Q: What challenges do the new e-discovery rules, effective as of Dec. 1, 2006, pose for banks?
Barry Murphy, Forrester Research: The challenges are really the same for all organizations, whether a bank or a consulting company or a biotech firm. The only difference is that banks are under more government regulation (e.g., SEC) than some other industries and often do discovery specifically for regulatory requests.
The Federal Rules of Civil Procedure (FRCP) amendments really affect organizations in three ways. First, they require a framework for early attention. Organizations not ready to address issues when litigation or regulatory requests hit will immediately be behind. Second, they give a safe harbor for data destruction, meaning there are no penalties for deleting electronically stored information in keeping with routine operation of IT systems if the party took reasonable steps to preserve it. However, this means that organizations must have granular retention policies in place, and technology to enforce those policies and audit the enforcement as well.
Finally, there is the requirement for native file production. Organizations must be able to produce electronically stored information in its native format with its metadata intact and prove a valid chain of custody. Again, this spotlights the need for technology to manage the full life cycle of information.
John Mancini, AIIM: The new rules have complex implications for all organizations, including banks. Companies need to know what electronic information they are storing and where it is. They need policies in place governing the management of electronic information, they need to follow those policies and they need to be able to prove compliance. The it's-too-hard-to-produce argument won't stand up anymore. These sound simple and basic on the surface. But according to AIIM surveys, the environment in most firms is barely controlled chaos.
Cliff Shnier, Aon Consulting: First, these are amendments to the Federal Rules of Civil Procedure and are therefore only applicable to matters in the federal courts. While all state courts will amend their respective rules in ways that are similar (some have done so already), this process is not yet complete. Second, for the most part these amendments codify, clarify and resolve the case law on electronic discovery that has developed over the last 10 to 15 years. The effect of amending the rules nationwide is to remove all doubt about whether or not electronically stored information is discoverable.
Examples of such rules are: the requirement for an early meet-and-confer [Rule 26(f)], the issue of electronic data that is not reasonably accessible [Rule 26(b)(2)(B)] and forms of production of electronic data to the other side [Rule 34(b)], and Rule 45 third-party subpoenas, which are particularly relevant to banks. Banks differ from other companies because they have to consider both their own risks when sued directly and their procedures that must be followed when subpoenaed as a third party, which happens frequently given the nature of banking.
Q: Are banks' systems prepared to deal with the new e-discovery rules?
Murphy, Forrester Research: In my experience, banks are only ready for specific discovery requests, like those relating to SEC Rule 17a-4. To comply with that rule, many banks have deployed e-mail archiving systems. However, they have done so only for one set of workers — brokers. Discovery truly applies to all employees and to all kinds of content, not just e-mail. The large banks I've spoken with have yet to connect records management with e-discovery, which says to me that they are definitely not ready to deal with the amended rules proactively.
Mancini, AIIM: In general, banks and other organizations with pre-existing requirements related to electronic information are probably in better shape than most to deal with the new electronic discovery requirements. They already have some experience with managing electronic information in a structured fashion.
Michael Sears, Mathon Systems: Banks, like most large institutions today, lack the fine-grain policies and the enforcement tools necessary to stay ahead of the wave of documents and e-mail. I say "fine grain" to mean those policies that closely consider the content, originator, receiver and time/date of the communication. All of those factors should be considered in creating a records- and message-retention policy. Most organizations decide en masse to maintain all documents for five years and then delete no matter what as a policy. That's not going to work for a court that is trying to facilitate a good-faith search for a needle in a haystack. You must have a detailed policy and then the mechanism to enforce.
Q: What kinds of technology solutions and functionality do banks need to deploy to assure that they can comply with the e-discovery rules?
Murphy, Forrester Research: E-discovery issues will eventually be managed within a larger enterprise retention-management context that will include records management, compliance, message and file system archiving, and storage. In the short term, however, there will be room for point solutions to help deal with the fact that most of the necessary information within a discovery request is not well-managed today. The new rules are explicit about being able to put litigation holds on content, which both records management and e-mail archiving products currently provide.
Mancini, AIIM: Again, the expectation for structure, process and documentation of electronically stored information sounds simple. The volume and variety of documents, spreadsheets, images, sound files, e-mails and instant messages that surround most business processes in organizations, including banks, cry out for a comprehensive strategy and framework. But creating a strategy and beginning to move toward a structured set of processes is a key indicator that a company takes these requirements seriously.
Sears, Mathon Systems: The most important solution is one that tags a document with at least time, sender, receiver and subject matter information every time a document is accessed, saved and sent. This is a hard problem, as tagging can be time-consuming and burdensome. If a solution interrupts the established workflow of the user, the solution will not be used and you'll end up not capturing the benefits that you set out to create.
Q: Are there potential benefits to banks from investing in e-discovery compliance initiatives?
Murphy, Forrester Research: Certainly there is the benefit of cost avoidance. Better management of information proactively leads to lower costs during discovery by minimizing the amount of collection and processing that has to occur. There is also the risk mitigation factor, which many financial services firms measure very closely. More insight and responsiveness could be an ancillary benefit, but most e-discovery technology deployments are not focused on that. To gain these benefits, banks will need granular retention policies that their legal teams can live with (and businesspeople can respect) and technology in place to automatically manage and enforce those policies.
Mancini, AIIM: In general, any effort to get unstructured information under control pays dividends beyond that of simply avoiding legal risk. The single biggest bottleneck most organizations have in getting their processes under control is the mass of unmanaged information that surrounds, engulfs and strangles these processes. Organizations typically report significant process improvements resulting from getting their electronic information under control.
Shnier, Aon Consulting: In general, yes. However, the investment can take a variety of different forms and can occur at any one of several stages along the discovery continuum. This can start with an upfront audit of a company's records-retention policies and general litigation preparedness prior to any actual litigation. Moving along to the point where a company is on notice of a potential claim, the investment can take the form of early consultation with experts with a view on preserving and collecting the potentially relevant data, in a forensically sound manner.
Moving further along, the investment will take the form of deciding and implementing the best methods to reduce the collected volumes of potentially relevant data down to the volumes of actually relevant data, through the use of sophisticated and defensible search strategies. This will be followed by well-organized and streamlined review of the data that remains.
Moving even further ahead, the investment will take the form of determining the manner in which the data are to be produced to the other side, and the form in which the data coming in from the other side is desired. Expertise and technology are available at each step of the way to mitigate the costs that might otherwise be incurred overall in the electronic discovery process, as well as to increase the likelihood of a favorable outcome in the litigation.
Sears, Mathon Systems: The new rules can be seen as another rationale for IT to upgrade its assets. As court decisions have very clearly shown, the court has a level of expectation in document delivery that will not tolerate that old the-computer-ate-the-e-mail excuse. And with the investment made, companies can enhance their abilities, not only with e-discovery actions, but with the ability to track documents for regulatory and security needs, and to optimize the hard capital assets — servers, storage devices, networks, etc. — that companies currently have. These new solutions can give you a much better idea of what documents you hold, and from that, you can better decide when and how to increase or decrease your physical plant.