Corporate Compliance: A Convergence With Electronic Discovery

Tuesday, January 1, 2008 - 01:00

Editor: What is the current trend in corporate compliance?

Ballou: I see a trend for the convergence of record retention compliance programs into an overall compliance readiness posture. Various regulations such as the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), the Gramm-Leach-Bliley Act of 1999 (GLBA), and the Sarbanes-Oxley Act of 2002 (SOX) have similar or overlapping requirements for document retention and preservation. In addition, there are conflicting or redundant recordkeeping requirements, such as contained in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Federal Trade Commission's (FTC) Hart-Scott-Rodino (HSR) Act guidelines. Most recently, record retention compliance programs must now also be designed to comply with the amendments to the Federal Rules of Civil Procedure (FRCP) as well as new state rules as they relate to electronic discovery. Comprehensive compliance processes can facilitate greater efficiency in how organizations invest or allocate resources and, more importantly, can also help to minimize risk and cost.

Editor: Why not just wait until you receive a preservation request to handle electronic discovery?

Ballou: Up until recently, most corporations would not think about eDiscovery until they received a preservation request or court order. However, this approach began to change after such landmark rulings as Zubulake v. UBS Warburg, LLC (Zubulake VI) in which significant sanctions were imposed as a result of an organization's failure to produce potentially relevant evidence. Many corporations now appreciate the importance of preparing for eDiscovery just like they would for any other regulation mandating document retention and preservation.

Editor: Are corporations beginning to internalize their eDiscovery compliance solutions?

Ballou: While some corporations are moving to internalize their eDiscovery compliance solutions, many corporations actually lack the needed resources or expertise to implement such systems. It is important to understand that corporations are not only required to maintain access to records but also must have the ability to produce these records, potentially on very short notice. Many corporations today simply lack the infrastructure needed to process and produce large volumes of data. These corporations are instead looking to achieve eDiscovery compliance through one of the following two approaches:

1. Utilizing national eDiscovery contracts with electronic discovery providers, or

2. Establishing request for quotation (RFQ) processes for individual projects, which will ultimately be managed by the internal legal team.

By implementing one of these approaches, corporations gain a consistent, reliable solution to eDiscovery compliance and can limit investments in infrastructure or personnel. Either approach can also provide considerable flexibility to scale corporate processes while limiting the impact to existing resources.

In addition, there is the potential need for expertise from a computer forensic or discovery consulting professional. Often times humans are the critical factor in what amounts to appropriate or inappropriate electronic discovery actions. Corporations planning for eDiscovery compliance are well advised to consider their corporate data policies and associated enforcement, data locations, volume and user access controls (data mapping), data collection plans, processing and review strategies.

Editor: Is an email archiving system sufficient to meet the requirements mandated by federal and state rules?

Ballou: While email archiving is a valuable component in a corporation's ability to address eDiscovery compliance, it should not be the sole answer to complying with governing bodies. Since there are many aspects to consider regarding enterprise content management, it is critical to consider areas such as document management systems, backup tape management systems, and web and collaboration repositories. Because responsive electronically stored information could reside in the format of an email, a voicemail, an instant message or even a structured database, consideration of all of these areas are critical to complying with federal or state rules.

Even after one does identify all the potentially relevant data, there is still the matter of reviewing that information to determine what is privileged or responsive. Electronic discovery providers, such as ONSITE3 , have taken steps to improve document review efficiencies through implementation of improved foldering solutions, mass tagging capabilities, reporting, production management, privilege log management, and other features. ONSITE3 's eView review platform, for example, has improved reporting features that allow legal teams to monitor the progress of individual or teams of reviewers to determine their productivity. Armed with that information, legal teams are then able to modify review strategies as they see fit to ensure that productivity is maintained throughout the review process.

Editor: How should document review best be performed? Is an outside hosted repository a better approach for storing electronic evidence?

Ballou: Depending on the specific organization and the goals of the review, there are potential benefits to both internal and external hosted solutions. In certain cases, a corporation's security protocol may require internally hosted solutions. ONSITE3 can comply with corporate requirements by providing hosted solutions that are modeled to enable these corporations to minimize their investments in personnel and technology infrastructure. The value of this type of approach positions the corporation to rely on our hosting infrastructure, which has proven to be a very widely accepted and successful model within the industry.

Editor: Should the protection of corporate information be among the first steps a corporate counsel should undertake in considering a company's compliance needs?

Ballou: This is an extremely important component of compliance. It is critical for the legal team to discuss security considerations with their security officers to ensure that the corporation's standard guidelines are followed during provider selection, preservation, collection, data transportation, and ultimately document hosting. If the legal team considers this aspect initially, it will save time and minimize risks as their internal experts will have defined the standard protocols to follow regarding their electronically stored information.

Editor: Should corporate attorneys call upon eDiscovery providers such as ONSITE3 to assess their eDiscovery practices and develop responses should there be a reason for future discovery?

Ballou: While outside service providers probably don't understand your infrastructure as well as your internal teams, they do understand eDiscovery and the requirements that are necessary to create a sound program. Therefore, when properly engaged, an outside provider adds an enormous amount of value to alleviate the risks and costs associated with eDiscovery. For example, eDiscovery providers, such as ONSITE3 , are adept at assessing the state of corporate eDiscovery responsiveness through proprietary methodologies, interviews and tools. Through these assessments, the corporation receives an unbiased expert opinion, which could ultimately address gaps in the program that could have otherwise gone unnoticed.

Editor: What else might be important to consider for eDiscovery compliance?

Ballou: Even after data is produced, it might be necessary to defend the processes or methodologies used to collect and produce that data. Organizations like ONSITE3 have experts on staff who are qualified to certify or testify in court regarding chain of custody or other important issues regarding electronic evidence. Support from an expert witness is important should the admissibility or defensibility of produced data be challenged. From a risk management perspective, this is also just one more way to help minimize the potential for spoliation or sanctions.

Corporations should also plan for how to handle data from international locations. The European Union for example has privacy laws that limit the transport of data to outside countries. This can affect decisions on how and where data will be processed. Some providers like ONSITE3 can go on-site in Europe or elsewhere to process and produce data at the client's facilities. In addition, some providers, such as ONSITE3 , are also Safe Harbor certified with the U.S. Department of Commerce for the handling of data from the European Union. This certification allows providers to transport data to a central processing facility in the United States, if needed.

Editor: How do you differentiate ONSITE3 from the three or four leaders in this field?

Ballou: ONSITE3 distinguishes itself from other providers in the market as follows:

ONSITE3 's single point of contact and accountability versus a multi-vendor approach, assures absolute data and process integrity and rapid issue resolution.

Our robust electronic and paper production capacity in 5 regional locations enables a productive interface for our clients.

Our superior data ingestion capability enables clients to begin reviewing documents within 24 hours.

We offer a user facing data reduction solution where clients can retain the ability to change search criteria on the fly. This eliminates the need for iterative vendor involvement and data processing which will improve speed and the relevancy of output, as well as reduce cost.

We have the highest capacity and lowest cost tape restoration and indexing solution in the industry.

Our robust eView reporting and flexible workflow capability enables a highly productive and cost efficient review process.

For information on services from ONSITE3, visit