General counsel might already have the technology they need, without buying specialized software, to preserve documents for discovery without risking too much data in the event of a breach, but it will be far from a perfect solution, legal process specialists say.
When you combine legal departments’ growing reliance on cloud platforms and other third-party data partners with the rise of remote work, you get a massive headache when it comes to creating a reasonable legal hold process.
Just knowing where all the data is and who needs to be designated a custodian can be a challenge when you have employees using Slack and other cloud-based tools that sit outside your internal servers, Geoffrey Klingsporn, senior assistant city attorney for the city and county of Denver, said in an Exterro webcast.
There might be a temptation to have a legal hold policy that tries to capture as much data as possible so you can protect your organization against challenges that it failed to implement a reasonable process for meeting discovery needs, said Matt McCartney, a senior manager at Ernst & Young.
But if you do that, you risk exposing too much data in the event of a data breach, which each year grows more frequent in organizations of all sizes and more states clamp down with laws penalizing bad data management practices.
“The most defensible [position you can take] is to preserve everything, but how defensible is that position when data gets breached?” said McCartney.
From a privacy and security standpoint, it makes sense to have an organization-wide policy to delete as much data as possible on a regular basis but that can leave you exposed to sanctions from a legal hold standpoint.
Given the challenge general counsel often face getting dedicated money for legal tech tools that can automate the process, it makes sense to build relationships with IT to maximize the tools the organization already has.
The Microsoft 365 suite is a good example of a common set of tools that can go a long way in helping in-house teams meet legal hold needs, although it will also leave big gaps in what you can do.
“Get a sense of what these legal hold tools do and try to replicate that as best you can with what you have,” said Klingsporn. “You can make that master list of custodians, whether in a spreadsheet or a mailing list in Outlook, and you can make the boilerplate email that contains what it needs. Then you can train a couple of people to send out and track who hasn’t responded using scheduled emails and automated reminders.”
Often, the legal team won’t have the same licenses as the IT team, so they won’t necessarily know about or know how to use all of the tools in, say, Microsoft 365 that could be deployed for legal holds.
“The Microsoft 365 environment has a lot of hold tools built in, from the backend, so by getting a good relationship with your Microsoft 365 team, you can convince them to give you or some attorneys and staff the right access controls,” said Klingsporn. “You can do a lot from the backend to preserve and hold but also search and export, so there are probably tools you already have that you’re not using.”
Even if you maximize a widely used set of tools like that, there’s functionality of specialized software that you won’t be able to duplicate. In-place preservation is a good example.
With that functionality, all of the data you need is identified and stored where it resides, so you don’t need to make and store a copy of it in a dedicated place, a process that often results in multiple copies getting generated and stored, adding to privacy and security risks.
“If you decide to preserve the data via collection and not just in-place, you’re creating a number of copies,” said McCartney. “You have a preservation copy and probably make a backup of that copy.”
Then if you’re using a third-party vendor, there could be multiple copies on that side. “Now you have seven copies of data that you have to manage,” McCartney said. “My point of view is, do as much as you can in-place.”
One of the advantages of a specialized tool like Exterro is it preserves in-place, eliminating the need for collecting and managing multiple copies, said Mike Hamilton, senior managing director at Exterro.
If you get pushback from the executive team on dedicating resources for specialized legal hold technology, you can point to what happens if you get hit by a court for not having a reasonable preservation process in place.
In Torgensen v. Siemens, for example, a 2021 case, one of the parties got hit with harsh adverse inference sanctions because data in a Facebook account that should have been preserved was deleted. In another case, Doubleline Capital v. Odebrecht Finance, one of the parties was hit with spoliation sanctions, and in Mahboob v. Educational Credit Management, there was a call for spoliation sanctions after one of the parties failed to suspend the automatic deletion of call recordings.
“I use horror stories like these internally … when I’m trying to stress the importance of preservation and the breadth of what [needs to be] saved, “ said Klingsporn, “But also in the other direction – upstairs, so to speak – [there’s] the need to convince the executive level to either make technology purchases or upgrades and prioritize the processes you need…. It’s good to have these in your back pocket if someone questions [why this is important].”