When it comes to e-discovery, the proactive approach will always trump the reactive. Taking steps in advance to know an enterprise's storage units and what types of electronic data they contain ultimately will save a company time and money when an e-discovery request arises.
In fact, there is even a legal requirement to do this under the amended Federal Rules of Civil Procedure, which says companies must have the ability to rapidly disclose where potential relevant information exists and what actions they are taking to preserve it.
But despite the obvious benefits and the legal mandate, most companies have yet to embark on mapping out their data. Instead their legal departments rely on an ad hoc system, resulting in a mad dash to find responsive information after receiving a litigation notice.
Because these reactive processes aren't tested, they pose huge risks to companies that don't have a grasp on precisely where all their potentially responsive data lies. Creating a data map minimizes those risks.
"People put off [data mapping] because they have bigger fires nipping at their heels, but it is something you need to do," says Brad Harris, director at Fios Inc., an e-discovery consultancy. "It is costly and very risky if you don't. However, it is fairly onerous to take on."
Data maps can take many forms, from complex two-dimensional charts to simple spreadsheets. The map's format will depend on the needs of the company and the legal department's resources. For example, software can assist in-house counsel with creating graphical data maps; however, this method can prove costly. Software such as Microsoft Excel or Access is a reliable and cheaper alternative.
Regardless of the map's format, it is crucial that the company captures all the necessary data regarding the enterprise's content. This begins with coordinating with IT to know the company's storage units. These include servers, back-up tapes, laptops and mobile storage devices, including smartphones.
"Most companies' IT departments have mapped this information as a means to manage storage," says Moshe Mosbacher, director of IT at AdamsGrayson Corp., a legal consultancy. "These maps don't have legal requirements in mind, so they aren't very useful to legal, other than to serve as the starting point for creating a data map."
To be useful, data maps should capture what type of data lives where. For example, the map should show which repositories contain customer information, financial information and information regarding IP. This way in-house counsel can pinpoint data for a case and act fast to institute a legal hold.
In case there are questions regarding a repository, the data map should also contain the contact information for both the business and IT personnel with knowledge of the repository. The business contact, such as a HR manager who inputs information into PeopleSoft, will know the content of the repository, while the IT representative will know where this content is stored, such as which server contains PeopleSoft information.
Although legal can capture the majority of information in a data map through joint efforts with IT, some crucial information must be gathered with the help of records management.
"Talk with records management and review any policies or procedures that exist with respect to document retention, including e-mails," says Christine Franklin, senior counsel at Neal Gerber Eisenberg. "Ask about your company's back-up and disaster recovery policies."
This information is crucial to the data map because it can help in-house counsel determine the accessibility of certain information. According to the amended Federal Rules, if information is not reasonably accessible, the producing party can argue against producing it or argue that the requesting party should bear some of the production costs.
"Once you know what is accessible, you can do some sample searches to get an idea of what it would cost to collect and review different types of information," Franklin says. "If you can take that information into court, especially if it shows producing certain information may be too expensive, then you can use it for some strategic maneuvering."
Even after all this information is collected, the data map is still not complete. As long as an organization is creating and destroying data, gaining and losing employees, and purchasing and recycling equipment, a data map will remain in constant flux. It is the job of the legal department to keep the data map up to date, along with support from IT and records management.
To keep the data map active, IT must inform both records management and legal of any changes to the company's storage assets. If new servers are brought on board, older servers are replaced or information is relegated to new repositories, IT should track this information and ensure it is reflected on the data map. "IT needs to understand that changes to the enterprise's IT infrastructure may have a potential impact on legal," Harris says.
Conversely, legal must communicate to IT any new types of litigation or matters that come up so that the two departments can discuss how they may impact the data map. Records management should be part of these conversations to ensure that data retention and destruction policies are enforced accordingly.
As e-discovery requests become more frequent and courts continue to hold companies accountable for complying with the Federal Rules, data maps will become a necessary component of litigation readiness.
"Although there's no reason you couldn't collect data for a discovery request on the fly every time, it would take a super amount of resources in the heat of a crisis," Harris says. "That's
a whole lot of wasted effort for something you could create a repeatable process around."