Lower E-discovery Litigation Costs by Implementing a Decent ESI Governance Strategy

Businesses need to be proactive and improve their processes of storage and release of information rather than be reactive. It is better to have basic retention and storage policies in the event of litigation. I have performed too many collections where the IT department has not idea where the data is stored, this is usually the case in smaller firms where they outsource the IT department. Having well organised easily locatable ESI electronically stored information will not only save you money and time in the likely event of litigation it may also have other effects such as being able to source key IP intellectual property assets in the event of an employee investigation or disastrous loss as the result of rogue malware or hardware failures.

What Businesses Need to Consider Prior to an E-discovery Exercise

• Invest Time Preparing Now The amount of time spent organising a proper governance strategy and migrating to an E-discovery friendly office platform will greatly reduce costs in the future. It is a false economy not to invest time money and resources into this endeavour now.
• Record Trail Policies of must be in place, you must record when they were approved and by whom. Example "We backup the exchange server every 8 months, it is stored in this location and is deleted after X amount of time." This will display to litigators that you are well organised leading to them giving you less hassle as the case progresses.
• Deletion Policy It is not efficient to hold onto ESI forever but you must adhere to retention that has met the regulatory requirement. The deletion should be documented explaining why an archive was deleted and the action must adhere to the particular requirement in your industry or country. Missing project emails, gaps in dates and undocumented deletions are all unacceptable.
• Intentional Withholding Hiding or withholding information with cause you added hassle and undermine you organisations credibility. You must explain why certain emails were withheld from a date range or a custodian's data has been deleted before the time that has been allocated. If a forensic preview discovers ESI that was not disclosed after the pre-collection questionnaire this it undermines the credibility of the company and can lead to further financial losses. I have worked on a case where they denied an email was sent by an ex-employee. Other custodians that have left the company emails were archived but this person's emails were not available. I was presented with a drive that they said this individual used. They were bluffing as no user profile belonging to this person existed, they handed me a computer that was never used by this individual. Additionally, they stated that they migrated servers and didn't bring forward the custodian in question but the other employees that had left the company before this custodian exited had their PST email archive files in the migration in a PST backup folder. I actually discovered that the custodians PST file was on the server at some point, it had been present after examining migration logs and other records. As a result, they received a hefty fine for hiding this information and had to pay back the claim.
• Standardisation of Backups I have worked on a case where sometimes emails were available on the server, others were in a backup folder, other on the custodian's hard disk and even some in VHD disk clones. This is haphazard. Each forensic image had to have every archive and backup examined for case ESI. Users had the admin rights to take emails off the server when they backed up leading to fragmented loci of the documents and email files involved in the case. The outsourced IT firm involved in the business had no backup policy in place. This leads to an expensive long drawn out investigation, extraction and comparison process to ensure I had the full range of emails and ESI. For the forensic collector, the process should be is simple as work files are stored on this location, backups here and the rest is on the server along with all the logs and audits. It should all be auditable and defensible. Only admins should be allowed to perform backup tasks and logs must be kept to show a full transversal expired. If this isn't the case then the email system used should automatically retain all the emails sent and received regardless of the user actions.
• Using BYOD in an Organisation Allowing your staff to use their own devices not only opens up the door to security risks but leads to the embarrassing prospect of having to encroach on their privacy and investigate their personal device in order to source potential ESI that may be stored in personal Gmail or online Outlook accounts. This lowers staff morale and gives the impression of lax policy. Just look at the recent Hilary Clinton scandal where she used personal email for government matters. A leak here could cost your company embarrassment for the sake of not allowing them to use their home mobile phone or computer. Just fork out for the devices. Prep and provide digital work items for staff that have been selected for security and retention in mind. iPhones backup to iCloud this way ESI can be retrieved from the iCloud location using iPhone Backup Extractor and searched for ESI even if the phone has a forgotten code or the custodian is unavailable. Configure laptops to retain data and perhaps install monitoring software that tells you if certain non-complaint action has occurred.
• Consider Migrating to Gmail or Office 365 for Business These cloud-based options reduce time in collecting ESI and retention can be performed via a click of a button in the settings. Make sure devices have two step authentication and mobile devices synced with these services have decent passwords to enter your assets as you are exposed to the web using these services. In many ways, these webmail platforms can act as review tools in themselves allowing you to triage and keyword search certain projects involved in the case reducing preview time prior to a collection which can be done remotely. In some cases, this reduces costs for a manual collection. It must be noted though these searches don't recognise characters in documents and don't have the raw power and options of tools like my personal favourite Nuix. The knock effect is this will improve efficiency and stability in your business compared to using something debunked such as Lotus notes. The only drawback is your data is stored offsite in Google's or Microsoft's server this my go against clients wishes in certain sectors.
• Keep Asset Lists for Data Mapping A simple spreadsheet detailing hard disk serial numbers, locations of ESI, users assigned to a domain and if more than one user uses a certain computer cut time when handed to an E-discovery company and save costly second collection attempts because of gaps in the contiguous layout of the ESI in terms of date range. It may even be useful to produce directory listings periodically of all your devices so one can quickly find where ESI is stored. This can work in harmony with your security audit as well. Early case assessments can then be conducted with precision and in a timely manner. Compute Forensics can aid in this.
• Regional Issues Some multinationals have actually used a 'one size fits all' for all the countries they are based and have opened themselves up to litigation. The governance programme must be suited to the particular jurisdiction. It is worthwhile to consult a local lawyer to run through the nuances of that particular jurisdiction or industry.

Please contact me if you need any advice regarding this topic, a few days consultation could save your firm a small fortune in the future. Add me as a connection [email protected]. Like and share if you found this useful.