On Wednesday I attended a discussion entitled, “The Living Dead of E-Discovery”, a session at the 2016 ACEDS E-Discovery Conference at the Grand Hyatt in New York City. The panel included Alex Ponce de Leon, the discovery counsel for Google; Rachel See, the Lead Technology Counsel for the National Labor Relations Board; Cindy MacBean, law firm litigation support manager, and Chris Dix, an attorney with Smith Hulsey & Busey who focuses on e-discovery issues.
While this session was to focus on when law firms and their clients should delete data from case productions, the group began by noting the vulnerability of data on law firm networks. The Australian Signals Directorate (the NSA down under) has monitored the email communications of an American law firm with respect to its representation of Indonesia in trade negotiations – something Edward Snowden helped to disclose. Large law firms like Cravath Swaine & Moore LLP and Weil Gotshal LLP have been hacked.
But confidential information may be vulnerable for reasons other than cyber security breaches. Businesses face a great challenge in riding themselves of ESI they are not legally required to keep, and which should be deleting according to their own information governance policies. A case study by DuPont took a large document set that had been reviewed by contract attorneys and trained a different group of lawyers on its document retention schedules. The second group's job was to determine which documents should and should not have been in the review set – not what was responsive or non-responsive. The document retention schedules would have required 50% of the documentation to be discarded and if this had been done, DuPont would have saved $12 million.
The new version of the Electronic Discovery Reference Model has been issued which includes an enhanced verison of the information governance module, which includes a component for the disposal of data.
Rachel See noted the array of difficulties facing firms that aim to destroy data they are no longer required to retain. Litigation support departments may have stores of unlabeled electronic media; determining if data is really gone is more complicated than just taking down production databases. Aside from disaster recovery archives, data may on many other types of storage devices. There need to be policies in place to ensure back-up tapes are only kept for a reasonable period of time, and data destruction protocols should be incorporated into Master Services Agreements.
The group brought up the ethics opinion of the California State Bar (I believe they were making reference to Cal. State Bar Formal Opn. 1992-127) that a client can request data held by a law firm at any time, but may be required to pay reasonable costs.
Ponce de Leon noted how common the practice has become of clients controlling access to document databases which remain on their networks and allow them to revoke access at any time. An overall approach can be taken of minimizing how much data is released to law firms.
A member of the audience discussed how he had managed to save a client a lot of money by shutting down portions of a database which were not in active use.
Chris Dix lauded the use of the National Institute of Standard and Technology's Special Publication 800-88, Guidelines for Media Sanitization, last revised in December 2014. The guidelines are a useful reference point for talking with opposing counsel about what needs to fall under the terms of a protective order. He in particular called the groups attention to an appendix to the guidelines which is a good neutral source on how to remove data from a variety of sources – mobile devices, SCSI hard drives, ATA solid state drives, etc. - listing standards on how to either clear, purge, or destroy each type of storage device.
Mr. Dix advised that protective orders be tailored to specific cases, and not be abused. He referred to Procaps S.A. v. Patheon, Inc., Case No. 12-24356 (S.D. Fl., July 20, 2015) a case in which the court ordered the re-designation of a production after a party designated 95% of this production highly confidential – which under the terms of the protective order would prevent anyone other than an attorney from reviewing the documents. It's not hard to get data destruction provisions in protective orders.
He recommended NAID certified destruction of data (see the Tip of the Night for April 26, 2015 ) and noted that the Legal Technology Professionals Institute is preparing a guide on how to close out a case.
Developments in technology are impacting the way data is retained as well. Solid state drives don't possess moving parts and data on them will not be effected by magnetic forces (although the more traditional hard disk drives usually shield magnetic platters in metal cases). SSDs will not retain data as long as hard disk drives when they are powered off, and it is more difficult to recover deleted data from them.
Ponce de Leon noted that there are five prerequisites for sanctions to be imposed for lost data under FRCP 37(e):
The data has to be Electronic Stored Information.
It must be within the scope of what should have been preserved in the first place.
It actually has to be LOST – it cannot be located after a thorough search.
The responsible party must have failed to take reasonable steps to preserve the data.
The data cannot be restored or replaced.
An example of a reasonable step to get data back would be restoring just the directory structure of magnetic tapes, which can be done very cheaply.