E-docs: Retention and Disclosure

November 1, 2004

The Electronic Disclosure Guidelines prepared by the Commercial Litigators Forum says this, inter alia, “Edoc retention policies are beginning to become fashionable but generally as a result of warnings from litigation lawyers as to the possible adverse consequences of retaining too much historic data”.

In 2003, market research by Cohasset Associates in the UK revealed the following:-

  • 41% of companies surveyed said that electronic records were not included in records management programmes.
  • 47% said that the IT department was not represented when records management programmes are formulated.
  • 59% did not have a formal policy regarding record retention practices for e-mail.

At the moment the Financial Services Authority in the UK does not differentiate between electronic records or any others. This is in contrast with the SEC, which provides specific requirements for the media and process used for archiving electronic records generally. The reference is SEC CFR 240 17a – 4 and it says:-

  1. Electronic records must be stored on non-rewritable and non-erasable media.
  2. The system must “verify automatically the quality and accuracy of the storage media recording process.
  3. The organisation using electronic records must provide regulators with “facilities for immediate, easy readable projection or production of ..electronic storage media images and for producing easily readable images.”
  4. The system must “store separately from the original, a duplicate copy of the record”.

If any proof was needed as to how seriously the SEC take e-mail retention, they recently fined several brokerage firms millions of dollars for allegedly failing to retain and/or produce e-mail in accordance with the above rules.

Legislation, predominantly in the US but in other countries as well, demands much tougher governance and compliance regimes. Many industry sectors

are now accountable to regulators, and governments are increasingly creating new statutory or regulatory obligations for both public and private sector organisations. Compliance management is about risk management and the level of risk depends upon the type of organisation and various factors – two of which are likelihood of litigation and the nature of the regulatory environment (both of these are areas for Electronic Data Disclosure). The AIIM says that “..compliance management is about having records you can trust, and trust in this context means

· Integrity – proving a record has never been altered since it was created

· Accuracy – proving it contains what it is supposed to contain

· Authenticity – proving it is what it purports to be by reliably demonstrating its source or origin.

· Accessibility – knowing you can find it and deliver it as required”

Those four points are excellent advertisements for electronic documents.

Further advertisement comes from a 1995 case in the USAnti-Monopoly,Inc v Hasbro Inc WL 649934 (S.D.N.Y. 1995) – where the judge said “The law is clear that data in computerized form is discoverable even if paper “hard copies” of the information have been produced”. Clearly, retaining e-mail in paper form may be an attractive means of retention, but as we know there are legal considerations, especially from a litigation standpoint:

  1. E-mail without metadata is weak evidence. Anyone can type a message on a piece of paper.
  2. E-mail in electronic form is likely to be easier to search in response to disclosure or regulatory requests
  3. Much can be learned from seeing an electronic record in electronic form without which the evidentiary value would be diminished.

As far as I am aware only one case in the US has considered the acceptability of the print to paper approach as against e-mail retention – Public Citizen v John Carlin Archivist of the US No 97-5356(DC CIR, 1999). While the case was overturned on appeal for other reasons, the lower court made it clear that it considered e-mail printed to paper to be an unacceptable method of retention.

There are other recent cases which lead to the conclusion that organisations must have a thorough knowledge of what e-mails to keep, where and for how long. In March of this year the SEC meted out the largest ever penalty of its kind and this was to the Bank of America. Without going into too much detail, the Bank claimed it could not produce certain archived e-mails but the SEC was able to prove that the Bank had recovered some of the e-mails for use in its defence, whilst permanently deleting the rest. That little action attracted a fine of $10m along with a message from the SEC which said that e-mails should be subject to retention and destruction policies. In the UK, Norwich Union had to settle a civil action for almost half a million pounds in 1997 when there was evidence which embarrassed them about their lack of e-mail management policies and in 2003 the UK supermarket chain Somerfields showed the other side of the coin when the Competition Commission, investigating price fixing, requested information from them and other UK retailers. They were given 28 days to produce relevant information and were able to hand over a CD containing up to 5,000 e-mails over a 15-month period because they had an excellent policy in place. Back to the US, two cases in 2003 showed the difficulties to preserving data, namely failing to preserve it. In Zubulake v UBS Warburg, the defendant company told its employees to retain all relevant e-mails once the plaintiff had made a claim, but then subsequently instructed the IT department to stop recycling back-up tapes. Some data was lost and the court ordered the company to bear the cost of re-deposing witnesses on the issue of destruction of evidence. In Murphy Oil v Fluor, Fluor were found not to have followed their own retention and destruction policy and they were penalised as to costs by again having to produce physical evidence.

Here in the UK, legal and regulatory authorities have typically taken a more “hands off” approach but it is believed that they are now beginning to move to tighten up the framework of rules which surround e-mail and e-doc management.

The message here is that companies, especially those that exist in a regulatory world or are prone to litigation, must have a plan to safeguard the preservation of important information whilst periodically destroying data where its usefulness has expired. Retention schedules that serve legal, regulatory and organisational needs must be created. Before there is litigation, organisations need to tame the beast that is “Data”. Retention and destruction is the key. There may be a natural inclination to save everything but it is not possible to know what negative effect data may have in future litigation. It is crucial therefore to dispose of unnecessary materials regularly.

What is the impact of this on litigation and why is unmanaged e-mail a reason for litigators to “rub their hands”? One issue is what the Americans term spoliation – this is the intentional, reckless, or negligent destruction, loss, material alteration or obstruction of evidence that is relevant to litigation. In the US, once notice of litigation is received, any wilful “spoliation” carries a fine and/or up to 20 years’ imprisonment! As to the “happy lawyers” – many organisations lack e-mail management and retention and destruction policies and this gives litigators and investigators tremendous opportunities to exploit the fact. It increases the chances that there is a damaging piece of electronic information somewhere.

How long will it be before a lawyer is prima facie negligent if he fails to advise his clients, particularly from a standpoint of litigation readiness, as to the necessity of having, and following, an electronic document retention and destruction policy?

Terry Harrison is Business Development Manager at LDM Ltd.