Most IT managers would prefer to think about technology and about helping technology serve the business. Too bad that the real world has distractions. Your organization is already in the courts, it will be, it is working to stay out of them, or some combination thereof.
You don’t need to be an information specialist to be aware that going to court is generally awful. To be the defendant is worse. Involvement in criminal cases is widely regarded as traumatic as losing a limb or a close relative.
What happens in the courtroom is like the visible part of an iceberg. While dramatic, it's far smaller than what is underwater. In corporate trials, much of what's most important happens at “discovery.” Discovery is a term of art; it's an out-of-the-courtroom process that delivers information — documents — from one party to another.
Discovery is fiendishly expensive, especially for the unprepared. Tiny differences in operations that seem trivial to other-than-lawyers can have enormous consequences in the light of discovery.
Neither you nor I is a lawyer, so we're not in a position to prepare for, execute, or establish policy about discovery. We do know data, though, and we belong on the team making decisions for the organization. Learn a little of the pertinent language, and you'll be far more effective in communicating with your legal experts.
The Centrality of Discovery
As an information technologist, you recognize that any organization must answer such essential security questions as “What's the password on our wireless access point?” and “How are backups of our SCCS (source-code control system) organized?” Legal matters are similar: At a bare minimum, someone needs to think about:
- When an end-user deletes an e-mail message, is it really gone, or is there a temporary copy that lasts for a while, or is it actually eternally available with the right access?
- Who decides which employees can edit or change the public website?
- If an employee has an idea at work, but only writes about it on her own equipment, after hours, is the idea her property, or the company's?
We're not going to answer such questions today. You need to see, though, that the best answers come when you team up with lawyers to discover them.
Discovery as Unifying Perspective
You might be involved in answering a wide range of legal questions: the guilt of a cracker, whether a former employee was treated fairly, how a particular patent award applies to your employer's products, or who said what to whom during a mandated "quiet period."
Whatever the question, though, an early phase of its litigation involves exchange between the parties regarding specified relevant information and records. Lawyers might call on you to deliver "all messages" qualified in a certain way. This is gravely serious. However distant it appears from your real end-users, or confused the language is from an engineering perspective, you must respond to these demands. If records aren't available, say so. If you regularly held video chats with a customer, but didn't record the sessions, simply report those facts.
Recognize, also, that you're likely to see more of these requests over time. Every time there's an innovation in social media, for example, there's a corresponding potential for legal involvement. Courts might expect you to "deploy an archiving solution to capture and retain social media content, especially for highly-regulated industries like finance and health care." While you might be operating under policies developed when "message" largely meant "e-mail," now SMS, Twitter, Wikis, SharePoint, and potentially dozens of other channels have the potential to be pertinent.
Other technical shifts also threaten the applicability of your policies. Use of tablets and other handhelds is exploding, of course; what kind of control do you have over those data? Only a small minority of tablet owners back up their data, let alone encrypt or otherwise protect them at rest. What does that mean for your archiving and compliance?
For useful legal perspective, read at least part of Managing Discovery of Electronic Information: a Pocket Guide for Judges, from the Federal Judicial Center. Think how the concepts there apply to you. How would you retrieve all the e-mail ever received by one specific employee? Do you have a way to do so? Have you defined policies that lead to those results, or are you just hacking your own systems to get what you're after? Does "delivery" of the source code for a Web page mean that it's printed on paper? In a .ASP or .php file? Rendered as PDF? Which of these alternatives should your organization prefer?
There are many technical matters related to discovery that are your professional obligation to raise, because they are unknown or opaque to legal counsel. Suppose you're called on to deliver a webpage, for example. Someone needs to decide whether that's the rendered form, or HTML source, with all the distractions the latter might have in comments and procedural scripting.
A similar question: Should DOC files include all history and revisions as they happen to appear in a particular instance? Is it permissible to "print" them to PDF? Desirable? How much does it cost you in time to print 35,000 Word documents as PDF? Does PDF/A, in any of its forms, fit your organization's requirements for archiving?
Make these matters explicit with your lawyers. Different courts operate under slightly different rules. Do not assume that you know how to apply something you saw or learned in the past. It can also happen that rules change through time, just as, say, the definition of HTML has evolved over the last 20 years.
Rules of e-discovery were notoriously in the news just last summer, for example, during an action of Oracle America. v. Google. This particular decision seemed at the time to raise a "key wrinkle in some archiving systems" that perhaps bears even on the order in which different fields were entered during composition.
The ultimate consequence of this specific decision now appears likely to be smaller than originally appeared. The conclusion of Richi Jennings' article above, though, certainly stands: "IT people should ... discuss the issue with their legal counsel." Not just that: IT people should, as much as they can, work with legal counsel before any litigation to establish policies and practices that protect their employers and themselves.
My special thanks to Groklaw and to Richard L. Santalesa of Info Law Group; both contributed crucially to this article.
See also:
