Summary of the FTC's Model Second Request - Part 2


Here's a continuation of last night's tip on the FTC's Model HSR Second Request. The definitions and instructions at the end of the model help make clear how the FTC expects electronic discovery to be conducted.

The definition for 'data map' specifies that it should be a list or diagram which shows physical and electronic information in a company's possession, custody, or control, including the information systems for, "email messages, voice-mail messages, communications logs, enterprise content management, instant messaging, database applications" . It should encompass data held in back-up systems, the cloud, and by third party vendors.

The definition for 'document' makes clear that the term should include all forms of electronically stored information. However it specifically excludes:

1. Invoices and purchase orders

2. Architectural plans and engineering blueprints.

3. Tax, environmental, and human resource documents.

4. "relational and enterprise databases, except as required to comply with an individual Specification."

This kind of information of may have to be produced pursuant to certain specifications in the model.

The FTC will consider excluding searches of back-up disks unless it appears that data is missing from the computers and servers searched by the company. It may only search back-up disks for key custodians or specific date ranges.

In general, the company's production must include any documents obtained up to 45 days prior to full compliance with the second request. However any documents relating to the sale of the relevant product, including market studies, forecasts and surveys; timetables for the proposed transaction; plans for operational, policy, financial and other changes to be made as a result of the transaction; the reason for the proposed transaction; and opinions on the proposed transaction obtained 21 days prior must also be produced.

Sensitive personally identifiable information and health information must be redacted. It includes the use of a social security number by itself, or a person's name, address or phone number, used with a date of birth, ID number, account number or credit card number.

The instructions specify that Excel, Access, and PowerPoint files be produced in their native format. Emails, attachments, and other electronic files are to be produced as TIFF images and include standard metadata fields (see the excerpted chart below) which must include hash values and an 'alternative custodian' field that has a, "[l]ist of custodians where the document has been removed as a duplicate."

Hard disk drives are to be used for productions 10 GB and larger. DVDs and USB flash drives are acceptable for smaller productions. The data must be scanned for viruses and encrypted with NIST FIPS-Compliant cryptographic hardware. Email threading and data duplication software cannot be used unless until the company has contacted the FTC's technical officials.

An index should be submitted listing document custodians, the corresponding document control number range, and any applicable box numbers. A privilege log is also required listing, "each document’s authors, addressees,and date; a description of each document; and all recipients of the original and any copies".