
By Thomas Shaw, CIPP

This is the first article of a three-part series exploring litigation exposure and readiness for Asian companies. Part two of the series will explain how non-U.S. companies, particularly those based in the Asia/Pacific region, can analyze and deal with the risks of U.S. litigation exposure to pre-trial discovery data requests.

Because of expansive discovery rules, jury trials, and the size of damage awards, plaintiffs worldwide choose to bring their claims in U.S. courts, so non-U.S. companies need to consider their exposure to U.S. litigation. Once an Asian corporation has determined its exposure, it must analyze its current readiness to deal with requests for pre-trial discovery. Because responses to discovery requests under U.S. rules are time sensitive, a respondent must be able to fully describe its responsive data within about 100 days of the initiation of a lawsuit. Failure to respond appropriately can lead to fines and/or other sanctions, as an Asian manufacturer recently discovered. This means that companies must proactively set up information-governance protocols and discovery procedures that allow for rapid response. Asian companies must know what data they have, where it is located, how long it is retained, who owns and controls it, how to preserve it, what automated or manual deletion processes exist, how to halt them, and how to collect information in its original state for discovery.

But it is no longer just U.S. litigation that drives the need for this type of information governance. Each country in Asia has its own discovery rules based on its legal heritage, and several have created special rules for the discovery of electronically stored information (ESI), as U.S. federal and state courts have done. For example, Australia’s Practice Note 17 and Singapore’s Practice Direction No. 3 spell out guidance for dealing with e-discovery in litigation filed in those countries. Other Asian countries will likely follow. In addition, a variety of regulatory requirements, privacy laws, and information-security requirements mandate much more rigorous information-governance practices. Audit attestation needs, such as local versions of Sarbanes-Oxley (SOX) or service-provider audits (e.g. SAS 70), and internal investigation needs further push Asian companies toward an information-governance framework that controls corporate data and provides the ability to respond to any information-based request, whether it arises from litigation, regulation, statute, audit, or something else.

The Electronic Discovery Reference Model (EDRM) is a multi-phase reference model that documents the steps required to respond to litigation discovery requests for ESI. The nine phases, in order, are: Information Management, Identification, Preservation, Collection, Processing, Review, Analysis, Production, and Presentation. Because the phases from Processing forward typically involve specialized external resources and procedures, such as large-volume processing, vendor software, and teams of lawyers, this article focuses only on what most corporations can initially undertake themselves: the first four EDRM phases. This is also in line with two industry trends. First, to save money, firms are looking to in-source parts of the EDRM lifecycle, and the first four phases are those they can most easily handle themselves, assisted by appropriate best-practice procedures and vendor software. Second, companies are moving their focus to the left side (the earlier phases) of the EDRM model. Firms realize that proactively understanding their data and knowing how to preserve, find, and collect it goes a long way toward reducing their discovery tasks, and so their litigation, regulatory, audit, and compliance expenses and exposures.

Information management

This EDRM phase should be initiated before any litigation is known or anticipated. It involves the establishment and maintenance of infrastructure, processes, and training surrounding a corporation’s body of information. This includes all information—structured and unstructured—used by the corporation in pursuit of its business objectives and is much more than just the accounting database or the e-mail system. The infrastructure includes all systems, applications, and devices, including servers, PCs, laptops, tapes, DVDs, USB drives, mobile phones and networks, and more, that store and transmit this business data. The processes include those to record business information, store, retrieve, use, and then, finally, delete it. And to effectively use the information, a corporation’s employees must be trained to implement and maintain the infrastructure and processes, and to deal with any changes.

To begin to understand whether a corporation’s information management program is “litigation ready,” a number of high-level questions must be asked and answered about the corporate data, infrastructure, processes, and people.

  • Is there a complete and current inventory of the corporate data sources and physical (hardware, software, network) infrastructure?
  • What ESI is contained in non-active IT systems (e.g. archival or legacy systems)?
  • What metadata exists and is it fully documented for each type of ESI?
  • Are there fully engaged data custodians and IT technical leads for each type of ESI and each technology component?
  • What legal access is there to data (and metadata) stored with third-party vendors?
  • Are there information management/security policies originating from top leaders?
  • Are there record retention/disposal timeframes and processes for all record types that comply with all contractual, statutory, and regulatory obligations?
  • Are archiving and backup processes implemented and documented?
  • Is records management implemented (e.g. record declaration and deletion)?
  • Are all the policies and procedures actually in use by skilled people trained to use them? 

To see how broad the scope of such an inventory must be, it is important to understand the different data sources that can count as ESI. The table below lists data sources subject to discovery.

Unfortunately, there is no single over-arching framework for grappling with the disparate ESI sources and information-management processes. But if a company has already implemented a program for structuring or protecting corporate information, such as records information management or information security, that program should provide a sufficient framework upon which to build. As an example, the ISO 27001 information-security certification standard and its related ISO 27002 controls provide a valuable set of requirements and tools that not only ensure sufficient rigor for the security of information but can also be extended to information management as needed. ISO 27002 includes controls addressing:

  • Assessment of risks
  • Documented corporate policies
  • Ongoing management commitment to these corporate policies
  • Inventory, ownership, and acceptable use of information assets
  • Classification and handling of information
  • Training and awareness
  • Exchange of information
  • Protection of organizational records
  • Auditing for compliance with the policies and standards

These controls can be adapted and expanded for information-management purposes. The risk assessment (as further expanded in the related standard ISO 27005) can be used to evaluate the risk that any data source will be subject to discovery and how that risk would be treated by altering the preservation rules. An information-management policy and management commitment to that policy would set the tone and direction for the corporation. Training and awareness-raising about the information-management policies and procedures ensure that the whole corporation gets involved and stays engaged on an ongoing basis. Cumulatively, the ISO 27001/27002 information-security controls, with certain extensions, can give the corporation sufficient initial depth in the information-management function to reasonably respond to discovery data requests.

To create an information management policy, corporations can begin by considering the guidelines set forth in the Sedona Conference document about managing records and information. Among the many guidelines, the following two provide some initial insight. First, the organization will have to create something that works for its particular situation, as “no single [information and records management] standard or model can fully meet an organization’s unique needs.” Second, corporations will have to determine what data to retain or to discard, as “defensible policies need not mandate the retention of all information and documents.” Finally, for those organizations with the resources to implement true records management (records are a subset of information that is retained in a format and for a timeframe based on legal, regulatory, or contractual requirements), use of the ISO 15489-1 records management standard may be appropriate.


Identification

When a corporation becomes aware of a lawsuit, whether initiated or anticipated, it must identify the data that would be responsive to that matter. While the specifics of any particular lawsuit cannot be known until receipt of the complaint, discovery request, retention letter, or court order, a company can and should prepare. The corporation can develop the processes it will use to form and engage a discovery-response team, identify key witnesses and persons of interest, and scope the sources of information that may be relevant to the lawsuit. Because all data sources, infrastructure, and custodians have already been identified in the Information Management phase, it is then only a matter of verifying that they remain current and determining what, if any, additions have taken place.

In addition, if a company finds that a data source is of a type that would be difficult to access at reasonable cost or effort, and so could be the basis of a not-reasonably-accessible argument, it should document those reasons for every such data source. When responding to an actual discovery request, the litigation-hold process and the related interviews start during the Identification phase. The litigation-hold process is discussed below under the Preservation phase, but it is appropriate to create interview checklists for data custodians/owners, key IT personnel, and persons of interest to the subject matter of the lawsuit now, well in advance of needing them for a discovery response.


Preservation

A party to a lawsuit must ensure that relevant ESI is preserved and protected against destruction or alteration. To do this, a corporation must prepare and circulate a litigation-hold communication to all relevant parties. It may also need to copy the e-mail and other files of persons of interest, image their hard disks and removable drives, or even take forensic images to capture deleted/hidden files or encrypted data. As part of notifying parties of their preservation obligations, it is critical that any routine processes that delete or modify ESI be stopped or altered. This might include various system procedures, such as the overwriting of system logs or daily transaction files, certain archiving processes, or the overwriting of backup tapes sent offsite as part of a disaster-recovery plan. Communicating and working with the IT team is key, but all employees will need some training on their preservation duties under legal holds.

The specific ESI and persons of interest will not be known until actual litigation arises, but again a company can prepare in a number of ways. First and foremost are the legal-hold procedures. Guideline 9 of the Sedona Conference document on legal holds states: “The legal hold policy and process of implementing the legal hold in a specific case should be documented considering that both the policy and the process may be subject to scrutiny by the opposing party and review by the court.” So a company should proactively document, based on its data and systems inventory: the retention periods for all data, the deletion procedures (manual or automated), how to stop deletions or quarantine data, the steps needed to take a forensic backup of a device when required, and whom to notify about the preservation of data. Besides creating policies and procedures for legal hold, a template legal-hold letter should be drafted in advance, taking into account all data sources, data and IT custodians/owners, and their responsibilities. In addition, acknowledgement forms for legal-hold letter recipients, demonstrating acceptance of their responsibilities and completion of their preservation tasks within the stated scope, should be drafted in advance.

There is an important question of when the duty to preserve attaches. The U.S. federal procedural rules do not address this directly, but the Sedona Conference legal-holds Guideline 1 states that: “Reasonable anticipation of litigation arises when an organization is on notice of a credible threat it will become involved in litigation or anticipates taking action to initiate litigation.” In Zubulake IV, the court stated that the typical starting point is when a party knows or should know that evidence is relevant to imminent or ongoing litigation. Courts have had to fashion their own interpretations, which are usually fact specific, of when a party should have known. In a recent case involving an Asian corporation, a Taiwan company’s duty to preserve was found to have started six years before actual notice was received, because the court viewed other litigation involving the same patents belonging to the plaintiff as putting the company on notice to preserve relevant evidence. Corporations therefore need to proactively review any available information on possible litigation and then implement timely legal holds as appropriate. Companies can also create in advance the process and triggers for releasing a legal hold when it becomes appropriate to do so.

Finally, it is important to analyze the inventory data regarding the records retention/destruction timeframes, policies, and procedures, and ensure that they are in compliance with applicable rules. Under U.S. federal procedural rules, there is a safe harbor from being sanctioned for destroying ESI if the destruction happens as part of a “routine, good faith operation.” The Sedona Conference legal holds Guidelines 2 and 3 state that: “reasonableness and good faith” are demonstrated by a records-retention policy and by reporting potential threats of litigation. So it is critical that corporations begin and maintain these programs long before any legal action is initiated so that they become routine. To remain in good faith, these destruction operations must stop when the corporation is aware of litigation.


Collection

In this phase, preserved information that is not relevant or is inaccessible can first be filtered out, appropriate search terms, date ranges, and file types are determined, and data is collected under valid chain-of-custody and authenticity protocols. Again, this cannot be performed in advance, but the processes for doing it can be defined proactively. Processes that detail who collects what ESI, using which tools, to what media types, plus the appropriate chain-of-custody and authenticity protocols, can all be determined in advance. Collection is the phase in which the transition from in-sourcing to outsourcing should start, because if any of the collection is done improperly (e.g. altering metadata, losing chain of custody), it may make the ESI evidence inadmissible. Outsourcing is especially appropriate when forensic collection is required (e.g. deleted/hidden files), when sensitive information is involved, when there are staffing or skill shortages or project-management needs, and when there are large volumes, short timelines, or internal biases within the corporation. The division between in-sourcing and outsourcing during the Collection phase should be determined in advance.
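To make the chain-of-custody and authenticity point concrete, the script below shows the minimum a defensible in-house collection should do before any vendor tool is involved: record each file's original metadata before touching it, copy with timestamps preserved, hash the source and the copy, and write a manifest whose own hash is what gets logged at each custody handoff. This is an added example written for this editorial review, not code from the original article or from any e-discovery vendor; the custodian and collector names, the directory layout, and the sample files are constructed for illustration.

```python
"""Defensible file collection with a hash-based chain-of-custody manifest.

Added example, not from the original article. Custodian/collector names,
the directory layout and the sample data are assumptions for illustration.
"""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large ESI items need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(source, dest, custodian: str, collector: str) -> dict:
    """Copy every file under `source` into `dest`, preserving timestamps, and
    return a manifest recording pre-copy metadata and matching hashes."""
    source, dest = Path(source), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    items = []
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        st = src.stat()            # capture original metadata BEFORE the copy
        src_hash = sha256_of(src)  # hash of the original, as found
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, out)     # copy2 preserves mtime/atime; copy() does not
        if sha256_of(out) != src_hash:
            raise RuntimeError(f"hash mismatch after copying {rel}")
        items.append({
            "path": rel.as_posix(),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": src_hash,
        })
    manifest = {
        "custodian": custodian,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "items": items,
    }
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    # The manifest's own hash is the value to record (and sign) at every
    # custody handoff; it ties the whole collection together.
    manifest["manifest_sha256"] = sha256_of(manifest_path)
    return manifest


def verify(dest, manifest: dict) -> list:
    """Re-hash the collected copies and return the paths whose content no
    longer matches the manifest (an empty list means the evidence is intact)."""
    dest = Path(dest)
    bad = []
    for item in manifest["items"]:
        copy = dest / item["path"]
        if not copy.exists() or sha256_of(copy) != item["sha256"]:
            bad.append(item["path"])
    return bad


if __name__ == "__main__":
    import tempfile
    # Constructed sample data: a custodian's home directory with two files.
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "custodian_home"
        (home / "mail").mkdir(parents=True)
        (home / "mail" / "inbox.mbox").write_text("From: alice@example.com\nSubject: Q3 contract\n")
        (home / "notes.txt").write_text("meeting notes\n")
        m = collect(home, Path(tmp) / "evidence", custodian="A. Custodian", collector="IR team")
        print(json.dumps(m, indent=2))
        print("altered since collection:", verify(Path(tmp) / "evidence", m))
```

The original `stat()` is captured before the copy because some metadata (ctime on Linux, for instance) cannot be set on the copy from user space, so the manifest, not the copy, is the authoritative record of it. Anything this script cannot do, such as recovering deleted or slack-space data, is exactly the forensic collection the article recommends outsourcing.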

When performing collection, data-protection laws and contractual confidentiality commitments come into play. A number of Asia/Pacific statutes require the safeguarding of employees’ personal information. For example, Japan’s Personal Information Protection Law requires a business holding personal information on more than 5,000 persons to obtain their consent before transferring the data to a third party, unless an opt-out mechanism is provided. Australia’s federal Privacy Act requires anyone transferring data to a third party to ensure that the third party reasonably complies with the Act’s privacy principles. Hong Kong’s Personal Data (Privacy) Ordinance likewise requires that the third-party recipient be bound by similar privacy provisions. Most Asia/Pacific countries have, or will shortly have, some statutory data-privacy protections. It is also important to verify that all contractual confidentiality commitments contain an exception for litigation demands.

Asia-Pacific e-discovery laws

Corporations doing business in multiple countries will need to understand both local and foreign e-discovery rules. In Asia, local e-discovery rules are beginning to emerge in 2009. Under Australia’s Practice Note 17, parties are encouraged to agree upon the scope and timetables for discovery, strategies for preservation, reasonable searches (including of not-reasonably-accessible information), and the management of ESI and the related document-management protocols. Singapore’s Practice Direction No. 3 has been amended to cover discovery and inspection of electronically stored documents, computer databases, and electronic media or recording devices. Parties are encouraged to agree on discovery protocols and to use reasonable searches. Provisions also cover metadata, forensic discovery, and the factors to consider when deciding whether to order discovery. Hong Kong’s Practice Direction 5.2 tells parties to exchange documents without having to prepare lists of documents. Because parties can now litigate commercial contract disputes in Hong Kong and enforce those judgments in China, this may open China itself to these procedural rules.


Asia-Pacific parent corporations do business in an increasingly litigious, multi-jurisdictional business environment, with overlapping litigation, regulatory and various compliance data requirements. To be able to respond to all of these competing demands for information, corporations must first proactively undertake to implement best-practice information-governance procedures. This will allow them to respond both promptly and accurately to requests for this information from plaintiffs, government agencies, and auditors. Based upon this common foundation of information governance, procedures specific to each external source of demand can be implemented, such as those to deal with litigation in the various forums in which they do business. For litigation, firms can follow the general steps outlined above to start to set a high-level direction and then can enlist the proper expertise to help them through this multi-disciplinary process. This includes technically adroit attorneys, IT expertise, information custodians, and external resources, including vendors whose software can enable a number of the EDRM phases and discovery consultants who can shape the many processes needed. Finally, Asian corporations can and should take advantage of the “quiet” pre-litigation time to designate executive leadership for e-discovery, appoint cross-functional teams representing all stakeholders, prepare needed processes, tools, and project management techniques and then perform the walkthroughs and tests to be ready to respond to data discovery requests from the all-too-likely litigation.

Thomas J. Shaw, Esq., is an attorney, CPA, CIPP, CISM, ERMP, CFF, CISA, CITP and CGEIT based in Tokyo, Japan, who works with corporations across Asia to develop their legal, e-discovery, information security, data privacy, compliance, and information governance policies and procedures to assess, prepare for, and respond to litigation and technology risk. He can be reached on the Web at www.tshawlaw.com.

