As the volume of data collections subject to discovery rises exponentially, so too does the challenge of protecting a corporation’s confidential, proprietary and otherwise sensitive information. At the Carmel Valley E-Discovery Retreat held last week, I spoke on a panel that discussed how to identify and protect sensitive corporate ESI during the discovery process. The session was well-attended, which reflects the heightened concern among the e-discovery community about this important facet of discovery.
ESI that is sensitive enough to warrant careful handling can be found in many forms. Attorney-client privileged and work product protected information require special treatment to protect against disclosure and waiver, but other kinds of sensitive information inevitably will be found in a collection of data eligible for production including personal identifying information, compensation, bank records, credit card numbers, medical records, computer source code, customer lists, marketing plans, financial forecasts and all manner of trade secrets. Organizations must be diligent around this issue and should work with their legal teams and e-discovery providers to fashion effective, creative solutions.
The first challenge is finding these types of information in the data set. To meet the first challenge, there are a host of technology-based tools, sophisticated search techniques and data analytics that organizations can leverage to find sensitive information in a voluminous set of documents. But in many instances, good-old-fashioned human review and analysis is necessary to identify sensitive information and flag it for special treatment.
The second challenge is ensuring that the information is either withheld from production or, if subject to discovery, produced in a manner that protects the information from misuse. With respect to the second challenge, it is critical to put discovery workflows in place to ensure that sensitive ESI is not produced at all if it’s irrelevant to the dispute (or redacted appropriately if part of an otherwise relevant document), or is produced in a manner consistent with the applicable protective order or confidentiality agreement.
Someone in the audience asked if sensitive ESI could be treated like privileged information and made subject to a “clawback” agreement, so that it could be produced in discovery but pulled back at the request of the producing party if necessary. Even if clawback agreements can be used to protect some categories of sensitive ESI, they are not a panacea.
Clawbacks are not an effective solution for several reasons. First, some confidential information may be subject to legal non-disclosure requirements that a clawback cannot affect, such as SSNs or medical information covered by HIPAA. Secondly, because a trade secret must be subject to steps taken by the owner to prevent its disclosure, a cavalier production of a trade secret in litigation – even if subject to a clawback – could jeopardize the information’s status as a trade secret. Lastly, there is some sensitive information that is so valuable to an organization that it simply cannot allow the information to be seen by competitors or other third persons. As one of my co-panelists aptly observed, once that information is revealed, the “genie can’t be put back in the bottle.”