December 07, 2007 | Comments: (0)
IT will get the blame in the e-discovery game
Since this is the first anniversary of the Federal Rules for Civil Procedure [FRCP], I thought I would help light a fire under those companies that are still ditzing around, as we used to say in Brooklyn, about a solid ESI [Electronically Stored Information] policy.
In a survey conducted by Canvasse Opinion among in-house legal departments at 200 of the Fortune 500 companies, 18 percent of the attorneys said that IT has primary responsibility for the development of an ESI, aka e-discovery, strategy/policy within their organization.
Let me add that FRCP covers only litigation. Government regulations and ensuing investigations would more than likely make an even greater demand on e-discovery than the new Federal Rules, according to Kristin Nimsger, president of Kroll Ontrack, the company for which the survey was conducted.
The next statistic is even scarier. Asked who should be held responsible if their organization’s ESI policy strategy resulted in government fines, court-imposed sanctions or damage to the company’s reputation, 9 percent of the in-house attorneys answered IT should be held accountable.
And what kind of dollar figures are we looking at that IT might be held responsible for costing the company?
Let’s see: $1.4 billion levied against Morgan Stanley, $253 million levied against Merck, and $29.2 million levied against UBS Warburg in litigations that required e-discovery of documents.
Yet, 76 percent of the responding attorneys believe that "inefficient ESI procedures" will have no financial impact or only a minimal financial impact on the organization.
A full 19 percent of the in-house attorneys from the F500 companies responding said that enforcement of ESI policies is an IT function, not a legal department function.
Nimsger makes the point that complacency on the part of IT leadership is not an option.
"IT thinks it is not their business and yet all of the data and policies that directly impact the risk are controlled by IT such as document retention, preservation, archiving and email management policies."
Add that to the fact that a lot of lawyers will be pointing their collective fingers at IT, and the message is clear.
There is a lose-lose situation waiting to happen.
If your legal department, CEO, and board of directors aren’t taking an active role in helping to define an ESI policy, the CIO and the IT department must take the leadership role in getting something done.
Whether IT and the CIO take that role or not, if something bad happens, it is going to be blamed anyway.
Posted by Ephraim Schwartz on December 7, 2007 09:42 AM
December 04, 2007 | Comments: (0)
Zero tolerance for zero retention
One year after FRCP laid down e-discovery guidelines, and the courts are clear: hammer out a retention policy posthaste
Dec. 1 marked the first anniversary of the new Federal Rules for Civil Procedure. Although it did not codify the rules for e-discovery, FRCP certainly clarified for companies what their e-discovery policies should be.
I spoke with Alan Armstrong, vice president of business development at Fortiva, an e-mail archiving company, about the FRCP milestone and asked him whether we've learned anything new in the past 12 months.
"Effectively, the court is carrying out FRCP to the fullest extent possible. There is no such thing as undiscoverable information," Armstrong responded.
Actually, we know that there were about 105 e-discovery legal opinions issued since Dec. 1, 2006, thanks to Kroll Ontrack, a company that offers computer forensics services.
The breakdown of those cases is fascinating.
Twenty-five percent of the cases -- which covered a variety of issues, including copyright infringement, fraud, and breach of fiduciary duty -- dealt with discovery requests and court motions to compel discovery.
Twenty-four percent addressed the issue of "spoliation."
Michele Lange, director of legal technologies at Kroll, says in these cases there was a court sanction for an act of document or data destruction.
With a nod to Armstrong's point about discoverability under FRCP, only 6 percent of the cases addressed the question of the admissibility of electronic evidence.
Here's a quick summary of a few of the most significant cases heard this year.
In the case of Columbia Pictures Industries v. Justin Bunnell, the suit claimed copyright infringement, and the plaintiff sought user IP addresses along with dates and times of user requests.
The defendant argued that the data was stored temporarily in RAM and therefore did not come under the new FRCP guidelines that say only ESI (electronically stored information) is discoverable.
Guess what?
The court said data held in RAM constitutes ESI.
In Peskoff v. Faber, the suit alleged fraud and breach of contract, and the plaintiff argued that the ESI produced contained "unexplained gaps."
The plaintiff therefore asked for additional discovery of e-mail. The court ruled in favor, stating that "accessible data must be produced at the cost of the producing party, unless the producing party can prove the documents are inaccessible."
The case of Qualcomm Inc. v Broadcom Corp. is especially interesting as far as the court's opinion is concerned.
In this case of patent infringement, during testimony by one of the very last witnesses for the plaintiff, the witness revealed the existence of relevant e-mails that were not discovered.
The judge characterized this as "an organized program of litigation misconduct" and asked the plaintiff attorneys why they should not be personally sanctioned.
What can we learn from these cases? While some may say there needs to be a fundamental discussion of whether retaining e-mail is an asset or a liability, I think that horse is out of the barn, so let's move on.
Assuming a company, your company, is well intentioned, the real fundamental issue is the disconnect between legal and IT, say both Armstrong and Lange.
"The most frequent complaint I hear from the IT side is that they are always looking for legal to make a decision on policy and to tell them what their requirements are," Armstrong says.
But if you know anything about lawyers, they typically hate making definitive statements. I suppose that comes from the fact that our legal system is based on case law rather than codified into inflexible statutes.
One of the solutions Armstrong suggests is to get all of the concerned parties in a company together to lobby for a truly centralized e-mail system. Say the legal department wants a two-year retention policy for e-mail. IT has storage issues to consider and may have an even shorter time frame in mind.
IT is embroiled in the never-ending nightmare of collecting Microsoft PST (Personal Storage) files that sit all over the network, created by end-users who want to save all of their e-mail as an invaluable knowledge base forever.
Armstrong believes managing e-mail centrally has benefits for IT, users, and legal departments because it addresses all of the problems of each stakeholder.
This is more than likely a better approach and should be considered part of an overall best practice for e-discovery.
As Lange says, "An enterprise needs a litigation response team that brings together all of the key players, including outside and inside counsel, IT, executives, and service providers."
One year later, we have a more sophisticated perspective on e-discovery along with a better educated bench and bar. Given that, companies need to become more sophisticated as well.
Posted by Ephraim Schwartz on December 4, 2007 03:00 AM
August 02, 2007 | Comments: (0)
Government orchestrates 16-state raid on behalf of Microsoft and others
We all live with limited resources -- individuals, businesses, and yes, even governments.
If the limitation isn't monetary, as it never seems to be for the government, it is at least limited by the number of available employees.
With that in mind, why does the federal government, under the Immigration and Customs Enforcement (ICE) agency, spend its time and the limited time of the Customs agents in a 16-state raid on homes and businesses in search of so-called "mod chips"?
Mod chips or "swap discs" allow gamers to play pirated titles or counterfeit copies on Sony's PlayStation 2, Microsoft's Xbox, and Nintendo's Wii video-game consoles.
I don't think I have ever seen a bigger sting operation for illegal drugs. Or, for that matter, the number of personnel required to pull this off used for the inspection of goods coming into our country by air, land, and sea.
I admit I don't know this for a fact, but if the equivalent has been done, it would be news to me.
I wonder how much time and effort was spent on undercover operations and coordinating this operation? Wouldn't the same number of agents and the same amount of time be better spent on trying to stop drug trafficking? Or potential terrorist attacks through our ports?
It appears that the mod chips violate the Digital Millennium Copyright Act of 1997. Estimates by the Entertainment Software Association put losses due to counterfeit or pirated copies at $3 billion.
Whose losses? Not mine. Frankly, I could care less. Microsoft, Nintendo, and Sony are doing quite well, thank you, without the government spending what is probably millions of dollars in executing this raid on mod-chip manufacturers and sellers.
Why does the federal government seem more concerned with protecting Microsoft, Sony, and Nintendo than they do you and me?
As a taxpayer who works in high-tech, I just think high-tech and consumer electronics companies get enough breaks from Uncle Sam and enough dollars from me that the Customs Enforcement agency should spend my money on something more important.
Posted by Ephraim Schwartz on August 2, 2007 01:57 PM
June 26, 2007 | Comments: (0)
With terminology in the FRCP left vague, companies need to create their own archiving strategy
There's a new buzzword and acronym to go with it, and if you haven't heard of ESI (Electronically Stored Information) yet, you'd best get up to speed.
ESI is born of changes brought about by the Federal Rules for Civil Procedure (FRCP), which went into effect on Dec. 1, 2006. I've written about FRCP several times, including an in-depth article on FRCP preparedness.
The problem is, ESI is more a term of art than a deliberately defined set of rules.
Ralph Losey, an attorney specializing in e-discovery at law firm Akerman Senterfitt, tells me ESI is not defined on purpose in order to cover future technologies that haven't been invented yet.
"We only change these rules every 50 years or so, so they deliberately make things vague," Losey says.
So vague in fact that a judge in Columbia Pictures Industries v. Bunnell ruled that content stored in RAM falls under the definition of ESI and is thus discoverable under FRCP.
When you probe a bit deeper into this case, it turns out the defense tried to get cute, Losey says. The defendant, TorrentSpy, was accused of being part of a conspiracy to allow users in a peer-to-peer network to use its site to find content and then violate copyrights by downloading that content. TorrentSpy did not offer the content, rather they were the search engine used to find it.
To prove its case, the plaintiff had to show that TorrentSpy sent users to these sites. To do that, the plaintiff wanted the log server information.
"Without the logs you cannot show a conspiracy to violate copyrights," Losey says.
The defense contended that saving the logs could not be done. But TorrentSpy didn’t fool the court. Losey blamed the inexpert expert IT witnesses the defense put on the stand for angering the judge.
"She [the judge] was smarter than everybody in the IT department," Losey told me. The defense made it look like retrieving the logs was impossible, and that simply is not true.
Since Dec. 1, there have been thousands of motions pertaining to e-discovery, so we can expect that definitions of what is and is not discoverable will be determined over time by case law.
You can find a complete discussion of e-discovery cases on Losey's blog. In two particular cases, an employer requested to obtain a mirror image of an employee's home computer. One judge, in Hedenburg v. Aramark American Food Services, ruled against the employer, saying it was just a fishing expedition; while the other, in Ameriwood v. Liberman, ruled in favor of the employer, saying the content on the home computer was relevant to the case.
Losey believes the new FRCP rules actually encourage inefficiency rather than efficiency in document archiving. He says this because in some court rulings if the defendant can show that the data is not easily accessible and that discovery will cost an inordinate amount of money there's a good chance that the judge might agree.
However, this can depend on how good your expert witnesses are. As I said in the case of Columbia v. Bunnell, it was the expert witnesses that angered the judge and helped determine her ruling on RAM.
The point is, even though the lack of specific rules may encourage inefficiency, Losey says it is probably too high a risk.
I invited Matt Smith, president of LiveOffice, a company that provides tools for archiving and retrieving Web content, e-mail, IMs, voice mail, and other ESI, to add his comments on the lack of definitive rules for e-discovery.
Smith says that, whereas an attorney might have advised a client not to archive content, with e-mail and other electronic data, there is both a sender and a receiver. That makes all the difference. Because of this, companies will be best served by being efficient in how they save content despite any hard and fast rules on what to save and not save and for how long.
"You need to have all the information you can in order to avoid shooting yourself in the foot," Smith says.
However, in some cases, discovery rules are quantified, such as in the financial services industry. Here the SEC requires that electronic documents be held for three to five years. If deemed relevant to the case, documents created in the past three years must be retrievable within 48 hours.
That’s what LiveOffice does, and the secret is not to put in a system on the cheap, Smith says. Just because Smith has a vested interest in saying that doesn’t mean he isn't right. One must-have feature is real-time indexing, which can produce documents in short order rather than trying to field requests for e-mails from 20 different employees from three years ago and having to reindex the entire archive for each person.
Finally, I asked Losey, What is the biggest mistake companies make when devising their e-discovery strategy?
"In-house lawyers and IT people never have lunch together," Losey answered.
Not only do they often not understand each other, they often don't like each other. This is not good. Losey says they need to be close partners because each has to understand the needs of the other.
The FRCP may not be revised for another 50 years, but it looks like the courts and companies will need that time to figure it all out. Or as one office wag at InfoWorld suggested to me, "Why don't companies just cc: the Justice Department on every e-mail and get it over with."
Posted by Ephraim Schwartz on June 26, 2007 03:00 AM
May 22, 2007 | Comments: (0)
Major revision planned for Sarbanes-Oxley
By taking a top-down approach to ferreting out fraud, Auditing Standard No. 5 will ease up on IT oversight
On May 24, the Public Company Accounting Oversight Board (PCAOB) will vote on Auditing Standard No. 5. If approved, this new standard for audits of internal control will bring about significant changes to Sarbanes-Oxley regulations, which now operate under Auditing Standard No. 2.
In particular, Section 404 of the Sarbanes-Oxley Act of 2002 requires companies to assess their internal controls over financial reporting and offer an auditor's report on that assessment. To bring this to fruition, Auditing Standard No. 2 was adopted by the Securities and Exchange Commission.
However, in its latest report, the PCAOB admits that although the oversight has "produced significant benefits" with an increased focus on corporate governance, these benefits "have come with significant cost." If approved by the PCAOB, Audit Standard No. 5 will then be sent on to the SEC, which will decide how long the regulation will be open for public comment before it votes on the standard.
The SEC's goal, according to a PCAOB representative, is to finalize the new rules in time for the next cycle of audits of internal controls for fiscal years ending after Nov. 15, 2007.
I spoke with Patrick Taylor, president and CEO of Oversight Systems, which provides security systems for financial business processes.
The purpose of Sarbanes-Oxley remains the same: to identify fraudulent earnings and/or fraudulent financial reports. The difference, however, between Audit Standard No. 5 and Standard No. 2 is the approach. And that difference will have an appreciable effect on IT, in a good way.
"From an IT perspective, [Audit Standard No. 5] will take a lot of the bureaucracy out of compliance," Taylor told me. After four years of dealing with the issues surrounding Section 404, the SEC is actually getting more pragmatic.
The PCAOB admits that the current standard encourages auditors to "perform procedures that are not necessary in order to achieve the intended benefits."
Taylor offers a simple example to explain what that means: Under current Sarbanes-Oxley rules, a company must log every transaction the DBA (database administrator) performs. The DBA can't log in to a database without a trouble ticket. So, when the auditors come in, they want to see that someone at the company verified all DBA transactions against trouble tickets, a huge waste of time considering that no one will know whether the DBA, who may have written in his notes that he went into the database to reindex a column, actually performed the task.
Rather than getting lost in minutiae, the new standard will look at the bigger picture. In a sense, the SEC will relax some nitpicky procedures in favor of a top-down approach. Which is probably a good idea, given that the real risk lies at the top. According to an Aberdeen study, 73 percent of all fraudulent activity is initiated by executives and managers rather than the employees who answer to them.
Fraudulent financial reporting most likely stems from someone manipulating the general ledger or during revenue recognition. Because of this, the new proposals will direct the auditor's attention to financial statements and company-level controls rather than "process-level aspects of control."
One more example from the PCAOB proposal that put a smile on my face was the suggested rewording of the definition of a control deficiency from one that is "more than inconsequential" to a "significant" deficiency.
Proof once more that the pen is mightier than the sword!
If you haven't looked at the full 131-page proposal, I suggest you do so.
ODF vs. OpenXML redux: If you are interested in ODF (Open Document Format) and Microsoft's counter proposal, OpenXML, I would point you to last week's column and suggest that you read the comments from readers. They are thoughtful and raise many good issues that I did not cover when I wrote the original column.
Posted by Ephraim Schwartz on May 22, 2007 03:00 AM




