Corporate IT executives need to create internal task forces today to deal with what can be an expensive threat - litigation, Black Hat attendees were told.
These permanent teams should include themselves, key business executives and the company's lawyers, and be ready to find and turn over data - all of it - that suing parties require. Otherwise their businesses face potentially astronomical fines, says John Benson, an e-discovery consultant with the law firm Stinson Morrison Hecker.
Failure to produce all the data it had in a 2005 court case resulted in a US$1 billion-plus jury award against Morgan Stanley, a decision later overturned but still representing a cautionary tale, Benson told Black Hat attendees in a briefing called "When lawyers attack: Dealing with the new rules of electronic discovery."
Part of the problem is that there are few new rules because the law hasn't caught up with technology yet. Courts in regions of the country are feeling their way along and gradually setting precedents, but that is a process that can take decades. "There is very little case law and few analogies to be made with existing discovery case law," he says.
For instance, if a company agrees to turn over Excel spreadsheets, are they required to turn over the formulas used to generate data in the cells? "Is the formula in Excel data or data about data?" Benson says.
Litigation-response teams need to form as soon as possible to be prepared before lawsuits hit, because in some states businesses have just 99 days to negotiate exactly what data they will turn over for the other side to examine and "99 days in the legal world is a nanosecond," Benson says.
The teams should take basic steps:
- Establish standard policies for retaining and destroying corporate data and set up a mechanism for the policies to be followed.
- The teams should map exactly what data the corporation has and where it is stored. Lawyers for Qualcomm got in trouble that jeopardized their careers for failing to come up with 200,000 documents relevant to a patent case with Broadcom until after the trial was over.
- Meet whenever litigation hits to implement planned responses to the type of suit being filed. Data required in response to a sexual-harassment suit by an employee is vastly different from that required for a mass-tort suit, Benson says.
- Find a vendor that can process the data and get it into a form attorneys can view. This can include printing out relevant data, putting it in a standard digital format or producing it in native from, for instance.
- Train employees in how data should be handled to streamline the data-gathering process. For instance, storing work documents centrally and referencing them with URLs in e-mails rather than attaching them reduces space required for storing the e-mails and the volume of data to be turned over during e-discovery, Benson says. "There are deduplication technologies, but they shouldn't be relied on," he says.
Setting up response teams is key because if communications break down internally and data isn't produced, it causes problems down the road.
While the situation is improving, many attorneys are unfamiliar with corporate IT and unaware of where to look for data. They might, for example, ask just the relevant workers in a lawsuit to produce documents when it would be more comprehensive to involve IT staff that know what data exists and where it is, Benson says.
"Businesses need to find attorneys that understand technology well. It's pretty rare today, but that will change over time," says Benson, who is an attorney and an IT professional.