E-Discovery Tip Sheet: A Game of Risk
Durnstein Castle above the Wachau Valley of the Danube (A. Kass)

Constant readers of the Tip Sheet may recall a few years back (May 2014), when I addressed electronic discovery risk management in terms that any Lannister or Targaryen would understand. Seeing that it’s mid-summer, and that Game of Thrones is surging toward a 7th season climax, I thought I’d bring this back for re-consideration or, for those newer to the party, a first look at how the game is played.

Enjoy your summer!

Andy

==========================================================

       “If you play the game of thrones, you win, or you die.”

           Who can forget Cersei Lannister’s bit of advice to Ned Stark in George R. R. Martin’s A Game of Thrones? No spoilers here for House Stark’s state of play; this caution serves to open a subject that, while less dire, does have real consequences for individuals and firms: risk management.

           So let’s say that you’re the Hand of the Corporation, a/k/a the General Counsel, and you have been charged with developing a plan to manage risk. First of all, what is “risk”?

> Possible exposure of personally sensitive information

> Possible exposure of sensitive company information

> Correspondence or documents which could expose the company to liability or administrative action

> Potential for compliance failure

> A board game of world conquest.

           Discounting this last facetious example, you are essentially being asked to defend against hidden dangers in your own bailiwick. The first order of business is to unearth and identify these dangers, and make finding and analyzing potential problems a regular part of your record management protocol.

A Map of Your Digital Westeros

           Before you can exercise any control over a landscape, you must have a map. In our world, this is a document that identifies all possible places where information can reside, from corporate datacenters to users’ own handhelds and thumb drives. Just as a campaign map must show relief details such as elevations, swamps and watercourses, a data map requires the following elements:

> Type of storage container (including model, software and firmware if available)

> Total capacity of storage container

> User or group of users to which the container is accessible

> Logical organization of storage container, including

-          Locations of User files

-          Locations of Group or Department files

-          Locations of Client files

-          Locations of application, operating system or other non-user content.

> Types of user content most commonly found, including application version

> Whether business data is known to be kept in a private container (such as a “bring your own device” (BYOD) handheld).

           Now, at least, you know the lay of the land to be covered.

White Walkers

           Does your firm have a document retention policy (also known as a document destruction policy)? The purpose of a policy is to define different classes of documents generated or used by a firm, and to set out rules for preserving, archiving, or destroying these different categories of information.

           We’re all hoarders at heart: this scrap of fabric or that spreadsheet or this other email may be valuable someday. The problem is, information builds up. It’s not that expensive to buy more storage (or rent a POD), so we do. This leads to the next and larger problem, which is when a supposedly dead document returns to bite the firm during litigation.

           If a firm has a declared, documented and faithfully followed document retention policy, an inability to find an eight-year-old memo is simply business as usual, not spoliation. The matter was closed, the document was correspondence, correspondence is archived at the close of a matter and that archive is deleted six months later. If there is no policy, everything ever generated by the firm is fair play, and defending the Wall gets a lot trickier.

Hidden Dangers

           Now we know the territory, and we know at least one of the dangers. What other perils await us in the file system, and by what means may we expose them? Some examples:

> Credit card numbers

> Social Security or Tax ID numbers

> Bank or other account numbers

> Dates of Birth

> Medical Records

> Trade Secrets and proprietary information

> Password lists

           The individual aspects of this category of information are collectively termed personally sensitive information (PSI) or personally identifiable information (PII). While these would have to be produced in redacted form in litigation (if not flagged as privileged and withheld completely), many should not be found in general document records at all. What possible reason could there be to have a whole credit card number in a Word or Excel document? And yet, they exist.

           How does one come to grips with these foxes? Increasingly, technology is being employed to solve the problems that technology causes. Software crawls file systems to identify and help classify data: think Nuix, or Recommind Axcelerate, or Equivio Zoom (now part of Microsoft Office 365 Enterprise), or EMC SourceOne eDiscovery Kazeon, for example. In addition to grouping and filtering by date range, file type, users and keywords, these products are making greater use of concept clustering to pull like documents together for deeper analysis. Filters may also be created and applied based upon regular expressions, a syntax that uses defined symbols as masks for the numbers, upper or lowercase letters and punctuation (among other attributes) to be retrieved.

           With these tools, exposure to a threat can be analyzed in hours rather than days.

Defense Against Dragons

           There is yet a threat to the firm’s safety and well-being: non-searchable documents, such as images or image PDFs, may yet contain elements of the forbidden. This alone should provide an argument for a document retention policy where images are purged regularly. As we examine file systems with sophisticated tools, we do however become more familiar with locations of possible perils, so these may be examined more closely. For example, if we know that user RBaratheon liked to keep PDF printouts of receipts and transactions in his personal folder, we could filter his space to look for non-searchable files, and focus in on PDFs in that group.

           We’ve just scratched the surface of this discussion. There are still handhelds, which must be collected individually, home computers, which may have captured some work product when Jon Snow left his laptop in the office, and personal email accounts used to swap attachments in excess of the firm’s allowance. We shall leave these discussions for another day. 

           In the meantime, know your risk, and don’t lose your head.

-- Andy Kass / [email protected] / 917-512-7503

Erika Kilborn, CEDS

Seasoned eDiscovery professional with experience in project management, application training, curriculum design, and customer relations.

7 years ago

As always, something valuable to contribute! Thanks, Andy!
