As the volume of electronically stored information (“ESI”) continues to expand rapidly, working with e-discovery vendors for collection, processing, review and production has become commonplace. Entrusting massive amounts of sensitive company data to an e-discovery vendor for the life of a litigation (and sometimes longer) is routine. But do you really know where your data is and who is responsible for it?

Earlier this week, it was reported that GlaxoSmithKline PLC filed a complaint in New York state court alleging that a New York City-based e-discovery vendor, Discovery Works Legal Inc., and its CEO Harry Debari is “holding hostage over 20 terabytes of GSK’s most sensitive and confidential data, and threatening to withhold and destroy the data unless GSK pays the ransom” of more than $80,000. According to the article discussing the complaint, Discovery Works was in control of roughly 3.75 billion pages of GSK documents in “unknown” locations.

While this is an extreme, and hopefully isolated incident, it highlights the potentially precarious situation that can be created when ESI is handed over to a third-party vendor. Of course, there is a very low likelihood such a hostage situation would ever arise with the large number of reputable vendors that occupy the e-discovery space. That said, there are many steps that could be taken to mitigate such risk, and/or simply give companies and law firms the ability to reduce storage/hosting fees or switch e-discovery vendors for any number of reasons.

When negotiating with e-discovery vendors, companies or law firms responsible for a given matter can:

1. Insist that the original collection media provided to the vendor (e.g., hard drives) be returned to the company or law firm for safe keeping;

2. Maintain a copy of all production sets that are produced;

3. Negotiate reasonable archiving fees up front, and require that at the end of a matter (or at reasonable intervals during an engagement) an archive set of the company’s data is provided to the company or law firm for safe keeping;

4. Require the vendor to certify that it has destroyed or returned all of the company’s data at the conclusion of the matter or at the company’s or law firm’s instruction.

Maintaining original collection media and a copy of all production sets can be done at little or no cost, whereas vendors charge fees for creating archival sets of data that contain information such as issue coding. These modest precautions would not only go a long way to mitigating a doomsday scenario such as the one unfolding for GSK, but would also provide flexibility to clients and law firms. Keeping a copy of source data, productions sets and archive copies of review databases facilitates switching vendors or in-sourcing review work if necessary. Moreover, maintaining a greater degree of control over one’s data helps prevent becoming too dependent on (or even the victim of) any one vendor.