Data in a Crisis – Manage Your Risk

April 15, 2013

Information has become the most compelling weapon in the world. Individuals and companies depend on it. Data is everywhere, in every form, created by everyone on every medium and its volume is increasing on a daily basis. Routinely maintaining, preserving and storing data poses serious risks which ought to be continuously assessed, monitored and planned for. This also helps if a sudden crisis occurs (eg litigation or an investigation) as the outcome may depend on the nature, extent and content of the data discovered. 

Understand your data, implement efficient policies, procedures and controls

Individuals and companies, no matter what their profile, location and sectors, need more than ever to know where their data is (location and who can access and control it), in what format and on which medium. They need to have policies, procedures, controls and safeguards in place (including regarding their communications with third parties, eg suppliers, and their customers’ and employees’ data) to keep dealing with their data effectively so that only what is necessary is created, adequately preserved and stored. These core elements need to be tested, enforced and supported appropriately. Management of information also needs to be embedded in business processes. Numerous articles exist on these topics and on the related costs and risks (eg fraud, theft, data security breach, industrial espionage, system failure or corruption, data loss, data becoming unreadable etc). 

From internal document retention policies to document destruction policies

Some large companies, who have realised that it can cost more and be more risky to maintain, preserve and archive all data rather than deleting it on an on-going basis, have already started to move from internal document retention policies to document destruction policies. These types of policies generally contain some guidelines regarding the on-going creation and destruction of data and some schedules detailing the types of data to be preserved, for how long and for which purpose. Companies also need to have clear internal policies/procedures regarding back-up tapes, the storage/archiving of data and what happens in case of litigation or an investigation. 

Obligation to preserve all potentially relevant data when a dispute or investigation occurs

In common law countries, once litigation proceedings or an investigation is in contemplation, the parties have an obligation to ensure that potentially relevant data, no matter whether it supports or affects adversely their case and no matter whether it is in hard-copy format or stored electronically, is preserved and not altered or destroyed (eg either maliciously or accidentally due to back-up tape issues). Severe sanctions (including financial penalties) may otherwise be imposed by courts or authorities. Failure to preserve can also seriously affect an individual’s or company’s credibility. 

Importance of understanding IT systems and technical issues: the need for early scoping and data assessment

The importance of understanding IT systems on which potentially relevant data may have been stored and what may be possible on the technical/legal fronts regarding the imagining/mapping, collection, review and transfer of the data has significantly increased not only for individuals and companies but also for authorities, lawyers and the courts. For example, in litigation, since 1 April 2012, parties need to complete, at least 14 days before the case management conference, a disclosure report regarding potentially relevant data which may exist, its custodians and location, how it is stored and the estimated costs of dealing with it. They also need to discuss this with the other side. An Electronic Documents Questionnaire may also be completed further to their proportionate/reasonable search for evidence. Early scoping of the electronically stored evidence (particularly if entities use cloud-based technologies with data residing outside their IT systems and in different jurisdictions) will therefore be crucial. 

Potential colossal volume of data and escalating costs

During an investigation, authorities will move fast once they have identified where the systems and potentially relevant data are. They can access not only hard-copy documents no matter where they are located but also electronically stored information (eg data stored on computers/laptops, hard drives, all types of phones, databases, back-up tapes, existing/deleted e-mails, calendar, notebooks and other files, portable data storage media such as memory sticks/DVDs/CDs, social networking sites, handheld devices, VOIP devices, web-based applications, video, off-site storage etc). 

The sources and volume of data which may be potentially relevant to litigation and/or investigation may therefore be huge as would be the costs required for its identification/preservation, collection and review. There are now however litigation rules governing the scope of the search for and management of the evidence which are aimed at reducing/managing the parties’ related costs from an early stage. 

Be prepared for a crisis: the importance of effective information management to limit the damage

Companies need to be prepared, have sufficiently trained their employees and have a response plan and budget in place so that, when the crisis occurs, no time and cost are wasted, the scope of the litigation/investigation can be limited and the strength/weaknesses can be assessed more rapidly for advice/decision-making purposes. The costs, disruption and headaches associated with a crisis and the damage which may result (including on a reputational level) may be much more significant than the initial budget spent for the on-going management of the increasing data and risks. 

‘Effective information management is therefore not merely required for defensive purpose but has positive and strategic benefits for companies who can readily (and cheaply) identify the documents which may matter in a crisis, whether it is a litigation or an investigation’

Chris Dale, author and founder of the E-Disclosure Information Project.

The first few steps taken in response to a sudden crisis may be crucial. Lessons must also be learnt from previous mistakes. Having efficient protocols in place may make all the difference. Having mapped the data and systems, implemented, tested and enforced all of these procedures and controls may also demonstrate to the courts and/or authorities that the company takes accountability and controls seriously and that it is committed to its overall corporate governance and compliance. 

Increasing use of technology providers

Companies and individuals now tend to rely more heavily on technology providers for their data management, storing/archiving and risk assessment. These specialists can also assist with the data imaging/mapping, identification, collection, review and collation which may be required for a litigation or investigation. Whilst this trend initially started in the US because of the ‘e-discovery’ process and is now standard in the UK with the important ‘e-disclosure’ and cost management rules, it has recently started to develop in civil law jurisdictions (eg France) despite the blocking statutes and other conflicting legislations existing there (eg data protection, privacy and employment laws, rules on legal professional privilege etc) and the fact that their disclosure process is narrower (there is no obligation to ‘put all the cards on the table’). 

Searching for evidence in a cross-border context

Searching for and accessing potentially relevant evidence is tricky, particularly if a company has thousands of employees in numerous subsidiaries located in several jurisdictions. During a cross-border investigation, authorities will be prepared to raid several subsidiaries in search for potentially relevant data. Companies therefore need to understand, manage and control their data and related risks in these jurisdictions and ensure that internal policies and procedures implemented locally are easily accessible so that, in the case of a sudden crisis, an appropriate response can be carefully coordinated. 

Companies dealing with cross-border litigations and/or investigations need to bear in mind that there may also be national and international legal provisions governing the access of data (eg in civil law jurisdictions like France, ‘e-disclosure/discovery’ requests are likely to be ignored or rejected and data created by employees may be not accessed without their consent) and its transfer whether it is for collection, review or disclosure. In such cases, it is therefore essential that, from the outset, internal legal teams carefully project manage and adequately document the steps taken in the search for and preservation of the potentially relevant evidence and that it involves internal IT teams, external lawyers from relevant jurisdictions (because of the cultural and legal differences) and some external technology providers and that these professionals all work together. 

Whilst risks can never be totally eliminated, taking some of the above steps may help reduce, mitigate and manage risks and thus limit the potential financial and/or reputational damage if a crisis suddenly occurs. 

Caroline Jan is a lawyer at Kingsley Napley LLP, specialising in commercial litigation and fraud investigations. She advises individuals and companies operating in various sectors and jurisdictions, including matters with criminal/civil implications: