In Part One, we identified some of the issues that arise in multi-jurisdictional discovery and data collection. In Part Two, we offer some practical observations on resolving these issues.
As we discussed in Part One, now that companies communicate primarily in e-mail and computers have entirely replaced typewriters, the traditional notion of "possession, custody, or control" over a document no longer is meaningful. Instead, in identifying relevant documents, you must focus on:
- The custodians: Whose e-mail account might contain relevant e-mails? Whose document queue might contain relevant documents?
- The file types: Are accounting spreadsheets likely to be relevant? E-mails? Word processing documents? Enterprise data?
- File locations: Are the documents stored on a company server or on an employee's hard drive? On a peripheral device? With a third-party Web host or voice mail host vendor?
One of your crisis management team's first jobs will be to answer these questions. When dealing with U.S. regulators or prosecutors, or with plaintiffs' lawyers, almost any mistake can be corrected-except failing to identify and preserve relevant documents. In assembling your crisis management team, you should look for lawyers who have experience managing cross-border data preservation and collection efforts. They can help you identify a specialized forensic technology services vendor to image your servers and relevant hard drives, scan your paper documents, and copy data residing on peripheral devices. They should have the technical expertise to communicate with your IT managers and understand your company's IT infrastructure.
Working with your attorneys, they can help ensure relevant data is preserved. Traditional communications between your attorneys and businesspeople still will be an integral part of understanding where data are located and preserving and collecting the information, but direct communications among your IT managers and outside forensic technology specialists is necessary as well.
Obtain Local Assistance
In addition to understanding and overcoming the technical issues specific to your company's IT infrastructure, your attorneys and forensic technology vendors also must address the cross-border legal and cultural conflicts we discussed in Part One. Usually, this means your crisis management team should partner with a local vendor who understands any local legal requirements and has the technical ability to help you meet them. Alternatively, in selecting your forensic technology vendor, you should consider whether it has an established presence in the foreign country involved in the crisis.
To return to the hypothetical we introduced in Part One, if you need to collect e-mail from your France-based sales and marketing staff in order to respond to the SEC inquiry, you will need to ensure you do not violate France's data protection law in doing so. This may mean engaging a local law firm to analyze any intra-company agreements between your U.S.-based parent and the French subsidiary to learn what foreign data transfers may already be permitted.
In addition, you may need to engage an EU-based forensic technology vendor to host any French e-mails you collect in a location inside the European Union until you determine they can be transferred to the SEC in the United States. Alternatively, some U.S.-based forensic technology vendors are "safe harbor" companies. This means the U.S. Department of Commerce has certified that they meet EU data protection requirements and would be able receive transfers of data without violating French law. This would allow you to maintain and analyze any data in the United States before turning it over to the SEC.
In addition to substantive legal concerns, logistical barriers can bring your team to a grinding halt if not carefully planned. For example, on-the-ground collection generally requires specialized equipment. Without planning, you may face time-consuming logistical difficulties, including travel delays and customs requirements. A forensic technology vendor's toolkit is always filled with yards of computer wire, plugs and adaptors of every sort, hard drives, CD-ROMS and flash memory devices. Getting through customs and airport security with these items in your suitcase is not always easy; it's better if a local vendor can obtain them in-country.
Local partners also will help break down language barriers because they obviously will have an easier time communicating with your local IT staff. Given the complexity of modern server environments, you should not risk anything being lost in translation.
Assume Nothing; Document Everything
For better or for worse, U.S.-style litigation and internal investigations are largely alien to non-U.S. organizations. Accordingly, when planning to harvest documents and electronic data from your foreign offices, you cannot assume your foreign managers will know what to expect. When your attorneys and forensic technology vendors plan their document collection site visits, they will need to provide a detailed work plan to the heads of any foreign offices they will be visiting. The work plan should assume the foreign managers have never before participated in a forensic collection.
If your team requires a conference room, the work plan should specify it. If the conference room should have chairs, power outlets and Internet connections, the work plan should specify how many and what type. If your crisis management team will need to meet with any foreign managers, the work plan should specify it and propose dates and times. The crisis management team's local partner can assist in providing any equipment your foreign office does not have onsite-but only if your crisis management's work plan specifies its needs in detail.
Once the data collection process is underway, your crisis management team must preserve and document the chain of custody. Usually, this task will fall to your forensic technology vendors, who should have experience in this area and should be prepared to testify, if necessary, about the methods they used to harvest and transport the data. Documenting the chain of custody generally should not fall to your attorneys, because conflicts could arise if they are called upon to testify as fact witnesses regarding how the information was collected.
In addition to documenting the chain of custody, your crisis management team should document who they collected data from, who they interviewed, and any issues that arose during the site visit. Civil disputes and internal investigations by government regulators can take years to be resolved. Documenting exactly what the crisis management team did will protect your company in the event of any discovery-related dispute.
For everyone involved in cross-border discovery, the objective is simple: to collect information in a manner that complies with all applicable laws and regulations while serving the client effectively. But though the objective is simple, achieving it is not. There is no substitute for technical and local expertise, and you should be prepared to engage both in order to effectively manage any crisis with cross-border implications.
Courtesy of Skadden, Arps, Slate, Meagher and Flom LLP.