By Thomas Shaw, CIPP
This is the first article of a three-part series exploring litigation exposure and readiness for Asian companies. Part two of the series will explain how non-U.S. companies, particularly those based in the Asia/Pacific region, can analyze and deal with the risks of U.S. litigation exposure to pre-trial discovery data requests.
Due to expansive rules on discovery, jury trials, and the size of damage awards, plaintiffs worldwide choose to bring their claims in U.S. courts. So it is important that non-U.S. companies consider their exposure to U.S. litigation. After an Asian corporation has determined its exposure to U.S. litigation, it must take steps to analyze its current readiness to deal with requests for pre-trial discovery. Because response to discovery requests under U.S. rules is time sensitive, respondents must have the ability to fully describe their responsive data within about 100 days of the initiation of a lawsuit. Failure to respond appropriately can lead to fines and/or other types of sanctions, as an Asian manufacturer recently discovered. This means that companies must proactively set up a series of information-governance protocols and discovery procedures that allow for rapid response. Asian companies must know what data they have, where it is located, how long it is retained, who owns and controls it, how to preserve it, what automated or manual deletion processes exist, how to halt them, and how to collect information in its original state for discovery.
But it is no longer just U.S. litigation that will drive the need for this type of information governance. Each country in Asia has its own discovery rules based on its legal heritage, and several have undertaken to create special rules for the discovery of electronically stored information (ESI), as U.S. federal and state courts do. For example, Australia’s Practice Note 17 and Singapore’s Practice Direction No. 3 spell out guidance for dealing with e-discovery under litigation filed in those countries. Other Asian countries will likely follow. In addition, a variety of regulatory requirements, privacy laws, and information-security requirements mandate much more rigorous information governance practices. Audit attestation needs, such as local versions of Sarbanes-Oxley (SOX) or service provider audits (e.g. SAS 70), or internal investigation needs further push Asian companies toward an information-governance framework that controls corporate data and provides the ability to respond to any information-based request, be it litigation, regulation, statute, audit, or other.
The Electronic Discovery Reference Model (EDRM) is a multi-phase reference model that documents the steps required to respond to litigation discovery requests for ESI. The nine phases in order are: Information Management, Identification, Preservation, Collection, Processing, Review, Analysis, Production, and Presentation. Because the phases from Processing forward typically involve specialized external resources and procedures, such as large volume processing, vendor software, and teams of lawyers, this article will focus only on what most corporations can initially undertake themselves, the first four EDRM phases. This is also in accordance with two industry trends. The first is that, to save money, firms are looking to in-source parts of the EDRM lifecycle and the first four phases represent that which they can most easily handle, assisted by appropriate best-practice procedures and vendor software. The second is that companies are moving their focus to the left side (earlier phases) of the EDRM model. Firms realize that if they proactively understand their data and understand how to preserve, find, and collect it, this will go a long way in reducing their discovery tasks and so their litigation, regulatory, audit, and compliance expenses and exposures.
Information Management
This EDRM phase should be initiated before any litigation is known or anticipated. It involves the establishment and maintenance of infrastructure, processes, and training surrounding a corporation’s body of information. This includes all information—structured and unstructured—used by the corporation in pursuit of its business objectives and is much more than just the accounting database or the e-mail system. The infrastructure includes all systems, applications, and devices, including servers, PCs, laptops, tapes, DVDs, USB drives, mobile phones and networks, and more, that store and transmit this business data. The processes include those to record business information, store, retrieve, use, and then, finally, delete it. And to effectively use the information, a corporation’s employees must be trained to implement and maintain the infrastructure and processes, and to deal with any changes.
To begin to understand whether a corporation’s information management program is “litigation ready,” a number of high-level questions must be asked and answered about the corporate data, infrastructure, processes, and people.
- Is there a complete and current inventory of the corporate data sources and physical (hardware, software, network) infrastructure?
- What ESI is contained in non-active IT systems (e.g. archival or legacy systems)?
- What metadata exists and is it fully documented for each type of ESI?
- Are there fully engaged data custodians and IT technical leads for each type of ESI and each technology component?
- What legal access is there to data (and metadata) stored with third-party vendors?
- Are there information management/security policies originating from top leaders?
- Are there record retention/disposal timeframes and processes for all record types that comply with all contractual, statutory, and regulatory obligations?
- Are archiving and backup processes implemented and documented?
- Is records management implemented (e.g. record declaration and deletion)?
- Are all the policies and procedures actually in use by skilled people trained to use them?
It is important to understand the possible different data sources includable as ESI to see the broad scope an inventory must cover. The data in the table below are data sources subject to discovery.
Unfortunately, to grapple with the disparate ESI sources and information management processes, there is no one over-arching framework. But if a company has implemented a program structuring or protecting corporate information, such as records information management or information security, this should provide a sufficient framework upon which to build. As an example, the ISO 27001 information security certification standard and its related ISO 27002 controls provide a valuable set of requirements and tools that should ensure sufficient rigor not only for the security of information but also can be extended to information management as needed. ISO 27002 includes certain controls addressing:
- Assessment of risks
- Documented corporate policies
- Ongoing management commitment to these corporate policies
- Inventory, ownership, and acceptable use of information assets
- Classification and handling of information
- Training and awareness
- Exchange of information
- Protection of organizational records
- Auditing for compliance with the policies and standards
These controls can be adapted and expanded for information management purposes. The risk assessment (as further expanded in related standard ISO 27005) can be used to evaluate the risk that any data sources will be subject to a discovery and how that risk would be treated by altering the preservation rules. An information management policy and management commitment to those policies would set the tone and direction for the corporation. Training and awareness-raising about the information management policies and procedures ensures that the whole corporation gets involved and stays engaged on an ongoing basis. Cumulatively, the ISO 27001/27002 information security controls with certain extensions can provide the corporation with a sufficient initial depth to the information management function to reasonably respond to discovery data requests.
To create an information management policy, corporations can begin by considering the guidelines set forth in the Sedona Conference document about managing records and information. Among the many guidelines, the following two provide some initial insight. First, the organization will have to create something that works for its particular situation, as “no single [information and records management] standard or model can fully meet an organization’s unique needs.” Second, corporations will have to determine what data to retain or to discard, as “defensible policies need not mandate the retention of all information and documents.” Finally, for those organizations with the resources to implement true records management (records are a subset of information that is retained in a format and for a timeframe based on legal, regulatory, or contractual requirements), use of the ISO 15489-1 records management standard may be appropriate.
Identification
When a corporation becomes aware of a lawsuit, either when it is initiated or anticipated, it must identify the data that would be responsive to that matter. While the specifics of any particular lawsuit cannot be known until receipt of the complaint, discovery request, retention letter, or court order, a company can and should prepare. The corporation can develop the processes that it will utilize to form and engage a discovery response team, identify key witnesses and people of interest, and scope the sources of information that may be relevant to the lawsuit. Because all data sources, infrastructure, and custodians have already been identified in the information-management phase, it is then only a matter of verifying that they remain current and determining what, if any, additions have taken place.
In addition, if a company finds that any data source is of the type that would be considered difficult to access at a reasonable cost or effort, and so be the basis of a not-reasonably-accessible argument, it could document those reasons for all such data sources. When responding to an actual discovery request, the litigation-hold process and the related interviews would start during the Identification phase. The litigation-hold process will be discussed below in the Preservation phase, but it would be appropriate to create interview checklists for data custodians/owners, key IT personnel, and persons of interest to the subject matter of the lawsuit now, well in advance of needing them for discovery response.
Preservation
A party to a lawsuit must ensure relevant ESI is preserved and protected against destruction or alteration. To do this, a corporation must prepare and circulate a litigation-hold communication to all relevant parties. It may also need to copy the e-mail and other files of persons of interest, image their hard disk and removable drives, or even image forensic data for deleted/hidden files or encrypted data. As part of notifying parties of their preservation obligations, it is critical that any routine processes that delete or modify ESI be stopped or altered. This might include various system procedures, such as overwriting of system logs or daily transaction files, certain archiving processes, or the overwriting of backup tapes sent offsite as part of a disaster recovery plan. Communicating and working with the IT team is key, but all employees will need some training on their preservation duties under legal holds.
The specific ESI and persons of interest will not be known until actual litigation arises, but again a company can prepare in a number of ways. First and foremost are the legal-hold procedures. Guideline 9 of the Sedona Conference document on legal holds states: “The legal hold policy and process of implementing the legal hold in a specific case should be documented considering that both the policy and the process may be subject to scrutiny by the opposing party and review by the court.” So a company should proactively document, based on its data and systems inventory: the retention periods for all data, the deletion procedures (manual or automated), how to stop deletions or quarantine data, the steps needed to take a forensic backup of a device as required, and who to notify about the preservation of data. Besides creating policies and procedures for legal hold, a template legal-hold letter should be drafted in advance, taking into account all data sources, data and IT custodians/owners and their responsibilities. In addition, acknowledgement forms from legal-hold letter recipients that demonstrate an acceptance of their responsibilities and completed tasks for preservation within the stated scope should be drafted in advance.
There is an important question on when the duty to preserve attaches. The U.S. federal procedural rules do not address this directly, but the Sedona Conference legal holds Guideline 1 states that: “Reasonable anticipation of litigation arises when an organization is on notice of a credible threat it will become involved in litigation or anticipates taking action to initiate litigation.” In Zubulake IV, the court stated the typical starting point is when a party knows or should know it is relevant to imminent or ongoing litigation. Courts have had to fashion their own interpretations, which are usually fact specific, of when they should have known. In a recent case involving an Asian corporation, a Taiwan company’s duty to preserve was started long before (six years) the actual notice was received, as the court viewed the fact that there was other litigation involving the same patents belonging to the plaintiff as putting the company on notice to preserve relevant evidence. As such, corporations need to proactively review any available information on possible litigation and then implement timely legal holds as appropriate. And companies can create in advance the process and triggers for releasing a legal hold when it becomes appropriate to do so.
Finally, it is important to analyze the inventory data regarding the records retention/destruction timeframes, policies, and procedures, and ensure that they are in compliance with applicable rules. Under U.S. federal procedural rules, there is a safe harbor from being sanctioned for destroying ESI if the destruction happens as part of a “routine, good faith operation.” The Sedona Conference legal holds Guidelines 2 and 3 state that: “reasonableness and good faith” are demonstrated by a records-retention policy and by reporting potential threats of litigation. So it is critical that corporations begin and maintain these programs long before any legal action is initiated so that they become routine. To remain in good faith, these destruction operations must stop when the corporation is aware of litigation.
Collection
This phase occurs when preserved information that is not relevant or is inaccessible can first be filtered out, where appropriate search terms, date ranges, and file types are determined and data is collected under valid chain-of-custody and authenticity protocols. Again, this cannot be performed in advance, but the processes to do so can be derived proactively. Processes that detail who collects what ESI using which tools to what media types, plus the appropriate chain-of-custody and authenticity protocols, can all be determined in advance. Collection is the phase when the transition from in-sourcing to outsourcing should start, because if any of the collection is done improperly (e.g. altering metadata, losing chain of custody), it may make the ESI evidence inadmissible. Outsourcing is especially valid when forensic collection is required (e.g. deleted/hidden files), if sensitive information is involved, when there are staffing or skill shortages or project management needs, and if there are large volumes, short timelines or internal biases within the corporation. The division between in-sourcing versus outsourcing during the Collection phase should be determined in advance.
When performing collection, data protection laws and contractual confidentiality commitments come into play. Safeguarding the personal information of employees is required under a number of Asia/Pacific statutes. For example, Japan’s Personal Information Protection Law requires that corporations holding information on more than 5,000 persons obtain those persons’ consent before transferring their personal information to a third party unless an opt-out mechanism is provided. Australia’s federal Privacy Act requires anyone transferring data to a third party to ensure that the third party reasonably complies with the Act’s privacy principles. Hong Kong’s Personal Data (Privacy) Ordinance also has a requirement that the third party recipient is acting under similar privacy provisions. Most Asia/Pacific countries have or will shortly have some statutory data privacy protections. It is also important to verify that all contractual confidentiality commitments have a provision that allows for an exception in case of litigation demands.
Asia-Pacific e-discovery laws
Corporations doing business in multiple countries will need to understand local and foreign e-discovery rules. In Asia, local e-discovery rules are beginning to emerge in 2009. Under Australia’s Practice Note 17, parties are encouraged to agree upon the scope and timetables for discovery and strategies for preservation, reasonable searches (including not reasonably accessible information), and the management of ESI and the related document-management protocols. Singapore’s Practice Direction No. 3 is amended to include discovery and inspection of electronically stored documents, computer databases, and electronic media or recording devices. Parties are encouraged to agree on discovery protocols and utilize reasonable searches. Provisions also cover metadata, forensic discovery, and factors to consider if needing to order discovery. Hong Kong’s Practice Direction 5.2 tells parties to exchange documents without having to prepare lists of documents. Because parties can now litigate commercial contract disputes in Hong Kong and enforce those judgments in China, this may open China, itself, to these procedural rules.
Asia-Pacific parent corporations do business in an increasingly litigious, multi-jurisdictional business environment, with overlapping litigation, regulatory and various compliance data requirements. To be able to respond to all of these competing demands for information, corporations must first proactively undertake to implement best-practice information-governance procedures. This will allow them to respond both promptly and accurately to requests for this information from plaintiffs, government agencies, and auditors. Based upon this common foundation of information governance, procedures specific to each external source of demand can be implemented, such as those to deal with litigation in the various forums in which they do business. For litigation, firms can follow the general steps outlined above to start to set a high-level direction and then can enlist the proper expertise to help them through this multi-disciplinary process. This includes technically adroit attorneys, IT expertise, information custodians, and external resources, including vendors whose software can enable a number of the EDRM phases and discovery consultants who can shape the many processes needed. Finally, Asian corporations can and should take advantage of the “quiet” pre-litigation time to designate executive leadership for e-discovery, appoint cross-functional teams representing all stakeholders, prepare needed processes, tools, and project management techniques and then perform the walkthroughs and tests to be ready to respond to data discovery requests from the all-too-likely litigation.
Thomas J. Shaw, Esq., is an attorney, CPA, CIPP, CISM, ERMP, CFF, CISA, CITP and CGEIT based in Tokyo, Japan, who works with corporations across Asia to develop their legal, e-discovery, information security, data privacy, compliance, and information governance policies and procedures to assess, prepare for, and respond to litigation and technology risk. He can be reached on the Web at www.tshawlaw.com.