By Alan J. Ross
To reduce liability, companies must know how to manage electronic records and how to respond to electronic discovery requests.
W hen Amy Wiginton filed a sexual harassment lawsuit against her employer, C.B. Richard Ellis, Inc., her attorney sent a detailed letter to the company’s counsel requesting that the firm stop all destruction of potential evidence, both paper and electronic. Several months later, the two parties finally agreed to a preservation order detailing what type of documents should be protected. However, between the time that it received the letter and the time that the agreement was reached, the company continued to follow its normal document destruction routine. This resulted in the destruction of data stored on e-mail backup tapes and employee hard drives, including that of Wiginton’s supervisor.
Wiginton’s attorney filed a motion for sanctions. After listening to the company’s justification for its actions—including the cost of routine backups and the fact that those backups were used for disaster recovery only—the judge ruled in favor of sanctions. He noted that the costs involved and the procedures established did not excuse the fact that the defendant had willfully and intentionally violated the duty to preserve evidence in this case (Wiginton v. C.B. Richard Ellis, U.S. District Court for the Northern District of Illinois, 2004).
In another case (Stevenson v. Union Pacific Railroad Company, U.S. Court of Appeals for the Eighth Circuit, 2004), Frank Stevenson was severely injured and his wife was killed when a train hit his car. The owner of the train, Union Pacific Railroad Company, destroyed a voice tape of a conversation between the train crew and dispatch that occurred around the time of the accident. The company also destroyed track maintenance records after the accident.
The court issued an adverse-inference instruction—that is when the court instructs the jury to presume that the evidence, if produced, would have been adverse to the party that destroyed it. In its decision, the court noted that Union Pacific had been involved in many crossing collisions and knew that the taped conversations and track maintenance records would be relevant to any pending litigation.
And in a third case (Kucala Enterprises, Ltd. v. Auto Wax Co, U.S. District Court for the Northern District of Illinois, 2003), the court dismissed a patent infringement lawsuit after it found that the plaintiff had used specialized software to delete 12,000 files a few hours before the defendant’s expert was to inspect the computer by order of court.
As these cases show, no company can afford to be ignorant about the laws governing electronic document management and electronic discovery issues. Yet industry surveys show that many are.
A 2003 Electronic Records Management Survey (the most current available) by Cohasset Associates found that of the respondents whose companies had a formal records-management program, many did not address electronic records. For example, 47 percent did not have comprehensive retention schedules that included electronic records; and 59 percent did not subject e-mail to any retention policy.
Almost half of the respondents said that their organizations did not have either a formal plan for responding to discovery requests seeking records or a formal system for responding to a legal order to hold records. Finally, 65 percent of respondent organizations did not include electronic records in their responses to legal orders to hold records.
Clearly, companies that have not addressed electronic-records management have a considerable liability exposure. To remedy the problem, senior management must consider the current state of the law and then, working with legal counsel, business units, and IT, craft a comprehensive program.
The law. Electronically stored information has been considered discoverable since federal law was amended more than 30 years ago to allow data compilations to be included in discovery. However, the rules governing the specifics of electronic discovery are in flux. In recent years, courts have issued inconsistent rulings.
For example, during a sex discrimination and retaliation case (Zubulake v. UBS Warburg, U.S. District Court for the Southern District of New York, 2003), the court ruled that “as a general rule…a party need not preserve all backup tapes even when it reasonably anticipates litigation.” However, this decision contrasts with an earlier ruling in Linnen v. A.H. Robins Co. (Massachusetts Superior Court, 1999) in which the court ruled that the company’s customary recycling program should have been suspended.
Recognizing that these conflicting rulings make it difficult for companies to develop reasonable policies, the Standing Committee on Rules of Practice and Procedure of the Judicial Conference of the United States (the federal judiciary’s rulemaking body) last year approved a package of amendments on electronic discovery. The rules must now be approved by the Supreme Court. The Court would then submit them to Congress by May 1 of next year, and if Congress does not object, the amendments take effect on December 1, 2006.
The amendments would establish five rules, each addressing different aspects of the process, as follows.
Data-handling details. The first proposed rule would require that during early discovery planning, which takes place shortly after a lawsuit is filed, each party must give the opposing counsel details about how its computer systems work so that each party will know what to request access to in the discovery process.
The information would include the various means by which data is routinely created, distributed, stored, and destroyed. The parties will also be required to discuss the form of production, preservation of electronic records, and privilege issues. The parties will typically need to consider, for example, databases, networks, computer systems, servers, archives, backup or disaster recovery systems, laptops, personal digital assistants, mobile phones, and pagers as potential discovery sources.
Access. The second proposed rule involves the discovery of electronically stored information that is not reasonably accessible, such as legacy data that is not being used and is stored on an obsolete system or backups stored for disaster recovery purposes. This rule would provide that a party need not produce such information unless the court orders it, although the burden of showing that it is not easily accessible is on the producing party and the court may order discovery of the information for good cause on specified terms and conditions. The commentary makes clear that the defendant is required to explain precisely what data is not reasonably accessible and why.
Privilege. The third proposed rule deals with the inadvertent disclosure of privileged information, the risk of which increases when dealing with electronic documents. Privileged information in this context is a communication between a lawyer and client or a doctor and patient in connection with which the client or patient is seeking legal or medical advice or services. It must be intended to be confidential and it must be related to the provision of advice or services.
The rule proposes that if privileged information is inadvertently disclosed, for example, by releasing e-mails that contain communications between general counsel and the CEO, and a court rules that the information is privileged, the party that received it must return, sequester, or destroy the information and all copies within a reasonable amount of time without using any aspect of it to bolster its case.
Ethics rules already require that attorneys stop reading a document once they realize that it contains privileged information. The determination of whether the privilege has been waived is still left to the court.
Form. The fourth proposed rule would permit the requesting party to test or sample electronic information and to specify the medium or format in which requested information will be provided. If no form is specified, the proposed rules require the responding party to produce electronic information in either the form in which it is ordinarily maintained or in an electronically searchable form.
Ideally, the information would be presented in its original and dated format so that all parties could be sure that it had not been tampered with. However, that approach is not always feasible, because the original format may use an outdated medium.
Loss. The fifth proposed rule would provide immunity for a defendant organization that could not provide some of the electronic files being requested because those files had been overwritten or otherwise destroyed in the routine operation of computer systems before discovery was initiated. The company must, however, have taken reasonable steps to preserve all remaining information once it recognized that the information might be relevant to an impending lawsuit.
The issue of when the company knew or should have known that information would be relevant is critical. Companies will be hit with severe sanctions in cases where the court determines that the data was not preserved but should have been.
One indicator that data should be preserved is when the company receives a letter from a disaffected employee threatening a lawsuit. Companies cannot wait until discovery begins to decide to preserve information that might relate to that lawsuit.
Policies. Companies must implement and oversee a reasonable records retention and destruction policy that addresses both paper records and electronic data. The policy must be communicated well to all staff, consistently implemented, and rigorously enforced.
Getting started. For an organization to formulate an electronic records retention policy, the organization must answer numerous questions about itself and its use and storage of electronic records. For example, the organization must understand what types of electronic records it generates, who in the organization generates them, where they are stored, and in what formats.
Also crucial is how the organization uses the records, during what period of time, what it costs to store them, and what it costs to destroy them. From a legal standpoint, it is important to know what records must be retained by law, for what period of time, who in the organization manages them, and what procedures must be put in place to implement a policy.
Establishing a policy. To establish a records retention policy, a business must begin by answering three fundamental questions. First, what documents constitute business records; specifically, what records are required in the company’s day-to-day decision making, financial and business analysis, forecasting and reporting, customer service, resource management, compliance with state and federal laws and regulation, and legal interests? These records make up the business records that must be retained for some period of time. All other records may and should be discarded relatively soon after their creation.
Second, into what categories can the company divide these business records? In most cases these categories should be defined broadly so as to minimize the complexity of the retention schedule and to facilitate carrying out practical destruction schedules. Most businesses produce an enormous variety of records, and there are innumerable laws and regulations requiring that many of these records be maintained for specific time periods. As a result, determining what these categories are can be difficult and time-consuming and varies according to the type of business.
Finally, how long should companies maintain the documents in these categories? In some cases, that question will be answered by a legal or regulatory requirement. In others, it is a matter of discretion, depending on the pertinence of the records to a business need. To determine the appropriate policy, the company must conduct an assessment of the operational and strategic value of the information contained in the records. In all instances, the touchstone of the company’s decisions must be reasonableness and the entire process must be documented.
Compliance training. The organization must also ensure compliance by employees. Staff must be educated about the retention policy, how it works, what their own role is in implementing the policy, and why it is important. Employees should understand the consequences—to the company and to their own careers—of either carelessly destroying or needlessly retaining data.
Documentation. The entire record retention policy, including every aspect of its adoption and the issues considered, must be documented. It is especially important that all data destruction be documented with regard to what was destroyed, when, why, and how, with the recognition that the destruction of specific records may become an issue in the event of future litigation. Thorough documentation will help the company establish the reasonableness of its actions in a court.
Enforcement. It is not enough to simply create an electronic records policy. The policy must be enforced in a way that is uniform, reasonable, and in good faith. To that end, employees should be held accountable for how well they follow these procedures, and their compliance efforts should be factored into their employment evaluations.
The company should also set up an oversight authority composed of members of the business and legal staff, as well as relevant IT personnel. This committee should be responsible for formulating the policy, communicating it to employees, and educating them on the importance of proper implementation and the actual procedures to be employed.
The committee should arrange employee training as needed and ensure that resources are in place to carry out the policy. The committee should also ensure that the policy is being followed by conducting periodic compliance reviews. It should periodically revise the policy to reflect changes in staff or organizational structure, business practices, technology, and legal or regulatory requirements.
Witness in waiting. The organization should also identify a person who will be called on to testify about the organization’s document retention policies. Most likely, this will be the person who is knowledgeable about the policy, the company’s computers, and the realities of records management at the company. However, most importantly, the person must have the ability to testify credibly in a courtroom.
The person chosen to testify would most likely to be a security professional. A company would not call its CEO or general council to testify about document destruction policies because of the obvious conflict of interest. The company’s IT professional would generally be passed over as well because of the temptation for him or her to present too much technical information to the court.
This person need not be named in the document destruction policy, but whoever is chosen should be trained to testify in a courtroom. This training does not need to be conducted in advance of a lawsuit, but when the occasion arises, detailed training is essential. Evidence presented incorrectly could be devastating to the company.
Pending litigation. A duty to preserve electronically stored records is triggered when a party learns that the evidence is or may be relevant to litigation. The duty to preserve extends to those employees likely to have relevant information in the case. The plan must, therefore, include procedures for suspending routine retention and destruction procedures for material relevant to pending litigation.
The plan should provide that documents be put on hold immediately in the event of pending litigation, and that any employees—as well as any outside counsel and directors—likely to have relevant documents in their possession, such as on computers they use or control, would be notified that they must legally retain their documents. Counsel should determine in advance how best to distribute instructions regarding a litigation hold on document destruction to employees and how to ensure that those instructions are followed.
In addition, all activities related to the litigation hold must be documented, including all advance preparation. This step serves two purposes. It helps organize the litigation hold effort, and it provides a record for potential future use in defending against a charge of inappropriate document destruction.
Counsel should instruct employees as to what must be preserved and meet with the IT department to determine the parameters of the hold. Documents should be described in broad categories, and broad timeframes should be identified.
For example, if the company is embroiled in a lawsuit with former employee Smith, counsel should inform employees to retain all e-mails that mention Smith, all e-mails sent or copied to Smith, and all e-mails that originated from Smith’s computer. Counsel should follow up with these employees to ensure that the notice was understood and is being implemented on an ongoing basis. Failure to do this can result in sanctions directed at both the company and the individuals within the company responsible for the problem.
For example, in Danis v. USN Communications, Inc. (U.S. District Court for the Northern District of Illinois, 2000), the judge found that the CEO of the defendant had “failed to implement adequate steps to discharge [his] duty to preserve documents and information that might be discoverable in this case.”
The judge recommended that the CEO be fined $10,000, although his failures had not prejudiced the plaintiff, because such a fine would, the judge said, be appropriate as a sanction to impress on the CEO the seriousness of the duty of preservation.
The court enumerated the CEO’s failures: He took no affirmative steps to ensure that documents were preserved. He failed to develop a document retention policy either in general or in response to the lawsuit. He did not inform the staff of the lawsuit or the need to preserve documents.
Privilege. In the event of litigation, companies should establish a review process that locates any documents that might contain information that is privileged or a trade secret. They should also work with opposing counsel on procedures for dealing with inadvertent disclosure of privileged documents.
Production of electronic documents increases the risk of inadvertently disclosing privileged documents in two ways: The overwhelming volume of electronic records magnifies the review problems; and electronically stored records include more information than appears on the surface.
An example of the second issue can be seen in reviewing e-mails. It is essential that the producing party review the persons designated for receipt of blind copies, which ordinarily would not appear on a hard copy. Depending on the recipient of the blind copy, privilege could be created or destroyed.
For example, if the blind copy was to the attorney or the client, the e-mail might be covered by attorney-client privilege. For example, if two business associates were discussing a matter for which they needed a legal opinion and one of them sent a blind carbon copy to the general counsel and then later asked him or her for an opinion, that communication could arguably be protected by the attorney-client privilege.
It could also be the other way around, however. The blind copy might destroy the privilege by destroying the confidentiality of the communication. It is critical to keep in mind, however, that communication can only be privileged if it is made in the context of seeking legal advice or services.
To prevent a waiver of the attorney-client privilege, the producing party must take reasonable precautions to avoid inadvertent disclosure of privileged material. Reasonable precautions may involve a specific privileged review by the company’s attorney, well beyond name searching of the documents.
Counsel should consider a negotiated protective order at the start of the case, explicitly providing that inadvertent disclosure of privileged or otherwise protected electronic information is not a waiver. And until the Standing Committee’s proposed rule requiring opposing attorneys to return, sequester, or destroy such information is finalized, counsel may also want to include language to that effect in any negotiated protective order.
Format. Companies should work with opposing counsel to determine the production format they would like any discovery materials to be in: hard copy or electronic, and if the latter, specifically which format, native or image. Historically, most documents have been provided in discovery as hard copies. Lawyers are generally more comfortable using hard copies, particularly in depositions where hard copies are essential; hard copies also allow making notations on documents or highlighting sections.
In recent years, however, the merits of electronic copies have become more evident. Electronic documents are far easier to sort, screen for key terms, and retrieve than hard copies. Electronic documents can also be loaded into a litigation support database, which can be important, particularly in large cases. In that instance, the support software may dictate the production format.
Producing documents electronically can also be less costly and time consuming. For example, the court in the case of Zakre v. Norddeutsche Landesbank Girozentrale (U.S. District Court for the Southern District of New York, 2004) held that production of evidence in electronic format relieves the producing party from the obligation to organize those documents.
Production in native format—which means giving the requesting party a copy or clone of the format in which the document was first created—is the most likely to preserve embedded data. This format allows the requesting party to preserve metadata, clone the clone, make PDFs from the second clone, and put the PDFs into a document management program, so it’s the most commonly requested. The providing company may be fine with that, or may want to produce PDFs because it is much easier to digitize everything in one format, automatically date stamp it for organization purposes, and then produce it.
Native format documents do have some drawbacks. They are easily altered, and the review of embedded data can substantially increase reviewing time, usually with little relevant information to show for it. Typically, converting the document to PDF or TIFF format, for example, destroys the embedded data, such as information on when the document was created, last altered, last printed, and last opened. But the date and time the PDF was created is recorded, after which it’s harder to alter the data.
Embedded data, as compared to content, involves items such as formatting information on a word document. This is more time consuming to review because it means that numerous pieces of information must be reviewed for each document.
In addition, documents containing privileged information cannot be redacted to produce nonprivileged portions if they are produced in native format.
These are among the issues that counsel will consider in requesting a format. The negotiations will depend on the needs of each party.
In a short period of time, the information age has changed the face of business. And that is now altering the nature of civil discovery. Business organizations must begin dealing with these vast changes now if they are to minimize their potential liabilities and expenses in future litigation.
Challenges of E-Records
The following factors make accessing and authenticating electronic records difficult.
Multiple parts. Electronic records often consist of several parts that reside on different computers, and even in different locations.
Alterability. Electronic records are subject to alteration or destruction without detection, absent the use of technological controls.
Device reliance. Over the long term, an organization may frequently change or swap out its hardware and software. This can result in an inability to read historical electronic records.
Technological complexity. Electronic records can be created using complex technological processes that make it very difficult to demonstrate the records’ trustworthiness.
Ease of transport. Electronic records are easily created, shared, published and distributed. This can make it difficult to maintain a log of the records distribution, custody, and control, thereby reducing the document’s trustworthiness.
Longevity. Electronic records can be difficult to maintain, due in part to software and hardware obsolescence, environmental damage, data corruption, and inadvertent alteration or destruction.
Alan J. Ross is a partner with Bricker & Eckler in Cleveland, Ohio. His specialties include intellectual property litigation, e-commerce and Internet law, and civil and criminal antitrust law.