Compliance, legal and IT departments have good reason to be alarmed when a subpoena, regulatory request, or internal investigation triggers an e-discovery process. The answers to questions about possible criminal or other illegal activity are hidden in a mountain of institutional data, say panelists and attendees at a recent Legalweek event hosted in New York by parent company ALM, an information and intelligence firm.
The task of uncovering the facts is time-consuming and costly. “Financial firms will have to produce and analyze data stored in a multitude of applications — anything from a cell phone all the way to a relational database,” says George Socha, managing director for global consultancy BDO Consulting in New York. “It can be structured or unstructured.”
It is the growth of unstructured data that causes the most concern among specialists in e-discovery, the legally-required multi-step data collection and evaluation. “The higher volume of business interactions taking place through emails, text messages and smart phone applications makes it far more difficult for financial firms to handle the e-discovery process,” says Socha. Finding what is needed could be even harder than looking for the proverbial needle in a haystack, because it involves deconstructing narrative text.
Mistakes can be expensive. “Inefficiency in e-discovery can multiply the costs of litigation or of responding to a government investigation. Even worse, non-compliance can result in judicial sanctions, regulatory fines, or other remedies that can jeopardize the entire outcome of the litigation or investigation,” explains David Cohen, a partner in charge of the global e-discovery practice at Reed Smith.
Lawmakers and regulators on both sides of the Atlantic are also prompting some changes to how e-discovery is handled. Recent amendments to the US Federal Rules of Civil Procedure are potentially reducing the workload for financial firms required to produce e-discovery results in federal cases in the US. “Requests for information are now required to be proportionate, which means that those requesting the data should limit the request to what is reasonable and necessary,” explains Cohen.
However, European regulators could be making it tougher for financial firms to produce data needed for US-based legal proceedings. According to Cohen, increased enforcement of privacy laws in Europe, including the new General Data Protection Regulation (GDPR) effective in May 2018, hampers the ability of financial firms to retrieve personal data stored in European locations. Personal data includes a name, photo, e-mail address, bank details, posts on social networking websites and a computer’s IP address.
The new GDPR harmonizes data protections laws across the European Union and extends the scope to foreign companies. “Financial service firms that have employees, customers or partners in the European Union need to prepare now for GDPR,” cautions Will Wilkinson, a consultant in London for Basel-headquartered Yerra Solutions, a consulting and managed services firm specializing in e-discovery. “Preparation needs to include an evaluation of e-discovery technology and procedures because of new liabilities related to knowing what data is available, being able to access it, transfer it and delete it within a month upon request.”
The fine for violating the new stricter EU data privacy law can be substantial — the greater of E20 million or 4 percent of the offending firm’s global annual revenues for the preceding financial year. Therefore, Cohen urges financial firms to consult the Sedona Conference website for guidance on handling e-discovery in international civil litigation, and seek advice from international legal counsel before accessing or transporting any data from Europe that includes personal information. “GDPR will impact virtually every corner of an organization. The legal and compliance teams should drive preparations with the help of IT, marketing, finance, human resources and any other department that gathers or stores personal data,” recommends Wilkinson.
Given all the challenges, what’s a financial firm to do when it comes to e-discovery? Based on interviews with panelists and attendees at the recent Legalweek event, FinOps Report has come up with the following practical list of five do’s and don’ts.
1 — Do Safeguard Data Correctly
The first step of an effective e-discovery program is a preventative one. For starters, financial firms must comply with a sea of requirements of which data they must store, for how long and in what form.”Ideally, the data will be available and retained properly in its original format without any corruption,” says Richard Dilgren, vice president of data science for e-discovery services provider FRONTEO in San Francisco. That data retention has to include all devices on which information is stored regardless of whether it is an internal database or elsewhere.
Next up: data retrieval. “Financial firms must also know exactly where each set of data is stored, how it has been stored as well as who has access to it,” says Dilgren. Dedicated data managers will likely only have tracked whether structured data related to specific transactions is located in front, middle or back-office applications. When it come to unstructured data, only traders might be aware of whether any conversations relevant to specific transactions were conducted through off-site resources such as mobile devices.
“At the core of a successful e-discovery process is a successful information governance program,” says Wilkinson. “A financial firm can’t afford to have any process gaps which would create a regulatory or legal headache.” Not knowing where data is located, who collected it and whether the files are contaminated will create a red flag.” A financial firm can’t possibly prove it is innocent of any wrongdoing if its data is indefensible.
Presuming the data’s whereabouts are known, deleting or altering data when asked to produce it is the worst idea possible. A regulatory agency or judge presiding over a lawsuit won’t take kindly to finding out that someone at a firm has decided to “accidentally” hit a delete button or tried to add data elements when the e-discovery process has been triggered. “Following the legal hold requirement is one of the most critical elements to proving the e-discovery process has been fulfilled correctly,” explains Dilgren. “A judge could rule that the data destruction was intentional leaving the defendant in a far weaker position and potentially causing it to lose the case.”
2 — Don’t Dump Data
Just gathering and dumping every possible source and data element into the process isn’t necessarily the best approach. More than 50 percent of the costs related to e-discovery can be attributed to data analysis. A financial firm might think that it can just ask its external counsel to review all the data it finds to satisfy a particular request. A no-brainer, right? Wrong. “That attitude presumes the law firm has the necessary data mining and analytical technology to track down the exact elements of data,” cautions Seyi Verma, senior product manager at Druva. a Sunnyvale, CA-headquartered firm specializing in data storage and retrieval. Some law firms may have the data mining technology, but others might just rely on old fashion manpower to read tens of thousands, if not millions of pages.
The more time it takes e-discovery data reviewers to uncover the relevant data, the higher the expense for the already bewildered financial firm. “There are plenty of data mining, metadata analysis and predictive coding tools now available to do cost-effective filtering,” asserts Verma. “It’s all a matter of using the right ones.” Using such applications can reduce the number of data reviewers required from several dozen to only a handful.
3 — Don’t Presume IT Knows Everything
E-discovery isn’t all about technology. Automation can only go so far. “The biggest mistake financial firms can make is presuming that IT specialists understand everything about record retention, data governance, chain of custody and legal strategy,” warns Michael Prounis, managing director of e-discovery and litigation data analytics for AlixPartners in New York. “They need to have the right information governance, workflow management, and IT applications in place.”
Prounis recommends that the e-discovery process be handled by a combination of internal and external compliance, legal and IT professionals. AlixPartners, Yerra Solutions, BDO, and Reed Smith are among a cottage industry of consultants and law firms helping financial firms design cost-effective e-discovery programs.
Regardless of whether a financial firm decides to place the ultimate responsibility for e-discovery compliance under either its IT or legal department, it should still rely on a dedicated e-discovery team, cautions Socha. The criteria for the best e-discovery experts have far less to do with education and far more to do with training, experience and personality. Because there are few formal programs for e-discovery training, most learning takes place on the job.
“The best IT specialists can fail at e-discovery. So can the most experienced attorneys,” says Socha. The likely reason: they view e-discovery as strictly a technical or compliance exercise. “The optimal e-discovery practicioners are inquisitive and passionate about digging deep into mountains of data to find the kernel of truth,” he advises.
4– Do Avoid Unnecessary Costs
Receiving a request for information doesn’t mean throwing caution to the wind. Financial firms need to understand the expense of storing, retrieving and analyzing data. Doing comparative shopping isn’t shameful. Evaluating the costs of licensing different third-party applications and services with the results they generate can go a long way to reducing unnecessary expenses.
So can regularly deleting obsolete data that has no value for business or compliance requirements. “The more data there is to go through the more expensive e-discovery will be,” explains Cohen.
Storing unnecessary data can also be legally hazardous. Once a firm faces litigation or an investigation, it is obligated to preserve existing data. Any private, cynical or sarcastic comment an employee ever made in quickly drafted e-mails may be used to embarrass the entire firm. All retained information is also subject to computer hacking.
Relying on cloud-based applications to collect, manage, transfer and review data can cut down the time it takes to complete the e-discovery process and minimize the potential for improper data destruction, suggests Verma. Such applications, offered by Druva, can even help legal teams gain a competitive advantage over opposing counsel because they allow firms to find and analyze data at the very beginning of case assessments or before they are officially served with demands for information.
5 — Do Plan Ahead
Financial firms should take a lesson from their experiences with cybersecurity. They are just as susceptible to a request triggering the e-discovery process as they are a data breach. If a firm hasn’t figured out how to store its data correctly, doesn’t know where it resides, doesn’t know how to retrieve it, or doesn’t know how to analyze it before it faces an e-discovery process, it’s in big trouble. “If you know that you are in a litigious industry, you need to be prepared,” says Verma.
Copyright: sangoiri / 123RF Stock Photo
Leave a Comment
You must be logged in to post a comment.