A quick guide to understanding ediscovery rules and regulations
- Protecting all of the data it possesses or controls
- Preserving everything that may be relevant to anticipated or pending litigation
- Being able to collect, process, and produce data on request
Requirements that dictate an organization’s ediscovery obligations stem from three primary sources: U.S. rules and laws, foreign regulations, and data security standards.
To ensure compliance with ediscovery requirements, a business should adopt the following general approach:
- Determine which ediscovery requirements might apply to the business. Some key rules and regulations controlling ediscovery are listed below.
- Read and understand each rule, beginning with the purpose of the rule.
- Decide whether that rule applies to the business’s specific use case. If it applies, the business must either comply with the rule or adapt its practice to avoid the rule.
- Establish processes and tools to ensure the company’s compliance with each applicable rule.
- Formalize this approach through a written policy, employee training, and any necessary technical or software support.
U.S. Rules and Laws Governing Ediscovery
The Federal Rules of Civil Procedure (FRCP) define how federal civil cases proceed. Their purpose is “to secure the just, speedy, and inexpensive determination of every [civil] action and proceeding” in federal court. Rule 26 establishes the general provisions that govern discovery of all information. It defines the scope of discoverable information, explains how proportionality should be weighed, and provides guidelines for cooperation. Rule 37 delineates the sanctions or penalties that apply if a party doesn’t fully cooperate in discovery. To comply with the FRCP, companies must preserve all information that is relevant to any legal claim or defense, beginning as soon as litigation is reasonably anticipated.
The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive patient data related to healthcare or health insurance. Its privacy rule “protects the privacy of individually identifiable health information, called protected health information (PHI).” The security rule establishes “a national set of security standards for protecting” electronic health information. To comply with HIPAA, companies with healthcare information must strictly limit unauthorized access to PHI and audit the access and activity related to that data.
Foreign Regulations Affecting Ediscovery
In the European Union (EU), as of May 25, 2018, the use of individuals’ personal information is governed by the General Data Protection Regulation (GDPR). This new regulation provides heightened data privacy protections for EU citizens, including the “right to be forgotten.” It applies to any business that offers goods or services to European residents or handles their personal data. To comply with the GDPR, businesses must limit their possession and use of individuals’ personal data, keep all personal data secure, and allow individuals to control that data. Businesses that seek to avoid the GDPR must ensure that they are not obtaining any personal data from EU residents.
For now, the Privacy Shield framework also applies when a business transfers personally identifiable information (PII) between the EU and the United States. To comply with the Privacy Shield’s certification process, businesses must protect European residents’ data, not just from data breaches but also against U.S. government surveillance. Note, though, that Privacy Shield certification does not guarantee GDPR compliance.
Data Security Standards
Finally, all ediscovery materials should be protected by the highest possible data security standards, such as those found in System and Organization Controls (SOC) 2® Type 2 certification. These standards, issued by the American Institute of Certified Public Accountants (AICPA), ensure that data is secure, available, processed with integrity, confidential, and private. To maintain data security compliance, businesses should only work with vendors and web hosting applications that hold a current SOC 2 Type 2 certification.
In ediscovery, compliance means meeting the obligations of all applicable rules and laws for every jurisdiction where an organization does business.