Information has become the most compelling weapon in the world. Individuals and companies depend on it. Data is everywhere, in every form, created by everyone on every medium and its volume is increasing on a daily basis. Routinely maintaining, preserving and storing data poses serious risks which ought to be continuously assessed, monitored and planned for. This also helps if a sudden crisis occurs (e.g. a litigation or investigation) as its outcome may depend on the nature, extent and content of the data discovered.
Understand your data, implement efficient policies, procedures and controls
Individuals/companies, no matter their profile, location and sectors, need more than ever to know where their data is (location, who can access and control it), in what format and on which medium. They need to have policies, procedures, controls and safeguards in place (including regarding their communications with third parties e.g. suppliers or their customers’ and employees’ data) to keep dealing with their data effectively so that only what is necessary is created, adequately preserved and stored. These core elements need to be tested, enforced and supported appropriately. Management of information also needs to be embedded in business processes. Numerous articles exist on these topics and on the related costs and risks (e.g. fraud, theft, data security breach, industrial espionage, system failure or corruption, data loss, data becoming unreadable etc).
From internal document retention policies to document destruction policies
Some large companies, who have realised that it can cost more and be more risky to maintain, preserve and archive all data rather than deleting it on an on-going basis, have already started to move from internal document retention policies to document destruction policies. These types of policies generally contain some guidelines regarding the on-going creation and destruction of data and some schedules detailing the types of data to be preserved, for how long and for which purpose. Companies also need to have clear internal policies/procedures regarding back-up tapes, the storage/archiving of data and what happens in case of a litigation or investigation.
Obligation to preserve all potentially relevant data when a dispute or investigation occurs
In common law countries, once a litigation or investigation is in contemplation, the parties have an obligation to ensure that potentially relevant data, no matter whether it supports or affects adversely their case and no matter whether it is in hard copy format or stored electronically, is preserved and not altered or destroyed (e.g. either maliciously or accidentally due to back-up tape issues). Severe sanctions (including financial penalties) may otherwise be imposed by Courts or authorities. It can also seriously affect an individual or company’s credibility.
Importance of understanding IT systems and technical issues: the need for early scoping and data assessment
The importance of understanding IT systems on which potentially relevant data may have been stored and what may be possible on the technical/legal fronts regarding the imagining/mapping, collection review and transfer of the data has significantly increased not only for individuals, companies but also for authorities, lawyers and Courts (e.g. in litigation, since 1/04/13, parties need to complete, at least 14 days before the Case Management Conference, a Disclosure Report regarding potentially relevant data which may exist, its custodians and location, how it is stored and the estimated costs of dealing with it. They also need to discuss this with the other side. An Electronic Documents Questionnaire may also be completed further to their proportionate/reasonable search for evidence). Early scoping of the electronically stored evidence (particularly if entities use cloud-based technologies with data residing outside their IT systems and in different jurisdictions) will therefore be crucial.
Potential colossal volume of data and escalating costs
During an investigation, authorities will move fast once they have identified where the systems and potentially relevant data are. They can access not only hard copy documents no matter where they are located but also electronically stored information (e.g. data stored on computers/laptops, hard drives, all types of phones, databases, back-up tapes, existing/deleted emails, calendar, notebooks and other files, portable data storage media such as memory sticks/DVDs/CDs, social networking sites, handheld devices, VOIP devices, web-based applications, video, off-site storage etc).
The sources and volume of data which may be potentially relevant to a litigation and/or investigation may therefore be huge as would be the costs required for its identification/preservation, collection and review. There are now however litigation rules governing the scope of the search for and management of the evidence which are aimed at reducing/managing the parties’ related costs from an early stage.
Be prepared for a crisis: the importance of effective information management to limit the damage
Companies need to be prepared, have sufficiently trained their employees and have a response plan and budget in place so that, when the crisis occurs, no time and cost are wasted, the scope of the litigation/investigation can be limited and the strength/weaknesses can be assessed more rapidly for advice/decision-making purpose. The costs, disruption and headaches associated with a crisis and the damage which may result (including on a reputational level) may be much more significant than the initial budget spent for the on-going management of the increasing data and risks.
“Effective information management is therefore not merely required for defensive purpose but has positive and strategic benefits for companies who can readily (and cheaply) identify the documents which may matter in a crisis, whether it is a litigation or an investigation”
Chris Dale, author and founder of the E-Disclosure Information Project.
The first few steps taken in response to a sudden crisis may be crucial. Lessons must also be learnt from previous mistakes. Having efficient protocols in place may make all the difference. Having mapped the data and systems, implemented, tested and enforced all of these procedures and controls may also demonstrate to the Courts and/or authorities that the company takes accountability and controls seriously and that it is committed to its overall corporate governance and compliance.
Increasing use of technology providers
Companies and individuals now tend to rely more heavily on technology providers for their data management, storing/archiving and risk assessment. These specialists can also assist with the data imaging/mapping, identification, collection, review and collation which may be required for a litigation or investigation. Whilst this trend initially started in the US because of the “e-discovery” process and is now standard in the UK with the important “e-disclosure” and cost management rules, it has recently started to develop in civil law jurisdictions (e.g. France) despite the blocking statutes and other conflicting legislations existing there (e.g. data protection, privacy and employment laws, rules on legal professional privilege etc) and the fact that their disclosure process is narrower (there is no obligation to “put all the cards on the table”).
Searching for evidence in a cross-border context
Searching for and accessing potentially relevant evidence is tricky, particularly if a company has thousands of employees in numerous subsidiaries located in several jurisdictions. Authorities, during a cross-border investigation, will be prepared to raid several subsidiaries in search for potentially relevant data. Companies therefore need to understand, manage and control their data and related risks in these jurisdictions and ensure that internal policies and procedures implemented locally are easily accessible so that, in a case of a sudden crisis, an appropriate response can be carefully coordinated.
Companies dealing with cross-border litigations and/or investigations need to bear in mind that there may also be national and international legal provisions governing the access of data (e.g. in civil law jurisdictions e.g. France, “e-disclosure/discovery” requests are likely to be ignored or rejected and data created by employees may be not accessed without their consent) and its transfer whether it is for collection, review or disclosure. In such cases, it is therefore essential that, from the outset, internal legal teams carefully project manage and adequately document the steps taken in the search for and preservation of the potentially relevant evidence and that it involves internal IT teams, external lawyers from relevant jurisdictions (because of the cultural and legal differences) and some external technology providers and that these professionals all work together.
Whilst risks can never be totally eliminated, taking some of the above steps may help reduce, mitigate and manage risks and thus limit the potential financial and/or reputational damage if a crisis suddenly occurs.