The Fortiva Blog

Posted by Alan Armstrong, VP Business Development

My final article in the FRCP readiness series is about Collection, Search, and Retrieval – the most expensive, tedious, and time-consuming element of the legal discovery process. To paint some context, allow me to start with a story about Dave, an Assistant General Counsel at a Fortune 500 company.

Recently I was in a meeting with 20 people, including Dave, where this company was evaluating  Fortiva against an in-house competitor. Fortiva was the underdog, as this in-house competitor is considered the leader in the space for companies who want to go through the hassle of managing their own email archive.

Dave was attending the meeting mostly out of obligation to review all the vendors being considered, but his underlying goal was to find a way to do better “Early Case Assessment”, to reduce the cost of collection and processing, and to just know, going in to a “meet and confer” meeting, what data can be discovered, and at what cost.

Until this moment in the meeting, Dave was fairly nonplussed with our discussion. His eyes were not glossing over exactly, but he definitely had not been enthused. We were in the middle of a product demonstration, when our SE began to show the Fortiva search capability. All of a sudden, there was a rustling of papers at Dave’s end of the room. Remember, there were 20 other people in this room, so I didn’t have eye contact with everyone. After a bit of mumbling back and forth, the project sponsor, Andy, interrupted: “I just want everyone to know what’s going on here … when Fortiva shows you this search capability, they are executing a search against their production database, not a demo system.”

It seems that Dave was flummoxed by the response time of the search.

This is not surprising:  in many cases, it can take days (or even weeks) for Legal to retrieve the results of a search request, and the request must be executed by IT. As a result, Dave was shocked and stopped the meeting to clarify what had just happened. For him, real-time search in the hands of Legal rather than just IT was a game changer.

Let’s just say Fortiva won that account over the in-house competitor who could not offer a search performance guarantee. (We challenge our competitors to offer an SLA around search).

Dave’s reaction reveals a lot about the difficulties that Legal has in meeting its objectives. Knowing what kind of data the company has and being able to search and retrieve it can be very costly and time consuming.  And because a “meet and confer” must occur within 99 days of filing, counsel must know what data exists, where it exists and the cost and timeframe of retrieval.  Dave and others in his situation have told me that it is quite common for legal to be unsure about what it can deliver and at what cost.  This can result in over-promising and under-delivering, not to mention the possibility for fines and “negative inferences”. The search technology we showed him was exciting precisely because it would enable Dave to know what he has and make a more informed decision sooner.

Bottom line, here is some advice to prepare for e-Discovery:

1. Ensure you can identify sources of data and be prepared to  start to collect, search and review relevant email data when notice of suit first received
2. Invest in real-time search technology
3. Ensure data is easily searchable to perform early case assessment

Hope this helps.

Alan

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5

Posted by Alan Armstrong, VP Business Development

“Stop recycling the tapes!” Our prospects often described this as their approach to litigation holds before implementing Fortiva.

FRCP now requires that companies place a litigation hold on data immediately upon hearing of a potential lawsuit. This means that companies cannot wait even until the lawsuit is officially filed; they must place the hold upon suspicion of an impending lawsuit.

A Litigation Hold suspends disposition of information pending the outcome of a related lawsuit. The typical approach has several problems, but the primary problem is the lack of precision; when you place a hold on a set of tapes, you are retaining all of the information on those tapes, which will certainly be more information than you are required to retain.

And with more information comes a greater cost of processing and filtering, but worst of all it increases the risk of retaining information beyond its desired retention policy.

The other problem with the typical approach to litigation holds is that they often rely on end users to refrain from deleting information. After legal makes the “backup tape retention order”, the next step is often to instruct users to stop deleting any relevant information.

Does this sound dangerous? Consider:

• When legal asks an end-user to stop deleting information related to a legal case, they are frequently asking someone under investigation to preserve incriminating evidence.
• “They have been warned” doesn’t cut it. In case you are thinking that it may be OK if an end-user deletes information, even if they do so illegally, think again. The court holds the company and its lawyers responsible for the enforcement of retention policies. For examples of this, see the Qualcomm and the Intel vs. AMD cases.

Our recent survey found that companies are largely catching on. When asked whether companies had formalized and enforced a litigation hold process for email, the results were encouraging:

These numbers are a stark contrast from our survey of March 2007, when 91% said that they had no litigation hold in place.

You may rightly ask, then, what is the alternative to the blanket approach of litigation holds. The answer lies in centralizing control of the information. In the Fortiva archive, creating and enforcing a litigation hold is as easy as a few clicks, and no action is required by end users. With this approach, you can easily implement the best practices that we recommend:

1. Empower legal counsel to oversee litigation hold process and ask IT to demonstrate that litigation holds are being enforced
2. Never rely on end users to enforce a litigation hold
3. Narrow litigation hold to include only responsive information (by keyword, custodian, date range, etc)

If you follow these directions, you will no longer have to retain “all or nothing”. Take a look for yourself.

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5

Posted by Alan Armstrong, VP Business Development

In this series we are looking at the basics of FRCP compliance. In my previous article, I pointed out that many companies fail to meet the most basic federal rules because they get embroiled in debates about retention policy. Indecision means non-compliance!

I think the reason that companies fail to decide is because they are focusing on the wrong question. Most times the debate is about whether information is a legal asset or a liability, and that question cannot be definitively answered; in some legal situations, the information will be in your company’s favor while in others, it will be against you. The trouble is, the potentially incriminating information can’t really be controlled or even destroyed (too many copies exist, and once the email is sent outside your company, you don’t have the power to destroy it). In their indecision about retention policies, companies continue to go through expensive discovery procedures, and must eventually deal with the incriminating or exculpatory information.

I suggest that you consider this issue from a different angle: Information discovered early is a strategic weapon. Forget about assets and liabilities; in every legal case you’ll have to deal with both. What can make the difference, though, is the ability to pinpoint information instantaneously. With the right information in hand, your company can use the information strategically to have cases withdrawn or dismissed before they even get to the “meet and confer”, or worse yet the costly discovery phase.

To illustrate, allow me to share the story of one of our customers, anonymously of course.

John (not his real name) described a legal action that came against his company. The company was in the middle of a very large business transaction, and a supplier sensed that the company was vulnerable to a legal attack. The suit was launched, and of course legal came to IT looking for evidence. Because John had implemented an email archive (Fortiva), and imported all historical email into the archive, he was able to instantly query the archive for relevant email.

With a small and targeted set of search results, he quickly exported the data to PST and provided it to one of the company’s contract administrators. After reviewing about 100 emails, the contract administrator pulled 16 emails that clearly demonstrated than the supplier’s claim was false.

Our customer John took those 16 emails, sent them to the plaintiff, and the case was immediately dropped. Needless to say, John was pretty proud of his foresight. Because he had retained email, he had more information than the opposing side.

Bottom line: For Legal, Email, in a searchable archive, can be more than an Asset. It can be a strategic weapon that you can use to defend your company.

So how long should you retain email? If you get beyond the false dilemma of asset vs. liability, you can let the business drive retention policy. I hope that helps you simplify the whole question.

-    Alan

PS: This argument only makes sense if you have an archive that your legal counsel can search quickly and painlessly. Most archiving software is painfully slow to search, so your legal counsel may not even have imagined it would be possible to access the “strategic weapon” on their own in 20 seconds or less. That’s why Fortiva issued the Search Challenge. As far as I know, Fortiva is the only company in the industry to contractually guarantee search performance. And if our logic is right, it won’t be easy to emulate. See our series on search for the gory details.

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5

Posted by Alan Armstrong, VP Business Development

A mentor once counseled me that the most important thing about a company strategy is to have one. It may sound trite, but it is actually quite profound; he is saying that there may be many valid strategies, but ultimately you just need to pick one, stick to it, and focus on execution.

What’s the relevance to email and document retention? In this series we’re focusing on the basics of FRCP compliance, and the first question that always comes up is: What retention policy should we implement? The FRCP guidelines on retention policies are similar to my mentor’s advice on strategy:

1. Have a policy
2. Enforce the policy
3. Be able to demonstrate that you are enforcing the policy

Were you looking for something more specific? Unless your company is regulated in some way (financial services and some healthcare companies may fall under more specific regulations), the FRCP does not specify a retention policy.

Many companies that I meet with wish that the fed would simply dictate a timeframe for retention, because in the absence of such specifics, many companies fail to decide on a policy, and as a result, fail to comply with the regulations.

Once you decide on a retention policy, you can begin to move towards compliance. I’ve seen several companies who delay and delay and delay, until ultimately they are caught in a legal situation by their own inaction.

So my primary message here is: Decide on a policy!

But how do you decide on that retention policy? Stay tuned for my next post.

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5

Posted by Alan Armstrong, VP Business Development

I described earlier how the lawyers for Qualcomm found themselves in very hot water earlier this year. When lawyers get sanctioned, the water is very very hot. As that case continues through the court I would like to look at the wider trends: how are companies responding to the changes to the Federal Rules of Civil Procedure (FRCP), and what practical measures can your company take to protect yourselves against the courts, who have become increasingly demanding about email and other e-Discovery requests.

While I’m not a lawyer, and I certainly don’t claim to be offering legal advice, I have spent a lot of time working with customers to understand the changes to the FRCP amendments and what they mean. At Fortiva, we’ve also researched how these changes are impacting businesses through independent surveys. We recently shared this information in a webcast, and based on the positive feedback, I decided it might be helpful to put it into a series of posts that will start by covering overall market trends (this article), followed by an in-depth look at the three critical areas of FRCP compliance (in future posts):

1. Enforcing retention policy
2. Litigation hold
3. Collection, search, and retrieval

For each of these areas, I will describe what the law requires, what our industry surveys tell us about what your peers are doing, and some best practices. Finally, I will wrap up the series with some thoughts on how to overcome the barriers to getting your company ready for e-Discovery.

But first let’s return to the Qualcomm case. This case is significant on its own, with its high profile and high impact to the individual lawyers, but more than that it seems to be part of a wider trend where the courts have lost patience with companies claiming ignorance or citing prohibitive costs for e-Discovery requests. Over the past year, Fortiva commissioned two surveys (March 2007 Survey & November 2007 Survey ) that measured the ongoing impact of the changes to FRCP in December 2006, and the results are quite dramatic:

Companies don’t take steps like this because they enjoy it; compliance rarely drives revenue, but as the courts have started to enforce the new rules, the financial and other costs of non-compliance have forced companies to get ready. Our January survey found that average litigation costs (excluding settlement costs and judgments) exceeded $200,000 for 51% of organizations, with 8% putting that cost at over $1M. A full 20% of companies have settled a case to avoid the cost of search and recovery of email.

A few other stats that should be cause for concern:

• 35% are not confident that emails are fully reviewed to ensure attorney-client privilege is not waived before being sent to opposing counsel during Discovery
• 47% of respondents do not agree that their legal team can effectively review relevant email in the 99-day window before the meet and confer session
• The majority of businesses have recognized the potentially negative impact e-discovery requests can have, and are doing something about it. Based on the survey, the majority of businesses are now actively taking steps to reduce their risk, meet the FRCP requirements and improve their e-discovery processes.

Is your legal team waiting for fines or sanctions to get prepared? Our surveys indicate that the majority of businesses now recognize the negative potential impacts that e-discovery requests can have and are now actively taking steps to reduce their risk. If yours is not, you’ll soon be in the minority; FRCP compliance is quickly becoming standard operating procedure.

But if you haven’t yet covered your bases, I hope you find this series of articles helps to provide some pragmatic steps to do so.

Read more on the Preparing for FRCP series - Part 1 - Part 2 - Part 3 - Part 4 - Part 5

Posted by Alan Armstrong, VP Business Development

I wrote a few weeks ago about the impact that the updated FRCP Regulations have had on Qualcomm. More specifically, I referred to the potential impact on the individual lawyers retained by Qualcomm, and the retained firm, Casebeer, who were engaged in Qualcomm’s patent litigation with rival Broadcom. 
After failing to present critical emails related to the case, the attorneys were required to defend their e-discovery processes, under threat of personal sanction.

Well, there is an update. On January 7, Judge Major entered her decision. The court accused the offending lawyers of "exceptional misconduct" for failing to properly supervise the discovery process, and referred six of those attorneys to California Bar for disciplinary review and required counsel to appear in chambers for CREDO review.

It seems to me that this is a precedent-setting case that should make legal counsels sit up and take note. The implication is that attorneys can be found personally liable for ensuring the organization they represent is effectively meeting its e-discovery requirements. What’s really scary though is that they have very little recourse if they were acting in good faith, but the organization undermines that.

I’ve been talking about this case with Arthur Smith, ESQ, of Husch & Eppenberger. Arthur calls it “The Qualcomm Dilemma”: On the one hand, client/attorney privilege does not allow lawyers use certain protected information to prove that they were following regulations. On the other hand, valuable proof may exist in those privileged and protected documents. So in this case, there may be proof that the lawyers believed that all relevant documents were being presented, but that proof will never come to light because it is protected by Qualcomm’s client-attorney priveledge.

As Arthur alliterated, counsel must Prove Prudent Practices in Preserving and Producing Electronically Stored Information. The evidence for their defense comes out of the testimony of those involved in the process, but not out of the privileged documents themselves.

She wasn’t kidding around, was she? It is the personal responsibility of lawyers to ensure that e-Discovery is done right. Paying attention yet?

Posted by Alan Armstrong, VP Business Development

Software is disappearing, or more accurately, becoming invisible, embedded, just part of the seamless fabric of everyday life.  Of course, even in a SaaS world, someone still has to conceive, design, develop, test, configure, deploy, and manage the shared environment, but as things continue to centralize, it’s conceivable that a handful of IT people will eventually be running all of the CRM systems in the world, for example.

Or so believe the watchers of NetSuite’s IPO yesterday, which was incidentally the day before Winter Solstice, a pagan holiday that celebrates the time of year when the number of daylight hours starts to increase in the Northern hemisphere, after a long descent into darkness. As I was writing this article yesterday, NetSuites performance on the day was not too dramatic, but by market close it had risen a total of 36.5%, and this after it opened at double the initial price range (Click here to see the opening day's price chart).

Channel partners seem to understand this trend. In an earlier entry , I talked about how SaaS threatens the existing model for a lot of large SIs and VARs, who make a lot of money handling the complex installation and configuration of enterprise software. A survey released this month by IDC  seems to back up my central thesis. The good news in that survey is that the large majority of Microsoft’s huge partner community already knows that SaaS will change their business model, and 70% of them see SaaS as an opportunity. I do not have the full report, but I’d like to drill down into more detail here; it’s one thing to say that you see something as an opportunity, but quite another thing to be successful as you try to exploit that opportunity. Sometimes a company’s DNA just prevents it from making the kinds of changes that may be necessary to exploit new opportunities. As the days get longer for SaaS, we shall see who profits.

The IDC results also appear to agree with my earlier comment that SIs and VARs will need to be much more savvy about the business itself, because the technology is becoming commoditized.

In recent weeks I have had a significant number of inquiries from companies who want to offer the Fortiva service to their own customers. To varying degrees, they have understood that SaaS can be good for them. Here are some anonymous examples:

• A litigation support company wants to help its clients reduce the cost of producing and processing email during a lawsuit. By putting email into an archive, the processing costs go way down, and in turn, the VAR also bills less to its customer. Why would a VAR want to bill less? Because if the VAR ignores this huge cost savings, the customer will look elsewhere. The smart guys are cannibalizing their own revenue streams because if they don’t, they won’t have a revenue stream. By extension, these VARs are finding ways to increase their business services, that is, actually ADD VALUE on top of what they RESELL. What a concept.
• A large implementation consulting company wants to add a SaaS offering as an option to on-premise software. Read that sentence again! Implementation consulting lives on the complexity of on-premise software. But with SaaS, they receive some pretty big benefits too, the most compelling of which is recurring revenue. When they sell the Fortiva service, they will get an annuity revenue stream that just keeps on paying, year after year. That gives them predictability and smoothes out the troughs and peaks that can kill any consulting firm. Moreover, they know that their customers will be demanding SaaS options, and if they can’t provide it, they will look more like product pushers than real business partners.
• An email hosting company is stumbling because of the immense cost and complexity of offering an on-premise archive as a service. They took an archiving product designed for single-tenancy and have tried to offer it as a utility for clients; a hosted model. As a result, they have to account for the actual costs of managing the in-house software, and are finding that they cannot sell it profitably; it’s just too expensive. Internal IT teams frequently underestimate the costs of management, but this hosting company can’t ignore it. They are looking to SaaS because with multi-tenancy, you get high utilization, which in turn gives you much lower costs.

So there certainly are opportunities for VARs and SIs in the world of no software. If SaaS at first looked like a deep, dark winter, in fact, there is more sunlight in their future.  But the VARs will have to get smart, and they’ll have to actually add value.

Happy Solstice everyone.

Posted by Alan Armstrong, VP Business Development

Here’s the scenario: You send a message with a 1MB attachment to ten colleagues in your company. When you do that, your email server keeps just one copy, so your message only takes up 1MB of storage. Pretty efficient, right? This idea is called Single Instance Storage (SIS), and it allows us all to share such large files without driving up storage demands more quickly than necessary.

Now, if your colleagues are anything like mine, 9 out of 10 of them will never delete the message or the 1MB attachment that you send. (And if they are anything like my colleagues, only 4 out of 5 of them will even open it, so thank goodness that they aren’t eating up all those bits for an individual copy. :))

As time passes, however, you and all of your colleagues will likely hit a storage limit, and need to delete things from their email stores. Many people do this according to date or size, so when they are notified about an impending “Quota overrun”, many of them will create local copies (PSTs) of their large and old emails so that they can continue to reference the old email when needed, but it won’t take up space on the email server.

At this point, things get really bad. Remember that when you sent this email, and until this point, your 1MB attachment was only consuming 1MB of storage. When 9 out of the 10 recipients, and you as the sender, each move the message to a local PST file, the file is copied to each person’s local or network file storage. This is not a big deal for local storage, because local disk is plentiful and cheap. The problem, however, arises, during company-wide backups.

A single backup of a 1MB file is unlikely to ever cause a problem; however, in the scenario above, the IT department is now going to consume 10MB of bandwidth, backup storage, as well as a few extra seconds of backup time, for a single file of 1MB. This happens because the backup process is not set up to recognize multiple copies of the same file.

If that were not bad enough, each time you modify, or even open, the PST file, it needs to be backed up again. Thus that 10MB file might be backed up daily for 2 weeks, or however long the IT team retains backup tapes. At that point, your 1MB file could potentially be using as much as 100MB of storage space (see Figure 1).

Some teams and some products can get around this problem of whole-cloth PST backup, but nonetheless you get the idea.

Or did you? Here it is, put in another way:

• Local copies of corporate data cause problems. They create duplication of data, consume many times more storage, consume backup space, bandwidth, and precious backup window times.
• Perhaps worse than any of those things, they take the data out of a centralized place where it can be managed as a corporate asset. Locally stored data cannot easily be disposed of as it should, and could put the company in a difficult situation in the case of a lawsuit.
• When IT imposes email quotas, the problem moves and multiplies.

What’s the solution to these problems? Well, very briefly, you should consider moving the Exchange / email data to a secondary tier of storage; to an archive. With an archive in place, IT can restrict or eliminate the use of PST files, which can have a huge impact on corporate storage resources. In fact, in our example above, it would take our 100MBs of storage space down to just 2MBs (see Figure 2).

We’ve had customers tell us that as much as 80 percent of their network storage was being taken up by PST files - getting rid of this storage hog, especially to an on-demand email archive, can have a huge impact on IT - both in terms of infrastructure and the time required to manage and backup that amount of data. Getting rid of PSTs can also significantly reduce a business’s potential exposure to legal risks by getting rid of “rogue” PSTs that don't get deleted according to any policy, and that can easily end up in the wrong place (like a disgruntled former employee's home desktop).

It’s like a game of whack-a-mole; you hit one problem but it just comes up somewhere else. But in this case, the problem multiplies a hundred fold. It seems like a paradox, but this is a case where you lose money by trying to save money: IT imposes quotas on end-user mailboxes in order to reduce the cost and burden of storing email on Exchange. But when IT whacks that mole, 10 other moles pop up in PST files across the company, and then multiply again in backup routines.

Whack that mole for good. Kill the little rodent. He’s been chewing up your storage for too long. The only real way to do it is to retain a single, central copy of the file. Might I recommend an archive?

Posted by Alan Armstrong, VP Business Development

One of my first full-time job interviews after college was with Andersen Consulting. You know them now as Accenture (and in retrospect, it was just prescient to have rebranded Andersen Consulting before the … incidents).

In any case, my interviews were back in the early 1990’s, when Groupware was all the rage. I was not offered a job, and, again, in retrospect, I am so glad that my career took another path at such an early stage. Some of my friends at the time spent several years toiling away at Andersen. For the most part they became jockeys of Lotus Notes.  At the time Andersen Consulting had made a massive “Change Management” business that usually involved a Lotus Notes implementation. A more skeptical comment might be that the “Change Management” was simply a cover for a huge Notes implementation, but I am sure that some business value was also created in many cases. When it came to implementing Notes, however, so much of the cost of these changes involved install, configuration, and maintenance of Notes its associated infrastructure.

There are many other examples that could be named, where massive businesses have been built simply to customize and configure enterprise software for individual companies. SAP, PeopleSoft, Novell, Tivoli, and CA; each has spawned its own ecology of Systems Integrators. In all cases the SIs claimed, and still claim, to “add value” to their implementation.

SaaS has become a large potential threat to this breed of company. An example from my own market: Email Archiving. The first generation of archiving solutions brought a great opportunity for Systems Integrators to install, customize and configure policies for these in-house solutions. However, as time passed, it became increasingly clear that the ongoing management of an email archive is very difficult – much harder than is anticipated by most IT departments. 

Most IT departments think of archiving as storage, and storage is, in theory, cheap and getting cheaper. But there is a lot more to archiving than storage; archiving requires data to be collected, processed, indexed, searched, and disposed according to complex retention policies. This all gets even more difficult when certain subsets of information must be put on “legal  hold” so that it is retained beyond standard retention policies to be used as potential evidence in a legal proceeding.

To manage an archive, a system must perform all of these tasks and simultaneously manage the long-term integrity, disaster recovery, and high-availability of the data. Clearly there is a lot more here than just disks and tapes.

With all of this complexity, why would a company run their own email archive? The usual objection is that companies want control over their data, and companies are concerned about security. Large companies, it is argued, can achieve the economies of scale, so they can host an application just as efficiently as an outsourced provider.   By that same argument, SMBs, because they are small, cannot achieve the economies of scale, and so they far prefer to outsource, or consume applications on demand, like a utility. No one would dispute this. But I believe the enterprise too will turn to SaaS for many kinds of applications.

The critical issue is not customer size, though initially SaaS and other hosted applications have had issues with scaling to the enterprise. (On the other hand, does anyone question whether Google Apps could handle a company of 100,000 employees?) Over time, the critical issue will become whether the application itself is, as Geoffery Moore describes, Core or Context. In Moore’s terms, core activities are those that differentiate a company, the activities that create and sustain the company’s competitive advantages. Apple, for example, is differentiated by design.

Context activities are those activities that are necessary for the company to survive, but they do not create or sustain the company’s competitive advantage. We have a receptionist in the office, and while she does important work, she does not make our company what it is in the competitive market place. To use an example closer to home, your company uses email, but do you use it in such a unique way that it adds to your competitive advantage?

Moore says that the truly great companies will essentially outsource all context activities, and focus only on the core. Apple will not outsource design, but does it really need to host its own email system? Does your company need to host its own email system?

Which brings us back to SaaS. For too long the enterprise has spent precious up-front capital and person-energy deploying all sorts of context activities and IT projects. Some argue that large companies, because of their size, can achieve economies of scale in IT, and so it makes sense to host their own applications.

But Moore says that this is a distraction, and I agree. In 5-10 years, it will appear quaint to be hosting your own email / communications server, and many other applications. SaaS is not just a delivery model, and it’s not just a consumption model. It’s a model that allows companies to invest in their core differentiators, and leave the rest to specialists.

If this is true, what is the future of the Systems Integrator? Stay tuned for my views on this in a future post.