By Rene Novoa, DriveSavers
How to use it in the workplace
Today, many businesses have chosen to go “paperless” by keeping important documents, including those prepared and maintained by human resources (HR) departments, stored in computers rather than file cabinets.
By going paperless, businesses can experience a number of benefits, including search-friendless and storage efficiency. These electronically generated and stored files also include a huge amount of potentially useful information that is unavailable in paper form, including metadata that keeps track of when, how and by whom those files were created, modified, viewed, transmitted and deleted. With these new benefits come new requirements and possible challenges in terms of data organization and preservation.
In the event that a possible HR-related lawsuit is on the horizon, it is often HR’s responsibility to preserve and provide all relevant company data in its various forms (Word documents, Excel spreadsheets, PDFs, etc.) and digital communication from computers, phones, flash drives and other devices where that data may live. This is where eDiscovery comes in.
eDiscovery, or electronic discovery, is the process of sifting through a large amount of data and finding any pieces that may be relevant to a specific legal action or dispute. This process is called upon when electronically stored information (ESI) must be provided for use in litigation, a lawsuit or an investigation, such as the alleged unlawful firing of an employee. eDiscovery may also be used to find data related to suspected employee misconduct, such as alleged theft of company owned trade secrets.
When pending or actual litigation does arise, it is important for the HR department, as the primary caretaker of ESI, to understand how and where the data is stored. The goal is to allow the company to identify and access relevant data as fast and efficiently as possible. This process is most effective when the HR and IT departments work together with in-house and/or outside legal counsel and an eDiscovery service.
There are several steps involved in the eDiscovery process, as shown in the Electronic Discovery Reference Model (EDRM).
A professional eDiscovery company should be employed and consulted from the start of the eDiscovery process. The two steps in this process that HR needs to be directly involved in are identification and preservation.
During identification, potential sources of relevant ESI are determined. Once you have identified these, you must act quickly to ensure that none of it is destroyed or altered in any way. This is known as preservation.
Preparing for eDiscovery
eDiscovery doesn’t have to be scary. As HR professionals, putting in place simple proactive measures, known as information governance (IG), can make the eDiscovery process much more streamlined and effective if the need ever arises. IG is simply the control structure put in place to maintain company ESI.
We recommend working with your IT department to put the following IG policies into place:
1. Develop an ESI Lifecycle Plan
Develop an ESI lifecycle plan by first learning and keeping track of the length of time your company is required by law to maintain specific files. From there, develop a plan for storing ESI that must be retained and a play for destruction of data at the end of its retention period.
2. Use Current Storage Technology
Avoid the problem of important data trapped on obsolete technology, like floppy disks, by making sure to always transfer all data to current devices. Remember that technology often moves forward more quickly than your files.
3. Be Organized
Making sure that file names and folder names are clear and easy to understand ensures that the correct ESI can be located quickly when needed. It helps to decide on a naming convention and stick to it.
Make sure that the organization of important data is intuitive for new users, as well. Anybody tasked with searching your company’s ESI should be able to answer the following questions:
- Where is this information stored?
- What is this information?
- Who has access to this file?
- Why is this information being retained?
- When was this file created or last modified?
- How is this data being stored/protected?
Install appropriate firewalls, password protection, encryption and other measures as detailed in published industry regulations and as recommended by your company IT or chief security officer (CSO). Also make sure to maintain proper cybersecurity that conforms to government or industry regulations.
5. Back It Up
The court is not kind to those who have lost relevant data due to hard drive crash and ineffective backup. Maintain and regularly test effective data backup measures. Loss of relevant data due to a hard drive crash and ineffective backup has been cause for spoliation fines.
All those who have access to data that must be maintained for legal or regulatory purposes should have a full understanding of company IG policies as they relate to the data that person wishes to access. For example, a payroll clerk must be aware of IG policies as they relate to final paychecks. A manager must be aware of IG policies as they relate to employee reviews.
These policies in mind, when it comes to eDiscovery, the best advice we have is to be prepared. Consider identifying an eDiscovery partner and legal counsel and retaining these partners before the need arises. Your eDiscovery partner, along with your company’s IT department, can help to develop a plan and workflow for each possible situation. Arming yourself with a basic understanding of eDiscovery and a plan, should allow everything to go smoothly.
Rene Novoa is a certified forensic investigator and manager of eDiscovery and digital forensics at DriveSavers. Since joining DriveSavers in 2001, Novoa has performed data recovery on thousands of storage devices plagued with mechanical failures, physical damage and logical corruption.