Electronic Records Management

By Alan J. Ross

Wiginton’s attorney filed a motion for sanctions. After listening to the company’s justification for its actions—including the cost of routine backups and the fact that those backups were used for disaster recovery only—the judge ruled in favor of sanctions. He noted that the costs involved and the procedures established did not excuse the fact that the defendant had willfully and intentionally violated the duty to preserve evidence in this case (Wiginton v. C.B. Richard Ellis, U.S. District Court for the Northern District of Illinois, 2004).

In another case (Stevenson v. Union Pacific Railroad Company, U.S. Court of Appeals for the Eighth Circuit, 2004), Frank Stevenson was severely injured and his wife was killed when a train hit his car. The owner of the train, Union Pacific Railroad Company, destroyed a voice tape of a conversation between the train crew and dispatch that occurred around the time of the accident. The company also destroyed track maintenance records after the accident.

The court issued an adverse-inference instruction—that is when the court instructs the jury to presume that the evidence, if produced, would have been adverse to the party that destroyed it. In its decision, the court noted that Union Pacific had been involved in many crossing collisions and knew that the taped conversations and track maintenance records would be relevant to any pending litigation.

And in a third case (Kucala Enterprises, Ltd. v. Auto Wax Co, U.S. District Court for the Northern District of Illinois, 2003), the court dismissed a patent infringement lawsuit after it found that the plaintiff had used specialized software to delete 12,000 files a few hours before the defendant’s expert was to inspect the computer by order of court.

As these cases show, no company can afford to be ignorant about the laws governing electronic document management and electronic discovery issues. Yet industry surveys show that many are.

A 2003 Electronic Records Management Survey (the most current available) by Cohasset Associates found that of the respondents whose companies had a formal records-management program, many did not address electronic records. For example, 47 percent did not have comprehensive retention schedules that included electronic records; and 59 percent did not subject e-mail to any retention policy.

Almost half of the respondents said that their organizations did not have either a formal plan for responding to discovery requests seeking records or a formal system for responding to a legal order to hold records. Finally, 65 percent of respondent organizations did not include electronic records in their responses to legal orders to hold records.

Clearly, companies that have not addressed electronic-records management have a considerable liability exposure. To remedy the problem, senior management must consider the current state of the law and then, working with legal counsel, business units, and IT, craft a comprehensive program.

The law. Electronically stored information has been considered discoverable since federal law was amended more than 30 years ago to allow data compilations to be included in discovery. However, the rules governing the specifics of electronic discovery are in flux. In recent years, courts have issued inconsistent rulings.

For example, during a sex discrimination and retaliation case (Zubulake v. UBS Warburg, U.S. District Court for the Southern District of New York, 2003), the court ruled that “as a general rule…a party need not preserve all backup tapes even when it reasonably anticipates litigation.” However, this decision contrasts with an earlier ruling in Linnen v. A.H. Robins Co. (Massachusetts Superior Court, 1999) in which the court ruled that the company’s customary recycling program should have been suspended.

Recognizing that these conflicting rulings make it difficult for companies to develop reasonable policies, the Standing Committee on Rules of Practice and Procedure of the Judicial Conference of the United States (the federal judiciary’s rulemaking body) last year approved a package of amendments on electronic discovery. The rules must now be approved by the Supreme Court. The Court would then submit them to Congress by May 1 of next year, and if Congress does not object, the amendments take effect on December 1, 2006.

The amendments would establish five rules, each addressing different aspects of the process, as follows.

Data-handling details. The first proposed rule would require that during early discovery planning, which takes place shortly after a lawsuit is filed, each party must give the opposing counsel details about how its computer systems work so that each party will know what to request access to in the discovery process.

The information would include the various means by which data is routinely created, distributed, stored, and destroyed. The parties will also be required to discuss the form of production, preservation of electronic records, and privilege issues. The parties will typically need to consider, for example, databases, networks, computer systems, servers, archives, backup or disaster recovery systems, laptops, personal digital assistants, mobile phones, and pagers as potential discovery sources.

Access. The second proposed rule involves the discovery of electronically stored information that is not reasonably accessible, such as legacy data that is not being used and is stored on an obsolete system or backups stored for disaster recovery purposes. This rule would provide that a party need not produce such information unless the court orders it, although the burden of showing that it is not easily accessible is on the producing party and the court may order discovery of the information for good cause on specified terms and conditions. The commentary makes clear that the defendant is required to explain precisely what data is not reasonably accessible and why.

Privilege. The third proposed rule deals with the inadvertent disclosure of privileged information, the risk of which increases when dealing with electronic documents. Privileged information in this context is a communication between a lawyer and client or a doctor and patient in connection with which the client or patient is seeking legal or medical advice or services. It must be intended to be confidential and it must be related to the provision of advice or services.

The rule proposes that if privileged information is inadvertently disclosed, for example, by releasing e-mails that contain communications between general counsel and the CEO, and a court rules that the information is privileged, the party that received it must return, sequester, or destroy the information and all copies within a reasonable amount of time without using any aspect of it to bolster its case.

Ethics rules already require that attorneys stop reading a document once they realize that it contains privileged information. The determination of whether the privilege has been waived is still left to the court.

Form. The fourth proposed rule would permit the requesting party to test or sample electronic information and to specify the medium or format in which requested information will be provided. If no form is specified, the proposed rules require the responding party to produce electronic information in either the form in which it is ordinarily maintained or in an electronically searchable form.

Ideally, the information would be presented in its original and dated format so that all parties could be sure that it had not been tampered with. However, that approach is not always feasible, because the original format may use an outdated medium.

Loss. The fifth proposed rule would provide immunity for a defendant organization that could not provide some of the electronic files being requested because those files had been overwritten or otherwise destroyed in the routine operation of computer systems before discovery was initiated. The company must, however, have taken reasonable steps to preserve all remaining information once it recognized that the information might be relevant to an impending lawsuit.

The issue of when the company knew or should have known that information would be relevant is critical. Companies will be hit with severe sanctions in cases where the court determines that the data was not preserved but should have been.

One indicator that data should be preserved is when the company receives a letter from a disaffected employee threatening a lawsuit. Companies cannot wait until discovery begins to decide to preserve information that might relate to that lawsuit.

Policies. Companies must implement and oversee a reasonable records retention and destruction policy that addresses both paper records and electronic data. The policy must be communicated well to all staff, consistently implemented, and rigorously enforced.

Getting started. For an organization to formulate an electronic records retention policy, the organization must answer numerous questions about itself and its use and storage of electronic records. For example, the organization must understand what types of electronic records it generates, who in the organization generates them, where they are stored, and in what formats.

Also crucial is how the organization uses the records, during what period of time, what it costs to store them, and what it costs to destroy them. From a legal standpoint, it is important to know what records must be retained by law, for what period of time, who in the organization manages them, and what procedures must be put in place to implement a policy.

Establishing a policy. To establish a records retention policy, a business must begin by answering three fundamental questions. First, what documents constitute business records; specifically, what records are required in the company’s day-to-day decision making, financial and business analysis, forecasting and reporting, customer service, resource management, compliance with state and federal laws and regulation, and legal interests? These records make up the business records that must be retained for some period of time. All other records may and should be discarded relatively soon after their creation.

Second, into what categories can the company divide these business records? In most cases these categories should be defined broadly so as to minimize the complexity of the retention schedule and to facilitate carrying out practical destruction schedules. Most businesses produce an enormous variety of records, and there are innumerable laws and regulations requiring that many of these records be maintained for specific time periods. As a result, determining what these categories are can be difficult and time-consuming and varies according to the type of business.

Finally, how long should companies maintain the documents in these categories? In some cases, that question will be answered by a legal or regulatory requirement. In others, it is a matter of discretion, depending on the pertinence of the records to a business need. To determine the appropriate policy, the company must conduct an assessment of the operational and strategic value of the information contained in the records. In all instances, the touchstone of the company’s decisions must be reasonableness and the entire process must be documented.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.