You know and love our Must-Read IT Blogs lists, but now, say hello to the nonprofit side.
If you’re not currently involved in litigation or an investigation and won’t be in the future, then e-discovery isn’t something your business needs to concern itself with. The rub is that it’s often impossible to predict whether your business will be involved in a lawsuit or investigatory action.
Fortunately, the recent amendments to the Federal Rules of Civil Procedure do not impose any requirements on companies outside of the litigation process. And because small and midsize businesses are less likely to be involved in litigation, they are at less risk. However, if your business and IT departments aren’t prepared and you suddenly find yourself involved in a lawsuit, it may be too late to take the appropriate action. Here are three best-practice steps that IT departments should keep in mind with regard to e-discovery and electronically stored information:
The obligation to preserve records commences as soon as your company becomes involved in litigation or a regulatory investigation or reasonably anticipates such an action. The duty extends not only to paper records but also to electronically stored information (ESI).
Even if you don’t willfully destroy records, you and your company may be liable for “spoliation of evidence” if relevant information is lost as a result of automatic-deletion protocols. If, for example, your company automatically deletes electronic communications after 90 days and you continue with that policy when litigation is anticipated, that is sanctionable conduct. Sanctions for spoliation range from fines and other penalties to “adverse inference” presumptions that could cause you to lose a case. If spoliation is found to be intentional, you may even face criminal liability.
So how do you avoid these dangers? Think through this type of situation in advance, and as soon as litigation or an investigation is anticipated, be prepared to suspend any automatic-deletion policies and send out a “legal hold” notice to every employee and agent who may have relevant information. Work with your legal counsel to prepare a form of legal-hold notice and to adopt legal-hold procedures in advance, so that you are prepared when litigation hits.
If you are involved in litigation or an investigative proceeding, you usually will be required to provide to the other side all documents relevant to the matter. This includes not just hard copies of documents, but also ESI, which means that anything you have stored at your company, on your network, in off-site storage, or otherwise within your care, custody or control, is potentially subject to discovery.
Because storing electronic documents has become so inexpensive, many companies never delete their electronic records and thus may have a massive amount of ESI to sort through in the event of litigation. The cost of collecting and sifting through many gigabytes (or even terabytes) of information to find what is potentially relevant can be prohibitive — sometimes more so than the litigation claim itself. Indeed, a burgeoning new “e-discovery” industry has built up around the process, with hundreds of vendors, consultants and lawyers available to help you (at no small cost) to gather, filter and process your records.
So what steps can you take now to reduce costs and exposure later? Businesses should not save everything. Instead, enact a record-management policy, supported by a record-retention schedule that preserves documents and ESI only for as long as required for legal needs and business compliance. Once litigation hits, you will need to implement a legal hold, so now is the time to clean up old records and eliminate any that are not needed.
There are several steps you can take to delete old records. Use automatic-deletion protocols to dispose of most sent and received e-mail after a specified period, such as 90 days. Train employees to set up electronic folders (preferably on shared servers where records are regularly backed up and easily accessible) for storing e-mails that truly need to be saved longer than the standard retention period. Legal counsel can help you draft a retention policy and retention schedules, setting forth retention periods for each type of document. For most companies, only a small portion of records will be subject to any legal retention requirements absent a legal hold.
Disaster-recovery media are a matter of particular concern, both because of the volume of information stored and the potential cost of restoring and searching backup tapes or disks. Maintain backup media only for as long as necessary for disaster-recovery purposes — typically weeks, not months or years. Do not use backup tapes as your record archives. The amended Federal Rules provide some discovery protection for ESI deemed “not reasonably accessible because of undue burden or cost,” but you undermine such arguments if you use your backup tapes for archival purposes instead of for disaster recovery only.
Just about every week the news reports another discovery of “smoking gun” e-mails or text messages. Victims have included prominent politicians, pharmaceutical companies, financial advisers and businesses of all kinds. A single ill-considered, cynical or sarcastic e-mail or instant message generated by one employee can be used in litigation against an entire company.
Employees need to be taught the proper and improper use of e-mail and other IT resources. It is a myth that e-mail and text messages are like spoken conversations: private, safe and short-lived. The truth is that e-mails are ubiquitous — because of mass addressing, forwarding and e-mail chains that retain message threads, it is not unusual to find 10 or more copies of the same e-mail in stored records. E-mail can be misaddressed, misconstrued, forwarded, leaked or discovered in litigation. Indeed, lawyers and investigators now make e-mail a prime target of their discovery efforts precisely because employees are often careless in what they say.
Sensitize employees to the dangers of e-mail and instant messages. Workers should avoid writing anything that they would not want to see published in the local newspaper. Adopt and publicize an IT resources “acceptable use” policy that includes prohibitions against using company resources in ways that violate the company’s anti-discrimination policy, to transmit sexual or pornographic content (including off-color remarks or jokes) or to transmit material that may be copyrighted or otherwise protected. The policy should be agreed to by all employees and should include notice that no right of privacy exists in information sent or received using company resources, and that use of e-mail, the Internet and other IT resources will be monitored. Consider adopting mandatory e-mail sensitivity training for all employees.
Companies that can stay out of litigation have nothing to fear from the new e-discovery rules. But often it is difficult to predict whether your company will be targeted for litigation or might need to initiate a claim against others. Following the above steps can help you to protect your company against the greatest e-discovery risks and costs.
[Note: This column is for informational purposes only and should not be relied on as legal advice without first consulting a lawyer.]