ICPLICPL Institute for Institute for Computer Policy & LawComputer Policy & Law

H. David LambertVice President for Information Services and Chief Information OfficerGeorgetown University

e-Discovery: Early Lessons From the Trenches

July 25, 2007 Twelfth Institute for Computer Policy & Law 2

ICPLICPL

Lesson # 1Lesson # 1Lesson # 1Lesson # 1

Yes...this is for real. The acid test:

“…you may want to talk to our E-Discovery practice...”

E-Discovery: the Arthur Andersen/Enron Prize for

Unfunded Mandates

‘Surviving’ e-discovery requires extensive collaboration between IT and Counsel’s offices.

July 25, 2007 Twelfth Institute for Computer Policy & Law 3

ICPLICPL

Lesson #2Lesson #2Lesson #2Lesson #2 There is no such thing as a

‘departmental’ application any longer. The balance of ‘institutional interest’

has changed forever. Central IT was never funded to

support this radical shift brought about by: E-Discovery Privacy Security Business Continuity

July 25, 2007 Twelfth Institute for Computer Policy & Law 4

ICPLICPL

The changing balance The changing balance of institutional of institutional

interestinterest

The changing balance The changing balance of institutional of institutional

interestinterest

EnterpriseSystems

DepartmentalSystems

Security

Privacy

Business continuity

E-Discovery

Digitalization

Availability

New business requirements

EnterpriseSystems

DepartmentalSystems

July 25, 2007 Twelfth Institute for Computer Policy & Law 5

ICPLICPL

Lesson # 3Lesson # 3Lesson # 3Lesson # 3

E-Discovery impacts every layer and component of university technical architecture and infrastructure

There is no longer such a thing as back-up; only archive

Enterprise architectures and production services often don’t extend to:

Departmental servers Desktops Departmental and personal back-up systems PDAs

Yet that information is equally subject to discovery

July 25, 2007 Twelfth Institute for Computer Policy & Law 6

ICPLICPL

Lesson # 4Lesson # 4Lesson # 4Lesson # 4

Compliance with a request or subpoena implies a level of access to desktop and personal resources that are not consistent with our organizational and operational structures.

July 25, 2007 Twelfth Institute for Computer Policy & Law 7

ICPLICPL

Lesson # 5Lesson # 5Lesson # 5Lesson # 5

Based on our experience so-far, the e-discovery requests have been comprehensive and specific.

E-mail Calendars Files shares (institutional and

personal) Phone records (cell and office) Voice mail Academic records

July 25, 2007 Twelfth Institute for Computer Policy & Law 8

ICPLICPL

Lesson # 6Lesson # 6Lesson # 6Lesson # 6

E-discovery drives up the cost of litigation to the university at a very early stage (often at pre-litigation).

Examples: Replacing back up tapes Acquiring systems to back up

departmental and personal environments Time burned by technical staff and counsel

Including the requirement for supplemental external resources

... and this is at the ‘preservation’ stage

July 25, 2007 Twelfth Institute for Computer Policy & Law 9

ICPLICPL

Lesson # 7Lesson # 7Lesson # 7Lesson # 7

Responding to preservation requests puts enormous burdens on technical staff who are critical to other on-going operations and functions.

Security staff Desktop support Systems administrators Counsel

July 25, 2007 Twelfth Institute for Computer Policy & Law 10

ICPLICPL

Lesson #8Lesson #8Lesson #8Lesson #8

The logistics associated with assuring the preservation process is completed in a timely and effective manner is complex and requires sophisticated controls.

Uniform procedures for collecting and cataloging data.

‘Accountable’ procedures for assuring the preserved data is actually preserved.

Procedures to assure users that the privacy of their data will be respected.

Privacy has been a particularly sensitive issue.

July 25, 2007 Twelfth Institute for Computer Policy & Law 11

ICPLICPL

Lesson # 9Lesson # 9Lesson # 9Lesson # 9

Processing discovery requests raises warranted concerns on the part of involved faculty and staff about privacy…

It makes our security staff appear to be the ‘bad guys’, since they are the ones who show up to do the work.

Procedures have been developed to protect ‘preserved’ data that we hope will make sense to the Faculty Senate.

July 25, 2007 Twelfth Institute for Computer Policy & Law 12

ICPLICPL

Lesson # 10Lesson # 10Lesson # 10Lesson # 10

The individuals involved in the discovery request are nearly always the most politically powerful within the institution.

Executive leadershipDeansFaculty members

July 25, 2007 Twelfth Institute for Computer Policy & Law 13

ICPLICPL

Lesson # 11Lesson # 11Lesson # 11Lesson # 11

There will be many more lessons when we move into the information discovery phase(s).