Category Archives: Backup & Recovery Systems

e-Discovery California: Go See Cal!(PERS) about Retention Policy Pitfalls


 

Retention policies.

Can't live with 'em…can't live without 'em.

Damned if you do…damned if you don't.

Very few people like change, especially in corporate environments.  It's just another burden to bear.  If something's changing, you know what'll follow: a meeting, memo, or training.  Who wants that?

Rolling out a retention policy will usually result in a lot of complaining, but when coupled with all of the complex, new eDiscovery regulations, it gives you something else to worry about – even if you have no anticipated litigation at the time the policy is implemented (notice I didn't say 'pending', which isn't the proper standard).

Just ask CalPERS, aka the California Public Employees' Retirement System.  CalPERS implemented an internal 60-day retention policy – and apparently didn't bother to tell anyone.  Furthermore, they gave 2,300 of their employees discretion over what additional ESI should – and shouldn't – be kept.

Oh, did I mention they're currently under state and federal investigation?

It's prudent to be aware that, no matter when a retention policy is implemented, your opponents will always have an interest in claiming you're committing misconduct by deleting evidence of…misconduct.  Therefore, I routinely suggest that, prior to implementing – or modifying – a retention policy, a thorough review of current status should be performed – just in case you have to explain it to the judge.

e-Discovery California: Upcoming Presentations & Activities – May/June 2011

I thought it might be a good idea to share my presentation & conference schedule for the next couple of months…this will also explain why I haven’t had as much time to post; I have deadlines!

May 17-18th:  As mentioned prior, I’ll be attending LegalTech next week in downtown Los Angeles.  At the moment, I’m planning to attend both days.

June 1st:  I’m presenting a one-hour CLE for general credit at the Los Angeles County Bar Association Litigation Section Inn of Court, titled, “How to Lose an eDiscovery Case in 30 Days“.  The synopsis:

“The steps you take in the first 30 days leading up to the initial ‘Meet & Confer’ can make or break your case.  This program will discuss what to do before, during and after to keep you on track.”

June 24th:  I’ll be making two one-hour CLE presentations in the computer lab (.5-hour general & .5-hour ethics credit, limited to 25 people per lab) at the California Bar’s Solo and Small Firm Summit at the Anaheim Marriott, titled, “Earth, Wind, Fire, Flood & ESI: Disaster-Planning for the Law Office“.  The synopsis:

“A ‘disaster’ encompasses a lot more than you might think. The ‘physical’ office is covered; what about the ‘virtual’ office? If you suffer a catastrophic failure on Monday, can you be back in business Tuesday morning? Are there ethical issues? It’s 2 am. Do you know where your data is?”

Hey, that’s what I get for writing synopses at the last minute, late at night.  How many times do you think a tech-weenie like myself has used the line, “It’s 2 am. Do you know where your data is?”  (Answer: Too many times!!!).

I’m sure Hillary Clinton thanks me.


 

EC2 Say, Amazon…Not So EC2 Do…


 

Folks, I'm not going to bag on Amazon.com too much for their Elastic Compute Cloud (EC2) failure; I'm sure they're getting enough flak from their customers.  However, this is why I dislike any absolute statements when we're dealing with this type of technology.  Technically, they're right.  You don't have to worry about the cloud.  You do have to worry about your cloud.

The cloud may have a backup plan for you.  Do you have a backup plan for your cloud?

Glossary of Excuses

Risk.  What is it, exactly?  Here are a few good definitions:

"The possibility of suffering harm or loss; danger."

"Product of the impact of the severity (consequence) and impact of the likelihood (probability) of a hazardous event or phenomenon."

"The quantifiable likelihood of loss or less-than-expected returns."

"The amount of statistical gamble that someone (usually management) is willing to take against a loss. That loss can for example be either in profits, reputation, market share, or franchise."

Ok…so, knowing that all of this is on the line, why do I keep hearing words like, "Underestimated", "Miscalculated", "Unexpected" and "Unanticipated" every time something goes wrong?

I'm unimpressed.

The latest is the crack (or should I say, sun roof) that appeared in the fuselage of a Boeing 737.  As either lawyers or techies, our miscalculations are bad enough, but when these people miscalculate (as in our previous study of Japan's nuclear mishap), other people die!

As a human being, I have to at least give Boeing credit for stepping up to the plate and publicly acknowledging their mistakes.  As an attorney?  Well…that's another matter, entirely.

A company I worked with many years ago hadn't implemented any disaster-planning.  When their catastrophic event occurred (prior to my arrival), they were essentially out of business for close to three weeks before the systems could be rebuilt.  In another incident, one of my direct reports was fooling around with an Exchange server and ended up accidentally deleting one of the accounts.  Too bad it happened to belong to the CEO…

Yep, disregarding risk may result in a death…but in our disciplines, it's more likely to be one of us!

Japan Epilogue: (Un)Safe Harbor: 10% x 50 Years = Prison?


We started with a premise:  A disaster has occurred.  What now?

We segued into a limited examination:  Were we properly prepared?  Why or why not?

Now, comes the all-too-familiar Watergate-esque finale:  What did we know; and when did we know it?

According to this comprehensive report, officials were warned that there was a 10% risk within a 50-year span of a tsunami swamping the protective barriers of the Fukushima Dai-ichi nuclear power plant – and disregarded it.  What result?

  • Human toll: incalculable
  • Environmental damage due to radiation contamination: incalculable
  • Damage to 'hard assets' (plant, equipment, etc): incalculable
  • Near-term cost to replace loss of % of daily supply of electricity to Japanese citizens: incalculable
  • Evacuation and relocation costs: incalculable
  • Current financial losses to shareholders of TEPCO: $30 billion of market value
  • Errors and Omissions losses to insurance carriers: incalculable

I could go on, but you get the idea.  Now for the bad news.  That's not the worst of it.  How about:

  • Liability of executives, government officials, etc. for negligence.  I'm referring to all liabilities (i.e., not just financial issues), since some parties may enjoy sovereign immunity; but that doesn't address their political liabilities.
  • Liability of executives, government officials, etc. for criminal negligence.  Think that it isn't a distinct possibility?
  • Liability of corporate executives to their shareholders for massive losses due to lack of reasonable prudence.

You know what?  I have to stop now.  This feels ghoulish.

The point I'm making is, certainly, this is about as bad as a disaster gets, but we can all learn from it because there's only one item we need to change – scale.  Plus, the most important thing relevant to us in the real-life case study we're now seeing is what happens when we're wrong.

Worried eDiscovery clients always ask me how they're ever going to do everything right.  I tell them, there is no such thing.  It's impossible to anticipate everything, but as a rule of thumb, the fallback position is the basic negligence standard:

Knew, or should have known.

If they acted in good faith based on what they knew or should have reasonably anticipated at a given point in time – and present a defensible position as to why they acted – they'll likely preserve safe harbor.  Naturally, one can never completely account for the odd rogue judge.  The day all judges rule alike is the day I give a specific answer.  In the meantime, you do the best you can.

The key is in making sure you have the appropriate harbor pilot.

Japan Redux: You can lead a Board to Water, but you can’t make them Drink

It's been roughly two weeks since the devastating events in Japan.  As I mentioned in my initial post regarding their disaster-recovery efforts, we weren't going to know all of the elements we needed to know at that time in order to make an assessment – and we don't know them now.  On the other hand, we know enough to put them under a magnifying glass.  If you're part of a disaster-preparedness team, a cursory examination of their nuclear mess is a true 'teachable moment'.

Why do I keep harping on this?  Because litigation may take on all of the elements of a disaster-recovery operation in that out of nowhere, you're tasked with finding, restoring and producing massive quantities of information – possibly from several sources and/or geographic locations.  And, somebody has to pay for it (Zubulake, Toshiba, et al).  Oh, and tick-tock – the clock is ticking…

Let me preface this by saying that armchair quarterbacking is easy – and this is not a 'bash Japan' post.  You don't kick someone when they're down (but you do try to learn from their mistakes).  Nor is it an "I told you so" post – at least, not by me.  Let's be honest, for a moment.  Sometimes, when a person says "I told you so", they really did tell you so.  So what?  The issue isn't what they told you, the issues are:

  1. Did they tell you something of substance?
  2. Did they provide facts & figures to support it?
  3. Were they qualified to make the assessment? (i.e. on what basis should you rely on their opinion?)
  4. Was it relevant to the concerns at hand?
  5. If you answered 'yes' to one through four, did you give their information careful, deliberative and proper consideration?
  6. Did you solicit, collect and examine supporting and/or dissenting viewpoints to confirm/contradict the opinion?
  7. Was a 'Cost vs. Benefit' analysis performed?
  8. Did you adopt all (or some) of their recommendations?
  9. Why?
  10. Did you dismiss all (or some) of their recommendations?
  11. Why?
  12. Have you properly assessed every possible risk?
  13. Are you qualified to answer question #12, and if not, what other sources should you consult? ("Know what you don't know")
  14. What is the timetable to re-convene in order to re-assess the situation and modify the plan, if necessary?

[Add your own questions here]

What are questions nine and eleven about?  You should always be prepared to justify and/or defend your position.  After all, you may have to persuade your bosses today, but you never know who you might have to persuade tomorrow (I'm thinking…a judge?  A jury?)

Last night I read this article from the Washington Post (and others over the past few days) regarding how the Japanese authorities considered risk when assessing how to protect their nuclear plants.  In my opinion, if you commit to the short amount of time necessary to read the entire story, you'll learn more about disaster-preparedness than you ever could in a classroom; unless, of course, they're studying this disaster.

In an island nation, surrounded by volcanic activity, "experts" didn't even consider a major tsunami as part of the plan for the Fukushima Daiichi power plant because it was considered "unlikely".  But, here's an even better question, raised at the conclusion of the story:

"To what degree must regulators design expensive safeguards against once-a-millennium disasters, particularly as researchers learn more about the world’s rarest ancient catastrophes?"

Which leads me to the obvious follow-up:

  1. If a catastrophe occurs that exceeds our level of protection, what will be the likely result?
  2. Was this factored into our 'Cost vs. Benefit' analysis?

Two weeks ago, the experts may have thought that the risks were worth it.  But now that radiation is showing up in drinking water as far away as Tokyo?  My guess is, they wish they'd built the retaining walls a few feet higher.

"Nobody anticipated…"

Voyeurism: eDiscovery Style

So, my PDA was working fine this morning…then it wasn't.  A total and complete software crash.  I traced it down to an offending app, but it completely hosed (thank you, Canada) the O/S.  And of course, I'm out of town!  So, I located my carrier's nearby retail outlet and headed on over.  They couldn't repair it, even with their "push" software.  However, due to my predicament (out of town and desperate), they were able to swap me over to a new device.  Awesome!

How did I reward them for their excellent customer service?  By hounding the poor tech, first by insisting that he had to wipe my prior device clean and second, by insisting that he show me how he was going to do it, then let me watch.  The store was full, they were busy and I caught a person or two rolling their eyes at my request, but I persevered.

Quite frankly, the tech understood when I explained that as an attorney, there was confidential client info on the device and our ethics rules compel us to protect it (that, or he thought I was just making it all up so he would delete porn, or something…hey, as long as I get it done, let him imagine whatever he wants!)  But take note; I protected client information – as I'm obligated to do – and, I had a recent backup available on my laptop, so I lost virtually nothing.  Good for me; good for my clients!

Sadly, this is the eDiscovery equivalent of voyeurism.

e-Voyeurism?  Nahhhh…

True Disaster-Recovery: What Japan Teaches Us

What if?  Those two words form the initial basis of a disaster-recovery conversation.  Like you, I've seen the heartbreaking pictures from Japan and what gets me is, a country that is known for having the best earthquake-disaster-preparedness in the world has suffered tremendous losses in spite of that fact.

The best laid plans…

Japan's nuclear facilities prepared for a monstrous earthquake, but not an 8.9.  Is there any way to plan for an 8.9?  And if so, at what cost?  Obviously, when contrasted with the devastation we've seen – and may yet see – I wouldn't blame you if you said money is no object.  But in reality, we're rarely given a blank check.  We're required to work within parameters; sometimes very constrictive ones.

Lessons learned:  No matter how thoroughly you plan, it's impossible to prepare for absolutely every contingency that may befall you.  In the future – when memory of this disaster has faded and the passage of time blunts the impact – when envisioning a worst-case-scenario for your disaster-recovery program, if those around you are prone to cut corners, remember Japan.

Nuthin’ but a “G” Thang

I'm probably the last to comment on the Gmail/cloud issue – and you already know my opinion of cloud computing – agnostic.

We find that almost anything in life is great…when it works. When it doesn't?

Where the mistake is usually made is in the assumption that things always work. We pick up the landline, expect the dial-tone to be there and are shocked if it's not.

If I wasn't an eDiscovery dude, I'd probably sell insurance like my grandfather. Maybe I learned something about disaster-planning by observing him.

If you're going to use the cloud, institute a backup plan and stick to it – or make sure your provider is doing so.

Oh, and don't forget to test it regularly, in order to avoid 'Chronic' problems – such as getting into a David-and-Goliath war with a 3rd-party like Google.