Managing and protecting all enterprise data


New rules, new game for compliance and ediscovery

The updated Federal Rules of Civil Procedure set new standards for electronically stored information, and may have a significant bearing on how your company manages its digital documents. Some of the country's top legal experts weigh-in with suggestions on how to create retention policies that can keep your company on the right side of the law.

In light of the revised FRCP compliance rules, you may need to change your document-retention policies or face the consequences in court.

The updated Federal Rules of Civil Procedure (FRCP) make electronically stored information (ESI) as important in litigation matters as paper-based documents. The rules now explicitly designate ESI as discoverable in a federal legal proceeding. "With 40% of corporate information spending its entire life in electronic form, ESI has become very important in litigation," says Tom Russo, a member of the Corporate Counsel Technology Institute at Widener University School of Law, Wil-mington, DE, as well as a faculty member at the National Judicial College in Reno, NV.

In addition, the updated rules state that data should be in the form in which it was created with its meta data. "We're now teaching lawyers all about meta data," says Fred Lederer, chancellor professor of law and director of the Center for Legal and Court Technology at William & Mary School of Law in Williamsburg, VA.

With paper documents, usually only the final version was filed and saved. Not so with ESI. "You might have 15 copies of the same document stored. Casual conversation [in email or voice mail] is now stored electronically and is considered a corporate document for litigation purposes," says Russo. "Suddenly, all this data is sitting there. The risk of discovery during litigation is great." Due to that litigation risk, adds Russo, a retention system that gets rid of data as soon as there's no business or regulatory reason to keep it is one of the most important things you can have.

"Our retention strategy can be summed up like this: Preserve data for the appropriate amount of time," says Robert Gerbrandt, senior project manager/legal at TD Bank Financial Group, Toronto. "That means keeping the right information in the right place for the right amount of time and not a moment longer." The bank has set up a cross-functional working group composed of members from the compliance, HR, legal, audit and business units to define its retention policies.

Retention policies are critical, but litigation changes everything. As soon as a lawsuit has been filed against a company or could be anticipated, the company is obligated to preserve all pertinent data. "At that point we have to preserve all the data. That means freeze everything," says Gerbrandt. "The destruction component of the retention policy gets interrupted."

"The biggest mistake companies make is to not store data [in the face of] a litigation hold or regulatory requirements," says Ronald Hedges, a former U.S. Magistrate Judge in the U.S. District Court for the District of New Jersey and currently counsel, litigation and dispute resolution at the Nixon Peabody LLP law firm in New York. Multimillion dollar litigation awards have been won due in large part to the failure of a company to produce the required documents.

Even when confronting litigation, companies can selectively follow normal retention policies. "If the litigation involves an employment issue and focuses on the actions of a few key players, you can still destroy other data according to your retention policy," says Martha Dawson, partner, co-practice chair, ediscovery analysis and technology group at K&L Gates in Seattle.

Cost of accessing data
The federal rules are fairly clear about making data available for litigation. But Rule 26(b)2(b) provides some wiggle room if the data is inaccessible or the cost of accessing the data is unreasonably burdensome. "The big question here is whether accessibility is reasonable or not," says Hedges.

There are no guidelines as to what constitutes unreasonable accessibility or burdensome costs; a judge makes the call for each particular case. Bruce Radke, partner and co-chairman of the ediscovery practice at Vedder Price Kaufman & Kammholz PC in Chicago, suggests three factors judges will use:

  • Size of the case. A multimillion dollar case absorbs higher accessibility costs than a small case.
  • Who's incurring the cost. Judges will feel large corporations can absorb much higher costs than individuals or small companies.
  • The relevance of the information being targeted. If the data is likely to be central to the case, cost probably won't be a barrier.

The interpretation of what constitutes accessibility or burdensome cost varies widely. "One judge told us that it will be four to five years before we start to see consistency and predictability in applying the new rules," says Radke.

CIO meets general counsel
The federal rules, particularly Rule 26(f), require that the parties to litigation meet early in the process to discuss issues regarding discoverable information. Furthermore, the parties, according to Rule 26(a)(1), must provide a description by category and location of all electronically stored information and its accessibility.

If nothing else, these rules will force a company's CIO and general counsel (GC) to meet and talk about ESI, storage systems and storage processes in general and then again whenever specific litigation arises. Radke recalls arranging one such meeting at a Fortune 100 client and then walking away with the distinct feeling that "the CIO and GC had never met before."

IT in the dock
In litigation, an IT person can be called to testify in one of two ways: as an individual with knowledge based on their direct experience or as a representative of the corporation. According to Rule 30(b)(6) of the FRCP, just about anybody (described in the rule as "officers, directors, or managing agents, or other persons") can be required to give a deposition on behalf of the corporation.

In that case, you're expected to represent the total knowledge of the corporation on the issue at hand. "The CIO and CTO have always been called into court to describe how information systems are designed and how the data is stored," says Radke. "Now you can expect to see more of it because of the importance of electronic data. IT people need to be ready." Specifically, IT people will be called on to explain:

  • Where, when and how data is stored and accessed
  • The safeguards in place to back up or otherwise protect the data
  • The structure, format and type of data stored
  • The cost of accessing the data
  • Policies and procedures related to data storage, access, retention and destruction

Key ediscovery terms

Adverse inference: The judge instructs the jury to infer that destroyed evidence would have been harmful to the party responsible for the destruction. This can frequently result in the sanctioned party losing the case. You can lose the case simply by losing data, not on the merits of the case.

Custodian: A person who has documents.

Document request: This is the basic tool used to take documentary discovery. Basically, the other side gives you a list of the documents they want to examine. To the extent that they're relevant and not privileged, you'll generally have to give these documents to the requesting side.

Document retention: This term covers the process of maintaining and destroying documents according to retention periods that were assigned based on the document content.

Litigation: This generally covers not only lawsuits, but government or internal investigations and other related compliance efforts. When a company gets sued or sues someone, or receives a subpoena or other official request for documents, there's an obligation to preserve and produce responsive documents.

Litigation hold: When litigation becomes reasonably foreseeable, the company must preserve all relevant data. A litigation hold is imposed on relevant information to prevent its deletion. Violation of this duty to preserve can result in a claim of spoliation and, ultimately, loss of the case.

Privilege: Protects a document from discovery or being used as evidence. The most common form of privilege is that of attorney-client communications. This can be a tricky subject, so you should discuss any potential privilege issues with counsel as soon as possible in the process.

Sanction: Penalties imposed by the courts or the governing body, such as the Securities and Exchange Commission.

Spoliation: Deleting, destroying or withholding material relevant to a legal proceeding. Sometimes auto-delete policies can cause records to be destroyed without any affirmative action on your part. Spoliation can be subject to criminal sanctions or an adverse inference.

Rank-and-file IT people are often asked to educate the CIO or some technically clueless VP required to be deposed under Rule 30(b)(6) on behalf of the corporation. In that case, you'll have to bring the person up to speed fast because lawyers report that the initial meeting in which the discoverable data is scoped out usually takes place about a month after notice of litigation has been received. "The goal is to have this meeting as early as possible," says Lederer at the Center for Legal and Court Technology.

The revised Federal Rules of Civil Procedure also applies to existing mandates such as Sarbanes-Oxley, HIPAA and various Securities and Exchange Commission (SEC) regulations. "The new rules [FRCP] are concerned with the preservation of evidence [and] ... about the access to data in the event of litigation," says George Paul, partner and chair of the ediscovery and data management group at Lewis & Roca LLP, Phoenix. "It is fair to say that the rules have raised awareness tenfold, 1,000%, among litigators," he adds.

Charlotte Bahin, partner, corporate department and financial services group, Lord Bissell & Brook LLP in Washington, DC, specializes in the banking sector and banking regulations. "Banks have a long record of good, robust records management. They have been storing and reporting data for check clearing laws, HMDA [Home Mortgage Disclosure Act], CRA [Community Reinvestment Act] and more," says Bahin. "The new federal rules are really an overlay of ediscovery rules. It might cause some people to rethink policies. It certainly has sparked discussion between IT, legal, compliance and audit, but banks are so regulated to begin with it doesn't have much impact."

Tom Gesell, IT director, TruWest Credit Union in Tempe, AZ, agrees: "The HMDA data storage requirements are minimal; same with CRA. We capture loan application data at application origination. It really is a very small amount of data," says Gesell. "Because we also sell insurance and investments, we do have to save email, which has big storage requirements. Both the SEC and Sarbanes[-Oxley] require us to keep records of correspondence with these clients. The federal rules don't change things much for us."

Basically, the revised FRCP have forced companies to figure out how to keep what they're supposed to keep and throw out what they no longer need. In addition, in litigation, companies need to be able to:

  • Identify potentially relevant material
  • Preserve that data and keep it from being deleted
  • Produce that data for attorney review and production to other parties
  • Release that data once the litigation is over; allow documents to be returned to their default document-retention status

No single solution fits all
There isn't a single solution that addresses the unique requirements of every firm because each company's needs and regulatory situations are unique. However, the first requirement for success in any corporation is to build a strong relationship between the processes of IT and the needs of legal counsel. With the revised FRCP, this best practice has become compulsory for most companies. IT and legal need to speak each other's language so that characterizations of the processes under which records are retained electronically, their locations and how to access them are understood.

"For organizations, the big change imposed by the amendments to the FRCP is its requirement of early meet-and-confers on ESI," says Jon Neiditz, attorney and risk management expert in the Atlanta offices of Lord Bissell & Brook LLP. "For organizations, this means either you have to be ready with this information or risk outsourcing its collection at substantial cost and substantial risk of missing some information store, with potentially disastrous consequences."

Unfortunately, it's rare in any company to have clear ownership of structured and unstructured data. When no single employee has information mapping as the central part of their job, it's doubtful that there's an established retention method or location for select types of records. This costs the company in several ways:

  • Time to respond. If your lawyers can't make representations based on a solid document-retention process, every case will become a full-blown data discovery exercise. Instead of knowing there are no documents on a particular subject because your policy states they're deleted after three years, you'll have to look in every nook and cranny in the company for documents that may relate to that subject.

  • Mistakes. A poorly implemented document- retention policy could cause you to inadvertently mislead the court when responding to a document request. If you don't recover from this, you can be subject to sanctions by the court, which can result in very bad (and expensive) things happening.

  • Trustworthiness. If you get the reputation as a company that can't do this well, you run the risk that every case will turn into a big forensic exercise because you'll have squandered the trust of the courts.

Clearly, there's a need for a joint venture between legal and IT to protect the corporation by implementing employee-awareness campaigns, and creating/ repairing/documenting data-retention, litigation hold and data destruction processes.

Getting it done
To change your company's current state of document- retention compliance, you'll need to brush up on your ability to influence others. The General Electric Company uses the following basic process, called "Change Acceleration Process," to not only turn the direction of the company, but ensure that the new path selected is strong enough to last.

  1. Prepare the management team or initiator of change to effectively lead. Many company directors and officers have short attention spans, so the best way to make an initial good impression is to use 30-second sound bites of critical information that matters the most to them. Be specific about the topic; for example, say "Regarding implementing the record- retention guidelines. How much can the business save? What is the risk of doing nothing?"

  2. Pick a sponsor with visible, active public commitment and support of the change. Try to get the sponsorship of your chief legal counsel or CFO; they're the best company representatives for activities associated with litigation preparedness and compliance. If this isn't reasonable, then find your champion based on their ability to influence the organization.

  3. Create a shared need and develop a vision and strategy for the company's forward direction. A high-impact method to change behaviors is to provide actual vignettes with painful outcomes to validate the importance and consequences related to the management of information and records. A daily scan of the front page of The Wall Street Journal often nets the best results.

The revised Federal Rules of Civil Procedure have only been in place since December 2006, so the precedent-setting cases that will set the direction for plaintiff and defense attorneys in the early stages of discovery regarding the determination of accessibility and authentication of documents are yet to be played out. The first case on authentication that attention is focused on is Lorraine v. Markel American Insurance Co., a relatively innocuous case about an insurance claim resulting from a lightning strike on a boat that would otherwise not merit a 101-page opinion from the judge; however, it establishes the first review of admitting electronic evidence and the following five evidence standards to be satisfied, according to a LexisNexis summary:

  • If the electronic evidence is relevant (Rule 501)
  • The authenticity of the information (Rule 901(a))
  • Whether the information is hearsay, including relevant expectation, if the document is offered for its substantive truth (Rule 801)
  • The original writing rule (Rules 1001-1008)
  • Whether the probative value of the document is substantially outweighed by the danger of unfair prejudice or other considerations (Rule 403)
  1. Monitor key process measurements. Most of us have a natural resistance to change. Far too often, great processes migrate back to less-efficient methods because no one is watching. Metrics have to be easy to access and understand. You'll know you've succeeded when the memory of the previous state is a bit of an embarrassment.

Article 13 of 26

Dig Deeper on Data storage compliance and regulations

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Storage

Access to all of our back issues View All