eDiscovery Maturity Self-Assessment Test (eMSAT-1)
I took the EDRM's eMSAT test tonight, the eDiscovery Maturity Self-Assessment Test. My aim in taking the test was not to grade the actual policies and procedures of any real organization but to use my own experience and common sense to see how a typcial business might answer the questions on the test. The eMSAT is an Excel file that is available for download on this page, www.edrm.net/resources/emsat1 , that automatically records answers to questions listed on separate worksheets. The test makes evaluations in seven areas (Information Governance; Data Identification, Preservation and Collection; Data Processing and Hosting; Data Review and Analysis; Data Production; Personnel & Support; and Project Conclusion). There are multiple questions to answer in each area, and you must choose one of five answers:
1. No process, reactive
2. Fragmented Process
3. Standardized Process, Not Enforced
4. Standardized Process, Enforced
5. Actively Managed Process, Proctive
. . . showing how thorough your eDiscovery policies and procedures are. The overall average grade that I estimated (again, just really based on informed hunches) was 2.6 - showing the eDiscovery process to be fragmented overall. I made the assumption that processes would be more effective where there are institutional departments involved, and where a business has a lot at stake financially. eDiscovery for a legal case is essentially a disruptive process - something has gone wrong -- there is legal trouble -- and it interrupts the normal productive operations of a company. A firm's IT department should focus very carefully on a disaster recovery or data backup plan since this is an obvious risk and central to its main mission. The litigation hold processes ought to be very thorough, because a company's in-house will understand that there are clear legal consequences for not complying with the need to preserve data once litigation is reasonably anticipated. The processes for identifying and withholding privileged data ought to be very proactive, since nearly any business will have proprietary information will not want to fall into the hands of competitors.
I also gave a 5 for the process of producing data in a legal proceedings [that it must be proactive], because the EDRM specified that this involves the requirement that, "If metadata is important, you can produce documents in native format.", which seems to be not only standard practice these days, but is also required by courts. The option for an enforced, standardized process includes a guideline stating that, "You most frequently produce in a near-paper/near native format, where you produce text, email and most file types in near-paper form but you produce spreadsheets and databases in near-native form.", so I didn't select this since I don't think near native productions are so common, especially for spreadsheets.
I find to hard to find that there is any process in place in most organizations to deal with certain eDiscovery problems. I don't think many businesses are closly monitoring their employees' social media posts or attempting to implement eDiscovery best practices for them. It would surprise me if many companies have specific protocols in place for searching for and retrieving ESI or are considering the more advanced methodologies. It's hard to imagine a business taking resources and time away from its core operations to onboard and train new people on eDiscovery tasks that may come and go.
I would also think that most businesses have fragmented processes in place at best for dealing with data hosting or early data assessment.
It's guesswork on my part, but my image of what's going on in eDiscovery in the business world is of very fragmented efforts overall to meet legal and technical demands. See the results of mock report below.