BIA is committed to ensuring ongoing quality service during the COVID-19 pandemic.View

The CTO’s Role in eDiscovery: Evaluate, Update, Communicate

The CTO's role in eDiscovery

The Chief Technology Officer or CTO’s role in eDiscovery is much the same as their role in other areas of the company, that is, to join (if not lead) any decisions on technology solutions utilized by the company in all aspects of its daily business operations. Legal technology decisions, made inside or outside the organization, are no exception. Most likely, your company’s legal team already makes legal technology decisions—with or without you. Chances are, they are managing legal data using external and/or cloud-based technologies that may require integration with your internal systems and/or policy compliance. So, if you are not involved in that conversation already, you should be. The CTO’s role in eDiscovery consists of three rather simple charges packed full of some not-so-simple responsibilities.

1. The CTOs’ role in eDiscovery is to EVALUATE.

When your company wants to purchase, adopt, or license technological tools, it is your job as Chief Technology Officer to evaluate and vet these tools from the standpoint of functionality, cost, data security, and compliance. Here are some valuable points to cover and specific questions to get you started.

Functionality & Integration

  • What are the snafus with this tool?
  • What kind of things go wrong, why, and how are they remedied?

(Once upon a time… A BIA client once proposed a basic backup tool for complex eDiscovery purposes. Our CTO joined the conversation early on and discovered that, while the application did collect data from custodians inside their network, it failed to preserve the MAC dates properly. Because the tool did not fulfill even the most basic of eDiscovery needs, it would have doomed the process from the outset, added significant costs later, and possibly even resulted in sanctions.)

  • Do we already have something in the company that would work?
  • Are we investing in overlapping products, and can we consolidate into one to create consistency across departments?
  • Why are we using multiple different platforms to collect, process or review our data?

(Once upon many a time… As is often the case, a recent new enterprise client of ours retained BIA to help modernize, unify, and overall improve their chaotic eDiscovery processes. While the request was nothing out of the ordinary, the situation was somewhat unusual. This client had their legal data strewn across 70+ active cases, a nearly uncountable number of internal systems, law firm-provided resources, various offline and online repositories, and review tools. The result was not only overlapping products, but general confusion, a lack of control and vetting of those platforms, and of course, extended costs. It took some time to get control of all those resources, but now the client has a single source for each step in the eDiscovery workflow—fully vetted, secured, and at a much lower overall cost.)

  • Are there auto-generated passwords? What is the password policy for external systems and can those be controlled through SSO or at least be subjected to your company’s password rules, protocols and practices?
  • Will the seemingly useful SAAS product that the legal team wants require data sync with your internal systems down the road? If yes, how will those syncs work? Is there an API? Do they need to be run within your network? Will we have any policy compliance issues?
  • Remember that many legal apps are designed and presented to convince your legal team that the apps will simplify life, but your vetting shouldn’t stop there. Your colleagues in Legal need you, their CTO, to look further down the road than a new app’s spiffed-up website or pretty interface. The CTO’s role in eDiscovery is to ask the hard technology questions to vet data security, privacy, and compliance issues that others in the company simply won’t know to ask. 
  • If we need to, how do we get our data back out of the system? While the website or user interface might look sleek and straightforward, there are often unseen requirements for getting data in and out of these systems. You’ll want to vet those systems up front as well before it’s one day suddenly dropped in your lap.

Cost

The CTO should be involved in the researching, vetting, negotiating pricing with vendors, and purchasing of all technologies, even those used mainly or solely by the legal department (or outside counsel). The obvious questions apply here—is the tool priced right, are there better deals out there, and so forth. More so than your Legal colleagues, as CTO you are in a much better position to understand the reasonableness of those costs in light of the broader technology landscape. It is your job to look under those pricing-related stones that Legal overlooks or chooses to leave unturned.

That said, don’t let your legal department make decisions based solely on price. You’ve been there and done that. The legal community, and eDiscovery teams especially, are frequent offenders in that regard. We see it all too often—clients pivot on a dime and select solutions based on the cheapest option. But there are other considerations to any technology spend as you well know, from implementation costs to security considerations (an unsecure system isn’t worth even the smallest cost) and more. Legal needs the CTO to step in and examine the underlying details of a solution—not just the purportedly “cheap” cost estimate alone.

Data Security

A substantial piece of the CTO’s role in eDiscovery involves data security and governance—keeping track of how data gets stored, managed, archived, and deleted. That may also bring in the CISO and/or CIO as well. In many instances, it’s a team effort, with the CTO in a central role.

Historically, the role of making routine decisions about where to store data was isolated to the IT department. Indeed, those were simpler times when decisions largely focused on which hardware in your company-controlled data center would be utilized for a specific purpose or internal need. But with the vast array of cloud systems and storage solutions available today, it’s no longer a simple question, rather one with far-reaching implications. More than ever before, the CTO must be involved in even those routine data storage decisions, as those decisions may implicate various company policies, practices, protocols, and regulatory obligations.

With an eye to eDiscovery, you need to vet those data storage locations and solutions in consideration of potential future eDiscovery needs and obligations. You have to understand the ripple effects that different decisions will create later when you go to retrieve that data in response to a regulatory inquiry, legal obligation, or other such need.

The CTO’s role in eDiscovery involves asking data questions that general users don’t contemplate, such as:

  • How is our data in each solution (internal or external) managed, stored and backed up? Is it encrypted at rest and in transit?
  • Why are we using 2 different platforms to review our data? Wouldn’t it be more secure to utilize a single source?
  • Is our data safe? Have we fully vetted the proposed solution for data security and protection obligations?
  • Do we maintain ownership of our data, and who has access to it?
  • How do we recover, delete, and/or remediate it when needed?
  • Are we allowing company communications through apps such as Signal and WhatsApp that, while encrypted, could pose issues during a request for data? 
  • Are we allowing apps that could retrieve and store pictures, videos, and personal/demographic info in controversial apps like TikTok?
  • How are we keeping sensitive company data safe in the WFH era where remote work is muddying the data security waters?

I cannot overstate the importance of getting involved in these decisions sooner rather than later. I have found that doing my own review of RFPs or security assessments is a great place to start.

(Once upon a time… A marketing firm client wanted to purchase BIA’s litigation hold tool. We completed their standard security assessment—boxes checked, policies confirmed, contract signed. Only then did the company’s CTO join the conversation. He was extremely competent and brought to the table relevant and valuable questions about scripts, sync validation, API and more. The problem was the timing; had he been involved much earlier, we could have addressed these issues much sooner in the security assessment stage and avoided many, many hours of additional exchanges, adjustments, and negotiations – on both the company’s part and ours.)

2. The CTO’s role in eDiscovery is to CREATE & UPDATE.

Policy

CTOs should take a lead role in creating and implementing policy, even with respect to legal technology RFPs and related decisions. As in the client example above, failing to participate in that process early on means that you’ll end up asking questions later about data synchronization, exposing PII, and any number of other issues that perhaps wouldn’t even get discussed without your input.

A particular legal software or solution might meet the needs of your legal team, but it could fail to meet your company’s technology requirements and policies, and thus, should be rejected nonetheless. The last thing you want is to be stuck creating shortcuts, backend modifications and other costly late adjustments to accommodate those needs when that should have been reconciled earlier. And when creating policies or vetting those solutions, keep in mind that Legal has to meet requirements that may be unfamiliar to you, so it must be a team effort from the outset.

Documentation

To create and implement policy, work closely with the eDiscovery steering committee at your company to develop both the policies and their documentation. (Don’t have an eDiscovery steering committee? We can help.) Make sure that committee routinely reviews and updates those policies and documentation, too. Non-existent or even stale policies and documentation can become equally big problems. When a case hits and you need eDiscovery, you want to have the marching orders in place so that the appropriate parties are informed, in touch, know their obligations, and can begin marching together, in step and on plan.

Updating

The CTO’s role in eDiscovery includes regularly updating – or at least making sure the legal team is updating – those legal technologies selected. While many legal technology solutions are online and effectively automatically updated, there are still many behind-the-firewall solutions you can implement as well. If you don’t keep those solutions updated, you could miss updated legal requirements and practices that can cost you later.

As the CTO, you know all about the risks of outdated software in everyday operations — how many stories have you heard about some outdated software or system starting a cascading data breach? Just as your data security needs to be maintained to prevent those issues, so do legal and regulatory obligations. When you are creating and updating your legal solutions and related policies and practices as outlined above, don’t overlook the fact that the software itself might go stale. Ensure that you and your legal committee routinely review your solutions to prevent that from happening.

3. The CTO’s role in eDiscovery is to COMMUNICATE.

CTOs, when was the last time you talked to a senior legal advisor at your organization? If your answer is sometime recent, then congratulations—you are the exception. For the rest of you, I urge you to have more frequent and more productive conversations with your legal team. Those exchanges should include questions like: Our data is stored in locations x, y, and z – does that pose any eDiscovery compliance issues? Here is what we’re doing with our data and how it’s encrypted. If we move data around to different global locations to save money, will that violate any contracts we have with any clients or regulations like GDPR? So many issues can sneak up on you – there’s a lot of legal responsibility out there. Don’t let your cloud-based data get too cloudy from not talking about those issues routinely with your Legal colleagues.

The days of just doing what is right from the technology perspective are over. Coordination between tech and legal departments is essential to your company’s success and risk avoidance. If Legal is operating without IT when your company is under stringent audit, for instance, they’re putting that audit at risk.

Embrace change, communicate change.

Be aware that decisions made last year may lead to different decisions this year. In the rare event that the technology has not changed, often the law has. Decisions that were historically one-sided should be made together. Make yourself aware of what technology decisions are being made in other departments.

A major concern for a CTO is being caught unprepared and potentially putting your company at risk in a legal matter because of a decision you made under some influence (possibly budgetary) and/or without enough context or discussion with the appropriate parties. I am constantly asking: What decisions affecting technology are being made without my knowledge? And I routinely talk with other senior managers throughout my organization, making sure to know the answers myself, so I can prevent that unwelcome surprise… I encourage you to do the same.

Talk to the experts.

At any level, be open to and actively seek out guidance from industry experts. As CTO of the company, you’re probably not that eDiscovery expert. BIA’s eDiscovery Experts have been coaching the C-Levels at corporations for nearly two decades. Whether you need help forming an eDiscovery steering committee, creating protocols or an eDiscovery playbook, or choosing the right litigation hold software (we’re partial to the one we built back in 2011), we’ve got your back. The CTO’s role in eDiscovery is a complex one but the concepts therein are quite simple; we invite you to reach out today.

Contributors: Scott Hammer, Maureen Murchie