Skadden, Arps, Slate, Meagher & Flom LLP & HSNO Franklin Data
By Gary DiBianco, By Gary Rubin, By Matthew Blake,
You are a United States company but a global citizen. Your shares are traded on U.S. exchanges. You have sales forces in Europe, manufacturing in Asia, and your eyes on the Middle East. It used to be that only the largest companies had a broad international reach. Now, it seems corporations of all sizes, in order to be competitive, must carefully consider overseas operations. While technology has made transition into the new global economy easier, it also creates special risks.
Imagine the following: You wake up one morning to a flurry of activity in France, where regulators have raided your main sales office seeking documents and information regarding alleged kickbacks to a key customer. You are asked to turn over hard drives, backup tapes and access to your servers. A reporter from Le Monde picks up the story, and by the time the U.S. opens for business there is a story on WSJ.com. Your stock price falls throughout the day; by the end of the week a leading class action law firm has announced the filing of a securities fraud case. The Securities and Exchange Commission (SEC) asks for information about your global sales practices and accounting policies.
Suddenly, you are faced with a swirl of information demands and document preservation obligations. French regulators want to cart your computers away-but the SEC wants the information they contain. American plaintiffs' lawyers will want it as well, and there's no telling whether additional regulators or litigants will become involved.
In today's business, all information is electronic. Paper may have been heavy, hard to store, and time-consuming to review-but it was a tangible thing, easy to inventory, and it tended to be limited in volume, even in the largest cases. More importantly, identifying relevant documents for preservation or production was relatively easy: Either a document was in your possession or custody, or it wasn't, and if it wasn't, either you controlled the people who had it, or you didn't. Electronic communication has led to exponential increases in the amount of data that companies store, and the locations where the information is stored: desktops, laptops, servers, PDAs, BlackBerries™, smart phones, optical drives, thumb drives, iPods™ and more.
Unless you spend a great deal of time talking shop with your IT managers, you probably don't know how many e-mail or file servers your company uses. You probably don't know exactly where your electronic documents are stored, what happens to your e-mails after you delete them, or how frequently your company's servers are backed up to tape. Are you prepared for information discovery across borders? Do you understand how to preserve, collect and analyze data in a way that will meet the requirements of foreign as well as U.S. courts and regulatory bodies? Are you sure?
Laws, Cultures and Conflicts
If you operate internationally, you must be cognizant not only of a patchwork of laws and regulations-many of which could conflict-but also of cultural differences that affect your response to requests for electronic information.
The initial stage in any litigation or regulatory effort is to ensure preservation of relevant materials. But an international scope makes this far more complicated than just issuing a directive to employees to stop deleting e-mails or drafted documents. You need to know where information is located, how it is stored, when it is backed up, and whether backups are rotated or destroyed. Automatic deletion or rotation policies mean that if you do nothing, you may lose files that are subject to a regulatory or litigation request.
Data collection also is far more complicated in an international context than in a purely domestic one. Local laws may prohibit an employer from searching employee e-mail files. As a cultural matter, most Americans are accustomed to the idea that an employee's computer and e-mail account belong to the employer. Outside of the U.S., the cultural understanding is frequently just the opposite: An employee's computer and e-mail account are considered private, and it may be a criminal offense to invade that privacy. Collection of data outside the U.S. may be seen as coercion by an employer, and it may lead to labor union grievances or complaints.
Once the information is collected, getting it reviewed and produced to a U.S. regulator or litigant is also no simple matter. Data privacy and blocking statutes in Europe, Asia and South America may forbid the transfer of personal data outside of their borders to an "unprotected" jurisdiction like the United States-and personal data include names, e-mail addresses and office phone numbers. Indeed, special procedures may be required before individuals outside a company-including the company's outside counsel-may review the data. And local laws may dictate that only data specifically responsive to a request may be exported, requiring counsel to review materials locally rather than shipping them to the U.S. to one centralized location, as is normally done in U.S. litigation.
Do not expect, however, any sympathy from U.S. regulators or plaintiffs' lawyers. U.S. regulators are skeptical of data protection laws and may take the view that international companies hide behind them to avoid cooperating with the regulators' investigations. U.S. courts may not be more understanding. The Supreme Court has held that U.S. discovery rules presumptively apply in civil litigation involving an international company, even if producing data in response to a discovery request would be unlawful in the international company's host jurisdiction.
These are some of the issues that will arise when an international company has to manage a conflict. How should you resolve these issues and to whom should you turn to get the process started? We'll discuss assembling your team and the basic strategies they should employ in Part Two.
In Part One, we identified some of the issues that arise in multi-jurisdictional discovery and data collection. In Part Two, we offer some practical observations on resolving these issues.
Know Thyself
As we discussed in Part One, now that companies communicate primarily in e-mail and computers have entirely replaced typewriters, the traditional notion of "possession, custody, or control" over a document no longer is meaningful. Instead, in identifying relevant documents, you must focus on:
- The custodians: Whose e-mail account might contain relevant e-mails? Whose document queue might contain relevant documents?
- The file types: Are accounting spreadsheets likely to be relevant? E-mails? Word processing documents? Enterprise data?
- File locations: Are the documents stored on a company server or on an employee's hard drive? On a peripheral device? With a third-party Web host or voice mail host vendor?
One of your crisis management team's first jobs will be to answer these questions. When dealing with U.S. regulators or prosecutors, or with plaintiffs' lawyers, almost any mistake can be corrected-except failing to identify and preserve relevant documents. In assembling your crisis management team, you should look for lawyers who have experience managing cross-border data preservation and collection efforts. They can help you identify a specialized forensic technology services vendor to image your servers and relevant hard drives, scan your paper documents, and copy data residing on peripheral devices. They should have the technical expertise to communicate with your IT managers and understand your company's IT infrastructure. Working with your attorneys, they can help ensure relevant data is preserved. Traditional communications between your attorneys and businesspeople still will be an integral part of understanding where data are located and preserving and collecting the information, but direct communications among your IT managers and outside forensic technology specialists is necessary as well.
Obtain Local Assistance
In addition to understanding and overcoming the technical issues specific to your company's IT infrastructure, your attorneys and forensic technology vendors also must address the cross-border legal and cultural conflicts we discussed in Part One. Usually, this means your crisis management team should partner with a local vendor who understands any local legal requirements and has the technical ability to help you meet them. Alternatively, in selecting your forensic technology vendor, you should consider whether it has an established presence in the foreign country involved in the crisis.
To return to the hypothetical we introduced in Part One, if you need to collect e-mail from your France-based sales and marketing staff in order to respond to the SEC inquiry, you will need to ensure you do not violate France's data protection law in doing so. This may mean engaging a local law firm to analyze any intra-company agreements between your U.S.-based parent and the French subsidiary to learn what foreign data transfers may already be permitted. In addition, you may need to engage an EU-based forensic technology vendor to host any French e-mails you collect in a location inside the European Union until you determine they can be transferred to the SEC in the United States. Alternatively, some U.S.-based forensic technology vendors are "safe harbor" companies. This means the U.S. Department of Commerce has certified that they meet EU data protection requirements and would be able receive transfers of data without violating French law. This would allow you to maintain and analyze any data in the United States before turning it over to the SEC.
In addition to substantive legal concerns, logistical barriers can bring your team to a grinding halt if not carefully planned. For example, on-the-ground collection generally requires specialized equipment. Without planning, you may face time-consuming logistical difficulties, including travel delays and customs requirements. A forensic technology vendor's toolkit is always filled with yards of computer wire, plugs and adaptors of every sort, hard drives, CD-ROMS and flash memory devices. Getting through customs and airport security with these items in your suitcase is not always easy; it's better if a local vendor can obtain them in-country.
Local partners also will help break down language barriers because they obviously will have an easier time communicating with your local IT staff. Given the complexity of modern server environments, you should not risk anything being lost in translation.
Assume Nothing; Document Everything
For better or for worse, U.S.-style litigation and internal investigations are largely alien to non-U.S. organizations. Accordingly, when planning to harvest documents and electronic data from your foreign offices, you cannot assume your foreign managers will know what to expect. When your attorneys and forensic technology vendors plan their document collection site visits, they will need to provide a detailed work plan to the heads of any foreign offices they will be visiting. The work plan should assume the foreign managers have never before participated in a forensic collection. If your team requires a conference room, the work plan should specify it. If the conference room should have chairs, power outlets and Internet connections, the work plan should specify how many and what type. If your crisis management team will need to meet with any foreign managers, the work plan should specify it and propose dates and times. The crisis management team's local partner can assist in providing any equipment your foreign office does not have onsite-but only if your crisis management's work plan specifies its needs in detail.
Once the data collection process is underway, your crisis management team must preserve and document the chain of custody. Usually, this task will fall to your forensic technology vendors, who should have experience in this area and should be prepared to testify, if necessary, about the methods they used to harvest and transport the data. Documenting the chain of custody generally should not fall to your attorneys, because conflicts could arise if they are called upon to testify as fact witnesses regarding how the information was collected.
In addition to documenting the chain of custody, your crisis management team should document who they collected data from, who they interviewed, and any issues that arose during the site visit. Civil disputes and internal investigations by government regulators can take years to be resolved. Documenting exactly what the crisis management team did will protect your company in the event of any discovery-related dispute.
For everyone involved in cross-border discovery, the objective is simple: to collect information in a manner that complies with all applicable laws and regulations while serving the client effectively. But though the objective is simple, achieving it is not. There is no substitute for technical and local expertise, and you should be prepared to engage both in order to effectively manage any crisis with cross-border implications.
Authors include Gary DiBianco, partner and Gary Rubin, associate at Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates; and Matthew Blake, partner and practice leader at HSNO Franklin Data.