LITIGATION SUPPORT TIP OF THE NIGHT

In October 2023, the SEC's Director of Enforcement Gurbir Grewal addressed the New York City Association.   See the transcript posted here.  In remarks which emphasized the need for businesses to be proactive in complying with financial regulations, the Director stressed the need to preserve electronic data.  In the past two years

the SEC has fined more than 40 companies over a $1.5 billion for failing to preserve electronic communications.  Most of the noncompliance was a result of employees failing to follow data preservation policies.   A key problem was that communications were being conducted outside of official channels.

In December 2021, J.P. Morgan Securities had to pay a $125 million penalty because its employees were communicating about business using text messages, personal email, and WhatsApp, and no steps were taken to preserve the data.  The violation was particularly egregious because the individuals responsible for implementing J.P. Morgan’s policies communicated outside of official channels themselves.   In this press release, Gerwal warned businesses to, “scrutinize their document preservation processes and self-report failures”.   Businesses that find their data preservation processes fall short of the requirements of securities laws are encouraged to report the problem by emailing BDRecordsPreservation@sec.gov.

Gerwal pointed out that the ability of a company to provide the SEC with summaries of financial analyses, locate key documents, and make data custodians available for interviews may lead to a mitigation of the amount of penalties that they are ordered to pay.

Thanks to Amy Sellars of CBRE for pointing out Gerwal’s remarks at yesterday’s ACEDS webinar on the 2023 Legal Industry Collaboration Data Survey.

Here's a quick checklist on how to get custodians to be more cooperative based on the advice provided by Claira Hart and Lindsey Tsai of ZApproved on the ACEDS webinar, How Lean Teams Can Increase Custodian Compliance With 5 Easy Tips .

1. Simplify the language of the litigation hold -

   1. Don't use a lot of legal language.

   2. Don't force the potential custodian to review a long set of instructions. Consider cutting any unnecessary language. This is given as an example of a notice which is too short:

This is an example of a notice which is too long:

This is just right:

2. There should be a clear 'call to action'

a. The custodians shouldn't be confused by the notice.

b. A notice shouldn't prompt the custodians to ask a lot of questions.

c. Litigation hold software should prompt the custodian to accept the notice.

d. Compliance should not be difficult.

e. Give contact information for a real person to answer any questions.

3. Make sure the notice has good formatting.

a. Put custodians' obligations in a bulleted list.

b. Highlight particularly important instructions.

4. The litigation hold notice should be clear.

a. Provide detail on the data sources which should preserved

b. Use an eye-catching subject line with a phrase such as 'ACTION REQUIRED'.

c. Specify a date range for the data to be collected.

d. Prepare a log of where data has been collected from.

5. Make clear who the legal hold notice is from, whether it's the general counsel or someone else.

6. Give a deadline by which a response is required.

7. Provide suggestions on where data can be found.

8. Provide automated reminders to the custodians reminding them of response deadlines.

9. If there is no response, escalate the effort to collect data to a custodian's manager, or the system admin.

10. Use a single message consolidating multiple holds for more than one litigation matter.

11. Track custodian compliance with metrics showing the percentage of employees who have responded.

12. Make sure that you are focusing on active employees, and are aware of who has been terminated.

13. Provide training on litigation holds which are tailored to specific departments.

14. Be sure the hold notice is not misinterpreted as spam or a phishing exploit.

15. Work with IT to confirm that the email with the hold notice is not flagged as an external notice.

16. Prepare a defensible, easy to replicate template for your legal hold.

17. Make sure that hold notices follow a consistent format and 'cadence' with standardized intervals for reminders.

18. Identify someone who will draft the hold notices, and someone who will give them final approval.

19. Not closing out holds in a timely fashion can create risk for a business.

20. Provide contact information for a subject matter expert.

21. Ask about data stored on devices not provided by the company.

22. Ask each potential custodian if they know of anyone else who should be a custodian.

When tasked with collecting data from multiple storage drives, keep in mind that devices exist which can image multiple drives simultaneously. A forensic imaging device such as the ICS-JMR's RRoadMASSter-3 X2 Forensic Hard Drive Acquisition/Duplicator/Analysis Lab, or Media Clone's SuperImager Plus Desktop NVME Gen-3 can image multiple drives at the same time.

These devices should support the following operations:

1. Create forensic images of multiple drives saved on to one single drive used to collect data.

2. Wipe drives using protocols such as the Department of Defense's 5220.22-M standard (see the Tip of the Night for February 26, 2016), or Secure Erase standard (see the Tip of the Night for February 28, 2016).

3. Encrypt data using AES-256 encryption. See the Tip of the Night for May 13, 2017.

4. Hash collected files using the SHA-1 and MD-5 algorithms.

5. Capture cell phone data.

6. Analyze the data using common forensic software from industry leaders like Encase, NUIX, and FTK.

7. Run parallel operations on USB and SATA ports. A Serial ATA port connects a drive to the motherboard. See the Tip of the Night for January 22, 2016.

8. Operate in write block mode to allow read only access to collected data.

9. Run a keyword search of the source data.

10. Capture data from the source drive sector by sector (for a discussion of sectors see the Tip of the Night for October 31, 2015), or only capture allocated space on a drive.

NVMe (nonvolatile memory express) ports on a forensic imaging device will allow for the fastest access to solid state drives.