Understanding E-discovery Risks

Internal auditors familiar with electronic discovery processes can recommend policies and practices to prepare organizations for data requests.


Electronic discovery, or e-discovery, is the collection, preparation, review, and production of electronically stored information (ESI) during litigation discovery. ESI encompasses virtually all forms of digital information, and legally it is treated as a document, subject to the same rules that apply to physical evidence.

In the United States, e-discovery is governed by the Federal Rules of Civil Procedure (FRCP), the body of rules that governs court procedure for civil suits in U.S. district courts. Historically paper-centric, the FRCP underwent several substantive revisions that went into effect in 2006 in response to the growing reliance on ESI. These changes require organizations to manage their data so that it can be produced completely and on time during the legal discovery process.

The Electronic Discovery Reference Model (EDRM) was placed in the public domain in 2006 in response to the FRCP changes to provide a common, flexible, and extensible framework for the development, selection, evaluation, and production of ESI (see "The Six Stages of the EDRM Process" below). Auditing the organization's e-discovery process typically does not end up on the annual audit plan. However, conducting an examination of this area may uncover unexpected dividends in the form of recommendations addressing improvements in e-discovery process efficiencies, cost-cutting opportunities, and enhanced security of nonpublic information (NPI) mandated by government privacy laws.

E-discovery Risks 

Collectively, the EDRM stages raise numerous risks that management should be concerned about, including faulty processes, NPI regulatory noncompliance, and spoliation (i.e., the improper destruction of physical documents or ESI, whether through a conscious decision or by not following the right processes). A broken chain of custody also could detrimentally affect the confidentiality, integrity, and availability of ESI and NPI.

Social Media

With social media content increasingly both discoverable and a source of liability, organizations lacking policies governing the use of their own social media accounts may be at risk. In addition, the absence of social media training may put personnel at risk should company information find its way onto employee social media accounts and personally owned computers and mobile devices. In that scenario, employees may be subpoenaed and have their personal equipment seized during litigation. Inadequate mobile device policies covering both company-owned and employee-owned devices introduce additional concerns, including expanded data leakage risks and discoverable ESI/NPI outside the organization's control.

Multinational Companies

The absence of an enterprisewide discovery program that addresses overseas subsidiaries and affiliates may put organizations at risk of noncompliance with foreign discovery and privacy laws. U.S. courts have demonstrated that a foreign-based party to litigation generally must comply with discovery requirements under the FRCP. For U.S. companies operating abroad, the Hague Evidence Convention (HEC), which covers international requests for evidence, may apply. As of 2011, 58 member states had acceded to the HEC, which allows evidence to be taken in one member state for use in another without recourse to consular and diplomatic channels. Within the European Union (EU), Council Regulation No. 1206/2001, which provides similar rules for EU member states, largely has superseded the HEC. However, neither instrument currently addresses e-discovery or privacy requirements, which forces organizations to comply with nation-specific regulations.


The lack of adequate data classification, retention, and destruction policies for physical documents and ESI can increase spoliation risks and make organizations susceptible to the risks that arise when items are kept beyond their required life spans:

  • Increased physical and computer data storage costs.
  • Discovery of evidence that could prove detrimental to the organization's case.
  • Reputational harm should unfavorable information go public.
  • Expanded discovery costs resulting from the review and production of retired records.
  • Legal fines, penalties, sanctions, and judicial adverse inference instructions resulting from inappropriate record management practices.


The EDRM production stage presents a challenge for organizations regarding how to protect ESI/NPI once it's in the hands of the litigants because protection of NPI is still needed regardless of who has possession.​

Mitigation Strategies

Nation-specific Data Protection and Privacy Laws

One of the biggest challenges involving international e-discovery and safeguarding of personal information is exemplified by the clash of cultures and the sheer number of different treaties, laws, and regulations that exist between countries. 

European Union 

The EU relies on the Data Protection Directive (Directive 95/46/EC) governing the protection of individuals with regard to the processing of personal data and its movement between member states and "third" countries, the term EU legislation uses for non-member countries. Under this directive, personal data may be transferred to a third country only if that country provides an adequate level of protection. Furthermore, some member states such as France impose additional restrictions on the export of personal information that require separate compliance. (Directive 95/46/EC has since been repealed by the General Data Protection Regulation, Regulation (EU) 2016/679, applicable since May 25, 2018; the GDPR retains the requirement that transfers to third countries rest on an adequacy decision or other approved safeguards.)

Pacific Rim 

Several countries within the Pacific Rim, including Australia, China, Hong Kong, India, Japan, Singapore, South Korea, and Taiwan, have enacted laws and blocking statutes that restrict the use and movement of electronically stored information and personal information beyond their borders. Other Pacific Rim countries are considering similar measures that are in various stages of development.

Based on risk concerns, internal audit should consider evaluating the organization's e-discovery processes to ensure that adequate controls exist to mitigate risks. The organization's e-discovery standards and procedures to address how to manage ESI requests and protect NPI throughout the EDRM life cycle should be documented and approved by management.

To help the organization prepare for the discovery-planning conference required by FRCP Rule 26(f), an ESI data map should identify custodians for each ESI source, inventory the systems that store and process ESI, and establish ownership of ESI record retention processes. An up-to-date ESI data map will facilitate the processes associated with EDRM's Information Management and Identification stages.

Document Preservation Notice

Ideally, a designated legal department representative should be authorized to accept a summons or complaint, so the organization is not blindsided by requests handled elsewhere. Upon receipt of a summons, or as soon as litigation is reasonably anticipated, the legal department should notify IT and other relevant departments that an action involves a request for ESI by issuing a document preservation notice (DPN). The DPN initiates a legal hold that requires preserving ESI pertinent to the matter; the duty to preserve arises when litigation is reasonably anticipated, and FRCP Rule 26(f) requires the parties to discuss preservation of discoverable information at their conference.

Employees should suspend deletion, overwriting, or any other destruction of relevant information, and automatic functions such as scheduled email deletion should be disabled, to prevent spoliation. Automated deletion processes should remain deactivated until the legal hold has been lifted. Any new ESI created after the DPN is issued also must be preserved if it is relevant to the matter. Once the preservation obligation ends, the legal hold can be rescinded so normal archival and deletion processes resume. Key stakeholders in the e-discovery process should be identified to ensure they are involved sufficiently to comply with FRCP Rule 16 on pretrial conferences.
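The preservation logic described above, as an added example that is not from the article or any product: a Python retention sweep in which a legal hold, scoped by custodian or matter keyword rather than by date, blocks deletion of every record it covers, including records created after the notice, while records with no retention classification fail closed and are kept. The retention schedule, matter names, custodians, and records are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical retention schedule in years per record category (constructed values;
# a real schedule comes from the approved retention policy).
RETENTION_YEARS: Dict[str, int] = {"email": 3, "chat": 1, "crm_record": 7}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    custodian: str
    created: date
    keywords: frozenset = frozenset()


@dataclass(frozen=True)
class LegalHold:
    matter: str
    issued: date                     # date the document preservation notice went out
    custodians: frozenset
    keywords: frozenset = frozenset()
    released: Optional[date] = None  # set only when legal rescinds the hold

    def active(self, today: date) -> bool:
        return self.issued <= today and (self.released is None or today < self.released)

    def covers(self, rec: Record) -> bool:
        # Scope is custodian or subject matter, never creation date, so ESI created
        # after the notice is still preserved when it is relevant.
        return rec.custodian in self.custodians or bool(self.keywords & rec.keywords)


def retention_expired(rec: Record, today: date) -> bool:
    return rec.created + timedelta(days=365 * RETENTION_YEARS[rec.category]) <= today


def sweep(records: List[Record], holds: List[LegalHold], today: date) -> Dict[str, list]:
    """Classify every record; only the 'delete' list may be handed to the deletion job."""
    result: Dict[str, list] = {"delete": [], "held": [], "retain": [], "unclassified": []}
    active_holds = [h for h in holds if h.active(today)]
    for rec in records:
        if rec.category not in RETENTION_YEARS:
            # Fail closed: an unclassified record is never a deletion candidate.
            result["unclassified"].append(rec.record_id)
            continue
        blocking = [h.matter for h in active_holds if h.covers(rec)]
        if blocking:
            result["held"].append((rec.record_id, blocking))
        elif retention_expired(rec, today):
            result["delete"].append(rec.record_id)
        else:
            result["retain"].append(rec.record_id)
    return result


def run_example() -> Dict[str, list]:
    today = date(2020, 6, 1)
    holds = [
        # Hypothetical matter; hold issued 2019-01-01 and still in force.
        LegalHold("Smith v. Example Corp", date(2019, 1, 1),
                  custodians=frozenset({"alice"}), keywords=frozenset({"projectx"})),
        # Hold on dave's records, released at the end of 2019: no longer blocks deletion.
        LegalHold("Closed matter", date(2018, 1, 1),
                  custodians=frozenset({"dave"}), released=date(2019, 12, 31)),
    ]
    records = [  # constructed sample records
        Record("r1", "email", "alice", date(2015, 1, 1)),        # expired, but alice is a custodian
        Record("r2", "email", "bob", date(2015, 1, 1)),          # expired, nothing blocks deletion
        Record("r3", "chat", "carol", date(2020, 3, 1), frozenset({"projectx"})),  # created after the DPN, held
        Record("r4", "crm_record", "dave", date(2010, 1, 1)),    # expired, hold on dave was released
        Record("r5", "email", "erin", date(2019, 1, 1)),         # within retention
        Record("r6", "voicemail", "frank", date(2012, 1, 1)),    # no retention class: kept
    ]
    return sweep(records, holds, today)


if __name__ == "__main__":
    for bucket, items in run_example().items():
        print(bucket, items)
```

The sweep is the only component allowed to feed the deletion job, and it reports why each record was kept, so the log itself documents the hold's operation if sanctions for spoliation are ever argued.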

Chain of Custody

The chain of custody process should be documented and demonstrate to the court that all parties involved are meeting the requirements addressing the integrity and safekeeping of ESI. This includes processes used for the creation of forensically sound copies of electronic evidence per FRCP Rule 34(b) on document production and provides information associated with production efforts, including:

  • Authorization and authentication.
  • Title transfer during pick-up and media hand-off.
  • Security of media in transit.
  • A certificate of data deletion and media disposition.
  • Any access to media content throughout the EDRM process.
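A forensically sound copy is demonstrable only if its hash is recorded at acquisition and re-verified by the receiving party at every hand-off in the list above. The following Python custody log, an added example that is not from the article or any product, does that: each entry commits to the evidence hash and to the previous entry, so both an altered copy and a rewritten log entry are detectable. The evidence bytes, actor names, and timestamps are constructed.

```python
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # 'prev' value of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: Dict) -> str:
    # Canonical JSON so the hash is reproducible regardless of key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def acquire(evidence_id: str, media: bytes, actor: str, when: str) -> List[Dict]:
    entry = {"seq": 0, "event": "acquired", "evidence_id": evidence_id,
             "sha256": sha256_hex(media), "actor": actor, "time": when, "prev": GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    return [entry]


def handoff(log: List[Dict], event: str, from_actor: str, to_actor: str,
            media_as_received: bytes, when: str) -> bool:
    """Record a custody transfer. The receiving party re-hashes the media it holds;
    a mismatch is logged rather than silently dropped, and reported to the caller."""
    observed = sha256_hex(media_as_received)
    ok = observed == log[0]["sha256"]
    entry = {"seq": len(log), "event": event, "evidence_id": log[0]["evidence_id"],
             "sha256": observed, "verified": ok, "from": from_actor, "to": to_actor,
             "time": when, "prev": log[-1]["entry_hash"]}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return ok


def verify_log(log: List[Dict]) -> Tuple[bool, bool]:
    """Return (chain_intact, evidence_consistent): the first detects edited or removed
    entries, the second whether every hand-off saw the original bit for bit."""
    chain_ok = log[0]["prev"] == GENESIS
    for i, e in enumerate(log):
        if e["entry_hash"] != _entry_hash(e):
            chain_ok = False
        if i and e["prev"] != log[i - 1]["entry_hash"]:
            chain_ok = False
    evidence_ok = all(e["sha256"] == log[0]["sha256"] for e in log)
    return chain_ok, evidence_ok


def run_example() -> Tuple[List[Dict], List[bool]]:
    # Constructed sample: a small mailbox export standing in for a forensic image.
    original = b"From: alice@example.com\r\nSubject: Q3 forecast\r\n\r\nNumbers attached.\r\n"
    log = acquire("EV-0001", original, "forensic examiner", "2020-06-01T09:00:00Z")
    outcomes = [
        handoff(log, "collection to transport", "forensic examiner", "courier",
                original, "2020-06-01T11:00:00Z"),
        handoff(log, "transport to review vendor", "courier", "review vendor",
                original, "2020-06-02T08:30:00Z"),
        # The copy that reaches litigation support was altered: two bytes changed.
        handoff(log, "vendor to litigation support", "review vendor", "litigation support",
                original.replace(b"Q3", b"Q4"), "2020-06-03T10:00:00Z"),
    ]
    return log, outcomes


def tamper_demo() -> Tuple[bool, bool]:
    # Someone rewrites a past entry after the fact; the chain check catches it.
    log, _ = run_example()
    log[1]["to"] = "unknown"
    return verify_log(log)


if __name__ == "__main__":
    log, outcomes = run_example()
    print("hand-off verifications:", outcomes)
    print("chain intact, evidence consistent:", verify_log(log))
    print("after editing an entry:", tamper_demo())
```

In practice the log is stored separately from the media and each entry is signed or countersigned by the party taking custody; the hash chain shown here is what makes later edits to the record visible, not what proves who made them.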

Cloud Computing

Throughout the EDRM life cycle, cloud computing services should be discouraged because reliance on outside vendors could compromise the chain of custody. If avoiding cloud services is not feasible, contractual language that addresses e-discovery support (for example, preservation on notice, export formats, and retention of access logs), or affidavits from the provider vouching for chain-of-custody integrity, should be considered.


Data classification, retention, and destruction policies should be documented, approved, and followed for the categories that contain ESI:

  • Structured — data warehouse records, databases, customer relationship management, and enterprise resource planning records.
  • Semi-structured — email, instant messaging, wikis, blogs, SharePoint, and voice over IP.
  • Unstructured — word-processing documents, spreadsheets, audio files, video files, and slide presentations.

Email and Social Media

Although email historically has been the most common type of ESI requested, recent trends point to increased demand for social media and mobile device messages. Organizations should take an inventory of what social media sites are being used along with measures to educate employees on their associated risks. In addition, organizations should consider backing up their own social media use to mitigate potential spoliation risks.


Data management processes should exist to identify and delete data that have no business value or contain extraneous NPI scattered throughout the enterprise. Unwanted NPI can lead to increased data leakage risks and expanded ESI production efforts. Accordingly, management should consider eliminating unnecessary data using duplicate file removal software.
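As an added example of the data-management step above (not code from the article or any product), the following Python triage finds exact-duplicate files by content hash and flags files that contain NPI patterns, using a structural check for U.S. Social Security numbers and a Luhn check for payment card numbers so that arbitrary digit strings are not reported. It only reports; what to delete is then decided by the retention process, which must still honor any legal hold. The file set and its contents are constructed, and the card number is the standard Visa test value.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# U.S. SSN shape: rejects area 000/666/9xx, group 00, and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or hyphens; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text: str) -> List[Tuple[str, str]]:
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        token = m.group().strip(" -")
        digits = re.sub(r"\D", "", token)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", token))
    return hits


def triage(files: Dict[str, bytes]):
    """Return (duplicate groups keyed by SHA-256, NPI hits keyed by path)."""
    by_hash = defaultdict(list)
    for path, data in files.items():
        by_hash[hashlib.sha256(data).hexdigest()].append(path)
    duplicates = {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}
    npi = {}
    for path, data in files.items():
        found = find_npi(data.decode("utf-8", "replace"))
        if found:
            npi[path] = found
    return duplicates, npi


def run_example():
    files = {  # constructed sample files standing in for a file-share crawl
        "hr/benefits.txt": b"Enrollment form. Employee SSN: 123-45-6789. Plan: PPO.\n",
        "sales/notes.txt": b"Customer paid by card on file: 4111 1111 1111 1111.\n",
        "sales/notes copy.txt": b"Customer paid by card on file: 4111 1111 1111 1111.\n",
        "eng/readme.txt": b"Build 2020.06. Tracking ticket 4111111111111112 opened.\n",
    }
    return triage(files)


if __name__ == "__main__":
    dups, npi = run_example()
    for digest, paths in dups.items():
        print("duplicate set", digest[:12], paths)
    for path, hits in npi.items():
        print("NPI in", path, hits)
```

The Luhn check is what keeps the 16-digit ticket number in the readme out of the report; a scanner without it would flood reviewers with false positives and, worse, send harmless files through the NPI handling path.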

Processes also should exist to ensure copies of requested ESI/NPI are preserved. Failure to do so may result in incurring additional time and expense to recreate what was originally provided in the event a data breach takes place while under the requestor's custody. This becomes especially relevant when NPI is lost or stolen from organizations that need to comply with privacy breach notification laws.

E-discovery processes should not rely solely on backup tapes for ESI. Backup tapes are intended for the indiscriminate backup of data and can result in increased costs and expanded search efforts, are subject to degradation over time, and are not well-suited for long-term storage. Instead, a solution might be to retain selected information for specified periods using enhanced ESI search capabilities.


Programs should exist to ensure that employees understand e-discovery procedures, including the handling of ESI/NPI throughout the EDRM life cycle. Wherever practical, automated archival, retention, and deletion processes should be considered; they reduce the spoliation risks associated with manual processes and support the FRCP safe-harbor protection for ESI lost through the routine, good-faith operation of an electronic information system.

Multinational Companies

An enterprisewide e-discovery program tailored to comply with international ESI and privacy requirements should be in place for organizations operating abroad. Organizations lacking in-house expertise should consider engaging legal firms residing in the countries of operation as well as consulting firms specializing in these areas.


In the production stage of the EDRM process, ESI/NPI is frequently delivered to requesting parties by email, which often is insecure. Consequently, precautions such as a mutually agreed-upon encryption process to secure email in transit, download of ESI/NPI from a secured Web portal, or delivery as password-protected archive files should be considered. Note that the legacy ZipCrypto password scheme used by many zip tools is cryptographically weak; choose a tool that applies AES-256 to the archive and send the passphrase through a channel other than the one carrying the file. Manual delivery of ESI/NPI on removable media should likewise be secured with encryption and password protection.

The inadvertent delivery of privileged information to opposing parties that must be returned or destroyed becomes a concern if ESI/NPI is involved. Litigants should be instructed to secure the data upon return or destroy it to render it unrecoverable. When ESI contains NPI, a notification should be sent by the legal department to opposing parties to impart the organization's expectations for NPI security and protection. Parties that submit a legal claim for ESI/NPI typically do not have a contractual relationship with the respondent and therefore are not obligated to protect ESI/NPI; comply with the organization's archival, retention, and destruction policies; or provide notice should a data breach or leak occur. As such, an ESI requestor notification process should spell out:

  • The expectation that the requestor will exercise due care to secure and protect the respondent's NPI.
  • The requestor's obligation to notify the respondent's designated representative in the event a data breach or leak of the respondent's NPI takes place while it's under the requestor's custody.
  • The respondent's right to seek legal remedies, including compensatory damages, incurred costs, regulatory fines, and penalties, should the breach occur as a result of the requestor's negligence.

The delivery receipt feature should be enabled when email is used to send the ESI requestor notification, to confirm that the message was received. Delivery receipts are generated by the receiving mail system and can be suppressed, so they confirm at most that the message arrived; a logged download from a secured portal is stronger evidence of receipt.


Installing integrated archival software is a best practice that can address the capture, indexing, storage, security, retention, and discovery of ESI. By consolidating ESI silos with search, retrieval, and e-discovery functionality, this option can facilitate EDRM management and provide numerous benefits such as:

  • Providing automatic capture of email messages and attachments within a centralized repository.
  • Furnishing tools to help classify the content of email and files and apply the appropriate retention periods.
  • Preserving copies of all requested ESI/NPI data files.
  • Saving the organization time, money, and resources.
  • Supporting EDRM processes that are consistent and repeatable.

The archival solution can be integrated with a virtual data room (VDR) that provides ESI document sharing via a secured Web-based portal. Advantages of using a VDR include the ability to bundle ESI/NPI requestor notifications along with the subpoenaed items to assure delivery, provide logging capabilities to track all requests, and reduce production delivery channels.

Stay Proactive

Organizations that lack a formal e-discovery program may be scrambling should a request for ESI come their way. It may be worthwhile for internal auditors to start a dialogue with management to determine the feasibility of conducting an audit. By taking a proactive approach, internal audit can promote education on e-discovery risks and advocate solutions to help steer the organization clear of potential legal fines and sanctions.
