Printer Friendly

To map or not to map: strategies for classifying sources of ESI: while data maps are primarily an electronic discovery tool used to help organizations mitigate their legal risks and costs, they can also help them better meet business objectives.


When traveling through an unfamiliar area, a map can be the key to finding the right path. Without maps, we work from instinct or through guesswork. The stakes are too high when responding to an electronic discovery request to rely on the ability to "figure it out." The purpose of a data map is to help an organization make informed discovery decisions in a consistent manner so similar facts and allegations lead to similar responses.

The interest in data maps is driven by the proliferation of electronic documents, increased regulatory reporting requirements, and the December 2006 adoption of the revised Federal Rules of Civil Procedure (FRCP). Numerous electronic discovery vendors, consultants, and law firms have since extolled the virtues of electronically stored information (ESI) maps as tools that support compliance with disclosure requirements under FRCP Rule 26 and as tools that can dramatically reduce cost and risk.

Two years after the promulgation of the revised rules, organizations have successfully responded to discovery demands with and without relying on ESI maps, begging the question: In an economic climate in which organizations are deferring and canceling IT projects, is there good reason to develop an ESI map?

Benefits of Data Maps

One strong argument in its favor is that an effective ESI map enables an organization to address top general counsel (GC) priorities identified in a 2008 GC Roundtable Survey:

* Understand the universe of potentially responsive ESI

* Effectively manage the ESI preservation and collection processes

* Minimize disruption to business and revenue-generating employees

* Reduce the cost of electronic discovery


There are several other arguments for creating an ESI map:

Cost Containment

Cost containment is the most appealing rationale, but it has the weakest business case. There are potential hard-dollar savings through reduced document review costs that result from more-targeted collections of ESI, but these are speculative savings.

Reduced Legal Risks

A better argument for ESI maps is that, if well designed, they will increase an organization's ability to manage preservation and collection effectively, reducing legal risks and addressing several of the above priorities.

* Improving the understanding of the organization's sources of potentially relevant ESI

* Reducing disruption to revenue-generating employees by reducing necessary consultations when responding to discovery obligations

* Enhancing risk mitigation for the organization as discovery needs increase because the ESI map and associated processes will enable greater consistency in discovery responses and disclosures

* Identifying orphaned data--data no longer associated with an owner or with the system that created it--that is not required for litigation, regulatory, business, and/or institutional memory purposes

IP Protection

While efforts by organizations to identify and manage ESI are driven primarily by electronic discovery risks, some organizations are recognizing that business objectives to better protect intellectual property, trade secrets, and private information may be supported by this process. Techniques similar to ESI mapping can help organizations better understand where sensitive information is stored on their networks so procedures can be implemented to protect it. These additional benefits notwithstanding, ESI maps remain primarily an electronic discovery tool, intended to improve risk mitigation.

Asset Tracking

IT can use the data maps to supplement their asset-tracking systems. Since the backup methodology is documented for high-risk systems, IT and legal can determine if any changes should be made to the backup protocol to mitigate potential risks to the organization.

Legal can also use these data maps to understand pockets of orphan data that may exist. Orphan data can be online or offline, but it may contain potentially responsive data. An example would be laptops or desktops taken out of use, but not yet wiped and reassigned to new employees or returned to a vendor at the end of a lease.

Adequate, Timely Disclosure

The adoption of the revised FRCP put many litigators and general counsel on notice that they did not have sufficient knowledge of their organization's sources of ESI. This lack of knowledge makes it difficult to complete timely and adequate disclosures, as required under Rule 26, but also makes it difficult to identify and preserve potentially responsive data effectively.

An additional, little-considered effect of insufficient knowledge of ESI is that an organization is in a weaker position to argue that reviewing and producing data from certain sources is unduly burdensome. Without knowledge of technical issues, such as restoration, duplication or near-duplication, volume, reliability of inventories or catalogs, determining whether the costs of discovery are proportional to a matter is next to impossible.

FRCP Rule 26(f) establishes a 99-day timeline for the meet-and-confer phase of litigation, in which parties to the lawsuit will establish a plan for the preservation and production of electronic evidence. If an organization does not know where its ESI is stored and how it can effectively preserve or collect certain types of data, it risks discovery costs that are inconsistent with the value of the litigation, missed discovery deadlines, and even penalties for failure to comply with its discovery obligations.

High discovery costs can influence settlement decisions and negotiations and may distort the outcome of the case. And, of course, courts have imposed sanctions on organizations that failed to produce requested documents according to the required timetable or that appeared to be withholding discoverable documents either deliberately or because of inadequate record management practices.

The inability to find and produce responsive data is cause for concern for most organizations. A recent example involved a global telecommunications company under SEC subpoena. The company had data maps in place that covered the majority of the key systems (e.g., PCs, e-mail servers, network shares). Following company guidelines, they collected data from each system, conducted a responsive and privilege review, and ultimately produced items to the SEC.

Part of the collection involved a project team server located in California. Unbeknownst to internal and external counsel, the project team, not company IT, created weekly backups of the server. Furthermore, the backups were created and saved going back a year. Because only the project team was aware of their existence, the backups were consequently never collected and searched for responsive data.

A year later, a member of the project team was leaving the company and while turning in his firm-issued laptop, he mentioned he also had backups of the California project team server on a USB hard drive. Lucky for the company, their employee exit procedures caught this before the data was lost, but they were forced to make an embarrassing supplemental production to the SEC long after the subpoena's stated deadline.

Improved Documentation

There are several issues at play in the above example, but one key lesson is about the danger of the lack of documentation related to the backup procedures for engagement team servers. The company clearly made an effort to document the system, but in this case it did not go to the appropriate level of detail to fully understand backup procedures. After learning from this example, the company updated its data maps to include interviewing the project teams working from the project servers to check for rogue backups. It has since made plans to incorporate project team servers into IT's disaster recovery plan and to eliminate the need for the project team to also be administrators.

Data maps help overcome these challenges. They also can help with broader corporate initiatives aimed at increasing the effectiveness of information management processes. Having a data map allows organizations to prepare quickly for the meet-and-confer and other discovery conferences or to produce documentation for regulatory reporting.

Data maps are an effective means to translate complex technical information, data storage architectures, and the evolution of an organization's IT systems into plain language that adversaries and courts can understand. It also enables an organization to classify ESI as active or not active, which can help when making decisions to review and produce ESI since inactive data does not necessarily need to be produced.

Creating data maps encourages organizations to review the way they manage records, how they store them, and how they apply retention policies. Drawing attention to records retention and disposition increases the organization's knowledge of its current practices, helping to make responses to regulatory or legal inquiries more accurate and complete.

How to Create a Data Map

It is easy to see why having a data map is valuable, but what exactly is a data map and how is one created? A data map can be a flow chart or spreadsheet that graphically represents sources of information. It may include reports or lists that define different tiers or categories of systems--from relevant to not very relevant--and identify ease of access--from online data that is easily accessible to offline data that may be difficult or time-consuming to access.

Identify Which ESI Sources to Map

Keep in mind it may not be practical to map all sources of ESI. Global organizations may have literally thousands of potential sources under the jurisdiction of separate IT and business functions. Online sources actively used by business units may be relatively easier to investigate and document than offline or inactive sources, but even these should be prioritized based upon the likelihood of the information being relevant to litigation or an investigation.

The absence of a reliable system architecture does not mean ESI mapping is impractical, but it can alter the approach to gathering information and it will take more time. Reliance on guidance from the legal department is more important when IT systems are not well documented.

Questions to consider when setting priorities for an ESI map:

* Can ESI mapping be limited geographically, for instance, to North American locations?

* Does the organization's litigation or regulatory history suggest a core set of ESI sources?

* Does the known chronology of application implementation and migration allow setting lower priorities on certain active and inactive ESI sources?

* Can the ESI map develop iteratively based on discovery events, following an initial creation of templates, surveys, and documentation guidelines?

Determine Level of Map Detail

One leading practice suggests beginning with a standard template that lists document and record types and sources of data and systems, often categorized by function, department, or division. The level of detail will depend largely upon the organization's particular needs and concerns. Some organizations, for instance, are concerned that a highly detailed data map may make it difficult to keep the map updated and accurate.

Organizations undergoing frequent structural or operational changes may not wish to spend the time necessary to capture a level of detail that will be difficult to maintain if the data attributes are constantly changing.

Data maps sometimes include only e-mail servers and file servers, but they also often include application servers, such as payroll, archiving, or business application systems. Standard elements include format and locations of ESI in e-mails or other messaging systems; desktop and laptop computer data storage policies at the organizational and individual levels; policies and processes for data backups; and policies for repurposing a computer after an employee has left the organization. See the sidebar on page 37 for a list of considerations involved in creating a data map.

Interview All Stakeholders

Creating a data map is one task that falls under the umbrella of data governance. Effective management requires effective governance. Many organizations will have existing IT or data governance structures in place that can take responsibility for keeping a data map evergreen.

Data map stakeholders include legal, IT, compliance, records and information management, human resources, finance and other departments that maintain records. The team creating the data map should interview relevant constituents to determine what ESI is significant and where it is stored. Mapping exercises frequently begin by interviewing legal to determine which systems are used to respond to a legal or regulatory matter.

Basic questions regarding each relevant system include:

* Who is the business owner of the ESI?

* Who is the IT owner?

* How is the ESI stored?

* How is the ESI backed up?

* Who created the files?

* How can the ESI be preserved?

* How will the ESI be collected if needed?

Document Backup Policies

The team should be vigilant in looking at less obvious sources of information, including backup systems, offline media, archives, and legacy systems. The data map should note the backup policy for each system, including retention and recycling for full and incremental backups. It is also useful to note whether backups are used for disaster recovery only or whether they are available for convenience restores, since that may affect future claims of accessibility of the data.

Pitfalls to Avoid

Watch out for the misuse of other tools to fulfill the purposes of a data map. Some organizations confuse disaster recovery documentation with a data map, but these are actually two different things. A quick way to understand the difference is to use a typical disaster recovery or business continuity plan as a tool to preserve and collect ESI for discovery. These IT plans contain a depth of information that is, at best, only partially helpful when responding to discovery, and, at worst, misleading because it represents technical information outside of the context of business use.

A significant problem with data maps is keeping them current. An outdated data map poses potential problems because it suggests discovery responses that are no longer appropriate. To ensure the map is current, the mapping project should include development of an IT governance process to manage periodic reviews and updates. Most organizations have existing IT change management or asset management programs that are appropriate for this purpose. The frequency of the updates depends on the IT processes of the particular organization. Are systems frequently upgraded or restructured? At a minimum, the map should be revisited each year. If the organization has an in-house coordinator for the map project, this person should be able to update the map more frequently.

Worth the Investment?

Some organizations question whether a data map is worth the significant investment of time and resources required to create it. The better question is whether the organization is comfortable with the risk of not having a data map. For organizations in highly litigious or highly regulated industries, the lack of an appropriate data map can expose the organization to potential legal or financial risks if data cannot be identified, located, or retrieved to meet mandatory legal or regulatory deadlines.



* Backup systems are critical since many organizations may have different backup systems in different departments, such as finance or research.

* Information about which data sources are backed up and where the backed up data is stored is important to consider.

* Third-party systems, such as e-mail services, in which a vendor hosts application data, should not be overlooked.

* Information about where data is stored, how often it is preserved, and whether it is commingled with other organizations' data is essential.

* Do not include every system used. A large organization will typically support more than 1,000 technology systems, but only a small percentage are typically frequent sources of ESI for discovery or investigation. Many organizations choose to include detailed descriptions of the most significant 20 to 30 systems, with less detail for a second tier of systems significant to the business, but less frequently used in responding to discovery, and with a third or fourth tier of data for less significant systems.

* Identify the custodians of the data, who may be the business owners or the IT owners of the data. Typically, the custodian is the day-to-day owner of the data or system.

* Indicate whether each data source is active. If it is not, consider quantifying the difficulty or cost in making the data accessible. In the event of a request for evidence, corporate legal counsel can quickly determine the projected cost of producing the evidence, whether duplicate or near-duplicate sources are available, and whether they can make an argument that producing from a source causes an undue cost or burden.

* Document the policies or practices that are followed for routine document retention and disposition so counsel understands the expected lifecycle for data within each source of potentially relevant ESI.

David W. Wetmore can be reached at David.Wetmore Scott Clary can be reached at See their bios on page 62.
COPYRIGHT 2009 Association of Records Managers & Administrators (ARMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2009 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:electronically stored information
Author:Wetmore, David; Clary, Scott
Publication:Information Management Journal
Geographic Code:1USA
Date:Sep 1, 2009
Previous Article:Examining metadata: its role in e-discovery and the future of records managers: recent developments in law, standards, and technology suggest that...
Next Article:Forrester/ARMA survey: mitigating legal risks drives software deployment plans: records professionals have a strategic role to play in implementing...

Related Articles
Living dangerously: several months after the amended Federal Rules of Civil Procedure took effect, many companies remain woefully unprepared for...
Cooperative process for minimizing discovery burden, expense.
Forrester/ARMA survey: mitigating legal risks drives software deployment plans: records professionals have a strategic role to play in implementing...

Terms of use | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters