Open Records and FOIA – Pushing Government Technology into the 21st Century

At a recent conference for compliance and IT professionals working in the state government sector, it quickly became evident that one of their main concerns was the tremendous increase in the number of open records requests that they have to deal with. Both the federal and state governments pay much lip service to the theory of transparency, but few have made the necessary changes to properly deal with the onslaught of requests that appear almost daily. In Wisconsin, Governor Scott Walker’s administration has already produced 60,586 pages of open records in response to 222 requests in 13 months. Compare that to 312 requests filled during the previous governor’s first 4 years[1]. It’s not just Wisconsin that is dealing with an explosion of open records and FOIA requests. The U.S. Department of Defense received 67,434 in 2009 compared to 74,573 in 2010, and the National Archives and Records Administration received 14,075 in 2008 compared to 18,129 in 2011[2]. Most government entities handle open records requests the same way they handle eDiscovery for litigation: manually and on an ad hoc basis. Unfortunately for government agencies, the turnaround for a response is much quicker than for litigation. Federal agencies have a statutory requirement to respond to requests within 20 business days[3]. State agencies have time limits ranging from 10-30 days or within “a reasonable time.” For this reason, IT departments are struggling to keep up and there is a substantial backlog at most agencies.


2011 eDiscovery Year End Wrap-up

It has certainly been a banner year in eDiscovery.  Judge Scheindlin kicked things off with a bang with her decision in National Day Laborer Organizing Network v. U.S. Immigration and Customs Enf. Agency[1], that the federal government must include metadata in Freedom of Information Act (FOIA) products because certain key metadata fields are an integral part of public records.  This ruling struck fear into every government agency and would have created the need for massive changes to the way they kept and produced records.  However, Judge Scheindlin withdrew the opinion in June explaining that, “as subsequent submissions have shown, that decision was not based on a full and developed record.”  She further stated that “[b]y withdrawing the [previous] decision, it is the intent of this Court that the decision shall have no precedential value in this lawsuit or any other lawsuit.”  I guess we are left to draw our own conclusions from that statement.

2011 also saw the rise in importance of machine-based classification and coding. This was emphasized by the keynote speech given by Judge Andrew Peck at the Carmel Valley eDiscovery Retreat in July.

New FRCP Amendments – Clarification or Adding Confusion

The preservation of electronically stored information (ESI) is one of the biggest sources of confusion in eDiscovery.  This area of eDiscovery has been governed almost entirely by common law, as the Federal Rules of Civil Procedure (FRCP) do not explicitly address the many questions inherent in the duty to preserve, such as trigger, scope, duration, etc.  It has also been argued that the FRCP gives insufficient guidance regarding the imposition of sanctions for violations of this duty.  That’s why, just a short five years since the last one, there has been a push by many in the legal community to amend the FRCP.

Consider this complex and ambiguous definition of the duty to preserve from the Supreme Court of Texas:

A party must preserve “what it knows, or reasonably should know is relevant in the action, is reasonably calculated to lead to the discovery of admissible evidence, is reasonably likely to be requested during discovery, [or] is the subject of pending discovery sanctions.” Trevino v. Ortega, 969 S.W.2d 950 (Tex. 1998).

During the federal rulemaking process, the Advisory Committee on Civil Rules holds …

Legal Speaks Latin. IT Speaks Geek. Reducing Risk and Cost through the Common Language of eDiscovery

Following the theme of our flip book “The Technologists guide to eDiscovery Law” and “The Lawyers guide to eDiscovery Technology”, EMC’s CLE Luncheon in Chicago last Thursday aimed to bridge the gap between the two camps of IT and Legal. It has been almost five years since the FRCP was amended, and there still appears to be a disconnect. One of the biggest gripes by IT is that they are told what to do with no explanation as to why. Legal, in turn, has the perception that IT is not interested and that there is no need to explain the reasoning behind its requests.

The interaction at the luncheon was eye-opening to those who held those beliefs. It quickly became obvious by their presence and their questions that IT professionals are very interested in the workings of an eDiscovery matter and want to know how they can best help. If they know the reasons why certain data is being requested, they can be of great assistance in making sure the preservation and collection is done not only to the letter of the law but also according to its spirit. This benefits Legal (and the organization as a whole) in a number …

Forensic Imaging – eDiscovery Overkill?

This week I had the pleasure of working with Brian Babineau from Enterprise Strategy Group on an EMC-sponsored webinar on In-House eDiscovery ROI. During the Q&A session, an attendee asked:

“We use in-house forensic imaging tools to preserve and collect data and send it out to our outside counsel to review. Why should we move to an in-house eDiscovery solution when this system seems to work well for us?”

I want to explore that concept a little more here because I suspect many corporations are relying solely on these tools to do eDiscovery in order to avoid taking a more focused approach that may have more upfront costs.

If you have an eDiscovery process that in your opinion works, then you should …

International eGRC: It’s a Small World After All

Mexico City, Mexico – Looking at the packed house today during EMC’s eGRC marketing presentation, I realized that concern about governance and risk as it pertains to electronic data is truly global. The same number of head nods occurred during the parts of the speech pertaining to organizations’ tendency to keep everything forever, the push and pull between IT and the business and legal units, and lack of transparency into their data. I also spoke to a number of attendees afterwards. Interestingly, some told me that, at least in Mexico, there is a reluctance to move to the cloud, because corporations are uncomfortable with another entity being able to access and possibly look at their private data. They prefer that their data remain under their exclusive control. Not surprisingly, there is less of a concern around the risks of eDiscovery (for now mostly a US phenomenon) and more interest around file intelligence and remediation as well as business continuity, disaster recovery and security management. Also, as with the US, many of the organizations in Mexico are preparing to move off of 2003 and 2007 systems and up to the latest 2010 versions to take advantage of feature updates. There was great interest in making these migrations easier by leaving behind older content for deletion or moving it to an archive where it can be managed under centralized policies and easily searched if necessary. All in all, EMC’s eGRC message combining the benefits of information governance with business continuity management and security management, all on a common RSA Archer Management Platform, seemed well received.

Four Seasons

Heidi Maher, Alfredo Taborga Fernandez, Charles King (speakers)

Interested in attending an eGRC Seminar?  Register in a city near you!

Money, Greed, Bribery & Corruption: the Cost of International Business???

International Business and the Foreign Corrupt Practices Act (FCPA)

In 2009, prosecutors delivered on their promise to vigorously pursue individuals and corporations who violated the Foreign Corrupt Practices Act (FCPA). Thirty-three individuals and eleven organizations were named in enforcement actions brought by the DOJ or SEC. This year promises more of the same. The current number of indictments has quadrupled compared to 2008, and fines and settlements since 2009 have exceeded $2 Billion. Not only do these enforcement activities frequently result in substantial fines and penalties, but prison time for some individuals is becoming more common. Additionally, investigations sometimes trigger follow-on civil lawsuits. Indeed, many of the most prominent recent FCPA investigations have been followed by shareholders’ derivative lawsuits. The most recent example can be found here: http://www.courthousenews.com/2010/06/07/27856.htm

Any company that engages in international business should pay careful attention to the minefield that FCPA can create. By having protocols for compliance and rapid collection of both physical and electronic evidence, a corporation can vastly decrease its costs of responding as well as its risk of multimillion-dollar fines and a public relations nightmare.

So what is the FCPA?  Essentially it is a federal law prohibiting bribes to foreign government officials. To ensure compliance, it requires public companies (and subsidiaries) to:

  • maintain accurate books and records in reasonable detail, accurately and fairly reflecting the transactions and disposition of its assets, and
  • devise and maintain a system of internal accounting controls sufficient to provide assurances that assets and transactions are accounted for.

When the SEC or DOJ begins an investigation or criminal conduct is suspected, the company should immediately take the following steps to conduct its own internal investigation. This is not optional!

  1. Determine the scope of the investigation – the SEC and DOJ will consider this in determining whether the investigation was effective
  2. Secure all evidence: physical, paper and electronic
  3. Collect evidence
  4. Conduct on-site employee interviews
  5. Review evidence
  6. Determine whether to do a voluntary disclosure if a violation is detected

Electronic evidence is critical in FCPA investigations as most evidence of bribery is found in email and other electronic documents. Given its international nature, electronic evidence will likely be widespread, spanning multiple custodians, repositories, and countries. Email servers, laptops, mobile phones, thumb drives and other types of data could all contain evidence and will all have to be secured and collected no matter the format or language. This can be a herculean effort as most companies facing an investigation ultimately end up securing terabytes of information. As another hurdle to the process, if any of this data is located in a country with data privacy laws, those laws will also have to be navigated when conducting a search and collection. Additionally, if any wrongdoing is suspected, live data search alone may not be enough and a forensic search for deleted data is required.

So what is a company to do to reduce its risk of violations? There are several guidelines that have come forth from past cases:

  1. Develop clear FCPA policies and programs and communicate those policies through regular training and with acknowledgement by employees and agents
  2. Enforce those policies through reporting and discipline
  3. Develop FCPA procedures to help prevent violations:
     • through due diligence and oversight of relationships and anti-bribery provisions in contracts with third parties
     • have controls in place for accurate maintenance of books and records
  4. Bring in an independent compliance monitor
  5. Conduct regular audits to monitor effective implementation of the policies and programs
  6. When in doubt, request a statement of the Justice Department’s present enforcement intention under the anti-bribery provisions of the FCPA regarding any proposed business conduct.

No action can completely shield a company that does business overseas from an SEC or DOJ FCPA investigation, but by taking a proactive approach to compliance and discovery, it can greatly lessen the sting when it inevitably happens.