Lorman Data-Mapping & November 4, 2009 Electronic Information … · 2018-11-19 · Data-Mapping &...

© 2009 Robert D. Brownstone, Esq. Data-Mapping & Electronic Information Management (EIM) Lorman November 4, 2009 Risk Management for Daily Efficiency and Litigation-Preparedness

Page 1

© 2009 Robert D. Brownstone, Esq.

Data-Mapping & Electronic Information Management (EIM)

Lorman November 4, 2009

Risk Management for Daily Efficiency and Litigation-Preparedness

Page 2

Agenda/ Outline

I. Technology and Information-Risk-Management (IRM)

A. Electronically Stored Information (ESI) Liability Risks

1. “Smoking Gun” Content

2. Information-Security Risks

B. Records-Retention & EIM Regimes

1. Over-Saving Costs

2. Under-Saving Risks

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES. THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE. THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.

Page 3

Agenda/ Outline

II. Benefits to be Derived from Data Mapping

A. eDiscovery/Litigation Prep. and Risk-Insulation

1. Costs-Reduction

2. Destruction “Safe Harbor”

B. Governance, Risk-Management and Compliance (GRC)

C. “Going Paperless”

Page 4

Agenda/ Outline

III. Data-Mapping Approaches/Processes

A. WHO should be involved?

B. WHAT is the scope?

C. WHY has the task at hand arisen?

D. WHERE are the key locations?

E. WHEN to start, stop, update, etc.?

IV. Descriptions and Excerpts of Different Kinds of Maps

Page 5

I. Tech & IRM – A. ESI Liability Risks

INTRO – ESI’s pre-eminence . . .

Only 0.01% of newly created information is stored in paper (UC Berkeley Study 2003)

Trillions of e-mails sent annually

PLUS:

Posts on blogs/wikis/social-networking sites

Twitter tweets

Other Internet activities

Page 6

I(A). Tech & IRM – ESI Risks (c’t’d)

Under amended Fed. R. Civ. Pro. (@ 12/1/06), Initial Disclosures, Interrogatories, RFP’s and Subpoenas now all encompass ESI

Similar changes to Cal. C.C.P. & Cal. R.C. now in place. Growing trend among states.

Compare enacted – and pending – state law procedural rules:

<www.applieddiscovery.com/ws display.asp?filter=State%20Courts>

<www.krollontrack.com/rules-statutes/>

Biggest data set always e-mail

Page 7

I(A). Risks – “Smoking Gun” Content

E-mail communications generally less formal and less thoughtful than other, pre-21st-century correspondence

"Candid comments" can have significant impact

CAN’T GO BACK IN TIME TO “TERMINATE”. . .

See “E-mail’s Nine Lives” (available from presenter)

See also Correy Stephenson, Advising clients before they hit 'send' (Lawyers USA Jan. 2009) <http://fenwick.com/pressroom/5.1.1.asp?mid=606&loc=FN&p2=23&f=2.23.3&s=1055>

SO USE BEST EFFORTS TO REFRAIN FROM WRITING AND FROM OVER-SAVING . . .

"Quick, delete that e-mail before Eliot Spitzer sees it!" (Corante NY 7/29/05)

Page 8

I(A)(1). eInfo Evidence – “Multiple Audiences”

Multiple Audiences ("Green Eggs & Ham") Test:

Would you like to see it in the press?

Would you like it on a competitor’s desk?

Would you like it in the government’s hand?

Would you like to read it on the witness stand?

If the content will get you slammed, then . . . .

DO NOT SEND IT, SAM I AM

© Fenwick & West LLP; Mark Ostrau; Robert Brownstone

<www.fenwick.com/services/2.23.0.asp?s=1055>

Page 9

I(A). Tech & IRM – 2. InfoSec. Risks

Not just live E-mail . . . also . . .

E-mail Archives (company-wide and individual)

Databases (DMS, etc.)

Shared Network Drives

External Websites; Intranet/Portal

Blogs and Wikis (authorized), both external and internal

IM (company-provided) and Voicemail

Hard Drives of local machines

Portable-Devices/Removable-Media

Page 10

I(A)(2). InfoSec. Risks – Data Leakage

Sites/Networks Attacked/Hacked

Extranets – misuse of access rights settings

E-mailing an attachment whose metadata contains confidential information

<http://www.newsfactor.com/story.xhtml?story id=52124>

Page 11

II. Ways Information Can Get Exposed (c’t’d)

Portable-devices/removable-media lost or stolen

Laptops

Smartphones (alert IT Helpdesk to send “kill” signal)

DVD’s, CD’s, USB sticks, thumb-drives, etc.

Viruses, Worms and Malware, Oh My

Attachments not only potential culprits. So are:

files downloaded from suspect websites

P2P file-sharing software

.pdf attachments from unknown sources

links taking you to suspect websites

<www.getrichslowly.org/blog/2006/10/31/reader-story-coping-with-theft>

Page 12

I. Tech & IRM (c’t’d)

B. Records-Retention & EIM Regimes

INTRO – Big Picture: Divide information universe into

• legal and/or business need to retain

• EVERYTHING ELSE = dispose/delete

• Key goals:

• Know – > high level – what you have and where

• Substantial compliance with a routine

Page 13

I(B). Tech & IRM (c’t’d) – Retention & EIM

1. Over-Saving Costs:

retrieval capability

storage fees

efficiencies in:

operations

projects

transitions

collections/productions

Page 14

I(B)(1). Over-Saving Costs/Risks (c’t’d)

Aim for effective and cost-efficient collection in response to government-inquiry or lawsuit because:

eDiscovery costs staggering

Cost-shifting iffy at best

Unavoidable services expense for litigant, especially when outsourced by law firm via an .asp model (pay-per-gig or per-click)

Page 15

I(B). 2. Under-Saving Costs/Risks

“Must Keep” Various Statutory/Regulatory Periods, e.g.:

Safety Statutes/Regs

Tax

EMP/HR Periods

Cf. Statutes of Limitation (SOL)

Page 16

I(B)(2). Under-Saving Costs/Risks (c’t’d)

Litigation-Hold (Preservation):

Sarbanes-Oxley Federal Criminal Obstruction of Justice Crime(s)

See generally 3/10/08 N.L.J. article at <www.fenwick.com/docstore/Publications/EIM/SOX Litigation-Hold Triggers.pdf>

Attorney Ethics Rules

Case-Law Preservation (Destruction-Suspension) Duty

See generally 5/11/09 Give P’s a Chance (“Policies . . . Protocols . . . [and] Preservation”) article at <www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202430718101>

Page 17

I(B)(2). Under-Saving Costs/Risks (c’t’d)

Not meeting Business Needs, e.g., . . .

Corporate/historical records

IP (including engineers’ records for patent conception proof; invention assignments, etc.)

Contracts (until performance end dates plus SOL?)

Contractually imposed requirements (audit rights)

Page 18

II. Benefits to be Derived From Data-Mapping

A. eDiscovery/Lit. Prep. & Risk-Insulation

1. Costs-Reduction, given estimates of eDiscovery $ in U.S. commercial lit.:

2008 = $3.4 Billion

2009 = $4.0 Billion

2010 = $4.6 Billion

George Socha & Tom Gelbmann, Mining for Gold, Law Tech. News (Aug. 2008) <www.lawtechnews.com/r5/showkiosk.asp?listing id=2117297>

Page 19

II(A)(1). Benefits – Costs (c’t’d)

THE GOAL: avoid the triple-whammy of eDiscovery costs:

1) a vendor charging per Gb and/or per click to process an unnecessarily large data set

2) attorneys doing bloated review of duplicative email strings and eFiles

3) legal and tech teams racking up even more costs and fees in protracted litigation

Early analysis enables clients to assess a case’s strength or weakness . . . and decide much earlier whether to litigate or settle

Page 20

II(A). 2. Destruction “Safe Harbor”

So-called Safe-Harbor in Fed. R. Civ. P 37(e) (@ 12/1/06)

• "Absent exceptional circumstances, a court may not impose sanctions under these rules for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system."

<www.uscourts.gov/rules/EDiscovery w Notes.pdf>, at 40

Page 21

II(A)(2). eDiscovery – Safe Harbor (c’t’d)

“AN electronic information system.” Not just a party’s

Federal Rules Report, at App. C-89 <www.uscourts.gov/rules/Reports/ST09-2005.pdf#page=174>

Sword and shield. Id.

So, to extent data storage outsourced, litigant should have synched up schedules and stop-the-presses lit-hold notices, etc.

Page 22

II(A)(2). eDiscovery – Safe Harbor (c’t’d)

To extent data storage outsourced, synch up schedules

Assume your organization will ultimately be held responsible for production of any pertinent records in discovery

Cf. Tomlinson v. El Paso Corp., 2007 U.S. Dist. LEXIS 64783 (D. Colo. 8/31/07) (given that ERISA imposed duty to ensure employee benefits records were accessible for inspection, compelling production – under Fed. R. Civ. P. 26(a)(1)(B) – of information as to record-keeping system of third-party hired to administer benefit records)

<http://Tomlinson-DColo-8-31-07.notlong.com>

Page 23

II. B. Governance, Risk & Compliance (GRC)

GRC defined as “system of people, processes and technology that enables an organization to:

. . . . set business objectives congruent with values and risks;

achieve objectives while optimizing risk profile and protecting value; [and]

operate within legal, contractual, internal, social and ethical boundaries. . . . ”

Melissa Klein Aguilar, Red Book Alert: OCEG Revises GRC Manual, Compliance Week (4/21/09) <www.complianceweek.com/article/5373?printable=1> (quoting OCEG’s FOUNDATION “RED BOOK” v 2.0)

See generally <http://www.oceg.org/view/RB2Project>

<http://www.oceg.org/resources>

Page 24

II(B). Benefits – GRC (c’t’d)

Implicit benefits:

More interaction, sympatico and, ultimately, cohesiveness between [sub-]departments, e.g.:

Compliance

EEO

Facilities/Operations

HR

IT

Legal

Records

Risk Management

Page 25

II(B). Benefits – GRC (c’t’d)

KUMBAYA?! Clear, well-thought-out policy language on which multiple constituencies have weighed in . . .

© TOSHIBA

Page 26

II. Benefits to be Derived – C. “Going Paperless”

Access/Retrieval Efficiencies

Huge speed increases and risk reductions to be gained from – and legal support* for – an all-electronic environment

Electronic vs. Paper:

SEDONA PRINCIPLES; Best Practices Recommendations & Principles for Addressing Electronic Document Production (June 2007), at 2-5 (.pdf pp. 15-18) <www.thesedonaconference.org/dltForm?did=TSC PRINCP 2nd ed 607.pdf>

W. Fenwick & R. Brownstone, Efiling, 19 Santa Clara Computer & High Tech. L.J. 181 (2002) <www.fenwick.com/docstore/publications/Litigation/efiling.pdf>, at .pdf p. 25 (comparing retrieval times of 25 minutes and 20 seconds)

* list of authorities available on request

Page 27

II(C). Paper – Low-Hanging Fruit

Start with old boxes of PAPER:

unlabeled and not retrieved or looked at for years

whose labels and/or indices reflect no need to retain

“duplicative” of searchable electronic information

Assess workflow re: all documents and information (letters, invoices, receipts, etc.)

created within your organization

disseminated by your organization

As to incoming documents:

wherever possible, get buy-in re: electronic form

to extent control is not possible, develop – and train on – scanning/imaging protocol for all incoming paper

<http://evolutionofbpr.com/tag/technology/>

Page 28

III. Data-Mapping Approaches/Processes

INTRO: Weather Vane Approach

Context

WHO/ WHAT/ WHY/ WHERE/ WHEN

Page 29

III. Approaches – A. WHO

IT

Multiple key leaders wherever appropriate

Key systems/environments:

E-mail (live AND archive)

Back-ups

Databases (incl. DMS)

Shared Network Drives

Intranet/Portal

External Websites

Blogs/Wikis/Forums (internal and external)

Web-2.0

Page 30

III(A). Approaches – WHO (c’t’d)

Legal

In-house or “out-house”

High-level official

Someone who will ultimately “lay down the hammer” as to compliance with new regime/policy

Translator/project-manager

Other Key Stakeholder(s)

Page 31

III. Approaches – B. WHAT is the Scope?

Key considerations:

Ultimate new and/or revised policies/protocols

Realities re: maintenance/updating

How many policies will change and/or be synched up with key new(ly revised) one?

Risk: creating “compliance gap”

Legal obligations & IT frameworks often vague

So, to some degree, developing own standards

Page 32

III. Approaches – C. WHY . . .

. . . has the task at hand arisen?

Bad incident-response event?

Bad eDiscovery experience in lawsuit or subpoena or government inquiry?

Cost-cutting, efficiencies and/or automation?

SOX “internal controls” audit or preparation for same?

Seeking loan and/or financing?

Going public?

IT framework audit?

D&O/E&O Insurance premium reductions?

Page 33

III. Approaches – D. WHERE . . .

. . . are the key locations?

In addition to any lengthy work-product/deliverable, one result should be a short chart/menu

Repositories List

See Example excerpt on slide 35

Page 34

III. Approaches – E. WHEN . . .

. . . to start, stop, update, etc.?

Three E’s:

Establish

Educate

Enforce

Three-pronged approach

Administration/Policies

Training

Technology

See Global Cisco Study Applies Reality Check to Corporate Security Policies, Draws Connection to Data Leakage Risk (10/28/08) <http://newsroom.cisco.com/dlls/2008/prod 102808.html>

“Research Identifies Gap in Policy Awareness of Employees, Shows 1 in 4 Companies Lacks Security Policies”

Page 35

IV. Descriptions and Excerpts of Different Kinds of Maps

Examples of Maps (Proactive and Reactive): Short/Sweet Repository List

Page 36

IV. Examples (c’t’d) – Server Architecture Diagram # 1

“accompanied the testimony of Microsoft Vice President and Deputy General Counsel Tom Burt presented during the period of public comment on the proposed changes to the Federal Rules of Civil Procedure”

From <www.ediscoveryuniversity.com/Documents/Microsoft Sample Network Diagram.pdf> or

<www.ediscoveryuniversity.com/Documents/Microsoft Client Server Architecture Diagram.JPG>

Page 38

IV. Examples (c’t’d) – Web-ified Visio Chart of data flow . . .

• . . . between HR databases & geographical locations

© 2004, 2009 Robert D. Brownstone, Esq.

Page 39

IV. Examples (c’t’d) – Others, described . . .

Spreadsheet with content-types on one axis (rows) and Dep’ts on other axis (columns)

Chart/diagram of physical locations, each with respective list of repositories

Diagrams/flow-charts of SOX internal-controls workflows

Items enabled/facilitated by map:

Records-Retention Schedules

“Pre-Collection Checklist” (available on request)

Page 40

Conclusion/ Questions

Q+A

Robert D. Brownstone <www.fenwick.com/attorneys/4.2.1.asp?aid=544>

650.335.7912 or <[email protected]>

Please visit F&W EIM <www.fenwick.com/services/2.23.0.asp?s=1055>

<www.fenwick.com/services/2.23.4.asp?s=1055>
