E-discovery is a relatively new concept that describes the process by which information is recovered from corporate networks, usually to answer the demands of regulators or the law. It is a subject close to the hearts of CEOs everywhere, given the stringent penalties and resulting brand damage that have been applied to companies unable to provide information on demand.
Like several other technology sectors that touch on governance, e-discovery has risen sharply in importance in the post-Enron business world and is quickly becoming a standard defence against the machinations of legal agencies, regulators and other information-hungry forces.
The e-discovery process is also fast becoming very familiar to many organisations. First, an external (or internal) demand for information comes in. It may be a serious matter such as information regarding stock-trading behaviour or something relatively trivial such as employees who have been fired asking for emails or performance evaluation reports relating to them to be disclosed. This demand triggers a chase to track down relevant information within an allotted period. Those who can provide timely information avoid penalties while those who can’t incur the risk of punishment and, potentially, bad press too.
Critical software for e-discovery includes: early-case assessment tools that help answer the initial question of whether there is a case to answer by providing a high-level overview of the situation; legal-hold tools that help firms meet their obligation to preserve all relevant information once a probe is instigated; archiving tools that preserve documents and email messages (and even video and audio); records and content management packages that offer searchable archives of information; and tools for creating policy-based approaches to the problem.
How big is the e-discovery issue? “Large and growing fast” would appear to be the short answer. Gartner predicts that the e-discovery software sector will be worth over $760m (£385m) this year, up from $524m (£266m) in 2007. In its July 2007 report The Emerging E-Discovery Market, Gartner analysts Debra Logan and John Bace wrote: “Changes to the Federal Rules of Civil Procedure, along with the ever-increasing reliance on electronic documentation in business, will have wide-ranging effects on the IT profession and IT vendors in 2007 and 2008. IT will be called on to account for elements of their infrastructure and the location of live and backup data as never before.”
Another clue as to how seriously the matter is being taken comes from the rapid consolidation of suppliers in the sector. In December 2007, Seagate agreed to buy e-discovery software platform firm MetaLincs for an undisclosed sum, supplementing earlier deals to acquire online backup firm EVault and data recovery services company Action Front. In October 2007, data protection firm Iron Mountain signed a deal to buy e-discovery software firm Stratify for $158m (£80m). Finally, July 2007 saw the biggest deal so far in the sector at $375m (£190m) when UK-based enterprise search giant Autonomy agreed to buy e-discovery firm Zantaz.
As well as the companies already mentioned, several others are attempting to stake a claim in the e-discovery sector. They include HP, which recently augmented storage and archive tools with the acquisition of e-discovery firm Tower Software, and Symantec, based in part on tools acquired with the huge Veritas merger agreement of 2004. But many other companies at least touch on the sector, including EMC and CommVault. Leaning on its dominant position on the business desktop, Microsoft is also muscling in. Early this year the software giant ran a US roadshow specifically aimed at educating customers and prospects on the e-discovery landscape.
Examples of the relevance of e-discovery are everywhere at the moment although – understandably, given the sensitive nature of many investigations – few users are willing to provide case studies of their experiences. To get a flavour of high-profile situations where e-discovery would be relevant, think of Intel’s failure to provide critical emails demanded as part of an investigation into its business processes by US courts in an ongoing antitrust case. Or remember the patent case between network chip makers Qualcomm and Broadcom where missing emails led to Qualcomm being told to pay Broadcom’s litigation fees.
Or consider the investigations into the proliferation of dot-com era “buy” ratings on internet stocks and the subsequent revelation that personal emails sent by influential analysts ran counter to those recommendations. And of course, the recent actions of Jerome Kerviel at Société Générale will, one assumes, have led to a large investment in e-discovery services.
RULES AND REGS SHOW NO SIGN OF SLOWING UP
The requirement for e-discovery has grown on the back of a sea of rules and regulations designed to compel organisations to demonstrate good governance.
The Sarbanes-Oxley Act of 2002, commonly known as SOX, came on the back of a series of high-profile corporate frauds in the US, most notably Enron. It has had an enormous effect and has demanded onerous duties of the boards of companies, especially in accounting and disclosing information to the public markets.
Although primarily aimed at companies floated in the US, SOX has had a knock-on effect around the world and has become symbolic of the new wave of corporate governance demands. In the UK, the Combined Code on Corporate Governance has also had a large effect.
The recent Federal Rules of Civil Procedure are also expected to have a seismic effect on the way US-headquartered companies handle the early stages of a discovery process.
The financial services industry has had particularly stringent regulations for many years and UK watchdog the Financial Services Authority is widely regarded as a tough watchdog that is becoming even tougher.
In the UK, the Data Protection Act and Freedom of Information Act have had an enormous effect on the ability of citizens to find out about information that affects them and has led to a heavy burden placed on local government.
Cases of sexual, racial and other forms of discrimination are also leading to the IT department working closer than ever with legal counsel.
Having to prove, quickly, that your company is not guilty of stock manipulation, insider dealing, fraud or other forms of malfeasance will do plenty to shock businesses into action on e-discovery and all signs point to the fact that companies are doing just this. A stark indication of just how seriously companies are taking the problem came in January when a financial giant, widely reported to have been Citigroup, signed a $70m (£35m) deal with Autonomy’s Zantaz subsidiary for Desktop Legal Hold, a software program that lets firms centrally control desktops and laptops by remotely enforcing policies on document and message retention.
Increasingly, say experts, large firms are investing in e-discovery ahead of any problems emerging, rather than compensating for investigations with a flurry of reactive behaviour. But even outside of enterprise hotbeds, and financial services in particular, there is plenty of scope for investigating e-discovery.
Consider the case of Iain Liddell, policy development manager at Brunel University, responsible for subject access and Freedom of Information requests that need to be dealt with in a very timely manner.
“Our daily backups were taking 24 hours for email and file store,” he says. “We have 20,000 user accounts active at any time and there is 35 to 40 per cent churn each year. The [Microsoft] Exchange storage problem was growing hundreds of thousands of messages per month and we were having to buy more and more storage each month. We’re dealing with fairly sensitive information. Search was becoming difficult and it wasn’t reliable.”
Liddell’s answer was to invest in the HP e-discovery solution and he is confident that he now has better control over the discovery process and a better understanding of best-practice procedures.
“To instil confidence that we’re not in a Big Brother situation we hold meetings to tell people what we’re doing,” he says. “We tightly control who can perform searches and we plan to share data on how we document on the website. Our rallying cry is: ‘Be open, be honest, be brave’.”
WHERE NEXT FOR E-DISCOVERY?
Today’s search and e-discovery tools already do a good job of finding structured information such as data held in spreadsheets, databases and forms. However, the push is on to get a better insight into unstructured data such as text documents, presentation slides and, of course, emails.
Email messages have emerged as a rich source when searching for clues as to whether firms did or did not break the rules. Because of the ad hoc nature of email compositions, staff will often disclose information that they would not otherwise offer. Searching for keywords in messages and headers is a start but today’s needs are more sophisticated. Therefore, software that can detect patterns of expression that give a clue as to content is highly valued.
Increasingly, experts say, regulators will also seek to gain access to other forms of communication, including phone conversations, instant messaging exchanges, video and still images. Software developers are building programs that can look for such files although the field remains quite new.
Having done the heavy lifting on e-discovery, Liddell has more sophisticated plans for Brunel. A next step will be to pilot language analysis with five per cent of the university. This will involve software that can interpret unstructured requests such as those in the text of email messages.
Among e-discovery software suppliers, the rush is on to provide comprehensive answers to probes by bringing together the disparate elements involved in the e-discovery process.
“We’re able to talk to very large companies about holistic solutions,” says Andrew Joiner, Autonomy’s vice president for information risk and management. “Customers are struggling to evaluate all the solutions out there. It’s still a very fragmented market and that’s the approach being taken by most vendors. When you read an RFP [request for proposal], every section has: ‘Who do you partner with in this area?’, but we can offer a full spectrum.”
Of course, others are singing the same tune. HP, for example, having acquired Tower, says it offers “an integrated archive platform” thanks to its email archive, storage management and other offerings.
Companies able to make sense of the changing face of regulation will be in demand over the coming months and years. As if all the recent layers of regulation and forthcoming red tape were not enough, the situation could well worsen. One driver for more activity is the sub-prime mortgage crisis and the strong likelihood of a spate of investigations into mis-selling.
“We’re definitely seeing litigation in the sub-prime crisis because there have been high-wealth individuals [with investment portfolios] and some of these portfolios were put into mortgages,” said Nicole Eagan, Autonomy chief marketing officer. “Downstream, we might see litigation about foreclosures. We think it could be the first time where voice recordings are called in.”
Even without voice recordings being dragged into the equation, plain old text is hard enough to find and even harder to get rid of without resort to physical destruction, Eagan notes. “The delete key is the biggest lie on the keyboard. It’s almost impossible to delete data forever,” she adds.
The good news for corporates at the sharp end of a probe is that best practices are emerging. Autonomy’s Eagan recommends making an early-case assessment of where the risk lies in the data in order to guide how and where the discovery process is conducted. Experienced legal counsel will also be critical at an early juncture. Eagan recommends having “a tech-savvy lawyer who can tell you the likelihood of there being a smoking gun so you can either choose to settle or go to court”.
Often, experts say, suppliers and consulting firms will go in with a services-led approach that leads to lucrative returns, but vendors in the sector say that by setting up a dedicated team, outside knowledge can be largely dispensed with.
Mike Davis, an analyst at market research firm Ovum, believes that a familiar group of consulting giants will benefit from the e-discovery boom.
“The people who are going to make lots of money out of this are the Big Five,” he says. “If you can’t afford your own team, you are going to be services-led.”
HP information management marketing director Erik Moller agrees that billable hours can mount up, especially when firms are new to e-discovery. “Typically, a SWAT team goes in, does a hit and legal teams make a lot of money,” he says.
Moller says that many firms believe data has gone because they deleted it, without realising that messages and files can be easily recovered if they have not been destroyed. “The legacy information clean-up problem is the elephant in the room,” he says. “It’s purge, not delete.”
Another problem, Moller notes, comes from the tension between IT departments seeking to keep storage volumes at a manageable level and the demands of regulators, but he believes that firms that build up experience in e-discovery can automate processes and cope with internal staff.
Autonomy’s Eagan contends that the demands of e-discovery could lead to a new role where an IT expert partners with the legal counsel of the company.
Where next for e-discovery? Autonomy’s roots in search are leading it to pursue more intelligent software where suggestive patterns can be automatically detected when parsing text. Image and audio searching are also likely to become more important as regulators demand more and more information.
Whether data resides in email, instant messaging system, phone call or video stream, companies are becoming liable to find information or suffer the consequences. Little wonder that e-discovery is becoming another critical piece of kit to serve the governance needs of organisations.