Information Management – Theory and Reality

July 30, 2011

I do not accept any of the evidence of the Respondents.  It is self serving and exculpatory. If it has been accurate and true, it would have been supported by documentation,’[1] said His Honour Judge Simon Brown QC in last year’s decision in Wetton v Ahmed, which was recently upheld by the Court of Appeal.[2] The comment highlights the importance of contemporaneous documentary evidence – both its existence and its production.

Whilst Wetton v Ahmed may have been a case where the documents in question never existed, there are many cases where the documentation does exist but cannot be found or where the documentation did exist but no satisfactory explanation for not finding it can be offered.  Having information within the corporate filing cabinets is one thing.  Finding it is another.  Likewise knowing where it is to be found is one thing. Retrieving it is another. Even where a document has been found and retrieved, there is the further challenge of deriving meaning from it.

The courts, the ever-increasing number of regulators and more and more state agencies have powers to compel data to be produced, usually within challenging time-scales.  Add to this the powers of foreign regulators and law enforcement agencies, and the range of circumstances in which production of information can be compelled for legal purposes is almost overwhelming.

The Electronic Discovery Reference Model (EDRM)[3] charts the end-to-end process for producing information for legal proceedings. However, it views the information management phase of the process as distinct from the production phase. The management part is to the left and the production part to the right.  In our view, the extent to which the management is properly addressed, the production part is made easier.  To do this successfully involves eliding management with production and viewing one as an integral part of the other.  Experts have begun to recognise this and the right is now moving to the left, so to speak. In effect, information management and e-disclosure are one and the same.

Whilst 8 out of the 9 stages charted by the EDRM cover ‘post-incident’ tasks – the things you have to do to react adequately to a need to produce evidence –  an ability to react at all means getting things properly organised at the pre-incident stage. This means thinking about production when tackling storage.

Both the storage of information and the ability to produce it demand the ability to locate and retrieve the information.  In practice finding and retrieving information is not necessarily straightforward and is rarely just an automated activity.

Storage and Archiving

Some organisations implement document management systems or archive solutions to store data effectively so as to comply with information retention policies.  When implementing such a system, it is important to consider the methods of mass retrieval of the information should there be an incident which results in the need to analyse it quickly. If insufficient consideration is given to the variety of contexts in which retrieval for legal purposes is required, the solution will only be a partial one.  As we have already argued, storage and retrieval are different sides of the same coin.

Having a document management policy governing what information should be created, stored and deleted is a good place to start.  But in practice policies are not implemented properly or fully enforced.  For example, it is common to encounter problems such as data stored on back-up tapes which are not labelled, making it time-consuming to catalogue them.  Some archive systems remove attachments from e-mails and store them separately, making it difficult to reassemble the originals and read them outside of the archive system.

Sometimes, e-mails are restored only to find out that they are mere ‘stubs’ – empty mail items showing metadata but no content, pointing to an archive system which is perhaps no longer available.

As organisations create increasing amounts of information and storage methods are always evolving, difficulties often arise in retrieval for legal purposes because the period over which the data has to be examined is often a number of years. The actual number of years of retrieval may in practice be defined more by what data has been stored than by the period over which the relevant legal enquiry extends. This means that in any one case you are likely to encounter a variety of different types of data, sources of information, and methods of storage.  It is not that long ago that data was stored on a 3.25 inch floppy disk. Today it is rare for anyone to even have a disk drive.

Head in the Clouds

The problem is further exacerbated with the trend towards outsourcing of IT systems and cloud computing. So when you ask, ‘where is the data?’ you could well find out that it is on a server somewhere in, say, Argentina, or worse, the answer might be ‘we do not know.’

Corporations are also increasingly giving up their suite of office software products run on internal infrastructure and opting for services like Google Docs, which allows online document creation, modification and storage.  According to Google, more than three million businesses run Google Aps.[4] It might be a cheap and efficient way to work but it is important to consider the obstacles that may impede an attempt to search and collect potential evidence. It is essential when entering into an agreement with a cloud storage provider, that the contract covers the ability to export the data en masse and quickly when required.  Information governance managers must consult those involved in compliance with legal production demands in order to ensure that their job is done fully.

Best Practice

In the meantime, there are a number of techniques that work well to ensure that retrieval can be done effectively.

The best way to figure out where the information is, and how best to go about collecting it, is to have a round-table meeting between:

·        the lawyer advising on the production obligation (who understands the context in which the search and retrieval has to take place, the deadlines and who will be thinking about how the retrieved information will be viewed as evidence of relevant events),

·        staff or managers involved in the underlying commercial project or event which is the subject of the production demand (who understand what kind of information was being created at the time and how it was stored at the time),

·        internal IT (who know about the IT infrastructure), and

·        a legal technology consultant with experience of the forensic context who can assist in ‘translating’ the IT jargon into a meaningful language accessible to the whole team.

Organisational data mapping can help keep track of where the information might be stored. Probing and challenging the initial response is important. It is not unusual to hear upon first request, ‘we no longer have that information,’ after which a bit of digging and questioning reveals the existence of a basement archive full of printed documents, or a box of back-up tapes that everyone has forgotten about.

It is also important to interview individual custodians of data. People have their own ways of managing information and it is not uncommon to discover a pile of floppy disks, CDs, DVDs or other media on an office shelf which contains data that, according to the document retention policy, would have been long deleted if stored centrally.

First Steps

The first step after any production obligation arises or an incident occurs which is going to be the subject of a legal investigation should be to preserve potentially relevant information. Whether or not there is a formal preservation obligation, early preservation of potentially relevant documents will ensure they still exist if and when you go looking for them. Some simple steps can be taken to preserve documentation from deletion:

·        stop automatic deletion of old e-mails if in force, and increase mailbox limits for custodians

·        take back-up tapes with potentially relevant information out of circulation so that they are not overwritten

·        take sound copies of existing data to stop deliberate or inadvertent deletion – the forensic process of imaging is the most thorough.

Conclusion

Effective information management is effective risk management.  Any adverse inference or costs sanction due to an inability to produce evidence is clearly best avoided, so carefully thinking about how potential evidence is stored and can be retrieved is paramount.  If the information storage and retrieval elements of an organisation’s risk profile are addressed with legal production in mind, the process of e-disclosure will be far less daunting.

Daniel Kavan is an Electronic Evidence Consultant at Kroll Ontrack.

Mark Surguy is a Partner at Eversheds.



[1] Re Mumtaz Properties Ltd; Wetton (as liquidator of Mumtaz Properties Ltd) v Ahmed and others, 3 August 2010 at [63].

[2] [2011] EWCA Civ 610.

[3] http://www.edrm.net/

[4] http://www.google.com/apps/intl/en-GB/customers/index.html