Life around the world has significantly changed in the last three months. From job losses, homeschooling, and working from home, daily life is not the same as it was in February. The world of E-Discovery has not been immune. Law firms and service providers have been forced to adapt to a quickly changing environment. Here in North Carolina, our governor issued a statewide stay at home order effective on March 30. However, most of the people heeded the advice of firm management and began working from home several weeks earlier.
Since that time we have seen a flood of articles and news reports about how people are adjusting to using video conferencing and collaboration tools such as WebEx, Zoom, Skype, and Google Docs. These tools enable us to maintain invaluable connections with our colleagues and clients, but they also have an effect on discovery we might not have previously considered. From an E-Discovery perspective, the use of these remote working tools creates new data sources for preservation and collection. Diligent attorneys and clients would be wise to consider and discuss how these tools might impact the phases of E-Discovery moving forward. Below is a list of considerations to help get the conversation started.
1. Does the client have a work from home or telework policy, and if so, does it cover the use of remote working technology?
Most workplaces probably have some type of work from home or telework policy. However, even the savviest employers likely did not foresee the world as we knew it coming to a screeching halt. I presume that these policies most likely pertain only to requests to work remotely versus in the office. As counsel, we should engage our clients in a discussion about whether their current policies sufficiently address the use of technology while working from home. For example, employers should consider which technology platforms are currently authorized and which are being utilized by the employees, such videoconferencing tools. Employers should consider whether to limit (or eliminate altogether) the use of unauthorized platforms. If an employer decides to limit the use of certain platforms for safety, privacy or other reasons, that message should be effectively communicated to the employees.
2. Should the existing BYOD (“Bring Your Own Device”) policy be revised?
As stated above, an employer should inquire of its employees what tools they use and then consider the privacy and security implications of each. A work from home policy should identify which tools may be used for work purposes and which may not (since “work” inevitably includes handling private and protected information). While some employees may have already had access to their entire work environments on mobile devices or home computers, other employees may not. Employers may now be paying for or subsidizing mobile devices for employees that were solely personal prior to the pandemic. Employers will need to closely examine their BYOD policies and consider whether revisions to the policies are warranted. Enforcement of policies related to mobile device usage is more straightforward with employer-provided devices, but more difficult if employees use their own devices for remote work. For more information on BYOD policies, click here for an extremely informative article from my colleague Russ Beets on the advantages and drawbacks of a BYOD policy.
3. Are employees saving data to a centralized location?
The remote work policy should reiterate that employees should continue to save all documents and information to a centralized, secure location, whether that location is on the organization’s network or other centralized document management system. If employees regularly and consistently save documents to a centralized location, this lessens the need for the preservation and collection of data from employees' devices. While working remotely, employees should regularly be reminded to save documents to centralized, secure locations.
Employers may also need to remind employees that communication via a direct messaging platform utilized by the employer may be a more favorable means of communication over other nonstandard or non-enterprise communications such as text messages, etc. These direct messages are likely already addressed in an organization’s data retention policy and, depending on an organization’s storage capabilities, may be stored and preserved in a central location.
4. Does the data retention policy cover data generated by the tools they now use on a regular basis?
I suspect that most policies are broad enough to cover these tools, but organizations should review their data retention policies and determine whether the data generated by these remote working tools is adequately addressed. If it is not, the policy will likely need to be updated. In some cases, an organization may need to provide additional training to its internal IT team to ensure they will be able to preserve and collect the data generated should the need arise. The IT team should consider how the tool generates, organizes, indexes and saves data.
5. Existing tools to lessen the disruption caused by COVID 19.
When it comes time to identify, preserve and collect data that might be relevant in a dispute, most litigation attorneys and E-Discovery professionals already have a few items in their toolbox to navigate this new world of remote work. The most important tool is the custodian questionnaire. You will need to know how the custodian was communicating and collaborating while working remotely. An existing custodian questionnaire may need to be revised to take into account the use of remote working tools, such as video conferencing and collaboration platforms that may have been utilized by the custodian. The custodian questionnaire should also consider whether the custodian generated any paper documents and the location of those paper documents to ensure they are also properly preserved.
In-person data collections are seemingly a thing of the past. Before COVID, while we conducted remote collections when it was necessary to do so, we preferred in-person collections because we found sitting face to face with an often anxious custodian to be the most effective means of garnering their trust and successfully drilling down to the heart of where relevant data is stored. In today’s climate, however, almost all data collections are conducted remotely by accessing an individual employee’s computer, mobile device or cloud storage location, or an organization’s network. Conducting collections from a distance comes with its own challenges, such as scheduling time to meet with custodians who are also trying to work from home, accessing various data sources, loading collection software and keeping a custodian’s attention. Thankfully, the remote collection tools and workflows we have used in the past are still ripe for today’s new world and people are learning how to manage their time and space. With employer and state travel restrictions in place, as well as restrictive stay at home orders, we are actually learning how to successfully connect with our clients and custodians from afar. I believe that this is a lasting change and the majority of collections after the pandemic ends will be performed remotely.
6. How safe is a remote document review?
Clients will almost inevitably have questions and concerns about safeguarding their private and confidential data during a remote document review. Truthfully, a remote document review comes with security challenges, simply because we cannot know with 100% certainty where the review is performed or who may have access to view an attorney’s computer screen or who may have access to review protocols and case memos. However, a remote document review can be performed safely if certain precautions are taken.
The most secure means of performing a remote document review is to require contract reviewers to use a VPN tunnel or other type of secure portal when accessing the review platform. If a VPN tunnel or secure portal is not an option, two-factor authentication should be implemented for any person remotely accessing the review platform that is not connected via a VPN or secure portal. In addition, document review contract attorneys should be required to follow any remote document review policy in place by the law firm or vendor, such as:
- No review should be performed in a public location.
- The attorney should be aware of his/her surroundings.
- The attorney should lock their computer when it is not in use.
- Any review should be performed on a computer that is only used by the reviewer, and that if this is not possible, the reviewer should clear their internet browser history and secure any files or other confidential client information before the computer or computer area is used by anyone else.
- The attorney is prohibited from downloading any materials onto their personal computers or sending/receiving materials using personal email addresses.
Because contractors are remote, it is even more important that they attend regularly scheduled (even daily) meetings about ongoing reviews to discuss any issues that arise. Similarly, contractors should provide daily reports that provide an overview of the documents they reviewed and any hot documents they encountered. It will also be important to track review rates, including documents viewed and edited per hour, and then discuss how to address outliers.
When daily life has reached some type of stability and we have all adjusted to the “new normal,” companies will need to determine if their work environment has substantially changed, how long the change may last, and whether their internal policies need to be adjusted. Hopefully, this time comes soon and without additional disruption. Who knows… maybe this will lead to more telework, more time with families, and a better quality of life.