e-discovery policy, either standalone or as part of other information systems or legal policies.
In addition to preparedness for litigation and regulatory investigations, the focus on the disposition of data can help minimise risk in the context of data privacy. Also, recording IT systems through data mapping and keeping a historical journal of those systems enables employees to access and learn from the corporate memory, which is often spread far and wide in an organisation. This could in turn lead to lessons learned from previous organisational activities.
This high-level overview is intended only as a starting point for items you may want to consider as part of any information security/legal policy framework and is by no means comprehensive. Any such policy should also consider its alignment with broader policies and data management practices.
Purpose and scope
Defining the purpose and scope is an important exercise to establish guidelines for managing legal data request/e-discovery processes effectively and consistently to meet legal requirements and minimise risks. The scope of the policy might define the source and types of data and the organisational units covered by the policy.
Roles and responsibilities
Make sure that each staff member is aware of their obligations regarding the policy. For illustrative purposes, although your structure may vary:
- Oversee the e-discovery process, provide legal guidance, manage communications with opposing parties.
- External counsel may just be a facilitator or take a more active role, although ultimately you will likely bear responsibility for signing off the completeness and accuracy of the exercise.
IT department/service provider
- Identify, collect and preserve relevant data, ensure data security, provide technical support for e-discovery tools.
Business unit responsibility
- Identify custodians, respond to legal requests, provide access to relevant data.
Documentation and audit trails
Particular emphasis should be placed on maintaining detailed documentation throughout the legal data request or e-discovery process. This includes audit trails for data handling, processing and review activities, to enhance transparency and ensure defensibility of the approach and the evidence.
Data identification and preservation
In the context of any legal inquiry, a process of legal hold should exist, whereby employees, IT staff, vendors, and so on, are informed of their legal responsibility to preserve data as soon as legal action is “reasonably contemplated”. Any destruction or deletion of data should not continue, whether or not a formal request has been made.
- Clearly define the process for initiating, maintaining and releasing legal holds.
- Specify the triggers for legal holds, responsibilities of individuals involved, and communication protocols.
- Ensure “corporate memory” of legacy systems, by implementing change management procedures that record the impact of any outage and test the results of any migration of data thoroughly.
In most instances, defining what exactly is being requested, and what is appropriate to preserve may depend entirely on the context of the specific request. For each request, you may want to define the types of data subject to preservation (typically that data you feel may be relevant to the request, whether it is ultimately used or not). As data becomes more transient in nature through messaging, cloud-based systems and LLMs, etc, it becomes even more necessary to keep reviewing the approach to identifying and preserving relevant data.
Data collection and custodian identification
Establish operational procedures for collecting preserved data from various sources. Is there someone that will be responsible for making a request to a particular team, or an IT vendor? What information would they need to fulfil the request? How will it be tracked and recorded?
The identification of specific custodians (the owner or controller of the data) will be based on the specific request made. The custodian could be a person, an IT system or storage system, or even a chatbot. This section might assign responsibilities for data collection, approvals and notifications.
Data processing and review
Processing of data to be searched, analysed and reviewed in a legal context can be a black box exercise, but anyone involved in managing the legal request should ensure they are aware of the specific processing options chosen. For instance, how should all deleted, corrupt or encrypted data be dealt with? Should data have any duplicates removed, and on what basis should this be performed? There are many options to consider at this stage, and having a defined standard can help in demonstrating the robustness of any approach.
Once the data is being reviewed in a legal context, consideration should be given to the technologies available to help to lessen the overall burden. Define standards and templates for any legal review workflow for assessing relevance, privilege and other issues, and make sure the approach is agreed between all involved parties.
- Specify acceptable methods and parameters for identifying and eliminating duplicate data or utilising machine learning or other advanced technologies to reduce the volume of information for review, thus minimising costs and streamlining the process.
- Provide guidance on the use of technology-assisted review using machine learning or generative AI and other available technologies and protocols, while ensuring defensibility in the process.
- Address issues related to the selection, validation and monitoring of these technologies. Despite what many would have you believe, there is no magic bullet.
Data production and chain of custody
Courts and regulators expect that due care and attention is taken when dealing with data. A “forensic approach” is necessary to ensure an audit trail and show the provenance of any “evidence”. That is to say that any process employed should be defensible and repeatable with the same outcome. This can only be the case if you have established procedures for ensuring the robustness of any data collection process. For instance, you may want to:
- Identify and number each data extract from a system and ensure a digital fingerprint is recorded at any stage of creation, manipulation, or movement of data.
- Maintain a clear chain of custody (who had access to the data and when) to ensure data admissibility in court.
Any such process can have the added benefit of enabling the reuse of data, eliminating the need to re-collect the same data for other purposes.
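One way to put the two points above into practice, shown as an added example that is not part of the original article: a custody log in Python that fingerprints each numbered extract with SHA-256 and chains every entry to the previous one, so a later edit to the record is detectable. The extract numbering (`EXT-0001`), the action names, the actors and the sample bytes are constructed, and treating `"processed"` as the only step allowed to change a fingerprint is an assumption.

```python
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(data: bytes) -> str:
    """SHA-256 digest used as the digital fingerprint of an extract."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Hash a canonical JSON form so key order cannot change the result.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody log; each entry commits to the one before it."""
    def __init__(self):
        self.entries = []

    def record(self, extract_id, action, actor, data, when=None):
        entry = {
            "seq": len(self.entries) + 1,
            "extract_id": extract_id,  # numbered extract, e.g. "EXT-0001"
            "action": action,          # "created", "transferred", "processed"
            "actor": actor,            # who handled the data
            "when": when or datetime.now(timezone.utc).isoformat(),
            "sha256": fingerprint(data),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "",
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)

    def verify(self):
        """Return a list of problems; an empty list means the log is intact."""
        problems, prev, last_fp = [], "", {}
        for e in self.entries:
            if e["prev_hash"] != prev or e["entry_hash"] != _entry_hash(e):
                problems.append(f"entry {e['seq']}: record altered or out of order")
            known = last_fp.get(e["extract_id"])
            if known and e["action"] != "processed" and e["sha256"] != known:
                problems.append(f"entry {e['seq']}: data changed outside a processing step")
            prev, last_fp[e["extract_id"]] = e["entry_hash"], e["sha256"]
        return problems


def demo():
    log = CustodyLog()
    export = b"constructed mailbox export"  # constructed sample data
    log.record("EXT-0001", "created", "it-analyst", export, "2024-01-10T09:00:00+00:00")
    log.record("EXT-0001", "transferred", "review-vendor", export, "2024-01-11T14:30:00+00:00")
    intact = log.verify()
    log.entries[0]["actor"] = "someone-else"  # simulate an after-the-fact edit
    return intact, log.verify()
```

The chain only exposes edits if the latest `entry_hash` is also kept somewhere the log's keeper cannot rewrite, such as the matter file held by counsel.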
Security and confidentiality
Implement measures to protect data confidentiality and integrity throughout the e-discovery process. For example, as with any movement of data, employ encryption protocols, access controls and data loss prevention measures.
Outside counsel involvement
Address the role of outside counsel in managing e-discovery processes by outlining the circumstances when outside counsel should be consulted, the scope of their involvement, and the coordination between internal and external resources. Ultimately, you will be responsible for the process, and outside counsel are there to consult and provide guidance.
Compliance with court or regulatory rules
Emphasise the importance of complying with relevant court or regulatory rules governing e-discovery. In particular, provide specific guidance on adhering to local, national or international requirements related to the cross-border flow of data, data preservation, collection, review and production. Include measures to ensure compliance with data protection regulations and safeguarding personally identifiable information (PII). Consider other applicable regulations.
Training and awareness
Establish a training programme for employees to educate them on e-discovery obligations, data preservation procedures and their role in the process. Regularly communicate e-discovery policies and guidelines to maintain organisational awareness.
Emerging technologies and trends
Incorporate a mechanism for staying updated on emerging technologies and industry trends in e-discovery. This ensures that the policy remains adaptive to changes in the legal and technological landscape.
Communication protocols during legal challenges
Establish clear communication protocols with legal and IT teams in case of legal challenges or disputes related to the legal request or e-discovery process.
Continuous improvement initiatives
Periodically review and update the e-discovery policy to reflect changes in legal requirements, technological advancements, and organisational needs.
Integrate a framework for continuous improvement, encouraging feedback loops from e-discovery experiences. This could involve post-project assessments to identify areas for enhancement and lessons learned.
Use of counsel, vendors and external consultants
Select experienced outside counsel, ensuring that senior individuals will maintain oversight and responsibility for the process.
Outline the criteria for determining when to seek external e-discovery assistance, such as matter complexity, internal resources, and the use of specialised experts.
Establish clear guidelines for vendor selection, scope of work, confidentiality and security, communication and oversight, and cost management.
A legal data request and/or e-discovery policy provides a comprehensive framework for organisations to manage the process effectively, mitigate risks, help ensure compliance with legal obligations, and optimise the involvement of any external resources.
Boards, legal, compliance and technology departments can help their organisations manage any risks effectively, thereby avoiding unnecessary costs, and protecting the organisation’s legal interests.
Martin Nikel is an acknowledged expert in e-discovery. He heads Thomas Murray’s Cyber Risk Advisory e-discovery and litigation support practice.