I. DEFINITIONS
1. ELECTRONICALLY-STORED INFORMATION ("ESI"): information created, manipulated, communicated or stored in analog, digital, magnetic and any other electronic format. This includes email, instant and text messages, voicemail, calendars, contacts, diaries, appointments, addresses, journals, tasks, notes, databases, word processing documents, spreadsheets, charts, graphs, slides, software, firmware, websites, internet sites, temporary internet files, cookies, cache files, intranet information and data, embedded data, metadata, deleted data, residual data, videotapes and audiotapes.
2. ELECTRONIC STORAGE DEVICE: Any storage device or equipment that is or can be used to access, maintain or store ESI including: hard drives on desktop and laptop computers, servers, backup tapes, zip drives, thumb drives, flash drives or memory, CDs, DVDs, floppy disks, optical disks, magnetic tapes, personal data assistants ("PDAs"), cell phones, hand-held computers and/or devices, iPods, iPads, and any other device that stores data in any analog, digital, magnetic or electronic form.
3. ZUBULAKE (Zoo-boo-lake): Series of five judicial decisions emanating from the United States District Court for the Southern District of New York (Scheindlin, Shira J.) that are the leading cases on a party's ESI obligations in litigation. A young woman securities trader for UBS Warburg sued her former employer for gender discrimination and retaliation after she was passed over for a promotion and allegedly subjected to improper sexual conduct. After the lawsuit was filed, it was discovered that the HR director had failed to implement a retention plan, leading to the deletion by UBS Warburg of a number of potentially relevant emails, leading to the imposition of severe sanctions against UBS Warburg and ultimately, a $29 million jury verdict against the company.
4. LITIGATION HOLD: A directive not to destroy any document or ESI that might be relevant to an ongoing or reasonably foreseeable legal proceeding, or which might lead to the discovery of relevant information.
5. SPOLIATION: The destruction, material alteration, or the failure to preserve for another party's use evidence in any pending or reasonably foreseeable litigation which is relevant or which might lead to the discovery of relevant information.
6. RECORDS MANAGEMENT POLICY: A "Records Management Policy" is a written policy governing the handling of a company's information and business records from their creation through destruction, and should include every form of information and record created, received, stored or used by the employer. It must simultaneously provide detailed and specific instructions as to creating, receiving, storing and using the information and records and should extend to electronic as well as hard copy documents as well.
II. DEVELOPING AND IMPLEMENTING AN EFFECTIVE RECORD RETENTION/ DESTRUCTION POLICY
The terms "record retention policy" and "data destruction policy" are well known, but too few companies have adopted thorough guidelines governing the retention of company data. Most companies would like to have a comprehensive and up-to-date policy, but the task of drafting and maintaining such a policy is often neglected in favor of more pressing day-to-day business concerns. When employers sit down to think about drafting a written policy that addresses every piece of information created, used, modified and stored, they often find the task too daunting to tackle. The reluctance is compounded by the fact that most data is created, used, modified, and stored electronically. This fact creates several obstacles. First, electronic data does not clutter an office like stacks of files or rows of file cabinets. In this way, most business data, because it is electronic, is out of sight and therefore out of mind. Second, because so much of a company's data is created, used, modified or stored electronically, some familiarity with technology is required to draft a policy affecting the data. Third, there is just so much data and so many types of data that it is difficult to draft a single policy that addresses it all.
The temptation is to focus too narrowly on the end-result, the destruction of data. The term "record retention policy" is inadequate because it presumes that all information is retained, which need not be the case. The term "document destruction policy" also falls short because it skips to the end result and ignores the utility of the information from its creation through its utilization. It is best to think of this task as one to draft a "Records Management Policy," one that governs the entire lifecycle of business information. The exercise of creating a comprehensive Record Management Policy will improve the overall hygiene of the company.
Purposes of Records Management Policies
Creating an effective Records Management Policy will both save your company money in the way in which it operates its daily business over the long run, and will simultaneously and more immediately reduce your company's litigation risks. A properly crafted Records Management Policy increases efficiency by reducing redundant data and facilitating the identification of relevant data at key intervals. Such a policy will provide the framework to manage storage costs, as the employer will know exactly how and where information is created and received, how and where it is kept, and how and when the information is destroyed. A Records Management Policy also supplements an employer's disaster recovery plan because crucial data is catalogued and stored according to pre-determined and uniformly exercised rules prior to the disaster.
A Records Management Policy serves important risk management goals as well. By reducing the volume of data, it reduces litigation costs required to cull out relevant from irrelevant data. It formalizes an employer's response to litigation and the discovery process that will follow. Finally, such a policy will reduce the chances that an employer will be sanctioned in the litigation process for failing to satisfy its obligations to preserve and produce information relevant to the dispute.
Philosophical Choices in Crafting your Company's Policy
The first step is to identify and catalogue the sources and location of all of your company's data, particularly ESI. This requires creating an inventory of computers (including home computers and any mobile devices used by employees), identifying software programs used to create, utilize and manage ESI, and describing the manner in which any data is stored and backed-up. The same process should be extended to any hard document files maintained by the company to create one comprehensive document detailing the information and records of the company. This inventory must be re-examined on a periodic basis as new technologies emerge and the manner in which an employer conducts business changes.
Before drafting a Records Management Policy, all employers must make a basic philosophical choice, which should be influenced by an evaluation of the psychology of the employees who will implement the policy. Under the law, an employer need not save every bit of information. The ultimate question, then, is, "should this employer keep everything?" For some companies, particularly those whose professional judgment may be called into question in the future, saving drafts and multiple iterations may be prudent. The ability to recreate the decision-making process through drafts and detailed notes or communications may be valuable. For companies with more regular, routine, and discrete tasks, it may not be necessary to retain data for prolonged periods of time. For those companies, business records have a defined shelf-life.
The keys to any Records Management Policy are (1) crafting a policy that the employees will actually execute and (2) crafting a policy that serves the realities of the employer's business practices. Creating a written document that is not put into practice by those in the trenches merely sets a written standard by which the company's deficient conduct will be judged. Assume, for example, that a Records Management Policy calls for a certain class of information to be discarded in five years. If only some data within the class is actually discarded by year six, the employer will be forced to try to explain the selective implementation of the policy (which could expose the employer to sanctions in litigation). If a company's employees have a natural inclination not to destroy business records and if the costs of storage can be managed, it may reduce overall risk to simply retain all information in perpetuity rather than violate a standard of its own creation. As part of the self-examination process, employers should make an informed decision as to the philosophy it wishes to embody in its Records Management Policy.
Essential Elements of Records Management Policies
While a Records Management Policy must be tailored specifically for each employer, there are several common ingredients to all such policies. Here are some of the essential elements:
- Address the entire lifecycle of business records. After completing the technology survey described above, an employer should be capable of crafting a policy that addresses the entire lifecycle of its information and business records from creation, use, storage, to deletion. A comprehensive Records Management Policy cannot skip directly to the destruction of data but addresses its entire lifespan. A comprehensive policy must also grapple with business data that resides on or is accessed from employees' home computers and mobile devices.
- Identify leadership. Another essential element to comprehensive policies is the clear identification of company leadership responsible for monitoring the implementation of the policy. The policy should identify company officers responsible for drafting and amending the policy, officers responsible to ensure compliance with the policy, and officers responsible to monitor the litigation hold process (described below).
- Reduce discretion. Records Management Policies should also reduce discretion as much as possible. The goal is routine employment of the policy to ensure uniform application throughout the company. If too much discretion remains in the hands of each employee, the chances are good that one employee will delete information on time while another will retain information longer than necessary. As technology improves, automating records retention will become more cost-effective, which will remove discretion from employees. Until the process is automated, the policy must strive for uniform application.
- Integrate with other policies. The policy must also integrate with existing practices, particularly the computer use policies. Many companies already govern, restrict or monitor their employees' use of company resources, such as computers and technology. Because the Records Management Policy addresses the entire lifecycle of business information, most of which is created or utilized on computers, the Records Management Policy must compliment any other policies that also impact the creation, utilization or destruction of data.
- Include deliberate flexibility. The Records Management Policy must also include the inherent flexibility to adjust to any changes in the company's technology or business practices.
- Audit the policy. One way to ensure that the policy keeps pace with changing practices is to periodically audit employees' performance. Another recommended practice is to audit the technology survey completed before the policy was drafted. These audits should be scheduled at express intervals within the text of the policy.
- Include a chart for discarding information. Because the policy must be user-friendly, it is advisable to create a simple chart identifying the categories of information and the schedule by which that category should be purged. This chart will summarize the narrative contained within the policy itself.
- Describe litigation hold procedures. Finally, a Records Management Policy must include procedures that will be implemented upon any reasonable threat of litigation to suspend all destruction of data that might be relevant to the dispute. This feature is a called a "Litigation Hold."
How Long Should An Employer Retain Data?
Because there are many different types of business records or information, there are many different answers to the question "when can I discard data?" Under a Records Management Policy, each type of data carries its own, deliberately chosen lifespan. In some instances, statutes or regulations (HIPAA — Health Insurance Portability and Accountability Act; FACTA — Fair and Accurate Credit Transaction Act; Gramm-Leach-Bliley Financial Services Modernization Act; state and federal labor laws; Internal Revenue Code, etc.) supply the date on which a particular class of data can be discarded. For some categories of data, it is prudent to retain data indefinitely. In other circumstances, an employer is left to determine a time frame that is reasonable under its unique circumstances. The law provides that a Records Management Policy cannot be crafted with the purpose of frustrating potential adversaries. The law therefore requires that the time set for discarding information be reasonable. The time periods selected should be derived from a deliberate and informed process. In the end, ensuring uniform application of the time periods selected is as important as choosing a reasonable lifespan.
Litigation Holds
To serve one of the essential purposes of Records Management Policies, minimizing litigation risk, an effective policy must include written procedures for suspending the routine destruction of data when litigation is likely. Assume that an employer has adopted a Records Management Plan calling for the deletion of emails within one year from their creation. Assume that an employee is terminated under suspicion of embezzlement. A lawsuit concerning the termination may be likely. If the company reasonably anticipates litigation regarding the departed employee, it is under a duty to preserve all information that might be relevant to the dispute. To preserve potentially relevant information, the company must temporarily cease destroying emails to, from and concerning the departed employee. The litigation hold portion of the Records Management Policy outlines the specific steps to be taken to ensure that all data concerning the potential litigation are preserved. Among other things, it identifies clearly the officers responsible to ensure data is not lost and the officers responsible for collecting the relevant data.
The reason for including detailed litigation hold procedures is to protect against the risk of sanctions from the Court for losing data that might be relevant to the dispute. Assume this time that the company deletes emails that are older than one year. Under this hypothetical, assume that the dispute is from a consumer that was injured when using the company's product, but the company was not aware of the injury. The company had no reason to know that it would be sued. If in the routine and orderly application of the Records Management Policy, the company deleted stale emails before it had reason to know of the consumer's injuries, it cannot be sanctioned for losing relevant data. If, on the other hand, the company was not diligent in its discarding of emails older than one year, and some old emails remained while others were deleted, the company may be sanctioned for losing relevant data. To obtain protection from sanctions, a company must have a written policy governing the destruction of data and the implementation of that policy must be consistent. Employers and their counsel must audit the employees' compliance with the litigation hold at regular intervals during the litigation.
The Policy Must be Monitored and Kept Up to Date
Because it is crucial that the Records Management Policy be uniformly applied across the company, persistent monitoring is required. That is, the work is not over once the policy is drafted. It is advisable for employers to obtain written certifications from its employees that they have received and understand the terms of the policy. It is essential that officers of the company provide training on the implementation of the policy and litigation holds in particular. Finally, the company's leadership must audit the implementation of the policy and reward satisfactory performance as it would with other company policies.
Questions for your Company to Consider
1. Do you have a document-retention/destruction policy?
2. Have you updated the policy in the past year to reflect changes in technology?
3. Have you had your document-retention/destruction policy audited by outside counsel to confirm its enforceability in light of the most recent guidance from courts in your jurisdiction?
4. Does your company's policy contain a clear procedure to suspend the policy's routine operation in the event of threatened or actual litigation?
5. Is there a formal, well-documented, well-publicized process for informing employees about a litigation hold?
6. Does this process include clear instructions to IT personnel?
7. Do your key employees know how to trigger a "litigation hold?"
8. If there is a litigation hold imposed, are there frequent and repeated litigation hold reminders?
9. In the event of a litigation hold, can records potentially responsive to the litigation be easily segregated so they can be preserved from deletion in the ordinary course of business?
10. In the event of a litigation hold, can employees still delete emails and other ESI?
11. Do you have a structured archive — and does your document retention policy control the retention and destruction of data stored on it?
12. Does the archive interface with all necessary sources (server, laptops, PDAs, etc.) to capture records?
13. Can employees delete records before they reach the archives?
14. Who has access to delete records from archives?
15. Has your backup system ever failed to restore backups?
16. Do you test your backup restoration process regularly?
17. Do you use backup tapes for long-term records retention?
18. How frequently do members of your company ask to have backup tapes restored to recover information they need?
19. Do people in your company keep critical business records on their laptops?
20. Do people in your company use personal or home email accounts for company business?
21. Are copies of these records routinely uploaded to the archive system?
This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice. Your receipt of Good Company or any of its individual articles does not create an attorney-client relationship between you and Sheehan Phinney Bass + Green or the Sheehan Phinney Capitol Group. The opinions expressed in Good Company are those of the authors of the specific articles.
|
