Thursday, January 28, 2010

Flying through THE CLOUD with a Lawyer on Your Back.

Just about everything I hear lately has something to do with “THE CLOUD”. I am just wondering is that like outsourcing or the ASP (application service provider) model of the dotbomb era? Don’t get me wrong, I like jingoisms as much as the next guy. I just need to know what they mean and their implications. Cloud computing is using the internet to bring technology or more likely software application to you. And it is not really bringing them to you it is making them available to you over the internet. For me they are really like the ASP model of yesterday year. So I take no issue with the name Cloud Computing. In fact I don’t think “THE CLOUD” is inherently good or bad. But it is different and you should consider how it is different from using software you pay for within your computing environment. Just a few things to think about when using someone else’s software application on their environment for business purposes—in other words, “Cloud Computing”.
1. Sometimes relationships go bad or even end and when they do how will you get your information back or have access to it without their “Cloudware”
2. You can’t delegate your legal responsibilities so remember privacy, security, records retention, tax filing support , etc. don’t go away just because your data is floating elsewhere.
3. If you need to have access to your Cloud data for litigation purposes, will your provider accommodate the request and in a timely and defensible fashion?
4. When a regulator wants to see the data or check to make sure it is being stored in accordance with regulations (if they exist for the industry or type of data at issue) will the government deem the environment OK for the task for which they were hired?
5. The rules the Cloud Co. may be following may be different than yours so make sure they follow rules you can live with or contractually make them follow your rules.
6. Anticipate new governance, risk and compliance risks.
7. Make sure the Cloud Co. deals with your disaster recovery requirements.
8. Make sure your litigation response process and e-discovery plan can be accommodated in the Cloud.

Thursday, January 21, 2010

Lawsuits Happen No Matter The Size of Your Company

We now live in a modern litigation world in which the unearthing, securing and producing of electronically stored information (“Electronic Stored Information” or “ESI” as it is referred to by the new Federal Rules of Civil Procedure) changes the balance of power in litigation. If you are an organization with lots of information in various forms, in various places, your organization has exposure. Practically speaking, companies now routinely make “business decisions” to settle cases rather than spend large sums on discovery and thereafter to litigate the dispute. Cases with underlying business disputes can cease being about the legal claim and turn into an expensive, painful public discovery circus, where the 50,000 pound elephant causes injury to all who enter the fray. The business decisions impacting organizations goes something like this: “If our people will be inconvenienced, the IT department needs to be taken off their projects and IT systems taken offline, and we still need to spend $100,000 on “experts” just to do discovery, then perhaps it is prudent to make the case go away for $50,000, even if the legal merits are questionable”. Enter the world of e-discovery. No matter how hard you try to find and produce anything and everything for a lawsuit, it will be a challenge—perhaps an impossibility. But why?

Why is discovery such a headache?

We live in an expanding universe of data with distant parking lots housing company information that may not be logically located. According to IDC there will be 988 new exabytes of data by 2011. To put that in context, it is said that one exabyte of data is the equivalent of 50,000 years of DVD video content. All of a sudden 988 exabytes of data looks like the information equivalent of the distance the Hubble takes us into space. And that information universe is expanding rapidly. Most businesses have lost centralized control over all data and computers. More and more information can be stored on smaller and smaller devices. Businesses use the wrong technology for the job, which is why disaster recovery back-up tapes may create way more disasters than they fix. Employees decide where to park info and when bad company policy dictates a purge of data due to limited storage capacities, employees park company records at home, on a thumb drive or a third party storage network. They’re making the perfect information mismanagement storm that will no doubt cast its shadow on your organization if you have any sizable litigation.

One Bad E-discovery Event is All the Religion You Need

When trying to motivate clients to be proactive with information management, we regularly hear that they have very few lawsuits and they are not worried. The score after the first round is “confidence”-1, and “stoooopidity”-100. Right answer to the wrong question. Getting trounced by the e-disco dancing elephant is not about having many lawsuits. Rather it is about having one lawsuit where enough money is at stake to make life miserable for you by playing the discovery card. It’s the corporate “go-fish” exercise where the pond is seemingly boundless, and the pound of flesh exhumed may be tangentially relevant or harmful or just outright embarrassing. Either way the exercise of looking just to see if something is relevant is both inconvenient and expensive saying nothing of how the contents you find will impact the case.

So, if you are likely to have to produce lots of electronic information or look in lots of places for ESI even if your revenue is not huge and the numbers of employees is only a few thousand, don’t be complacent.
Being proactive is how you tame the discovery tiger. (I am looking for yet one more metaphor to annoy you the reader, so if you can think of one that I missed please send me an email at )

If you are going to minimize the headache from discovery this is a beginners’ roadmap to help the non-behemoth company on your way.

1. Make sure you have good Records Management rules and apply them to the business content. It allows business records and information to be properly disposed of when no longer needed according to documented policy. Make the rules easy and simple and high-level. If you need help, call. We are happy to provide a little free advice. The less unnecessary around to manage and look through, the less painful discovery will be.
2. Once your company is retaining records, you need to make sure you are doing so on the right medium. Disaster recovery tapes are great technology to park huge quantities of stuff in the unlikely event of disaster, but if you need to find a record, you need an archive or RM or DM software application.
3. Have a Legal Hold Policy for all employees to follow that is issued by lawyers telling the rest of the company what information needs to be preserved, when and in what form. It does not need to be big and complex but it does need to deal with basics-- who should preserve, what information Is affected and where to put it.
4. Develop a Litigation Response Plan which can reflect the size and formality of your business. Don’t build the Taj Mahal if you don’t need it. Document who will do what and how the IT and lawyers will interface. Maybe you will need some technical guidelines of how to preserve, and rules for employees but make it useful and simple.
5. One of the things the New FRCP requires to know is your source of ESI. Some folks call it a Mapping of Sources. Whatever you call it, you need to document what you have, where you have it, in what system it resides and who controls it.
6. Legal Hold Mechanism (Notice and Issuance documentation). After it is determined that you need to tell some or all employees to preserve information, thereafter you need to document the effort. If something slips through the cracks, and stuff always does, at least you can show what a good company you are by what you did undertake. So retain proof you did the right thing.

Being littler has its privileges—you don’t need to build it like the big guys. You can be less formal, less proscriptive, but in the end, you need the things above to get through discovery in the bad case with your pocket book intact and your employees bruise-free.

“Not my problem, we don’t have a ton of litigation” is not an appropriate response. The first time you get sued, you may have the e-disco elephant sitting on your head and that smarts. The question is—“do you feel lucky”.

By Randolph Kahn, ESQ.

Monday, January 18, 2010

Why do you think it’s called back-up?

Why do you think it’s called back-up?

So begins a story that seems to rear its ugly head at just about every organization, large or small, private or public. The act of having information is rather different than managing it. The act of storing data on back-up media, while essential, is rather different than retaining it in an archive. The differences are far more than location or semantic. Unless and until everyone understands the issues, the world of e-discovery pain or records management failure will continue to be felt again and again, seemingly without end in sight.

So what does the enlightened leader know to be true.

Disaster recovery is an essential activity—making sure that vital records are available to the business in the unlikely event of disaster. The way in which disaster recovery is done is by taking huge chunks of data and parking it in a device that maximizes the amount of stuff to be stored but generally does not provide functionality to promote finding the “needle in the haystack”. Thus unearthing an individual record for business purposes or a piece of potentially relevant evidence for an audit or lawsuit is not best accomplished with the typical disaster recovery back-up tapes for example. They just weren’t built for this purpose.

In the context of a lawsuit no doubt the litigants will have to ask whether or not information exists that may be relevant to a lawsuit. But actually that is not really the best question to ask. The better question is if information exists, where is the information located, and how can we find and preserve it as efficiently as possible? Further, in reality the best time to ask any of the questions is before you are forced to do discovery because you can prepare and make sure you have the right technology for the job. So often companies in a lawsuit learn the hard way—yep, we technically have the information but it is locked in disaster recovery back-up tapes for which we no longer have the software or hardware to open the tapes. In other words, it is there but opening the doors to have access is made very complicated and expensive due to the technology we chose to store it on.

So what are the takeaways

• Disaster recovery back-up tapes are essential but for backing up data, not for retaining one of a kind records.
• Having information that is not readily available is not proper management.
• For records you need to have an archive that promotes access and good efficient business
• Not all technology is the same—know what you seek to solve and find the right tools to make it happen.