The Preservation Phase
Preservation, the third stage of the discovery process, is where IT has a major role in protecting potentially relevant information from being destroyed. Companies must keep information not just when litigation's begun, but also when there's a reasonable expectation of legal action. For example, if a company fires an employee and things turn acrimonious, the legal department may issue a preservation notice for that employee's e-mail, HR records, and work files in anticipation of a lawsuit.
In these cases, IT must be able to shut down the machinery of automated deletion. So if the company's document management system purges files after a certain time period, exceptions must be made for data associated with a discovery effort. The same may apply to policies for overwriting backup tapes. Attorneys also rely on IT to put safeguards in place to prevent people from deleting any data that's potentially relevant to a discovery effort from PCs, shared files, and removable media.
IT has two options for preserving data. The first is to copy and move data to a secure repository. The upside to this approach is that IT and legal can be confident that data will be there when it's needed. But it's time-consuming and expensive, and it can be wasteful since many times the data won't ever be subject to legal review or required by the court.
The second option is to preserve data in place, changing user or administrator permissions to prevent people from opening, writing to, or copying the data. Many archives and document management systems let IT place legal holds on information.
Preservation, whether through moving data or keeping it in place, requires IT and legal to work together because large volumes of information may end up on legal hold for months or even years, which will affect storage demands.
The final phase that requires IT involvement is collection. Here, relevant data is gathered and delivered to inside or outside attorneys (sometimes both), who review and analyze it. Based on that analysis, counsel may expand the search, coming back to IT with new names of employees whose data could be relevant to the case, as well as new search terms and date ranges.
Collection must be conducted in a way that preserves the data's integrity, including metadata such as information on when a file was last opened or changed. Where possible, collected information is also expected to be available to counsel in its native file format.
At Blue Cross Blue Shield of South Carolina, D'Agostino collects data himself, operating the discovery software used at the company. Verizon's Singh helps craft requirements and track down locations where relevant data may reside, but the company's security department does the collecting. Verizon chose this approach because its security team is experienced in collecting digital evidence for forensic investigations and knows how best to protect metadata and maintain data's chain of custody.
At Webcor, Davis runs sensitive searches himself. For nonsensitive ones, two trained IT administrators use an e-discovery module that sits on top of the company's e-mail archive. They use terms and date ranges provided by the legal counsel's office to conduct searches. The system is set up so that the administrators don't get to see the results; only the company's attorneys have that access.